[CLUE-Admin] Anonymous CVS Access

Jed S. Baer thag at frii.com
Sat Jan 17 22:32:53 MST 2004


On Sat, 17 Jan 2004 21:33:16 -0700
CLUE President <president at clue.denver.co.us> wrote:

> On Saturday 17 January 2004 7:50 pm, Jed S. Baer wrote:
> >
> > Well, I'm testing a script to publish the development site to a
> > location on the CLUE server. In the process, I've discovered that the
> > anonymous CVS access described at
> > http://cluedenver.org/siteDevelopment.html doesn't work.
> >
> > The culprit is the cvsroot/CVSROOT/passwd file, which specifies a
> > password for user anonymous.
> 
> AFAICT - there was no way to have an 'anonymous' user w/o a password
> using pserver. I seem to recall something in the CVS docs about it.

Well, just reading the docs @cvshome.org, it appears that it's just an
entry in the passwd file, with the password field empty.

> > So, the question is, do we really want to allow unrestricted anonymous
> > read access to the CVS repository?
> 
> Can't think of a reason not to - our code should be open source.

Ah, one thing leads to another. Published under what license? If the
consensus is GPL, then I'll stick in the appropriate files.

> > If so, there's an impact to the publish.sh script, and somebody will
> > need to add a readers file to the cvsroot/CVSROOT/ directory, and
> > change the passwd file. I can do these things.
> 
> I thought anonymous was in the readers file, but from your comments I
> guess not.

Oops, my bad. There is a readers file. Contains publish, and anonymous.
But the passwd file still requires a password for anonymous.

> > I also note that the user "publish" exists in the CVS passwd file with
> > no password, and "pubcvs" equivalent. 
> 
> IIRC, the 'publish' user does the cvs update when you run the
> publish.cgi script from the admin site.  It also should (have been) read
> only.

Nope, the publish script uses anonymous. There's a .cvspass file so that
the script doesn't need to login.

> > This is bad. 
> 
> Bad because no password and no readers file?

Yeah, if there weren't one -- except I just missed it. But if it's unused,
I'd just as soon remove it anyway.

> > Any thoughts?
> 
> You are on the case - My initial configuration does not have the same 
> assumptions as yours and you're in charge of it now.   So,  do what you
> think is best.  I hacked it together because I was a cvs newbie and
> because I didn't have clear requirements other than the ability for
> admin users to publish the latest cvs commits to the web site from the
> cgi.

OK, as long as there aren't any objections from anyone else. I note that
apparently I'm the only person to try anonymous CVS access, or anyone else
who has, didn't feel it was worth mentioning.

jed
-- 
http://s88369986.onlinehome.us/freedomsight/

... it is poor civic hygiene to install technologies that could someday
facilitate a police state. -- Bruce Schneier
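
Added example, not part of the original message or the CLUE scripts: a small audit of the pserver access files discussed in this thread. It reports which CVSROOT/passwd entries have an empty password and whether the readers (or writers) file limits them to read-only. The file contents are constructed to mirror the state described above, and the password hash is a placeholder.

```python
# Added example; sample file contents are constructed, not the CLUE server's.
SAMPLE_PASSWD = "anonymous:Xc0nstructedHash\npublish::pubcvs\n"
SAMPLE_READERS = "publish\nanonymous\n"


def parse_passwd(text):
    """Map CVS user -> (password field, system user) from CVSROOT/passwd."""
    users = {}
    for line in text.splitlines():
        fields = line.strip().split(":")
        if not fields[0]:
            continue  # blank line
        password = fields[1] if len(fields) > 1 else ""
        system_user = fields[2] if len(fields) > 2 and fields[2] else fields[0]
        users[fields[0]] = (password, system_user)
    return users


def parse_names(text):
    """One user name per line, as in CVSROOT/readers and CVSROOT/writers."""
    return {line.strip() for line in text.splitlines() if line.strip()}


def audit(passwd_text, readers_text=None, writers_text=None):
    """Return sorted (user, severity, message) findings; None = file absent."""
    readers = parse_names(readers_text or "")
    writers = None if writers_text is None else parse_names(writers_text)
    findings = []
    for user, (password, system_user) in sorted(parse_passwd(passwd_text).items()):
        # pserver rule: listed in readers, or a writers file exists without
        # this user, means read-only.
        read_only = user in readers or (writers is not None and user not in writers)
        if not password and not read_only:
            findings.append((user, "CRITICAL",
                             f"empty password and write access as '{system_user}'"))
        elif not password:
            findings.append((user, "INFO", "empty password, read-only"))
        elif read_only:
            findings.append((user, "INFO", "read-only, password required"))
    return findings


if __name__ == "__main__":
    for label, readers in (("with readers", SAMPLE_READERS), ("no readers", None)):
        print(label)
        for finding in audit(SAMPLE_PASSWD, readers):
            print("  %-10s %-9s %s" % finding)
```

With the readers file present, both accounts come out read-only; with it absent, the passwordless publish entry is the one reported as CRITICAL.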


