Re: things currently broken/missing

-On [20040211 17:32], Tom Lane (tgl@sss.pgh.pa.us) wrote:
>I think we probably ought to leave this turned off.  From a security
>standpoint, it would scare me quite a lot for the cgi user to have write
>access to the CVS tree.  Even though the annotation software itself may
>do nothing more risky than temporarily locking files, what of bugs that
>might allow someone to make more extensive changes?

Make sure to replace every call to 'cvs' with 'cvs -R'.  This enables
read-only repository mode.  Or set the relevant environment variable.
Note that cvs 1.12.x is more intelligent about locks.

--
Jeroen Ruigrok van der Werven <asmodai(at)wxs.nl> / asmodai / kita no mono
PGP fingerprint: 2D92 980E 45FE 2C28 9DB7  9D88 97E6 839B 2EAC 625B
http://www.tendra.org/   | http://diary.in-nomine.org/
Expansion of happiness is the purpose of life...