info-cvs

Re: Linux security issues as they pertain to CVS


From: Greg A. Woods
Subject: Re: Linux security issues as they pertain to CVS
Date: Fri, 1 Jun 2001 15:32:47 -0400 (EDT)

[ On Friday, June 1, 2001 at 14:02:22 (-0400), Derek R. Price wrote: ]
> Subject: Re: Linux security issues as they pertain to CVS
>
> "Greg A. Woods" wrote:
> 
> > The problem is that I see it as if you're trying to say that CVS Pserver
> > plus SSL equals secure.  It most certainly does not.  You have no
> > provable authentication and thus no provable accountability.
> 
> Not on the server side, but it prevents sniffing.

Why bother?  You're gaining so little and adding yet more opportunities
for fatally wrong perceptions to creep in.

I.e. if something's worth doing then it's worth doing right (the first time!).

> Server certificate checking can prove to the client that it got the
> correct server and this can prevent the user from sending her password
> to an imposter.

Have you implemented that?  Securely (i.e. with real Unix IDs)?

Why not just use SSH?  It can do that already, out-of-the-box even!

-- 
                                                        Greg A. Woods

+1 416 218-0098      VE3TCP      <address@hidden>     <address@hidden>
Planix, Inc. <address@hidden>;   Secrets of the Weird <address@hidden>


