[Zope-Coders] cvs vulnerability

seb bacon seb@jamkit.com
Mon, 1 Oct 2001 12:20:52 +0100


It occurred to me that there's a weak point in the security for CVS
committers: we deposit our keys TTW over SSL, using our normal zope.org
password, which also gets used elsewhere, unencrypted.  What's more,
my zope.org password has about 1 bit of entropy, and several of my
colleagues know it; my ssl passphrase, on the other hand, is very
secure.  (I think ;-)

Perhaps you should only be able to deposit a key once TTW, and
subsequently must do so using ssh?

seb