New BSD licensed CVS replacement for OpenBSD
Jeferey Bakins writes "In an effort, by Jean-Francois Brousseau (jfb@openbsd.org), to rid the OpenBSD CVS tree of GPL'ed licensed code, OpenCVS is now officially part of the OpenBSD project.
For more details, see the OpenCVS homepage;
http://www.openbsd.org/opencvs/"
There's no silver bullet for licences either. The OpenBSDers want their system licenced under their rules, and more power to them. They have to remove all GPL code to do this because the GPL is a more or less all-or-nothing free software licence.
It's got nothing to do with evangelism, and all to do with practicality. You can't have bits and pieces of code GPLed and some not.
Other licences are more flexible, but are less precise. I'll still be using the GPL for most of the code I write, because I want as many people as possible to use it, and be fully secure in doing so.
Read again...
.-) ) to rewrite it. Also, understandable code makes it easier to find and fix non-security bugs (but we like to look at all bugs as potentially exploitable ones .-)).
While CVS has been a functional tool in simple use, it has quite some drawbacks. Everyone who has been in the CVS guts (believe me, I have) knows that it is essentially write-only code.
It is quite buggy, albeit the bugs are in corner cases, not seldom noticed by people not using CVS massively. The CVS maintainers have been unwilling to accept bug reports (it may be a matter of opinion: "it's not a bug, it's a feature" has been heard). OpenBSD has had several local changes to cvs over the years.
However, for the reason stated above (write-only code), we cannot trust the code enough. It has been one of the weakest spots of our system security-wise. CVS is also a network service; as such, it can put systems at potential risk, like all network services. We want to be able to put greater trust into this service. The people who think this is just license masturbation are wrong. It is nice to be able to free code, but the important thing is to secure it. GCC is not a network service. The GPL is not reason enough for us (yet
Niklas Hallqvist (I don't care enough to create a /. account)...
OpenBSD won't stop using GCC until a reliable BSD-licensed Compiler Collection replacement is available. One such possibility is TenDRA; http://www.tendra.org/
Correct; OpenBSD is compiled by the GCC.
There is a lot more to this than the license, though the license alone would be more than sufficient to justify doing it. While true, CVS is typically a development tool, that is HARDLY the limit of its abilities. What if you want to use a modified CVS to track configuration changes in a non-open source application? Oops! Can't do that with GPL'd CVS.
:). Then there is just plain simple security: nothing stops any person who has CVS access from being able to go in and directly edit the CVS repository files OUTSIDE the CVS system, leading to untracked changes in the tree.
CVS development has basically stalled for quite some time. It has reached "good enough" state -- obviously, considering the number of projects that live off of it -- but there are still issues. Check the OpenBSD CVS commit logs, search for "cvs sucks" and other such non-positive reviews of CVS's operation.
There is also the relative primitiveness of some aspects of CVS and its access rights. If you have access to the CVS repository, you can do anything with it... What if I'm not qualified to work in certain trees? What if I fat-finger an scp operation and upload a huge set of files into the CVS directory (no, I *don't* want to talk about it, but it's not a hypothetical concern!
And that's hardly all the complaints... If you think "license" is the only difference, you obviously didn't read the goals page very carefully (or believed the one line summary
As much as I use Subversion and other modern alternatives, CVS is not dead.
Just take a look at what the previously win32-only CVSNT client/server package can do for you.
It runs perfectly fine on GNU/Linux and also has commercial support if needed.
> No, it is foremost a licensing issue and you are being disingenuous saying otherwise.
It is also a licensing issue.
> You may call me impolite if you wish, but I am no more impolite than the insinuation that GPL'd CVS is somehow not FREE.
It has a restriction. That restriction may serve a good purpose, but it is a restriction nonetheless and hence less free. Whether it is free enough or actually better or whatever is a matter of opinion. Calling it non-free is a bit too much imho, but calling it not free enough, well, I tend to agree there, but I accept that others don't. How difficult is it for you to do what you said and accept someone else's choice, even more when that someone is also prepared to do the work for it?
Eventually, yes.
With the general crappiness of GCC3, quite a few developers have been looking at TenDRA. Licensing issues helped, but it's really how slow and buggy GCC3 has become that is driving people away.
And before I get modded down as a pro-BSD troll, I'd like to say, you can hear the same complaints from plenty of Linux devs as well.
CVS is a solid piece of software
No, it isn't. Development is not that active anymore, and the code is a total mess. Why? The networking portions are an afterthought, so there's a lot of duplicated code. It has tons of problems (ever tried renaming a file and keeping its history?). But it does the job, and that's why a lot of people use it. The OpenBSD guys rely on CVS to do their job, but if it's an insecure piece of software then a replacement is very welcome.
While I advocate OS, I settled on Perforce (free for 2 users/2 workspaces) for my home projects more than 2 years ago and never looked back.
I say, kudos OpenBSD guys for doing this, it's a win-win situation.
This is different, yes OpenBSD developers are working at removing GPL tools, but that does not mean they aren't replacing things of other less-free origin.
Replacing the GnuCVS with OpenCVS isn't just over a license; it is more that as long as they're doing such a massive undertaking, they may as well go a little further and start fresh with a better license.
If the same class of people are doing opencvs then should we assume that the only safe environment to run opencvs will be OpenBSD, until otherwise proven?
The "class of people" responsible for the bug in portable OpenSSH was me and nobody else - so please don't impugn the other OpenBSD developers.
The fact that the 3.7.1 hole was not exploitable on OpenBSD was due to the fact that the bug related to PAM authentication, which OpenBSD doesn't use (for good reason).
BTW, the bug was a logic error that could have been made in any language, so the standard Slashdolt cry of "C is insecure, use XXX" wouldn't have saved you.
1) Poorly specified - there are several ambiguities in the spec, some with security implications if you get it wrong.
2) Implementation differences between Linux-PAM, Sun PAM and OpenPAM - as a direct result of (1) above.
3) Useless broken API which is completely blocking (i.e. it prompts for and expects to receive the password/response in a single function call) - making it near-useless for a network application without major trickery.
4) Broken design that requires loadable modules which are encouraged by the API to pass opaque data behind the back of the calling application.
5) Total lack of separation between policy and mechanism - users are expected to configure policy by specifying which loadable modules are loaded using a silly and restrictive grammar.
6) Zero standardisation for modules or their arguments. As a result, everyone implements things a little bit differently.
Those are just the ones off the top of my head.
2nd: It is a question of priorities. The OpenBSD project does not want such an important tool (and a networking tool as well) for their development to be of questionable quality. Other posts provide more info on why we think GNU CVS is a security hazard.
1: I explained this in another post, you must have missed it. The BSDs can have sources fetched via CVS (NetBSD recommends this way, rightly so), and having it in the base package makes this infinitely more convenient than having to install the gargantuan cvsup port or poking around for up-to-date-enough source tarballs once daily. Given the relatively small footprint of the CVS client, this convenience is well worth it.
2: They don't have 'too much human resources', you're thinking of Linux. OpenBSD has clear goals and, yes, is motivated to achieve these goals. Security and freedom are goals; this project helps both. The BSDs don't "struggle hard" with manpower, they have as many developers as are needed; everything worth doing gets done. And having fewer developers is often better for coordination, which is why BSD code bases continue to be consistent and robust.