[ On Thursday, May 31, 2001 at 08:06:35 (-0400), Derek R. Price wrote: ]
> Subject: Re: Linux security issues as they pertain to CVS
>
> I don't agree. There are different levels of security, and I will grant that some
> are simply deterrents, but costs are going to be weighed in any security
> implementation decision.
I'm not talking about "levels of security" (indeed all security is
simply a matter of paying enough (in whatever currency is necessary) for
deterrents to reduce the risk of a successful exploit down to an
acceptable level). There is no such thing as "absolute security" and
that's not what I was trying to imply.
The problem is that I see it as if you're trying to say that CVS Pserver
plus SSL equals secure. It most certainly does not. You have no
provable authentication and thus no provable accountability.
The problem with even allowing pserver to continue to exist (with or
without SSL) in its present form (i.e. within CVS) is that it plainly
misleads administrators not trained in understanding trust into having
the wrong impression about the level of security they have actually
implemented if they choose to use it. This is plainly visible every day
in questions put to this list.
--
Greg A. Woods
+1 416 218-0098 VE3TCP <[EMAIL PROTECTED]> <[EMAIL PROTECTED]>
Planix, Inc. <[EMAIL PROTECTED]>; Secrets of the Weird <[EMAIL PROTECTED]>
_______________________________________________
Info-cvs mailing list
[EMAIL PROTECTED]
http://mail.gnu.org/mailman/listinfo/info-cvs
