The files which are checkout out without write permissions correspond to files that were watched (thats what I think anyway) you can look in the repository at the CVS/fileattr and you will find the filename in there. As for why any watches ever get created...I don't know. Oh, the CVS dir name is used since CVS could never exist in a CVS checkout except as a CVS control directory so is used in the repository as the magic state dir for watches.
In this case, it looks like simonc created a watch but I am not entirely sure of that.
$ls -l packages/acs-authentication/CVS total 4 -rw-rw-r-- 1 simonc cvs 47 Aug 22 06:55 fileattr $ cat packages/acs-authentication/CVS/fileattr Facs-authentication.info _watched= D _watched=Anyway, I think we could nuke all these fileattr files and the problem would go away but I wish I knew why they got created in the first place.