OpenBSD Project Will Release OpenCVS
thequbemaster writes "The OpenBSD project, responsible for OpenSSH, OpenBGPD, and OpenNTPD, has created OpenCVS, a BSD licensed implementation of CVS client and server. From the site: 'It aims to be as compatible as possible with other CVS implementations, except when particular features reduce the overall security of the system. The OpenCVS project was started after discussions regarding the latest GNU CVS vulnerabilities that came out. Although CVS is widely used, its development has been mostly stagnant in the last years and many security issues have popped up, both in the implementation and in the mechanisms.' No releases are available yet. The README in the OpenCVS CVS repository states that the server is not ready yet, but looks like the client is usable." Update: 12/15 20:18 GMT by T : This project was mentioned briefly the other day, too.
Not that I mind, mind you, I just didn't see why there have been two articles on OpenCVS starting up. At least this one isn't saying it was because OpenBSD hates the GPL and are trying to replace a GPL CVS system.
I'm sick of following my dreams - I'm just going to ask them where they're going and hook up with them later.
What is wrong with subversion?
What will really put this into a mainstream environment is if there are some good GUI clients available for it. If an easy to use, and perhaps more importantly, cross platform GUI client is released, you can bet that the popularity will go up. Visual Source Safe (Microsoft) isn't all that great, but people still use it because CVS doesn't have a robust Windows GUI client. Or at least it didn't early on and so the first impressions were not very friendly from companies looking at products where they wouldn't have to train their employees as much. If they can come up with a great GUI right off the bat, Microsoft will really sweat.
You do realize you can run subversion under Apache, so that subversion security == Apache security. Right?
Yes, of course I realize. Additionally, I realize that your statement is blatantly incorrect.
Subversion security != Apache Security
First, I referenced apache 1.3.x, afaik, subversion only runs under 2.
Secondly, subversion *CAN* run under apache, but it can also run standalone.
Subversion is not secure, and running under apache does not make it secure. If anything, it makes apache much more insecure.
Let me see if I understand this... there were some security problems with CVS as-is, so the OpenBSD folks did the right thing and reviewed the code, discovered any remaining problems and submitted... no, no it seems they instead wrote their own CVS.
Actually, they did review the code, find the bugs, make patches for them, and submit the patches to the CVS crew. The CVS folks did the same thing Apache did, which was to ignore the patches. The OpenBSD people were in the same boat again. They had improvements to an existing project that the project wasn't accepting. They could've forked the CVS code, which was probably what they were going to do, but the existing CVS code turned out to be so bad that starting from scratch would've been easier than forking. In light of this, most of the rest of your comment is pointless to reply to, because it's based on information you didn't have before you shot off your mouth.
For those not familiar with the state of the world, this is going to mean a slower/longer transition to subversion (the logical successor to CVS), less interoperability between operating systems for developers and yet another tool that the OpenBSD people (who clearly did not have enough work to do already), to support.
Subversion isn't the logical successor to CVS. Subversion has a handful of issues that stand in the way of it becoming even a viable competitor to CVS, much less a successor, and that doesn't address the svn design issues.
OpenCVS is also compatible with CVS, except where CVS has design issues that affect security. For the most part, most people won't ever notice the difference, and the world is better for having OpenCVS around, especially when the original CVS group doesn't want to take security patches.
Finally, the OpenBSD developers are very experienced. It's likely that OpenCVS already has fewer bugs in it than the original CVS; furthermore, the code is cleaner than CVS's and will be far easier to maintain.
What happened to OpenBSD? Wasn't it an actual member of the open source community at one point?
OpenBSD is taking care of OpenBSD. If that methodology results in a better operating system than others, then there's something flawed with the other methodologies. It's not OpenBSD's problem if you don't like them.
Oh well, as long as no one tries to make me use their mutant CVS, I'll be happy.
I'll bet that within two years, you'll be using OpenCVS with 95% exclusivity because it's a better, more secure, more stable product. It's not a good thing to rail against software projects in their infancy, because you don't know where your needs will be in time. Nobody will blame you later on for using OpenCVS.
Lastly, I'm putting an OpenCVSup on my Christmas list. It would be outstanding to not have to choose between installing a binary package and installing a Modula-3 compiler.
Look, you posted the exact same shit the last time this was on /. and was told that it's not about licensing, it's about a critical tool (OpenBSD developers rely on CVS to get their job done) that's not secure enough. Do you understand that? If the replacement tool is being done by an OpenBSD developer, it's only natural that the chosen license is BSD.
Jeesuz, you did it again. You guys reimplemented something that nobody cares about anyway and is dying out fast in favor of more modern SLEEK AND PROFESSIONAL systems (ie. subversion). You reinvented the wheel. AGAIN. What is this, "Not Made By Theo" syndrome? You keep writing these little side projects, while your supposedly "bulletproof" system is not even halfway finished to a state most people can use without leaving it wide open everywhere!
You claim that security is job one. But the facts don't back that up. Not at all. If you actually WANTED to make a secure system, you'd stop diverting your energy all over the place with these little ego-stroking projects and:
1) Make *graphical* -- yes, graphical, you heard me -- installers and tools to *automate* -- yes, automate, you heard me -- setting up firewalls and setting up the system -- MOST security mistakes are because the admin is tired and makes a stupid typing error on the command line or forgets to do something (like edit some obscure file ten directories down in god knows where). What do you primitives have against GUIs? You know that 99.9% of desktops are running a GUI -- people like them BECAUSE THEY WORK. THEY MAKE THINGS EASIER. THEY *HELP* YOU TO DO THINGS WELL. I personally can't use OpenBSD for anything serious (even though I want to very much) simply because it won't hold my near-newbie hand AT ALL -- and I can't progress from "near-newbie" because I can't USE the damn thing! WHY should I use OpenBSD and struggle to set up my box myself when Apple will do it for me, with intelligent settings and quick security patches in Software Update? I installed OpenBSD3.5 (I wouldn't have made it through if I hadn't aped the CD instructions digit for digit, right down to folder sizes) and logged in. No X. Great. Took a few hours to get XWindows working (during that time I was on my mac, finding howtos and walkthroughs all over the net; I typed a PILE of shit into OpenBSD that I don't know what it did and never undid my changes, there were too many -- probable creation of security holes, duh). Then I installed a browser off the CD. Had to do it all from the command line, of course. Couldn't find an easy, efficient way to do it anywhere. Took five times as long as it should have because I had to type every damn line perfectly, right down to the /pub/OpenBSD/3.5/packages/i386/mozilla-firefox-0.8.tgz. Over and over and over, finding the file, finding the directory, untarring the thing, installing it. IT JUST GOES ON AND ON AND ON AND ON! Then I tried to get on the net. Three full evenings later, still no joy. Kept going. Spent the weekend on it. Got fluxbox running. Finally got the net. Never got Java running in the browser -- I tried for over a week, since it's important for me to do fucking SECURE BANKING which I can't do with OpenBSD apparently BECAUSE IT WON'T RUN JAVA WITHOUT GIVING THEO MY LEFT NUT! There goes the purpose for having the damn thing. Whatever.
Checked OpenBSD.org. WTF??? Thirty-two patches?? The damn thing's only been installed a couple days!! Of course, I have no clue what these archaically-named patches are for, but like a good little OpenBSD zombie I try to install them all. No such luck. I got lots of errors and no idea whether it worked or not. So I go on the net, and guess what? HACKED. HACKED! WHY? No firewall. Nothing was running. I guess I have to set this up myself. How? Where do I go? WHY is it so hard to get a functional system? ALL I WANT TO DO IS SURF THE FUGGING INTERNET!!! Your system is secure until the CDs are shipped, then we're back to Windows-style insecurity land. Patch patch patch. And THERE lays your true bottleneck. People don't install patches because they're a ROYAL PAIN IN THE ASS. Which leads us to point two:
2) You NEED to have something like debian's security.debian.org, that just happens automatically. I don't want to spend half my day EVERY DAY recompiling and patching stupid shit! And a special note to Theo, NOBODY READS THE SOUR