mailing list archives
Re: CVS woes: .cvspass
From: Tilman Schmidt <Tilman.Schmidt () ePost de>
Date: Fri, 06 Aug 2004 10:29:36 +0200
Greg A. Woods schrieb in <bugtraq () SecurityFocus com>:
[ On Thursday, August 5, 2004 at 12:52:10 (+0300), Delian Krustev wrote: ]
There's a site outhere. It's sf.net . They demonstrate, with the number
of projects being hosted there (with pserver access), You're not right
In the scenario you speak of sf.net has no real requirement for
accountability -- their offerning using CVSpserver is effectively the
same as providing anonymous access. Sf.net doesn't care who the real
humans are in this case -- they simply do their best (which isn't always
perfect) to keep whole projects from interfering with each other.
In fact, you are even more right than you seem to think. Sf.net's
pserver access is actually anonymous and read-only. Project data in
the SF repository is considered public, and open to anonymous read
access anyway. Their pserver access doesn't add anything to that.
Meanwhile, IIUC, sf.net does also offer secure SSH access to systems
hosting CVS repositories and they use true system identities for eash
SSH account, and presumably with this offering there's normally one (or
maybe more) unique system accounts for every real human using this
That is so, and SSH access, with a system identity that is a member
of the project's development team, is required for committing changes
to a project repository.
service, though of course the responsibility of verifying the uniqueness
of system identities will be on the shoulders of the CVS project admins,
and perhaps not on sf.net themselves.
Indeed. The registration form asks you to enter a real name, and
a valid E-mail address which is verified by a confirmation E-mail,
but there is no verification beyond that.
Tilman Schmidt E-Mail: Tilman.Schmidt () ePost de
Diese Nachricht besteht zu 100% aus wiederverwerteten Bits.
Ungeöffnet mindestens haltbar bis: (siehe Rückseite)