Re: [PATCH] cvs security versus Checkin.prog and Update.prog

[Derek Robert Price]

Mike Sutton wrote:

> See like a reasonable approach to me.
>
> On 03/26/03 19:14:18, Mark D. Baushke wrote:
>  
>
> > Hi Folks,
> >
> > I was just revisiting the thread about the CVS/Checkin.prog and
> > CVS/Update.prog for security. The two relevant threads seem to be:
> >
> >    http://www.mail-archive.com/bug-cvs@gnu.org/msg00384.html
> > and
> >    http://mail.gnu.org/archive/html/bug-cvs/2003-03/msg00107.html
> >
> > I have not really finished writing updates for the documentation of this
> > proposed patch yet, but I thought I would float the idea to see what
> > folks think of it.
> >
> > This patch the choice to be up to a given repository manager with the
> > default being to be more secure.
> >    

Actually, I floated the idea of removing the functionality entirely by 
the dev list some weeks ago and didn't receive any objections.  Karl 
Fogel even piped up to second the motion.  My second choice was 
continuing to support the features via CVSROOT/config options, but I'd 
still much rather remove the functionality entirely.  I hear little 
enough about it to think that noone is really using it and there are 
other, more secure ways of hooking into the commit processes.

I told the CERT vulnerability tracking folks <http://www.cert.org> we'd 
do something by the next release but I hadn't gotten around to it yet.

Derek

--
               *8^)

Email: derek@ximbiot.com

Get CVS support at <http://ximbiot.com>!
--
Tar is not a plaything.
Tar is not a plaything.
Tar is not a plaything...

         - Bart Simpson on chalkboard, _The Simpsons_