public inbox for [email protected]  
From: Marc G. Fournier <[email protected]>
To: Tom Lane <[email protected]>
Cc: Robert Treat <[email protected]>
Cc: Marc G. Fournier <[email protected]>
Cc: [email protected]
Subject: Re: things currently broken/missing
Date: Wed, 11 Feb 2004 12:35:58 -0400 (AST)
Message-ID: <[email protected]>
In-Reply-To: <[email protected]>
References: <1076509856.18024.90.camel@camel>
	<[email protected]>
	<1076514410.17920.94.camel@camel>
	<[email protected]>


Doing a quick look, we're running an *ancient* version (not sure what
version):

# $Id: cvsweb.cgi,v 1.1.1.1 2001/10/03 12:24:53 root Exp $

vs 2.0.6 which is in FreeBSD ports:

# $FreeBSD: projects/cvsweb/cvsweb.cgi,v 1.119.2.6 2002/09/26 20:56:05 scop Exp $

and:

The latest beta version, 2.9.2 on the web site at:

        http://www.freebsd.org/projects/cvsweb.html

So, do we want to look at upgrading? :)

On Wed, 11 Feb 2004, Tom Lane wrote:

> Robert Treat <[email protected]> writes:
> > On Wed, 2004-02-11 at 10:19, Marc G. Fournier wrote:
> >> Odd ... I just disabled it ... why would we want that ability enabled:
> >>
> >> # allow annotation of files
> >> # this requires rw-access to the
> >> # CVSROOT/history - file and rw-access
> >> # to the subdirectory to place the lock
> >> # so you maybe don't want it
> >>
> >> sounds to me like anyone with a web browser can write to CVS?
>
> > That's not what it's supposed to do, though it does sound like that's what
> > it does from the instructions you've pasted. What it's supposed to do is
> > give you a breakdown of file changes per version, similar to this:
> > http://www.freebsd.org/cgi/cvsweb.cgi/ports/www/urchin5/Makefile?annotate=1.2
>
> I think we probably ought to leave this turned off.  From a security
> standpoint, it would scare me quite a lot for the cgi user to have write
> access to the CVS tree.  Even though the annotation software itself may
> do nothing more risky than temporarily locking files, what of bugs that
> might allow someone to make more extensive changes?
>
> The annotation display is kind of nice, but it doesn't strike me as
> useful enough to be worth taking any risks for.  The people who are
> likely to need it all have local CVS copies and can just run "cvs anno"
> when they need it.  (But then, I only find a use for this maybe a couple
> times a year.  Perhaps other people depend on it more?)
>
> 			regards, tom lane
>

----
Marc G. Fournier           Hub.Org Networking Services (http://www.hub.org)
Email: [email protected]           Yahoo!: yscrappy              ICQ: 7615664
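Tom's concern above is whether the CGI account can write anywhere in the CVS tree, which is what cvsweb's annotate option needs (rw on CVSROOT/history and on the directory holding the lock). As an added example, not code from this thread or from cvsweb, the POSIX shell audit below lists every path under a repository that a given account could write to, run here against a constructed miniature repository layout; the account name, group and layout are assumptions.

```sh
#!/bin/sh
# Added audit helper, not code from this thread or from cvsweb: report
# every path under a CVS repository that a given account could write.
# cvsweb's annotate needs rw-access to CVSROOT/history and to the
# directory holding the lock, which is exactly what the thread decides
# the CGI account should not have; a read-only repo prints nothing.
set -eu

# cvs_writable_paths REPO USER GROUP
# Prints, one per line, each path under REPO writable by USER (whose
# group is GROUP): owned by USER with u+w (0200), group-owned by GROUP
# with g+w (0020), or world-writable (0002). Empty output = read-only.
cvs_writable_paths() {
    repo=$1 user=$2 group=$3
    find "$repo" \( -user "$user" -perm -200 \) \
                 -o \( -group "$group" -perm -020 \) \
                 -o -perm -002 | sort
}

# cvs_writable_count REPO USER GROUP: number of writable paths.
cvs_writable_count() {
    cvs_writable_paths "$@" | wc -l | tr -d ' '
}

# make_sample_repo DIR: constructed miniature repository layout (not real
# CVS data) that is read-only except CVSROOT/history, which is left
# writable the way an annotate-enabled setup would need it.
make_sample_repo() {
    dir=$1
    mkdir -p "$dir/CVSROOT" "$dir/pgsql/src"
    : > "$dir/CVSROOT/history"
    : > "$dir/pgsql/src/Makefile,v"
    chmod 444 "$dir/pgsql/src/Makefile,v"
    chmod 664 "$dir/CVSROOT/history"
    chmod 555 "$dir/pgsql/src" "$dir/pgsql" "$dir/CVSROOT" "$dir"
}

# Demonstration against the sample, audited as the current account
# (assumed here to stand in for the web server's CGI user).
sample=$(mktemp -d)
make_sample_repo "$sample"
echo "writable by $(id -un): $(cvs_writable_count "$sample" "$(id -un)" "$(id -gn)")"
cvs_writable_paths "$sample" "$(id -un)" "$(id -gn)"
chmod -R u+w "$sample" && rm -rf "$sample"
```

Against a real repository, run it with the web server's user and group; any line it prints is a place a cvsweb bug could turn into a write to the tree.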
