OpenBSD Project Will Release OpenCVS

thequbemaster writes "The OpenBSD project, responsible for OpenSSH, OpenBGPD, and OpenNTPD, has created OpenCVS, a BSD licensed implementation of CVS client and server. From the site: 'It aims to be as compatible as possible with other CVS implementations, except when particular features reduce the overall security of the system. The OpenCVS project was started after discussions regarding the latest GNU CVS vulnerabilities that came out. Although CVS is widely used, its development has been mostly stagnant in the last years and many security issues have popped up, both in the implementation and in the mechanisms.' No releases are available yet. The README in the OpenCVS CVS repository states that the server is not ready yet, but looks like the client is usable." Update: 12/15 20:18 GMT by T : This project was mentioned briefly the other day, too.

Re:OpenNTP problems

[shub]

Whereas I post with my own slashdot account, and don't try to hide behind an AC.

I have said that I would remove all comments in my blog which are posted with bogus e-mail addresses, and I have done that. What you haven't seen is the comments in my blog which were favourable to my view, but which were also posted with bogus e-mail addresses, and which were also deleted. I will continue my policy regarding the deletion of comments posted to my blog which have bogus e-mail addresses, and if someone wants to post a rebuttal comment with a valid e-mail address, then I will leave it.

I have no problem with the creation of a "lightweight" time server, but the problem is that the NTPv3 and NTPv4 protocols are, by their very nature, quite heavy -- you simply cannot escape that fact. If you want something "lightweight", then you have to give up NTPv3 and/or NTPv4, and instead go with SNTP.

Please note that there is a "lightweight" SNTP server included in the "Reference Implementation" tarball, known as "msntp". This is the same SNTP server as used on m0n0wall. If you want a lightweight SNTP server implementation, you should check it out.

The real problem is that the PR/marketing campaign by Theo and Henning has been that OpenNTPd is a complete fully functional replacement for the Reference Implementation, which even casual inspection shows to be patently false. Now, if they wanted to change the name of the project to OpenSNTPd and change the PR/marketing to match, I wouldn't have a leg to stand on. I challenge Theo or Henning to do this. At least, they'd be able to make me shut up.

With regards to my blog on OpenNTPd, I contacted Henning, and had several conversations with him regarding the project and where he saw things going. I tried very, very hard to give them every possible benefit of the doubt. When it became clear that he and Theo considered the project to be essentially finished (at what I would consider the 0.0.1 stage), and they were already looking for other things to work on, that's when I took the material I had been working on for a long time, and did a final "publication" of it.

I tried very, very hard to be as objective as possible, and to do everything I could to avoid flame wars, while still keeping what I considered to be constructive criticism. Needless to say, I've been underwhelmed by some of the responses, especially from some of the slashdot crowd.

Meanwhile, if people want to check out "slander" or "libel", try asking yourself why something qualifies under these terms when I say it, but qualifies as "fact" when Dan says the exact same thing. There's someone using a double-standard here, but it's not me.