OpenBSD Project Will Release OpenCVS

thequbemaster writes "The OpenBSD project, responsible for OpenSSH, OpenBGPD, and OpenNTPD, has created OpenCVS, a BSD licensed implementation of CVS client and server. From the site: 'It aims to be as compatible as possible with other CVS implementations, except when particular features reduce the overall security of the system. The OpenCVS project was started after discussions regarding the latest GNU CVS vulnerabilities that came out. Although CVS is widely used, its development has been mostly stagnant in the last years and many security issues have popped up, both in the implementation and in the mechanisms.' No releases are available yet. The README in the OpenCVS CVS repository states that the server is not ready yet, but looks like the client is usable." Update: 12/15 20:18 GMT by T : This project was mentioned briefly the other day, too.

how long till we wait ..

[macaulay805]

for OpenWindows?

(its a joke, laugh!)

Re:how long till we wait ..

[PygmySurfer]

You mean this abomination?! Please, anything but OpenWindows!

And people think CDE is bad...

Re:how long till we wait ..

[compwiz312]

It already exists...

ReactOS http://www.reactos.com/

Ummm.. I had to read that a few times....

[GameGod0]

The OpenCVS CVS repository?

lol

Re:Ummm.. I had to read that a few times....

[Aneurysm9]

Bah! No more confusing than using GCC to compile GCC.

Re:Ummm.. I had to read that a few times....

[pablodiazgutierrez]

Actually, it'd be like using a hypothetical OpenGCC to compile GCC.

I'll have to "Check It Out"

[lottameez]

hahahahahahaha. I kill me.

Re:I'll have to "Check It Out"

Please.

*rimshot*

Re:I'll have to "Check It Out"

[DasAlbatross]

You really need to update your repretoire!

Re:I'll have to "Check It Out"

parent was funny, you're gay.

Re:I'll have to "Check It Out"

[wowbagger]

I think you need to be committed.

Re:I'll have to "Check It Out"

[stratjakt]

I checked it out but I couldnt commit to it.

HAHA get it, theres a client but no server.. hee hee..

Re:I'll have to "Check It Out"

[Jeff+DeMaagd]

I kill me.

My guess is that if you don't finish the job, some other slashdotter will.

Re:I'll have to "Check It Out"

let me guess, you'll be here all night. just kill me now eh and get it over with

Re:I'll have to "Check It Out"

[gaj]

I kill me.

Hmmm ...

Apparantly it's not just humor you suck at, then.

Re:I'll have to "Check It Out"

[aled]

You update from the repository.

This Article is Redundant

[Nimrangul]

There was already an article regarding OpenCVS, and it is fairly obvious that it will be getting released, or it would not be given a Open* title and it's own site.

Not that I mind mind you, I just didn't see why there have been to articles on OpenCVS starting up. At least this one isn't saying it was because OpenBSD hates the GPL and are trying to replace a GPL CVS system.

Re:This Article is Redundant

it's own site

"its".

Were we not...

[jwthompson2]

already aware of this?

http://bsd.slashdot.org/article.pl?sid=04/12/06/ 11 54242&tid=8&tid=7

That was back on December 6th!

Re:Were we not...

[freshman_a]

The only people aware of this were the people at The Department of Redundancy Department who were the only people already aware of this.

Re:Were we not...

[KillerDeathRobot]

Perhaps /. editors need to set up a CVS repository of articles so they can better coordinate posts?

Re:Were we not...

[ajs]

Why is there not a moderation option, -1, Use the Freaking URL tag?! Slashdot may still add in its annoying space, but at least the href works.

For those who still want that link in a usable form, it's http://bsd.slashdot.org/article.pl?sid=04/12/06/11 54242&tid=8&tid=7

Re:Were we not...

[jwthompson2]

Sorry for your loss, I've never understood the moderators system, too variant and standardless....

Re:Were we not...

[Nimrangul]

No loss involved, I just cannot wrap my head around this system that was constructed for moderation. Leaving it in the hands of random joes has made it less than steller.

Then again, I also believe in a more structured system in society where only the educated can vote after passing a test to show they know what all the candidates are and what they stand for.

Dupe

[jwbrown77]

Link

Re:Dupe

[3terrabyte]

Heheh. Shouldn't the actualy story get a -1 Redundant? Not the poster!

A great idea...

[holzp]

Merge the userfriendlyness of OpenBSD with the userfriendlyness of CVS!

What is wrong with subversion?

[Yaa+101]

What is wrong with subversion?

Re:What is wrong with subversion?

The Apache License.

Re:What is wrong with subversion?

[salimma]

I was about to ask the same question; the Subversion license seems to be BSD-like enough, and Subversion is a joy to use..

Re:What is wrong with subversion?

[Frymaster]

What is wrong with subversion?

nothing. unless, of course, you already have a major project that's been using cvs. then, if you want to switch to subversion you have to retrain your development team and switch over your repository with the cvs2svn.py tool which, according to the subversion site "is still under development... only use it on a copy of your CVS repository and double check your results"

if you're in a major production environment, that's a no go.

Re:What is wrong with subversion?

[chroot_james]

This is the OpenBSD team. Not a bunch of louts. They could learn SVN overnight and write an open replacement for it in a week. Remember when they decided they didn't like ipf? They designed and implemented a new packet filter that was _better_ in barely any time at all.

With their vigilance, they'd clearly go with which ever they thought was better.

Re:What is wrong with subversion?

[oliverthered]

What, so when you roll out you don't.
a: test using a copy.
b: veryify that everythings gone ok and then....
switch or roll back.

Or are you sying that your major project isn't 'still under development...'
Sounds like good practice to me.

Re:What is wrong with subversion?

[Phred+T.+Magnificent]

Damn, where to start? In no particular order:

• Subversion uses too damn much disk space, particularly on the client (not that it's good on the server, either, but when the client is an older laptop with a 9 GB hard drive, you really notice the problem)
• Subversion is slow
• The server-side database is too easily and far too frequently corrupted or left locked by an aborted client request, resulting in ridiculous slowdown on the client side and increased administrative overhead on the server side
• Most Subversion installations are configured to work over HTTP (only). This provides all kinds of nice anti-benefits, like:
  • Eliminating key-based SSH authentication and replacing it with weak password-based HTTP "basic" authentication
  • Replacing a nice, encrypted SSH transport with plain-text HTTP
  • Making it so that in order to use Subversion over an SSH tunnel, you first have to shut down your local Apache server, modify /etc/hosts and set up the tunnel as root, because, of course, a non-root user can't tunnel port 80

The list goes on and on and on, but I'm not interested in continuing it just now. Subversion hasn't managed yet to be the worst version control system I've ever seen: that title is still held by PVCS on Windows 3.1, circa 1995. It's getting to be a close race, though.

Re:What is wrong with subversion?

[Jahf]

Not necessarily. Switching off of ipf doesn't affect -every- developer. In fact it likely affected only the developers that went off to work on a replacement.

Assuming OpenBSD uses CVS today, then moving to a new toolset instead of mirroring the functionality of the existing tool affects -every- person who developes on OpenBSD.

That is a far far far more acute impact. One that I know I wouldn't want to be in charge of handling. This is the kind of thing that gives IT folks nightmares ... and developers can be some of the most obstinate people to retrain (and I say that with all affection to my father and co-workers).

Not to mention the hassle/risk of switching the systems over in the first place.

Re:What is wrong with subversion?

[fitz]

I've just corrected the project FAQ page to no longer reflect that cvs2svn is still under development. It's now stable, under maintenance and has been used to convert many many CVS projects, including Apache HTTP Server, Mono, and more.

Re:What is wrong with subversion?

What's wrong with subversion?

Well, specifically CAN-2004-0179, and many
other security flaws.

If you want something done right,
count on the OpenBSD group to make it
secure.

Re:What is wrong with subversion?

[TTimo]

Actually, as much as I love Subversion ( I'm not going back to CVS - open or not ), it hasn't proven much in terms of security. Apache 2 for http/https access is great for your end users, but at the same time, it hasn't been scrutinized a lot for security yet. I guess there's still Subversion over ssh if you want to strengthen things a bit.

Re:What is wrong with subversion?

[bill_kress]

I remember that old PVCS POS. It was what we used on windows 3.0 in '91-2 if I remember correctly.

But I was wondering if you had used MKS. Obviously there is no comparision to the old PVCS, but I think it is the worst VCS in common usage.

If I ever want to go find an example of how to make a really bad UI, I can go to MKS.

Re:What is wrong with subversion?

[bhima]

PVCS on Windows 3.1, circa 1995 Thanks, I had put that out of my mind

Re:What is wrong with subversion?

[ftzdomino]

It works just fine over HTTPS giving you a lot of extra security without a ridiculous ssh tunnel setup needed for any security in CVS.

Re:What is wrong with subversion?

[Doomdark]

if you want to switch to subversion you have to retrain your development team and

Yeah, that's SUCH a HUGE effort. Instead of 'cvs update', you need to use 'svn update', instead of 'cvs commit' you do 'svn commit'... you get the picture. Subversion was specifically designed to be pretty much just drop-in replacement of CVS; its design (even beyond CLI) is pretty similar to CVS (some consider such 'compatibility' to be a bad thing, as it prevents doing some more radical improvements).

Really, from command-line perspective it's trivially easy change; the biggest caveat from 'end user' POV are probably IDEs and other more advanced integration points.

From admin/scm viewpoint there may be more issues, but just using Subversion instead of CVS, that's a breeze.

Re:What is wrong with subversion?

[slipsuss]

I think your information is a bit old.

Point for point:

* Subversion deliberately uses a lot of working-copy disk space, because it's optimized for network use. (that is, it assumes that network is scarce, and disk is cheap.) It caches pristine copies of files so that lots of commands ("diff", "revert", "status") all work offline. It's a deliberate choice. Someday the developers hope to make this tradeoff configurable.

* Subversion is slower than CVS, yes, but not unusably slow. And it's faster than CVS at some things, like branching and tagging. The speed tradeoffs are amortized over the overall lifecycle of using the software. For example: it takes longer to checkout a working copy (because more data is being created on disk), but then after that, some common commands are faster than CVS as a result.

* Subversion has exposed BerkeleyDB's brittleness to end users, which is admittedly a mistake. But the Subversion team is now working closely with Sleepycat to fix these problems. And besides, there's now a whole non-database repository alternative that you can use. You can choose to avoid BDB altogether.

* You seem to be unaware that Subversion is not only able to use http://, but https:// as well, complete with server and client certificate negotiation. You can also tunnel the custom server protocol over ssh, using svn+ssh:// urls; no apache required at all, if you'd just prefer to use existing ssh accounts.

Hope this clarifies things.

Re:What is wrong with subversion?

[Doomdark]

Subversion is slow

Weird. My experience has been the exact opposite -- Subversion being significantly faster (but apparently partly due to increased disk usage, using local full copies; not requiring network access for doing status etc), and that with actual source code. And with binaries... well, CVS barely even works with binaries (plus big binaries can just bring down the CVS server -- needs at least twice the size of the binary on server side, contiguous memory); whereas Subversion has no trouble whatsoever.

I can't comment on ssh part, as the repositories I use are (I guess) properly configured so I just use svn+ssh indicator and things work smooth. I'm not sure if it's reasonable to blame scm on people don't configure it properly, however.

Re:What is wrong with subversion?

[Gerald]

You can add Ethereal to the list. We switched over a few months ago using cvs2svn.

Re:What is wrong with subversion?

[Ragica]

I'm by no means a subversion expert, or even a daily user (i have use CVS for my daily work; but i keep my personal projects that i rarely get a chance to play with in subversion), but even I can answer most of your points.

• It isn't the most disk space efficient system; but as you point out, the laptop you are using is rather limited. For the vast majority of cases these days this is not an issue.
• Slow compared to CVS? I find just the opposite. It's very much faster for most operations. Perhaps we are using it on different types of repositories.
• The database corruption/locking is a point I will give you. In my fairly casual reading on the subject it seems even the Subversion developers will give you this point. The good news is that the underlying architecture should be portable to other storage types, and this is supposedly going to be coming eventually. On the other hand, while there have been some annoying storage issues with subversion, and I've had to fix and manually unlock the database a few times, i've never lost data.
• The fact that most "installations" work over http only is not subversion's fault. It has many methods that can be used. Personally I like https via Apache webdav. It's much more flexible for my usage. But one can set things up to use ssh transport (and you don't have to do it via apache as you seem to be).

I'm just amazed no one more knowledgeable than me has responded to these points yet. Perhaps the more hardcore users weary of answering these constant misconceptions...

Re:What is wrong with subversion?

[kirkjobsluder]

Well, the big problem is that there are hundreds of legacy projects and update mechanisms that currently depend on cvs. (For example, FreeBSD's cvsup.) This means that there is still a need for a secure re-write of cvs.

Re:What is wrong with subversion?

[MemoryDragon]

Which is pretty much the same as the BSD license...

Re:What is wrong with subversion?

[MemoryDragon]

You dont even need apache for svn, you can run a standalone svn server as well, currently svn has three access methods, DAV with Apache, SVN for plain SVN TCPIP access and SVN+SSH for combined svn and ssh access.

Re:What is wrong with subversion?

[kjs3]

In other words, nothing. I'll have to check it out.

Re:What is wrong with subversion?

[kirkjobsluder]

It's not just devolopers who who would be affected by the changes. Both OpenBSD and FreeBSD use cvsup to distribute updates to users.

Re:What is wrong with subversion?

[Mr.Ned]

OpenCVS isn't trying to improve version control techniques, it's trying to provide an alternate implementation of CVS.

Re:What is wrong with subversion?

[dnf]

Of course, CAN-2004-0179 (and CAN-2004-0398) are neon (webdav library) security flaws, which were both fixed in July 2004. ( http://www.webdav.org/neon/ ) And the fixed (0.24.7) version of neon was required by Subversion 1.0.6... also released last July. ( http://svn.collab.net/repos/svn/trunk/CHANGES )

So, yes, if you are using a older version (less than 1.0.6), Subversion does have those particular security flaws. But the current version (1.1.1) certainly doesn't. And you should be keeping track of security fixes no matter what product you are using.

Re:What is wrong with subversion?

Or if you read it, you would realize it makes rediculous patent stipulations. A license is a grant of copyrights, apache is trying to make a contract, which is a very untested and likely to be non-binding legal grey area.

Re:What is wrong with subversion?

[Phred+T.+Magnificent]

Yes, I have used MKS, from 1997-2000. I'll grant you the point about the UI. My main complaint with PVCS, though, was its boneheaded workaround for the 8.3 problem, which resulted (frequently, on my particular project) in it blithely overwriting a stored file with data from an entirely different file.

Re:What is wrong with subversion?

[Tenareth]

And the new PVCS is better how? It's just as bloated, horrific and impossible to use in the latest versions as it was back then.

Re:What is wrong with subversion?

No ssh tunnel is needed for cvs, try using it sometime. You need nothing special at all, just an account on the machine, and ssh to be running.

Re:What is wrong with subversion?

[Phred+T.+Magnificent]

* Subversion deliberately uses a lot of working-copy disk space, because it's optimized for network use. (that is, it assumes that network is scarce, and disk is cheap.) It caches pristine copies of files so that lots of commands ("diff", "revert", "status") all work offline. It's a deliberate choice. Someday the developers hope to make this tradeoff configurable.

I am aware that it's a deliberate decision, and I am aware of the reasoning behind it. For most projects I've dealt with recently, the opposite assumptions have been true, though: network is readily available, but disk is (often) scarce.

* You seem to be unaware that Subversion is not only able to use http://, but https:// as well, complete with server and client certificate negotiation. You can also tunnel the custom server protocol over ssh, using svn+ssh:// urls; no apache required at all, if you'd just prefer to use existing ssh accounts.

No, I'm not unaware that you can do that. The problem is that most of the Subversion installations I've seen -- including the one at work, unfortunately -- don't. Of course, the repository at work would require an SSH tunnel for access from outside the firewall in any case, since we'd never put it on a publicly visible server even with https, but having to run the tunnel on port 80 is a real pain.

Re:What is wrong with subversion?

[Phred+T.+Magnificent]

I couldn't tell you; I haven't used it since back then. I certainly hope they've at least fixed the 8.3-related problems, though.

Re:What is wrong with subversion?

The KDE project is evaluating svn as well

Re:What is wrong with subversion?

[JoeF]

Huh? Get a clue.

• You can use whatever authentication Apache uses, including MD5, LDAP, what-have-you.
• You can use HTTPS. I do. Much easier to set up than CVS with a tunnel.

I moved my CVS archives over to Subversion when svn hit 1.0 and I never looked back. svn is sooo much better.

Re:What is wrong with subversion?

[divec]

Making it so that in order to use Subversion over an SSH tunnel, you first have to shut down your local apache server, modify /etc/hosts and set up the tunnel as root, because, of course, a non-root user can't tunnel port 80.

Not sure if I've understood correctly, but tunnelling as follows works ok for me:
$ ssh -N me@remotebox -L8080:svn-server:80 &
$ svn co http://localhost:8080/my-project

Re:What is wrong with subversion?

[rudedog]

Subversion uses too damn much disk space

So what. Disk space is too cheap to develop to edge cases like your laptop.

Subversion is slow

Because it's doing a lot more things than CVS ever did. Those things are useful.

The server-side database is too easily and far too frequently corrupted or left locked

I rarely run into locked databases (on the scale of only 1 or 2 a year) and I have never seen database corruption.

Most Subversion installations are configured to work over HTTP (only).

And how is it Subversion's fault that admins don't set the installation up to use a more secure transport. We use subversion over https with a self-signed certificate. The weak point in that chain is not with subversion, it's with the local machine, and if the local machine is compromised, both subversion/https and cvs/ssh are both equally vulnerable.

The list goes on and on and on, but I'm not interested in continuing it just now

In other words, I can't think of anything other than "it won't fit on my 9GB disk", and "some people don't set it up securely".

Lamer.

Re:What is wrong with subversion?

[MemoryDragon]

Well it is so so regarding network stuff, checking in via subversion over a slow connection is a major pain, but then work is better than with CVS due to the decreased communication and data transfer, so I guess the tradeoff in the beginning pays off very swiftly later.

Re:What is wrong with subversion?

[Jason+Hood]

You seem to still be complaining about configuration issues within subversion rather than subversion itself.

I am not sure what environment you live in but in mine we only have 100Mbs and everyone has 120GB HDs. The server has 1TB of raid storage with 4 network adaptors each with its own svnserve bound to it. Our project has 55,000 source files with 120 active developers. No problems here. We moved off a proprietary system that cost 750k a year to this which costs 120k a year (one devs salary). Compared to our old system, this is fast as hell. A checkout of a 4000k module takes about a minute. We even run a change request management system on the same server...

Webdav is and always will be slow, its just not an efficient protocol. You may have had problems with subversion but this sounds completely specific to the setup you work in. A properly implemented system should run very smooth. I am not jabbing, just showing subversion can be successful with the right setup.

Re:What is wrong with subversion?

[Doktor+Memory]

The problem is that most of the Subversion installations I've seen -- including the one at work, unfortunately -- don't. Of course, the repository at work would require an SSH tunnel for access from outside the firewall in any case, since we'd never put it on a publicly visible server even with https, but having to run the tunnel on port 80 is a real pain.

So what you're saying is: Subversion provides a multitude of authentication options, and the fact that your local administrator picked one that you don't like is Subversion's fault.

Uh HUH.

Re:What is wrong with subversion?

[Mr.Ned]

As to taking up more space than CVS, well, yes it does, but that's because it stores more information that lets the user do basic operations like rename a file - operations that are not present in CVS and are hacked around.

As to being slow compared to CVS, it is slower on some operations (such as the initial get) because it retrieves more information than the server, but consequently other operations are quicker because it already has the information.

As to database corruption and an alternate backend, there's been an alternate backend for months now.

Re:What is wrong with subversion?

[compass46]

Simple, yet possibly one of the few comments that actually understands what OpenCVS is about. OpenBSD will be using CVS for some time, why not have an implamentation that they feel is more secure than the standard?

Re:What is wrong with subversion?

[Matt+Perry]

Except that with HTTPS you have to dick around with creating a certificate, getting it signed, or self signing it, making sure that you don't have duplicate serial numbers (which some programs abort on), etc. Not to mention all the different formats for certificates. Dealing with those certificates is a huge pain in the ass.

SSH is easy because it'll handle the negotiation of all of that automatically. It's also trivial to create a SSH key with or without a password and put that on the server you want to connect to.

Re:What is wrong with subversion?

[aled]

In this line of work there is always changes, new products replace old products, new unproven technologies. Otherwise we would not have innovation. That's why we have plans and QA.
I really don't see the point of redoing CVS. It's time to grow. Better to start planning a migration to something better. CVS has way too many limitations. This isn't a tech problem but a people problem.

Re:What is wrong with subversion?

[aled]

I like Subversion but you are command line parameters is the least problem in this kind of migration. There are cultural problems and difference in the work model.
Take a look at the Mono case study is really an eye opener.

Re:What is wrong with subversion?

Why is creating a private certificate such a pain in the ass on Unix? A drooling retard could do it with the certificate wizard on Windows/IIS. ya think they'red be a shellscript or something.

Re:What is wrong with subversion?

[JoeF]

This borders at the ridiculous...
So, all you have against svn is that you need to set up https??? Give me a break...
This is probably the most stupid excuse I've ever heard.

Re:What is wrong with subversion?

[dietz]

The good news is that the underlying architecture should be portable to other storage types, and this is supposedly going to be coming eventually.

Actually there's already another storage type in 1.1.

Re:What is wrong with subversion?

acute impact. One that

"acute impact, one that".

Re:What is wrong with subversion?

[mirabilos]

Try a

$ du -sk /cvs

I'm running an OpenBSD fork, and probably have
less code in my CVS than them, but it's about
1.55 GB for us right now.

I don't trust a Berkeley DB this far, and the new
filesystem backend of svn is... smelly.

In addition to that, Benny tried to play with
only the ports tree in a svn repo. Checking it
out after the import, with no mods yet, required
already 384 MiB RAM and swap. That's too much.

Our main CVS server is a Soekris net4801.

Re:What is wrong with subversion?

should run very smooth

"smoothly".

Re:What is wrong with subversion?

[mirabilos]

Neither are as large projects as an entire opera-
ting system with far above 100'000 files in the
CVS Repository.

Also, cvsweb won't work (viewcvs would, but it
uses Python, yuck, and is a worse nightmare to
patch/maintain), rsync on berkeley DBs is pretty
much unsupported, the new file storage is untested
and who-knows-what implications there are on lok-
king, and the biggest problem is anonCVS which
would not work any more. And nobody sane would
trust svn as a network server, or - worse - as
an Apache(tm) 2 module (henning@openbsd also
says Apache(tm) 2 is not broken code, but even
broken design, and that it will never ever run
on OpenBSD).

Also, RCS files are well-hung and (in the mean-
while) pretty documented files. Says someone
who's hung in there with rcs(1) commands as well
as $EDITOR countless times in the last 3 years.

Re:What is wrong with subversion?

[mirabilos]

Laptops have usually 10-30 GB disc space and
128-256 MiB RAM. And WLAN, or worse: ADSL
access to the repo via Internet (can you say
768 kbps downstream, 128 kbps up?).

Open Source projects often have Pentium-class
systems as servers. Alpha. Vax. SPARCstation.

Re:What is wrong with subversion?

[mirabilos]

Try SSH connection multiplexing with CVS, and
the slowest part - the authentication phase -
is not repeated. Works really really good.

Re:What is wrong with subversion?

Plenty. For one thing, for a project the size of OpenBSD, the global revisioning would be extremely annoying.

"Revert sys/arch/i386/i386/pmap.c from revision 328583 to revision 295834 and try again!" Or, alternately "Reverse-apply the change from 310349 to 310350"

As opposed to reverting from, say, version 1.103 to version 1.102...

Re:What is wrong with subversion?

No, he means using CVS with the :ext: protocol which uses ssh to run a CVS process on the server and pipe data between the two.

This is similar/equivalent to using the svn+ssh:// protocol.

Re:What is wrong with subversion?

[Jason+Hood]

So now you are saying that subversion doesnt work with open source projects but does for closed source? I am getting really confused...

Re:What is wrong with subversion?

[Doomdark]

Ok thanks. That looks like an interesting article/post, on problems certain kinds of projects can (and probably will) have; bigger ones that make heavy use of more advanced CVS features (and rely heavily on such less-frequently-used-in-general features).

Re:What is wrong with subversion?

[Phred+T.+Magnificent]

Yes, that does work, most of the time. There are at least two cases where it won't, though:

1 - You need your checked out copy to work the same whether you're inside the firewall (connecting directly to the subversion server without the SSH tunnel) or outside the firewall (using SSH)
2 - Whoever set up your repository did something with svn propset svn:externals

I know, I know, you can easily work around #1 by always using the SSH tunnel whether your're inside or outside the firewall (in fact, that's what you'd have to do with CVS, too, if you were using pserver and tunnelling 2401, unless you wanted to add an entry to /etc/hosts pointing your your.cvs.server to 127.0.0.1 whenever you were outside).

#2 is probably an unusual case -- at least, I hope so -- but it's a case that I'm stuck having to deal with, and it ends up meaning that I have to use ssh -L 80:svnserver:80 and a hosts file entry, rather than ssh -L 8080:svnserver:80 and localhost.

Re:What is wrong with subversion?

[Matt+Perry]

I don't have anything against subversion and never said that I did. If you had actually read my comment you would have seen that I was saying that the complexity of managing the required cerificates for HTTPS is beyond that of dealing with SSH and SSH keys.

Re:What is wrong with subversion?

What a grammar nazi, and in this case wrong as both sentences are valid.

"One" being used in obvious connotation to represent the object of the previous sentence ("acute impact").

Also legitimate but too wordy would have been:

"acute impact. An impact so acute that"

Apparently you're in the "English has rules" camp (see also: Sanscrit and Latin) rather than the "English is a living language" camp.

Oy I wish /. allowed you to track Anon comments in your profile so that you would see this.

Re:What is wrong with subversion?

[chaos_echo]

So now you are saying that subversion doesnt work with open source projects but does for closed source? I am getting really confused...

I think he's saying that many organizations don't have the resources to make a tool like subversion worthwhile. You may have an environment where memory and disk are plentiful, but some of us don't. It was pointed out that many open source projects fit into the latter category.

I own 4 workstations and the sum of the parts of all 4 don't match the specs of the machines you work with. Given the similar feature sets of subversion and CVS there is no way that you'll convince me that the cost of the resources necessary to use a subversion repository is justifiable, the ROI just isn't there when I can run a CVS repository easily on an old or low power machine.

This isn't even considering the benfits of familiarity with CVS and RCS. Subversion is a useful tool, I'm sure it will steadily improve as time goes on, but it's not perfect and certainly doesn't fit every situation.

Re:What is wrong with subversion?

[mirabilos]

(Hi Stephen.)

In addition, I read many of the svn-related
links in this article's posts today and found
the evaluation of GNU Mono's move to svn.

The svn developers clearly state that their
tool is not suited for projects as large as
ours (with way above 130'000 files), and even
Mono (with IIRC about 50'000 files) has got
difficulties because the management it totally
different for large projects.

So it looks that, how nice svn might be, we're
not even in the target market. And I didn't check
how many files or Gibibytes the OpenBSD /cvs is
right now, but I strongly believe they have at
least 60-70% more than we.

Re:What is wrong with subversion?

[setantae]

CVSup doesn't really have any ties to CVS - it will distribute any tree you care to give it quite happily.

Re:What is wrong with subversion?

[Brandybuck]

What is wrong with subversion?

Slashdot posts story about Konqueror and some troll asks "What is wrong with Firefox?"

Slashdot posts story about Vim and some troll asks "What is wrong with Emacs?"

Slashdot posts story about SuSE and some troll asks "What is wrong with Fedora?"

The answer to all of the above is the same: "Nothing. But that isn't the project under discussion. Next time read the story blurb so you know what the topic is."

Re:What is wrong with subversion?

[1110110001]

...rsync on berkeley DBs is pretty
much unsupported, ...

BDB is just the backend Subversion uses. If you want to transmit your repository or do a backup or whatever it would be much better to use a dumpfile. 'svnadmin dump' creates dumpfiles and 'svnadmin load' imports dumpfiles.

b4n

Re:What is wrong with subversion?

[tepples]

Disk space is too cheap to develop to edge cases like your laptop [with only 9 GB of hard disk space].

My laptop has even less, you insensitive clod! How would one find 30 spare hours to flip burgers to earn 100 USD after taxes for a new laptop hard drive? And pardon my ignorance of the proper Google keywords, but are hard drives fully compatible among laptop models, or does one tend to run into BIOS limitations? Or is my world view completely screwed up?

We use subversion over https with a self-signed certificate.

Pardon my ignorance, but what's the smoothest way to deploy a self-signed certificate to all users?

humm

[whyne]

http://bsd.slashdot.org/article.pl?sid=04/12/06/11 54242&tid=8&tid=7

Mainstream

[Manan+Shah]

What will really put this into a mainstream enviornment is if there are some good GUI clients available for it. If an easy to use, and perhaps more importantly, cross platform GUI client is released, you can bet that the popularity will go up. Visual Source Safe (Microsoft) isn't all that great, but people still use it because CVS doesn't have a robust windows GUI client. Or at least it didn't early on and so the first impressions were not very friendly from companies looking at products where they wouldn't have to train their employees as much. If they can come up with a great GUI right off the bat, Microsoft will really sweat.

Re:Mainstream

[stratjakt]

Microsoft wont sweat, SourceSafe doesn't really compete with anything. It's just part of the Visual Studio package, which will sell for their IDEs and other features (.NET). I guess you can buy it seperately, I don't know who would though. It has nothing to do with Microsoft.

Re:Mainstream

[tricops]

It's not directly tied to the main CVS project, but what about TortoiseCVS? Of course, there's a subversion client of the same as well, TortoiseSVN.

Of course, even with the clients in a GUI form, it would still be nice to have a GUI tool for setting up and maintaining repositories as well.

Re:Mainstream

[TheRaven64]

The nicest version control GUI I have ever used is SCPlugin, which is a plugin for the OS X finder. It overlays a small icon in the corner of the icon of every file under version control indicating its status, and provides a context menu for performing SCM operations. There are still a few rough edges, but the integration with the finder really makes it a joy to use - SCM operations and standard file operations can be done in exactly the same way.

Re:Mainstream

[Xentax]

MS isn't going to sell only VSS forever, you know...check this out: Visual Studio Team System

Xentax

Re:Mainstream

[samjam]

With tortoise CVS I have found, the only additional training needed to get fair CVS use from team members is that merging clashes takes time and careful thought and can't be done automatically.

I highly recommend tortoise cvs - hey I use tortoise cvs under windows on a samba share from my colinux box (one day there will be linux CVS shell integration); and I use eclipse to edit the files.

Sam

Re:Mainstream

[Triumph+The+Insult+C]

tcvs (and i imagine tsvn) does exactly that. i've used tcvs for about 18 months now and it works great

Re:Mainstream

[Tenareth]

CVS ties into pretty much any programmers IDE/Editor out there, usually as part of the stock config.

Oh, you mean it should integrate with Microsoft's tools? Yeah, that'll happen...

Re:Mainstream

I much prefer wincvs over tortoisecvs. Too bad there's no svn version..?

Development has stagnated?

[tcopeland]

Hm. Well, maybe. There have been a couple releases this year, and the mailing list remains active.

I kind of feel that the torch is being passed on to Subversion, with no hard feelings between anyone. Lots of folks are converting over and most folks seem pretty happy with it. But CVS is still widely used and there are a bunch of of gurus who hang out on the list and answer questions.

Oh, and here's a mirror of various CVS releases if anyone needs them.

Re:Development has stagnated?

[ajs]

"Stagnant" development is probably as much of a red-herring as "security" in this context. Either problem is addressed with far less work by contributing updates to CVS. No, I suspect that CVS was replaced because of the fact that it is distributed under the GPL, and BSD people find that somehow distasteful.

Whatever. I'm past license wars, and the OpenBSD people can do whatever they like. Meanwhite, I'm off to learn subversion.

Re:Development has stagnated?

[Saeger]

Funny coincidence, but today I recieved a message from the Mambo CMS devs asking for community input on switching from CVS to Subversion:

Greetings,

We don't do this often, but it is time for a major decision to be made; and we need your input.

With the migration of MamboForge to the new server, we have the opportunity to change the source code management back-end from cvs to subversion.

Which one do you prefer? You can place your vote on the forums at:

http://forum.mamboserver.com/showthread.php ?t=24861

Regards,

The MamboForge Administration Team

The current poll results favor switching to Subversion by a wide margin.

Re:Development has stagnated?

Look, you posted the exact same shit the last time this was on /. and was told that it's not about licensing, it's about a critical tool (OpenBSD developers rely on CVS to get their job done) that's not secure enough. Do you understand that? If the replacement tool is being done by an OpenBSD developer, it's only natural that the chosen license is BSD.

Re:Development has stagnated?

[rwinston]

I don't think that CVS development has stagnated - in fact, I think there seems to have been quite an amount of activity on CVS development recently. Still, Suvbersion is gaining fast, and looks like it will be the de facto replacement for CVS (Wasn't it developed by some of the original CVS developers?)

Re:Development has stagnated?

[ajs]

you posted the exact same shit the last time

I did? Could you point to the previous post, please? I don't recall having posted to a previous Slashdot story about CVS.

Dupe :(

Again?

They must be really big on that open thing...

Two weeks ago

[essdodson]

Welcome to two weeks ago.

We need a new one?

[ajs]

Let me see if I understand this... there were some security problems with CVS as-is, so the OpenBSD folks did the right thing and reviewed the code, discovered any remaining problems and submitted... no, no it seems they instead wrote their own CVS.

Doh.

For those not familiar with the state of the world, this is going to mean a slower/longer transition to subversion (the logical successor to CVS), less interoperability between operating systems for developers and yet another tool that the OpenBSD people (who clearly did not have enough work to do already), to support. It will also mean that while they were clearly an interested party who was deriving benefits from a project and had expertise to contribute, they instead opted out and left the tool that had done so much for them to fend for itself.

What happened to OpenBSD? Wasn't it an actual member of the open source community at one point?

Oh well, as long as no one tries to make me use their mutant CVS, I'll be happy.

Re:We need a new one?

[MassacrE]

"Any remaining problems"?

You obviously are unfamiliar with the CVS dungpile, err.. codebase. For instance, there is no access provider mechanism - they copied and pasted the code from the filesystem tree to make the pserver tree, then nobody thought "hey, maybe this will be a maintainability problem later?"

There is also no application-level interface to CVS. CVS tools typically use regexp or other parsing techniques to invoke the CVS command-line and parse its contents.

If this causes a slower transition to Subversion, it will be because people don't need to run away from the existing CVS implementation screaming anymore. A good implementation of CVS will put the emphasis of subversion right where it should be - adding compelling features which will convince people to move to it.

As far as 'less interoperability between operating systems' is concerned, I do not see why this would be restricted to BSD systems, any more than openssh was.

Re:We need a new one?

"It will also mean that while they were clearly an interested party who was deriving benefits from a project and had expertise to contribute, they instead opted out and left the tool that had done so much for them to fend for itself."

Um, but this is -exactly- what the people who wrote subversion did. In fact, a lot of them were core CVS developers. They took a look at it, said it sucks and is going to be too hard to fix right, so let's start fresh. The only difference is subversion completely started fresh, breaking ALL compat, while the open team decided that they like CVS, so let's just rewrite the thing right.

Where's the problem in this?

Re:We need a new one?

[ajs]

So, to cut out the bile and name-calling, your concern is in two parts: the pserver mechanism is unmaintainable and there's no API.

Now, ask yourself which is harder: writing a new pserver layer and an API or re-writing the entire toolchain? What's more, which one hurts an existing open source project from which OpenBSD has derived untold benefit over many years?

I'm sorry, I just don't accept your "dungheap" metaphor as a valid reason for abandoning this tool when there are many tools which OpenBSD has contributed to fixing and/or adding features to.

Something rings hollow.

Re:We need a new one?

Let me see if I understand this... there were some security problems with CVS as-is, so the OpenBSD folks did the right thing and reviewed the code, discovered any remaining problems and submitted... no, no it seems they instead wrote their own CVS.

Actually, they did review the code, find the bugs, make patches for them, and submit the patches to the CVS crew. The CVS folks did the same thing Apache did, which was to ignore the patches. The OpenBSD people were in the same boat again. They had improvements to an existing project that the project wasn't accepting. They could've forked the CVS code, which was probably what they were going to do, but the existing CVS code turned out to be so bad that starting from scratch would've been easier than forking. In light of this, most of the rest of your comment is pointless to reply to, because it's based on information you didn't have before you shot off your mouth.

For those not familiar with the state of the world, this is going to mean a slower/longer transition to subversion (the logical successor to CVS), less interoperability between operating systems for developers and yet another tool that the OpenBSD people (who clearly did not have enough work to do already), to support.

Subversion isn't the logical successor to CVS. Subversion has a handful of issues that stand in the way of it becoming even a viable competitor to CVS, much less a successor, and that doesn't address the svn design issues.

OpenCVS is also compatible with CVS, except where CVS has design issues that affect security. For the most part, most people won't ever notice the difference, and the world is better for having OpenCVS around, especially when the original CVS group doesn't want to take security patches.

Finally, the OpenBSD developers are very experienced. It's likely that OpenCVS already has fewer bugs in it than the original CVS; furthermore, the code is cleaner than CVS's and will be far easier to maintain.

What happened to OpenBSD? Wasn't it an actual member of the open source community at one point?

OpenBSD is taking care of OpenBSD. If that methodology results in a better operating system than others, then there's something flawed with the other methodologies. It's not OpenBSD's problem if you don't like them.

Oh well, as long as no one tries to make me use their mutant CVS, I'll be happy.

I'll bet that within two years, you'll be using OpenCVS with 95% exclusivity because it's a better, more secure, more stable product. It's not a good thing to rail against software projects in their infancy, because you don't know where your needs will be in time. Nobody will blame you later on for using OpenCVS.

Lastly, I'm putting an OpenCVSup on my Christmas list. It would be outstanding to not have to choose between installing a binary package and installing a Modula-3 compiler.

Re:We need a new one?

[Geekboy(Wizard)]

Stop being stupid. OpenCVS is designed to be a drop in replacement. It will always work with GNU cvs, so you can use either the OpenCVS client with the GNU cvs server, or the GNU cvs client with the OpenCVS server.

Re:We need a new one?

Dude, you're a complete retard. This is not an extended CVS, is a replacement because the current one cannot be maintained. The code is a royal mess, it's impossible to audit that source without losing your sanity. So stop bitching about it, and don't even dare tell OpenBSD developers what they should do with their free time.

Re:We need a new one?

[Azul]

You know, this is precissely how OpenBSD was born. Theo de Raadt was contributing to NetBSD until the NetBSD core decided to remove his write privileges from its sources. Theo, upset, decided to fork and start OpenBSD.

Originally, it had nothing to do with security, but rather with "openness" (from Theo's point of view, after he was kicked out). I suppose it would be called SecureBSD had security been the reason Theo started working on it.

You can find out more about this straight from the horse's mouth.

So, I suppose, forking established projects due to disagreements such as these is nothing new for the OpenBSD people.

Re:We need a new one?

i don't think openbsd particularlly like the GPL

so given a choice between major changes which would leave a better app but still under the GPL and reimplimenting under theier own terms they choose the latter

why bother?

[vsync64]

This is silly. Subversion already exists.

Re:why bother?

[Trejkaz]

Subversion can't access CVS repositories, which is probably important for fools who still use CVS.

The best part

[ZorbaTHut]

isn't just the fact that it's a dupe.

It's that the posted link, to the article that this is a dupe of, is a link into the admin interface. For the curious, right now it's https://slashdot.org/admin.pl?op=edit&sid=04/12/15 /1936218 - I imagine this will be changed once the admins notice . . . well, probably.

Re:The best part

Simply explanation: Timothy

In related news...

Theo has revealed that OpenCC, OpenLibC and OpenLinux are still some way off, OpenHTTPD is making good progress however as a fork of the popular Apache web server. Oh, and DARPA suck!

Re:In related news...

[upsidedown_duck]

The OpenBSD folks would re-implement GCC in a heartbeat, if they could afford the man-years to do so.

Re:In related news...

Heartbeat ... man-years ... would these be portable-heartbeat and portable-man-years or OBSD specific?

Re:In related news...

[bluGill]

Hmm.... OpenCC is the only one of those that does not exist and fully functional today. LibC is, and always has been a part of OpenBSD. Linux is a kernel that looks a lot like Unix, so is the OpenBSD kernel. There is even a linux compatibility mode for your linux apps.

Re:In related news...

[Hyksos]

OpenGCC... it doesn't even compile security weaknesses!

Re:In related news...

[upsidedown_duck]

Funny mod day, huh? I've actually seen OpenBSD people discuss a real desire to replace GCC (GCC is not under a BSD license). Man-years was not at all an understatement.

Re:In related news...

[uid8472]

Laugh all you want, but there was a halfway serious effort at one point to see what it would take to get the Plan9 C toolchain (which is vastly simpler than GCC, although ISTR it doesn't support all of ANSI C) released under a BSD-compatible license. I think the motivation was a combination of GCC's GPL-ness and its size/complexity.

They'll get my patronage if...

[Old+Wolf]

...they enable tag/update/diff/etc. by date on a branch, add a special tag like HEAD but for a given branch, and keep track of when branches have merged so that you can actually keep 2 slightly different versions in sync.

Re:They'll get my patronage if...

[jdh28]

..they enable tag/update/diff/etc. by date on a branch, add a special tag like HEAD but for a given branch, and keep track of when branches have merged so that you can actually keep 2 slightly different versions in sync.

CVSNT is an actively developed, native port of CVS to Windows, but which also runs on Linux, that implements at least the first and third points here. I'm not sure what you mean by the second.

john

Reason for the stagnation

[phr1]

I can't resist: Netcraft confirms it, CVS is dead.

More seriously, CVS sucks. Efforts spent reimplementing it are better spent replacing it (Subversion, Arch, Darcs, whatever).

subversion?

[Roadmaster]

I like subversion. why don't they? I found it easy to install the server, and the client is easier to use than cvs.

Re:subversion?

[TheRaven64]

Because a lot of existing infrastructure still uses CVS? In the long term, transitioning this to SVN is a good idea, and I certainly wouldn't recommend that a new project use CVS. In the mean time, however, I think the OpenBSD people feel that it would be nice to have a CVS implementation that was secure and maintainable.

Re:subversion?

[upsidedown_duck]

why don't they?

I don't care for Subversion because it is immature. I also find their ideas about a whole slew of different database backends will be a source of endless problems (who'd ever thunk that XYZ had endianness issues or that QRS can't talk to ABC). Subversion is certainly very neat, but I'd still consider commercial VC software if my business depended on having really good VC in a project.

Re:subversion?

"I found it easy to install the server,"

Well, using CLA-2004:883 and other
exploits for subversion, I also found
it easy to install on your computer. ;)

Ok, so you missed the point of the article,
so I gotta bust out the caps on you:

SUBVERSION AND CVS ARE INSECURE

That's by the openbsd group is rewriting them.

They and they alone are trusted with the
open source version of ssh. (Yes, there's
a GNU variant that barely works, and it's
insecure...)

Re:subversion?

[Doomdark]

I don't care for Subversion because it is immature.

Hmmh? Care to elaborate how is it immature? (it went to 1.0 a while ago; and I haven't seen too many problems being reported).

a whole slew of different database backends will be a source of endless problems

Well... designing modular systems make sense, and also allow for more optimal systems for specific needs. Sometimes it's useful to have simple file system based repository (easier to debug, do low-tech integration, etc), DB-based one may be more efficient, or allow more advanced integration etc. etc. And theoretically it could also allow for some level of distribution, at least on backend side, if storage space requirements are huge.

And if modularity makes sense, it's reasonable to implement 2 different backends, to make sure the interface between components is general enough, to allow for more implementations... this all assuming there are real benefits, and that no single backend is best for most common situations.

Re:subversion?

[dnf]

CLA-2004:883 was fixed as of Subversion 1.0.8, released on 22-Sep-2004. http://svn.collab.net/repos/svn/trunk/CHANGES

If you are using a version earlier than 1.0.8, you should certainly upgrade. You should be keeping track of securify fixes for any product you use on a regular basis, of course.

Re:subversion?

[upsidedown_duck]

Care to elaborate how is it immature?

Subversion is far enough along to be useful to some people, but I'm not sure if I would put a very large amount of money on the line with it. I've seen way to many new fashionable tools get adopted by overly-optimistic people only to have them come back and bite them hard. Additional layers of abstraction obscuring troubleshooting, new cure-all frameworks obscuring troubleshooting, ambitious roadmaps that will probably never be implemented, etc. are all the hallmarks of young tools that are barely out of puberty, yet. Subversion has some of these qualities.

Also, such tools are a dime a dozen. How many free alternatives to CVS have come out in past few years? At least three. Most are merely academic exercises, some a little bit more than that, none have withstood the test of time, yet. If I set up a Subversion repository, now, will it still be useful in five years? Will there be clear migration paths during upgrades? Will one of the other upstarts eclipse Subversion in the fashion shows next year? Who knows? All Subversion is, right now, is a bandwagon to me.

Re:subversion?

Writing proactively secure software to ensure that there are fewer exploits is much better than sticking your head in the sand, writing garbage code, and then trying to fix the exploitable flaws when you find out about them, often after many people have already been hit by them.

Re:subversion?

[Zaiff+Urgulbunger]

You're right to be cautious, but Subversion has been officially stable for a number of years now. If the benefits don't justify making a change right now, then I wouldn't bother, but if you're starting a new project, its worth considering.

Also, such tools are a dime a dozen. How many free alternatives to CVS have come out in past few years? At least three. Most are merely academic exercises, some a little bit more than that, none have withstood the test of time, yet. If I set up a Subversion repository, now, will it still be useful in five years? Will there be clear migration paths during upgrades? Will one of the other upstarts eclipse Subversion in the fashion shows next year? Who knows? All Subversion is, right now, is a bandwagon to me.

Who knows. If we're really lucky then yes there will be something even better! But even if there were, you'd still be allowed to stick with your crusty old version of Subversion then, as much as you can stick with CVS (or whatever) now.

I do take your point though, but there does appear to be a fair bit of genuine support for Subversion right now, as opposed to a lot of hype driven support. Its that constant hum of activity that made me feel comfortable enough to start using SVN -- without that, I'd have played safe and I'd be using CVS now.

Re:subversion?

[dnf]

I agree.

How do you know the neon library maintainers didn't do just what you suggest, but being human, still managed to make mistakes? Are you arguing against the use of libraries that you yourself don't write? You know OpenOffice uses neon, right? Are you saying that the OpenOffice developers are idiots because they also use neon?

As long as people write software, no matter how good they are, no matter what OS they write for, there will always be security flaws. To assume otherwise is folly.

But the original argument was: CLA-2004:883 is a reason not to use Subversion. I just pointed out that it is in fact a very good reason not to use an older version of Subversion... it's not a specific argument against Subversion itself.

You statement, on the other hand, is a basic ad hominem fallacy ( http://www.datanation.com/fallacies/attack.htm ) , and doesn't really refute anything.

Re:subversion?

[aled]

Subversion is modular, has 2 backend and many client protocols that are all used in different projects because there are needs to each one. With mainly good results, some with projects of many gigabytes. Pointers at http://subversion.tigris.org/propaganda.html.
The n you prejudice without any concrete evidence, without other knowledge than that is "new" and is somehow obscure because of layers, abstractions and framworks. But again without any concrete evidence.
If you think I'm wrong please give some real facts, for example: point to the framework that you think is over-abstract.

Re:subversion?

[mirabilos]

OpenBSD was going to transition to OpenCM long-term.
The bad news is that it uses boehm-gc, requires
6 to 8 GB of RAM and development stalled.

So, I think, they'll stick to (Open)CVS for
at least another 10 years. Might be a good thing.

Re:subversion?

[Doomdark]

I agree it's good to be sceptical about new things, and I certainly could do my own ranting about excessive framework oriented mind sets (excessive abstraction is a sign of someone that just barely passed initial bump of learning, but not yet matured to true expert), but it seems to be you are basing your reservations on "this is how these things are in general" as opposed to following up on this specific tool's progress. And if so it's bit unfair to group it generically, without considering it on its OWN merits.

In case of Subversion, I see it as a rather pragmatic project and tool (after all, it does NOT try to solve all problems for everyone, OR even try some complete different way to solve the basic SCM problems -- it's "only" improving on tried mechanisms). And although there are obviously ambitious goals, none of those are fundamental enough that missing the goal would jeopardize usability or future of the tool.

For what it's worth, I have started 2 new projects with Subversion, and so far I'm happy with it (neither really business critical -- for those I'd get someone else to do it for me). But I'm not really an SCM power user, so it's just for basic versioning and concurrent development needs, not a culture of its own (like some projects apparently use such tools -- the Mono use case was frightening in this aspect).

People are still using CVS?

[codepuke]

Even Linus doesn't use it.

IMHO there are much better alternatives out there. I use Subversion at home and Perforce (definitely worth the cost) at work and I'll never go back. Source control without atomic commits really isn't much control at all...

Re:People are still using CVS?

[LurkerXXX]

http://www.internet-security.ca/internet-security- news-005/security-flaws-discovered-in-open-source- databases.html

Subversion isn't a better alternative to OpenBSD folks. It's got security holes in it too.

Re:People are still using CVS?

[Zaiff+Urgulbunger]

As has been mentioned previously, this bug has been fixed. So if you're running an out of date version, then yes it has security flaws. And if your running an up-to-date version, then... well, it certainly has one less security flaw and is to all intents and purposes, as secure as anything else!

Re:People are still using CVS?

"Even Linus doesn't use it?" He never used it.

On the other hand, large projects such as GCC and all of the *BSDs do use it, have used it for quite a while and it works quite well for them.

Standard Disclaimer

[Ann+Elk]

This project was mentioned briefly the other day, too.

Maybe this disclaimer should appear at the end of every article summary...

Great. Just what we need...

[doppleganger871]

...another 24-hour pharmacy.

Incompatible or Insecure Design

The Subversion project tries to be a better CVS by redefining some of the concepts that it believes CVS got wrong (e.g. versioning at the file level rather than the repository level)

In doing so, they made it impossible to write a simple "drop-in" replacement to CVS with SVN because it changed fundamental API's.

If CVS is conceptually insecure in its design (rather than just its implementation) it seems the same issues will arise that make OpenCVS either an "insecurely designed drop in implementation" or a "securely designed incompatible replacement".

Why bother? Why not work with addressing the security design problems with Arch or SVN?

What a useless piece of...

[ttfkam]

They take what amounts to a standard set of hacks on top of RCS. Then they make a port of it with a BSD license. Then... we're supposed to believe this is a good thing?

Subversion and arch would be better models wouldn't they? Hell, subversion has an Apache-style license to it. Closer to BSD than GNU CVS's GPL *and* Subversion is better than CVS right now.

I'm more than grateful to the OpenBSD project for their work on free firewall implementations, openssl, openssh, etc. But enough's enough. CVS? Aim a little fucking higher guys!

Re:What a useless piece of...

[Nimrangul]

OpenSSL is in no way related to OpenBSD. They are completely unrelated.

Re:What a useless piece of...

Maybe you won't use it, but I will. I've been managing my code with RCS for some time now (which is easy because I'm the only coder in this shop right now) and I've been thinking about switching to another system to set things up for the future, when others arrive. However, I'm well aware of the flaws of CVS and that's why I never put much effort into learning it. So I'm very, very happy they're fixing CVS once and for all.
BTW, there's lots of projects out there that still use CVS despite its flaws, because it's easier to say "use something better" than spend all the time converting huge codebases, especially if you want to keep the revision history intact. So kudos to OpenBSD for once again saving the day, when others would just as well say "sorry pal you gotta upgrade, c-ya and wouldn't wanna be ya".

Re:What a useless piece of...

[Simon+Lyngshede]

No one is forcing you to think that OpenCVS is a good thing, in fact, Im pretty sure that the OpenBSD developers don't care about what you think.

If they like CVS, but not the GNU implementation, why shouldn't they write a new implementation?

I can't believe the number of people who think they are suppose to tell the OpenBSD developers what to do. If you don't like what they are doing, that's your problem. The developers can do what ever they want and right now they want OpenCVS, not Subversion, not Arch and not GNUs cvs implementation.

If you know better, you can do the work yourself.

Re:What a useless piece of...

[ttfkam]

1. The conversion from RCS to CVS is not necessarily seamless.
2. As Subversion whole reason for existence is to "fix CVS once and for all", there are migration tools to switch with.

The Apache Software Foundation has been steadily moving their revision control to Subversion and they have a *huge* amount of code. No one is suggesting you scrap everything you've got and starting over from scratch.

Re:What a useless piece of...

[ttfkam]

And no one is trying to force them into caring what I think. I simply stated my opinion: it's a waste of time to reinvent an obsolete wheel. Take the advice or don't. That has no bearing on me airing my opinion.

Re:What a useless piece of...

For me it'll be seamless. I know RCS backwards and forwards, inside and out.
But that wasn't really my point. I'm sure the new CVS will be greatly appreciated by those who don't have the time to:
1. learn a new software, and redo all their scripts and build system, find GUI front-ends, and all the associated mess this entails
2. spend time converting a largish codebase, then keeping the old one around because hey, shit happens (and the admin who implicitely trusts the new system is a fool or a newbie)
Apache and some opensource projects can afford to do it, but let's see how many businesses are willing to throw away valuable time. Hell, most companies are already behind schedule on most of their projets anyway. It's always been like that, time always gets you and if something works, even just barely (but good enough) then your ass will get reamed for fixing shit that ain't broke.

Finally...

[fimbulvetr]

CVS and subversion are plauged with security vulnerabilities. I was beginning to wonder if it was ever going to stablize like apache 1.3.

I'm extremely happy to see that the open(bsd) team is doing what it's best at.

Re:Finally...

"CVS and subversion are plauged with security vulnerabilities. I was beginning to wonder if it was ever going to stablize like apache 1.3."

Um. You do realize you can run subversion under Apache, so that subversion security == Apache security. Right?

Re:Finally...

[fimbulvetr]

You do realize you can run subversion under Apache, so that subversion security == Apache security. Right?

Yes, of course I realize. Additionally, I realize that your statement is blatently incorrect.
Subversion security != Apache Security

First, I referenced apache 1.3.x, afaik, subversion only runs under 2.
Secondly, subversion *CAN* run under apache, but it can also run standalone.

Subversion is not secure, and running under apache does not make it secure. If anything, it makes apache much more insecure.

Elegy for *BSD

Elegy For *BSD

I am a *BSD user
and I try hard to be brave
That is a tall order
*BSD's foot is in the grave.

I tap at my toy keyboard
and whistle a happy tune
but keeping happy's so hard,
*BSD died so soon.

Each day I wake and softly sob
Nightfall finds me crying
Not only am I a zit faced slob
but *BSD is dying.

OpenNTP problems

[andrel]

I hope they do a better job with CVS then when they botched implementing NTP

Re:OpenNTP problems

Funny how Brad removes all comments to his post that aren't somehow favorable to his point of view. I know that I posted a response that refutes his claims, and there were others that did the same.

The big problem with Brad's opinion on OpenNTPD is that he fails to grasp the concept that it was designed to be a _lightweight_ replacement that did basic time syncronization and never claimed to implement every nuance of the ntp protocol. Also, it was/is a very new price of software when he wrote that article and neglected to consider that it wasn't fully mature yet (which noone claimed it was).

I'm not a fan of Dan Bernstein, but he had it right when he said Brad was a slanderous/libelous jerk.

Re:OpenNTP problems

I wrote the initial NTP implementation that OpenNTPD is based on, and was hacking on it until I decided the OpenBSD developers weren't worth my time; and I agree with all of the technical points that Brad made.

-- Alexander Guy

Re:OpenNTP problems

Brad Knowles Considered Harmful

You may not know this but I, AC, sometimes use my position as an anally retentive little pedant to voice unpopular opinions on slashdot.org. What I don't feel the need to do is set up my own whining weblog. Feel free to ignore or censor me since nobody@example.org is not my real email address, and hey I'll come clean; my real name is not "Anonymous Coward" either.

Re:OpenNTP problems

[LurkerXXX]

And in response:

http://www.ie.openbsd.org/faq/faq6.html#OpenNTPD

Re:OpenNTP problems

Brad Knowles is as big an asshole as Dag-Erling Smorgrav, if not more. Don't take anything he writes seriously.

--
HawkinsOS, fuck Smorgrav in the ass.

Re:OpenNTP problems

I wrote linux, until I decided that Linus guy wasn't worth my time, and I agree with all of the technical points SCO made.

--Darl McBride

Re:OpenNTP problems

Yeah, too bad they botched it by making it just work, instead of being a stupid pain in the ass that randomly stops working and constantly needs to be monitored so it doesn't mess up your clock. I have very little to do, and need stuff like ntpd breaking to fill my day.

Re:OpenNTP problems

[manifest37]

Here is a link to read:

http://www.openntpd.org/goals.html

Re:OpenNTP problems

Fuck that money bullshit. It's all a front. Your soul is mine.
--Satan

Re:OpenNTP problems

[shub]

Whereas I post with my own slashdot account, and don't try to hide behind an AC.

I have said that I would remove all comments in my blog which are posted with bogus e-mail addresses, and I have done that. What you haven't seen is the comments in my blog which were favourable to my view, but which were also posted with bogus e-mail addresses, and which were also deleted. I will continue my policy regarding the deletion of comments posted to my blog which have bogus e-mail addresses, and if someone wants to post a rebuttal comment with a valid e-mail address, then I will leave it.

I have no problem with the creation of a "lightweight" time server, but the problem is that the NTPv3 and NTPv4 protocols are, by their very nature, quite heavy -- you simply cannot escape that fact. If you want something "lightweight", then you have to give up NTPv3 and/or NTPv4, and instead go with SNTP.

Please note that there is a "lightweight" SNTP server included in the "Reference Implementation" tarball, known as "msntp". This is the same SNTP server as used on m0n0wall. If you want a lightweight SNTP server implementation, you should check it out.

The real problem is that the PR/marketing campaign by Theo and Henning has been that OpenNTPd is a complete fully functional replacement for the Reference Implementation, which even casual inspection shows to be patently false. Now, if they wanted to change the name of the project to OpenSNTPd and change the PR/marketing to match, I wouldn't have a leg to stand on. I challenge Theo or Henning to do this. At least, they'd be able to make me shut up.

With regards to my blog on OpenNTPd, I contacted Henning, and had several conversations with him regarding the project and where he saw things going. I tried very, very hard to give them every possible benefit of the doubt. When it became clear that he and Theo considered the project to be essentially finished (at what I would consider the 0.0.1 stage), and they were already looking for other things to work on, that's when I took the material I had been working on for a long time, and did a final "publication" of it.

I tried very, very hard to be as objective as possible, and to do everything I could to avoid flame wars, while still keeping what I considered to be constructive criticism. Needless to say, I've been underwhelmed by some of the responses, especially from some of the slashdot crowd.

Meanwhile, if people want to check out "slander" or "libel", try asking yourself why something qualifies under these terms when I say it, but qualifies as "fact" when Dan says the exact same thing. There's someone using a double-standard here, but it's not me.

Re:OpenNTP problems

Nobody cares if you shutup or not, you've proven yourself time and again to be not only clueless, but also a liar, who likes to attack anyone who does anything you percieve as threatening. Your bullshit about qmail and djbdns is plenty enough to make anyone think twice before believing anything you say.

Re:OpenNTP problems

Doesn't answer the security questions of authentication and spoofing. (which seems really bad expecially coming from OpenBSD)

Re:OpenNTP problems

[Goo.cc]

The problem with that guy's complaint is that OpenNTP isn't designed to be a fully featured NTP client; it just provides a majority of the features that a majority of users use. For those that need the full functionality of the classic NTP program, they can get the previous version from OpenBSD ports.

Re:OpenNTP problems

[LurkerXXX]

True. However they note under the goals of the project that some folks don't run NTPD at all because it is difficult to set up, uses quite a bit of memory, and their machines are often hugely off correct time because of this. OpenNTP gives those folks an easy way to run it on their system.

The other big thing is it is easily auditable whereas NTPD isn't. OpenBSD guys seem to be big into auditing code. They've often cleaned up 'dirty' code, and ended up being immune to security holes that were only later identified in those apps run on other OS's. They might figure the possibility of a spoofing problem ( and ending up with time being off because of that ) might be better than a potential unseen security hole letting the bad guys get root access.

Hmm...

[which+way+is+up]

No thanks, I prefer visual source safe.

Re:Hmm...

[stratjakt]

Funny how you're a troll but everyone making the exact same statement about subversion is +5: insightful!

I prefer VSS too. It works and I dont have to futz around on a command line.

Re:Hmm...

why is parent modded troll, because he goes against group think? come on mods. Show some independent thought.

Re:Hmm...

Independent thought? On Slashdot???? HAHAHAHAHAHA!!!!!

Re:Hmm...

[which+way+is+up]

I hate to reply to my own post, but others on here have stated their preference for one version of VC over another. Yet I'm modded down? Not sure I understand, Surely I can't be the only one here who uses Visual Source Safe?

Re:Hmm...

[Tenareth]

VSS is fine for small projects, but having a global distributed repository is not exactly it's thing. Which, btw is the whole point of this article.

Re:Hmm...

[Tenareth]

Because VSS isn't anything like CVS of Subversion, or even PVCS (that hunk of trash) for that matter.

It's a mid-size project type tool that is not designed for global teams to use. This entire article is about replacing CVS because of it's Security deficits...

VSS isn't in the same league.

and Arch, and BitKeeper, Aegis, SVK

[noblesse+oblige]

And the GNU people have run to Arch with the usual zealot flair. A good comparison can be found here.

"Compatible"

[upsidedown_duck]

I guess that means it still sucks compared to 95% of VC systems out there (the remaining 5% being RCS and nightly backups).

Re:"Compatible"

[anarxia]

Don't forget SourceSafe :)

It's time for the Daily Puzzler

Today's Puzzler asks you to discover what the following four items have in common:

1. Laci Peterson
2. Lori Hacking
3. Nicole Simpson
4. BSD

Submit your response along with a stamped self-addressed envelope.
See contest rules for details. Void where prohibited.

Re:It's time for the Daily Puzzler

[Nimrangul]

I would like to just submit that I find your post to be highly distasteful. I cannot find there anything funny about the brutal murder of those woman by their husbands.

Your implied corilation of death is not only of poor taste but suprisingly cold-hearted.

Berkley db?

[oliverthered]

1: install subversion
2: upgrabe berkley db
3: pannic. (or svn recover, or db ... recover)

I've also had no end of trouble setting the permissions to 660 U:root G:subversion without the database corrupting.

Re:Berkley db?

[ishmalius]

This is no longer a necessity. There is a filesystem-oriented repository format now. We have been using it for over a month now with no problems.

Re:Berkley db?

[oliverthered]

I'm sorry, you made me laugh uncontrolably.
Anyhow, thats great news.

1: How do I convery my existing system? Any chance of a link.

2:
It's easy for me to backup, and if I loose a couple of revisions that's ok but 'no longer a necessity' and 'over a month with no problems' gave me a bit of a chuckle...

what version of subversion, and how long has it been in release?
I'll switch to it at home so that it get's a bit more testing (so long as it's out of alhpa), then maybe I can recomend it at work at a leter point in time.

Re:Berkley db?

[chuck]

1: How do I convery my existing system? Any chance of a link.

Read the Subversion Book

Note the "svn dump" and "svn load" commands. "dump" will serialize your database into a text representation. Then reconfigure your server, and use "load" to incorporate all the data into your new database.

Re:Berkley db?

[flink]

I've also had no end of trouble setting the permissions to 660 U:root G:subversion without the database corrupting.

This is actually very simple to fix, although you do have to be careful setting things up. Just make your db directory look like this:

[svn@lynx ~/ec-svn]$ ls -la repo/db
total 442800
drwxrwsr-x 2 svn svn 4096 Dec 15 17:55 .
drwxrwsr-x 7 svn svn 4096 Feb 27 2004 ..
-rw-rw-r-- 1 svn svn 8634368 Dec 15 17:55 changes
-rw-rw-r-- 1 svn svn 1032192 Dec 15 17:55 copies
-rw-rw-r-- 1 svn svn 8192 Dec 13 15:25 __db.001
-rw-rw-r-- 1 svn svn 270336 Dec 13 15:25 __db.002
...

Note the SGID bits on the directories. Now all you have to do is follow a few simple rules:

1. All processes accessing the db must be in the svn group.
2. All processes accessing the db must be using a umask of 002.
3. All interactive maintenance must be done via the svn account and not as root.

I have been running a repo at my company for over a year (since v0.33, 11/03) and the only wedges I've had is when I forgot and broke rules 2 or 3. These were all recoverable by fixing the permissions and running svnadmin recover.

As for backups, I have my post-commit script do an incremental dump of the committed revision in the background. A cron script does a nightly cumulative dump of the entire repo.

Re:Berkley db?

[oliverthered]

Yep, that's kinda what I've got(now).

The problem was that the database kept getting trashed.

Re:Berkley db?

[egoots]

what version of subversion, and how long has it been in release?

The file based backend (termed FSFS) came out in version 1.1.0 which was released on Sep 29, 2004. Since then, a minor bug fix maintenance release V1.1.1 has been released on Oct 22, 2004.

You can see the complete release history at the following web page: http://subversion.tigris.org/project_status.html

Re:Berkley db?

To save anyone else poking around....

The file based backend (termed FSFS) came out in version 1.1.0 which was released on Sep 29, 2004. Since then, a minor bug fix maintenance release V1.1.1 has been released on Oct 22, 2004.

Subversion 1.1 Release Notes

(and State of the Project)

--snip--

Non-database repositories (new server feature)

It's now possible to create repositories that don't use a BerkeleyDB database. Instead, these new repositories store data in the ordinary filesystem. Because Subversion developers often refer to the repository as "The Filesystem", we have adopted the rather confusing habit of referring to these new repositories as "fsfs" repositories... that is, a Filesystem implementation that uses the OS filesystem to store data.

Note that the data files created by fsfs repositories are still in a binary format, and are not human editable!

Why would someone choose an fsfs repository over BerkeleyDB? The immediate and obvious advantages are the ability to access a repository over a network filesystem, and no more database "wedges" needing recovery. You can read the
full list of advantages/disadvantages at http://web.mit.edu/ghudson/info/fsfs

To create an fsfs repository, simply run 'svnadmin create --fs-type fsfs'. Or, if BerkeleyDB wasn't detected at compile time, 'svnadmin create' will default to type fsfs.

--snip--

run then svn dump command which will serialize your database into a text representation.

Run svn create --fs-type fsfs

and usesvn load to incorporate all the data into your new database.

Re:Berkley db?

It's easy for me to backup, and if I loose a couple of revisions

"back up" ("backup" is a noun), "lose".

it get's a bit

"gets".

Also, some typos ("convery", "alhpa", "recomend", "leter", etc.).

Re:Berkley db?

Well done, you now get a job being a junior secutary for George Bush have a very nice day.

Who needs it?

[Macrobat]

I just use the Open~ project to make backups whenever I edit a file.

Apropos of nothing...

my phone just rang.

There's already a better CVS...

[cduffy]

...and I'm not just talking SVN (which is quite successful at its "better CVS" goal, though I prefer Arch with its "better revision system" intent): CVSNT

Why it's so rarely used (with the exception of being packaged with the major CVS client GUIs on Windows), and why so few Linux distributions package it, has always been a mystery to me.

Re:There's already a better CVS...

Umm, because CVSNT runs on Windows. Yes, there is a linux port, but it has no benefits over stock CVS. Also, CVSNT is a bitch to install.

Re:There's already a better CVS...

[cduffy]

Yes, there is a linux port, but it has no benefits over stock CVS.

Bullshit. CVSNT has a better security model and more features (BranchPoint, SSL support, etc) than stock CVS, on any platform.

Requiem for the FUD

[AgainstFUD]

... facts are facts. ;)

FreeBSD:
FreeBSD, Stealth-Growth Open Source Project (Jun 2004)
"FreeBSD has dramatically increased its market penetration over the last year."
Nearly 2.5 Million Active Sites running FreeBSD (Jun 2004)
"[FreeBSD] has a secured a strong foothold with the hosting community and continues to grow, gaining over a million hostnames and half a million active sites since July 2003."
What's New in the FreeBSD Network Stack (Sep 2004)
"FreeBSD can now route 1Mpps on a 2.8GHz Xeon whilst Linux can't do much more than 100kpps."

NetBSD:
NetBSD sets Internet2 Land Speed World Record (May 2004)
NetBSD again sets Internet2 Land Speed World Record (30 Sep 2004)

OpenBSD:
OpenBSD Widens Its Scope (Nov 2004)
Review: OpenBSD 3.6 shows steady improvement (Nov 2004)

*BSD in general:
Deep study: The world's safest computing environment (Nov 2004)
"The world's safest and most secure 24/7 online computing environment - operating system plus applications - is proving to be the Open Source platform of BSD (Berkeley Software Distribution) and the Mac OS X based on Darwin."
..and last but not least, we have the cutest mascot as well - undisputedly. ;)

--
Being able to read *other people's* source code is a nice thing, not a 'fundamental freedom'.

Lots of reasons...

[emil]

I am not a fanatic about BSD vs. GPL, but let me count the ways...

1. Anything under BSD license is much more free than GPL free software. Hey, it doesn't change my life much, but there are a lot of people who care about this. More BSD free software is good for everybody.
2. Is it your right to ask OpenBSD developers to GPL their code, when they would prefer to apply a BSD license to it? It certainly isn't mine.
3. It is unlikely that the current CVS uses strlcpy/strlcat. Would retrofitting this functionality be accepted by the CVS people, especially as the GNU libc people have already rejected it? (Boy, that was a great step forward in security there.)

OpenBSD has been slowly stripping/replacing GPL software wherever they can. Recent fatalities include gzip and gawk. It's their distribution, and they can do what they want.

But I for one am glad for OpenBSD. It fits me like a glove. I just wish that Microsoft couldn't copy so much of it.

Re:Lots of reasons...

[ajs]

"I am not a fanatic about BSD vs. GPL"

You wrote a BSD vs GPL flame in response to a post which mentioned neither. That is pretty much exactly my definition of a BSD vs. GPL fanatic.

Licenses are fascinating bits of legal hackery, but when it comes to software, one should never be so distracted by such toys that one forgets that the software and the community built around that software is the real value.

Re:Lots of reasons...

[Nimrangul]

That is the most sound reason to leave everything under the BSD or public domain I have ever seen.

Noone cares though, many people do not want a company to take something they worked on and make money off of it without them getting their piece. Many more just don't want a company making money off their work.

Re:Lots of reasons...

No, gawk is not a recent fatality, none of the BSDs have used gawk in years. Second, this has nothing to do with license, so most of your post is just stupid. Third, why do you care if microsoft starts making less shitty products because of openbsd? That sounds like it would be a good thing to me.

Re:Lots of reasons...

[Eric+Smith]

Is it your right to ask OpenBSD developers to GPL their code, when they would prefer to apply a BSD license to it?

Yes, I do have the right to ask that. Just as the OpenBSD developers have the right to ignore me and release it under whatever license they prefer.

It certainly isn't mine.

Maybe you should move to a country where you have the right to free speech?

Re:LOL OMG WTF

Hah! This is hilarious if you've ever been required to play a video that's been encapsulated in Matroska. It's similar to the Ogg encapsulation format, but less well supported in practically every player that exists. I had to upgrade mplayer just to handle the .mkv, and there were a handful of extra libraries it needed to do that. All in all, I ended up recompiling the new mplayer three times (this is on LFS) to get it to work.

Borked link

[Hel+Toupee]

The link to the OpenBGPD site is wrong. A simple investigation reveals that the poster posted the site as www.openbDbd.org. "Slashdot editors" seems to be and oxymoron....

Re:Borked link

[Ndiin]

"Slashdot editors" seems to be and oxymoron....

Hint: Don't make typos when complaining about typos.

Excellent news!

[Eric+Smith]

Now there's finally a basis for development of proprietary closed-source derivatives of CVS. GPL'd software sucks, because there's no way for Microsoft to lock consumers into proprietary derivatives.

Borked Link

[Hel+Toupee]

The link to the OpenBGPD site is wrong. The poster wrote it as www.openbDpd.org. "Slashdot editors" seems to be an oxymoron....

Forget the BSD license

[stratjakt]

When will someone create a GPLed replacement for this OpenCVS thing?

Some actual facts

[AgainstFUD]

http://bsd.slashdot.org/comments.pl?sid=131228&cid =10982290

Re:Some actual facts

Congratulations! Your multiple posting of the same comment succeeds in associating the entire BSD community with spammers.

The difference being that spammers should be dead, whereas BSD already is.

If it's Wednesday, and it is Timothy

It must be a dupe. Why do I waste my time????

Some actual facts

[AgainstFUD]

http://bsd.slashdot.org/comments.pl?sid=131228&cid =10982290

Coping with Death

Of course you mourn the demise of *BSD. It's only natural. Dealing with the death of an operating system close to you can be one of the most traumatic experiences of your life, and you're bound to go through a range of emotions. While you may be able to work through those feelings on your own, it's often helpful to talk to a friend, a family member, or a counselor. You might also seek out a support group for people who are grieving.

Grieving is a process, and it's totally normal to go through feelings of shock, sadness, anger even guilt. The healing process is different for everyone. It might take you six weeks to move on, or it might take you six years. Don't beat yourself up because you're not "over it" yet. It takes time to heal wounds.

So what else can you do to feel better? It might sound corny, but try writing a letter, making a collage, or planting a tree in memory of the operating system you've lost. Remembering and celebrating all the good things *BSD brought to your life might help give you some closure, and having a keepsake to honor *BSD may help you get through some tough times in the future when you'll be missing it.

It's true that life won't be the same without *BSD around. It may seem like you'll never feel better, but eventually you will. Take some comfort in the old saying, "Time heals all wounds," and remember that *BSD will always be with you in your heart.

Some actual facts

[AgainstFUD]

http://bsd.slashdot.org/comments.pl?sid=131228&cid =10982290

Some actual facts

[AgainstFUD]

http://bsd.slashdot.org/comments.pl?sid=131228&cid =10982290

You completely ignore security.

[emil]

Face it, the GNU toolchain will never be as secure as OpenBSD. Yes, you have Openwall, PaX, and SELinux floating around, but what major distribution uses them right now? W^X was released in 3.3.

Theo & Co. have had a number of good security patches rejected by various GPL maintainers (and yes, some have been accepted). However, can you blame them for jumping the gun on a CVS replacement? It's core to the OS.

OpenBSD is developed for a variety of reasons, some which I agree with entirely, and some that give me pause (I just read criticism of OpenNTPd that makes me want to turn it off). I also wish that certain players in the industry could be bound by the GPL when working with OpenBSD code, but this is not to be.

OpenBSD is developed and licensed for Theo's reasons. I use it for my reasons. If you don't like it, don't use it. Should people not be free to do what they want with their time?

Who made you God?

Re:You completely ignore security.

[Michael+Wardle]

Face it, the GNU toolchain will never be as secure as OpenBSD. Yes, you have Openwall, PaX, and SELinux floating around, but what major distribution uses them right now? W^X was released in 3.3.

Fedora Core has incorporated Exec-Shield and SELinux since its first release. These technologies will also be included in Red Hat's next major enterprise operating system release, Red Hat Enterprise Linux 4, due early in 2005.

Re:You completely ignore security.

[ajs]

Face it, the GNU toolchain will never be as secure as OpenBSD

That's a very nice bit of speculation / opinion. It, however, has nothing to do with my post in any way whatsoever.

Please, folks, if you're BSD bigots or Linux bigots or Windows bigots or whatever, go find a post that says, "<your favorite tool/os/language> sucks," and reply with your rant. Meanwhile, take your non-sequitors and file them.

Coming soon...

OpenWheel: no longer will we be victim to restrictive goodyear/firestone licences!

Better colours

http://shit.slashdot.org/article.pl?sid=04/12/15/1 936218

More power to them...

[psykocrime]

I personally think it's something of a waste to write yet another replacement for CVS, but if they feel they need it, then great. It's open-source, it's volunteer, so nobody has any business telling these people *not* to write OpenCVS.

That said, I (and many others) consider Subversion to be the logical successor to CVS, and it seems to me that any effort spent on revision control would be better spent contributing to Subversion (or Arch maybe) instead of writing yet another version of something that's essentially obsolete.

OTOH, if they have major disagreements with the fundamental architecture of Subversion (and I understand that some people do) then maybe it would be better to just start from scratch, and design their own vision of an ideal revision control system?

Either way, it probably means more quality open source code, and in the long run, everybody ultimately benefits.

Re:More power to them...

[kirkjobsluder]

That said, I (and many others) consider Subversion to be the logical successor to CVS, and it seems to me that any effort spent on revision control would be better spent contributing to Subversion (or Arch maybe) instead of writing yet another version of something that's essentially obsolete.

I think the core problem is that CVS has become something of a legacy tool like sed, awk, grep and sh. Many of these tools may be "obsolete" but that does not mean that we don't need secure and trustworthy versions of those tools.

For the forseeable future, there will probably be projects using cvs for the next several years. OpenBSD users use cvsup for patching and updating both the base system and ports tree. I like Subversion and use it for my own stuff, but I don't think it is quite ready yet.

Broken Link for OpenBGPD

[Chaos1]

The link points to http://www.openbdpd.org/, and should be http://www.openbgpd.org/

Off topic: PF better than IPFILTER how?

[Xenophon+Fenderson,]

The two work about the same, except PF doesn't support an in-kernel FTP proxy (had to hack up my firewall rules big time to make FTP work, and I still have to open up a bazillion ports for the dynamic connections). It has lots of other stuff I will never use, e.g. scrub and modulate state. I only use PF because fwbuilder's rule compiler for PF outputs correct code, as compared to its compiler for IPFILTER which outputs buggy NAT rules, and I really don't feel like wasting my time writing firewall rules manually.

Re:Off topic: PF better than IPFILTER how?

[mirabilos]

Now now. That's definitively FTP's fault, and IMHO
this pre-1980 protocol deserves to finally die
anyway.
What's wrong with using HTTP for fast public down-
loads, SCP/SFTP for secured file transfers and if
it really has to be fast, netcat (and ssh to start
netcat on the remote end)?

Even Windows®-FTP-Clients do usually support SFTP.

Re:Off topic: PF better than IPFILTER how?

[Xenophon+Fenderson,]

D00d, I would love to see FTP finally die. Unfortunately, FreeBSD's own file distribution mechanisms rely on FTP, e.g. "pkg_add -r", ports, etc. And just about every other piece of modern firewall software can proxy FTP in the kernel (ipfilter, iptables, FireWall-1, etc.). Don't get me wrong: "modulate state" and the scrub options are really cool, but they solve a theoretical problem. I, instead, have a real problem with not being able to easily make FTP through my firewall work. What sucks even more is that I prefer to do egress filtering. With an in-kernel proxy, everything works properly because the proxy will add the necessary ingress and egress rules to make the file transfers work. Not so with ftp-proxy(8). So I have to either do "pass out" in pf.conf or click the "pass all outgoing" option in fwbuilder. This missing feature violates my expectations and it unnecessarily complicates my firewall rules (and weakens them in a theoretical sense).

(Yes, I am a have-my-cake-and-eat-it-too kind of guy.)

Re:Off topic: PF better than IPFILTER how?

[mirabilos]

a) You can retrieve packages by HTTP.

b) More insecurity in the kernel?

c) Rewrite ftp-proxy so that it uses a table
which is manipulated by ftp-proxy but which
must be contained in the pf.conf first.
spamd does this too, I think.

Re:Off topic: PF better than IPFILTER how?

That's a solution that is a non-starter for a lot of people. It is easy to say "just switch to x" but it isn't possible for lots of folks.

But it feels good to denigrate rather than help. I know, I'm doing it now and I feel *great*.

Theoretical solutions are nice, in theory. Practical solutions are more practical, however.

I feel so bad I have to explain this.

Re:Off topic: PF better than IPFILTER how?

ftp-proxy + passive ftp == ftp nirvana! :-)

Note to Theo and Crew.

Jeesuz, you did it again. You guys reimplemented something that nobody cares about anyway and is dying out fast in favor of more modern SLEEK AND PROFESSIONAL systems (ie. subversion). You reinvented the wheel. AGAIN. What is this, "Not Made By Theo" syndrome? You keep writing these little side projects, while your supposedly "bulletproof" system is not even halfway finished to a state most people can use without leaving it wide open everywhere!

You claim that security is job one. But the facts don't back that up. Not at all. If you actually WANTED to make a secure system, you'd stop diverting your energy all over the place with these little ego-stroking projects and:

1) Make *graphical* -- yes, graphical, you heard me -- installers and tools to *automate* -- yes, automate, you heard me -- setting up firewalls and setting up the system -- MOST security mistakes are because the admin is tired and makes a stupid typing error on the command line or forgets to do something (like edit some obscure file ten directories down in god knows where). What do you primitives have against GUIs? You know that 99.9% of desktops are running a GUI -- people like them BECAUSE THEY WORK. THEY MAKE THINGS EASIER. THEY *HELP* YOU TO DO THINGS WELL. I personally can't use OpenBSD for anything serious (even though I want to very much) simply because it won't hold my near-newbie hand AT ALL -- and I can't progress from "near-newbie" because I can't USE the damn thing! WHY should I use OpenBSD and struggle to set up my box myself when Apple will do it for me, with intelligent settings and quick security patches in Software Update? I installed OpenBSD3.5 (I wouldn't have made it through if I hadn't aped the CD instructions digit for digit, right down to folder sizes) and logged in. No X. Great. Took a few hours to get XWindows working (during that time I was on my mac, finding howtos and walkthroughs all over the net; I typed a PILE of shit into OpenBSD that I don't know what it did and never undid my changes, there were too many -- probable creation of security holes, duh). Then I installed a browser off the CD. Had to do it all from the command line, of course. Couldn't find an easy, efficient way to do it anywhere. Took five times as long as it should have because I had to type every damn line perfectly, right down to the /pub/OpenBSD/3.5/packages/i386/mozilla-firefox-0.8 .tgz. Over and over and over, finding the file, finding the directory, untarring the thing, installing it. IT JUST GOES ON AND ON AND ON AND ON! Then I tried to get on the net. Three full evenings later, still no joy. Kept going. Spent the weekend on it. Got fluxbox running. Finally got the net. Never got Java running in the browser -- I tried for over a week, since it's important for me to do fucking SECURE BANKING which I can't do with OpenBSD apparently BECAUSE IT WON'T RUN JAVA WITHOUT GIVING THEO MY LEFT NUT! There goes the purpose for having the damn thing. Whatever.

Checked OpenBSD.org. WTF??? Thirty-two patches?? The damn thing's only been installed a couple days!! Of course, I have no clue what these archaically-named patches are for, but like a good little OpenBSD zombie I try to install them all. No such luck. I got lots of errors and no idea whether it worked or not. So I go on the net, and guess what? HACKED. HACKED! WHY? No firewall. Nothing was running. I guess I have to set this up myself. How? Where do I go? WHY is it so hard to get a functional system? ALL I WANT TO DO IS SURF THE FUGGING INTERNET!!! Your system is secure until the CDs are shipped, then we're back to Windows-style insecurity land. Patch patch patch. And THERE lays your true bottleneck. People don't install patches because they're a ROYAL PAIN IN THE ASS. Which leads us to point two:

2) You NEED to have something like debian's security.debian.org, that just happens automatically. I don't want to spend half my day EVERY DAY recompiling and patching stupid shit! And a special note to Theo, NOBODY READS THE SOUR

Re:Note to Theo and Crew.

Exactly, why use your brain when you can be a dumbass instead...

IPv6?

[isj]

Does this mean that there is a chance that we will get a CVS implementation that supports IPv6 out-of-the-box? I am getting tired of patching it.

Re:IPv6?

[mirabilos]

Eh? cvs uses ssh for connecting to the server, or
operates locally.

What? You're using pserver/kserver? Don't.

You can even use anoncvs to make non-anynomous
read/write accounts for users to access the CVS
repository by means of cvs server, preventing them
from directly writing into the repo.
http://mirbsd.bsdadvocacy.org/cvs.cgi/src/l ibexec/ anoncvssh/

Briefly?

I guess "briefly" is Timmy's way of mitigating the fact that he fucked up.

Now we know that the janitors don't read the articles, but do they even scan slashdork's titles?

CVSNT anyone?

CVSNT http://cvsnt.org/wiki is actively maintained and has many improvements compared to standard CVS. It is definitely worth having a look at if standard CVS does not give you what you want.

And before you start complaining: it runs on Linux as well as Windows (don't know about other *nix'es).

Unfortunately it has got a bizarre release cycle which makes it hard to figure out which versions are stable, but if you use a conservative approach and monitor the development mailinglists it can be acceptable. I have been using it successfully in a production environment for over a year without any serious problems. And we were very happy with the extended functionality, especially the improvements regarding merging between branches.

heheheheh

Open CVS, Openstandard, and apparently Open the door as slashdot just nicked your nix box.

Scratch OpenSSL from the list...

[ttfkam]

I stand corrected. Thank you.

Breaking News

[MightyMartian]

OpenFord has announced it will be releasing Open Model A, the very latest in high tech auto design.

Have you read CVS source?

[^BR]

Can you honestly say that you understand what is does? I tried and al I got was a headache...

The sad fact is that it's likely more work to get into CVS than to rewrite one cleanly.

It is supposed to be a protocol anyway, not just a program, another reimplementation (I don't know if CVSNT is a CVS descendant) will at least give the benefit of better documentation for the protocol...

Nice response, Mr AC

[eightball]

I mostly agree with your assessment, though I am not sure this project will have the success of OpenSSH. But, we can hope.

less restrictive license == a good thing

an equivalent product with a a less restrictive license is a good thing.

commercial -> GNU -> BSD

it's all good man!

have a joint and then run this, it'll help ya feel better
cd /usr/ports/graphics/pornview; make; sudo make install
take two and call me in da morning....

open* by openbsd

i love all your projects. please continue to deliever the most secure apps out there!

Some actual facts (and two more lines)

[AgainstFUD]

http://bsd.slashdot.org/comments.pl?sid=131228&cid =10982290

The fact that you complain to me, instead of complaining to the *FUD-spreading* trolls, who should associate the entire GNU/Linux community with, according to your reasoning.

Some actual facts

http://bsd.slashdot.org/comments.pl?sid=131228&cid =10982290

GCC will be replaced some day

Check out Tendra. It is a free-as-in-BSD C compiler. It works well for C, but still has some problems with C++ (no STL).

Re:GCC will be replaced some day

[RdsArts]

IIRC, Tendra was the compiler they were tossing around as a idea of which one to move to a few months back. Or at least some messages were passed around.

I've always wondered why they hadn't. Sure, it's not a 100% drop-in replacement for GCC, but considering how much GPLed code they've dropped and that it would push them much closer to being a fully-BSDed OS, I don't see how it would have been that much more of a problem.

Wrong

FreeBSD uses Perforce, and only uses CVS as a kind of fallback.

Some actual facts

[Aga1nstFUD]

http://bsd.slashdot.org/comments.pl?sid=132239&cid =11082989

Some actual facts (Parent is a Troll)

[Aga1nstFUD]

http://bsd.slashdot.org/comments.pl?sid=132239&cid =11082989

Some actual facts (Other links are trolls)

[Aga1nstFUD]

http://bsd.slashdot.org/comments.pl?sid=132239&cid =11082989

Some actual facts

[AgainstFUD]

http://bsd.slashdot.org/comments.pl?sid=131228&cid =10982290

Some actual facts

[AgainstFUD]

http://bsd.slashdot.org/comments.pl?sid=131228&cid =10982290

Some actual facts

[AgainstFUD]

http://bsd.slashdot.org/comments.pl?sid=131228&cid =10982290

Some actual facts (other posts are trolls)

[Aga1nstFUD]

http://bsd.slashdot.org/comments.pl?sid=132867&cid =11094025

Some actual facts

[AgainstFUD]

http://bsd.slashdot.org/comments.pl?sid=131228&cid =10982290

Some actual facts

[Aga1nstFUD]

http://bsd.slashdot.org/comments.pl?sid=132867&cid =11094025

Some actual facts

[Aga1nstFUD]

http://bsd.slashdot.org/comments.pl?sid=132867&cid =11094025

Some actual facts (parent is a troll)

[Aga1nstFUD]

http://bsd.slashdot.org/comments.pl?sid=132867&cid =11094025 It's not "FUD" if it's true.

Some actual facts

[AgainstFUD]

http://bsd.slashdot.org/comments.pl?sid=131228&cid =10982290

Some actual facts

[AgainstFUD]

http://bsd.slashdot.org/comments.pl?sid=131228&cid =10982290

Some actual facts

[AgainstFUD]

http://bsd.slashdot.org/comments.pl?sid=131228&cid =10982290