[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [Cvs-dev] cvs features for gnu savannah
From: |
Thorsten Glaser |
Subject: |
Re: [Cvs-dev] cvs features for gnu savannah |
Date: |
Thu, 1 Dec 2016 21:08:14 +0000 (UTC) |
Bob Proulx dixit:
>That looks very interesting. I only very briefly skimmed the above
>and I wonder how well that will work for MS-Windows users of cvs.
SSH works on Windows just as well, with a variety of clients
(I’ve toyed with this with TortoiseCVS a bit, ages ago).
>However it also addresses a different issue point. It is an encrypted
>transport while the straight pserver is not. There are at least two
Yes, which is a good thing, as it’s not just encrypted (which may also
be a good selling point) but also secures the content in a way that
ensures that the client gets the correct (not corrupt, not modified)
source code.
>camps on this. One worries about clients with limited capabilities
>and resources. We want to continue to provide for them. The other
Yes, I understand them. (This is indeed a scenario in which I see
pserver, but for the general populace I’d prefer it to not be used.)
>camp is worried about man-in-the-middle attacks against unencrypted
>transports being able to inject malicious bytes into the transaction.
>That camp would like to shutdown unencrypted transports to prevent the
>possibility of such malicious injection. And at least another camp
>will want this to be the choice of individual projects to decide for
>themselves.
I find myself between those chairs, I personally don’t run pserver
because the server part is a hassle, while the SSH part integrates
well, but I’m not opposed to providing it to those who cannot use
SSH transport for various reasons (even though I’d urge them to
reconsider).
>> Of course, you can continue running pserver, although, please, in
>> read-only mode.
>
>Savannah has always run pserver in read-only mode and as a uniquely
>different user id with no file permissions.
OK.
>> > because no one else would know of the locally patched version. If
>> > these patches were in an official release then we wouldn't need to be
>> > maintaining our own source fork. That way Savannah would get the
>>
>> True, although for that point it doesn’t matter whether “in an official
>> release” means upstream or distribution.
>
>Agreed. Either way will work nicely for Savannah. Although upstream
>is obviously beneficial to the larger community.
Sure, but that’s precisely the reason I wish to do that more slowly,
well actually, more carefully.
Thanks,
//mirabilos
--
Solange man keine schmutzigen Tricks macht, und ich meine *wirklich*
schmutzige Tricks, wie bei einer doppelt verketteten Liste beide
Pointer XORen und in nur einem Word speichern, funktioniert Boehm ganz
hervorragend. -- Andreas Bogk über boehm-gc in d.a.s.r