Jim, all, I'll take on a point below:
> -----Original Message-----
> From: Jim.Hyslop [mailto:[EMAIL PROTECTED]
> Sent: Friday, December 19, 2003 5:19 PM
> To: 'CVS-II Discussion Mailing List'; 'CVS-II Bugs Mailing List'
> Subject: RE: CVS Security Issues

[stuff deleted...]

> > I.e. please do not pretend you can gain anything by pretending to make
> > the CVSROOT/passwd file harder to mess with.
> That's a good point - as Bruce Schneier, author of "Applied Cryptography"
> and a computer security expert, is fond of saying: Security is only as good
> as its weakest link. For pserver, access to the passwd file is not the
> weakest link by any means. Moving the file to a different location will not
> significantly improve its inherent insecurity.

[more stuff deleted ...]

The only reason to put the passwords somewhere else is to prevent someone from accidentally checking it out and accidentally changing or deleting someone else's password and checking the file back in. It's a support issue, not a security one; whether the user intended to change their password or someone else's is another question entirely. But I think there is a 'gain' here by keeping the passwd file somewhere else where some git can't wipe all the users by accident and bring development to a grinding halt. That's my opinion.

On security, you have two types of security anyway: 1) protection against malicious people and 2) protection for your data from accidental damage, deletion, or whatever ("protecting users from themselves"). CVS is part of category 2, obviously with the support of backup systems and so on. Pserver figures into category 2 because you prevent the users from accidentally working in the actual repository and doing stuff like deleting directories. The keyword here is accidental - either because of ignorance or because one was not thinking about what directory someone happened to be in. I would also argue category 2 is (still) responsible for most data loss in the world today.

Your opinion?

Season's greetings,

Mr. Jan Walter
Chief Architect
DEFINIENS AG
Trappentreustr. 1; D-80339 München
Phone: +49-(0)89-231180-18
Fax: +49-(0)89-231180-90
[EMAIL PROTECTED]
http://www.definiens.com

_______________________________________________
Info-cvs mailing list
[EMAIL PROTECTED]
http://mail.gnu.org/mailman/listinfo/info-cvs
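As an added example, not code from the post above, from CVS or from any of the participants: a Python check for the accidental-wipe case the reply describes, the kind of sanity check a site could run against a proposed CVSROOT/passwd before letting a commit replace the live one. It assumes the pserver passwd line format from the CVS manual (username:crypt(3)-hash, optionally followed by :system_username); the treatment of '#' comment lines, the policy thresholds, the administrator list, the sample user entries and their hash strings are all constructed for this example, and the commit-hook wiring that would call it is hypothetical and not shown.

```python
"""Sanity-check a proposed CVSROOT/passwd against the current one.

Policy implemented here (chosen for the example, not CVS behaviour):
  * anyone may rewrite their own password hash;
  * only administrators may add or remove users or touch another user's entry;
  * even an administrator may not remove more than max_removed users in one
    commit, which catches "checked in my private copy and wiped everyone";
  * a newly emptied password field (passwordless login) is reported.
"""

# Constructed sample: hashes are placeholder strings, not real crypt(3) output.
OLD_PASSWD = """\
# constructed sample CVSROOT/passwd
alice:ab3Q7sZt1vGxU:cvs
bob:XyZ9q2LmN0pRs:cvs
carol:Qw8e1R2t3Y4u5:cvs
anonymous::nobody
"""

ADMINS = {"alice"}  # hypothetical administrator list

# bob rotates only his own hash: should be accepted.
BOB_ROTATES = OLD_PASSWD.replace("bob:XyZ9q2LmN0pRs:cvs", "bob:Nn4v8B1cK6dFa:cvs")

# bob checks in a file containing only himself: the accidental wipe.
WIPED = "bob:XyZ9q2LmN0pRs:cvs\n"

# an admin adds a user with an empty password field.
ADD_DAVE = OLD_PASSWD + "dave::cvs\n"


def parse_passwd(text):
    """Return {user: (hash, system_user_or_None)}; raise ValueError on a malformed line.

    Blank lines and lines starting with '#' are skipped (assumption: CVS itself
    does not document comments in this file, so treat them conservatively).
    """
    entries = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) not in (2, 3) or not fields[0]:
            raise ValueError(f"line {lineno}: malformed entry {raw!r}")
        user, pwhash = fields[0], fields[1]
        sysuser = fields[2] if len(fields) == 3 and fields[2] else None
        if user in entries:
            raise ValueError(f"line {lineno}: duplicate user {user!r}")
        entries[user] = (pwhash, sysuser)
    return entries


def check_passwd_change(old_text, new_text, committer, admins, max_removed=1):
    """Return a list of problems with the proposed change; an empty list means accept."""
    try:
        old = parse_passwd(old_text)
        new = parse_passwd(new_text)
    except ValueError as exc:
        return [f"rejected: {exc}"]

    problems = []
    removed = sorted(set(old) - set(new))
    added = sorted(set(new) - set(old))
    changed = sorted(u for u in set(old) & set(new) if old[u] != new[u])

    if committer not in admins:
        foreign = [u for u in removed + added + changed if u != committer]
        if foreign:
            problems.append(f"{committer} is not an administrator but modified "
                            f"entries for: {', '.join(foreign)}")
    if len(removed) > max_removed:
        problems.append(f"{len(removed)} users removed in one commit "
                        f"({', '.join(removed)}); limit is {max_removed}")
    if old and not new:
        problems.append("the new file has no users at all")
    for u in added + changed:
        # Only complain about an empty field this change introduces; the existing
        # anonymous entry keeps its empty password on purpose.
        if new[u][0] == "" and (u not in old or old[u][0] != ""):
            problems.append(f"{u} would have an empty password field (passwordless login)")
    return problems


if __name__ == "__main__":
    for label, new, who in [("bob rotates own hash", BOB_ROTATES, "bob"),
                            ("bob wipes everyone", WIPED, "bob"),
                            ("admin wipes everyone", WIPED, "alice"),
                            ("admin adds passwordless dave", ADD_DAVE, "alice")]:
        result = check_passwd_change(OLD_PASSWD, new, who, ADMINS)
        print(f"{label}: {'accept' if not result else result}")
```

The threshold of one removal per commit is deliberately strict: legitimate user removals happen one at a time, while the failure mode the reply worries about removes many at once, so a low limit separates the two without getting in the way of routine administration.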
