Hmm - if cvshome.org can be hacked via the pserver exploit (see
https://www.cvshome.org/ &
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0396 )
then I guess we should be worried!
i really dislike having to enter passwords all the time and pserver is good for this.
Maybe the answer is one of the restricted cvs anon shells, and publish a private key for that user so that no logging in is required.
For commit enabled people (not me since the crash ... hint hint), I suggest that we design a two tier user system - give commit people a cvs login user with a restricted shell so they can only do cvs. That way they can store a key to avoid logging in with a password with less security implications.
Then a smaller set of those people who need ssh access to the box have a seperate user that gives them that access for which they are prevented from using a key to login with.
I can't imagine that a high percentage of committers really need ssh access to the box.
We really shouldn't ignore this.
Or we could switch to subversion, but i'm not really a fan of doing this as documented elsewhere.