From: Tom Lane <[email protected]>
To: Robert Treat <[email protected]>
Cc: Marc G. Fournier <[email protected]>
Cc: [email protected]
Subject: Re: things currently broken/missing
Date: Wed, 11 Feb 2004 11:15:16 -0500
Message-ID: <[email protected]>
In-Reply-To: <1076514410.17920.94.camel@camel>
References: <1076509856.18024.90.camel@camel>
	<[email protected]>
	<1076514410.17920.94.camel@camel>

Robert Treat <[email protected]> writes:
> On Wed, 2004-02-11 at 10:19, Marc G. Fournier wrote:
>> Odd ... I just disabled it ... why would we want that ability enabled:
>> 
>> # allow annotation of files
>> # this requires rw-access to the
>> # CVSROOT/history - file and rw-access
>> # to the subdirectory to place the lock
>> # so you maybe don't want it
>> 
>> sounds to me like anyone with a web browser can write to CVS?

> that's not what it's supposed to do, though it does sound like that's what
> it does from the instructions you've pasted. What it's supposed to do is
> give you a breakdown of file changes per version, similar to this:
> http://www.freebsd.org/cgi/cvsweb.cgi/ports/www/urchin5/Makefile?annotate=1.2

I think we probably ought to leave this turned off.  From a security
standpoint, it would scare me quite a lot for the cgi user to have write
access to the CVS tree.  Even though the annotation software itself may
do nothing more risky than temporarily locking files, what of bugs that
might allow someone to make more extensive changes?

The annotation display is kind of nice, but it doesn't strike me as
useful enough to be worth taking any risks for.  The people who are
likely to need it all have local CVS copies and can just run "cvs anno"
when they need it.  (But then, I only find a use for this maybe a couple
times a year.  Perhaps other people depend on it more?)

			regards, tom lane
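The concern in this message is that the web server's CGI account should never hold write access to the repository, whatever feature might ask for it. The following audit helper is an added example, not part of the thread or of cvsweb itself: given a repository path and the account the CGI runs as (both assumed names here), it reports every path that cvsweb's annotate support would need to write, namely CVSROOT/history and the directories that would hold its lock files, and exits non-zero if that account can write to any of them. Group membership is resolved with `id -Gn`; an account unknown to the host is treated as "other". Paths are assumed to contain no whitespace.

```shell
#!/bin/sh
# Added audit helper (hypothetical; not from the thread or from cvsweb).
# Reports whether a given account can write to the places cvsweb's
# annotate feature needs: CVSROOT/history and the directories it locks.

# user_can_write PATH USER -> prints "yes" or "no" ("missing" if PATH is absent)
user_can_write() {
  path=$1; user=$2
  [ -e "$path" ] || { echo missing; return 1; }
  # Field 1 of `ls -ld` is the mode string, field 3 the owner, field 4 the group.
  set -- $(ls -ld "$path")
  mode=$1; owner=$3; group=$4
  # root bypasses mode bits entirely.
  if [ "$user" = root ]; then echo yes; return 0; fi
  if [ "$owner" = "$user" ]; then
    bit=$(echo "$mode" | cut -c3)          # owner write bit
  elif id -Gn "$user" 2>/dev/null | tr ' ' '\n' | grep -qx "$group"; then
    bit=$(echo "$mode" | cut -c6)          # group write bit
  else
    bit=$(echo "$mode" | cut -c9)          # other write bit
  fi
  if [ "$bit" = w ]; then echo yes; else echo no; fi
}

# audit_cvsroot REPO USER -> exit 0 if USER cannot write to any checked path,
# otherwise lists the writable paths and exits 1.
audit_cvsroot() {
  repo=$1; user=$2; bad=0
  # Annotation appends to CVSROOT/history and drops a lock file into the
  # directory of the file being annotated, so every directory is checked.
  for p in "$repo/CVSROOT/history" $(find "$repo" -type d); do
    if [ "$(user_can_write "$p" "$user")" = yes ]; then
      echo "WRITABLE by $user: $p"
      bad=$((bad + 1))
    fi
  done
  [ "$bad" -eq 0 ]
}

# Usage (assumed paths and account name):
#   audit_cvsroot /home/projects/pgsql/cvsroot www && echo "cgi user cannot write"
```

A clean run is the expected state for a read-only cvsweb deployment; any line reported as writable means the CGI account could modify the tree even with annotation switched off.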
