[ On Friday, June 1, 2001 at 14:02:22 (-0400), Derek R. Price wrote: ]
> Subject: Re: Linux security issues as they pertain to CVS
>
> "Greg A. Woods" wrote:
>
> > The problem is that I see it as if you're trying to say that CVS Pserver
> > plus SSL equals secure. It most certainly does not. You have no
> > provable authentication and thus no provable accountability.
>
> Not on the server side, but it prevents sniffing.

Why bother? You're gaining so little and adding yet more opportunities
for fatally wrong perceptions to creep in.
I.e. if something's worth doing then it's worth doing right (the first time!).

> Server certificate checking can
> prove to the client that it got the correct server and this can prevent the user from
> sending her password to an imposter.

Have you implemented that? Securely (i.e. with real Unix IDs)?
Why not just use SSH? It can do that already, out-of-the-box even!

--
Greg A. Woods
+1 416 218-0098 VE3TCP <[EMAIL PROTECTED]> <[EMAIL PROTECTED]>
Planix, Inc. <[EMAIL PROTECTED]>; Secrets of the Weird <[EMAIL PROTECTED]>
_______________________________________________
Info-cvs mailing list
[EMAIL PROTECTED]
http://mail.gnu.org/mailman/listinfo/info-cvs