>>>>> "NLY" == Noel L Yap <[EMAIL PROTECTED]> writes:

NLY> How do you guarantee that CVSUSER is set properly (i.e. can't be
NLY> spoofed)?

Because it is verified against the CVSROOT/cvspasswd file (it is an
extended and improved analog of CVSROOT/passwd from stock CVS).  Each
cvs user has an entry there, with her very own password.

NLY> PS I chose REMOTE_USER 'cos that's what Encommerce sets.  I
NLY> haven't figured a way to spoof Encommerce's REMOTE_USER setting,
NLY> but, then again, I'm not an expert hacker.

I just wanted to explicitly state that the value of CVSUSER is being
set up via pure CVS facilities, namely the :pserver: auth protocol.  They
are verified by a separate binary, and only if they are verified, the
`cvs' binary itself is run and uses it.

--alexm
