bug-cvs

Re: CVS Security Issues


From: Greg A. Woods
Subject: Re: CVS Security Issues
Date: Thu, 18 Dec 2003 20:07:33 -0500 (EST)

[ On Thursday, December 18, 2003 at 14:26:26 (-0500), Derek Robert Price wrote: ]
> Subject: CVS Security Issues
>
> Does anyone else have any opinions on this?

It would be much Much MUCH better to begin to deprecate any and all
support for "cvs" passwords than to give any further support to the
false illusion of any security someone might pretend to see in them.

CVS pserver support is, just barely, safely usable _only_ for truly
anonymous access (which normally also means read-only access) (and only
then when there's some underlying network integrity protection),
regardless of how your network works, which clients you use, etc.

_ANYONE_ considering the use of some tool like CVS obviously also needs
at least some degree of true security (i.e. authentication,
accountability, _and_ integrity) -- otherwise they're doing worse than
fooling themselves (they're fooling _everyone_ involved with using their
repository).

I.e. please do not pretend you can gain anything by pretending to make
the CVSROOT/passwd file harder to mess with.

-- 
                                                Greg A. Woods

+1 416 218-0098                  VE3TCP            RoboHack <address@hidden>
Planix, Inc. <address@hidden>          Secrets of the Weird <address@hidden>



