C Wayne Huling writes:
I am using CVS to maintain our web site. I was curious if anyone else
was doing this as well, and if so, what tips or tricks they might be
able to offer in updating the web tree once new files have been placed
in the repository. I tried using the -i in the modules
I tend to think that each project should have their own repo. This would ease
permissioning into the repo. The alternative would be to use file system ACLs
(if you have those).
The problem with ssh is that it requires a login shell into the server (please
correct me if I'm wrong 'cos I've been
[EMAIL PROTECTED] on 05/14/2000 09:50:23 PM
CVS with its own dedicated socket/port
run across SSH
Transport secured, but the CVS socket/port
is open to the world on the remote machine,
and hence is insecure there, and on the
remote machine's network.
If the data stream
[EMAIL PROTECTED] on 05/14/2000 05:39:09 PM
Chris Cowan [EMAIL PROTECTED] writes:
In the past (no longer), I've used or attempted to use RCS and CVS with
both AFS and DFS. (I admined AFS for over 6 years, DFS for 2 years). I
would avoid the AFS/CVS combination for the following
Perhaps coincidence, perhaps not... A little while after
the last email I sent about CVS security, somebody tried to
crack me (and may very well have succeeded), repeatedly
trying to connect to the SSH port on my home machine that once
was used to port forward X between my home machine
and
Noel L Yap wrote:
[EMAIL PROTECTED] on 05/14/2000 09:50:23 PM
CVS with its own dedicated socket/port
run across SSH
Transport secured, but the CVS socket/port
is open to the world on the remote machine,
and hence is insecure there, and on the
remote machine's
On Mon, May 15, 2000 at 09:57:47AM -0400, Noel L Yap wrote:
The problem with ssh is that it requires a login shell into the server (please
correct me if I'm wrong 'cos I've been looking for a way around this).
The user needs an *account* on the server; they don't need to be
able to log into
I haven't found a good, scalable, secure way to set up CVS.
Turning recent discussions on their heads,
what is wrong with running CVS on a network filesystem
like AFS (or DFS, if you're lucky enough to have that option)?
AFS and DFS are scalable. Installations with thousands of
users are not
I understand how to secure CVS on a networked filesystem like AFS.
First, make sure that CVS has no set-user-id components.
Then, make sure that the ACLs for the repository are set correctly.
Then, manage Kerberos authentication.
This is straightforward, and does not require auditing CVS
[ On Monday, May 15, 2000 at 09:46:15 (-0400), Noel L Yap wrote: ]
Subject: Re: CVS security: networked filesystems like AFS, client server, ssh
[EMAIL PROTECTED] on 05/14/2000 09:50:23 PM
CVS with its own dedicated socket/port
run across SSH
Transport secured, but the CVS
Dear list members,
I have a cvs pserver (v.1.10.7 (client/server)) on a Debian GNU/Linux
2.1 (slink). It works just fine locally, I am able to login remotely,
but I am not able to checkout.
cvs -d :pserver:user@host:/usr/local/pkimelo/cvsroot checkout 31um
Cannot access
Gábor Ziegler writes:
I have a cvs pserver (v.1.10.7 (client/server)) on a Debian GNU/Linux
2.1 (slink). It works just fine locally, I am able to login remotely,
but I am not able to checkout.
cvs -d :pserver:user@host:/usr/local/pkimelo/cvsroot checkout 31um
Cannot
[EMAIL PROTECTED] on 05/15/2000 01:44:08 PM
C'mon, Noel, you work for a bank! Surely you know this stuff
Fortunately for the bank, I don't work at this level. I am anxious to learn,
though, so if you have any book or URL recommendations, I'd appreciate a list.
Or, perhaps better: I
I have been searching the WEB for CVS Administrator Training and only came
across one option: "CVS administration and management from GIOS"
(www.giosinc.com/Training/training.html). I found Karl Fogel's book (Open Source
Development with CVS) helpful but many setup issues remain obscure.
Eric Siegerman wrote:
The user needs an *account* on the server; they don't need to be
able to log into it.
Actually, you might not need to create a login for every user.
Just a single one, set up as above, should do. Give each user
their own key-pair, and put all their public keys in
Maybe I'm just missing something, but why wouldn't you just set up
Kerberos and use the GSSAPI connection method to access the CVS server?
This gets you past the network security issues (almost)
and into the application security issues:
how do you know that CVS itself is secure?
If you run
Or, perhaps better: I by no means have audited the security of CVS.
I think the manual states that CVS isn't secure nor is it meant to be secure --
use something else.
My version of something else:
** CVS across ssh or kserver, if you trust the client machines to
be properly secured
** CVS across AFS or DFS
How does the latter improve in any way on the former?!? If the client is
not secure, AFS and/or DFS is not going to help you in much of any manner.
Short answer: in the latter (CVS on top of AFS) CVS does not need
to be trusted. Only the filesystem needs to be
I hadn't caught this the first time. Not only is everyone using the same
account, but CVS has no way of knowing who you really are. I don't worry too
much about the former in our situation, but I do care about the latter.
Actually, I think that CVS does know who the user is
- or, at least,
I think that feature/convenience/tool support-wise pserver is far superior.
The only real downside is that someone with a packet sniffer could fairly
easily sniff your username and password.
That is fairly easy to solve, just encrypt the link with your favorite SSL
Bridge software or SSH
Dear all,
I have a number of Windows users that access a CVS repository through
WinCvs. The repository is available to them as a Samba share (that's
Windoze for NFS mountable, well close enough ;-).
Thing is that all their commits are logged with their Windows logon
names which are rather
I don't understand. What would prevent you from using CVS in client/server mode
To begin with, we can ignore pserver out of hand, right?
(unless those that configured it absolutely turned it off) if you're able to use
it in local mode? The only thing I can think of is if the repository is