dropping support for cvsweb in debian
Hi, I'm the maintainer of the cvsweb package for Debian.
Since I took on maintaining cvsweb, I have fixed about 10 very stupid
bugs. Several of these could be security holes. Cvsweb is great in
concept, but the implementation is quite lacking. The design is such
that I expect security holes and stupid bugs will contine to crop up
unless a fuill rewrite is done.
Luckily, we have such a rewrite. It's called viewcvs and is already a
part of debian unstable. I've been playing around with it for a few
hours, and it is a near exact clone of cvsweb's user interface, and
seems to not be vulnerable to any of the problems I've found in cvsweb.
So I'm thinking about dropping cvsweb from Debian unstable entirely.
Viewcvs could then Replace it.
I'd like to know what any interested parties feel about this plan.
see shy jo