[Top][All Lists]
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: Fw: need to force username of cvs 'action' when using shared
|
From: |
Pierre Asselin |
|
Subject: |
Re: Fw: need to force username of cvs 'action' when using shared |
|
Date: |
Sun, 2 May 2004 21:12:15 -0400 |
|
User-agent: |
tin/1.4.4-20000803 ("Vet for the Insane") (UNIX) (Linux/2.2.19-7.0.1 (i586)) |
Larry Jones <address@hidden> wrote:
> What you're doing (using a single account for everyone) is what is
> compromising the tracking. What you're asking for would completely
> compromise the tracking since it would allow absolutely anyone to commit
> changes whilst claiming to be anyone else they like.
Actually, Tim might be able to preseve accountability if he keeps full
control of the public keys. Each private key allows one developer to run
exactly one command, which sets that developers environment variable and
execs "cvs server" (so I guess the developers also need to tweak their
CVS_SERVER variable at the client end).
But CVS doesn't have an environment variable to fake the userid.
Seems that Tim would have to hack CVS and get a copy installed on the
colocated server, in his private tree if necessary. After that, he'd
better lock down the CVSROOT/ module, otherwise his developers could
manipulate the authorized_keys file through loginfo and other hooks.
What other holes are there? Is it worth the trouble to chase them
down?
| [Prev in Thread] |
Current Thread |
[Next in Thread] |
- Re: Fw: need to force username of cvs 'action' when using shared,
Pierre Asselin <=