
Re: [Cvs-dev] cvs features for gnu savannah


From: Thorsten Glaser
Subject: Re: [Cvs-dev] cvs features for gnu savannah
Date: Thu, 1 Dec 2016 21:08:14 +0000 (UTC)

Bob Proulx dixit:

>That looks very interesting.  I only very briefly skimmed the above
>and I wonder how well that will work for MS-Windows users of cvs.

SSH works on Windows just as well, with a variety of clients
(I’ve toyed with this with TortoiseCVS a bit, ages ago).

>However it also addresses a different issue point.  It is an encrypted
>transport while the straight pserver is not.  There are at least two

Yes, which is a good thing, as it’s not just encrypted (which may also
be a good selling point) but also secures the content in a way that
ensures that the client gets the correct (not corrupt, not modified)
source code.

>camps on this.  One worries about clients with limited capabilities
>and resources.  We want to continue to provide for them.  The other

Yes, I understand them. (This is indeed a scenario in which I see
pserver, but for the general populace I’d prefer it to not be used.)

>camp is worried about man-in-the-middle attacks against unencrypted
>transports being able to inject malicious bytes into the transaction.
>That camp would like to shut down unencrypted transports to prevent the
>possibility of such malicious injection.  And at least another camp
>will want this to be the choice of individual projects to decide for
>themselves.

I find myself between those chairs, I personally don’t run pserver
because the server part is a hassle, while the SSH part integrates
well, but I’m not opposed to providing it to those who cannot use
SSH transport for various reasons (even though I’d urge them to
reconsider).

>> Of course, you can continue running pserver, although, please, in
>> read-only mode.
>
>Savannah has always run pserver in read-only mode and as a uniquely
>different user id with no file permissions.

OK.

>> > because no one else would know of the locally patched version.  If
>> > these patches were in an official release then we wouldn't need to be
>> > maintaining our own source fork.  That way Savannah would get the
>>
>> True, although for that point it doesn’t matter whether “in an official
>> release” means upstream or distribution.
>
>Agreed.  Either way will work nicely for Savannah.  Although upstream
>is obviously beneficial to the larger community.

Sure, but that’s precisely the reason I wish to do that more slowly,
well actually, more carefully.

Thanks,
//mirabilos
-- 
As long as you don't pull any dirty tricks, and I mean *really*
dirty tricks, like XORing both pointers of a doubly linked list
and storing them in just one word, Boehm works quite
excellently.           -- Andreas Bogk on boehm-gc in d.a.s.r


