Larry Jones <[EMAIL PROTECTED]> wrote:

> What you're doing (using a single account for everyone) is what is
> compromising the tracking. What you're asking for would completely
> compromise the tracking since it would allow absolutely anyone to commit
> changes whilst claiming to be anyone else they like.

Actually, Tim might be able to preserve accountability if he keeps full control of the public keys. Each private key allows one developer to run exactly one command, which sets that developer's environment variable and execs "cvs server" (so I guess the developers also need to tweak their CVS_SERVER variable at the client end). But CVS doesn't have an environment variable to fake the userid. Seems that Tim would have to hack CVS and get a copy installed on the colocated server, in his private tree if necessary. After that, he'd better lock down the CVSROOT/ module, otherwise his developers could manipulate the authorized_keys file through loginfo and other hooks. What other holes are there? Is it worth the trouble to chase them down?

_______________________________________________
Info-cvs mailing list
[EMAIL PROTECTED]
http://mail.gnu.org/mailman/listinfo/info-cvs
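
An added example, not part of the original message and not code from CVS or OpenSSH: a Python check that every entry in an `authorized_keys` file carries its own forced command and disables forwarding and pty allocation, which is the property the per-key scheme discussed above depends on. The wrapper path `/usr/local/bin/cvs-as` and the key material in the sample are hypothetical placeholders.

```python
import re

KEY_TYPE = re.compile(r"^(ssh-(rsa|dss|ed25519)|ecdsa-sha2-\S+|sk-\S+)$")
OPTION = re.compile(r'([A-Za-z0-9-]+)(?:="((?:\\.|[^"\\])*)")?,?')
LOCKDOWN = {"no-port-forwarding", "no-agent-forwarding", "no-x11-forwarding", "no-pty"}

def split_options(line):
    """Return (options, rest of line); options is {} if the line starts with a key type."""
    if KEY_TYPE.match(line.split(None, 1)[0]):
        return {}, line
    opts, i = {}, 0
    while i < len(line) and not line[i].isspace():
        m = OPTION.match(line, i)          # one option, quoted value may hold spaces
        if not m:
            break
        opts[m.group(1).lower()] = True if m.group(2) is None else m.group(2)
        i = m.end()
    return opts, line[i:].strip()

def audit(text):
    """Return [(line number, issue)] for entries that break the one-key-one-command rule."""
    findings, seen = [], {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        opts, _ = split_options(line)
        cmd = opts.get("command")
        if not isinstance(cmd, str) or not cmd:
            findings.append((lineno, "no forced command: key can run anything"))
            continue
        if cmd in seen:
            findings.append((lineno, f"same forced command as line {seen[cmd]}: "
                                     "commits cannot be told apart"))
        seen.setdefault(cmd, lineno)
        if "restrict" not in opts and not LOCKDOWN <= set(opts):
            findings.append((lineno, "forwarding/pty not disabled"))
    return findings

# Constructed sample; wrapper path and key blobs are hypothetical placeholders.
SAMPLE = """\
# authorized_keys for the shared CVS account
restrict,command="/usr/local/bin/cvs-as alice" ssh-ed25519 AAAAPLACEHOLDER1 alice
command="/usr/local/bin/cvs-as bob",no-port-forwarding,no-agent-forwarding,no-X11-forwarding,no-pty ssh-ed25519 AAAAPLACEHOLDER2 bob
command="/usr/local/bin/cvs-as bob" ssh-ed25519 AAAAPLACEHOLDER3 carol
ssh-rsa AAAAPLACEHOLDER4 dave
"""

if __name__ == "__main__":
    for lineno, issue in audit(SAMPLE):
        print(f"line {lineno}: {issue}")
```

The check only covers the key file itself; it says nothing about who can write to that file, which is the CVSROOT/ hook concern raised in the message.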
