On Thu, Aug 10, 2000 at 09:45:13AM -0400, Noel L Yap wrote:

> (Also, IMHO, the
> clients should generate the key pair (what password are you
> talking about?) and give you the public key).

OK, so they do that and then they attack me. Really, what does it matter
that I know their email address? What am I going to do about it?

> So you already keep a separate copy of the repository and you already perform
> audits.

I'm responsible for the quality of my code and I am always looking at all
the changes to see what people are doing. I do this already for reasons that
have nothing to do with security, but rather have to do with code quality.

And yes I have backups of my repository.

> use your pserver patch ... but don't expect it to become part of standard CVS.

Here's my point: the pserver patch makes pserver more secure. You may not 
like pserver, but it's still a part of CVS, and anything that is still a 
part of CVS ought to be the best that it can be.

There are only two defensible options here:

  a) immediately remove pserver from CVS
  b) immediately apply the patch

No other course of action is defensible. 

Justin
