Richard Stallman wrote:
> We continue to use CVS for various web pages because CVS is simple to
> use and it works.
"simple to use" -- yes.
"it works" -- I wouldn't say that of a program that is a security disaster.
Saying that CVS has security "issues" would be an understatement.
CVS was fine 25 years ago, when the internet was a friendly place. But
nowadays, where criminals and state actors are constantly and actively
trying to manipulate users and in particular developers (remember the 'xz'
story), it is a liability.
In detail:
* The latest release of CVS was in 2008. [1][2]
In general, when a program with a client-server protocol has not
seen a new release for 15 years, you can be sure that it has
not been audited from a security point-of-view and therefore has
a number of security issues.
* In 2012 a security vulnerability with a score of 10.0 was discovered [3].
Several distros patch this vulnerability. [4] But anyone who builds CVS
from source by themselves and uses an HTTP proxy is at risk.
* A privacy problem: When a user uses 'cvs status some-file' to test
whether 'some-file' is already under version control, the CVS client
sends the contents of 'some-file' to the CVS server. Without asking.
So, your supposedly private modifications to a package are not actually
private. And even CVS experts didn't know about this. [5]
* A privileged user can prevent all other users on the same machine
from using 'cvs init'. [6]
> Does use of CVS for them cause a concrete problem?
Yes. It puts the developers' machines (and, with it, their SSH keys in
~/.ssh/ and their GPG keys in ~/.gnupg/) at risk.
Bruno
[1] https://ftp.gnu.org/non-gnu/cvs/source/stable/
[2] https://ftp.gnu.org/non-gnu/cvs/source/feature/
[3] https://www.cvedetails.com/vulnerability-list/vendor_id-442/CVS.html
[4] https://www.cvedetails.com/cve/CVE-2012-0804/
[5] https://lists.nongnu.org/archive/html/bug-cvs/2007-01/msg00019.html
[6] https://lists.nongnu.org/archive/html/bug-cvs/2010-05/msg00003.html
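One way to check for yourself which local files the CVS client sends to the server (the 'cvs status' case described above): point CVS_RSH at a wrapper that tees the client-to-server stream to a log file before running ssh, then run a parser over the capture. The parser below is an added example, not code from this thread or from CVS; the captured transcript is constructed, and the layout of the `Modified` request follows the cvsclient protocol documentation (uncompressed transmissions only, i.e. no `z` size prefix).

```python
"""List the files a CVS client transmitted to the server, from a capture of
the client-to-server byte stream.

Capture idea (assumption, not part of the thread): a CVS_RSH wrapper such as
    #!/bin/sh
    tee -a "$HOME/cvs-client.log" | ssh "$@"
logs everything the client sends. In the cvsclient protocol a Modified
request is:
    Modified <filename>\n<mode>\n<size>\n<size bytes of file contents>
Any other request is treated as a single newline-terminated line, except
Directory, which carries the repository path on the following line.
"""

def transmitted_files(stream: bytes) -> list[tuple[str, str, int, bytes]]:
    """Return (local_dir, filename, size, first 32 bytes) per Modified request."""
    found = []
    directory = ""
    pos = 0
    while pos < len(stream):
        nl = stream.find(b"\n", pos)
        if nl == -1:
            break  # trailing partial line: nothing usable
        line = stream[pos:nl].decode("ascii", "replace")
        pos = nl + 1
        if line.startswith("Directory "):
            directory = line[len("Directory "):]
            nl = stream.find(b"\n", pos)  # skip the repository-path line
            pos = nl + 1 if nl != -1 else len(stream)
        elif line.startswith("Modified "):
            name = line[len("Modified "):]
            mode_end = stream.find(b"\n", pos)           # end of mode line
            size_end = stream.find(b"\n", mode_end + 1)  # end of size line
            if mode_end == -1 or size_end == -1:
                break  # truncated capture
            size = int(stream[mode_end + 1:size_end])
            body = stream[size_end + 1:size_end + 1 + size]
            found.append((directory, name, size, body[:32]))
            pos = size_end + 1 + size  # jump over the file contents
    return found

# Constructed transcript of a client running 'cvs status notes.txt' on a file
# that is not under version control; index.html is tracked and unchanged.
CAPTURE = (
    b"Root /srv/cvs\n"
    b"Directory .\n/srv/cvs/www\n"
    b"Entry /index.html/1.3/Wed Jan 1 00:00:00 2020//\n"
    b"Unchanged index.html\n"
    b"Modified notes.txt\nu=rw,g=r,o=r\n27\nprivate draft, do not ship\n"
    b"Argument notes.txt\n"
    b"status\n"
)

if __name__ == "__main__":
    for d, name, size, head in transmitted_files(CAPTURE):
        print(f"{d}/{name}: {size} bytes sent, starts with {head!r}")
```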