Greg Woods writes:
> It's all part of the same thing. In computer
> security you can't have any accountability without
> authorisation, and to do authorisation you have to
> have "strong" authentication [...]

Again, I agree with you on the principle. It makes perfect sense. On the other hand, from a purely practical point of view, many repositories are trying to put in *some* level of control without having to set up a full C2-style access control mechanism. Sure, it's not perfect, but it's adequate in most situations (this is a judgement call, and involves a resources vs security tradeoff).

I'm sure you've seen typical corporate IT setups - everything is broken up into departments, and the network administrators don't necessarily cooperate with the domain administrators, who don't in turn work too closely with the repository administrators. This makes it hard for the repository administrator to put in a level of access control without having to spend days or months running after the other departments, and genuflecting in front of the change review boards.

Other competitive source-code control systems have such informal mechanisms in place that are trivial to administer, _for the person who is responsible for maintaining the repository_, and it's generally in response to overwhelming customer demand.

-- Shankar.

_______________________________________________
Info-cvs mailing list
[EMAIL PROTECTED]
http://mail.gnu.org/mailman/listinfo/info-cvs
