Home Business IT Open Source Upstream vendors can harm small projects: OpenBSD dev

What do you propose as a solution to keep projects that are smaller from being crowded out? Or is there no hope at all?

Well, the "crowding out" part definitely wasn't mine. Maybe people should realize that Linux hasn't "won", if there was anything to win. Contrary to what people in lwn.net (Linux Weekly News, a website which wrote about Espie's post without contacing him) did say, there's still a lot of innovation in OpenBSD, and in other BSDs too.

We don't talk about it too much, but seriously, we're still doing real security. You know, not the kind where you add a bunch of stuff on top of a UNIX OS and give a UNIX administrator enough to shoot themselves in the foot ten times over. I still don't get it. Who still thinks that by adding layers and layers of shit to "control" access rights you will get a better system. Capabilities? Everybody is still laughing hard at the old sendmail "compromise".

PAM? Give me a distribution name which never had a major stupid security hole due to PAM. The one reason we still don't have PAM is that THAT security model is flawed. Yes, big corporations and their management will wank all over it. But seriously? A system where you can so easily confuse rights that every distribution got it wrong at some point? And that's secure? Come on. (also, it's a well known non-secret that properly configuring stuff like GRsecurity of SElinux is a full-time job, and that you will often end up disabling it for anything but the most critical stuff, because the added security model doesn't fit with the basic UNIX programming model AT ALL).

Adding sexy features is the easy part. stack protection, W^X, pie. The hard part is making it work, all the way through. Most projects out there have some critical bug-fixes that come from OpenBSD. That includes GCC, KDE, GNOME, Xorg, rsync, Emacs, LibreOffice (I could expand on that list, but I can definitely remember specific bugs in each of these that we had to fix to get those security features to work)

Buffer overflows, buffer underflows, logic errors you name it.

Sometimes, this goes incredibly slow, and this is infuriating. I was involved in several big changes in OpenBSD that took a few releases to polish. In many cases, it got in, we ran into a critical BUG in some external 3rd party software, and it took a lot of time to fix all the 3rd party.

Want a current example? True memory randomization. It breaks all the JITs out there. Both Javascript V8 and all the JDKs expect all their allocated memory to fit within a 2G block of memory... yep, they encode pointer differences into 32 bits integers.

One fun thing about it is that Webkit "works around it" by allocating a big blob of 2G upfront for V8. The irony being that, these days, the browser is the most sensitive part of the desktop, BY FAR, and that you won't get anywhere if you disable Javascript. So you're trusting all your security to a JIT compiler that HAS to have a big blob of 2G of contiguous memory, and hoping there's no hole in there that can lead to running arbitrary code in there ? Like, come on... yeah, it's probably some fairly complicated exploits, and I'm too lazy to even try to write them, but are you sure you're perfectly safe ?

I believe there is hope. Especially since there are several "small" projects out there which can contribute stuff. And heck, Linux isn't sooo sure of its future life anyways. Some vendors are still distributing closed source drivers, and Linux users, as a rule, are fairly complacent about it.

And hey, maybe it's Linux that's going to get crowded out by Android (yeah, I know, it's a Linux kernel. So what? Mac OSX is a BSD kernel for the most part).

If something is not done how is the scenario going to look five or 10 years from now?

I have no idea. I am certain of one thing: a wealthy open source ecosystem benefits from a bit more diversity than just pure Linux and the GPL. Looking at the past, without OpenBSD, you would have no OpenSSH, no bgpd, no pf.

There are some cases where going to the GPL and the GNU build system, like xorg has done, is a step backwards toward isolation.

 

WEBINAR 7th May 11am - WOW 802.11

Learn how Ruckus Redefines High-Speed, High Capacity Wi-Fi with Industry’s First 802.11ac Wave 2 Access Point

THIS IS ONE NOT TO MISS SO REGISTER NOW

DON'T MISS OUT - REGISTER NOW!

FREE WHITEPAPER - RISKS OF MOVING DATABASES TO VMWARE

VMware changed the rules about the server resources required to keep a database responding

It's now more difficult for DBAs to see interaction between the database and server resources

This whitepaper highlights the key differences between performance management between physical and virtual servers, and maps out the five most common trouble spots when moving production databases to VMware

1. Innacurate metrics
2. Dynamic resource allocation
3. No control over Host Resources
4. Limited DBA visibility
5. Mutual ignorance

Don't move your database to VMware before learning about these potential risks, download this FREE Whitepaper now!

DOWNLOAD!

Sam Varghese

website statistics

A professional journalist with decades of experience, Sam for nine years used DOS and then Windows, which led him to start experimenting with GNU/Linux in 1998. Since then he has written widely about the use of both free and open source software, and the people behind the code. His personal blog is titled Irregular Expression.

Connect