What's the best way to secure a public Concurrent Version System repository that allows for anonymous read-only access using the standard pserver connection protocol for CVS?

Try the cvsd program, a wrapper for running CVS in a change root (chroot) "jail" on most Unix-type systems. Using cvsd to run the public CVS pserver in a restricted chroot jail protects the system by limiting the amount of damage that could be done if CVS were exploited.

The cvsd program is used by SourceForge.net to provide anonymous CVS access for SourceForge projects.

To install cvsd, you need to have CVS installed. Then download the cvsd package and follow the installation instructions, paying special attention to the user-id, group-id and file permission settings to ensure that a secure chroot environment is created.

Binary packages are available for Debian, Fedora, FreeBSD and GenToo Linux installs. For other systems, you have to download and build the source package. After installing and configuring cvsd, create or copy the public CVS repository containing the files you want to share with the world, and open up the CVS port in your firewall to allow pserver connections to cvsd.

While it's possible to provide read/write access for privileged users, many systems have a working CVS repository reachable only through SSH and maintain a public read-only copy in a separate directory managed by cvsd.