This guide assumes you have already [created a new CVS root](/cvs/repo) and imported repositories. Committers will use the real CVS repo for reading and writing, whereas in this guide, we create an anoncvs mirror for guest read-only access. $ mkdir ~/anoncvs $ cd ~/anoncvs $ ftp https://www.openbsd.org/anoncvs.shar $ sh anoncvs.shar Edit the first line of ~/Makefile: CVSROOT=anoncvs@anoncvs.example.com:/cvs Replace anoncvs.example.com with your domain. You want to leave /cvs as-is because CVS runs inside a chroot jail. $ make $ doas useradd -m -d /open/anoncvs -s /open/anoncvssh anoncvs $ doas cp anoncvssh /open/anoncvssh $ doas chmod 4111 /open/anoncvssh You will need to set anoncvs so it has no password. Run `doas vipw` and edit the line so it looks like this (except with the uid and gid 1001 perhaps changed to another value): anoncvs::1001:1001::0:0::/open/anoncvs:/open/anoncvssh Add this to the bottom of /etc/ssh/sshd_config: Match User anoncvs PermitEmptyPasswords yes AllowTcpForwarding no AllowAgentForwarding no X11Forwarding no PermitTTY no Then restart sshd: $ doas rcctl restart sshd Run as root to create the chroot jail: export CVSYNCUSER=$USER mkdir /open/anoncvs/cvs chown -R $CVSYNCUSER:commit /open/anoncvs/cvs chmod -R g+w /open/anoncvs/cvs The person maintaining the cvs archive is $CVSYNCUSER . Replace $USER with the maintainer's username. The commands below are needed for OpenBSD 6.9 stable: touch /open/anoncvs/.hushlogin touch /open/anoncvs/.profile mkdir /open/anoncvs/{bin,dev,tmp,usr,var,etc} cp /bin/{cat,pwd,rm,sh} /open/anoncvs/bin/ mknod -m 666 /open/anoncvs/dev/null c 2 2 mknod -m 666 /open/anoncvs/dev/zero c 2 12 cp /etc/{hosts,protocols,resolv.conf,services,ttys} /open/anoncvs/etc/ chmod 444 /open/anoncvs/etc/{hosts,protocols,resolv.conf,services,ttys} ln -s /open/anoncvs/tmp /open/anoncvs/var/tmp chmod a+rwx /open/anoncvs/tmp mkdir /open/anoncvs/usr/{bin,lib} cp /usr/bin/cvs /open/anoncvs/usr/bin/ mkdir /open/anoncvs/usr/libexec cp /usr/libexec/ld.so /open/anoncvs/usr/libexec/ cp /usr/lib/libz.so.5.0 /open/anoncvs/usr/lib/ cp /usr/lib/libc.so.96.0 /open/anoncvs/usr/lib/ chown -R root:wheel /open/anoncvs (:if false:) This was recommended by the README in the shar file from OpenBSD's anoncvs instructions, but I found it was unnecessary and potentially leaks system information: cp /etc/{group,hosts,passwd,protocols} /open/anoncvs/etc/ cp /etc/{pwd.db,resolv.conf,services,ttys} /open/anoncvs/etc/ (:ifend:) ## Syncing repos You now want to sync repos from the committers' CVSROOT to the anoncvs CVSROOT. You want to run this command while logged in as the CVS maintainer: $ openrsync -a --delete --rsync-path=openrsync /CVS/ /open/anoncvs/cvs/ We will set up a cronjob so the repos are synced daily: $ crontab -e @daily -s /usr/bin/openrsync -a --delete --rsync-path=/usr/bin/openrsync /CVS/ /open/anoncvs/cvs/ ## Results The /open/anoncvs/cvs/ directory should look like this: # ls -lha /open/anoncvs/cvs total 28 drwxr-xr-x 7 root wheel 512B Oct 9 06:19 . drwxr-xr-x 10 root wheel 512B Oct 9 06:10 .. drwxrwxr-x 3 jrmu commit 1.0K Apr 29 06:48 CVSROOT drwxrwxr-x 9 jrmu commit 512B May 8 11:42 acopm drwxrwxr-x 2 jrmu commit 1.0K Aug 26 04:17 botnow drwxrwxr-x 8 jrmu commit 512B May 27 16:57 brogue-ce drwxrwxr-x 6 jrmu commit 512B May 7 06:46 ircnowd ## Publish SSH fingerprints Make sure to publish your [SSH fingerprints](/https://wiki.ircnow.org/index.php?n=Ssh.Fingerprints) so users can be certain that the source code was transported securely. ## Test anoncvs You'll want to [test anoncvs](/cvs/intro) to make sure it's working. Recommended Reading: https://www.openbsd.org/anoncvs.html https://www.openbsd.org/anoncvs.shar See Also: [CVS repo Guide](/Cvs/repo) [Cvsweb Guide](/Cvs/Cvsweb) [CVS Intro](/Cvs/Intro)