From: itojun@itojun.org
To: hackers@freebsd.org
Subject: Re: cvs pserver mode (summary)
In-reply-to: Julian Elischer's message of Wed, 17 Sep 1997 09:46:47 -0700. <34200977.446B9B3D@whistle.com>
Date: Thu, 18 Sep 1997 08:49:54 +0900
Message-ID: <26897.874540194@itojun.csl.sony.co.jp>

Many thanks to the people who sent me comments about this:

>> Thanks very much for the comment (and to Julian), I'll keep myself
>> away from pserver.
>> My goal is to have a way to publish half-public source code to
>> 20 or so people, without giving them an account on my machine.
>> (they won't make changes to my repository)
>> Options seem to be as follows, but I don't know which is good/bad.
>> - cvs pserver (should stay away from this)
>> - anonymous cvs + some modification
>>   (how to set it up?
>>   OpenBSD people use this to keep them in sync)
>> - cvsupd + some modification
>>   (current version has no authentication, it seems)
>> - give an account (say, "mygroup") to them and use rsh/ssh
>> Please let me know your opinion. Thanks!

Summary of the answers is as follows:

1. cvs pserver mode is not good since:
   - it stores cleartext password in ~/.cvspass
   - cleartext password will be transmitted over the net
2. cvs pserver mode needs "--allow-root=/cvsroot", which is a new option
   introduced in 1.19.10.
3. make an account for people with no login shell, let them use ssh to
   invoke remote cvs.
4. use cvsup server.
5. anoncvs server in chroot'ed environment. needs some modification to
   cvs, and need to write a wrapper.
6. how about rsync?

Finally, I set up a cvsup server with IP address check.
The security I wanted was to restrict the people who can fetch my
repository to a small number of members (20 or so), and the members are
already known. (I did not want them to have an account on my machine)
cvsup server with IP address check (cvsupd.access) seems to be the
easiest and sound solution for me.

I don't know why, but I wasn't able to run pserver successfully.
Anyway, the suggestion was that pserver has pitfalls, so I did not use it.

Again, I would like to say thank you for the wonderful answers.

itojun
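
Option 3 in the summary (an account with no login shell that can only invoke remote cvs over ssh) can be enforced with an ssh forced command. The wrapper below is an added example, not part of the original message. The script path, the cvs binary location, the address pattern and the key in the `authorized_keys` comment are assumptions or placeholders, and read-only access still has to come from file permissions on the repository.

```shell
#!/bin/sh
# Forced-command wrapper for a shared CVS account that has no login shell.
# Assumed authorized_keys entry, one per member key (script path, address
# pattern and key are placeholders):
#   command="/usr/local/libexec/cvs-only",from="192.0.2.*",no-pty,no-port-forwarding,no-agent-forwarding,no-X11-forwarding ssh-ed25519 AAAA...placeholder member1
# sshd then runs this script whatever the client asked for, and passes the
# client's request in SSH_ORIGINAL_COMMAND.

CVS_BIN=${CVS_BIN:-/usr/bin/cvs}   # assumed location of the cvs binary

# Print "allow" only for the exact request a CVS client sends over rsh/ssh
# ("cvs server"). Anything else, including an interactive login (empty
# request) or extra shell syntax, prints "deny".
classify_request() {
    case "$1" in
        "cvs server") echo allow ;;
        *)            echo deny ;;
    esac
}

# The first field of SSH_CONNECTION is the client address (for the log line).
client_addr() {
    set -- $1
    echo "${1:-unknown}"
}

# Replace non-printable bytes so a hostile request cannot forge log lines.
printable() {
    printf '%s' "$1" | tr -c '[:print:]' '?'
}

main() {
    request=${SSH_ORIGINAL_COMMAND-}
    if [ "$(classify_request "$request")" = allow ]; then
        exec "$CVS_BIN" server     # fixed argv, nothing taken from the client
    fi
    logger -t cvs-only \
        "denied $(client_addr "${SSH_CONNECTION-}"): $(printable "$request")"
    echo "cvs-only: this account only runs 'cvs server'" >&2
    exit 1
}

# Run only inside an ssh session, so the functions can be sourced and tested.
if [ -n "${SSH_CONNECTION-}" ]; then
    main
fi
```

The `from=` option gives the same kind of address restriction as the cvsupd.access check the message settles on, applied per key.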