Dear Free Software friends,
A self organized development hosting facility, Gna!, is available to all Libre Software developpers and users at http://gna.org/. It was created in January 2004 and is offering the same services as Savannah (http://savannah.gnu.org/) and SourceForge (http://sf.net).
Philosophically, Gna! follows the lead of the Free Software Foundation. Projects hosted on Gna! will be distributed under licensing terms compatible with each other so that they can be mixed freely. Running these projects on your own machine will not require any non-free software.
The self organized side of Gna! means that it is run by its users. Anyone is welcome to contribute to the maintainance of the hardware and software platform. Entering the Gna! maintainers team can happen within the hour : propose yourself, answer support requests if you can, provide a patch to implement the feature you want. No contribution will be ignored or discarded : if you make a mistake we rely on you to fix it.
Because Gna! is philosophically and technically compatible with Savannah, we started to implement an import/export procedure so that projects can move freely between Gna! and Savannah. The compromission of Savannah last year showed that it is critical to have many Free Software development facilities where projects can be backed up easily.
Happy Hacking,
About:
Gna! has been started in January 2004 by Loic Dachary (Savannah's project iniator), Mathieu Roy (myself, deeply involved in Savannah since 2002) and Vincent Caron (involved in Savannah since the summer 2003). The hardware is provided by the Free Software Foundation France (http://fsffrance.org/) and the bandwidth is offered by Free, a French Internet Services Provider (http://free.fr).
Will this influence Savannah in any way? gna.org is all good and fine. but it is probably EU-centered in many ways, if for nothering other than its location on the Internet. For free software developers in North America, a local repository is definitely what we like to use. I hope savannah's services are not impacted (or if you will focus on gna.org, new, North America-based volunteers are found to support savannah...)
This issue was somehow discussed on the arch mailing list (archived here), at least in the perspective of arch-oriented services. As you point out, having "local" repositories is a nice thing, which can be achieved with arch quite naturally: savannah and gna! could then provide mirrored services. Given the recent attacks on our collaborative development sites, this would certainly be a way to increase resilience.
(just noticed that it was you, atai, that posted on arch's ml :-))
I've started moving my projects to my own hosting facility as I do not like the usual savannah/sourceforge bugtracking tools, versioning system,... I think it can be useful to separate the needs for the core developers of a project, which can be covered by ad-hoc means, and the distribution, support, ... issues, which involve much more costs (bandwidth, storage,...) and can be handled by more generic solutions.
Is the compromise of Savannah the _only_ reason Gna! exists?
Would Gna! not be susceptible to any crack Savannah was?
Why is it called "Gna!"? What does it stand for?
Why on earth did you name it with an exclamation point? (It's really irritating to write, as it messes up people's low-level punctuation routines.)
Gerv
« Is the compromise of Savannah the _only_ reason Gna! exists? »
In some way, yes.
« Would Gna! not be susceptible to any crack Savannah was? »
No computer on earth is not susceptible to any crack. There was major bugs in CVS and rsync, both where used by Savannah, that have been found after the compromise. Not to mention several holes in the kernel itself. Nobody can be sure that it will never happen again.
« Why is it called "Gna!"? What does it stand for? »
Someones suggested Gna is Not an Acronym.
« Why on earth did you name it with an exclamation point? (It's really irritating to write, as it messes up people's low-level punctuation routines.) »
It does not seems complicated to me. The origin for the exclamation mark is maybe in the French onomatope "na !", who knows?
I didn't put my second question clearly enough.
If the only reason Gna! exists is because of the Savannah crack, and if Gna! runs all the same software as Savannah, surely it provides no extra protection? If a hole appears which lets people into Savannah, it'll let people into Gna! too.
Gerv
« If the only reason Gna! exists is because of the Savannah crack, and if Gna! runs all the same software as Savannah, surely it provides no extra protection? If a hole appears which lets people into Savannah, it'll let people into Gna! too. »
If a security bug is found one more time in CVS, sure, both Savannah and Gna! can be affected by the issue, like any other CVS server on earth.
However, compromission can be handled in several ways. The FSF USA in December decided to manage itself the compromission with his own views and methods. These methods and views are not bad, however it is very probable that Gna! people would have made differents choices, in several regards.
In the end, it is important for projects not being stopped in their development because they have no alternative than sticking with an hosts which is completely offline for a long time.
Being the person that handled over years the most of the Savannah users requests (almost 500 in the support tracker) since it exists, I think having some experience in users expectations and Gna! will provides users a development platform where importants decisions will be made by persons like me. We have a written constitution https://gna.org/about/ that explains to users how Gna! will go.
Finally, the FSF USA decided of a lot of security measures for Savannah, and at Gna! many security checks and protections have been implemented or standardized from the start. Both servers are more secure than Savannah was.
So I think it is a good thing for the Free Software community to have at disposal several 100 % Free Software development platform available.
« If the only reason Gna! exists is because of the Savannah crack, and if Gna! runs all the same software as Savannah, surely it provides no extra protection? If a hole appears which lets people into Savannah, it'll let people into Gna! too. »
If a security bug is found one more time in CVS, sure, both Savannah and Gna! can be affected by the issue, like any other CVS server on earth.
However, compromission can be handled in several ways. The FSF USA in December decided to manage itself the compromission with his own views and methods. These methods and views are not bad, however it is very probable that Gna! people would have made differents choices, in several regards.
In the end, it is important for projects not being stopped in their development because they have no alternative than sticking with an hosts which is completely offline for a long time.
Being the person that handled over years the most of the Savannah users requests (almost 500 in the support tracker) since it exists, I think having some experience in users expectations and Gna! will provides users a development platform where importants decisions will be made by persons like me. We have a written constitution https://gna.org/about/ that explains to users how Gna! will go.
Finally, the FSF USA decided of a lot of security measures for Savannah, and at Gna! many security checks and protections have been implemented or standardized from the start. Both servers are more secure than Savannah was.
So I think it is a good thing for the Free Software community to have at disposal several 100 % Free Software development platform available.
(sorry for the duplicated posted, advogato somethings severely lags on posting items)
« yeupou, can you tell us how this impacts Savannah? »
It does not.
« Other people can volunteer to help Savannah if you won't. »
Other people can always volunteer to help Savannah.
It's good to have an alternative site. It's bad that you cannot just move everything when Savannah is down. Maybe distributed Savannah would be better? If one server goes down, another one takes its place. It should be possible to allow data replication without opening any ways to escalate security compromise from one server to another. Of course, if the repository was compromised, it should be reset to the known good date. Maybe some kind of cryptography could prevent unauthorized changes?
I discussed about that option when I was working at CERN. It is indeed a good idea, but it requires heavy work.
New HTML Parser: The long-awaited libxml2 based HTML parser code is live. It needs further work but already handles most markup better than the original parser.
Keep up with the latest Advogato features by reading the Advogato status blog.
If you're a C programmer with some spare time, take a look at the mod_virgule project page and help us with one of the tasks on the ToDo list!
del.icio.us
Digg
Google bookmark
reddit
Simpy
StumbleUpon
Furl
Newsvine
Technorati
Tailrank