Re: [ANNOUNCE] cvs-nserver 1.11.1.1 released

[Frederic Brehm]

> [ On Friday, June 15, 2001 at 00:23:14 (-0700), Gianni Mariani wrote: ]
> >  Subject: Re: [ANNOUNCE] cvs-nserver 1.11.1.1 released
> >
> >  cvs-nserver sounds great.
> >
> >  I'd like to see thin kind of authentication support in the base CVS soon.


At 11:04 -0400 6/15/01, Greg A. Woods wrote:
> No, you do not.  You do not want to see ANY kind of authentication or
> authorisation support in CVS, EVER.
>
> CVS is NOT a security tool and it was not designed to be secure.


Greg tells you that you do not want what you THINK you want, but he 
does not tell you what you SHOULD want (probably because he's tired 
of repeating himself). So, what should you want? Here's a short 
explanation.

First, a review of one way to run CVS in client/server mode.

  CVS client <-------->RSH client<-------->RSH server<-------->CVS server
            CVS protocol        RSH protocol        CVS protocol


Here's a more secure way

  CVS client <-------->SSH client<-------->SSH server<-------->CVS server
            CVS protocol        SSH protocol        CVS protocol


Here's what you SHOULD want for authentication/security method XXX

  CVS client <-------->XXX client<-------->XXX server<-------->CVS server
            CVS protocol        XXX protocol        CVS protocol

So, all you have to do is to get/buy/create the XXX client/server 
pair. You don't have to modify CVS and convince the CVS maintainers 
to add your patches to the distribution (good luck!).

Something like this should probably go into the manual because this 
is definitely an FAQ. If this were in the manual, then our very own 
CVS AI robot guy :-) could reply with a URL to the manual section.

Fred


--
Fred Brehm, Sarnoff Corporation, address@hidden