People are growing tired of this and we're going round in circles. This 
will be my last public post on this for now. David, I thought your message
was a pretty good explanation of my point of view. 

On Fri, Aug 11, 2000 at 03:14:58PM -0400, Greg A. Woods wrote:

> In an employment contract scenario accountability can be attained in
> many ways, such as by restricting developers to a private, secure, LAN;
> and of course authentication is secure because you really do know their
> true identity and you have a legally binding contract with them.

I have set up CVS repositories for about ten different projects now. Nine
times I allow(ed) access only through SSH. In those cases if someone
misbehaved I would have the option of reprimanding them, firing
them, or maybe even charging them with something. Of course it's
never come up--the people I've worked with have all been honest,
decent, and in most cases hardworking people.

The tenth time I started out allowing access only through SSH as well, 
but I quickly discovered that many of my clients were having serious 
problems using it. I thought long and hard about the risks and decided
that the circumstances in this one case justified the use of pserver.

However, that didn't stop me from wanting pserver to be as secure as 
it could be, so I worked out a way to make it safer to use. I posted 
that patch a week or two ago, and we've been arguing about it ever since. 

Nine times out of ten I agree with you 100% and set up my repositories
exactly the way that you propose. I've been doing it that way for years. 

I sure wish I could use SSH for my open-source repository as well, but
as several people on this list have testified now, it just ain't as
easy or as painless as you claim.

I need the contributions of the Windows/Mac developers that I might
lose by staying with SSH far more than I need to avoid any chance of
a break-in, or be able to prove exactly who did it if it happens.

If/when I do experience some kind of ongoing security problem as a 
result of using pserver I will no doubt switch back to ssh, and run 
it the way I run it everywhere else (except I might chroot the ssh 
setup as well in this case). 

But I don't plan to erect any barriers to development until I have
to, especially since I know I can tolerate one or two break-ins in
the meantime.

> BTW, *how* you hold someone accountable is an entirely different
> subject, and it's something that you need to write into your security
> policy.  However no matter whether you just dismiss that person, sue
> them, charge them under the criminal system, perform a reverse attack on
> them, or _whatever_, you *MUST* know their real-world identity in order
> to do it!

I'm not going to do any of those things. I'm going to clean up the mess
and give the UID in question a second chance--only this time they will 
have to use SSH to connect. If they blow it a second time, then I'll 
drop them from the system. 

I'm not going to hold any grudges. Life is too short, and I have too 
much to do, to waste my time seeking revenge.

> What Justin is also doing, and what's unethical about it, is that he's
> promoting a totally false sense of security, and one that's known to be
> false!  Yes it's true that I did not do the ethical thing and force
> cvspserver to be ripped out of CVS long ago, but I think I've owned up
> to that mistake by now....

I have been very forthright about the risks. I've pointed out to people 
who didn't understand exactly how and why pserver was weak. The fact that
I went on to say that I could live with that weakness does not in any way
mean I've given anyone a false sense of security. 

Anyway, this has gone on long enough. I don't mind continuing this in 
private email, but I doubt people on this list are going to benefit from
this being conducted in public any longer. 

Justin 
