From owner-freebsd-hackers  Wed Sep 17 09:51:21 1997
Return-Path: <owner-freebsd-hackers>
Received: (from root@localhost)
          by hub.freebsd.org (8.8.7/8.8.7) id JAA24314
          for hackers-outgoing; Wed, 17 Sep 1997 09:51:21 -0700 (PDT)
Received: from alpo.whistle.com (alpo.whistle.com [207.76.204.38])
          by hub.freebsd.org (8.8.7/8.8.7) with ESMTP id JAA24309
          for <hackers@FreeBSD.ORG>; Wed, 17 Sep 1997 09:51:16 -0700 (PDT)
Received: (from daemon@localhost)
	by alpo.whistle.com (8.8.5/8.8.5) id JAA19469;
	Wed, 17 Sep 1997 09:47:32 -0700 (PDT)
Received: from current1.whistle.com(207.76.205.22)
 via SMTP by alpo.whistle.com, id smtpd019465; Wed Sep 17 16:47:29 1997
Message-ID: <34200977.446B9B3D@whistle.com>
Date: Wed, 17 Sep 1997 09:46:47 -0700
From: Julian Elischer <julian@whistle.com>
Organization: Whistle Communications
X-Mailer: Mozilla 3.0Gold (X11; I; FreeBSD 2.2-CURRENT i386)
MIME-Version: 1.0
To: itojun@itojun.org
CC: Marc Slemko <marcs@znep.com>, hackers@FreeBSD.ORG
Subject: Re: cvs pserver mode
References: <Pine.BSF.3.95.970916235732.6754A-100000@alive.znep.com> <19600.874477702@itojun.csl.sony.co.jp>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-hackers@FreeBSD.ORG
X-Loop: FreeBSD.org
Precedence: bulk

itojun@itojun.org wrote:
> 
> >>      does any of you have trouble using pserver mode of cvs?
> >First, don't use pserver.  It sucks.  Badly.  It stores unencrypted
> >passwords on the clients disk and anyone with a shell on the server an
> >steal connections (and hence passwords) from users connecting.  Bad.
> >Secondly, you need the --allow-root option to tell it what repositories to
> >use.  This is new in 1.9.10 or something like that.
> 
>         Thanks very much for the comment (and to Julian), I'll keep myself
>         away from pserver.
> 
>         My goal is to have a way to publish half-public source code to
>         20 or so people, without giving them an account on my machine.
>         (they won't make changes to my repository)
>         Options seems to be as follows, but I don't know which is good/bad.
>         - cvs pserver (should stay away from this)
>         - anonymous cvs + some modification
>           (how to set it up? OpenBSD people uses this to keep them in sync)
>         - cvsupd + some modification
>           (current version has no authentication, it seems)
>         - give an account (say, "mygroup") to them and use rsh/ssh
> 
>         Please let me know your opinion.  Thanks!
> 
> itojun
you can use ssh  as the transport in which case you need to make it so
the othe rpeople can do an ssh to your server
(at least that way the passwd is protected)
if you use pserver, set up an alternate password file in the CVSROOT
directory (as directd in the docs,) or make sure that teh accounts 
you setup for them have no login shell. That way all they can do is CVS.
If you have kerberos of course the kserver protocol is the most secure.

how about setting up a cvsup server?
then they can get updates as needed. and how about a cvsweb server
(as seen at http://www.freebsd.org/cgi/cvsweb.cgi/ )