[EMAIL PROTECTED] on 2000.08.10 10:26:29
>On Thu, Aug 10, 2000 at 09:45:13AM -0400, Noel L Yap wrote:
>
>> (Also, IMHO, the
>> clients should generate the key pair (what password are you
>> talking about?) and give you the public key).
>
>OK, so they do that and then they attack me. Really, what does it matter
>that I know their email address? What am I going to do about it?

Exactly what you've been saying you're going to do about it -- recover. Only
now, you really do know their email address -- it's not just someone pretending
to be them.

>> So you already keep a separate copy of the repository and you already perform
>> audits.
>
>I'm responsible for the quality of my code and I am always looking at all
>the changes to see what people are doing. I do this already for reasons that
>have nothing to do with security, but rather have to do with code quality.
>
>And yes I have backups of my repository.

OK, you've answered your own question above. What's the problem?

>> use your pserver patch ... but don't expect it to become part of standard
>> CVS.
>
>Here's my point: the pserver patch makes pserver more secure. You may not
>like pserver, but it's still a part of CVS, and anything that is still a
>part of CVS ought to be the best that it can be.
>
>There are only two defensible options here:
>
> a) immediately remove pserver from CVS
> b) immediately apply the patch

 c) prove that the patch either makes CVS worse, or does nothing to CVS. If
    either is true, CVS should stay as is.

I think you've done a decent job explaining the merits of your patch. All I've
seen against it is, "It's bad." Can we get something substantial and specific
explaining why it is bad?

Noel

This communication is for informational purposes only. It is not intended as
an offer or solicitation for the purchase or sale of any financial instrument
or as an official confirmation of any transaction. All market prices, data
and other information are not warranted as to completeness or accuracy and
are subject to change without notice. Any comments or statements made herein
do not necessarily reflect those of J.P. Morgan & Co. Incorporated, its
subsidiaries and affiliates.