> > Use CVS_RSH = ssh, and make sure that committers commit files via ssh
> > instead of pserver.
>
> I've been thinking for awhile that we really ought to be using ssh
> not plain pserver for committers access. I'd support making that
> change.
This change should be made before CVSROOT is made public... and even
then, old history of the passwd file should be nuked, IMHO. Use of
passwd and pserver is scary, esp for a project this big and well
known... at least all CVSup users have copies of the source code and
its history.
> Okay, I have CVSup up and available again, which allows you to
> download the whole repository locally to work on ... is there a
> strong reason why anoncvs is *required* to the repository with this
> available?
CVSup is a PITA to get setup on OSes other than FreeBSD? CVSup is a
pretty hacker oriented tool... not many folks have it, at least not
in the numbers of normal cvs users.
> Sean cites both performance and security as reasons to *not* make
> anoncvs available ...
Security for anoncvs isn't a big issue if the file system permissions
are set correctly and the ability to execute remote sh files is
disabled on the cvs server (I think it is disabled in FreeBSD's cvs,
but it's a local patch and enabled by default elsewhere. If you need
the patch, I can dig it up, it's just a two line little thing that
disables it in the pserver protocol...)
Performance for cvs update over pserver is abysmal and pretty hard on
the server, though easy on the client. If the cvs server gets bogged
down, then it may be worth while to look into this and make a call for
mirrors. Is this an issue? Putting the lock files on an mfs
partition also helps (generally needed for anoncvs anyway)... -sc
--
Sean Chittenden
