How do folks use an SCM?

[Jon Stanley]

So I have an interesting situation. I have an SCM (CVS, don't laugh)
that requires kerberized gserver authentication. How do I use Koji
with this? I don't mind embedding a password for a user that has
read-only access to the repo somewhere, but I really don't want to if
I can avoid it.

Also, with the interesting requirement of a Makefile with target srpm,
how do folks generate that for externally developed packages? Frankly,
most of the packages that we're going to build are rebuilds of RHEL
content with minor changes (sometimes a patch, sometimes just pathname
changes, etc), so generating an SRPM and feeding it directly to koji
is easier than maintaining some SCM layout that's foreign to us and a
lookaside cache. Note that the reason we want to use koji is build
reproducibility, but we'll be saving the SRPM's used in some location.