
Re: cvs.debian.org problem



Steve Greenland <steveg@moregruel.net> wrote:
> On 28-Jan-03, 11:20 (CST), Raphael Hertzog <hertzog@debian.org> wrote: 
>> And why are you doing that? I see no point in not giving CVS anonymous
>> access when we have a web interface ... and when all the code is under a
>> free license. It makes it just more difficult for people to contribute
>> (they can't use cvs diff for example).

> Because pserver is a security disaster waiting to happen -- even
> according to the CVS developers. (And has happened, as recently as
> within the last month). It's barely tolerable if the only thing it's
> used for is read-only anonymous access (which is what I presume we're
> talking about here) and it's set up correctly, but even then I would
> worry.

Running it chrooted under a non-privileged user-id in a directory
where /this/ user has no write access should make the risk tolerable.
IIRC cvsd (I don't know whether it is in Debian) can do this.
                cu andreas


