New BSD licensed CVS replacement for OpenBSD

Jeferey Bakins writes "In an effort, by Jean-Francois Brousseau (jfb@openbsd.org), to rid the OpenBSD CVS tree of GPL'ed licensed code, OpenCVS is now officially part of the OpenBSD project. For more details, see the OpenCVS homepage; http://www.openbsd.org/opencvs/"

That's great. . . but, um, why?

[Christopher+Cashell]

I'm all for developers choosing their own license, and I'll for making sure that license incompatibilities don't cause problems for software developers.

However, we're talking about a tool you use for development, not something that is traditionally integrated into an application. CVS is a solid piece of software, and Subversion fixes many of the minor issues with CVS, and if those aren't your cup of tea, there are a number of other interesting version management tools (darcs, arch, bitkeeper, etc).

Considering all of that, do we really need a CVS clone, where the only difference is the license?

Especially when development of CVS has essentially ceased, other than bug/security fixes, and there are superior alternatives being developed (even the CVS developers will readily admit that CVS has architectural deficiencies that can really only be solved by a design, which is why most of them have moved on to other versioning tools).

So, I'm left wondering. . . why? Why bother doing this? What exactly does this achieve? I mean, if the guy writing this gets his rocks off on reimplementing somewhat obsolete applications, then more power to him, but I can't help but think that he could find something more rewarding than this.

Re:That's great. . . but, um, why?

[DrSkwid]

do we really need a CVS clone, where the only difference is the license?

When the "we" is OpenBSD then the answer is yes.

If you are not part of that "we" then the question is pointless.

Re:That's great. . . but, um, why?

[Christopher+Cashell]

When the "we" is OpenBSD then the answer is yes.

So the goal is to reimplement every piece of GPLed code, is that correct?

Let me know when they've finished with their GCC, Gnome, and KDE replacements. I'm looking forward to trying them out in 2012.

If you are not part of that "we" then the question is pointless.

Ah, that's helpful. All of a sudden, I'm reminded of why I've never cared much for OpenBSD.

You guys enjoy your "new" CVS. I'm going back to actually getting work done using the tools available to me, including new technology like Subversion, darcs, and arch, as well as legacy software like CVS.

Ideology is great, but once I reach the minimum required level of freedom (for my definition of free (which tends to closely parallel the DFSG)), I'm more interested in pragmatism and getting things done.

Re:That's great. . . but, um, why?

Ahem... cvs is a network service, gnome/kde are just desktop environments. OpenBSD is focussed on securing networks, yes? What makes you think that writting a more secure cvs is a waste of time? You talk about being pragmatic, but then you say everybody needs to start using subversion/darcs, so you must also think everyobody must ditch Windows OS and use Linux instead? Well guess what, people are going to keep using the tools they already know and have invested much time in, so maybe it's good if somebody can fix these tools.

Re:That's great. . . but, um, why?

If it wasn't just a license thing, then why not just patch CVS? Why not fork CVS and use the same license? Why not contribute to a project that offers superior services to CVS (say DARCS or the like)? No, it is foremost a licensing issue and you are being disengenious saying otherwise.

Erh, patching old, crufty, buggy CVS code may not be the best way to make it secure. OpenBSD realize that making CVS as secure as they prefer would imply a rewrite in any case. So why not start out fresh? Much easier to audit their own code based upon their own secure coding techniques.

Re:That's great. . . but, um, why?

You didn't write the code, so shut yer yap. It's amazing how people who are "pro-freedom" want so much to control the actions of others.
Oh yes, true freedom means you don't try to control others. That means you, and the GPL are not about freedom, they're about imposing your will on others.

Re:That's great. . . but, um, why?

[Goo.cc]

You know, some people don't care for software that is emcumbered by the GPL and it is perfectly reasonable to write a replacement for such software. Just because you don't agree doesn't make it wrong.

Re:That's great. . . but, um, why?

[Richard_at_work]

The thing that amuses me about this post is that someone probably said this exact thing way back in the 1980s when GNU put together the project to write their own c compiler, unix replacement etc. When will people understand that some people view the GPL in the same manner as those GPL evangelists view commercial licenses - not free enough. Ideology is great, but you have to realise that everyones ideological views are the same - an opinion, and yours may not be the same as mine.

Re:That's great. . . but, um, why?

[Brandybuck]

do we really need a CVS clone, where the only difference is the license?

If you would have bothered to read the article, instead of relying and the biased slashdot blurb, you would have realized that licensing isn't even offered as a reason. Really it's not!

For your edification, here is the complete stated rational for OpenCVS: "The OpenCVS project was started after discussions regarding the latest GNU CVS vulnerabilities that came out. Although CVS is widely used, its development has been mostly stagnant in the last years and many security issues have popped up, both in the implementation and in the mechanisms."

Re:The battle continues...

[DrSkwid]

It is not a debate.

"do what thou wilt" is the OpenBSD creed and the GPL is incompatible with that, what's your problem ?

Re:Why ?

One step at a time. Their use of CVS is deeply ingrained at the moment. Rewriting a well-understood tool is one thing. Designing and implementing a new source-control tool is a much larger, riskier task.

Re:The battle continues...

[SirGeek]

There's no silver bullet for licences either. The OpenBSDers want their system licenced under their rules, and more power to them. They have to remove all GPL code to do this beacuse the GPL is a more or less all or nothing free software licence.

Then is Open BSD going to stop using GCC ? I mean, GCC is GPL so it is using GPL software to create their system, right ?

Article Summary Misleading

[eviltypeguy]

I think the article summary is somewhat misleading, the front page of the project claims that OpenCVS is a result of the ongoing security vulnerabilities in the existing CVS project, which has grown stagnant:

The OpenCVS project was started after discussions regarding the latest GNU CVS vulnerabilities that came out. Although CVS is widely used, its development has been mostly stagnant in the last years and many security issues have popped up, both in the implementation and in the mechanisms.

Of course, I'm not going to be stupid enough to deny that there is a great probablity that another unwritten motivating factor was to use a non-GPL licensed piece of software. But, I think time has proven that while OpenBSD may not be a very useable distribution from a common desktop end-user standpoint, a lot of very good portable, secure code has come out of the project. Since I have to continue to run CVS servers for some of the projects I host I look forward to a secure portable CVS server that I can be more confident in.

Re:Article Summary Misleading

[evilviper]

while OpenBSD may not be a very useable distribution from a common desktop end-user standpoint

I have no idea why people keep saying this. It's behind FreeBSD in the number of ports, but it still has all the major stuff available. Firefox, KDE, GNOME, etc. It's a bare Unix system, waiting to be made into anything you want it to be. How can it possibly be unusable for the same tasks that other Unix systems are usable for?

Frankly, I find it to be a bit nicer than FreeBSD, and miles ahead of Linux, in that every device you plug-in will work immediately without problems, or will not work (because it's unsupported), rather than requiring you to load modules left and right, and change parameters, addresses, etc.

that's not the goddamn point

[Geekboy(Wizard)]

the point of opencvs isn't to randomly replace GPL'd code, but to provide a different implementation, that is free of bugs and security issues. he's also working on other features to make cvs server better, and more secure.

Re:that's not the goddamn point

[0racle]

That was the portable OpenSSH, not native OpenSSH. OpenSSH on OpenBSD has had one problem in the past few years because all the parts that it requires are secure and audited. Porting OpenSSH to other platforms requires them to link to other libraries that have not been written as securly and very often never audited, therefore its not a bug in OpenSSH so much as an unintended interaction because it is outside of its native environment.

Rumor has it that you havne't had to update qmail or djbdns because those projects arn't exactly open to accepting bug reports or acknowledging the fact that there might be problems. I don't really know, I don't use either of them.

Re:More than the license.

You should really look at CVS code before saying something like that... it's mostly impossible to fix anything down there.

and there are also some good reasons not to switch to subversion.

You say it's the same developers as CVS ? well, big surprise, they produced another half-finished piece of software.

When what you care about is not extended functionality, but robustness and speed, cvs does not fit the bill. Neither does subversion.

Umm. No.

[nenolod]

In an effort, by Jean-Francois Brousseau (jfb@openbsd.org), to rid the OpenBSD CVS tree of GPL'ed licensed code, OpenCVS is now officially part of the OpenBSD project. For more details, see the OpenCVS homepage; http://www.openbsd.org/opencvs/

Umm. No. That's not what it's about at all. Lets correct the mistakes now, shall we?

1) There was no OpenCVS until the OpenBSD project noticed some major security vulnerabilities posted to bugtraq in GNU CVS.

2) The reason why OpenCVS was written was to provide a more secure client/server package than what the [now stagnant] GNU CVS project is currently providing. It has nothing to do with GPL vs BSD, infact the OpenBSD project is all about what RMS calls "free software".

So basically the Slashdot editors posted a troll to the front page. Beautiful. :)

Re:The battle continues...

[Richard_at_work]

OpenBSD will stop using GCC when the Tendra Project has reached a satisfactory level of maturity. The OpenBSD team work under the premise that GPLed items are 'free enough for them' until a replacement can be found, just like Linus works under the same premise (see Bitkeeper).

Re:More than the license.

[setagllib]

There's more to it than that, though. BSDs run on a "least surprise" tactic, whereby major systems shouldn't change unless there is something REALLY wrong. The BSDs have all used CVS right from the early versions, and can still be fetched this way. If any of them were to drop CVS support for Subversion, for instance, users would have to adapt, and with the significant user base of BSD, that's quite a disruption.

An honest question: Can Subversion import a CVS history and all branches and everything else relevant without any need for hand-hacking? Because when you want to migrate decades of source to a new system and keep it in working order, you don't want to have to mangle every file by hand. If Subversion does this then it's not entirely impractical to implement it - but since the biggest TRIVIAL (can be fixed without disrupting user base's expectations) problems in CVS can be fixed with a compatible re-write, it makes sense to do it that way. In this regard I congratulate OpenBSD on yet another brilliant and far overdue idea.

Re:Why CVS?

arch is a different beast altogether (and because of that much more complex) and not finished yet.
svn is still too new for some people to trust it implicitely. cvs is tried and true. a lot of folks will be using it for a long time to come. at least until they feel confidant enough in the alternatives.
don't forget there's lots of people out there who are used to cvs and have come to accept it. just like you're used to the limitations of the networking protocols TCP/IP, SMTP, etc. which are currently known to have problems but there's too much invested in them right now to just switch on a dime. change takes time. the openbsd folks understand this apparently. their solutions so far have been not to reinvent the wheel from scratch but to try and fix it as much as humanly possible. for that i'm grateful!

Re:The battle continues...

[dmiller]

gcc isn't perfect, but it isn't nearly as annoyingly bad as some of the other stuff we have to use. More importantly, it doesn't have to deal with untrusted network data (like cvs does).

A BSD licensed cc would be nice, but an absolute crapload of work - especially renovating all those programs and ports that depend on gccisms (some of which are perfectly reasonable)