Re: cvs-nserver and latest CVS advisory (Was: patch to make CVS chroot)

[Tobias Weingartner]

On Wednesday, August 9, Justin Wells wrote:
> 
> ssh CVS is just as vulnerable though. Just because I gave someone a write
> password doesn't mean that they are going to be trustworthy.

Right there you are contradicting yourself.  If you *give* someone a means
to make changes, that implies that you *trust* them to make changes.  If
that is not the case, you are painting yourself into a corner.


> Even if I find out who they are--what am I going to do about it? Sue them?
> What if they are outside North America?

A rather US centered attitude.  Sue them?  Given *trust*, this should not be
an issue.  And yes, there are a number of means to establish trust among users
and clients.  They all take some non-finite amount of time and commitment
though.  (At least the ones I know of...)

--Toby.