Re: cvs-nserver and latest CVS advisory (Was: patch to make CVS chroot)

[Justin Wells]

On Wed, Aug 09, 2000 at 10:53:10AM -0400, Greg A. Woods wrote:

> I.e. Justin:  Please do not continue to publicly promote your patch --
> it is not an improvement in security and continued promotion will give
> CVS users a false sense of security.  In fact I will continue to
> strongly suggest that you not even use it for yourself!

Is it as easy for a WinCVS user to set up ssh as it is to set up pserver?

No.

That's a fact. And so long as it's a fact I am going to use pserver. And 
so will other people. And so long as that's true we might as well at least
make the damn thing as secure as it can be.

> (Mind you -- I cannot say the above without also stressing the risks of
> something like SSH are not zero -- the server must still trust the
> physical hardware and the operating system within the client since SSH
> can easily be used covertly by a virus or worm!  This means that SSH
> users on both ends of the connection must continually secure their
> systems and provide reasonable assurances against such covert use!)

Not to mention trusting the users. I don't trust them. I don't actually
see ssh as significantly increasing my security because even with maximal
security between the user and the server, I still don't trust the user. 

You are still thinking inside the professional software development shop
box where issues like not trusting your users don't come up.

Justin