[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Linux security issues as they pertain to CVS

From: Greg A. Woods
Subject: Re: Linux security issues as they pertain to CVS
Date: Thu, 31 May 2001 15:29:19 -0400 (EDT)

[ On Thursday, May 31, 2001 at 08:06:35 (-0400), Derek R. Price wrote: ]
> Subject: Re: Linux security issues as they pertain to CVS
> I don't agree.  There are different levels of security, and I will grant that 
> some
> are simply deterrents, but costs are going to be weighed in any security
> implementation decision.

I'm not talking about "levels of security" (indeed all security is
simply a matter of paying enough (in whatever currency is necessary) for
deterrents to reduce the risk of a successful exploit down to an
acceptable level).  There is no such thing as "absolute security" and
that's not what I was trying to imply.

The problem is that I see it as if you're trying to say that CVS Pserver
plus SSL equals secure.  It most certainly does not.  You have no
provable authentication and thus no provable accountability.

The problem with even allowing pserver to continue to exist (with or
without SSL) in its present form (i.e. within CVS) is that it plainly
misleads administrators not trained in understanding trust into having
the wrong impression about the level of security they have actually
implemented if they choose to use it.  This is plainly visible every day
in questions put to this list.

                                                        Greg A. Woods

+1 416 218-0098      VE3TCP      <address@hidden>     <address@hidden>
Planix, Inc. <address@hidden>;   Secrets of the Weird <address@hidden>

reply via email to

[Prev in Thread] Current Thread [Next in Thread]