I've been thinking about the RCS Keyword Exploit (http://ximbiot.com/cvs/wiki/index.php?title=GPG-Signed_Commits_RCS_Keyword_Exploit).
Unless I'm mistaken, no keywords are expanded on check-in; they are all expanded on check-out, correct?
How about if CVS/Base contains the revision exactly as stored in the RCS file (which will then allow the RCS keywords to be included in the signature), and the server also sends a patch that expands the keyword, which would be stored in a separate file, such as .#filename.revision.kwd. Since these files contain only the patches required (if any) to expand RCS keywords, the files will be fairly small.
Thoughts?

-- Jim
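An added example, not part of the original message and not CVS code: one check a client could run under the scheme proposed above, confirming that the base copy matches what was signed and that the keyword-expansion patch changed nothing outside keyword fields. The function names are hypothetical, a SHA-256 digest stands in for GPG signature verification, and `$Log$` is deliberately unsupported.

```python
import hashlib
import re

# Standard RCS/CVS keywords. $Log$ is left out on purpose: its expansion
# inserts lines after the keyword, so it cannot be collapsed field by field,
# and a file that expands it is rejected by the check below.
KEYWORDS = (b"Author|CVSHeader|Date|Header|Id|Locker|Name|RCSfile|"
            b"Revision|Source|State")
KEYWORD_RE = re.compile(rb"\$(" + KEYWORDS + rb")(?::[^$\n]*)?\$")


def collapse(data: bytes) -> bytes:
    """Reduce every keyword field to its bare $Keyword$ form."""
    return KEYWORD_RE.sub(rb"$\1$", data)


def expansion_is_keyword_only(base: bytes, working: bytes) -> bool:
    """True if base and working differ only inside keyword fields."""
    return collapse(base) == collapse(working)


def check_checkout(base: bytes, working: bytes, signed_digest: str) -> bool:
    """Accept a checkout only if the base copy matches the signed digest
    (assumption: a stand-in for verifying the GPG signature) and the
    keyword patch touched nothing but keyword fields."""
    if hashlib.sha256(base).hexdigest() != signed_digest:
        return False
    return expansion_is_keyword_only(base, working)


# Constructed sample data: a base copy as stored, a working file with the
# keyword expanded, and a working file whose "keyword patch" also edits code.
BASE = b"/* $Id$ */\nint main(void) { return 0; }\n"
GOOD = (b"/* $Id: main.c,v 1.4 2005/09/01 12:00:00 alice Exp $ */\n"
        b"int main(void) { return 0; }\n")
BAD = (b"/* $Id: main.c,v 1.4 2005/09/01 12:00:00 alice Exp $ */\n"
       b"int main(void) { return 1; }\n")
DIGEST = hashlib.sha256(BASE).hexdigest()

if __name__ == "__main__":
    print("keyword-only patch accepted:", check_checkout(BASE, GOOD, DIGEST))
    print("patch touching code accepted:", check_checkout(BASE, BAD, DIGEST))
```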
