2017-06-13 10:17 AEST by Arthur Barrett - This is actually all about the 'encrypted files' enhancement described in bug 7095.

We could checkout a 'new' file (like CVS/Entries.extra) to the clients that contains the rules for the checked 
out files.  The filesystem driver (IFS) could then restrict those files based on those rules, e.g.:
- cannot be copied out of this directory
- can only be read by these signed executables: vs.exe, cpp.exe and cvsnt.exe
- signature checking rules (cannot be self-signed)

The filesystem driver would need to require that these files cannot be modified by anything other than 
cvsnt.exe.