[cvsnt] Advice on preferred protocol for internet deployment of CVSNT

Luigi D. Sandon mailbox at sandon.it
Thu Mar 8 09:06:38 GMT 2007

Community technical support mailing list was retired 2010 and replaced with a professional technical support team. For assistance please contact: Pre-sales Technical support via email to sales@march-hare.com.

> They have a hosted web server that's reasonably well backed up and on a
> The project sponsor is concerned about theft of his source code, and

I won't host a repository on the same machine acting as a web server, if 
concerned about code theft. A web server opens an attack surface - you can 
harden the CVS protocol as you like, but if the web server or a web 
application is compromised, and the attacker gains access to the file system 
with enough privileges, your code could be gone anyway.

>adding a domain controller or joining the server into an existing domain
>have been ruled out for paranoia reasons.

May be correct. Usually is better that machines in perimeter networks (i.e. 
DMZs) are not part of a domain in internal networks - many ports have to be 
opened in a firewall to make AD work, and a compromised machine may have 
access to too many domain resources - anyway they become a bridgehead for 
further attacks. Usually they have their own domain, or are configured as 
standalone servers. In Windows 2000 and 2003, the domain *is not* a security 
boundary. The forest is.

> They also have 3 people who need access to this repository

Given the small number of people needing access, IMHO you don't need a 
public machine. I would put the repository on a machine in the company's 
internal network and use a VPN to access it. On the Internet side the CVS 
protocol used is irrelevant, the VPN itself encrypts the transmission.


More information about the cvsnt mailing list
Download the latest CVSNT, TortosieCVS, WinCVS etc. for Windows 8 etc.
@CVSNT on Twitter   CVSNT on Facebook