On Mon, Apr 27, 2020 at 07:24:30PM +0000, Thomas Mueller wrote:
> > > Then what will be the primary way to track NetBSD src and pkgsrc trees?
>
> > > Now it's CVS, mirrored to git. What will replace CVS, will it be git,
> > > hg, or something else, and will it be in the base system, or will it have
> > > to be built or pkg_add'ed from pkgsrc?
>
> > > Is it a matter of CVS being less secure? I see that OpenBSD, the great
> > > security-minded OS, still uses CVS, mirrored on Github.
>
> > Hi Thomas,
>
> > The main motivation to move away from CVS is that it's lacking in
> > features. The plan so far is to move to Mercurial, and not have it in
> > base. "Bootstrapping" is still possible using tarballs.
>
> > While I would hesitate to connect to a malicious CVS server, I don't see
> > a reason to suspect CVS is significantly worse than Git-over-SSH, for
> > example. A lot of the security in CVS relies on the SSH implementation.
>
> Git is much more widely used than Mercurial, as far as I can see.
>
> I have never been to a repository where Mercurial was the only or primary VCS.
>
> I've built and installed git from ports (FreeBSD) and pkgsrc (NetBSD), but
> never Mercurial.
>
> If a Mercurial repository/archive is bootstrapped from a tarball, how is it
> updated?
>
> FreeBSD switched from cvsup and csup to svn in summer 2012 due to a security
> breach.
>
> The full svn is not in FreeBSD base system; base system has an optional
> svnlite, which I decline in favor of building the devel/subversion port,
> which I have done in both FreeBSD (ports) and NetBSD (pkgsrc).

This is an old discussion. If you are interested in this, read the
archives of the tech-repository mailing list.

https://mail-index.netbsd.org/tech-repository/tindex.html

Short version: we're migrating to hg, it goes slowly, but progress is
made.

Cheers,
 Thomas
