> > Then what will be the primary way to track NetBSD src and pkgsrc trees? > > Now it's CVS, mirrored to git. What will replace CVS, will it be git, hg, > > or something else, and will it be in the base system, or will it have to be > > built or pkg_add'ed from pkgsrc? > > Is it a matter of CVS being less secure? I see that OpenBSD, the great > > security-minded OS, still uses CVS, mirrored on Github.
> Hi Thomas, > The main motivation to move away from CVS is that it's lacking in > features. The plan so far is to move to Mercurial, and not have it in > base. "Bootstrapping" is still possible using tarballs. > While I would hesitate to connect to a malicious CVS server, I don't see > a reason to suspect CVS is significantly worse than Git-over-SSH, for > example. A lot of the security in CVS relies on the SSH implementation. Git is much more widely used than Mercurial, as far as I can see. I have never been to a repository where Mercurial was the only or primary VCS. I've built and installed git from ports (FreeBSD) and pkgsrc (NetBSD), but never Mercurial. If a Mercurial repository/archive is bootstrapped from a tarball, how is it updated? FreeBSD switched from cvsup and csup to svn in summer 2012 due to a security breach. The full svn is not in FreeBSD base system; base system has an optional svnlite, which I decline in favor of building the devel/subversion port, which I have done in both FreeBSD (ports) and NetBSD (pkgsrc). Tom
