OpenBSD Project Will Release OpenCVS

thequbemaster writes "The OpenBSD project, responsible for OpenSSH, OpenBGPD, and OpenNTPD, has created OpenCVS, a BSD licensed implementation of CVS client and server. From the site: 'It aims to be as compatible as possible with other CVS implementations, except when particular features reduce the overall security of the system. The OpenCVS project was started after discussions regarding the latest GNU CVS vulnerabilities that came out. Although CVS is widely used, its development has been mostly stagnant in the last years and many security issues have popped up, both in the implementation and in the mechanisms.' No releases are available yet. The README in the OpenCVS CVS repository states that the server is not ready yet, but looks like the client is usable." Update: 12/15 20:18 GMT by T : This project was mentioned briefly the other day, too.

Ummm.. I had to read that a few times....

[GameGod0]

The OpenCVS CVS repository?

lol

I'll have to "Check It Out"

[lottameez]

hahahahahahaha. I kill me.

Re:I'll have to "Check It Out"

[wowbagger]

I think you need to be committed.

This Article is Redundant

[Nimrangul]

There was already an article regarding OpenCVS, and it is fairly obvious that it will be getting released, or it would not be given a Open* title and it's own site.

Not that I mind mind you, I just didn't see why there have been to articles on OpenCVS starting up. At least this one isn't saying it was because OpenBSD hates the GPL and are trying to replace a GPL CVS system.

Were we not...

[jwthompson2]

already aware of this?

http://bsd.slashdot.org/article.pl?sid=04/12/06/ 11 54242&tid=8&tid=7

That was back on December 6th!

A great idea...

[holzp]

Merge the userfriendlyness of OpenBSD with the userfriendlyness of CVS!

What is wrong with subversion?

[Yaa+101]

What is wrong with subversion?

Re:What is wrong with subversion?

[chroot_james]

This is the OpenBSD team. Not a bunch of louts. They could learn SVN overnight and write an open replacement for it in a week. Remember when they decided they didn't like ipf? They designed and implemented a new packet filter that was _better_ in barely any time at all.

With their vigilance, they'd clearly go with which ever they thought was better.

Re:What is wrong with subversion?

[Phred+T.+Magnificent]

Damn, where to start? In no particular order:

• Subversion uses too damn much disk space, particularly on the client (not that it's good on the server, either, but when the client is an older laptop with a 9 GB hard drive, you really notice the problem)
• Subversion is slow
• The server-side database is too easily and far too frequently corrupted or left locked by an aborted client request, resulting in ridiculous slowdown on the client side and increased administrative overhead on the server side
• Most Subversion installations are configured to work over HTTP (only). This provides all kinds of nice anti-benefits, like:
  • Eliminating key-based SSH authentication and replacing it with weak password-based HTTP "basic" authentication
  • Replacing a nice, encrypted SSH transport with plain-text HTTP
  • Making it so that in order to use Subversion over an SSH tunnel, you first have to shut down your local Apache server, modify /etc/hosts and set up the tunnel as root, because, of course, a non-root user can't tunnel port 80

The list goes on and on and on, but I'm not interested in continuing it just now. Subversion hasn't managed yet to be the worst version control system I've ever seen: that title is still held by PVCS on Windows 3.1, circa 1995. It's getting to be a close race, though.

Re:What is wrong with subversion?

[Jahf]

Not necessarily. Switching off of ipf doesn't affect -every- developer. In fact it likely affected only the developers that went off to work on a replacement.

Assuming OpenBSD uses CVS today, then moving to a new toolset instead of mirroring the functionality of the existing tool affects -every- person who developes on OpenBSD.

That is a far far far more acute impact. One that I know I wouldn't want to be in charge of handling. This is the kind of thing that gives IT folks nightmares ... and developers can be some of the most obstinate people to retrain (and I say that with all affection to my father and co-workers).

Not to mention the hassle/risk of switching the systems over in the first place.

Re:What is wrong with subversion?

[fitz]

I've just corrected the project FAQ page to no longer reflect that cvs2svn is still under development. It's now stable, under maintenance and has been used to convert many many CVS projects, including Apache HTTP Server, Mono, and more.

Re:What is wrong with subversion?

[slipsuss]

I think your information is a bit old.

Point for point:

* Subversion deliberately uses a lot of working-copy disk space, because it's optimized for network use. (that is, it assumes that network is scarce, and disk is cheap.) It caches pristine copies of files so that lots of commands ("diff", "revert", "status") all work offline. It's a deliberate choice. Someday the developers hope to make this tradeoff configurable.

* Subversion is slower than CVS, yes, but not unusably slow. And it's faster than CVS at some things, like branching and tagging. The speed tradeoffs are amortized over the overall lifecycle of using the software. For example: it takes longer to checkout a working copy (because more data is being created on disk), but then after that, some common commands are faster than CVS as a result.

* Subversion has exposed BerkeleyDB's brittleness to end users, which is admittedly a mistake. But the Subversion team is now working closely with Sleepycat to fix these problems. And besides, there's now a whole non-database repository alternative that you can use. You can choose to avoid BDB altogether.

* You seem to be unaware that Subversion is not only able to use http://, but https:// as well, complete with server and client certificate negotiation. You can also tunnel the custom server protocol over ssh, using svn+ssh:// urls; no apache required at all, if you'd just prefer to use existing ssh accounts.

Hope this clarifies things.

Re:What is wrong with subversion?

[Doomdark]

Subversion is slow

Weird. My experience has been the exact opposite -- Subversion being significantly faster (but apparently partly due to increased disk usage, using local full copies; not requiring network access for doing status etc), and that with actual source code. And with binaries... well, CVS barely even works with binaries (plus big binaries can just bring down the CVS server -- needs at least twice the size of the binary on server side, contiguous memory); whereas Subversion has no trouble whatsoever.

I can't comment on ssh part, as the repositories I use are (I guess) properly configured so I just use svn+ssh indicator and things work smooth. I'm not sure if it's reasonable to blame scm on people don't configure it properly, however.

Re:What is wrong with subversion?

[Ragica]

I'm by no means a subversion expert, or even a daily user (i have use CVS for my daily work; but i keep my personal projects that i rarely get a chance to play with in subversion), but even I can answer most of your points.

• It isn't the most disk space efficient system; but as you point out, the laptop you are using is rather limited. For the vast majority of cases these days this is not an issue.
• Slow compared to CVS? I find just the opposite. It's very much faster for most operations. Perhaps we are using it on different types of repositories.
• The database corruption/locking is a point I will give you. In my fairly casual reading on the subject it seems even the Subversion developers will give you this point. The good news is that the underlying architecture should be portable to other storage types, and this is supposedly going to be coming eventually. On the other hand, while there have been some annoying storage issues with subversion, and I've had to fix and manually unlock the database a few times, i've never lost data.
• The fact that most "installations" work over http only is not subversion's fault. It has many methods that can be used. Personally I like https via Apache webdav. It's much more flexible for my usage. But one can set things up to use ssh transport (and you don't have to do it via apache as you seem to be).

I'm just amazed no one more knowledgeable than me has responded to these points yet. Perhaps the more hardcore users weary of answering these constant misconceptions...

Re:What is wrong with subversion?

[divec]

Making it so that in order to use Subversion over an SSH tunnel, you first have to shut down your local apache server, modify /etc/hosts and set up the tunnel as root, because, of course, a non-root user can't tunnel port 80.

Not sure if I've understood correctly, but tunnelling as follows works ok for me:
$ ssh -N me@remotebox -L8080:svn-server:80 &
$ svn co http://localhost:8080/my-project

Re:What is wrong with subversion?

[rudedog]

Subversion uses too damn much disk space

So what. Disk space is too cheap to develop to edge cases like your laptop.

Subversion is slow

Because it's doing a lot more things than CVS ever did. Those things are useful.

The server-side database is too easily and far too frequently corrupted or left locked

I rarely run into locked databases (on the scale of only 1 or 2 a year) and I have never seen database corruption.

Most Subversion installations are configured to work over HTTP (only).

And how is it Subversion's fault that admins don't set the installation up to use a more secure transport. We use subversion over https with a self-signed certificate. The weak point in that chain is not with subversion, it's with the local machine, and if the local machine is compromised, both subversion/https and cvs/ssh are both equally vulnerable.

The list goes on and on and on, but I'm not interested in continuing it just now

In other words, I can't think of anything other than "it won't fit on my 9GB disk", and "some people don't set it up securely".

Lamer.

Re:What is wrong with subversion?

[Jason+Hood]

You seem to still be complaining about configuration issues within subversion rather than subversion itself.

I am not sure what environment you live in but in mine we only have 100Mbs and everyone has 120GB HDs. The server has 1TB of raid storage with 4 network adaptors each with its own svnserve bound to it. Our project has 55,000 source files with 120 active developers. No problems here. We moved off a proprietary system that cost 750k a year to this which costs 120k a year (one devs salary). Compared to our old system, this is fast as hell. A checkout of a 4000k module takes about a minute. We even run a change request management system on the same server...

Webdav is and always will be slow, its just not an efficient protocol. You may have had problems with subversion but this sounds completely specific to the setup you work in. A properly implemented system should run very smooth. I am not jabbing, just showing subversion can be successful with the right setup.

Re:What is wrong with subversion?

[Mr.Ned]

As to taking up more space than CVS, well, yes it does, but that's because it stores more information that lets the user do basic operations like rename a file - operations that are not present in CVS and are hacked around.

As to being slow compared to CVS, it is slower on some operations (such as the initial get) because it retrieves more information than the server, but consequently other operations are quicker because it already has the information.

As to database corruption and an alternate backend, there's been an alternate backend for months now.

Re:What is wrong with subversion?

[mirabilos]

Try SSH connection multiplexing with CVS, and
the slowest part - the authentication phase -
is not repeated. Works really really good.

Mainstream

[Manan+Shah]

What will really put this into a mainstream enviornment is if there are some good GUI clients available for it. If an easy to use, and perhaps more importantly, cross platform GUI client is released, you can bet that the popularity will go up. Visual Source Safe (Microsoft) isn't all that great, but people still use it because CVS doesn't have a robust windows GUI client. Or at least it didn't early on and so the first impressions were not very friendly from companies looking at products where they wouldn't have to train their employees as much. If they can come up with a great GUI right off the bat, Microsoft will really sweat.

Development has stagnated?

[tcopeland]

Hm. Well, maybe. There have been a couple releases this year, and the mailing list remains active.

I kind of feel that the torch is being passed on to Subversion, with no hard feelings between anyone. Lots of folks are converting over and most folks seem pretty happy with it. But CVS is still widely used and there are a bunch of of gurus who hang out on the list and answer questions.

Oh, and here's a mirror of various CVS releases if anyone needs them.

Re:Development has stagnated?

[Saeger]

Funny coincidence, but today I recieved a message from the Mambo CMS devs asking for community input on switching from CVS to Subversion:

Greetings,

We don't do this often, but it is time for a major decision to be made; and we need your input.

With the migration of MamboForge to the new server, we have the opportunity to change the source code management back-end from cvs to subversion.

Which one do you prefer? You can place your vote on the forums at:

http://forum.mamboserver.com/showthread.php ?t=24861

Regards,

The MamboForge Administration Team

The current poll results favor switching to Subversion by a wide margin.

Re:Development has stagnated?

Look, you posted the exact same shit the last time this was on /. and was told that it's not about licensing, it's about a critical tool (OpenBSD developers rely on CVS to get their job done) that's not secure enough. Do you understand that? If the replacement tool is being done by an OpenBSD developer, it's only natural that the chosen license is BSD.

The best part

[ZorbaTHut]

isn't just the fact that it's a dupe.

It's that the posted link, to the article that this is a dupe of, is a link into the admin interface. For the curious, right now it's https://slashdot.org/admin.pl?op=edit&sid=04/12/15 /1936218 - I imagine this will be changed once the admins notice . . . well, probably.

Standard Disclaimer

[Ann+Elk]

This project was mentioned briefly the other day, too.

Maybe this disclaimer should appear at the end of every article summary...

Re:We need a new one?

[MassacrE]

"Any remaining problems"?

You obviously are unfamiliar with the CVS dungpile, err.. codebase. For instance, there is no access provider mechanism - they copied and pasted the code from the filesystem tree to make the pserver tree, then nobody thought "hey, maybe this will be a maintainability problem later?"

There is also no application-level interface to CVS. CVS tools typically use regexp or other parsing techniques to invoke the CVS command-line and parse its contents.

If this causes a slower transition to Subversion, it will be because people don't need to run away from the existing CVS implementation screaming anymore. A good implementation of CVS will put the emphasis of subversion right where it should be - adding compelling features which will convince people to move to it.

As far as 'less interoperability between operating systems' is concerned, I do not see why this would be restricted to BSD systems, any more than openssh was.

Hmm...

[which+way+is+up]

No thanks, I prefer visual source safe.

and Arch, and BitKeeper, Aegis, SVK

[noblesse+oblige]

And the GNU people have run to Arch with the usual zealot flair. A good comparison can be found here.

Re:subversion?

[TheRaven64]

Because a lot of existing infrastructure still uses CVS? In the long term, transitioning this to SVN is a good idea, and I certainly wouldn't recommend that a new project use CVS. In the mean time, however, I think the OpenBSD people feel that it would be nice to have a CVS implementation that was secure and maintainable.

Re:In related news...

[upsidedown_duck]

The OpenBSD folks would re-implement GCC in a heartbeat, if they could afford the man-years to do so.

Lots of reasons...

[emil]

I am not a fanatic about BSD vs. GPL, but let me count the ways...

1. Anything under BSD license is much more free than GPL free software. Hey, it doesn't change my life much, but there are a lot of people who care about this. More BSD free software is good for everybody.
2. Is it your right to ask OpenBSD developers to GPL their code, when they would prefer to apply a BSD license to it? It certainly isn't mine.
3. It is unlikely that the current CVS uses strlcpy/strlcat. Would retrofitting this functionality be accepted by the CVS people, especially as the GNU libc people have already rejected it? (Boy, that was a great step forward in security there.)

OpenBSD has been slowly stripping/replacing GPL software wherever they can. Recent fatalities include gzip and gawk. It's their distribution, and they can do what they want.

But I for one am glad for OpenBSD. It fits me like a glove. I just wish that Microsoft couldn't copy so much of it.

Re:Berkley db?

[ishmalius]

This is no longer a necessity. There is a filesystem-oriented repository format now. We have been using it for over a month now with no problems.

Re:Finally...

[fimbulvetr]

You do realize you can run subversion under Apache, so that subversion security == Apache security. Right?

Yes, of course I realize. Additionally, I realize that your statement is blatently incorrect.
Subversion security != Apache Security

First, I referenced apache 1.3.x, afaik, subversion only runs under 2.
Secondly, subversion *CAN* run under apache, but it can also run standalone.

Subversion is not secure, and running under apache does not make it secure. If anything, it makes apache much more insecure.

Re:We need a new one?

Let me see if I understand this... there were some security problems with CVS as-is, so the OpenBSD folks did the right thing and reviewed the code, discovered any remaining problems and submitted... no, no it seems they instead wrote their own CVS.

Actually, they did review the code, find the bugs, make patches for them, and submit the patches to the CVS crew. The CVS folks did the same thing Apache did, which was to ignore the patches. The OpenBSD people were in the same boat again. They had improvements to an existing project that the project wasn't accepting. They could've forked the CVS code, which was probably what they were going to do, but the existing CVS code turned out to be so bad that starting from scratch would've been easier than forking. In light of this, most of the rest of your comment is pointless to reply to, because it's based on information you didn't have before you shot off your mouth.

For those not familiar with the state of the world, this is going to mean a slower/longer transition to subversion (the logical successor to CVS), less interoperability between operating systems for developers and yet another tool that the OpenBSD people (who clearly did not have enough work to do already), to support.

Subversion isn't the logical successor to CVS. Subversion has a handful of issues that stand in the way of it becoming even a viable competitor to CVS, much less a successor, and that doesn't address the svn design issues.

OpenCVS is also compatible with CVS, except where CVS has design issues that affect security. For the most part, most people won't ever notice the difference, and the world is better for having OpenCVS around, especially when the original CVS group doesn't want to take security patches.

Finally, the OpenBSD developers are very experienced. It's likely that OpenCVS already has fewer bugs in it than the original CVS; furthermore, the code is cleaner than CVS's and will be far easier to maintain.

What happened to OpenBSD? Wasn't it an actual member of the open source community at one point?

OpenBSD is taking care of OpenBSD. If that methodology results in a better operating system than others, then there's something flawed with the other methodologies. It's not OpenBSD's problem if you don't like them.

Oh well, as long as no one tries to make me use their mutant CVS, I'll be happy.

I'll bet that within two years, you'll be using OpenCVS with 95% exclusivity because it's a better, more secure, more stable product. It's not a good thing to rail against software projects in their infancy, because you don't know where your needs will be in time. Nobody will blame you later on for using OpenCVS.

Lastly, I'm putting an OpenCVSup on my Christmas list. It would be outstanding to not have to choose between installing a binary package and installing a Modula-3 compiler.

Re:OpenNTP problems

[LurkerXXX]

And in response:

http://www.ie.openbsd.org/faq/faq6.html#OpenNTPD

More power to them...

[psykocrime]

I personally think it's something of a waste to write yet another replacement for CVS, but if they feel they need it, then great. It's open-source, it's volunteer, so nobody has any business telling these people *not* to write OpenCVS.

That said, I (and many others) consider Subversion to be the logical successor to CVS, and it seems to me that any effort spent on revision control would be better spent contributing to Subversion (or Arch maybe) instead of writing yet another version of something that's essentially obsolete.

OTOH, if they have major disagreements with the fundamental architecture of Subversion (and I understand that some people do) then maybe it would be better to just start from scratch, and design their own vision of an ideal revision control system?

Either way, it probably means more quality open source code, and in the long run, everybody ultimately benefits.

Re:We need a new one?

[Azul]

You know, this is precissely how OpenBSD was born. Theo de Raadt was contributing to NetBSD until the NetBSD core decided to remove his write privileges from its sources. Theo, upset, decided to fork and start OpenBSD.

Originally, it had nothing to do with security, but rather with "openness" (from Theo's point of view, after he was kicked out). I suppose it would be called SecureBSD had security been the reason Theo started working on it.

You can find out more about this straight from the horse's mouth.

So, I suppose, forking established projects due to disagreements such as these is nothing new for the OpenBSD people.

Re:IPv6?

[mirabilos]

Eh? cvs uses ssh for connecting to the server, or
operates locally.

What? You're using pserver/kserver? Don't.

You can even use anoncvs to make non-anynomous
read/write accounts for users to access the CVS
repository by means of cvs server, preventing them
from directly writing into the repo.
http://mirbsd.bsdadvocacy.org/cvs.cgi/src/l ibexec/ anoncvssh/