1This is cvs.info, produced by makeinfo version 4.0 from cvs.texinfo.
2
3START-INFO-DIR-ENTRY
4* CVS: (cvs). Concurrent Versions System
5END-INFO-DIR-ENTRY
6
7 Copyright (C) 1992, 1993 Signum Support AB Copyright (C) 1993, 1994
8Free Software Foundation, Inc.
9
10 Permission is granted to make and distribute verbatim copies of this
11manual provided the copyright notice and this permission notice are
12preserved on all copies.
13
14 Permission is granted to copy and distribute modified versions of
15this manual under the conditions for verbatim copying, provided also
16that the entire resulting derived work is distributed under the terms
17of a permission notice identical to this one.
18
19 Permission is granted to copy and distribute translations of this
20manual into another language, under the above conditions for modified
21versions, except that this permission notice may be stated in a
22translation approved by the Free Software Foundation.
23
24�
25File: cvs.info, Node: Intro administrative files, Next: Multiple repositories, Prev: Working directory storage, Up: Repository
26
27The administrative files
28========================
29
30 The directory `$CVSROOT/CVSROOT' contains some "administrative
31files". *Note Administrative files::, for a complete description. You
32can use CVS without any of these files, but some commands work better
33when at least the `modules' file is properly set up.
34
35 The most important of these files is the `modules' file. It defines
36all modules in the repository. This is a sample `modules' file.
37
38 CVSROOT CVSROOT
39 modules CVSROOT modules
40 cvs gnu/cvs
41 rcs gnu/rcs
42 diff gnu/diff
43 tc yoyodyne/tc
44
45 The `modules' file is line oriented. In its simplest form each line
46contains the name of the module, whitespace, and the directory where
47the module resides. The directory is a path relative to `$CVSROOT'.
48The last four lines in the example above are examples of such lines.
49
50 The line that defines the module called `modules' uses features that
51are not explained here. *Note modules::, for a full explanation of all
52the available features.
53
54Editing administrative files
55----------------------------
56
57 You edit the administrative files in the same way that you would edit
58any other module. Use `cvs checkout CVSROOT' to get a working copy,
59edit it, and commit your changes in the normal way.
60
61 It is possible to commit an erroneous administrative file. You can
62often fix the error and check in a new revision, but sometimes a
63particularly bad error in the administrative file makes it impossible
64to commit new revisions.
65
66�
67File: cvs.info, Node: Multiple repositories, Next: Creating a repository, Prev: Intro administrative files, Up: Repository
68
69Multiple repositories
70=====================
71
72 In some situations it is a good idea to have more than one
73repository, for instance if you have two development groups that work
74on separate projects without sharing any code. All you have to do to
75have several repositories is to specify the appropriate repository,
76using the `CVSROOT' environment variable, the `-d' option to CVS, or
77(once you have checked out a working directory) by simply allowing CVS
78to use the repository that was used to check out the working directory
79(*note Specifying a repository::).
80
81 The big advantage of having multiple repositories is that they can
82reside on different servers. With CVS version 1.10, a single command
83cannot recurse into directories from different repositories. With
84development versions of CVS, you can check out code from multiple
85servers into your working directory. CVS will recurse and handle all
86the details of making connections to as many server machines as
87necessary to perform the requested command. Here is an example of how
88to set up a working directory:
89
90 cvs -d server1:/cvs co dir1
91 cd dir1
92 cvs -d server2:/root co sdir
93 cvs update
94
95 The `cvs co' commands set up the working directory, and then the
96`cvs update' command will contact server2, to update the dir1/sdir
97subdirectory, and server1, to update everything else.
98
99�
100File: cvs.info, Node: Creating a repository, Next: Backing up, Prev: Multiple repositories, Up: Repository
101
102Creating a repository
103=====================
104
105 To set up a CVS repository, first choose the machine and disk on
106which you want to store the revision history of the source files. CPU
107and memory requirements are modest, so most machines should be
108adequate. For details see *Note Server requirements::.
109
110 To estimate disk space requirements, if you are importing RCS files
111from another system, the size of those files is the approximate initial
112size of your repository, or if you are starting without any version
113history, a rule of thumb is to allow for the server approximately three
114times the size of the code to be under CVS for the repository (you will
115eventually outgrow this, but not for a while). On the machines on
116which the developers will be working, you'll want disk space for
117approximately one working directory for each developer (either the
118entire tree or a portion of it, depending on what each developer uses).
119
120 The repository should be accessible (directly or via a networked
121file system) from all machines which want to use CVS in server or local
122mode; the client machines need not have any access to it other than via
123the CVS protocol. It is not possible to use CVS to read from a
124repository which one only has read access to; CVS needs to be able to
125create lock files (*note Concurrency::).
126
127 To create a repository, run the `cvs init' command. It will set up
128an empty repository in the CVS root specified in the usual way (*note
129Repository::). For example,
130
131 cvs -d /usr/local/cvsroot init
132
133 `cvs init' is careful to never overwrite any existing files in the
134repository, so no harm is done if you run `cvs init' on an already
135set-up repository.
136
137 `cvs init' will enable history logging; if you don't want that,
138remove the history file after running `cvs init'. *Note history file::.
139
140�
141File: cvs.info, Node: Backing up, Next: Moving a repository, Prev: Creating a repository, Up: Repository
142
143Backing up a repository
144=======================
145
146 There is nothing particularly magical about the files in the
147repository; for the most part it is possible to back them up just like
148any other files. However, there are a few issues to consider.
149
150 The first is that to be paranoid, one should either not use CVS
151during the backup, or have the backup program lock CVS while doing the
152backup. To not use CVS, you might forbid logins to machines which can
153access the repository, turn off your CVS server, or similar mechanisms.
154The details would depend on your operating system and how you have CVS
155set up. To lock CVS, you would create `#cvs.rfl' locks in each
156repository directory. See *Note Concurrency::, for more on CVS locks.
157Having said all this, if you just back up without any of these
158precautions, the results are unlikely to be particularly dire.
159Restoring from backup, the repository might be in an inconsistent
160state, but this would not be particularly hard to fix manually.
161
162 When you restore a repository from backup, assuming that changes in
163the repository were made after the time of the backup, working
164directories which were not affected by the failure may refer to
165revisions which no longer exist in the repository. Trying to run CVS
166in such directories will typically produce an error message. One way
167to get those changes back into the repository is as follows:
168
169 * Get a new working directory.
170
171 * Copy the files from the working directory from before the failure
172 over to the new working directory (do not copy the contents of the
173 `CVS' directories, of course).
174
175 * Working in the new working directory, use commands such as `cvs
176 update' and `cvs diff' to figure out what has changed, and then
177 when you are ready, commit the changes into the repository.
178
179�
180File: cvs.info, Node: Moving a repository, Next: Remote repositories, Prev: Backing up, Up: Repository
181
182Moving a repository
183===================
184
185 Just as backing up the files in the repository is pretty much like
186backing up any other files, if you need to move a repository from one
187place to another it is also pretty much like just moving any other
188collection of files.
189
190 The main thing to consider is that working directories point to the
191repository. The simplest way to deal with a moved repository is to
192just get a fresh working directory after the move. Of course, you'll
193want to make sure that the old working directory had been checked in
194before the move, or you figured out some other way to make sure that
195you don't lose any changes. If you really do want to reuse the existing
196working directory, it should be possible with manual surgery on the
197`CVS/Repository' files. You can see *Note Working directory storage::,
198for information on the `CVS/Repository' and `CVS/Root' files, but
199unless you are sure you want to bother, it probably isn't worth it.
200
201�
202File: cvs.info, Node: Remote repositories, Next: Read-only access, Prev: Moving a repository, Up: Repository
203
204Remote repositories
205===================
206
207 Your working copy of the sources can be on a different machine than
208the repository. Using CVS in this manner is known as "client/server"
209operation. You run CVS on a machine which can mount your working
210directory, known as the "client", and tell it to communicate to a
211machine which can mount the repository, known as the "server".
212Generally, using a remote repository is just like using a local one,
213except that the format of the repository name is:
214
215 :METHOD:[[USER][:PASSWORD]@]HOSTNAME[:[PORT]]/path/to/repository
216
217 Specifying a password in the repository name is not recommended
218during checkout, since this will cause CVS to store a cleartext copy of
219the password in each created directory. `cvs login' first instead
220(*note Password authentication client::).
221
222 The details of exactly what needs to be set up depend on how you are
223connecting to the server.
224
225 If METHOD is not specified, and the repository name contains `:',
226then the default is `ext' or `server', depending on your platform; both
227are described in *Note Connecting via rsh::.
228
229* Menu:
230
231* Server requirements:: Memory and other resources for servers
232* Connecting via rsh:: Using the `rsh' program to connect
233* Password authenticated:: Direct connections using passwords
234* GSSAPI authenticated:: Direct connections using GSSAPI
235* Kerberos authenticated:: Direct connections with kerberos
236* Connecting via fork:: Using a forked `cvs server' to connect
237
238�
239File: cvs.info, Node: Server requirements, Next: Connecting via rsh, Up: Remote repositories
240
241Server requirements
242-------------------
243
244 The quick answer to what sort of machine is suitable as a server is
245that requirements are modest--a server with 32M of memory or even less
246can handle a fairly large source tree with a fair amount of activity.
247
248 The real answer, of course, is more complicated. Estimating the
249known areas of large memory consumption should be sufficient to
250estimate memory requirements. There are two such areas documented
251here; other memory consumption should be small by comparison (if you
252find that is not the case, let us know, as described in *Note BUGS::,
253so we can update this documentation).
254
255 The first area of big memory consumption is large checkouts, when
256using the CVS server. The server consists of two processes for each
257client that it is serving. Memory consumption on the child process
258should remain fairly small. Memory consumption on the parent process,
259particularly if the network connection to the client is slow, can be
260expected to grow to slightly more than the size of the sources in a
261single directory, or two megabytes, whichever is larger.
262
263 Multiplying the size of each CVS server by the number of servers
264which you expect to have active at one time should give an idea of
265memory requirements for the server. For the most part, the memory
266consumed by the parent process probably can be swap space rather than
267physical memory.
268
269 The second area of large memory consumption is `diff', when checking
270in large files. This is required even for binary files. The rule of
271thumb is to allow about ten times the size of the largest file you will
272want to check in, although five times may be adequate. For example, if
273you want to check in a file which is 10 megabytes, you should have 100
274megabytes of memory on the machine doing the checkin (the server
275machine for client/server, or the machine running CVS for
276non-client/server). This can be swap space rather than physical
277memory. Because the memory is only required briefly, there is no
278particular need to allow memory for more than one such checkin at a
279time.
280
281 Resource consumption for the client is even more modest--any machine
282with enough capacity to run the operating system in question should
283have little trouble.
284
285 For information on disk space requirements, see *Note Creating a
286repository::.
287
288�
289File: cvs.info, Node: Connecting via rsh, Next: Password authenticated, Prev: Server requirements, Up: Remote repositories
290
291Connecting with rsh
292-------------------
293
294 CVS uses the `rsh' protocol to perform these operations, so the
295remote user host needs to have a `.rhosts' file which grants access to
296the local user.
297
298 For example, suppose you are the user `mozart' on the local machine
299`toe.example.com', and the server machine is `faun.example.org'. On
300faun, put the following line into the file `.rhosts' in `bach''s home
301directory:
302
303 toe.example.com mozart
304
305 Then test that `rsh' is working with
306
307 rsh -l bach faun.example.org 'echo $PATH'
308
309 Next you have to make sure that `rsh' will be able to find the
310server. Make sure that the path which `rsh' printed in the above
311example includes the directory containing a program named `cvs' which
312is the server. You need to set the path in `.bashrc', `.cshrc', etc.,
313not `.login' or `.profile'. Alternately, you can set the environment
314variable `CVS_SERVER' on the client machine to the filename of the
315server you want to use, for example `/usr/local/bin/cvs-1.6'.
316
317 There is no need to edit `inetd.conf' or start a CVS server daemon.
318
319 There are two access methods that you use in `CVSROOT' for rsh.
320`:server:' specifies an internal rsh client, which is supported only by
321some CVS ports. `:ext:' specifies an external rsh program. By default
322this is `rsh' but you may set the `CVS_RSH' environment variable to
323invoke another program which can access the remote server (for example,
324`remsh' on HP-UX 9 because `rsh' is something different). It must be a
325program which can transmit data to and from the server without modifying
326it; for example the Windows NT `rsh' is not suitable since it by
327default translates between CRLF and LF. The OS/2 CVS port has a hack
328to pass `-b' to `rsh' to get around this, but since this could
329potentially cause problems for programs other than the standard `rsh',
330it may change in the future. If you set `CVS_RSH' to `SSH' or some
331other rsh replacement, the instructions in the rest of this section
332concerning `.rhosts' and so on are likely to be inapplicable; consult
333the documentation for your rsh replacement.
334
335 Continuing our example, supposing you want to access the module
336`foo' in the repository `/usr/local/cvsroot/', on machine
337`faun.example.org', you are ready to go:
338
339 cvs -d :ext:bach@faun.example.org/usr/local/cvsroot checkout foo
340
341 (The `bach@' can be omitted if the username is the same on both the
342local and remote hosts.)
343
344�
345File: cvs.info, Node: Password authenticated, Next: GSSAPI authenticated, Prev: Connecting via rsh, Up: Remote repositories
346
347Direct connection with password authentication
348----------------------------------------------
349
350 The CVS client can also connect to the server using a password
351protocol. This is particularly useful if using `rsh' is not feasible
352(for example, the server is behind a firewall), and Kerberos also is
353not available.
354
355 To use this method, it is necessary to make some adjustments on both
356the server and client sides.
357
358* Menu:
359
360* Password authentication server:: Setting up the server
361* Password authentication client:: Using the client
362* Password authentication security:: What this method does and does not do
363
364�
365File: cvs.info, Node: Password authentication server, Next: Password authentication client, Up: Password authenticated
366
367Setting up the server for password authentication
368.................................................
369
370 First of all, you probably want to tighten the permissions on the
371`$CVSROOT' and `$CVSROOT/CVSROOT' directories. See *Note Password
372authentication security::, for more details.
373
374 On the server side, the file `/etc/inetd.conf' needs to be edited so
375`inetd' knows to run the command `cvs pserver' when it receives a
376connection on the right port. By default, the port number is 2401; it
377would be different if your client were compiled with `CVS_AUTH_PORT'
378defined to something else, though. This can also be sepcified in the
379CVSROOT variable (*note Remote repositories::) or overridden with the
380CVS_CLIENT_PORT environment variable (*note Environment variables::).
381
382 If your `inetd' allows raw port numbers in `/etc/inetd.conf', then
383the following (all on a single line in `inetd.conf') should be
384sufficient:
385
386 2401 stream tcp nowait root /usr/local/bin/cvs
387 cvs -f --allow-root=/usr/cvsroot pserver
388
389 You could also use the `-T' option to specify a temporary directory.
390
391 The `--allow-root' option specifies the allowable CVSROOT directory.
392Clients which attempt to use a different CVSROOT directory will not be
393allowed to connect. If there is more than one CVSROOT directory which
394you want to allow, repeat the option. (Unfortunately, many versions of
395`inetd' have very small limits on the number of arguments and/or the
396total length of the command. The usual solution to this problem is to
397have `inetd' run a shell script which then invokes CVS with the
398necessary arguments.)
399
400 If your `inetd' wants a symbolic service name instead of a raw port
401number, then put this in `/etc/services':
402
403 cvspserver 2401/tcp
404
405 and put `cvspserver' instead of `2401' in `inetd.conf'.
406
407 Once the above is taken care of, restart your `inetd', or do
408whatever is necessary to force it to reread its initialization files.
409
410 If you are having trouble setting this up, see *Note Connection::.
411
412 Because the client stores and transmits passwords in cleartext
413(almost--see *Note Password authentication security::, for details), a
414separate CVS password file is generally used, so people don't compromise
415their regular passwords when they access the repository. This file is
416`$CVSROOT/CVSROOT/passwd' (*note Intro administrative files::). It
417uses a colon-separated format, similar to `/etc/passwd' on Unix systems,
418except that it has fewer fields: CVS username, optional password, and
419an optional system username for CVS to run as if authentication
420succeeds. Here is an example `passwd' file with five entries:
421
422 anonymous:
423 bach:ULtgRLXo7NRxs
424 spwang:1sOp854gDF3DY
425 melissa:tGX1fS8sun6rY:pubcvs
426 qproj:XR4EZcEs0szik:pubcvs
427
428 (The passwords are encrypted according to the standard Unix
429`crypt()' function, so it is possible to paste in passwords directly
430from regular Unix `/etc/passwd' files.)
431
432 The first line in the example will grant access to any CVS client
433attempting to authenticate as user `anonymous', no matter what password
434they use, including an empty password. (This is typical for sites
435granting anonymous read-only access; for information on how to do the
436"read-only" part, see *Note Read-only access::.)
437
438 The second and third lines will grant access to `bach' and `spwang'
439if they supply their respective plaintext passwords.
440
441 The fourth line will grant access to `melissa', if she supplies the
442correct password, but her CVS operations will actually run on the
443server side under the system user `pubcvs'. Thus, there need not be
444any system user named `melissa', but there _must_ be one named `pubcvs'.
445
446 The fifth line shows that system user identities can be shared: any
447client who successfully authenticates as `qproj' will actually run as
448`pubcvs', just as `melissa' does. That way you could create a single,
449shared system user for each project in your repository, and give each
450developer their own line in the `$CVSROOT/CVSROOT/passwd' file. The CVS
451username on each line would be different, but the system username would
452be the same. The reason to have different CVS usernames is that CVS
453will log their actions under those names: when `melissa' commits a
454change to a project, the checkin is recorded in the project's history
455under the name `melissa', not `pubcvs'. And the reason to have them
456share a system username is so that you can arrange permissions in the
457relevant area of the repository such that only that account has
458write-permission there.
459
460 If the system-user field is present, all password-authenticated CVS
461commands run as that user; if no system user is specified, CVS simply
462takes the CVS username as the system username and runs commands as that
463user. In either case, if there is no such user on the system, then the
464CVS operation will fail (regardless of whether the client supplied a
465valid password).
466
467 The password and system-user fields can both be omitted (and if the
468system-user field is omitted, then also omit the colon that would have
469separated it from the encrypted password). For example, this would be a
470valid `$CVSROOT/CVSROOT/passwd' file:
471
472 anonymous::pubcvs
473 fish:rKa5jzULzmhOo:kfogel
474 sussman:1sOp854gDF3DY
475
476 When the password field is omitted or empty, then the client's
477authentication attempt will succeed with any password, including the
478empty string. However, the colon after the CVS username is always
479necessary, even if the password is empty.
480
481 CVS can also fall back to use system authentication. When
482authenticating a password, the server first checks for the user in the
483`$CVSROOT/CVSROOT/passwd' file. If it finds the user, it will use that
484entry for authentication as described above. But if it does not find
485the user, or if the CVS `passwd' file does not exist, then the server
486can try to authenticate the username and password using the operating
487system's user-lookup routines (this "fallback" behavior can be disabled
488by setting `SystemAuth=no' in the CVS `config' file, *note config::).
489Be aware, however, that falling back to system authentication might be
490a security risk: CVS operations would then be authenticated with that
491user's regular login password, and the password flies across the
492network in plaintext. See *Note Password authentication security:: for
493more on this.
494
495 Right now, the only way to put a password in the CVS `passwd' file
496is to paste it there from somewhere else. Someday, there may be a `cvs
497passwd' command.
498
499 Unlike many of the files in `$CVSROOT/CVSROOT', it is normal to edit
500the `passwd' file in-place, rather than via CVS. This is because of the
501possible security risks of having the `passwd' file checked out to
502people's working copies. If you do want to include the `passwd' file
503in checkouts of `$CVSROOT/CVSROOT', see *Note checkoutlist::.
504
505�
506File: cvs.info, Node: Password authentication client, Next: Password authentication security, Prev: Password authentication server, Up: Password authenticated
507
508Using the client with password authentication
509.............................................
510
511 To run a CVS command on a remote repository via the
512password-authenticating server, one specifies the `pserver' protocol,
513optional username, repository host, an optional port number, and path
514to the repository. For example:
515
516 cvs -d :pserver:faun.example.org:/usr/local/cvsroot checkout someproj
517
518 or
519
520 CVSROOT=:pserver:bach@faun.example.org:2401/usr/local/cvsroot
521 cvs checkout someproj
522
523 However, unless you're connecting to a public-access repository
524(i.e., one where that username doesn't require a password), you'll need
525to supply a password or "log in" first. Logging in verifies your
526password with the repository and stores it in a file. It's done with
527the `login' command, which will prompt you interactively for the
528password if you didn't supply one as part of $CVSROOT:
529
530 cvs -d :pserver:bach@faun.example.org:/usr/local/cvsroot login
531 CVS password:
532
533 or
534
535 cvs -d :pserver:bach:p4ss30rd@faun.example.org:/usr/local/cvsroot login
536
537 After you enter the password, CVS verifies it with the server. If
538the verification succeeds, then that combination of username, host,
539repository, and password is permanently recorded, so future
540transactions with that repository won't require you to run `cvs login'.
541(If verification fails, CVS will exit complaining that the password
542was incorrect, and nothing will be recorded.)
543
544 The records are stored, by default, in the file `$HOME/.cvspass'.
545That file's format is human-readable, and to a degree human-editable,
546but note that the passwords are not stored in cleartext--they are
547trivially encoded to protect them from "innocent" compromise (i.e.,
548inadvertent viewing by a system administrator or other non-malicious
549person).
550
551 You can change the default location of this file by setting the
552`CVS_PASSFILE' environment variable. If you use this variable, make
553sure you set it _before_ `cvs login' is run. If you were to set it
554after running `cvs login', then later CVS commands would be unable to
555look up the password for transmission to the server.
556
557 Once you have logged in, all CVS commands using that remote
558repository and username will authenticate with the stored password.
559So, for example
560
561 cvs -d :pserver:bach@faun.example.org:/usr/local/cvsroot checkout foo
562
563 should just work (unless the password changes on the server side, in
564which case you'll have to re-run `cvs login').
565
566 Note that if the `:pserver:' were not present in the repository
567specification, CVS would assume it should use `rsh' to connect with the
568server instead (*note Connecting via rsh::).
569
570 Of course, once you have a working copy checked out and are running
571CVS commands from within it, there is no longer any need to specify the
572repository explicitly, because CVS can deduce the repository from the
573working copy's `CVS' subdirectory.
574
575 The password for a given remote repository can be removed from the
576`CVS_PASSFILE' by using the `cvs logout' command.
577
578�
579File: cvs.info, Node: Password authentication security, Prev: Password authentication client, Up: Password authenticated
580
581Security considerations with password authentication
582....................................................
583
584 The passwords are stored on the client side in a trivial encoding of
585the cleartext, and transmitted in the same encoding. The encoding is
586done only to prevent inadvertent password compromises (i.e., a system
587administrator accidentally looking at the file), and will not prevent
588even a naive attacker from gaining the password.
589
590 The separate CVS password file (*note Password authentication
591server::) allows people to use a different password for repository
592access than for login access. On the other hand, once a user has
593non-read-only access to the repository, she can execute programs on the
594server system through a variety of means. Thus, repository access
595implies fairly broad system access as well. It might be possible to
596modify CVS to prevent that, but no one has done so as of this writing.
597
598 Note that because the `$CVSROOT/CVSROOT' directory contains `passwd'
599and other files which are used to check security, you must control the
600permissions on this directory as tightly as the permissions on `/etc'.
601The same applies to the `$CVSROOT' directory itself and any directory
602above it in the tree. Anyone who has write access to such a directory
603will have the ability to become any user on the system. Note that
604these permissions are typically tighter than you would use if you are
605not using pserver.
606
607 In summary, anyone who gets the password gets repository access
608(which may imply some measure of general system access as well). The
609password is available to anyone who can sniff network packets or read a
610protected (i.e., user read-only) file. If you want real security, get
611Kerberos.
612
613�
614File: cvs.info, Node: GSSAPI authenticated, Next: Kerberos authenticated, Prev: Password authenticated, Up: Remote repositories
615
616Direct connection with GSSAPI
617-----------------------------
618
619 GSSAPI is a generic interface to network security systems such as
620Kerberos 5. If you have a working GSSAPI library, you can have CVS
621connect via a direct TCP connection, authenticating with GSSAPI.
622
623 To do this, CVS needs to be compiled with GSSAPI support; when
624configuring CVS it tries to detect whether GSSAPI libraries using
625kerberos version 5 are present. You can also use the `--with-gssapi'
626flag to configure.
627
628 The connection is authenticated using GSSAPI, but the message stream
629is _not_ authenticated by default. You must use the `-a' global option
630to request stream authentication.
631
632 The data transmitted is _not_ encrypted by default. Encryption
633support must be compiled into both the client and the server; use the
634`--enable-encrypt' configure option to turn it on. You must then use
635the `-x' global option to request encryption.
636
637 GSSAPI connections are handled on the server side by the same server
638which handles the password authentication server; see *Note Password
639authentication server::. If you are using a GSSAPI mechanism such as
640Kerberos which provides for strong authentication, you will probably
641want to disable the ability to authenticate via cleartext passwords.
642To do so, create an empty `CVSROOT/passwd' password file, and set
643`SystemAuth=no' in the config file (*note config::).
644
645 The GSSAPI server uses a principal name of cvs/HOSTNAME, where
646HOSTNAME is the canonical name of the server host. You will have to
647set this up as required by your GSSAPI mechanism.
648
649 To connect using GSSAPI, use `:gserver:'. For example,
650
651 cvs -d :gserver:faun.example.org:/usr/local/cvsroot checkout foo
652
653�
654File: cvs.info, Node: Kerberos authenticated, Next: Connecting via fork, Prev: GSSAPI authenticated, Up: Remote repositories
655
656Direct connection with kerberos
657-------------------------------
658
659 The easiest way to use kerberos is to use the kerberos `rsh', as
660described in *Note Connecting via rsh::. The main disadvantage of
661using rsh is that all the data needs to pass through additional
662programs, so it may be slower. So if you have kerberos installed you
663can connect via a direct TCP connection, authenticating with kerberos.
664
665 This section concerns the kerberos network security system, version
6664. Kerberos version 5 is supported via the GSSAPI generic network
667security interface, as described in the previous section.
668
669 To do this, CVS needs to be compiled with kerberos support; when
670configuring CVS it tries to detect whether kerberos is present or you
671can use the `--with-krb4' flag to configure.
672
673 The data transmitted is _not_ encrypted by default. Encryption
674support must be compiled into both the client and server; use the
675`--enable-encryption' configure option to turn it on. You must then
676use the `-x' global option to request encryption.
677
678 You need to edit `inetd.conf' on the server machine to run `cvs
679kserver'. The client uses port 1999 by default; if you want to use
680another port specify it in the `CVSROOT' (*note Remote repositories::)
681or the `CVS_CLIENT_PORT' environment variable on the client.
682
683 When you want to use CVS, get a ticket in the usual way (generally
684`kinit'); it must be a ticket which allows you to log into the server
685machine. Then you are ready to go:
686
687 cvs -d :kserver:faun.example.org:/usr/local/cvsroot checkout foo
688
689 Previous versions of CVS would fall back to a connection via rsh;
690this version will not do so.
691
692�
693File: cvs.info, Node: Connecting via fork, Prev: Kerberos authenticated, Up: Remote repositories
694
695Connecting with fork
696--------------------
697
698 This access method allows you to connect to a repository on your
699local disk via the remote protocol. In other words it does pretty much
700the same thing as `:local:', but various quirks, bugs and the like are
701those of the remote CVS rather than the local CVS.
702
703 For day-to-day operations you might prefer either `:local:' or
704`:fork:', depending on your preferences. Of course `:fork:' comes in
705particularly handy in testing or debugging `cvs' and the remote
706protocol. Specifically, we avoid all of the network-related
707setup/configuration, timeouts, and authentication inherent in the other
708remote access methods but still create a connection which uses the
709remote protocol.
710
711 To connect using the `fork' method, use `:fork:' and the pathname to
712your local repository. For example:
713
714 cvs -d :fork:/usr/local/cvsroot checkout foo
715
716 As with `:ext:', the server is called `cvs' by default, or the value
717of the `CVS_SERVER' environment variable.
718
719�
720File: cvs.info, Node: Read-only access, Next: Server temporary directory, Prev: Remote repositories, Up: Repository
721
722Read-only repository access
723===========================
724
725 It is possible to grant read-only repository access to people using
726the password-authenticated server (*note Password authenticated::).
727(The other access methods do not have explicit support for read-only
728users because those methods all assume login access to the repository
729machine anyway, and therefore the user can do whatever local file
730permissions allow her to do.)
731
732 A user who has read-only access can do only those CVS operations
733which do not modify the repository, except for certain "administrative"
734files (such as lock files and the history file). It may be desirable
735to use this feature in conjunction with user-aliasing (*note Password
736authentication server::).
737
738 Unlike with previous versions of CVS, read-only users should be able
739merely to read the repository, and not to execute programs on the
740server or otherwise gain unexpected levels of access. Or to be more
741accurate, the _known_ holes have been plugged. Because this feature is
742new and has not received a comprehensive security audit, you should use
743whatever level of caution seems warranted given your attitude concerning
744security.
745
746 There are two ways to specify read-only access for a user: by
747inclusion, and by exclusion.
748
749 "Inclusion" means listing that user specifically in the
750`$CVSROOT/CVSROOT/readers' file, which is simply a newline-separated
751list of users. Here is a sample `readers' file:
752
753 melissa
754 splotnik
755 jrandom
756
757 (Don't forget the newline after the last user.)
758
759 "Exclusion" means explicitly listing everyone who has _write_
760access--if the file
761
762 $CVSROOT/CVSROOT/writers
763
764exists, then only those users listed in it have write access, and
765everyone else has read-only access (of course, even the read-only users
766still need to be listed in the CVS `passwd' file). The `writers' file
767has the same format as the `readers' file.
768
769 Note: if your CVS `passwd' file maps cvs users onto system users
770(*note Password authentication server::), make sure you deny or grant
771read-only access using the _cvs_ usernames, not the system usernames.
772That is, the `readers' and `writers' files contain cvs usernames, which
773may or may not be the same as system usernames.
774
775 Here is a complete description of the server's behavior in deciding
776whether to grant read-only or read-write access:
777
778 If `readers' exists, and this user is listed in it, then she gets
779read-only access. Or if `writers' exists, and this user is NOT listed
780in it, then she also gets read-only access (this is true even if
781`readers' exists but she is not listed there). Otherwise, she gets
782full read-write access.
783
784 Of course there is a conflict if the user is listed in both files.
785This is resolved in the more conservative way, it being better to
786protect the repository too much than too little: such a user gets
787read-only access.
788
789�
790File: cvs.info, Node: Server temporary directory, Prev: Read-only access, Up: Repository
791
792Temporary directories for the server
793====================================
794
795 While running, the CVS server creates temporary directories. They
796are named
797
798 cvs-servPID
799
800where PID is the process identification number of the server. They are
801located in the directory specified by the `TMPDIR' environment variable
802(*note Environment variables::), the `-T' global option (*note Global
803options::), or failing that `/tmp'.
804
805 In most cases the server will remove the temporary directory when it
806is done, whether it finishes normally or abnormally. However, there
807are a few cases in which the server does not or cannot remove the
808temporary directory, for example:
809
810 * If the server aborts due to an internal server error, it may
811 preserve the directory to aid in debugging
812
813 * If the server is killed in a way that it has no way of cleaning up
814 (most notably, `kill -KILL' on unix).
815
816 * If the system shuts down without an orderly shutdown, which tells
817 the server to clean up.
818
819 In cases such as this, you will need to manually remove the
820`cvs-servPID' directories. As long as there is no server running with
821process identification number PID, it is safe to do so.
822
823�
824File: cvs.info, Node: Starting a new project, Next: Revisions, Prev: Repository, Up: Top
825
826Starting a project with CVS
827***************************
828
829 Because renaming files and moving them between directories is
830somewhat inconvenient, the first thing you do when you start a new
831project should be to think through your file organization. It is not
832impossible to rename or move files, but it does increase the potential
833for confusion and CVS does have some quirks particularly in the area of
834renaming directories. *Note Moving files::.
835
836 What to do next depends on the situation at hand.
837
838* Menu:
839
840* Setting up the files:: Getting the files into the repository
841* Defining the module:: How to make a module of the files
842
843�
844File: cvs.info, Node: Setting up the files, Next: Defining the module, Up: Starting a new project
845
846Setting up the files
847====================
848
849 The first step is to create the files inside the repository. This
850can be done in a couple of different ways.
851
852* Menu:
853
854* From files:: This method is useful with old projects
855 where files already exists.
856* From other version control systems:: Old projects where you want to
857 preserve history from another system.
858* From scratch:: Creating a directory tree from scratch.
859
860�
861File: cvs.info, Node: From files, Next: From other version control systems, Up: Setting up the files
862
863Creating a directory tree from a number of files
864------------------------------------------------
865
866 When you begin using CVS, you will probably already have several
867projects that can be put under CVS control. In these cases the easiest
868way is to use the `import' command. An example is probably the easiest
869way to explain how to use it. If the files you want to install in CVS
870reside in `WDIR', and you want them to appear in the repository as
871`$CVSROOT/yoyodyne/RDIR', you can do this:
872
873 $ cd WDIR
874 $ cvs import -m "Imported sources" yoyodyne/RDIR yoyo start
875
876 Unless you supply a log message with the `-m' flag, CVS starts an
877editor and prompts for a message. The string `yoyo' is a "vendor tag",
878and `start' is a "release tag". They may fill no purpose in this
879context, but since CVS requires them they must be present. *Note
880Tracking sources::, for more information about them.
881
882 You can now verify that it worked, and remove your original source
883directory.
884
885 $ cd ..
886 $ cvs checkout yoyodyne/RDIR # Explanation below
887 $ diff -r WDIR yoyodyne/RDIR
888 $ rm -r WDIR
889
890Erasing the original sources is a good idea, to make sure that you do
891not accidentally edit them in WDIR, bypassing CVS. Of course, it would
892be wise to make sure that you have a backup of the sources before you
893remove them.
894
895 The `checkout' command can either take a module name as argument (as
896it has done in all previous examples) or a path name relative to
897`$CVSROOT', as it did in the example above.
898
899 It is a good idea to check that the permissions CVS sets on the
900directories inside `$CVSROOT' are reasonable, and that they belong to
901the proper groups. *Note File permissions::.
902
903 If some of the files you want to import are binary, you may want to
904use the wrappers features to specify which files are binary and which
905are not. *Note Wrappers::.
906
907�
908File: cvs.info, Node: From other version control systems, Next: From scratch, Prev: From files, Up: Setting up the files
909
910Creating Files From Other Version Control Systems
911-------------------------------------------------
912
913 If you have a project which you are maintaining with another version
914control system, such as RCS, you may wish to put the files from that
915project into CVS, and preserve the revision history of the files.
916
917From RCS
918 If you have been using RCS, find the RCS files--usually a file
919 named `foo.c' will have its RCS file in `RCS/foo.c,v' (but it
920 could be other places; consult the RCS documentation for details).
921 Then create the appropriate directories in CVS if they do not
922 already exist. Then copy the files into the appropriate
923 directories in the CVS repository (the name in the repository must
924 be the name of the source file with `,v' added; the files go
925 directly in the appropriate directory of the repository, not in an
926 `RCS' subdirectory). This is one of the few times when it is a
927 good idea to access the CVS repository directly, rather than using
928 CVS commands. Then you are ready to check out a new working
929 directory.
930
931 The RCS file should not be locked when you move it into CVS; if it
932 is, CVS will have trouble letting you operate on it.
933
934From another version control system
935 Many version control systems have the ability to export RCS files
936 in the standard format. If yours does, export the RCS files and
937 then follow the above instructions.
938
939 Failing that, probably your best bet is to write a script that
940 will check out the files one revision at a time using the command
941 line interface to the other system, and then check the revisions
942 into CVS. The `sccs2rcs' script mentioned below may be a useful
943 example to follow.
944
945From SCCS
946 There is a script in the `contrib' directory of the CVS source
947 distribution called `sccs2rcs' which converts SCCS files to RCS
948 files. Note: you must run it on a machine which has both SCCS and
949 RCS installed, and like everything else in contrib it is
950 unsupported (your mileage may vary).
951
952From PVCS
953 There is a script in the `contrib' directory of the CVS source
954 distribution called `pvcs_to_rcs' which converts PVCS archives to
955 RCS files. You must run it on a machine which has both PVCS and
956 RCS installed, and like everything else in contrib it is
957 unsupported (your mileage may vary). See the comments in the
958 script for details.
959
960�
961File: cvs.info, Node: From scratch, Prev: From other version control systems, Up: Setting up the files
962
963Creating a directory tree from scratch
964--------------------------------------
965
966 For a new project, the easiest thing to do is probably to create an
967empty directory structure, like this:
968
969 $ mkdir tc
970 $ mkdir tc/man
971 $ mkdir tc/testing
972
973 After that, you use the `import' command to create the corresponding
974(empty) directory structure inside the repository:
975
976 $ cd tc
977 $ cvs import -m "Created directory structure" yoyodyne/DIR yoyo start
978
979 Then, use `add' to add files (and new directories) as they appear.
980
981 Check that the permissions CVS sets on the directories inside
982`$CVSROOT' are reasonable.
983
984�
985File: cvs.info, Node: Defining the module, Prev: Setting up the files, Up: Starting a new project
986
987Defining the module
988===================
989
990 The next step is to define the module in the `modules' file. This
991is not strictly necessary, but modules can be convenient in grouping
992together related files and directories.
993
994 In simple cases these steps are sufficient to define a module.
995
996 1. Get a working copy of the modules file.
997
998 $ cvs checkout CVSROOT/modules
999 $ cd CVSROOT
1000
1001 2. Edit the file and insert a line that defines the module. *Note
1002 Intro administrative files::, for an introduction. *Note
1003 modules::, for a full description of the modules file. You can
1004 use the following line to define the module `tc':
1005
1006 tc yoyodyne/tc
1007
1008 3. Commit your changes to the modules file.
1009
1010 $ cvs commit -m "Added the tc module." modules
1011
1012 4. Release the modules module.
1013
1014 $ cd ..
1015 $ cvs release -d CVSROOT
1016
1017�
1018File: cvs.info, Node: Revisions, Next: Branching and merging, Prev: Starting a new project, Up: Top
1019
1020Revisions
1021*********
1022
1023 For many uses of CVS, one doesn't need to worry too much about
1024revision numbers; CVS assigns numbers such as `1.1', `1.2', and so on,
1025and that is all one needs to know. However, some people prefer to have
1026more knowledge and control concerning how CVS assigns revision numbers.
1027
1028 If one wants to keep track of a set of revisions involving more than
1029one file, such as which revisions went into a particular release, one
1030uses a "tag", which is a symbolic revision which can be assigned to a
1031numeric revision in each file.
1032
1033* Menu:
1034
1035* Revision numbers:: The meaning of a revision number
1036* Versions revisions releases:: Terminology used in this manual
1037* Assigning revisions:: Assigning revisions
1038* Tags:: Tags--Symbolic revisions
1039* Tagging the working directory:: The cvs tag command
1040* Tagging by date/tag:: The cvs rtag command
1041* Modifying tags:: Adding, renaming, and deleting tags
1042* Tagging add/remove:: Tags with adding and removing files
1043* Sticky tags:: Certain tags are persistent
1044
1045�
1046File: cvs.info, Node: Revision numbers, Next: Versions revisions releases, Up: Revisions
1047
1048Revision numbers
1049================
1050
1051 Each version of a file has a unique "revision number". Revision
1052numbers look like `1.1', `1.2', `1.3.2.2' or even `1.3.2.2.4.5'. A
1053revision number always has an even number of period-separated decimal
1054integers. By default revision 1.1 is the first revision of a file.
1055Each successive revision is given a new number by increasing the
1056rightmost number by one. The following figure displays a few
1057revisions, with newer revisions to the right.
1058
1059 +-----+ +-----+ +-----+ +-----+ +-----+
1060 ! 1.1 !----! 1.2 !----! 1.3 !----! 1.4 !----! 1.5 !
1061 +-----+ +-----+ +-----+ +-----+ +-----+
1062
1063 It is also possible to end up with numbers containing more than one
1064period, for example `1.3.2.2'. Such revisions represent revisions on
1065branches (*note Branching and merging::); such revision numbers are
1066explained in detail in *Note Branches and revisions::.
1067
1068�
1069File: cvs.info, Node: Versions revisions releases, Next: Assigning revisions, Prev: Revision numbers, Up: Revisions
1070
1071Versions, revisions and releases
1072================================
1073
1074 A file can have several versions, as described above. Likewise, a
1075software product can have several versions. A software product is
1076often given a version number such as `4.1.1'.
1077
1078 Versions in the first sense are called "revisions" in this document,
1079and versions in the second sense are called "releases". To avoid
1080confusion, the word "version" is almost never used in this document.
1081
1082�
1083File: cvs.info, Node: Assigning revisions, Next: Tags, Prev: Versions revisions releases, Up: Revisions
1084
1085Assigning revisions
1086===================
1087
1088 By default, CVS will assign numeric revisions by leaving the first
1089number the same and incrementing the second number. For example,
1090`1.1', `1.2', `1.3', etc.
1091
1092 When adding a new file, the second number will always be one and the
1093first number will equal the highest first number of any file in that
1094directory. For example, the current directory contains files whose
1095highest numbered revisions are `1.7', `3.1', and `4.12', then an added
1096file will be given the numeric revision `4.1'.
1097
1098 Normally there is no reason to care about the revision numbers--it
1099is easier to treat them as internal numbers that CVS maintains, and tags
1100provide a better way to distinguish between things like release 1
1101versus release 2 of your product (*note Tags::). However, if you want
1102to set the numeric revisions, the `-r' option to `cvs commit' can do
1103that. The `-r' option implies the `-f' option, in the sense that it
1104causes the files to be committed even if they are not modified.
1105
1106 For example, to bring all your files up to revision 3.0 (including
1107those that haven't changed), you might invoke:
1108
1109 $ cvs commit -r 3.0
1110
1111 Note that the number you specify with `-r' must be larger than any
1112existing revision number. That is, if revision 3.0 exists, you cannot
1113`cvs commit -r 1.3'. If you want to maintain several releases in
1114parallel, you need to use a branch (*note Branching and merging::).
1115
1116