Is BitKeeper (bk) a client for GNU Arch? I read about another program that is gaining ground on CVS. Forget the name!

Zach

--- Bob Tanner <basic at us.netrek.org> wrote:
> In a previous post I mentioned the "future of cvs" as a tool of
> development in the vanilla/netrek project.
>
> I have really become disenchanted with cvs. 4 reasons why this has
> happened.
>
> 1. My last contract introduced me to BitKeeper (bk) and all the hype on
> lkml about how wonderful this tool can be, is all true. Using bk shows
> all the problems with cvs.
>
> 2. Another FOSS project I contribute to had our main cvs server
> compromised. Given that this project runs as root(!) it's an ideal
> candidate for being Trojan horsed. We spent months(!) integrity checking
> the source files. Wasted time! This is because cvs doesn't have any sort
> of repository integrity check.
>
> 3. While doing the software inventory, it was discovered that cvs commits
> were applied to the repository as a legitimate writer (developer with
> write access), only to find out that this person had -not- committed the
> code. The commits were by an imposter, who was using this developer's
> "identity". This is because cvs doesn't have any sort of commit
> integrity/identity check.
>
> 4. cvs central development model is adequate, but it is elitist.
> Potential developers must ask (beg?) to have write access to the
> repository. My example here is on another FOSS project I started writing
> unit tests. I have hundreds of tests now and still no commit access. So,
> I end up making diffs, putting them into SF's patch manager (time
> consuming!) and wait for upstream developers to merge those patches back
> into cvs (time consuming!) only to have certain diffs rejected because
> upstream code changed between the time I made the diff and the time the
> diffs were applied to upstream cvs. I could rant here more, but you get
> the picture.
>
> Now my proposed solution; migrate from cvs to GNU arch.
>
> #1. While I love bk, its license is not FOSS friendly (imho) and it
> won't sit well with many people to require it as development tool. But a
> very close equivalent to it is GNU arch. Which is FOSS and works great.
>
> These are the recommended "Executive Summaries" you should look at:
>
> What is Arch?
> http://wiki.gnuarch.org/moin.cgi/What_20is_20Arch_3f
>
> Why Arch?
> http://wiki.gnuarch.org/moin.cgi/WhyArch
>
> The comparison sections are good as well.
>
> #2. GNU arch allows for gnupg signed archives. So we have a crypto-signed
> archive of files which would make integrity checking (after a compromise)
> much easier.
>
> Signing Archives
> http://wiki.gnuarch.org/moin.cgi/Signing_20Archives
>
> #3. GNU arch allows for gnupg signed changesets (cvs commits). We get
> both authorization/authentication with gnupg signed changesets. As a side
> effect, we get the ability to track every changeset to a developer via
> their gnupg key.
>
> Signed changeset
> http://wiki.gnuarch.org/moin.cgi/Signing_20Archives#head-53c693c1951e2566cd4c58547848c077ff24ae41
>
> #4. GNU arch is totally distributed. There is no need to beg for commit
> access, since everyone can have their own private archive. GNU arch makes
> it very easy to merge changes from one archive into your own archive.
>
> This is not to say, we cannot have a central development model.
>
> Centralized Development
> http://wiki.gnuarch.org/moin.cgi/Centralized_20Development
>
> Versioning strategies
> http://wiki.gnuarch.org/moin.cgi/Versioning_20strategies
>
> But it does allow for distribution of the source code so we don't have a
> single point of failure, like we do now with cvs.us.netrek.org
>
> We do not have to stop cvs cold-turkey. We can migrate slowly(?) if we
> have to.
>
> Interoperating with CVS
> http://wiki.gnuarch.org/moin.cgi/Interoperating_20with_20CVS
>
> Tracking a project that doesn't use Arch
> http://wiki.gnuarch.org/moin.cgi/Tracking_20a_20project_20that_20doesn_27t_20use_20Arch
>
> What does everyone think?
>
> --
> Bob Tanner <basic at us.netrek.org>
> Key fingerprint = AB15 0BDF BCDE 4369 5B42 1973 7CF1 A709 2CC1 B288
>
> _______________________________________________
> vanilla-devel mailing list
> vanilla-devel at us.netrek.org
> https://mailman.real-time.com/mailman/listinfo/vanilla-devel