DaemonForums  

Old 19th June 2012
ocicat ocicat is offline
Administrator
 
Join Date: Apr 2008
Posts: 2,888
Thanked 190 Times in 160 Posts
Default

Quote:
Originally Posted by daemonfowl View Post
That's unethical
Maybe, maybe not. We don't have all the details, nor is it likely we ever will.

A lot of Open Source development is done for free -- which sounds nice, but developers need to make a living too in order to support themselves & their families. Most any form of development takes a substantial amount of time, so it is always a balancing act between finding employment, keeping overseeing management happy, & making progress on both Open Source interests as well as work which generates income. Finding balance amongst all of these opposing forces is a hard & constant dance. It is not uncommon to short some tasks in order to get others done more quickly. These are the realities of software development everywhere.

The point you should take from this is that the development process is complicated & hazy at best. It is difficult to impossible to know in advance how much time any piece of work will take to complete, & some will do certain tasks more quickly than others.

Does the OpenBSD project require developers to make commitments to what work they will complete? I don't know. From a project management standpoint, I suspect Theo tries to stay on top of anticipated goals along with actual progress made, however, I doubt that any agreement made with individual developers is legally binding. Do developers change jobs while still being official project developers with commit status? I'm sure the answer is yes. Changing jobs is a fact of the industry. Does this change how much time developers can provide to the OpenBSD project? Yes.

So, what is different about Conformal? I don't know other than that a number of experienced OpenBSD project developers have gone to work there, & as a result have left the project altogether. I am sure Theo is not pleased with the number of people leaving, & he is openly voicing displeasure. Could these developers have worked for Conformal AND still be OpenBSD developers?

This question is even harder to answer, & I certainly do not know all details. What you should take away from reading the misc@ thread is that there are some very strong personalities involved who are OpenBSD developers. This is true of most development efforts. Some of those who have broken away to start Conformal also have strong personalities. Currently the two sides disagree, & each has a position they believe is correct. Maybe one is more correct than the other, I don't know.

As we have attempted to allude to here, the differences are large enough between people with sufficiently strong personalities that resolution is not going to happen quickly if ever. I also believe the situation is complicated enough to make labeling as "unethical" far too simplistic a response. We don't know everything involved, & we aren't likely to ever know all the details. Being outsiders, it really isn't any of our business to probe any further other than read what is publicly stated.

All any of us can say with certainty is that it is an unfortunate event for both sides. Nothing more.
Old 19th June 2012
backrow backrow is offline
Real Name: Anthony J. Bentley
Shell Scout
 
Join Date: Jul 2009
Location: Albuquerque, NM
Posts: 116
Thanked 10 Times in 4 Posts
Default

Quote:
Originally Posted by ocicat View Post
As we have attempted to allude to here, the differences are large enough between people with sufficiently strong personalities that resolution is not going to happen quickly if ever.
People probably said the same about NetBSD vs. OpenBSD. There are occasional people who haven’t gotten over that, but I think on the whole things have mended, and there is once again some level of collaboration between the two. I just hope the same happens here.
Quote:
Originally Posted by ocicat View Post
All any of us can say with certainty is that it is an unfortunate event for both sides. Nothing more.
Yes, I agree.
__________________
Many thanks to the forum regulars who put time and effort into helping others solve their problems.
Old 19th June 2012
daemonfowl daemonfowl is offline
bsdstudent
 
Join Date: Jan 2012
Location: DaemonLand
Posts: 834
Thanked 0 Times in 0 Posts
Default

Sir ocicat, thank you so much for the interesting post. Yes, they are great men! Who can deny this?
Theo disapproved - not of the fork itself - but of the way it has been done: underhand.
As a simple OpenBSD user/enthusiast, I consider Theo on top of those great men. I first saw him on a Business Channel talking to Howard Green, who was astonished at him being the first project leader who's not motivated by money. Dialectically then, what could have motivated Theo and Team all these years? The backdoor incident & how Theo responded to it showed something about it. Some men are not for sale. They can sell the world for an ideal.
And we have to support those to preserve that ideal.
Old 17th July 2012
denta denta is offline
Fdisk Soldier
 
Join Date: Nov 2009
Posts: 73
Thanked 0 Times in 0 Posts
Default

Quote:
Originally Posted by gpatrick View Post
the fewer number of vulnerabilities in OpenBSD is statistically insignificant.
Are you saying that OpenBSD having fewer vulnerabilities year after year is just a random occurrence?
Old 17th July 2012
gpatrick gpatrick is offline
Shell Scout
 
Join Date: Nov 2009
Posts: 119
Thanked 0 Times in 0 Posts
Default

I'm only comparing numbers. But the fact remains that OpenBSD while great for firewalls or routers is really marginalized in some aspects by advancing technologies.

If you have a 1TB disk and install OpenBSD then you likely will have a lot of wasted disk because OpenBSD will not add virtualization such as FreeBSD Jails or Solaris Zones. Theo can rant all he wants that virtualization leads to vulnerabilities and therefore he refuses to incorporate it. But looking at the numbers, AIX and FreeBSD have virtualization in the base OS and by the numbers it doesn't matter.

OpenBSD may also have a web server in the base install, but it is Apache 1.3. Does it really matter that the Apache code has been audited and may have had some code changes for it to be in the base install, since that version is mostly a relic?

They claim only two remote holes in the base install, which is great, but as outlined in two cases above, once the server adds additional software such as a newer Apache or something else, those claims become less relevant. And what they do for security, which at one time may have been cutting edge (ProPolice, W^X), other OS's have adopted them too.

It is my firewall and mail server, but to continue making such claims while refusing to merge newer technologies what does it matter given that others have statistically no more vulnerabilities but offer more flexibility?
Old 18th July 2012
backrow backrow is offline
Real Name: Anthony J. Bentley
Shell Scout
 
Join Date: Jul 2009
Location: Albuquerque, NM
Posts: 116
Thanked 10 Times in 4 Posts
Default

Quote:
Originally Posted by gpatrick View Post
I'm only comparing numbers. But the fact remains that OpenBSD while great for firewalls or routers is really marginalized in some aspects by advancing technologies.
This is true in some respects. OpenBSD could use some more love in a few areas. Volunteers are appreciated ☺

Quote:
Originally Posted by gpatrick View Post
OpenBSD may also have a web server in the base install, but it is Apache 1.3. Does it really matter that the Apache code has been audited and may have had some code changes for it to be in the base install, since that version is mostly a relic?
Indeed, Apache 1.3 is old. Recent versions of OpenBSD have nginx in the base install as well.

Quote:
Originally Posted by gpatrick View Post
They claim only two remote holes in the base install, which is great, but as outlined in two cases above, once the server adds additional software such as a newer Apache or something else, those claims become less relevant. And what they do for security, which at one time may have been cutting edge (ProPolice, W^X), other OS's have adopted them too.

It is my firewall and mail server, but to continue making such claims while refusing to merge newer technologies what does it matter given that others have statistically no more vulnerabilities but offer more flexibility?
Such as the recent sysret vulnerability that affected FreeBSD and NetBSD, but not OpenBSD?
Old 18th July 2012
gpatrick gpatrick is offline
Shell Scout
 
Join Date: Nov 2009
Posts: 119
Thanked 0 Times in 0 Posts
Default

Quote:
Such as the recent sysret vulnerability that affected FreeBSD and NetBSD, but not OpenBSD?
That is incorrect.
http://marc.info/?l=openbsd-misc&m=134004484816443&w=2
Old 18th July 2012
daemonfowl daemonfowl is offline
bsdstudent
 
Join Date: Jan 2012
Location: DaemonLand
Posts: 834
Thanked 0 Times in 0 Posts
Default

Who's still using 4.9 or earlier?
Old 18th July 2012
vermaden vermaden is offline
Administrator
 
Join Date: Apr 2008
Location: pl_PL.lodz
Posts: 1,052
Thanked 118 Times in 93 Posts
Default

@daemonfowl

It does not matter, it does show that OpenBSD has got the same vulnerability as others, nothing special about OpenBSD's security policy here.
__________________
religions, worst damnation of mankind
"If 386BSD had been available when I started on Linux, Linux would probably never had happened." Linus Torvalds

Linux is not UNIX! Face it! It is not an insult. It is fact: GNU is a recursive acronym for “GNU's Not UNIX”.
Old 19th July 2012
angryfirelord angryfirelord is offline
Port Guard
 
Join Date: Jul 2008
Posts: 20
Thanked 0 Times in 0 Posts
Default

Quote:
They claim only two remote holes in the base install, which is great, but as outlined in two cases above, once the server adds additional software such as a newer Apache or something else, those claims become less relevant. And what they do for security, which at one time may have been cutting edge (ProPolice, W^X), other OS's have adopted them too.
To add to it (I haven't used OpenBSD very much), they encourage the use of binary packages, but they don't update them until the next release (or running -current, which you wouldn't do on a server). The index doesn't show anything changed past February 13th.

Granted, the same thing is there on the FreeBSD release packages, but you at least have the option with ports or tracking -stable.
Old 19th July 2012
daemonfowl daemonfowl is offline
bsdstudent
 
Join Date: Jan 2012
Location: DaemonLand
Posts: 834
Thanked 0 Times in 0 Posts
Default

Angry hackers are always invited to discover *more* security holes and express their moral right to help advance IT and Sec, or their human right to undermine a reputation .. :-)
Many forget the size of the project and just want it to provide full security+bleeding edge tech+all that every soul would want:
"You can have anything you waaaaant,
You can drift you can dream even walk on water anything you want .."
(What Do You Want from Me, Pink Floyd)
Until then, OpenBSD is what it claims to be: FFS, Free/Functional/Secure.
Old 21st July 2012
backrow backrow is offline
Real Name: Anthony J. Bentley
Shell Scout
 
Join Date: Jul 2009
Location: Albuquerque, NM
Posts: 116
Thanked 10 Times in 4 Posts
Default

Quote:
Originally Posted by gpatrick View Post
My mistake, I misinterpreted that email when I first read it.

Nonetheless, OpenBSD does still have unique security features that others don’t. For instance, it has several extra malloc() options and other memory protections that are extremely helpful at flushing out bugs. I once tried to run some NetBSD code (encryption code, no less!) on OpenBSD, but it crashed instantly. There were several double free()s and reads past the end of buffers, yet the program ran without complaint on NetBSD. I sent the fixes upstream, of course ☺
Quote:
Originally Posted by angryfirelord View Post
To add to it (I haven't used OpenBSD very much), they encourage the use of binary packages, but they don't update them until the next release (or running -current, which you wouldn't do on a server). The index doesn't show anything changed past February 13th.
Unfortunately, this is a manpower issue; everybody agrees -stable port upgrades would be nice, but most developers use -current and are unwilling to downgrade to maintain packages there…
Old 26th July 2012
vermaden vermaden is offline
Administrator
 
Join Date: Apr 2008
Location: pl_PL.lodz
Posts: 1,052
Thanked 118 Times in 93 Posts
Default

Quote:
Originally Posted by backrow View Post
Such as the recent sysret vulnerability that affected FreeBSD and NetBSD, but not OpenBSD?
So the OpenBSD team patched that vulnerability in the 2nd half of 2011 (OpenBSD 5.0 is from 2011/11/01) but Linux seems to have patched [1] that in 2006, 5 years earlier than OpenBSD.

But does that mean that Linux is more secure than OpenBSD?

[1] http://www.esecurityplanet.com/windo...six-years.html