Hi, I'm the maintainer of the cvsweb package for Debian. Since I took on maintaining cvsweb, I have fixed about 10 very stupid bugs. Several of these could be security holes. Cvsweb is great in concept, but the implementation is quite lacking. The design is such that I expect security holes and stupid bugs will continue to crop up unless a full rewrite is done.
Luckily, we have such a rewrite. It's called viewcvs and is already a part of debian unstable. I've been playing around with it for a few hours, and it is a near exact clone of cvsweb's user interface, and seems to not be vulnerable to any of the problems I've found in cvsweb. So I'm thinking about dropping cvsweb from Debian unstable entirely. Viewcvs could then Replace it. I'd like to know what any interested parties feel about this plan. -- see shy jo