Re: Please sign software with GnuPG



Sven Neumann <sven gimp org> writes:

> Hi,
> 
> Peter Wainwright <prw wainpr demon co uk> writes:
> 
> > That said, I don't know what the security issues are with CVS.
> 
> the most severe security issue with GNOME CVS is probably that it
> still uses the pserver protocol that gives no reasonable
> authentication at all although there have been alternatives around for
> years. GNOME CVS is the only CVS server I know of that still doesn't
> use ssh key authentication to identify trusted users that are
> allowed to commit. Is there a good reason for that?

Mostly lack of time to move over to ssh authentication.  Also, ssh is
hardly a panacea.  Given that anyone can still commit to any module you
are only as safe as all the keys are.  Monitoring CVS commits is still a
good idea.

That being said, HP has kindly donated a new machine to act as
cvs.gnome.org.  When it arrives, we're planning on using it as an
opportunity to move to ssh-based CVS with the goal of phasing out
pserver within a certain time period.

Thanks,
-Jonathan


