bug-cvs
[Top][All Lists]
Advanced

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [PATCH] cvs security versus Checkin.prog and Update.prog


From: Derek Robert Price
Subject: Re: [PATCH] cvs security versus Checkin.prog and Update.prog
Date: Thu, 27 Mar 2003 23:45:26 -0500
User-agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.0.2) Gecko/20030208 Netscape/7.02

Mike Sutton wrote:

See like a reasonable approach to me.

On 03/26/03 19:14:18, Mark D. Baushke wrote:
Hi Folks,

I was just revisiting the thread about the CVS/Checkin.prog and
CVS/Update.prog for security. The two relevant threads seem to be:

   http://www.mail-archive.com/address@hidden/msg00384.html
and
   http://mail.gnu.org/archive/html/bug-cvs/2003-03/msg00107.html

I have not really finished writing updates for the documentation of this
proposed patch yet, but I thought I would float the idea to see what
folks think of it.

This patch the choice to be up to a given repository manager with the
default being to be more secure.

Actually, I floated the idea of removing the functionality entirely by the dev list some weeks ago and didn't receive any objections. Karl Fogel even piped up to second the motion. My second choice was continuing to support the features via CVSROOT/config options, but I'd still much rather remove the functionality entirely. I hear little enough about it to think that noone is really using it and there are other, more secure ways of hooking into the commit processes.

I told the CERT vulnerability tracking folks <http://www.cert.org> we'd do something by the next release but I hadn't gotten around to it yet.

Derek

--
               *8^)

Email: address@hidden

Get CVS support at <http://ximbiot.com>!
--
Tar is not a plaything.
Tar is not a plaything.
Tar is not a plaything...

         - Bart Simpson on chalkboard, _The Simpsons_







reply via email to

[Prev in Thread] Current Thread [Next in Thread]