Re: HEADS UP: Importing csup into base

From: Ceri Davies <ceri_at_submonkey.net> Date: Thu, 2 Mar 2006 09:24:41 +0000 · This archive was generated by hypermail 2.4.0 : Wed May 19 2021 - 11:38:53 UTC

On Thu, Mar 02, 2006 at 12:39:05AM +0100, Maxime Henrion wrote:
> Wesley Shields wrote:
> > On Wed, Mar 01, 2006 at 04:17:08PM -0500, Kris Kennaway wrote:
> > > On Wed, Mar 01, 2006 at 04:19:32PM -0500, Wesley Shields wrote:
> > > > On Wed, Mar 01, 2006 at 03:33:41PM -0500, Lowell Gilbert wrote:
> > > > > Scott Long <scottl_at_samsco.org> writes:
> > > > > 
> > > > > > Maxime Henrion wrote:
> > > > > > > 	Hey all,
> > > > > > > I have released a new snapshot of csup a few minutes ago,
> > > > > > 
> > > > > > [...]
> > > > > > 
> > > > > > >   - Executes (shell commands sent by the server, even more rarely
> > > > > > > used),
> > > > > > 
> > > > > > Are you joking?
> > > > > 
> > > > > Are you asking whether he's joking about (1) the idea of ever
> > > > > implementing it, (2) the fact that he hasn't done it yet, or 
> > > > > (3) the idea that it's rarely used?  All of those sound 
> > > > > reasonable to me...
> > > > 
> > > > I'm questioning (1) myself.  This just seems like a bad idea from a
> > > > security perspective.  Of course, some kind of sanitization could
> > > > mitigate the issue.
> > > 
> > > Let's not lose sight of the fact that whoever runs the cvsup server
> > > already owns your machine, since they're giving you unauthenticated
> > > source code [1].
> > 
> > You are right on this point.  But on the scale of potentially bad things
> > I think a rogue server sending commands that the client exectues is
> > pretty close to a rogue server sending malicious source code.  At least
> > the source is easily verifiable and (in the case of the malicious source
> > being inserted at the master site) has a good chance of being noticed.
> > 
> > It's not that I'm 100% against this idea, but rather that I'd like to
> > see the client be cautious of the possibility of a rogue server.  Of
> > course, this could all be the plan and I'm just raising a non-issue.
> 
> Just to make things straight, executes are always off by default, and
> need to be explicitely enabled by the user.  This is how it has always
> been in CVSup, and there is no reason for csup to change that when it
> will support executes.  That said, the mail I sent wasn't about whether
> I should implement executes or not.  They are just part of the "missing
> features" list.

Just be 100% clear, what Maxime is saying here is that CVSup already has
this functionality, so this bikeshed is like 100 years too late.

Ceri
-- 
That must be wonderful!  I don't understand it at all.
                                                  -- Moliere