Re: CVS security audit?

2003-12-22 Thread Greg A. Woods
[ On Friday, December 19, 2003 at 21:00:46 (-0500), Larry Jones wrote: ]
> Subject: Re: CVS security audit?
>
> The objection is that CVS was never *designed*, or even *intended*, to
> be secure.  An audit will affect my confidence not one whit -- it's
> sufficient to keep honest people honest, nothing more.

Indeed.  I couldn't agree more.

Furthermore CVS was designed to use any sufficiently transparent remote
job execution protocol that could have a wrapper put around it such that
it works like rsh.  What more could anyone ask for than to leave both
communications _and_ security to some other specialized tools?

-- 
Greg A. Woods

+1 416 218-0098  VE3TCP  RoboHack [EMAIL PROTECTED]
Planix, Inc. [EMAIL PROTECTED]  Secrets of the Weird [EMAIL PROTECTED]


___
Info-cvs mailing list
[EMAIL PROTECTED]
http://mail.gnu.org/mailman/listinfo/info-cvs


CVS security audit?

2003-12-19 Thread Eric Siegerman
Just out of curiosity, is this rash of CVS security fixes coming
out of the savannah.gnu.org audit?

Let me be a bit of a gadfly: I presume the Savannah folks are
security-auditing CVS along with other relevant tools, even if
they aren't the source of the current bug reports.

Now, I seem to recall that one of the big objections to pserver
is that CVS has never had a security audit.  Once the Savannah
audit is finished, that objection goes away.  How will that
affect people's level of confidence in pserver and the like?

--

|  | /\
|-_|/ Eric Siegerman, Toronto, Ont.[EMAIL PROTECTED]
|  |  /
It must be said that they would have sounded better if the singer
wouldn't throw his fellow band members to the ground and toss the
drum kit around during songs.
- Patrick Lenneau




Re: CVS security audit?

2003-12-19 Thread Eric Siegerman
[following up my own post; sorry]

On Fri, Dec 19, 2003 at 06:08:40PM -0500, I wrote:
> How will [a security audit having been done]
> affect people's level of confidence in pserver and the like?

In another thread, on Fri, Dec 19, 2003 at 11:18:57AM -0500, Jim.Hyslop wrote:
> Well, clearly pserver is not secure because the password is sent effectively
> in plain text [...]

Woops, I'd forgotten about that!  Ok, as regards pserver itself,
my question was pretty dumb.  But how about GSSAPI or Kerberos
with encryption?

--

|  | /\
|-_|/ Eric Siegerman, Toronto, Ont.[EMAIL PROTECTED]
|  |  /
It must be said that they would have sounded better if the singer
wouldn't throw his fellow band members to the ground and toss the
drum kit around during songs.
- Patrick Lenneau




Re: CVS security audit?

2003-12-19 Thread Larry Jones
Eric Siegerman writes:
 
> Now, I seem to recall that one of the big objections to pserver
> is that CVS has never had a security audit.  Once the Savannah
> audit is finished, that objection goes away.  How will that
> affect people's level of confidence in pserver and the like?

The objection is that CVS was never *designed*, or even *intended*, to
be secure.  An audit will affect my confidence not one whit -- it's
sufficient to keep honest people honest, nothing more.

-Larry Jones

Like I'm going to get any sleep NOW. -- Calvin

