Changes since 1.11.22:
**********************

NEW FEATURES

* A new log option -n reverts the -N option which may be in a .cvsrc
  file.

* The `cvs blame' command is now a synonym for the `cvs annotate' command.

* The :extssh: method will use $CVS_SSH if set, or fall back on "ssh"
  by default (but may be explicitly set using the --with-ssh flag to
  configure).

* There is a new IgnoreUnknownConfigKeys option available for
  CVSROOT/config to aid in the transition to newer versions of CVS.

BUG FIXES

* Merges of file removals using -j options are a little smarter.

* `cvs add' checks more thoroughly for `CVS' directories in the argument list.

* `cvs server' now accepts `--allow-root=PATH' options.

* `cvs import' no longer attempts to send CVS metadata to the server.

* `cvs import' makes more of an effort not to import paths containing files
  and directories named `CVS'.

* The CVS server will no longer allow clients to run `cvs init'.

* Applying diffs when checking out very old revisions has been reduced from an
  O(n^2) operation to an O(n) thanks to a patch from Michael J. Smith
  <msmith@ideorlando.org> and additional touch-up work from the CVS team.

* Thanks to report from Paul Eggert <eggert@CS.UCLA.EDU>, an assertion failure
  that could occur when "." was in the path (e.g. `cvs co /cvsroot/./module')
  has been removed.

* Thanks to a report from Peter Toft <pto@linuxbog.dk>, CVS server now sends
  correct patch files more often when the RCS `Name' keyword is present in
  a working file (bug #17302).

* Thanks to a report from Dan Peterson <dbpete@aol.com>, clients now send the
  right set of commands to the server when asked to update directories with
  trailing slashes on their name.

* Thanks to a report and patch from <mbarabas@redhat.com>, potential stack
  corruption during pserver login is avoided (bug #16961).

* The :extssh: method is now properly recognized as an alias for :ext:.

DEVELOPER ISSUES

* We've standardized on Autoconf version 2.61 to get a bug fix that notes
  that the AIX C compiler's default mode isn't quite C89 and sets the
  correct mode instead.

* We've standardized on Autoconf version 1.10 because it lets us simplify our
  sources.

Changes from 1.11.21 to 1.11.22:
********************************

BUG FIXES

* The CVS client again correctly reports files with conflicts when using
  servers running CVS 1.11.20/1.12.12, or earlier (and maybe 3rd party
  servers).

* The GSSAPI server should now build under HP-UX.

* `cvs rtag' now correctly tags files that have been removed from the trunk.

* Code efficiency has been improved slightly.

* A rare race condition that could leave a lock on the val-tags file has been
  avoided.

* A potential buffer overflow in the history command has been fixed.

* Thanks to a report and patch from Garrett Rooney <grooney@collab.net>, paused
  trigger processes no longer cause the CVS server to consume 100% CPU.

* Thanks to a suggestion from Joseph P. Skudlarek <Jskud@Jskud.com>, an
  :extssh: has been added as a synonym of the :ext: access method, as a
  kindness to users of old version of Eclipse.

* Misc documentation updates and minor bug fixes.

Changes from 1.11.20 to 1.11.21:
********************************

BUG FIXES

* Thanks to Serguei E. Leontiev <lse@CryptoPro.ru>, CVS with Kerberos 5 GSSAPI
  should automatically link on FreeBSD 5.x. (bug #14639).

* Thanks to Rahul Bhargava <rahul@wandisco.com>, heavily loaded systems
  suffering from a disk crash or power failure will not lose data they claimed
  to have committed.

* CVS server now handles conflict markers in Entry requests as documented.

* CVS now remembers that binary file merge conflicts occurred until the
  timestamp of the updated binary file changes.

* CVS client now saves some bandwidth by not sending the contents of files
  with conflicts to the server when it isn't needed.

* CVS now does correct locking during import.

* A problem where the server could block indefinitely waiting for an EOF from
  the client when compression was enabled has been fixed.

* `cvs diff' no longer splits its arguments on spaces.

* Thanks to an old report and patch from Stewart Brodie <stewart@eh.org>, a
  potential crash in response to a corrupt RCS file has been fixed.

* CVS now locks the history and val-tags files before writing to them.
  Especially with large repositories, users should no longer see new warnings
  about corrupt history records when using the `cvs history' command.  Existing
  corrupt history records will still need to be removed manually.  val-tags
  corruption should have had less obvious effects, but removing the
  CVSROOT/val-tags file and allowing a 1.11.21 or later version of CVS to
  regenerate it may eliminate a few odd behaviors and possibly cause a slight
  speed up of read transactions in large repositories over time.

BUILD ISSUES

* The RPM spec file works again with the most modern versions of `rpm'.

DEVELOPER ISSUES

* We've standardized on Automake 1.9.6 to get some at new features that make
  our jobs easier.  See the HACKING file for more on using the autotools with
  CVS.

Changes from 1.11.19 to 1.11.20:
********************************

SERVER SECURITY FIXES

* Thanks to a report from Alen Zukich <alen.zukich@klocwork.com>, several minor
  security issues have been addressed.  One was a buffer overflow that is
  potentially serious but which may not be exploitable, assigned CAN-2005-0753
  by the Common Vulnerabilities and Exposures Project
  <http://www.cve.mitre.org>.  Other fixes resulting from Alen's report include
  repair of an arbitrary free with no known exploit and several plugged memory
  leaks and potentially freed NULL pointers which may have been exploitable for
  a denial of service attack.

* Thanks to a report from Craig Monson <craig@malachiarts.com>, minor
  potential vulnerabilities in the contributed Perl scripts have been fixed.
  The confirmed vulnerability could allow the execution of arbitrary code on
  the CVS server, but only if a user already had commit access and if one of
  the contrib scripts was installed improperly, a condition which should have
  been quickly visible to any administrator.  The complete description of the
  problem is here: <https://ccvs.cvshome.org/issues/show_bug.cgi?id=224>.  If
  you were making use of any of the contributed trigger scripts on a CVS
  server, you should probably still replace them with the new versions, to be
  on the safe side.

  Unfortunately, our fix is incomplete.  Taint-checking has been enabled in all
  the contributed Perl scripts intended to be run as trigger scripts, but no
  attempt has been made to ensure that they still run in taint mode.  You will
  most likely have to tweak the scripts in some way to make them run.  Please
  send any patches you find necessary back to <bug-cvs@nongnu.org> so that we
  may again ship fully enabled scripts in the future.

  You should also make sure that any home-grown Perl scripts that you might
  have installed as CVS triggers also have taint-checking enabled.  This can be
  done by adding `-T' on the scripts' #! lines.  Please try running
  `perldoc perlsec' if you would like more information on general Perl security
  and taint-checking.

BUG FIXES

* Thanks to a report and a patch from Georg Scwharz <georg.scwarz@freenet.de>
  CVS now builds without error on IRIX 5.3

DEVELOPER ISSUES

* We've standardized on Automake 1.9.5 to get some at new features that make
  our jobs easier.  See the HACKING file for more on using the autotools with
  CVS.

Changes from 1.11.18 to 1.11.19:
********************************

BUG FIXES

* Thanks to a patch from Jim Hyslop <jhyslop@ieee.org>, issuing
  'cvs watch on' or 'cvs watch off' in an empty directory no longer
  clears any watchers in that directory.

* An intermittant assertion failure in checkout has been fixed.

* Thanks to a report from Chris Bohn <cbohn@rrinc.com>, all the source files
  needed for the Windows "red file" fix are actually included in the
  distribution.

* Misc bug and documentation fixes.

Changes from 1.11.17 to 1.11.18:
********************************

BUG FIXES

* Thanks to a report from Gottfried Ganssauge <gotti@cvshome.org>, CVS no
  longer exits when it encounters links pointing to paths containing more
  than 128 characters.

* Thanks to a report from Dan Peterson <dbpete@aol.com>, error messages from
  GSSAPI servers are no longer truncated.

* Thanks to a report from Dan Peterson <dbpete@aol.com>, attempts to resurrect
  a file on the trunk that was added on a branch no longer causes an assertion
  failure.

* Thanks to a report from Dan Peterson <dbpete@aol.com>, imports to branches
  like "1.1." no longer create corrupt RCS archives.

* Thanks to a report from Chris Bohn <cbohn@rrinc.com>, links from J.C. Hamlin
  <jchamlin@ibsys.com>, and code posted by Jonathan Gilligan, we think we have
  finally corrected the Windows "red-file" (daylight savings time) bug once and
  for all.

* Thanks to a patch from Jeroen Ruigrok/asmodai <asmodai@wxs.nl>, the
  log_accum.pl script should no longer elicit warnings from Perl 5.8.5.

* The r* commands (rlog, rls, etc.) can once again handle requests to run
  against the entire repository (e.g. `cvs rlog .').  Thanks go to Dan Peterson
  <dbpete@aol.com> for the report.

* A problem where the attempted access of files via tags beginning with spaces
  could cause the CVS server to hang has been fixed.  This was a particular
  problem with WinCVS clients because users would sometimes accidentally
  include spaces in tags pasted into a dialog box.  This fix also altered some
  of the error messages generated by the use of invalid tags.  Thanks go to Dan
  Peterson <dbpete@aol.com> for the report.

* Thanks to James E Wilson <wilson@specifixinc.com> for a bug fix to
  modules processing "gcc-core -a !gcc/f gcc" will no longer exclude
  gcc/fortran by mistake.

* Thanks to Conrad Pino <conrad@pino.com>, the Windows build works once again.

* Misc updates to the manual.

DEVELOPER ISSUES

* We've standardized on Automake 1.9.3 to get some at new features that make
  our jobs easier.  See the note below on the Autoconf upgrade for more
  details.

* We've standardized on Autoconf version 2.59 to get presumed bug fixes and
  features, but nothing specific.  Mostly, once we decide to upgrade one of the
  autotools we just figure it'll save time later to grab the most current
  versions of the others too.  See the HACKING file for more on using the
  autotools with CVS.

Changes from 1.11.16 to 1.11.17:
********************************

SERVER SECURITY FIXES

* Thanks to Stefan Esser & Sebastian Krahmer, several potential security
  problems have been fixed.  The ones which were considered dangerous enough
  to catalogue were assigned issue numbers CAN-2004-0416, CAN-2004-0417, &
  CAN-2004-0418 by the Common Vulnerabilities and Exposures Project.  Please
  see <http://www.cve.mitre.org> for more information.

* A potential buffer overflow vulnerability in the server has been fixed.
  This addresses the Common Vulnerabilities and Exposures Project's issue
  #CAN-2004-0414.  Please see <http://www.cve.mitre.org> for more information.

Changes from 1.11.15 to 1.11.16:
********************************

SERVER SECURITY FIXES

* A potential buffer overflow vulnerability in the server has been fixed.
  Prior to this patch, a malicious client could potentially use carefully
  crafted server requests to run arbitrary programs on the CVS server machine.
  This addresses the Common Vulnerabilities and Exposures Project's issue
  #CAN-2004-0396.  Please see <http://www.cve.mitre.org> for more information.

BUG FIXES

* The Microsoft Visual C++ workspace and project files have been repaired and
  regenerated with MSVC++ 6.0.

* The cvs.1 man page is now generated automatically from a section of the CVS
  Manual.

* Thanks to a report from Mark Andrews at the Internet Systems Consortium, the
  :ext: connection method no longer relies on a transparent transport that uses
  an argument processor that can handle arbitrary ordering of options and other
  arguments when using a username other than the caller's.

* Thanks to Ken Raeburn at MIT, directory deletion, whether via `cvs release'
  or empty directory pruning, now works on network shares under Windows XP.

Changes from 1.11.14 to 1.11.15:
********************************

SERVER SECURITY ISSUES

* Piped checkouts of paths above $CVSROOT no longer work.  Previously, clients
  could have requested the contents of RCS archive files anywhere on a CVS
  server.  This addresses CVE issue CAN-2004-0405.  Please see
  <http://www.cve.mitre.org> for more information.

CLIENT SECURITY ISSUES

* Clients now check paths from the server to verify that they are within one of
  the sandboxes the user requested be updated.  Previously, a trojan server
  could have written or overwritten files anywhere the user had access,
  presenting a serious security risk.  This addresses CVE issue CAN-2004-1080.
  Please see <http://www.cve.mitre.org> for more information.

GENERAL USER ISSUES

* Method options (used by WinCVS & CVS 1.12.7+) in CVSROOTs are ignored.

* Configure no longer checks the $TMPDIR, $TMP, & $TEMP variables to set the
  default temporary directory.

* CVS on Cygwin correctly handles X:\ style paths.

* Import now uses backslash rather than slash on Windows when checking for
  "CVS" directories to ignore in import commands.

* Relative paths containing up-references (`..') should now work in
  client/server mode (client fix).

* A race condition between the ordering of messages from CVS and messages from
  called scripts in client/server mode has been removed (server fix).

* Resurrected files now get their modes and timestamps set correctly and a
  longstanding bug involving resurrection of an uncommitted removal has been
  fixed (server fix).

* Some resurrection (cvs add) status messages have changed slightly.

* `cvs release' now works with Kerberos or GSSAPI encryption enabled (server
  fix).

* File resurrection from a previously existing revision no longer just reports
  that it works (server fix).

* Misc error & status message corrections.

* Diffing of locally added files against arbitrary revisions in an RCS archive
  is now allowed when a file of the same name exists or used to exist on some
  branch (server fix).

* Misc documentation fixes.

Changes from 1.11.13 to 1.11.14:
********************************

GENERAL USER ISSUES

* Imports will now always ignore directories and files named `CVS' to avoid
  violating assumptions made by other parts of CVS.

* A problem with `cvs release' of subdirs that could corrupt CVS/Entries files
  has been fixed (client/server).

* The CVS server's protocol check for unused data from the client is no longer
  called automatically at program exit in order to avoid potential recursive
  calls to error when the first close is due to memory allocation or similar
  problems that cause calls to error() to fail.  The check is still made when
  the server program exits normally.

* The spec file has been updated to work with more recent versions of RPM.

* Several memory leaks have been plugged (client/server).

DEVELOPER ISSUES

* Misc cosmetic, readability, and commenting fixes.

Changes from 1.11.12 to 1.11.13:
********************************

GENERAL USER ISSUES

* Several memory leaks have been plugged.

* Thanks to Ville Skyttä the man page has a few less spelling errors and is
  slightly more accurate.

* An unlikely potential segfault when using the :fork: connection method has
  been fixed.

* The CVS server has had the protocol check for unused data from the client
  partially restored.

* A fix has been included that should avoid a very rare race condition that
  could cause a CVS server to exit with a "broken pipe" message.

* A minor problem with the nmake build file that was preventing the source from
  compiling under Windows has been fixed.

* Tests have been added to the test suite.

DEVELOPER ISSUES

* Misc cosmetic, readability, and commenting fixes.

Changes from 1.11.11 to 1.11.12:
********************************

GENERAL USER ISSUES

* Infinite alias loops in the modules file are now checked for and avoided.

* Clients on case insensitive systems now preserve the case of directories in
  CVS/Entries, in addition to files, for use in communications with the CVS
  server.

* Some previously untested behavior is now being tested.

* Server support for case insensitive clients has been removed in favor of the
  server relying on the client to preserve the case of checked out files, as
  per the CVS client/server protocol spec.  This is not as drastic as it may
  sound, as all of the current tests still pass without modification when run
  from a case insensitive client to a case sensitive server.  This change
  disables little previous functionality, enables access to more of the
  possible namespace to users on systems with case insensitive file systems,
  fixes a few bugs, and in the end this should provide a major stability
  improvement.

* Thanks to Ville Skyttä the man page is a bit more accurate.

* Thanks to Ville Skyttä some unused variables were removed from the log_accum
  Perl script in contrib.

* Thanks to Alexey Mahotkin, a bug that prevented CVS from being compiled with
  Kerberos 4 authentication enabled has been fixed.

* A minor bug that caused CVS to fail to report an inifinte alias loop in the
  modules file when portions of the alias definition contained trailing slashes
  has been fixed.

* A bug in the gzip code that could cause heap corruption and segfaults in CVS
  servers talking to clients less than 1.8 and some modern third-party CVS
  clients has been fixed.

* mktemp.sh is now included with the source distribution so that the rcs2log
  and cvsbug executables may be run on systems which do not contain an
  implementation of mktemp.

* Misc documentation fixes.

Changes from 1.11.10 to 1.11.11:
********************************

SERVER SECURITY ISSUES

* pserver can no longer be configured to run as root via the
  $CVSROOT/CVSROOT/passwd file, so if your passwd file is compromised, it no
  longer leads directly to a root hack.  Attempts to root will also be logged
  via the syslog.

Changes from 1.11.9 to 1.11.10:
*******************************

SERVER SECURITY ISSUES

* Malformed module requests could cause the CVS server to attempt to create
  directories and possibly files at the root of the filesystem holding the CVS
  repository.  Filesystem permissions usually prevent the creation of these
  misplaced directories, but nevertheless, the CVS server now rejects the
  malformed requests.

GENERAL USER ISSUES

* Case insensitive clients using a case sensitive server can now use a
  `cvs rm -f file; cvs add FILE' command sequence to add a file with the same
  name in a new case.

* CVSROOTs which contain a symlink to a real repository should work.

* The configure script now tests whether it is building CVS on a case
  insensitive file system.  If it is, CVS assumes that all file systems on this
  platform will be case insensitive.  This is useful for getting the case
  insensitivity flag set correctly when compiling on Mac OS X and under Cygwin
  on Windows.  Autodetection can be overridden using the
  --disable-case-sensitivity and --enable-case-sensitivity arguments to
  configure.

* A behavior change in `cvs up -jrev1 -jrev2' for modified files with a base
  revision of rev2 (ie, checked-out version matches rev2 and file has been
  modified).  The operation is no longer ignored and instead is passed to
  diff3.  This will potentially re-apply the diffs between the two revisions to
  a modified local file.  Status messages like from a standard merge have also
  been added when the file would not or does not change due to this merge
  request ("[file] already contains the changes between [revisions]...").

* A bug which could stop `cvs admin -mTAG:message' from recursing has been
  fixed.

* Misc documentation cleanup and fixes.

* Some of the contrib scripts, some of the documentation, and sanity.sh were
  modified to use and recommend more portable commands rather than using and
  recommending commands which were not compatible with the POSIX 1003.1-2001
  specification.

DEVELOPER ISSUES

* A new set of tests to test issues specific to case insensitive clients and
  servers has also been added.

* Support has been added to the test suite to support testing over a :ext: link
  to another machine, subject to some stringent requirements.  This support can
  be used, for instance, to test the operation of a case insensitive client
  against a case sensitive server.  Please see the comments in TEST and the
  src/sanity.sh test script itself for more.

* We've standardized on Automake 1.7.9 to get a bug fix.  See the note below
  on the Autoconf upgrade for more details.

* We've standardized on Autoconf version 2.58 to avoid a bug and get at a few
  new macros.  Again, this should only really affect developers, though it is
  possible that CVS will now compile on a few new platforms.  Please see the
  section of the INSTALL file about using the autotools if you are compiling
  CVS yourself.

Changes from 1.11.8 to 1.11.9:

* CVS now knows how to report, as well as record, `P' record types.

* When running the `cvs history' command, clients will now send the
  long-accepted `-e' option, for all records, rather than explicitly requesting
  `P' record types, a request which servers prior to 1.11.7 will reject with a
  fatal error message.

* A problem with locating files requested by case insensitive clients which was
  accidentally introduced in 1.11.6 as part of a fix for a data loss problem
  involving `cvs add's from case insensitive clients has been fixed.  The
  relevant error message was `cvs [<command> aborted]: filE,v is ambiguous;
  could mean FILE,v or file,v'.

* Attempts to use the global `-l' option, removed from both client and server
  as of version 1.11.6, will now elicit a warning rather than a fatal error
  from the server.

Changes from 1.11.7 to 1.11.8:

* A problem in the CVS getpass library that could cause passwords to echo on
  some systems has been fixed.

Changes from 1.11.6 to 1.11.7:

* A segfault that could occur in very rare cases where the stat of a file
  failed during a diff has been fixed.

* Any user with write privleges to the CVSROOT/checkoutlist file could pass
arbitrary format strings directly through to a printf function.  This was
probably bad and has been fixed.  White space at the beginning of error strings
in checkoutlist is now ignored properly.

* In client/server mode, most messages from CVS now contain the actual
command name rather than the generic "server".

* A long-standing bug that prevented most client/server updates from being
logged in the history file has been fixed.

* Updates done via a patch ("P" status) are now logged in the history file
by default and the corresponding "P" history record type is now documented.
If you're setting the LogHistory option in your CVSROOT/config file, you may
want to add "P" to the list of record types.

* CVS now will always compile and its own getpass() function (originally from
GNULIB) in favor of any system one that may exist.  This avoids some problems
with long passwords on some systems and updates us to POSIX.2 compliance, since
getpass() was removed from the POSIX.2 specification.

* A bug that allowed a write lock to be created in a directory despite
there being existing read locks when using LockDir in CVSROOT/config has
been fixed.

* A bug with short patches (`rdiff -s') which caused rdiff to sometimes report
differences that did not exist has been fixed.

* Some minor corrections were made to the diff code to keep diff & rdiff from
printing diff headers with empty change texts when two files have different
revision numbers but the same content.

* The global '-l' option, which suppressed history logging, has been removed
from both client and server.

Changes from 1.11.5 to 1.11.6:

* A warning message is now issued if an administrative file contains
more than one DEFAULT entry.

* An error running a verifymsg script (such as referencing an unset user
variable or the script not existing) now causes the verification to
fail.

* Errors in administrative files commands (like unset user variables)
are no longer reported unless the command is actually executed.

* When a file is initially checked out, its last access time is now set
to the current time rather than being set to the time the file was last
checked in like the modification time is.

* The Checkin.prog and Update.prog functionality has been removed.  This
fuctionality previously allowed executables to be specified in the modules file
to be run at update and checkin time, but users could edit these files on a per
workspace basis, creating a security hole.

* contrib/rcs2log and src/cvsbug now use the BSD mktemp program to create
their temp files and directories on systems which provide it.

* Corrected the path in a failed write error message.

* Autoconf and Automake are no longer run automatically unless you run
configure with --enable-maintainer-mode.  Accordingly, noautomake.sh is
no longer needed and has been removed.

* We've standardized on Automake version 1.7.5 and Autoconf version 2.57 to get
at a few new macros.  Again, this should only really affect developers.  See
the section of the INSTALL file about using the autotools if you are compiling
CVS yourself.

Changes from 1.11.4 to 1.11.5:

* Fixed a security hole in the CVS server by which users with read only access
could gain write access.  This issue does not affect client builds.  The
Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the
name CAN-2003-0015 to this issue.  See
<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0015> for more
information.

* Fixed some bugs where revision numbers starting with 0 (like 0.3)
weren't correctly handled.  (CVS doesn't normally use such revision
numbers, but users may be able to force it to do so and old RCS files
might.)

Changes from 1.11.3 to 1.11.4:

* Some minor changes to allow the code to compile on Windows platforms.

Changes from 1.11.2 to 1.11.3:

* The tag/rtag code has been fixed to once again lock just a single
directory at a time.

* There was a bug where certain error conditions could cause the server
to go into an infinite loop.  There was also a bug that caused a
compressed connection from an older client to hang on shutdown.  These
bugs have been fixed.

* Fixed a bug that caused the server to reject most watch commands.

* When waiting for another user's lock, the message timestamps are now
in UTC rather than the server's local time.

* The options.h file is no longer used.  This fixes a bug that occurred when
1.11.2 was compiled on Windows platforms.

* We've standardized on Automake version 1.6.3 and Autoconf version 2.53.
They are cleaner, less bug prone, and will hopfully allow me to start updating
sanity.sh to use Autotest and Autoshell.  Again, this should only really affect
developers.  See the section of the INSTALL file about using the autotools if
you are compiling CVS yourself.

* Fixed a bug in the log/rlog code when a revision range crosses a
branch point.

* Fixed a bug where filenames starting with - would be misinterpreted as
options when using client/server mode.

Changes from 1.11.1p1 to 1.11.2:

* There is a new feature, enabled by RereadLogAfterVerify in CVSROOT/config,
which tells CVS to reread the log message after running the verifymsg
script.  This allows the verifymsg script to reformat or otherwise
modify the log message.

* The interpretation of revision ranges using :: in "log" and "rlog"
has changed: a::b now excludes the log message from revision a but
includes the log message from revision b.  Also, revision ranges that
cross branch points should now work.

* zlib has been updated to version 1.4.  There is a security advisory
out in regards to 1.3.  This should fix that problem.

* The "log" and "rlog" commands now have a -S option to suppress the
header information when no revisions are selected.

* A serious error that allowed read-only users to tag files has been
corrected.

* The "annotate" command will no longer annotate binary files unless
you specify the new -F option.

* The "tag" and "rtag" commands will no longer move or delete branch
tags unless you use the new -B option.  (This prevents accidental
changes to branch tags that are hard to undo.)

* We've standardized on the 1.5 Automake release for the moment.  Again, this
should only really affect developers.  See the section of the INSTALL file
about using the autotools if you are compiling CVS yourself.

Changes from 1.11.1 to 1.11.1p1:

* Read only access was broken - now fixed.

Changes from 1.11 to 1.11.1:

* There was a locking bug in the tag/rtag code that could lose changes
made to a file while the tag operation was in progress.  This has been
fixed, but all of the directories being tagged are now locked for the
entire duration of the tag operation rather than only one directory at a
time.

* The "cvs diff" command now accepts the -y/--side=by-side and -T/
--initial-tab options.  (To use these options with a remote repository,
both the client and the server must support them.)

* The expansion of the loginfo format string has changed slightly. 
Previously, the expansion was surrounded by single quotes ('); if a file
name contained a single quote character, the string would not be parsed
as a single entity by the Unix shell (and it would not be possible to
parse it unambiguously).  Now the expansion is surrounded by double
quotes (") and any embedded dollar signs ($), backticks (`), backslashes
(\), and double quotes are preceded by a backslash.  This is parsed as a
single entity by the shell reguardless of content.  This change should
not be noticable unless you're not using a Unix shell or you have
embedded the format string inside a double quoted string.

* There was a bug in the diff code which sometimes caused conflicts to
be flagged which shouldn't have been.  This has been fixed.

* New "cvs rlog" and "cvs rannotate" commands have been added to get log
messages and annotations without having to have a checked-out copy.

* Exclusive revision ranges have been added to "cvs log" using ::
(similar to "cvs admin -o").

* The VMS client now accepts wildcards if you're running VMS 7.x.

* ZLIB has been updated to version 1.1.3, the most current version.  This
includes mostly some optimizations and minor bug fixes.

* The ~/.cvspass file has a slightly modified format.  CVSROOTs are now
stored in a new canonical form - hostnames are now case insensitive and
port numbers are always stored in the new format.  Until a new login for
a particular CVSROOT is performed with the new version of CVS, new and
old versions of CVS should interoperate invisibly.  After that point, an
extra login using the old version of CVS may be necessary to continue to
allow the new and old versions of CVS to interoperate using the same
~/.cvspass file and CVSROOT. The exception to this rule occurs when the
CVSROOTs used with the different versions use case insensitively
different hostnames, for example, "empress", and "empress.2-wit.com".

* A password and a port number may now be specified in CVSROOT for
pserver connections.  The new format is:

    :pserver:[[user][:password]@]host[:[port]]/path

Note that passwords specified in a checkout command will be saved in the
clear in the CVS/Root file in each created directory, so this is not
recommended, except perhaps when accessing anonymous repositories or the
like.

* The distribution has been converted to use Automake.  This shouldn't
affect most users except to ease some portability concerns, but if you
are building from the repository and encounter problems with the
makefiles, you might try running ./noautomake.sh after a fresh update
-AC.

Changes from 1.10 to 1.11:

* The "cvs update" command has a new -C option to get clean copies from
the repository, abandoning any local changes.

* The new "cvs version" command gives a short version message.  If
the repository is remote, both the client and server versions are
reported.

* "cvs admin -t" now works correctly in client/server mode.

* The "cvs history" command output format has changed -- the date
now includes the year and is given is ISO 8601 format (yyyy-mm-dd).
Also, the new LogHistory option in CVSROOT/config can be used to
control what information gets recorded in the log file and code has
been added to record file removals.

* The buggy PreservePermissions code has been disabled.

* Anonymous read-only access can now be done without requiring a
password.  On the server side, simply give that user (presumably
`anonymous') an empty password in the CVSROOT/passwd file, and then
any received password will authenticate successfully.

* There is a new access method :fork: which is similar to :local:
except that it is implemented via the CVS remote protocol, and thus
has a somewhat different set of quirks and bugs.

* The -d command line option no longer updates the CVS/Root file.  For
one thing, the CVS 1.9/1.10 behavior never had updated CVS/Root in
subdirectories, and for another, it didn't seem that popular in
general.  So this change restores the CVS 1.8 behavior (which is also
the CVS 1.9/1.10 behavior if the environment variable
CVS_IGNORE_REMOTE_ROOT is set; with this change,
CVS_IGNORE_REMOTE_ROOT no longer has any effect).

* It is now possible for a single CVS command to recurse into several
CVS roots.  This includes roots which are located on several servers,
or which are both remote and local.  CVS will make connections to as
many servers as necessary.

* It is now possible to put the CVS lock files in a directory
set by the new LockDir option in CVSROOT/config.  The default
continues to be to put the lock files in the repository itself.

Changes from 1.9 to 1.10:

* A bug was discovered in the -t/-f wrapper support that can cause
serious data loss.  Because of this (and also the fact that it doesn't
work at all in client/server mode), the -t/-f wrapper code has been
disabled until it can be fixed.

* There is a new feature, enabled by TopLevelAdmin in CVSROOT/config,
which tells CVS to modify the behavior of the "checkout" command.  The
command now creates a CVS directory at the top level of the new
working directory, in addition to CVS directories created within
checked-out directories.  See the Cederqvist for details.

* There is an optional set of features, enabled by PreservePermissions
in CVSROOT/config, which allow CVS to store unix-specific file
information such as permissions, file ownership, and links.  See the
Cederqvist for details.

* One can now authenticate and encrypt using the GSSAPI network
security interface.  For details see the Cederqvist's description of
specifying :gserver: in CVSROOT, and the -a global option.

* All access to RCS files is now implemented internally rather than by
calling RCS programs.  The main user-visible consequence of this is
that there is no need to worry about making sure that CVS finds the
correct version of RCS.  The -b global option and the RCSBIN setting
in CVSROOT/config are still accepted but don't do anything.  The
$RCSBIN internal variable in administrative files is no longer
accepted.

* There is a new syntax, "cvs admin -orev1::rev2", which collapses the
revisions between rev1 and rev2 without deleting rev1 or rev2
themselves.

* There is a new administrative file CVSROOT/config which allows one
to specify miscellaneous aspects of CVS configuration.  Currently
supported here:

  - SystemAuth, allows you to prevent pserver from checking for system
  usernames/passwords.

For more information see the "config" section of cvs.texinfo.

* When setting up the pserver server, one now must specify the
allowable CVSROOT directories in inetd.conf.  See the Password
authentication server section of cvs.texinfo for details.  Note that
this implies that everyone who is running a pserver server must edit
inetd.conf when upgrading their CVS.

* The client no longer needs an external patch program (assuming both
the client and the server have been updated to the new version).

* "cvs admin [options]" will now recurse.  In previous versions of
CVS, it was an error and one needed to specify "cvs admin [options] ."
to recurse.  This change brings admin in line with the other CVS
commands.

* New "logout" command to remove the password for a remote cvs
repository from the cvspass file.

* Read-only repository access is implemented for the
password-authenticated server (other access methods are just governed
by Unix file permissions, since they require login access to the
repository machine anyway).  See the "Repository" section of
cvs.texinfo for details, including a discussion of security issues.
Note that the requirement that read-only users be able to create locks
and write the history file still applies.

* There is a new administrative file verifymsg which is like editinfo
but merely validates the message, rather than also getting it from the
user.  It therefore works with client/server CVS or if one uses the -m
or -F options to commit.  See the verifymsg section of cvs.texinfo for
details.

* The %s format formerly accepted in loginfo has been extended to
formats such as %{sVv}, so that loginfo scripts have access to the
version numbers being changed.  See the Loginfo section of cvs.texinfo
for details.

* The postscript documentation (doc/cvs.ps) shipped with CVS is now
formatted for US letter size instead of A4.  This is not because we
consider this size "better" than A4, but because we believe that the
US letter version will print better on A4 paper than the other way
around.

* The "cvs export" command is now logged in the history file and there
is a "cvs history -x E" command to select history file entries
produced by export.

* CVS no longer uses the CVS_PASSWORD environment variable.  Storing
passwords in cleartext in an environment variable is a security risk,
especially since (on BSD variants) any user on the system can display
any process's environment using 'ps'.  Users should use the 'cvs
login' command instead.


Changes from 1.8 to 1.9:

* Windows NT client should now work on Windows 95 as well.

* New option "--help-synonyms" prints a list of all recognized command
synonyms.

* The "log" command is now implemented internally rather than via the
RCS "rlog" program.  The main user-visible consequence is that
symbolic branch names now work (for example "cvs log -rbranch1").
Also, the date formats accepted by -d have changed.  They previously
had been a bewildering variety of poorly-documented date formats.  Now
they are the same as the date formats accepted by the -D options to
the other CVS commands, which is also a (different) bewildering
variety of poorly-documented date formats, but at least we are
consistently bewildering :-).

* Encryption is now supported over a Kerberos client/server
connection.  The new "-x" global option requests it.  You must
configure with the --enable-encryption option in order to enable
encryption.

* The format of the CVS commit message has changed slightly when
committing changes on a branch.  The tag on which the commit is
ocurring is now reported correctly in all cases.

* New flag -k in wrappers allows you to specify the keyword expansion
mode for added files based on their name.  For example, you can
specify that files whose name matches *.exe are binary by default.
See the Wrappers section of cvs.texinfo for more details.

* Remote CVS with the "-z" option now uses the zlib library (included
with CVS) to compress all communication between the client and the
server, rather than invoking gzip on each file separately.  This means
that compression is better and there is no need for an external gzip
program (except to interoperate with older version of CVS).

* The "cvs rlog" command is deprecated and running it will print a
warning; use the synonymous "cvs log" command instead.  It is
confusing for rlog to mean the same as log because some other CVS
commands are in pairs consisting of a plain command which operates on
a working directory and an "r" command which does not (diff/rdiff;
tag/rtag).

* "cvs diff" has a bunch of new options, mostly long options.  Most of
these work only if rcsdiff and diff support them, and are named the
same as the corresponding options to diff.

* The -q and -Q command options to "cvs diff" were removed (use the
global options instead).  This brings "cvs diff" into line with the
rest of the CVS commands.

* The "annotate" command can now be used to annotate a revision other
than the head revision on the trunk (see the -r, -D, and -f options in
the annotate node of cvs.texinfo for details).

* The "tag" command has a new option "-c" which checks that all files
  are not locally modified before tagging.

* The -d command line option now overrides the cvsroot setting stored
in the CVS/Root file in each working directory, and specifying -d will
cause CVS/Root to be updated.

* Local (non-client/server) CVS now runs on Windows NT.  See
windows-NT/README for details.

* The CVSROOT variable specification has changed to support more
access methods.  In addition to "pserver," "server" (internal rsh
client), "ext" (external rsh client), "kserver" (kerberos), and
"local" (local filesystem access) can now be specified.  For more
details on each method, see cvs.texinfo (there is an index entry for
:local: and each of the other access methods).

* The "login" command no longer prompts the user for username and
hostname, since one will have to provide that information via the `-d'
flag or by setting CVSROOT.

Changes from 1.7 to 1.8:

* New "cvs annotate" command to display the last modification for each
line of a file, with the revision number, user checking in the
modification, and date of the modification.  For more information see
the `annotate' node in cvs.texinfo.

* The cvsinit shell script has been replaced by a cvs init command.
The cvs init command creates some example administrative files which
are similar to the files found in the examples directory (and copied
by cvsinit) in previous releases.

* Added the patterns *.olb *.exe _$* *$ to default ignore list.

* There is now a $USER internal variable for *info files.

* There is no longer a separate `mkmodules' program; the functionality
is now built into `cvs'.  If upgrading an old repository, it is OK to
leave in the lines in the modules file which run mkmodules (the
mkmodules actions will get done twice, but that is harmless); you will
probably want to remove them once you are no longer using the old CVS.

* One can now specify user variables in *info files via the
${=varname} syntax; there is a -s global option to set them.  See the
Variables node in cvs.texinfo for details.

Changes from 1.6 to 1.7:

* The default ignore list has changed slightly: *.obj has been added
and CVS* has been changed to CVS CVS.adm.

* CVS now supports password authentication when accessing remote
repositories; this is useful for sites that can't use rsh (because of
a firewall, for example), and also don't have kerberos.  See node
"Password authenticated" (in "Remote repositories", in
doc/cvs.texinfo) for more details.  Note: This feature requires both
the client and server to be upgraded.

* Using the -kb option to specify binary files now works--most cases
did not work before.  See the "Binary files" section of
doc/cvs.texinfo for details.

* New developer communication features.  See the "Watches" section of
doc/cvs.texinfo for details.

* RCS keyword "Name" supported for "cvs update -r <tag>" and "cvs
checkout -r <tag>".

* If there is a group whose name matches a compiled in value which
defaults to "cvsadmin", only members of that group can use "cvs
admin".  This replaces the CVS_NOADMIN option.

* CVS now sets the modes of files in the repository based on the
CVSUMASK environment variable or a compiled in value defaulting to
002.  This way other developers will be able to access the files in
the repository regardless of the umask of the developer creating them.

* The command names in .cvsrc now match the official name of the
command, not the one (possibly an alias) by which it was invoked.  If
you had previously relied on "cvs di" and "cvs diff" using different
options, instead use a shell function or alias (for example "alias
cvsdi='cvs diff -u'").  You also can specify global CVS options (like
"-z") using the command name "cvs".

Changes from 1.5 to 1.6:

* Del updated the man page to include all of the new features
of CVS 1.6.

* "cvs tag" now supports a "-r | -D" option for tagging an already
tagged revision / specific revision of a file.

* There is a "taginfo" file in CVSROOT that supports filtering and
recording of tag operations.

* Long options support added, including --help and --version options.

* "cvs release" no longer cares whether or not the directory being
released has an entry in the `modules' file.

* The modules file now takes a -e option which is used instead of -o
for "cvs export".  If your modules file has a -o option which you want
to be used for "cvs export", change it to specify -e as well as -o.

* "cvs export" now takes a -k option to set RCS keyword expansion.
This way you can export binary files.  If you want the old behavior,
you need to specify -kv.

* "cvs update", "cvs rdiff", "cvs checkout", "cvs import", "cvs
release", "cvs rtag", and "cvs tag" used to take -q and -Q options
after the command name (e.g. "cvs update -q").  This was confusing
because other commands, such as "cvs ci", did not.  So the options
after the command name have been removed and you must now specify, for
example, "cvs -q update", which has been supported since CVS 1.3.

* New "wrappers" feature.  This allows you to set a hook which
transforms files on their way in and out of cvs (apparently on the
NeXT there is some particular usefulness in tarring things up in the
repository).  It also allows you to declare files as merge-by-copy
which means that instead of trying to merge the file, CVS will merely
copy the new version.  There is a CVSROOT/cvswrappers file and an
optionsl ~/.cvswrappers file to support this feature.

* You can set CVSROOT to user@host:dir, not just host:dir, if your
username on the server host is different than on the client host.

* VISUAL is accepted as well as EDITOR.

* $CVSROOT is expanded in *info files.

Changes from 1.4A2 to 1.5:

* Remote implementation.  This is very helpful when collaborating on a
project with someone across a wide-area network.  This release can
also be used locally, like other CVS versions, if you have no need for
remote access.

Here are some of the features of the remote implementation:
- It uses reliable transport protocols (TCP/IP) for remote repository
  access, not NFS.  NFS is unusable over long distances (and sometimes
  over short distances)
- It transfers only those files that have changed in the repository or
  the working directory.  To save transmission time, it will transfer
  patches when appropriate, and can compress data for transmission.
- The server never holds CVS locks while waiting for a reply from the client;
  this makes the system robust when used over flaky networks.

The remote features are documented in doc/cvsclient.texi in the CVS
distribution, but the main doc file, cvs.texinfo, has not yet been
updated to include the remote features.

* Death support.  See src/README-rm-add for more information on this.

* Many speedups, especially from jtc@cygnus.com.

* CVS 1.2 compatibility code has been removed as a speedup.  If you
have working directories checked out by CVS 1.2, CVS 1.3 or 1.4A2 will
try to convert them, but CVS 1.5 and later will not (if the working
directory is up to date and contains no extraneous files, you can just
remove it, and then check out a new working directory).  Likewise if
your repository contains a CVSROOT.adm directory instead of a CVSROOT
directory, you need to rename it.

Fri Oct 21 20:58:54 1994  Brian Berliner  <berliner@sun.com>

	* Changes between CVS 1.3 and CVS 1.4 Alpha-2

	* A new program, "cvsbug", is provided to let you send bug reports
	directly to the CVS maintainers.  Please use it instead of sending
	mail to the info-cvs mailing list.  If your build fails, you may
	have to invoke "cvsbug" directly from the "src" directory as
	"src/cvsbug.sh".

	* A new User's Guide and Tutorial, written by Per Cederqvist
	<ceder@signum.se> of Signum Support.  See the "doc" directory.  A
	PostScript version is included as "doc/cvs.ps".

	* The Frequesntly Asked Questions file, FAQ, has been added to the
	release.  Unfortunately, its contents are likely out-of-date.

	* The "cvsinit" shell script is now installed in the $prefix/bin
	directory like the other programs.  You can now create new
	CVS repositories with great ease.

	* Index: lines are now printed on output from 'diff' and 'rdiff',
	in order to facilitate application of patches to multiple subdirs.

	* Support for a ~/.cvsrc file, which allows you to specify options
	that are always supposed to be given to a specific command.  This
	feature shows the non-orthogonality of the option set, since while
	there may be an option to turn something on, the option to turn
	that same thing off may not exist.

	* You can now list subdirectories that you wish to ignore in a
	modules listing, such as:

		gcc  -a gnu/gcc, !gnu/gcc/testsuites

	which will check out everything underneath gnu/gcc, except
	everything underneath gnu/gcc/testsuites.

	* It is now much harder to accidentally overwrite an existing tag
	name, since attempting to move a tag name will result in a error,
	unless the -F (forc…