HEADS UP: Importing csup into base
Maxime Henrion
I have released a new snapshot of csup a few minutes ago, called
csup-snap-20060301. You can grab it at http://mu.org/~mux/csup.html.
This last snapshot finally brings in support for the refuse files, as
well as the -i <pattern> and -A <localaddr> options. At this point,
csup is pretty much feature complete as far as checkout mode is
concerned. To sum things up, besides CVS mode, the only features
missing are :
- Authentication (rarely used, plus someone has a patch for this),
- Executes (shell commands sent by the server, even more rarely used),
- The -k and -d <limit> options and the "destDir" parameters that are
more debugging features than real features,
- An Xaw3d GUI (just kidding).
So I think it is now time to import csup in FreeBSD base system so that
our users finally have a way to update their sources with a bare
install, and am requesting comments/opinions/problem reports on the
matter as long as it doesn't degenerate into a bikeshed.
For those interested in CVS mode, I'll now start working on this soon,
but cannot guarantee that I'll ever have it finished. I've been
unemployed for a few months now which allowed me to get this far, but I
will soon need to get a new job for obvious reasons. If you would like
to see CVS mode happening and can spare some money, please consider
making a donation to my Paypal account (id m...@FreeBSD.org). I take
advantage of this mail to thank Garance Drosehn that has generously
donated me some money to help me on this task already.
Cheers,
Maxime
_______________________________________________
freebsd...@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-current
To unsubscribe, send any mail to "freebsd-curre...@freebsd.org"
Colin Percival
> So I think it is now time to import csup in FreeBSD base system so that
> our users finally have a way to update their sources with a bare
> install, and am requesting comments/opinions/problem reports on the
> matter as long as it doesn't degenerate into a bikeshed.
Yes please!
I'd love to see CVS mode and authentication support as well, but given
the number of people who don't apply security fixes (over 60% of FreeBSD
6.0 systems running portsnap are still running 6.0-RELEASE) I'd say that
anything which makes updating easier is great.
Colin Percival
Reid Linnemann
> Hey all,
>
>
> I have released a new snapshot of csup a few minutes ago, called
> csup-snap-20060301. You can grab it at http://mu.org/~mux/csup.html.
> This last snapshot finally brings in support for the refuse files, as
> well as the -i <pattern> and -A <localaddr> options. At this point,
> csup is pretty much feature complete as far as checkout mode is
> concerned. To sum things up, besides CVS mode, the only features
> missing are :
> - An Xaw3d GUI (just kidding).
Naturally this is supplanted with an OpenLook GUI, right?
;)
--
Reid Linnemann
Senior Systems Analyst
Oklahoma Department of CareerTech
405-743-5422
rl...@okcareertech.org
-Ars longa, vita brevis-
Freddie Cash
> Maxime Henrion wrote:
> > Hey all,
> > I have released a new snapshot of csup a few minutes ago, called
> > csup-snap-20060301. You can grab it at http://mu.org/~mux/csup.html.
> > This last snapshot finally brings in support for the refuse files, as
> > well as the -i <pattern> and -A <localaddr> options. At this point,
> > csup is pretty much feature complete as far as checkout mode is
> > concerned. To sum things up, besides CVS mode, the only features
> > missing are :
> > - An Xaw3d GUI (just kidding).
> Naturally this is supplanted with an OpenLook GUI, right?
No, no, no. We need to bring this into the 21st century. A system
updater like this needs a flashy, 3D-accelerator,
composite-manager-using, fully transparent, animated GUI with more
buttons, features, and whiz-bang graphics than you can shake a dead dog
at.
After all, we can't let any Linux distro beat us to it. :)
--
Freddie Cash
fc...@ocis.net
Maxime Henrion
[...]
> So I think it is now time to import csup in FreeBSD base system so that
> our users finally have a way to update their sources with a bare
> install, and am requesting comments/opinions/problem reports on the
> matter as long as it doesn't degenerate into a bikeshed.
Just so that people don't waste time reporting this: there is a
use-after-free bug in the last snapshot that is already fixed in CVS.
That will teach me to set malloc.conf to aj!
Wilko Bulte
> On Wednesday 01 March 2006 09:40 am, Reid Linnemann wrote:
> > Maxime Henrion wrote:
> > > Hey all,
> > > I have released a new snapshot of csup a few minutes ago, called
> > > csup-snap-20060301. You can grab it at http://mu.org/~mux/csup.html.
> > > This last snapshot finally brings in support for the refuse files, as
> > > well as the -i <pattern> and -A <localaddr> options. At this point,
> > > csup is pretty much feature complete as far as checkout mode is
> > > concerned. To sum things up, besides CVS mode, the only features
> > > missing are :
>
> > > - An Xaw3d GUI (just kidding).
>
> > Naturally this is supplanted with an OpenLook GUI, right?
>
> No, no, no. We need to bring this into the 21st century. A system
> updater like this needs a flashy, 3D-accelerator,
> composite-manager-using, fully transparent, animated GUI with more
> buttons, features, and whiz-bang graphics than you can shake a dead dog
> at.
Aqua?
> After all, we can't let any Linux distro beat us to it. :)
> --
> Freddie Cash
> fc...@ocis.net
> _______________________________________________
> freebsd...@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-current
> To unsubscribe, send any mail to "freebsd-curre...@freebsd.org"
--- end of quoted text ---
--
Wilko Bulte wi...@FreeBSD.org
Scott Long
> Hey all,
>
>
> I have released a new snapshot of csup a few minutes ago,
[...]
>
> - Executes (shell commands sent by the server, even more rarely used),
Are you joking?
Scott
Scott Long
> On Wednesday 01 March 2006 09:40 am, Reid Linnemann wrote:
>
>>Maxime Henrion wrote:
>>
>>> Hey all,
>>>I have released a new snapshot of csup a few minutes ago, called
>>>csup-snap-20060301. You can grab it at http://mu.org/~mux/csup.html.
>>>This last snapshot finally brings in support for the refuse files, as
>>>well as the -i <pattern> and -A <localaddr> options. At this point,
>>>csup is pretty much feature complete as far as checkout mode is
>>>concerned. To sum things up, besides CVS mode, the only features
>>>missing are :
>
>
>>> - An Xaw3d GUI (just kidding).
>
>
>>Naturally this is supplanted with an OpenLook GUI, right?
>
>
> No, no, no. We need to bring this into the 21st century. A system
> updater like this needs a flashy, 3D-accelerator,
> composite-manager-using, fully transparent, animated GUI with more
> buttons, features, and whiz-bang graphics than you can shake a dead dog
> at.
>
> After all, we can't let any Linux distro beat us to it. :)
Bah, I'm so cool and retro-chic that I demand that csup communicate to
me via morse code telegraph. You sissy loosers with your fancy text
consoles are the definition of bourgeois oppulence!
Ha
Scott
Poul-Henning Kamp
>Bah, I'm so cool and retro-chic that I demand that csup communicate to
>me via morse code telegraph. You sissy loosers with your fancy text
>consoles are the definition of bourgeois oppulence!
As long as I can feed the input via paper tape, I'm with you Scott.
--
Poul-Henning Kamp | UNIX since Zilog Zeus 3.20
p...@FreeBSD.ORG | TCP/IP since RFC 956
FreeBSD committer | BSD since 4.3-tahoe
Never attribute to malice what can adequately be explained by incompetence.
Wilko Bulte
> Freddie Cash wrote:
> >On Wednesday 01 March 2006 09:40 am, Reid Linnemann wrote:
> >
> >>Maxime Henrion wrote:
> >>
> >>> Hey all,
> >>>I have released a new snapshot of csup a few minutes ago, called
> >>>csup-snap-20060301. You can grab it at http://mu.org/~mux/csup.html.
> >>>This last snapshot finally brings in support for the refuse files, as
> >>>well as the -i <pattern> and -A <localaddr> options. At this point,
> >>>csup is pretty much feature complete as far as checkout mode is
> >>>concerned. To sum things up, besides CVS mode, the only features
> >>>missing are :
> >
> >
> >>> - An Xaw3d GUI (just kidding).
> >
> >
> >>Naturally this is supplanted with an OpenLook GUI, right?
> >
> >
> >No, no, no. We need to bring this into the 21st century. A system
> >updater like this needs a flashy, 3D-accelerator,
> >composite-manager-using, fully transparent, animated GUI with more
> >buttons, features, and whiz-bang graphics than you can shake a dead dog
> >at.
> >
> >After all, we can't let any Linux distro beat us to it. :)
>
> Bah, I'm so cool and retro-chic that I demand that csup communicate to
> me via morse code telegraph. You sissy loosers with your fancy text
> consoles are the definition of bourgeois oppulence!
5 channel Baudot code, printed in ASCII rendering on the console, @ 45Baud?
--
Wilko Bulte wi...@FreeBSD.org
Wilko Bulte
> In message <4405F791...@samsco.org>, Scott Long writes:
>
> >Bah, I'm so cool and retro-chic that I demand that csup communicate to
> >me via morse code telegraph. You sissy loosers with your fancy text
> >consoles are the definition of bourgeois oppulence!
>
> As long as I can feed the input via paper tape, I'm with you Scott.
Only if it has a mechanical reader (with sensing pins for the holes).
An optical reader won't do
--
Wilko Bulte wi...@FreeBSD.org
Scott Long
> On Wed, Mar 01, 2006 at 07:40:32PM +0000, Poul-Henning Kamp wrote..
>
>>In message <4405F791...@samsco.org>, Scott Long writes:
>>
>>
>>>Bah, I'm so cool and retro-chic that I demand that csup communicate to
>>>me via morse code telegraph. You sissy loosers with your fancy text
>>>consoles are the definition of bourgeois oppulence!
>>
>>As long as I can feed the input via paper tape, I'm with you Scott.
>
>
> Only if it has a mechanical reader (with sensing pins for the holes).
> An optical reader won't do
>
I assume that your method would include the use of transistors. Go back
to your fancy GUI.
Scott
Larry Rosenman
> On Wed, Mar 01, 2006 at 07:40:32PM +0000, Poul-Henning Kamp wrote..
>> In message <4405F791...@samsco.org>, Scott Long writes:
>>
>>> Bah, I'm so cool and retro-chic that I demand that csup communicate
>>> to me via morse code telegraph. You sissy loosers with your fancy
>>> text consoles are the definition of bourgeois oppulence!
>>
>> As long as I can feed the input via paper tape, I'm with you Scott.
>
> Only if it has a mechanical reader (with sensing pins for the holes).
> An optical reader won't do
Y'all are making me feel real old. I remember asr-33 teletypes as my
main access to my high schools computer for the first 2 years I was there.
LER
--
Larry Rosenman http://www.lerctr.org/~ler
Phone: +1 512-248-2683 E-Mail: l...@lerctr.org
US Mail: 430 Valona Loop, Round Rock, TX 78681-3893
Garance A Drosehn
>
>So I think it is now time to import csup in FreeBSD base system
>so that our users finally have a way to update their sources
>with a bare install, and am requesting comments/opinions/problem
>reports on the matter as long as it doesn't degenerate into a
>bikeshed.
I wonder if we should handle this more like perl (or X11?), where
it remains a port, but a port which is always installed along
with the base-system install. My hope is that with the new
C-based implementation, 'csup' would be useful to other projects.
(any cvs-based open-source project, not just operating systems).
I would also be happy to see it as part of the freebsd base system,
so I only mention the above alternative because I'm wondering what
would be the best way to handle a project like this...
Whether or not it goes into the base system, I hope more people
can take the time to try it out, and make sure that it will be
well-tested.
>If you would like to see CVS mode happening and can spare some
>money, please consider making a donation to my Paypal account
>(id m...@FreeBSD.org). I take advantage of this mail to thank
>Garance Drosehn that has generously donated me some money to
>help me on this task already.
I've contributed enough to keep him in caffeine, but certainly
not enough to be mistaken for a full-time employer... :-)
I have been very happy to see all the recent progress. Even
though I do like to work with multiple computer languages (and
in fact there is a lot I like about Modula-3), I do think a tool
such as cvsup needs to be in a more universally-available and
widely-known language.
--
Garance Alistair Drosehn = g...@gilead.netel.rpi.edu
Senior Systems Programmer or g...@FreeBSD.org
Rensselaer Polytechnic Institute; Troy, NY; USA
Scott Long
> At 6:03 PM +0100 3/1/06, Maxime Henrion wrote:
>
>>
>> So I think it is now time to import csup in FreeBSD base system
>> so that our users finally have a way to update their sources
>> with a bare install, and am requesting comments/opinions/problem
>> reports on the matter as long as it doesn't degenerate into a
>> bikeshed.
>
>
> I wonder if we should handle this more like perl (or X11?), where
> it remains a port, but a port which is always installed along
> with the base-system install. My hope is that with the new
> C-based implementation, 'csup' would be useful to other projects.
> (any cvs-based open-source project, not just operating systems).
>
perl is the way it is to help ease the transition back 5+ years ago
with FreeBSD 4. I'd kinda like to declare that transition a completed
success. Adding more one-off special cases to sysinstall only makes
it harder to maintain, harder to build releases, etc.
> I would also be happy to see it as part of the freebsd base system,
> so I only mention the above alternative because I'm wondering what
> would be the best way to handle a project like this...
Make it part of the base system. It's no different than having cvs in
the base system. It also doesn't have any foreign dependencies, which
was the main reason that cvsup was never assimilated.
Scott
Lowell Gilbert
> Maxime Henrion wrote:
> > Hey all,
> > I have released a new snapshot of csup a few minutes ago,
>
> [...]
>
> > - Executes (shell commands sent by the server, even more rarely
> > used),
>
> Are you joking?
Are you asking whether he's joking about (1) the idea of ever
implementing it, (2) the fact that he hasn't done it yet, or
(3) the idea that it's rarely used? All of those sound
reasonable to me...
Kris Kennaway
> On Wed, Mar 01, 2006 at 03:33:41PM -0500, Lowell Gilbert wrote:
> > Scott Long <sco...@samsco.org> writes:
> >
> > > Maxime Henrion wrote:
> > > > Hey all,
> > > > I have released a new snapshot of csup a few minutes ago,
> > >
> > > [...]
> > >
> > > > - Executes (shell commands sent by the server, even more rarely
> > > > used),
> > >
> > > Are you joking?
> >
> > Are you asking whether he's joking about (1) the idea of ever
> > implementing it, (2) the fact that he hasn't done it yet, or
> > (3) the idea that it's rarely used? All of those sound
> > reasonable to me...
>
> security perspective. Of course, some kind of sanitization could
> mitigate the issue.
Let's not lose sight of the fact that whoever runs the cvsup server
already owns your machine, since they're giving you unauthenticated
source code [1].
Kris
[1] Please don't take this as an invitation to talk about how Someone
Should Fix This, since it's not on the table until Someone first
writes csupd :-)
Matthew D. Fuller
Wesley Shields, and lo! it spake thus:
>
> I'm questioning (1) myself. This just seems like a bad idea from a
> security perspective.
Well, it should be remember that CVSup is (at least conceptually) not
just "a tool for spreading CVS-held source around like fertilizer",
it's "a software package for distributing and updating collections of
files across a network" (per www.cvsup.org). If you're using it to
sync files between two hosts you control, there are many good reasons
why you'd want to run commands (rather like you would with rdist).
--
Matthew Fuller (MF4839) | full...@over-yonder.net
Systems/Network Administrator | http://www.over-yonder.net/~fullermd/
On the Internet, nobody can hear you scream.
Kövesdán Gábor
Thanks a lot, csup is very great: fast and lightweight. :) CVSup was a
huge pain to install. I hope you'll get enough donation to implement the
cvs mode, too. :)
Regards,
Gabor Kovesdan
Mark Linimon
> 5 channel Baudot code, printed in ASCII rendering on the console, @ 45Baud?
I still have parts for one if anyone cares.
mcl
Wesley Shields
>
> > Maxime Henrion wrote:
> > > Hey all,
> > > I have released a new snapshot of csup a few minutes ago,
> >
> > [...]
> >
> > > - Executes (shell commands sent by the server, even more rarely
> > > used),
> >
> > Are you joking?
>
> Are you asking whether he's joking about (1) the idea of ever
> implementing it, (2) the fact that he hasn't done it yet, or
> (3) the idea that it's rarely used? All of those sound
> reasonable to me...
I'm questioning (1) myself. This just seems like a bad idea from a
security perspective. Of course, some kind of sanitization could
mitigate the issue.
-- WXS
Andrew Reilly
> Even
> though I do like to work with multiple computer languages (and
> in fact there is a lot I like about Modula-3), I do think a tool
> such as cvsup needs to be in a more universally-available and
> widely-known language.
I like Modula-3 too (at least conceptually: I haven't found an
excuse to code in it), but not "widely-known" is perhaps even an
understatement. I came across this site the other day:
http://www.tiobe.com/index.htm?tiobe_index
Which I thought pretty interesting. I noticed that Modula-3
doesn't even make it into the top-100 popular languages, which
puts it below Algol, Oberon, and Modula-2.
Cheers,
--
Andrew
Steve Kargl
> On Wed, Mar 01, 2006 at 03:18:07PM -0500, Garance A Drosehn wrote:
> > Even
> > though I do like to work with multiple computer languages (and
> > in fact there is a lot I like about Modula-3), I do think a tool
> > such as cvsup needs to be in a more universally-available and
> > widely-known language.
>
> I like Modula-3 too (at least conceptually: I haven't found an
> excuse to code in it), but not "widely-known" is perhaps even an
> understatement. I came across this site the other day:
> http://www.tiobe.com/index.htm?tiobe_index
> Which I thought pretty interesting. I noticed that Modula-3
> doesn't even make it into the top-100 popular languages, which
> puts it below Algol, Oberon, and Modula-2.
>
Interesting site. Guess which language in the top 20
has the most recently approved International standard?
--
Steve
Maxime Henrion
> On Wed, Mar 01, 2006 at 04:17:08PM -0500, Kris Kennaway wrote:
> > On Wed, Mar 01, 2006 at 04:19:32PM -0500, Wesley Shields wrote:
> > > On Wed, Mar 01, 2006 at 03:33:41PM -0500, Lowell Gilbert wrote:
> > > > Scott Long <sco...@samsco.org> writes:
> > > >
> > > > > Maxime Henrion wrote:
> > > > > > Hey all,
> > > > > > I have released a new snapshot of csup a few minutes ago,
> > > > >
> > > > > [...]
> > > > >
> > > > > > - Executes (shell commands sent by the server, even more rarely
> > > > > > used),
> > > > >
> > > > > Are you joking?
> > > >
> > > > Are you asking whether he's joking about (1) the idea of ever
> > > > implementing it, (2) the fact that he hasn't done it yet, or
> > > > (3) the idea that it's rarely used? All of those sound
> > > > reasonable to me...
> > >
> > > I'm questioning (1) myself. This just seems like a bad idea from a
> > > security perspective. Of course, some kind of sanitization could
> > > mitigate the issue.
> >
> > already owns your machine, since they're giving you unauthenticated
> > source code [1].
>
> I think a rogue server sending commands that the client exectues is
> pretty close to a rogue server sending malicious source code. At least
> the source is easily verifiable and (in the case of the malicious source
> being inserted at the master site) has a good chance of being noticed.
>
> It's not that I'm 100% against this idea, but rather that I'd like to
> see the client be cautious of the possibility of a rogue server. Of
> course, this could all be the plan and I'm just raising a non-issue.
Just to make things straight, executes are always off by default, and
need to be explicitely enabled by the user. This is how it has always
been in CVSup, and there is no reason for csup to change that when it
will support executes. That said, the mail I sent wasn't about whether
I should implement executes or not. They are just part of the "missing
features" list.
Cheers,
Maxime
Mike Jakubik
> Thanks a lot, csup is very great: fast and lightweight. :) CVSup was a
> huge pain to install. I hope you'll get enough donation to implement
> the cvs mode, too. :)
Not from my experience, last time i tried csup it was much slower than
cvsup, i hope this performance problem has been solved.
Maxime Henrion
> K?vesd?n G?bor wrote:
> >Thanks a lot, csup is very great: fast and lightweight. :) CVSup was a
> >huge pain to install. I hope you'll get enough donation to implement
> >the cvs mode, too. :)
>
> Not from my experience, last time i tried csup it was much slower than
> cvsup, i hope this performance problem has been solved.
Well you should try a recent version of it. In all the tests I have
been doing, csup has always been at least as fast as CVSup, and quite
often faster.
If the problem persists, you need to send me a precise and detailed
problem report.
Cheers,
Maxime
Mike Jakubik
> Mike Jakubik wrote:
>
>> K?vesd?n G?bor wrote:
>>
>>> Thanks a lot, csup is very great: fast and lightweight. :) CVSup was a
>>> huge pain to install. I hope you'll get enough donation to implement
>>> the cvs mode, too. :)
>>>
>> Not from my experience, last time i tried csup it was much slower than
>> cvsup, i hope this performance problem has been solved.
>>
>
> Well you should try a recent version of it. In all the tests I have
> been doing, csup has always been at least as fast as CVSup, and quite
> often faster.
>
> If the problem persists, you need to send me a precise and detailed
> problem report.
>
It was a while ago (i think when its existence was initially mentioned
on the lists), so im sure it has been addressed, but if i see any
problems, i will let you know.
Wesley Shields
> On Wed, Mar 01, 2006 at 04:19:32PM -0500, Wesley Shields wrote:
> > On Wed, Mar 01, 2006 at 03:33:41PM -0500, Lowell Gilbert wrote:
> > > Scott Long <sco...@samsco.org> writes:
> > >
> > > > Maxime Henrion wrote:
> > > > > Hey all,
> > > > > I have released a new snapshot of csup a few minutes ago,
> > > >
> > > > [...]
> > > >
> > > > > - Executes (shell commands sent by the server, even more rarely
> > > > > used),
> > > >
> > > > Are you joking?
> > >
> > > Are you asking whether he's joking about (1) the idea of ever
> > > implementing it, (2) the fact that he hasn't done it yet, or
> > > (3) the idea that it's rarely used? All of those sound
> > > reasonable to me...
> >
> > I'm questioning (1) myself. This just seems like a bad idea from a
> > security perspective. Of course, some kind of sanitization could
> > mitigate the issue.
>
> Let's not lose sight of the fact that whoever runs the cvsup server
> already owns your machine, since they're giving you unauthenticated
> source code [1].
You are right on this point. But on the scale of potentially bad things
I think a rogue server sending commands that the client exectues is
pretty close to a rogue server sending malicious source code. At least
the source is easily verifiable and (in the case of the malicious source
being inserted at the master site) has a good chance of being noticed.
It's not that I'm 100% against this idea, but rather that I'd like to
see the client be cautious of the possibility of a rogue server. Of
course, this could all be the plan and I'm just raising a non-issue.
> Kris
>
> [1] Please don't take this as an invitation to talk about how Someone
> Should Fix This, since it's not on the table until Someone first
> writes csupd :-)
I didn't see it as an invitation as I've seen it discussed many times
before. Either way, I'm very pleased to see a client written in C. :)
-- WXS
Paul Murphy
> Wilko Bulte wrote:
>> On Wed, Mar 01, 2006 at 07:40:32PM +0000, Poul-Henning Kamp wrote..
>>> In message <4405F791...@samsco.org>, Scott Long writes:
>>>
>>>> Bah, I'm so cool and retro-chic that I demand that csup communicate
>>>> to me via morse code telegraph. You sissy loosers with your fancy
>>>> text consoles are the definition of bourgeois oppulence!
>>>
>>> As long as I can feed the input via paper tape, I'm with you Scott.
>>
>> Only if it has a mechanical reader (with sensing pins for the holes).
>> An optical reader won't do
>
> Y'all are making me feel real old. I remember asr-33 teletypes as my
> main access to my high schools computer for the first 2 years I was
> there.
>
> LER
I remember, back in the day, all the CS kids walking around with huge
stacks of PUNCH-CARDS.
Patrick Bowen
First computer I ever saw was programmed with a patch board...
PJB
