[ On Wednesday, August 9, 2000 at 11:54:33 (-0400), Justin Wells wrote: ]
> Subject: Re: cvs-nserver and latest CVS advisory (Was: patch to make CVS chroot)
>
> Is it as easy for a WinCVS user to set up ssh as it is to set up pserver?
> 
> No.

Contrary to your claims it's not hard at all to use SSH with WinCVS.
Read the SourceForge documentation for an extremely lucid and accurate
description of the step-by-step instructions on how to do it.

> That's a fact. And so long as it's a fact I am going to use pserver. And 
> so will other people. And so long as that's true we might as well at least
> make the damn thing as secure as it can be.

You cannot fix it -- you're addressing the wrong problem and you are
giving people a false sense of security and as such *YOU* are actually
making them more vulnerable as a result!

> Not to mention trusting the users. I don't trust them. I don't actually
> see ssh as significantly increasing my security because even with maximal
> security between the user and the server, I still don't trust the user. 
>
> You are still thinking inside the professional software development shop
> box where issues like not trusting your users don't come up.

I don't think you understand "trust" as it is used in computer security
discussions.

Indeed there are differences when employment contracts can be used as
external policy controls.  However I also run a CVS server that hosts
the maintenance of several freeware tools and as such I rely upon
volunteer labour.  In most cases I've been able to rely upon
professional and personal relationships to build trust.  However if I
were to solicit services from more anonymous volunteers I would move
that server onto a machine where I would not risk things that I could
not trust such volunteers to avoid messing with.  Other than that though
I'd still require SSH for commit access and I'd still do independent
mechanical audits of all changes.

-- 
                                                        Greg A. Woods

+1 416 218-0098      VE3TCP      <[EMAIL PROTECTED]>      <robohack!woods>
Planix, Inc. <[EMAIL PROTECTED]>; Secrets of the Weird <[EMAIL PROTECTED]>
