[cvsnt] CVSNT Best Practise...

Tue Apr 22 22:50:23 BST 2003

Hi everyone,

I'm in the progress of moving all our cvs repositories to a new box. This
box will be placed in a DMZ zone, the port no. 2401 will be open (to the
external net) and it will _not_ be part of our NT-domain.
We have aprox 10-20 repositories, each with between 10 to 50 modules.
The number of users are currently around 30, but will grow to at least a 100
in the near future.
Also the number of repositories and modules will grow rapidly.

We have some requirements to this setup:
 - it must be secure.
 - it must be manageble (add/delete user, grant access to repositories,
grant access to modules inside repositories)
 - it must be stable (Solved! we use cvsnt :-) )

In this contex I have a couple of questions I hope some of you could answer:

1) Whitch protocoll do I use?
We're thinking of using the (new) sserver (SSL) protocol. Does this sound
resonable?
Is it possible to use the sspi protocol in this setup? (Remember the server
is not in our NT-domain).
We are using WinCvs as the client, so we hope they soon will add the
"sserver" to the list of available protocols....

2) Should I use the "passwd" file or should I create every user on the
windows box?
If we use the passwd file, can I share it between multiple cvs repositories?
If we are _not_ using the passwd file, can we still use the "cvs passwd"
command ?

3) How do I grant access (None, Read and Write) to repositories? And to
modules inside repositories?
Do I need the "group" file for this, or do I only use NT groups (and NTFS
access)?

As you can understand, I'm mostly conserned about the "managebility" and
administrative effort needed to get this up and running. I would realy like
to be able to "disable a user", configure "password expire" for a user,
grant "write access to rep A on module xyz", and so on...

Any comments/ideas on this issue are mostly welcome.
Thaks!

--
Christer,
Norway.