Current-Users archive

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]

Re: 5 days old?

On Mon, Apr 27, 2020 at 07:24:30PM +0000, Thomas Mueller wrote:
> > > Then what will be the primary way to track NetBSD src and pkgsrc trees?
> > > Now it's CVS, mirrored to git.  What will replace CVS, will it be git, hg, or something else, and will it be in the base system, or will it have to be built or pkg_add'ed from pkgsrc?
> > > Is it a matter of CVS being less secure?  I see that OpenBSD, the great security-minded OS, still uses CVS, mirrored on Github.
> > Hi Thomas,
> > The main motivation to move away from CVS is that it's lacking in
> > features. The plan so far is to move to Mercurial, and not have it in
> > base. "Bootstrapping" is still possible using tarballs.
> > While I would hesitate to connect to a malicious CVS server, I don't see
> > a reason to suspect CVS is significantly worse than Git-over-SSH, for
> > example. A lot of the security in CVS relies on the SSH implementation.
> Git is much more widely used than Mercurial, as far as I can see.
> I have never been to a repository where Mercurial was the only or primary VCS.
> I've built and installed git from ports (FreeBSD) and pkgsrc (NetBSD), but never Mercurial.
> If a Mercurial repository/archive is bootstrapped from a tarball, how is it updated?
> FreeBSD switched from cvsup and csup to svn in summer 2012 due to a security breach.
> The full svn is not in FreeBSD base system; base system has an optional svnlite, which I decline in favor of building the devel/subversion port, which I have done in both FreeBSD (ports) and NetBSD (pkgsrc).

This is an old discussion. If you are interested in this, read the
archives of the tech-repository mailing list.

Short version: we're migrating to hg, it goes slowly, but progress is


Home | Main Index | Thread Index | Old Index