Re: cvs-nserver and latest CVS advisory (Was: patch to make CVS chroot)

[Justin Wells]

On Thu, Aug 10, 2000 at 12:40:20PM -0400, Greg A. Woods wrote:
> The current implementation of cvspserver was always fatally broken.  the
> RSH method was available right from the beginning and could just as
> easily have been implemented in every client, easier in fact than
> writing the current broken code.

The RSH method just hands out shells on the box directly. How is that a
good idea? At least pserver can be patched so it doesn't give out shells.

> Nobody in their right mind, i.e. nobody who has even an ounce of
> understanding of computer security, would ever want to avoid using real
> system IDs for commit access.

For the record I agree with this. I used real system ids with pserver.

Justin