bug-cvs

Re: CVS Security Issues


From: Derek Robert Price
Subject: Re: CVS Security Issues
Date: Thu, 18 Dec 2003 15:16:32 -0500
User-agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.4) Gecko/20030624 Netscape/7.1

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

McNamee, John wrote:

>I think moving the password file out of CVSROOT would be a bad idea.
>
>(1) It would just give a false sense of security to lusers (unfortunately,
>many lusers have the title "System Administrator" on their business card,
>but they're still lusers).


I agree.

>(2) It would break systems with multiple repositories that each have their
>own user/password list.


No it wouldn't.  If you look at the way these patches are implemented,
they only override the options in CVSROOT/passwd when they exist.  If
they don't exist, or don't exist for a specific repository, CVS would
fall back on CVSROOT/passwd.

Also, both patches have a file format like:

<repository>
<options>...

<repository2>
<options>...

>(3) It would make backing up an entire repository a little more difficult.
>
>I wouldn't complain if this became a compile-time configuration option,
>so those who want it can have it.  Just don't make it the default.


Due to the override nature, these would effectively be run-time options.

Derek

- --
                *8^)

Email: derek@ximbiot.com

Get CVS support at <http://ximbiot.com>!
- --
In matters of style, swim with the current; In matters of principle,
stand like a rock.
            - Thomas Jefferson
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)
Comment: Using GnuPG with Netscape - http://enigmail.mozdev.org

iD8DBQE/4gsfLD1OTBfyMaQRAsYtAKDzJGT6ABz8OMztN6Tor6yZf8EAygCgkfG/
hA84tc0wzdJNq2G/anwg6+M=
=4QFY
-----END PGP SIGNATURE-----
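
The override-then-fallback lookup described in the message above, as an added example (not code from the patches or from CVS itself). The repository paths and option strings are constructed placeholders, option lines are treated as opaque because the message does not give their syntax, and treating a stanza with no options as a fallback is an assumption.

```python
import posixpath

# Constructed sample in the stanza layout shown in the message. The repository
# paths and option strings are placeholders; the real option syntax is not
# given in the message, so option lines are kept as opaque strings.
SAMPLE = """\
/var/cvs/projA
example-option-1

/var/cvs/projB
example-option-1
example-option-2
"""

def parse_overrides(text):
    """Map each repository line to the option lines that follow it."""
    overrides, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:                      # blank line closes the stanza
            current = None
        elif current is None:             # first line of a stanza: repository
            current = posixpath.normpath(line)
            overrides.setdefault(current, [])
        else:                             # remaining lines: options
            overrides[current].append(line)
    return overrides

def resolve(repository, overrides):
    """Return ("override", options) or ("fallback", path to CVSROOT/passwd)."""
    repo = posixpath.normpath(repository)
    options = overrides.get(repo)
    if options:
        return ("override", options)
    # No stanza (or an empty one, by assumption): the in-repository file applies.
    return ("fallback", posixpath.join(repo, "CVSROOT", "passwd"))

def repos_on_fallback(repositories, overrides):
    """Audit helper: repositories still authenticating from CVSROOT/passwd."""
    return [r for r in repositories if resolve(r, overrides)[0] == "fallback"]

if __name__ == "__main__":
    table = parse_overrides(SAMPLE)
    for repo in ("/var/cvs/projA/", "/var/cvs/projB", "/var/cvs/projC"):
        print(repo, resolve(repo, table))
```

Running `repos_on_fallback` over the list of served repositories shows which ones would still rely on the in-repository password file after an override file is deployed.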