Re: arch, svn, cvs (was: Bug#323855: ITP: opencvs -- OpenBSD CVS implementation with special emphasis in security)

2005-08-24 Thread Francesco P. Lovergine
On Fri, Aug 19, 2005 at 02:22:26PM +0200, Marc Haber wrote:
 On Fri, 19 Aug 2005 13:06:49 +0200, Steinar H. Gunderson
 [EMAIL PROTECTED] wrote:
 I'd love to see people migrating to Arch
 
 Compared to SVN from the view of somebody who is acquainted with CVS,
 arch sucks badly. I tend to agree with most of the things that Florian
 Weimer lists on http://www.enyo.de/fw/software/arch/design-issues.html
 

Comparing svn and arch is like comparing apples and tomatoes. They have
completely different purposes (i.e. centralized vs distributed).

-- 
Francesco P. Lovergine


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]



Re: Bug#323855: ITP: opencvs -- OpenBSD CVS implementation with special emphasis in security

2005-08-22 Thread Martin Langhoff
On 8/21/05, Matthew Palmer [EMAIL PROTECTED] wrote:
 I'm quite confident that there will be an upgrade path from Arch archives to
 bzr archives.  Canonical, amongst other people, have too much invested in
 Arch to just let that history fester.  As for hct, I understand it is a
 wrapper frontend to baz/bzr to provide the sorts of functionality that
 package maintainers need, instead of being a general-purpose revision
 control tool.

Agreed. And in case I didn't agree, Martin Poole has just posted a
message mentioning that Canonical is slowly shifting focus from baz to
bzr and will provide an upgrade path. I can't find it in any useful
archive to provide a link. Sorry.

Arch is being slowly abandoned. The SCM space is vibrant, but Arch
won't be here (as an evolving tool) for long. I'm not _that_ sad about
it.

regards,


martin



Re: arch, svn, cvs (was: Bug#323855: ITP: opencvs -- OpenBSD CVS implementation with special emphasis in security)

2005-08-22 Thread Amaya
Daniel Stone wrote:
 vim!  emacs!

And my cats looked out to see who was calling them... :)

-- 
 .''`.   Follow the white Rabbit - Ranty (and Lewis Carroll)
: :' :   
`. `'Proudly running Debian GNU/Linux (Sid 2.6.11 Ext3)  
  `- www.amayita.com  www.malapecora.com  www.chicasduras.com





Re: Bug#323855: ITP: opencvs -- OpenBSD CVS implementation with special emphasis in security

2005-08-22 Thread Thomas Bushnell BSG
Daniel Burrows [EMAIL PROTECTED] writes:

 On Saturday 20 August 2005 02:20 pm, Thomas Bushnell BSG wrote:
 How does their extensive use of it explain why they would reimplement
 it?

   Is there anyone who's used CVS extensively and HASN'T thought about 
 reimplementing it?

Sure.  Me, for example.

It has lots of difficulties, but that calls for implementing something
else, not reimplementing CVS.  What's broken with CVS is not the
implementation, but the specification.





Re: Bug#323855: ITP: opencvs -- OpenBSD CVS implementation with special emphasis in security

2005-08-22 Thread Thomas Bushnell BSG
Matthew Palmer [EMAIL PROTECTED] writes:

 On Sun, Aug 21, 2005 at 07:01:37PM -0700, Daniel Burrows wrote:
 On Saturday 20 August 2005 02:20 pm, Thomas Bushnell BSG wrote:
  How does their extensive use of it explain why they would reimplement
  it?
 
   Is there anyone who's used CVS extensively and HASN'T thought about 
 reimplementing it?

 Judging by the number of revision control systems springing up out there,
 I'd say the answer to that question is No, and furthermore most of them
 have gone further than just thinking about it.

Huh?  None of those reimplement cvs, they produce replacements.  arch
and svn and bitkeeper are *not* reimplementations of cvs.





Re: Bug#323855: ITP: opencvs -- OpenBSD CVS implementation with special emphasis in security

2005-08-21 Thread Martin Langhoff
On 8/19/05, Steinar H. Gunderson [EMAIL PROTECTED] wrote:
 I'd love to see people migrating to Arch

Being a long-time Arch user, let me tell you that Arch has been
orphaned upstream. Currently baz is the only version being developed,
and it's unclear for how long, as Canonical has their eyes on bzr and
hct.

Myself, I'm moving my projects quickly to git/cogito. It's proving to
be fast, and better designed than Arch by a garden mile. Currently
writing an Arch to GIT conversion.

Now, for an on-topic comment: CVS is going to be part of the FOSS
infrastructure for a long time to come. OpenCVS sounds like a very
good thing to use if you have to support CVS. Opposing the ITP because
you're using shinier toys is... rude. You package your shiny toys, and
Luciano packages his toy.

cheers,


martin



Re: Bug#323855: ITP: opencvs -- OpenBSD CVS implementation with special emphasis in security

2005-08-21 Thread Matthew Palmer
On Sun, Aug 21, 2005 at 10:05:43PM +1200, Martin Langhoff wrote:
 On 8/19/05, Steinar H. Gunderson [EMAIL PROTECTED] wrote:
  I'd love to see people migrating to Arch
 
 Being a long-time Arch user, let me tell you that Arch has been
 orphaned upstream.

Correction: tla, an Arch frontend, has been orphaned upstream.  Most of the
interesting development work for the past 6 months or so has been on baz,
another Arch frontend.

Saying Arch has been orphaned upstream because of Tom Lord's announcement is
roughly similar to saying that Linux has been orphaned because the 2.0
kernel series is no longer maintained...

 and it's unclear for how long, as Canonical has their eyes on bzr and
 hct.

I'm quite confident that there will be an upgrade path from Arch archives to
bzr archives.  Canonical, amongst other people, have too much invested in
Arch to just let that history fester.  As for hct, I understand it is a
wrapper frontend to baz/bzr to provide the sorts of functionality that
package maintainers need, instead of being a general-purpose revision
control tool.

- Matt




Re: Bug#323855: ITP: opencvs -- OpenBSD CVS implementation with special emphasis in security

2005-08-21 Thread David Weinehall
On Sun, Aug 21, 2005 at 09:11:20PM +1000, Matthew Palmer wrote:
 On Sun, Aug 21, 2005 at 10:05:43PM +1200, Martin Langhoff wrote:
  On 8/19/05, Steinar H. Gunderson [EMAIL PROTECTED] wrote:
   I'd love to see people migrating to Arch
  
  Being a long-time Arch user, let me tell you that Arch has been
  orphaned upstream.
 
 Correction: tla, an Arch frontend, has been orphaned upstream.  Most of the
 interesting development work for the past 6 months or so has been on baz,
 another Arch frontend.
 
 Saying Arch has been orphaned upstream because of Tom Lord's announcement is
 roughly similar to saying that Linux has been orphaned because the 2.0
 kernel series is no longer maintained...

Oh, thanks for the news, I didn't know that.

[snip]


Regards: David
-- 
 /) David Weinehall [EMAIL PROTECTED] /) Rime on my window   (\
//  ~   //  Diamond-white roses of fire //
\)  http://www.acc.umu.se/~tao/(/   Beautiful hoar-frost   (/





Re: Bug#323855: ITP: opencvs -- OpenBSD CVS implementation with special emphasis in security

2005-08-21 Thread martin f krafft
thus spoke Florian Weimer [EMAIL PROTECTED] [2005.08.21.0306 +0200]:
 Uhm, CVS implements RCS, but exposes a different interface.

I don't think this is accurate. CVS uses RCS internally, but
provides its own implementation in case $RCSBIN/$PATH don't contain
the RCS binaries. It does not advertise to support RCS features at
all, nor does it export any of the RCS functionality to the user.

-- 
Please do not send copies of list mail to me; I read the list!
 
 .''`. martin f. krafft [EMAIL PROTECTED]
: :'  :proud Debian developer and author: http://debiansystem.info
`. `'`
  `-  Debian - when you have better things to do than fixing a system
 
Invalid/expired PGP (sub)keys? Use subkeys.pgp.net as keyserver!
 
Most Intelligent Customers Realise Our Software Only Fools Them.




Re: Bug#323855: ITP: opencvs -- OpenBSD CVS implementation with special emphasis in security

2005-08-21 Thread Ron Johnson
On Sat, 2005-08-20 at 14:20 -0700, Thomas Bushnell BSG wrote:
 Javier Fernández-Sanguino Peña [EMAIL PROTECTED] writes:
 
  On Thu, Aug 18, 2005 at 07:31:38PM -0400, Roberto C. Sanchez wrote:
    most popular open source revision control software.
   
   And among the most horrible ones.
   
  Agreed.  Why anyone would bother to reimplement an already existing free
  tool is beyond me.
 
  For several reasons, one being that the BSD folks use CVS extensively, it's
  part of how the ports system (and upgrades) work. 
 
 How does their extensive use of it explain why they would reimplement
 it?

Maybe they like the tool, but think it was implemented poorly?

-- 
-
Ron Johnson, Jr.
Jefferson, LA USA
PGP Key ID 8834C06B I prefer encrypted mail.

In politics, being ridiculous is more damaging than being
extreme.
Roy Hattersley





Re: Bug#323855: ITP: opencvs -- OpenBSD CVS implementation with special emphasis in security

2005-08-21 Thread Daniel Burrows
On Saturday 20 August 2005 02:20 pm, Thomas Bushnell BSG wrote:
 How does their extensive use of it explain why they would reimplement
 it?

  Is there anyone who's used CVS extensively and HASN'T thought about 
reimplementing it?

  Daniel

-- 
/--- Daniel Burrows [EMAIL PROTECTED] --\
|  DROP THE SCYTHE AND TURN AROUND SLOWLY.  |
|-- Terry Pratchett, Reaper Man   |
\ The Turtle Moves! -- http://www.lspace.org ---/




Re: Bug#323855: ITP: opencvs -- OpenBSD CVS implementation with special emphasis in security

2005-08-21 Thread Matthew Palmer
On Sun, Aug 21, 2005 at 07:01:37PM -0700, Daniel Burrows wrote:
 On Saturday 20 August 2005 02:20 pm, Thomas Bushnell BSG wrote:
  How does their extensive use of it explain why they would reimplement
  it?
 
   Is there anyone who's used CVS extensively and HASN'T thought about 
 reimplementing it?

Judging by the number of revision control systems springing up out there,
I'd say the answer to that question is No, and furthermore most of them
have gone further than just thinking about it.

OpenCVS is one of the few to not think and I can make it Suck Less, to
boot.

- Matt




Re: Bug#323855: ITP: opencvs -- OpenBSD CVS implementation with special emphasis in security

2005-08-20 Thread Peter Samuelson

[Romain Francoise]
 Perhaps not.  These days RCS isn't really used as a revision control
 system but as a component in a variety of applications: some are
 related to revision control, some are not (wiki engines, etc).  We
 don't keep it solely for interoperability.

And we don't have multiple implementations of it in Debian, either.
That is the *real* point.




Re: Bug#323855: ITP: opencvs -- OpenBSD CVS implementation with special emphasis in security

2005-08-20 Thread Roland Mas
Peter Samuelson, 2005-08-20 13:50:10 +0200 :

 And we don't have multiple implementations of it in Debian, either.
 That is the *real* point.

Of course, we don't have multiple implementations of a minimal shell
aiming at POSIX compliance.  Or an X server.  Or a light, fast yet
configurable window manager.  Or an FTP server.  Or a tool to tag
collection of MP3 files.

...or do we?

Roland.
-- 
Roland Mas

Plant a radish, get a radish, never any doubt!
  -- Bellamy  Hucklebee, in The Fantasticks





Re: Bug#323855: ITP: opencvs -- OpenBSD CVS implementation with special emphasis in security

2005-08-20 Thread Thomas Bushnell BSG
Javier Fernández-Sanguino Peña [EMAIL PROTECTED] writes:

 On Thu, Aug 18, 2005 at 07:31:38PM -0400, Roberto C. Sanchez wrote:
   most popular open source revision control software.
  
  And among the most horrible ones.
  
 Agreed.  Why anyone would bother to reimplement an already existing free
 tool is beyond me.

 For several reasons, one being that the BSD folks use CVS extensively, it's
 part of how the ports system (and upgrades) work. 

How does their extensive use of it explain why they would reimplement
it?



Re: Bug#323855: ITP: opencvs -- OpenBSD CVS implementation with special emphasis in security

2005-08-20 Thread Thomas Bushnell BSG
Norbert Tretkowski [EMAIL PROTECTED] writes:

 * Luciano Bello wrote:
 I really think that OpenCVS must be part of Debian.

 Agreed.

However, if it has interoperability problems (and they more or less
promise it will), then it must have a different command-line name.





Re: Bug#323855: ITP: opencvs -- OpenBSD CVS implementation with special emphasis in security

2005-08-20 Thread Florian Weimer
* Peter Samuelson:

 [Romain Francoise]
 Perhaps not.  These days RCS isn't really used as a revision control
 system but as a component in a variety of applications: some are
 related to revision control, some are not (wiki engines, etc).  We
 don't keep it solely for interoperability.

 And we don't have multiple implementations of it in Debian, either.
 That is the *real* point.

Uhm, CVS implements RCS, but exposes a different interface.





Re: Bug#323855: ITP: opencvs -- OpenBSD CVS implementation with special emphasis in security

2005-08-19 Thread Javier Fernández-Sanguino Peña
On Thu, Aug 18, 2005 at 07:31:38PM -0400, Roberto C. Sanchez wrote:
   most popular open source revision control software.
  
  And among the most horrible ones.
  
 Agreed.  Why anyone would bother to reimplement an already existing free
 tool is beyond me.

For several reasons, one being that the BSD folks use CVS extensively, it's
part of how the ports system (and upgrades) work. 

 Not only that, but the stated purpose of OpenCVS, AIUI, is to be a
 reimplementation of CVS under the BSD license.  It makes no sense to try
 and have both in Debian.  I also agree with you that there are far
 better alternatives.

It does make sense, there are some features (like CVS syncing, which is 
useful for remote backups) that OpenCVS *might* (I haven't looked) implement
straight out of the box and that the current CVS lacks.

Also notice that some of our services (web pages, documentation project)
use CVS and will do so for a long time. Having a CVS server available to
switch to if a security issue in the current standard CVS server is found
is something that would be useful to prevent downtime of those services
if the debian admins have to switch them off.

I say go for it.

Javier




Re: Bug#323855: ITP: opencvs -- OpenBSD CVS implementation with special emphasis in security

2005-08-19 Thread martin f krafft
thus spoke Javier Fernández-Sanguino Peña [EMAIL PROTECTED] [2005.08.19.1136 +0200]:
 Also notice that some of our services (web pages, documentation
 project) use CVS and will do so for a long time. Having a CVS
 server available to switch to if a security issue in the current
 standard CVS server is found is something that would be useful to
 prevent downtime of those services if the debian admins have to
 switch them off.

So instead of preparing the package, I suggest investing the time to
migrate projects from CVS to SVN or bazaar instead.

-- 
Please do not send copies of list mail to me; I read the list!
 
 .''`. martin f. krafft [EMAIL PROTECTED]
: :'  :proud Debian developer and author: http://debiansystem.info
`. `'`
  `-  Debian - when you have better things to do than fixing a system
 
Invalid/expired PGP (sub)keys? Use subkeys.pgp.net as keyserver!
 
a scientist once wrote that all truth passes through three stages:
 first it is ridiculed, then violently opposed and eventually,
 accepted as self-evident.
   -- schopenhauer




Re: Bug#323855: ITP: opencvs -- OpenBSD CVS implementation with special emphasis in security

2005-08-19 Thread Adeodato Simó
* martin f krafft [Fri, 19 Aug 2005 00:54:45 +0200]:

 I oppose to this ITP for the single reason that CVS should be faded
 out and its users starved and deprived and forced towards SVN and
 bazaar! Har har har!

  I don't see opencvs failing to meet any of the requirements of Policy
  2.2.1, or other common-sense criteria that is usually applied to ITPs
  in this list, so I think this ITP can go on.

  I'm told on IRC that the above was meant as a personal opinion. I
  think it would've been nice to point that out; perhaps others
  disagree, but I oppose to this ITP seems like strong wording to me.

* martin f krafft [Fri, 19 Aug 2005 11:41:16 +0200]:

 So instead of preparing the package, I suggest investing the time to
 migrate projects from CVS to SVN or bazaar instead.

  FWIW, that instead of is killing me, but perhaps it's just me being
  overly sensitive this morning. Please excuse me.

-- 
Adeodato Simó
EM: asp16 [ykwim] alu.ua.es | PK: DA6AE621
 
The problem I have with making an intelligent statement is that some
people then think that it's not an isolated occurrance.
-- Simon Travaglia





Re: Bug#323855: ITP: opencvs -- OpenBSD CVS implementation with special emphasis in security

2005-08-19 Thread Steinar H. Gunderson
On Fri, Aug 19, 2005 at 11:41:16AM +0200, martin f krafft wrote:
 So instead of preparing the package, I suggest investing the time to
 migrate projects from CVS to SVN or bazaar instead.

I'd love to see people migrating to Arch (and you get the added benefit of
GPG-signed commit, if you want to talk from a security-related perspective),
but making a more secure CVS (if they really manage to do that) will probably
be a _lot_ easier than migrating the entire world to Arch, and thus give
increased security quite a lot in the meantime. (Of course, that is given
that everybody migrates to it, but if it's a drop-in replacement people
probably will...)

/* Steinar */
-- 
Homepage: http://www.sesse.net/





Re: Bug#323855: ITP: opencvs -- OpenBSD CVS implementation with special emphasis in security

2005-08-19 Thread martin f krafft
thus spoke Steinar H. Gunderson [EMAIL PROTECTED] [2005.08.19.1306 +0200]:
 a security-related perspective), but making a more secure CVS (if
 they really manage to do that) will probably be a _lot_ easier

... it's already been done, kind of: Subversion.

-- 
Please do not send copies of list mail to me; I read the list!
 
 .''`. martin f. krafft [EMAIL PROTECTED]
: :'  :proud Debian developer and author: http://debiansystem.info
`. `'`
  `-  Debian - when you have better things to do than fixing a system
 
Invalid/expired PGP (sub)keys? Use subkeys.pgp.net as keyserver!
 
the moon is like ducks
you have to like petting cats
to want to go there.




Re: Bug#323855: ITP: opencvs -- OpenBSD CVS implementation with special emphasis in security

2005-08-19 Thread Pierre Habouzit
On Fri 19 Aug 2005 11:36, Javier Fernández-Sanguino Peña wrote:
 Also notice that some of our services (web pages, documentation
 project) use CVS and will do so for a long time. Having a CVS server
 available to switch to if a security issue in the current standard
 CVS server is found is something that would be useful to prevent
 downtime of those services if the debian admins have to switch them
 off.

 I say go for it.

seconded.

moreover, there are a lot of *nix users who use CVS because they don't 
want to use anything else (whatever the good or bad reasons are) and 
who impose on their sysadmin to secure the CVS server ...

if we can make that task easier, let's do it.

-- 
·O·  Pierre Habouzit
··O[EMAIL PROTECTED]
OOOhttp://www.madism.org




arch, svn, cvs (was: Bug#323855: ITP: opencvs -- OpenBSD CVS implementation with special emphasis in security)

2005-08-19 Thread Marc Haber
On Fri, 19 Aug 2005 13:06:49 +0200, Steinar H. Gunderson
[EMAIL PROTECTED] wrote:
I'd love to see people migrating to Arch

Compared to SVN from the view of somebody who is acquainted with CVS,
arch sucks badly. I tend to agree with most of the things that Florian
Weimer lists on http://www.enyo.de/fw/software/arch/design-issues.html

Greetings
Marc

-- 
-- !! No courtesy copies, please !! -
Marc Haber |Questions are the | Mail address in header
Mannheim, Germany  | Beginning of Wisdom  | http://www.zugschlus.de/
Nordisch by Nature | Lt. Worf, TNG Rightful Heir | Fon: *49 621 72739834



Re: arch, svn, cvs (was: Bug#323855: ITP: opencvs -- OpenBSD CVS implementation with special emphasis in security)

2005-08-19 Thread martin f krafft
thus spoke Marc Haber [EMAIL PROTECTED] [2005.08.19.1422 +0200]:
 Compared to SVN from the view of somebody who is acquainted with CVS,
 arch sucks badly. I tend to agree with most of the things that Florian
 Weimer lists on http://www.enyo.de/fw/software/arch/design-issues.html

I won't go through the trouble to compile the extensive list of
problems and design issues with SVN.

-- 
Please do not send copies of list mail to me; I read the list!
 
 .''`. martin f. krafft [EMAIL PROTECTED]
: :'  :proud Debian developer and author: http://debiansystem.info
`. `'`
  `-  Debian - when you have better things to do than fixing a system
 
Invalid/expired PGP (sub)keys? Use subkeys.pgp.net as keyserver!
 
memory is like an orgasm.
 it's a lot better
 if you don't have to fake it.
  -- seymour cray commenting on virtual memory
 
but virtual memory still gets the job done.
 -- gr




Re: arch, svn, cvs (was: Bug#323855: ITP: opencvs -- OpenBSD CVS implementation with special emphasis in security)

2005-08-19 Thread Daniel Stone
On Fri, Aug 19, 2005 at 02:33:31PM +0200, martin f krafft wrote:
 thus spoke Marc Haber [EMAIL PROTECTED] [2005.08.19.1422 +0200]:
  Compared to SVN from the view of somebody who is acquainted with CVS,
  arch sucks badly. I tend to agree with most of the things that Florian
  Weimer lists on http://www.enyo.de/fw/software/arch/design-issues.html
 
 I won't go through the trouble to compile the extensive list of
 problems and design issues with SVN.

vim!  emacs!

zsh!  bash!  something else!





Re: arch, svn, cvs (was: Bug#323855: ITP: opencvs -- OpenBSD CVS implementation with special emphasis in security)

2005-08-19 Thread martin f krafft
thus spoke Marc Haber [EMAIL PROTECTED] [2005.08.19.1422 +0200]:
 Compared to SVN from the view of somebody who is acquainted with CVS,
 arch sucks badly. I tend to agree with most of the things that Florian
 Weimer lists on http://www.enyo.de/fw/software/arch/design-issues.html

Looking over the list, I primarily note that it's about arch/tla.
When we speak about arch these days, we mean baz. And that takes
care of a lot of the concerns that Florian raises.

And while baz is also not perfect, it does at the very least serve
as a good lab for the development of bazaar-ng.

-- 
Please do not send copies of list mail to me; I read the list!
 
 .''`. martin f. krafft [EMAIL PROTECTED]
: :'  :proud Debian developer and author: http://debiansystem.info
`. `'`
  `-  Debian - when you have better things to do than fixing a system
 
Invalid/expired PGP (sub)keys? Use subkeys.pgp.net as keyserver!
 
there is always some madness in love.
 but there is also always some reason in madness.
 - friedrich nietzsche




Re: arch, svn, cvs (was: Bug#323855: ITP: opencvs -- OpenBSD CVS implementation with special emphasis in security)

2005-08-19 Thread Steinar H. Gunderson
On Fri, Aug 19, 2005 at 02:22:26PM +0200, Marc Haber wrote:
 Compared to SVN from the view of somebody who is acquainted with CVS,
 arch sucks badly. I tend to agree with most of the things that Florian
 Weimer lists on http://www.enyo.de/fw/software/arch/design-issues.html

Note that it's over a year old, and seems to apply to tla 1.2. Many of the
issues are handled with tla 1.3 and baz, but of course, far from all.

I see the point of not turning this into an RCS flamewar, though :-)

/* Steinar */
-- 
Homepage: http://www.sesse.net/





Re: Bug#323855: ITP: opencvs -- OpenBSD CVS implementation with special emphasis in security

2005-08-19 Thread Javier Fernández-Sanguino Peña
On Fri, Aug 19, 2005 at 11:41:16AM +0200, martin f krafft wrote:
 So instead of preparing the package, I suggest investing the time to
 migrate projects from CVS to SVN or bazaar instead.

I'd rather waste my limited time doing more useful things. Besides, you
can't compare the migration of a CVS project to the packaging of
a tool. Completely different tasks that require vastly different
amounts of time. Especially if it is used extensively and is part of
the OS development (like it is in the BSD camp).

Regards

Javier




Re: Bug#323855: ITP: opencvs -- OpenBSD CVS implementation with special emphasis in security

2005-08-19 Thread Luciano Bello
On Fri, 2005-08-19 at 11:41 +0200, martin f krafft wrote:
 So instead of preparing the package, I suggest investing the time to
 migrate projects from CVS to SVN or bazaar instead.

Beyond the description of the program (from the website), OpenCVS is
simply another option at the time of implementing a CVS solution. It
puts emphasis in security and lose some features in order to this
priority. Maybe this can be useful for some Debian user in particular.
Maybe not, it's the user's choice, like GNOME/KDE, vi/emacs,
evolution/thunderbird, etc/etc.

I really think that OpenCVS must be part of Debian. And I will work in
it, unless somebody has a *really_reasonable_objection*.

Like always, sorry for my English.

-- 
Luciano Bello [EMAIL PROTECTED]





Re: Bug#323855: ITP: opencvs -- OpenBSD CVS implementation with special emphasis in security

2005-08-19 Thread Michael Poole
Luciano Bello writes:

 On Fri, 2005-08-19 at 11:41 +0200, martin f krafft wrote:
 So instead of preparing the package, I suggest investing the time to
 migrate projects from CVS to SVN or bazaar instead.

 Beyond the description of the program (from the website), OpenCVS is
 simply another option at the time of implementing a CVS solution. It
 puts emphasis in security and lose some features in order to this
 priority. Maybe this can be useful for some Debian user in particular.
 Maybe not, it's the user's choice, like GNOME/KDE, vi/emacs,
 evolution/thunderbird, etc/etc.

 I really think that OpenCVS must be part of Debian. And I will work in
 it, unless somebody has a *really_reasonable_objection*.

The project page states it will break compatibility with the currently
deployed version of CVS as they deem necessary.  People in this thread
have listed some of the known and severe problems with CVS as compared
to real revision control systems.  OpenCVS has not yet identified any
specific problem (except the GPL) that the project would address.

Intentional incompatibility, designed-in misfeatures, and NIHness do
not make for useful software.  What benefit does it bring Debian's
users, or what benefit does it being in Debian bring to the larger
free software community?

Michael Poole





Re: Bug#323855: ITP: opencvs -- OpenBSD CVS implementation with special emphasis in security

2005-08-19 Thread Alec Berryman
Michael Poole on 2005-08-19 10:32:27 -0400:

 OpenCVS has not yet identified any specific problem (except the GPL)
 that the project would address.

It has indeed.  GNU CVS has a poor security record; OpenCVS plans not
to.

It should be noted that OpenCVS has not been released, OpenBSD still
uses GNU CVS, and there is not a non-OpenBSD-specific version
available yet (as with OpenSSH, OpenNTPD, and other OpenBSD
projects).




Re: Bug#323855: ITP: opencvs -- OpenBSD CVS implementation with special emphasis in security

2005-08-19 Thread Michael Poole
Alec Berryman writes:

 Michael Poole on 2005-08-19 10:32:27 -0400:

 OpenCVS has not yet identified any specific problem (except the GPL)
 that the project would address.

 It has indeed.  GNU CVS has a poor security record; OpenCVS plans not
 to.

What part of specific was unclear?  I could plan to write an OS with
no security issues, but that is far from actually delivering such a
thing or identifying what flaws would go away.  Besides, rewriting
software to fix security bugs while ignoring that same software's
gaping design flaws is short-sighted.

Michael Poole





Re: Bug#323855: ITP: opencvs -- OpenBSD CVS implementation with special emphasis in security

2005-08-19 Thread Russ Allbery
martin f krafft [EMAIL PROTECTED] writes:
 Javier Fernández-Sanguino Peña [EMAIL PROTECTED] writes:

 Also notice that some of our services (web pages, documentation
 project) use CVS and will do so for a long time. Having a CVS server
 available to switch to if a security issue in the current standard CVS
 server is found is something that would be useful to prevent downtime
 of those services if the debian admins have to switch them off.

 So instead of preparing the package, I suggest investing the time to
 migrate projects from CVS to SVN or bazaar instead.

We still package RCS, and for good reason.

*If* it's an improved version of CVS, I think it's still a good idea to
package it.  A lot of us still use CVS for various reasons, ranging from
familiarity with CVS on the part of people who don't like change, use of
CVS revision numbers as a cheap versioning system with simple repositories
that don't need good branching and tagging, use of CVS repositories in a
shared file system like AFS (which Subversion does not handle well),
interacting with other open source projects that use CVS, or just out of
pure inertia.

I don't think it's not a good revision control system is a good reason
to refuse the package, for exactly the same reason that Debian still
packages a telnet client even though everyone really should be using SSH.
Switching to Subversion requires more than individual action on the part
of one person, and therefore isn't always possible even if it's a good
idea.

-- 
Russ Allbery ([EMAIL PROTECTED]) http://www.eyrie.org/~eagle/




Re: Bug#323855: ITP: opencvs -- OpenBSD CVS implementation with special emphasis in security

2005-08-19 Thread Norbert Tretkowski
* Luciano Bello wrote:
 I really think that OpenCVS must be part of Debian.

Agreed.

 And I will work in it, unless somebody has a
 *really_reasonable_objection*.

Go for it.

Norbert





Re: Bug#323855: ITP: opencvs -- OpenBSD CVS implementation with special emphasis in security

2005-08-19 Thread Stefan Hornburg
On Fri, 19 Aug 2005 09:39:49 -0700
Russ Allbery [EMAIL PROTECTED] wrote:

 martin f krafft [EMAIL PROTECTED] writes:
  Javier Fernández-Sanguino Peña [EMAIL PROTECTED] writes:
 
  Also notice that some of our services (web pages, documentation
  project) use CVS and will do so for a long time. Having a CVS server
  available to switch to if a security issue in the current standard CVS
  server is found is something that would be useful to prevent downtime
  of those services if the debian admins have to switch them off.
 
  So instead of preparing the package, I suggest investing the time to
  migrate projects from CVS to SVN or bazaar instead.
 
 We still package RCS, and for good reason.
 
 *If* it's an improved version of CVS, I think it's still a good idea to
 package it.  A lot of us still use CVS for various reasons, ranging from
 familiarity with CVS on the part of people who don't like change, use of
 CVS revision numbers as a cheap versioning system with simple repositories
 that don't need good branching and tagging, use of CVS repositories in a
 shared file system like AFS (which Subversion does not handle well),
 interacting with other open source projects that use CVS, or just out of
 pure inertia.
 
 I don't think "it's not a good revision control system" is a good reason
 to refuse the package, for exactly the same reason that Debian still
 packages a telnet client even though everyone really should be using SSH.
 Switching to Subversion requires more than individual action on the part
 of one person, and therefore isn't always possible even if it's a good
 idea.

There is a really good reason to have telnet *client* on board, and that
is accessing IMAP / SMTP etc. servers for testing purposes.

Bye
Racke


-- 
Debian maintainer of Courier, Pure-FTPd, Interchange, Sympa

LinuXia Systems = http://www.linuxia.de/
Expert Interchange Consulting and System Administration



Re: Bug#323855: ITP: opencvs -- OpenBSD CVS implementation with special emphasis in security

2005-08-19 Thread Russ Allbery
Stefan Hornburg [EMAIL PROTECTED] writes:
 Russ Allbery [EMAIL PROTECTED] wrote:

 I don't think "it's not a good revision control system" is a good
 reason to refuse the package, for exactly the same reason that Debian
 still packages a telnet client even though everyone really should be
 using SSH.  Switching to Subversion requires more than individual
 action on the part of one person, and therefore isn't always possible
 even if it's a good idea.

 There is a really good reason to have telnet *client* on board, and that
 is accessing IMAP / SMTP etc. servers for testing purposes.

You don't need a *telnet* client for that, just something like netcat.
telnet doesn't actually speak the telnet protocol to ports other than the
telnet port.  But yeah, that wasn't a great example.  :)

A better example would be that Debian packages traditional rsh and rlogin
clients, which are far more obsolete than CVS is but which some sites
still need for interoperability with legacy systems and configurations.
Or just the example of RCS, which is probably the most to the point.  Or
uuencode (shouldn't everyone use base64?), or sharutils (shouldn't
everyone use tar?), or

There are good reasons to keep shipping implementations of software that
some people consider obsolete.  The technology world sometimes doesn't
move as fast as we would all like, and sometimes there are good reasons to
keep using an older method (if for no other reason than that it works and
there's no good reason, in that particular case, to change).

-- 
Russ Allbery ([EMAIL PROTECTED]) http://www.eyrie.org/~eagle/





Re: Bug#323855: ITP: opencvs -- OpenBSD CVS implementation with special emphasis in security

2005-08-19 Thread Andreas Metzler
Stefan Hornburg [EMAIL PROTECTED] wrote:
[...]
 There is a really good reason to have telnet *client* on board, and that
 is accessing IMAP / SMTP etc. servers for testing purposes.

beside the point
FWIW I do prefer gnutls-cli for that purpose, as it supports STARTTLS.
;-)
/
 cu andreas
-- 
See, I told you they'd listen to Reason, [SPOILER] Svfurlr fnlf,
fuhggvat qbja gur juveyvat tha.
Neal Stephenson in Snow Crash
   http://downhill.aus.cc/





Re: arch, svn, cvs (was: Bug#323855: ITP: opencvs -- OpenBSD CVS implementation with special emphasis in security)

2005-08-19 Thread Roberto C. Sanchez
On Fri, Aug 19, 2005 at 02:33:31PM +0200, martin f krafft wrote:
 also sprach Marc Haber [EMAIL PROTECTED] [2005.08.19.1422 +0200]:
  Compared to SVN from the view of somebody who is acquainted with CVS,
  arch sucks badly. I tend to agree with most of the things that Florian
  Weimer lists on http://www.enyo.de/fw/software/arch/design-issues.html
 
 I won't go through the trouble to compile the extensive list of
 problems and design issues with SVN.
 

OK.  Then please just name two or three.  I am genuinely interested.  I
switched from CVS to subversion exclusively for my own use when Sarge
went stable.  I still use CVS occasionally since some projects to which
I contribute use CVS (e.g., on sourceforge).

-Roberto

-- 
Roberto C. Sanchez
http://familiasanchez.net/~roberto




Re: Bug#323855: ITP: opencvs -- OpenBSD CVS implementation with special emphasis in security

2005-08-19 Thread Jaakko Niemi
On Fri, 19 Aug 2005, Alec Berryman wrote:
 It has indeed.  GNU CVS has a poor security record; OpenCVS plans not
 to.

 Just like with OpenSSH?  Sorry, could not resist..

--j





Re: Bug#323855: ITP: opencvs -- OpenBSD CVS implementation with special emphasis in security

2005-08-19 Thread Florian Weimer
* Roberto C. Sanchez:

 There is a good reason that CVS development has stagnated.  CVS is
 broken and there are better alternatives.

Some people say it's its rotten codebase.  A rewrite from scratch
hasn't got this problem.  The RCS-based file format isn't too bad and
optimizes for some common (access to recent version) and
not-so-common (annotate) operations.  (Try annotate with cogito..)

I welcome an OpenCVS package, subject to two conditions: The
description should describe the virtues of the package, and not
dismiss GNU CVS as bad.  And it should not provide cvs unless
permanent compatibility is a goal, including the command line
switches.





Re: Bug#323855: ITP: opencvs -- OpenBSD CVS implementation with special emphasis in security

2005-08-19 Thread Romain Francoise
Russ Allbery [EMAIL PROTECTED] writes:

 Or just the example of RCS, which is probably the most to the point.

Perhaps not.  These days RCS isn't really used as a revision control
system but as a component in a variety of applications: some are related
to revision control, some are not (wiki engines, etc).  We don't keep it
solely for interoperability.

-- 
  ,''`.
 : :' :Romain Francoise [EMAIL PROTECTED]
 `. `' http://people.debian.org/~rfrancoise/
   `-





OT: Re: arch, svn, cvs (was: Bug#323855: ITP: opencvs -- OpenBSD CVS implementation with special emphasis in security)

2005-08-19 Thread Adam Heath
On Fri, 19 Aug 2005, Daniel Stone wrote:

 On Fri, Aug 19, 2005 at 02:33:31PM +0200, martin f krafft wrote:
  also sprach Marc Haber [EMAIL PROTECTED] [2005.08.19.1422 +0200]:
   Compared to SVN from the view of somebody who is acquainted with CVS,
   arch sucks badly. I tend to agree with most of the things that Florian
   Weimer lists on http://www.enyo.de/fw/software/arch/design-issues.html
 
  I won't go through the trouble to compile the extensive list of
  problems and design issues with SVN.

 vim!  emacs!

 zsh!  bash!  something else!

apt! rpm!

<shudder>autopackage</shudder>





Bug#323855: ITP: opencvs -- OpenBSD CVS implementation with special emphasis in security

2005-08-18 Thread Luciano Bello
Package: wnpp
Severity: wishlist
Owner: Luciano Bello [EMAIL PROTECTED]

* Package name: opencvs
  Version : unknown, possible release: 1st Sep
  Upstream Author : Jean-François Brousseau [EMAIL PROTECTED]
* URL : http://www.opencvs.org/
* License : BSD
  Description : OpenBSD CVS implementation with special emphasis in security

OpenCVS is a FREE implementation of the Concurrent Versions System, the
most popular open source revision control software. It can be used as
both client and server for repositories and provides granular access
control over data stored in the repository. It aims to be as compatible
as possible with other CVS implementations, except when particular
features reduce the overall security of the system.

The OpenCVS project was started after discussions regarding the latest
GNU CVS vulnerabilities that came out. Although CVS is widely used, its
development has been mostly stagnant in the last years and many security
issues have popped up, both in the implementation and in the mechanisms.

OpenCVS is primarily developed by Jean-François Brousseau as part of the
OpenBSD Project. The software is freely usable and re-usable by everyone
under a BSD license. 


-- System Information:
Debian Release: testing/unstable
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.10-1-686-smp
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)





Re: Bug#323855: ITP: opencvs -- OpenBSD CVS implementation with special emphasis in security

2005-08-18 Thread martin f krafft
also sprach Luciano Bello [EMAIL PROTECTED] [2005.08.18.2350 +0200]:
 OpenCVS is a FREE implementation of the Concurrent Versions System, the

What's non-free about the current implementation?

 most popular open source revision control software.

And among the most horrible ones.

I oppose this ITP for the single reason that CVS should be faded
out and its users starved and deprived and forced towards SVN and
bazaar! Har har har!

-- 
Please do not send copies of list mail to me; I read the list!
 
 .''`. martin f. krafft [EMAIL PROTECTED]
: :'  :proud Debian developer and author: http://debiansystem.info
`. `'`
  `-  Debian - when you have better things to do than fixing a system
 
Invalid/expired PGP (sub)keys? Use subkeys.pgp.net as keyserver!
 
it has been said that there are only two businesses
that refer to customers as users:
illegal drug trade and the computer industry.




Re: Bug#323855: ITP: opencvs -- OpenBSD CVS implementation with special emphasis in security

2005-08-18 Thread Roberto C. Sanchez
On Fri, Aug 19, 2005 at 12:54:45AM +0200, martin f krafft wrote:
 also sprach Luciano Bello [EMAIL PROTECTED] [2005.08.18.2350 +0200]:
  OpenCVS is a FREE implementation of the Concurrent Versions System, the
 
 What's non-free about the current implementation?
 
I think that the original implementation was not free enough for the
OpenBSD folks.  

  most popular open source revision control software.
 
 And among the most horrible ones.
 
Agreed.  Why anyone would bother to reimplement an already existing free
tool is beyond me.

 I oppose this ITP for the single reason that CVS should be faded
 out and its users starved and deprived and forced towards SVN and
 bazaar! Har har har!

Not only that, but the stated purpose of OpenCVS, AIUI, is to be a
reimplementation of CVS under the BSD license.  It makes no sense to try
and have both in Debian.  I also agree with you that there are far
better alternatives.

-Roberto

-- 
Roberto C. Sanchez
http://familiasanchez.net/~roberto




Re: Bug#323855: ITP: opencvs -- OpenBSD CVS implementation with special emphasis in security

2005-08-18 Thread Roberto C. Sanchez
On Thu, Aug 18, 2005 at 06:50:47PM -0300, Luciano Bello wrote:
 Package: wnpp
 Severity: wishlist
 Owner: Luciano Bello [EMAIL PROTECTED]
 
 * Package name: opencvs
   Version : unknown, possible release: 1st Sep
   Upstream Author : Jean-François Brousseau [EMAIL PROTECTED]
 * URL : http://www.opencvs.org/
 * License : BSD
   Description : OpenBSD CVS implementation with special emphasis in 
 security
 
 OpenCVS is a FREE implementation of the Concurrent Versions System, the
 most popular open source revision control software. It can be used as
 both client and server for repositories and provides granular access
 control over data stored in the repository. It aims to be as compatible
 as possible with other CVS implementations, except when particular
 features reduce the overall security of the system.
 
 The OpenCVS project was started after discussions regarding the latest
 GNU CVS vulnerabilities that came out. Although CVS is widely used, its
 development has been mostly stagnant in the last years and many security
 issues have popped up, both in the implementation and in the mechanisms.
 

There is a good reason that CVS development has stagnated.  CVS is
broken and there are better alternatives.  Please look into those.

-Roberto

-- 
Roberto C. Sanchez
http://familiasanchez.net/~roberto

