Re: FreeBSD needs Git to ensure repo integrity [was: 2012 incident]

On Mon, Nov 19, 2012 at 07:08:13PM -0800, Zach Leslie wrote: > > http://www.fossil-scm.org/ > > > > I'm not fossil user, but it's BSD licensed in written in C. > > Baptise Daroussin probably could tell us more about fossil pro and cons. > > This misses one of of the main points raised in the orig

Re: FreeBSD needs Git to ensure repo integrity [was: 2012 incident]

Zach Leslie wrote: >> http://www.fossil-scm.org/ l >> >> I'm not fossil user, but it's BSD licensed in written in C. >Also, this particular tool bails out on the unix philosophy, with its >web >gui, ticket tracker etc. Do one thing. Do it well. I would argue that git bails on that as well, b

Re: FreeBSD needs Git to ensure repo integrity [was: 2012 incident]

On 19 November 2012 22:04, Zach Leslie wrote: > I've always been confused by this. Which source repo is the true source > of truth? This changed a few months ago when ports and doc switched. As of now: - SVN is *the* source of truth. - CVS is exported from svn. It will eventually go away - g

Re: FreeBSD needs Git to ensure repo integrity [was: 2012 incident]

> http://www.fossil-scm.org/ > > I'm not fossil user, but it's BSD licensed in written in C. > Baptise Daroussin probably could tell us more about fossil pro and cons. This misses one of of the main points raised in the original post. The proliferation of git as a revision control system. Also,

Re: FreeBSD needs Git to ensure repo integrity [was: 2012 incident]

> There's a git repository. It's public. You can look at what goes into > the FreeBSD git clone to get your assurance that things aren't being > snuck in. People are using it, right now. I've always been confused by this. Which source repo is the true source of truth? To obtain the FreeBSD sourc

Re: FreeBSD needs Git to ensure repo integrity [was: 2012 incident]

According to C. P. Ghost on Mon, Nov 19, 2012 at 02:10:40PM +0100: > Even if it was BSD licensed, Mercurial has a huge dependency: > Python; > and Git is Perl-based. So neither of them is ideal, IMHO. Nope, git is almost all C even though some other tools relying on git are in Perl. > If at

Re: FreeBSD needs Git to ensure repo integrity [was: 2012 incident]

http://www.fossil-scm.org/ I'm not fossil user, but it's BSD licensed in written in C. Baptise Daroussin probably could tell us more about fossil pro and cons. -- Regards, Alexander Yerenkow ___ freebsd-hackers@freebsd.org mailing list http://lists.fr

Re: FreeBSD needs Git to ensure repo integrity [was: 2012 incident]

On Mon, Nov 19, 2012 at 1:47 PM, Volodymyr Kostyrko wrote: > 19.11.2012 14:34, Ivan Voras wrote: >> >> On 17/11/2012 22:48, Chris Rees wrote: >> >>> (and is GPL btw) >> >> >> Since we're discussing it, Mercurial is BSDL-ed, and apparently has >> proper crypto signing using GPG: >> >> >> http://mer

Re: FreeBSD needs Git to ensure repo integrity [was: 2012 incident]

On Mon, Nov 19, 2012 at 5:10 AM, C. P. Ghost wrote: > On Mon, Nov 19, 2012 at 1:47 PM, Volodymyr Kostyrko > wrote: > > 19.11.2012 14:34, Ivan Voras wrote: > >> > >> On 17/11/2012 22:48, Chris Rees wrote: > >> > >>> (and is GPL btw) > >> > >> > >> Since we're discussing it, Mercurial is BSDL-ed,

Re: FreeBSD needs Git to ensure repo integrity [was: 2012 incident]

on 19/11/2012 15:08 Chris Rees said the following: > > On 19 Nov 2012 13:05, "Andriy Gapon" > > wrote: >> >> on 18/11/2012 16:17 Chris Rees said the following: >> > On 18 November 2012 14:04, Adrian Chadd > wrote: >> >> On 18 November 2012 02:4

Re: FreeBSD needs Git to ensure repo integrity [was: 2012 incident]

on 19/11/2012 03:53 Nathan Whitehorn said the following: > git would be a huge step backward from svn for the central repo in lots of > ways. Dramatic statements ("huge", "lots") require dramatic evidence. > Besides being (in my experience) extremely fragile and error-prone and the Ditto ("extr

Re: FreeBSD needs Git to ensure repo integrity [was: 2012 incident]

On 19 Nov 2012 13:05, "Andriy Gapon" wrote: > > on 18/11/2012 16:17 Chris Rees said the following: > > On 18 November 2012 14:04, Adrian Chadd wrote: > >> On 18 November 2012 02:48, Andriy Gapon wrote: > >> > >>> What you describe is not a workflow issue, but a local development > >>> environmen

Re: FreeBSD needs Git to ensure repo integrity [was: 2012 incident]

on 18/11/2012 16:17 Chris Rees said the following: > On 18 November 2012 14:04, Adrian Chadd wrote: >> On 18 November 2012 02:48, Andriy Gapon wrote: >> >>> What you describe is not a workflow issue, but a local development >>> environment(s) setup issue. >> >> Which is a workflow issue. >> >> I

Re: FreeBSD needs Git to ensure repo integrity [was: 2012 incident]

On 19/11/2012 13:47, Volodymyr Kostyrko wrote: > 19.11.2012 14:34, Ivan Voras wrote: >> On 17/11/2012 22:48, Chris Rees wrote: >> >>> (and is GPL btw) >> >> Since we're discussing it, Mercurial is BSDL-ed, and apparently has >> proper crypto signing using GPG: >> >> http://mercurial.selenic.com/wik

Re: FreeBSD needs Git to ensure repo integrity [was: 2012 incident]

On Mon, Nov 19, 2012 at 4:34 AM, Ivan Voras wrote: > On 17/11/2012 22:48, Chris Rees wrote: > > > (and is GPL btw) > > Since we're discussing it, Mercurial is BSDL-ed, and apparently has > proper crypto signing using GPG: > > > http://mercurial.selenic.com/wiki/FAQ#FAQ.2FTechnicalDetails.How_do_M

Re: FreeBSD needs Git to ensure repo integrity [was: 2012 incident]

19.11.2012 14:34, Ivan Voras wrote: On 17/11/2012 22:48, Chris Rees wrote: (and is GPL btw) Since we're discussing it, Mercurial is BSDL-ed, and apparently has proper crypto signing using GPG: http://mercurial.selenic.com/wiki/FAQ#FAQ.2FTechnicalDetails.How_do_Mercurial_hashes_get_calculated

Re: FreeBSD needs Git to ensure repo integrity [was: 2012 incident]

On 17/11/2012 22:48, Chris Rees wrote: > (and is GPL btw) Since we're discussing it, Mercurial is BSDL-ed, and apparently has proper crypto signing using GPG: http://mercurial.selenic.com/wiki/FAQ#FAQ.2FTechnicalDetails.How_do_Mercurial_hashes_get_calculated.3F signature.asc Description: Ope

Re: FreeBSD needs Git to ensure repo integrity [was: 2012 incident]

> I won't fail to defend general anti-nym opinion or guidance d-oh, s/defend/defend against/ ___ freebsd-hackers@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-hackers To unsubscribe, send any mail to "freebsd-hackers-unsubscr

Re: FreeBSD needs Git to ensure repo integrity [was: 2012 incident]

>> grarpamp >> the various good uses for nyms. > cpgh...@cordula.ws > I hope you realize whom you're trying to lecture here! > Joerg Wunsch is a highly appreciated long-time FreeBSD contributor Of course. No one here has any question as to anyone's FreeBSD participation. That would be silly :) I

Re: FreeBSD needs Git to ensure repo integrity [was: 2012 incident]

On 11/18/12 01:31, Konstantin Belousov wrote: On Sat, Nov 17, 2012 at 11:05:40PM -0800, Perry Hutchison wrote: [trimmed some of the lists] Chris Rees wrote: ... git doesn't work with our workflow. I'm sure the workflow itself is documented somewhere, but is there a good writeup of _how_ git

Re: FreeBSD needs Git to ensure repo integrity [was: 2012 incident]

On Sun, Nov 18, 2012 at 1:57 AM, Garrett Wollman wrote: >> the various good uses for nyms. > > There are no such uses on the FreeBSD mailing-lists; if you wish for > anyone to pay attention to you, then use a real name. Otherwise, > FOAD. > > -GAWollman It appears you have not reviewed the maili

Re: FreeBSD needs Git to ensure repo integrity [was: 2012 incident]

on 18/11/2012 16:04 Adrian Chadd said the following: > On 18 November 2012 02:48, Andriy Gapon wrote: > >> What you describe is not a workflow issue, but a local development >> environment(s) setup issue. > > Which is a workflow issue. Well, this is what I understand as workflow: google://git w

Re: FreeBSD needs Git to ensure repo integrity [was: 2012 incident]

Why not make few such places? This will be harder to compromise simultenously two or more. Regards, Alexander Yerenkow 18.11.2012 16:13 пользователь "Aldis Berjoza" написал: > > 18.11.2012, 16:10, "Alexander Yerenkow" : > > How about each commit will make a "tweet"? I'm sure > > twitter could ar

Re: FreeBSD needs Git to ensure repo integrity [was: 2012 incident]

On 18 November 2012 14:04, Adrian Chadd wrote: > On 18 November 2012 02:48, Andriy Gapon wrote: > >> What you describe is not a workflow issue, but a local development >> environment(s) setup issue. > > Which is a workflow issue. > > I mean, we could bang heads on semantics for hours on end, or w

Re: FreeBSD needs Git to ensure repo integrity [was: 2012 incident]

On 18 November 2012 09:09, Alexander Yerenkow wrote: > Integrity could be provided by storing some kind of commit ( each, and > additionally each 1000nd full) checksums (even for svn) somewhere on > readonly format. Google "Merkle Tree" for a method of verifying a log. -- Eitan Adler

Re: FreeBSD needs Git to ensure repo integrity [was: 2012 incident]

18.11.2012, 16:10, "Alexander Yerenkow" : > How about each commit will make a "tweet"? I'm sure > twitter could arrange create-records-only (no edit) acount for such project > as FreeBSD is. > This isn't so hard to make, and it's so social :) And you would trust twitter? -- Aldis Berjoza FreeBS

Re: FreeBSD needs Git to ensure repo integrity [was: 2012 incident]

Integrity could be provided by storing some kind of commit ( each, and additionally each 1000nd full) checksums (even for svn) somewhere on readonly format. How about each commit will make a "tweet"? I'm sure twitter could arrange create-records-only (no edit) acount for such project as FreeBSD is

Re: FreeBSD needs Git to ensure repo integrity [was: 2012 incident]

On 18 November 2012 02:48, Andriy Gapon wrote: > What you describe is not a workflow issue, but a local development > environment(s) setup issue. Which is a workflow issue. I mean, we could bang heads on semantics for hours on end, or we can realise that git isn't a magic bullet for FreeBSD dev

Re: FreeBSD needs Git to ensure repo integrity [was: 2012 incident]

on 18/11/2012 10:15 Adrian Chadd said the following: > On 17 November 2012 23:31, Konstantin Belousov wrote: > >> Git would work well with our workflow. It supports the centralized >> repository model, which the project employs right now. > > It may work with your workflow, but it doesn't work w

Re: FreeBSD needs Git to ensure repo integrity [was: 2012 incident]

Hello, Adrian. You wrote 18 ноября 2012 г., 8:55:54: AC> There's a git repository. It's public. You can look at what goes into AC> the FreeBSD git clone to get your assurance that things aren't being AC> snuck in. People are using it, right now. But commits in this repo aren't signed by developer

Re: FreeBSD needs Git to ensure repo integrity [was: 2012 incident]

On 17 Nov 2012, at 23:05, Perry Hutchison wrote: > [trimmed some of the lists] > > Chris Rees wrote: >> ... git doesn't work with our workflow. > > I'm sure the workflow itself is documented somewhere, but is > there a good writeup of _how_ git doesn't work with it, e.g. what > capabilit{y,ies

Re: FreeBSD needs Git to ensure repo integrity [was: 2012 incident]

On 17 November 2012 23:31, Konstantin Belousov wrote: > Git would work well with our workflow. It supports the centralized > repository model, which the project employs right now. It may work with your workflow, but it doesn't work with mine. :-) Right now the source tree isn't very good at bui

Re: FreeBSD needs Git to ensure repo integrity [was: 2012 incident]

On Sat, Nov 17, 2012 at 11:05:40PM -0800, Perry Hutchison wrote: > [trimmed some of the lists] > > Chris Rees wrote: > > ... git doesn't work with our workflow. > > I'm sure the workflow itself is documented somewhere, but is > there a good writeup of _how_ git doesn't work with it, e.g. what >

Re: FreeBSD needs Git to ensure repo integrity [was: 2012 incident]

[trimmed some of the lists] Chris Rees wrote: > ... git doesn't work with our workflow. I'm sure the workflow itself is documented somewhere, but is there a good writeup of _how_ git doesn't work with it, e.g. what capabilit{y,ies} is/are missing? Seems this might be of interest to the git deve

Re: FreeBSD needs Git to ensure repo integrity [was: 2012 incident]

On Sat, Nov 17, 2012 at 11:55 PM, Adrian Chadd wrote: > Those who want to use git can use it, right now. Honest. Yup: https://github.com/freebsd/ ___ freebsd-hackers@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-hackers To u

Re: FreeBSD needs Git to ensure repo integrity [was: 2012 incident]

[snip] There's a git repository. It's public. You can look at what goes into the FreeBSD git clone to get your assurance that things aren't being snuck in. People are using it, right now. Honestly, I'd rather see subversion grow this kind of cryptographic signing of each commit in the short term

FreeBSD needs Git to ensure repo integrity [was: 2012 incident]

http://www.freebsd.org/news/2012-compromise.html http://it.slashdot.org/story/12/11/17/143219/freebsd-project-discloses-security-breach-via-stolen-ssh-key This is not about this incident, but about why major opensource projects need to be using a repository that has traceable, verifiable, built-in

Re: FreeBSD needs Git to ensure repo integrity [was: 2012 incident]

On 17 Nov 2012 21:00, "Michael Ross" wrote: > > On Sat, 17 Nov 2012 21:11:43 +0100, Ivan Klymenko wrote: > >> В Sat, 17 Nov 2012 15:00:06 -0500 >> grarpamp пишет: >> >>> http://www.freebsd.org/news/2012-compromise.html >>> http://it.slashdot.org/story/12/11/17/143219/freebsd-project-discloses-se

Re: FreeBSD needs Git to ensure repo integrity [was: 2012 incident]

On Sat, 17 Nov 2012 21:11:43 +0100, Ivan Klymenko wrote: В Sat, 17 Nov 2012 15:00:06 -0500 grarpamp пишет: http://www.freebsd.org/news/2012-compromise.html http://it.slashdot.org/story/12/11/17/143219/freebsd-project-discloses-security-breach-via-stolen-ssh-key This is not about this incide

Re: FreeBSD needs Git to ensure repo integrity [was: 2012 incident]

В Sat, 17 Nov 2012 15:00:06 -0500 grarpamp пишет: > http://www.freebsd.org/news/2012-compromise.html > http://it.slashdot.org/story/12/11/17/143219/freebsd-project-discloses-security-breach-via-stolen-ssh-key > > This is not about this incident, but about why major opensource > projects need to