I need to set up a small site like SourceForge. I've had a look at most of the SourceForge-in-a-can packages, and most are gross overkill for what I need.
What I need:
- users can add themselves as cvs readers to any project
- existing cvs writers can give other users write permissions
- no shell access required
- no mailing list required
This sounds like a 95% match to the TWiki access control methods.
What I plan to do is:
- For CVS:
  - Create a chrooted CVS repository for each project.
  - Use SSH tunnelling to provide access to the cvs server.
  - Use an ssh2 DSA key to limit ssh access to only the cvs server.
- For TWiki:
  - Put TWiki with BasicAuthentication on an Apache server.
  - Use SSL to prevent password sniffing.
  - Create a new TWiki web for each project
  - Create TWiki groups for cvs readers and cvs writers for each project.
- Write scripts to
  - extract users' names and passwords from .htpasswd
  - extract cvs readers from a "ProjectCvsReadersGroup" page
  - extract cvs writers from a "ProjectCvsWritersGroup" page
  - update the cvs passwd, readers, writers files
Has anyone else done anything like this?
Can anyone see any major security holes in this plan?
--
AndrewDalgleish - 22 Nov 2001
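Added example, not part of the original thread: one way the sync scripts in the plan above could build the CVS `passwd`, `readers` and `writers` files from `.htpasswd` and the two group topics. The `   * Set GROUP = ...` line format, the restriction to 13-character crypt hashes, the name pattern and the `cvsproj` run-as account are assumptions, and the sample data is constructed.

```python
import re

# Assumed formats (not taken from the original post):
#   .htpasswd      -> "name:hash" per line
#   TWiki group    -> a "   * Set GROUP = Main.UserA, Main.UserB" line in the topic
#   CVSROOT/passwd -> "name:hash:system_user"; readers/writers -> one name per line
SAFE_NAME = re.compile(r"[A-Za-z0-9_-]{1,32}")   # no ':' or newline can reach CVS files
DES_CRYPT = re.compile(r"[./0-9A-Za-z]{13}")     # the only hash form copied over here
GROUP_LINE = re.compile(r"^[ \t]+\*[ \t]+Set[ \t]+GROUP[ \t]*=[ \t]*(.*)$", re.M)

# Constructed sample input (hashes are placeholders, not real credentials).
SAMPLE_HTPASSWD = ("AliceDev:abJnggxhB/yWI\n"
                   "BobDev:$apr1$constructed$notverifiablebycvs\n"
                   "CarolDev:cdE4fGh1jK2lM\n")
SAMPLE_READERS = "   * Set GROUP = Main.AliceDev, Main.BobDev, Main.CarolDev, Main.GhostUser\n"
SAMPLE_WRITERS = "   * Set GROUP = Main.AliceDev\n"


def parse_htpasswd(text):
    """Return {name: hash}, dropping names or hashes unsafe to copy into CVS."""
    users = {}
    for line in text.splitlines():
        name, sep, pw_hash = line.strip().partition(":")
        if sep and SAFE_NAME.fullmatch(name) and DES_CRYPT.fullmatch(pw_hash):
            users[name] = pw_hash
    return users


def parse_group(topic_text):
    """Return member names from a group topic, with any web prefix removed."""
    match = GROUP_LINE.search(topic_text)
    if not match:
        return []
    members = [m.strip().split(".")[-1] for m in match.group(1).split(",")]
    return [m for m in members if SAFE_NAME.fullmatch(m)]


def build_cvs_files(htpasswd, readers_topic, writers_topic, run_as="cvsproj"):
    """Build CVSROOT passwd/readers/writers contents for one project."""
    users = parse_htpasswd(htpasswd)
    writers = [u for u in parse_group(writers_topic) if u in users]
    # CVS treats a name listed in both files as read-only, so keep the lists disjoint.
    readers = [u for u in parse_group(readers_topic) if u in users and u not in writers]
    passwd = [f"{u}:{users[u]}:{run_as}" for u in writers + readers]
    return {name: "".join(line + "\n" for line in lines)
            for name, lines in (("passwd", passwd), ("readers", readers), ("writers", writers))}
```

Group members with no usable `.htpasswd` entry (here `BobDev` and `GhostUser`) are left out of all three files rather than written with a hash CVS cannot check.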
I just read a book that said that Basic Authentication will always send user id and password in plaintext. They recommended setting up one's own CGI for handling login. (Reference: Dustin, Rashka, McDiarmid: Quality Web Systems. Addison-Wesley.)
I'm not sure how seriously this advice should be taken; they also say that CGI is slow without even mentioning FastCGI or mod_perl, and while these methods may still be slow compared to some others, they'd at least have deserved mention.
--
JoachimDurchholz - 23 Nov 2001
Given the forks of the SourceForge code there are many interesting and related ideas. Here are some ideas that I see evolving.
- TWiki has been packaged for Debian GNU/Linux
- The Debian fork of SourceForge is one of two strongest development areas outside of VA's efforts. The other one is GNU Savannah.
- Subversion (the next CVS) is coming closer to completion
- http://Coopx.eu.org has some design documents on platform independent hosting & moving hosted content
--
GrantBow - 18 Oct 2002
This sounds really interesting. I was also researching what can be used as some kind of ContentForge for the network of NGO Internet service providers I am working with. Anyone interested in the topic can add their contact to ContentForge or NgoTWikiSites.
--
ZeljkoBlace - 18 Oct 2002
Twiki-based portal for software development groups - seems like something I am looking for! Could be a killer application for Twiki (or any other wiki which will implement it first). So far I found:
--
PeterMasiar - 29 Aug 2003