On Sat, Aug 05, 2000 at 02:32:53PM -0400, Greg A. Woods wrote:

> Excuse me?  If you just run CVS as normal *REAL* users then you can have
> all the benefits of unix groups!

Sorry, I can't do that. It's not possible.


> Please do not try to resolve inconsistencies in your own requirements by
> making everything less secure!

If you try to use my patch with anything other than pserver it exits with
an error message. It certainly has not made anything less secure. The 
security of any pserver installation which deploys it will increase.

Your statement deserves ridicule.


> WinCVS works very well with SSH on NT -- I've no experience with Win9x,

It most certainly does not!

Do you want me to forward to you the 50 or so emails I got from Windows
users struggling to make it work? Do you know how many succeeded? Maybe
if I flew to Bulgaria or Australia or Brazil or wherever they happen to
be then with some experience I could get it to work for them.

But guess what? These people are volunteering their time and energy to 
my project. They aren't willing to spend any effort on making their 
WinCVS/ssh system work when it fails. They just give up and do something
different and I lose those resources.

That's just unacceptable. I can tell you I tried your ssh solution for 
six months and now I'm running from it as fast and hard as I can before
it kills my project. 

It's a disaster. It certainly does not work "very well". It's a failure.


> > I can't force them to switch to Unix, install loads of specialized 
> > software, or fix WinCVS so that its ssh mode actually works. I do 
> > *have* to provide them with access to my CVS tree or my project will 
> > die--not an option. 
> 
> Why don't you at least put some effort into using SSH!?!?!?!?!?!

It doesn't matter how much effort *I* am willing to put into it. It matters
how much effort the client has to put into it--NOT VERY MUCH.

Any solution has to be dead simple for people to install and use. In that
regard, WinCVS/ssh is vapourware. It's not a viable option, unless all or
most of your clients run unix. 


> > CVS needs a general solution to this problem. What I did isn't ideal, in
> > any sense, but it is about 1000 times better than doing nothing.
> 
> CVS already has a general solution to this problem -- use real unix IDs!

Vapourware won't help me.


> I have no idea what you're talking about.  The only thing that's
> happened is that people who don't know anything about security have been
> trying to mess with things they obviously don't understand.  If CVS is
> just used *properly* (i.e. the way it was designed to be used) then
> there is no problem to solve in the first place!

However there are no viable clients to use it "properly". I agree with 
you that it would be preferable to pserver. But six months of running it
the way you have suggested has taught me that it doesn't work. 

Here are some simple facts. Pay attention:

  1) I need to run pserver
  2) I need ACL
  3) The patch I posted increases the security of pserver

No, it's not perfect security, but on a machine serving no other purpose 
than to run pserver it really is good enough. 

> SSH is only one of the options that *does* work.  In a secure
> environment you can use a less secure transport, such as RSH.

I guess you just aren't paying attention. I don't have a secure environment.
I have anonymous strangers out there on the net trying to get at
my source code, and I am trying to help them. I have some other people 
who have posted code to my list from time to time who I have opened up 
write access to sections of my CVS archive to, and I am trying to help 
them too.

I have no idea what kinds of computers these people have or even where
they live. 

No, Greg, this isn't the way that *you* use CVS, but it's what I have 
to do.


> If your clients are so helpless as to be unable to figure out how to get
> SSH to work then you could much more easily create a canned, tested,
> configuration for them and be done with it than you can fiddle with
> stuff you should leave well enough alone.

Sorry, I can't do that. You still don't get it.

> IT ALREADY HAS AS MANY EXTERNAL AUTH MODULES AS YOU CAN DREAM UP!!!!!

And none of them work in any useful way.

> SSH, for example is *EXACTLY* what you've asked for, AND IT ALREADY
> WORKS!!!!

Sorry Greg, I tried it for the last six months, it just doesn't work. 
Maybe with a lot of fiddling it could be made to work on a client by 
client basis--but I don't even know who these people are, and they 
certainly aren't going to let me fiddle with their computers, even if
I somehow found the time and money to fly to Bulgaria or Brazil or Australia
or wherever to try.

Here's a fact for you to digest: when I switched my pserver to ssh, activity
on my cvs repository dropped to near zero except for Unix people. When I 
reverted back to pserver, interest picked up immediately. 

That's a fact. WinCVS/ssh just doesn't work, and if it can be made to 
work, it just isn't good enough for widespread use.

Justin
