Home Business IT Open Source Upstream vendors can harm small projects: OpenBSD dev
Get all your tech news delivered to your mail box five days a week
iTWire UPDATE - it's FREE!


What do you propose as a solution to keep projects that are smaller from being crowded out? Or is there no hope at all?

Well, the "crowding out" part definitely wasn't mine. Maybe people should realize that Linux hasn't "won", if there was anything to win. Contrary to what people in lwn.net (Linux Weekly News, a website which wrote about Espie's post without contacing him) did say, there's still a lot of innovation in OpenBSD, and in other BSDs too.

We don't talk about it too much, but seriously, we're still doing real security. You know, not the kind where you add a bunch of stuff on top of a UNIX OS and give a UNIX administrator enough to shoot themselves in the foot ten times over. I still don't get it. Who still thinks that by adding layers and layers of shit to "control" access rights you will get a better system. Capabilities? Everybody is still laughing hard at the old sendmail "compromise".

PAM? Give me a distribution name which never had a major stupid security hole due to PAM. The one reason we still don't have PAM is that THAT security model is flawed. Yes, big corporations and their management will wank all over it. But seriously? A system where you can so easily confuse rights that every distribution got it wrong at some point? And that's secure? Come on. (also, it's a well known non-secret that properly configuring stuff like GRsecurity of SElinux is a full-time job, and that you will often end up disabling it for anything but the most critical stuff, because the added security model doesn't fit with the basic UNIX programming model AT ALL).

Adding sexy features is the easy part. stack protection, W^X, pie. The hard part is making it work, all the way through. Most projects out there have some critical bug-fixes that come from OpenBSD. That includes GCC, KDE, GNOME, Xorg, rsync, Emacs, LibreOffice (I could expand on that list, but I can definitely remember specific bugs in each of these that we had to fix to get those security features to work)

Buffer overflows, buffer underflows, logic errors you name it.

Sometimes, this goes incredibly slow, and this is infuriating. I was involved in several big changes in OpenBSD that took a few releases to polish. In many cases, it got in, we ran into a critical BUG in some external 3rd party software, and it took a lot of time to fix all the 3rd party.

Want a current example? True memory randomization. It breaks all the JITs out there. Both Javascript V8 and all the JDKs expect all their allocated memory to fit within a 2G block of memory... yep, they encode pointer differences into 32 bits integers.

One fun thing about it is that Webkit "works around it" by allocating a big blob of 2G upfront for V8. The irony being that, these days, the browser is the most sensitive part of the desktop, BY FAR, and that you won't get anywhere if you disable Javascript. So you're trusting all your security to a JIT compiler that HAS to have a big blob of 2G of contiguous memory, and hoping there's no hole in there that can lead to running arbitrary code in there ? Like, come on... yeah, it's probably some fairly complicated exploits, and I'm too lazy to even try to write them, but are you sure you're perfectly safe ?

I believe there is hope. Especially since there are several "small" projects out there which can contribute stuff. And heck, Linux isn't sooo sure of its future life anyways. Some vendors are still distributing closed source drivers, and Linux users, as a rule, are fairly complacent about it.

And hey, maybe it's Linux that's going to get crowded out by Android (yeah, I know, it's a Linux kernel. So what? Mac OSX is a BSD kernel for the most part).

If something is not done how is the scenario going to look five or 10 years from now?

I have no idea. I am certain of one thing: a wealthy open source ecosystem benefits from a bit more diversity than just pure Linux and the GPL. Looking at the past, without OpenBSD, you would have no OpenSSH, no bgpd, no pf.

There are some cases where going to the GPL and the GNU build system, like xorg has done, is a step backwards toward isolation.

 

ITWIRE SERIES - REVENUE-CRITICAL APPS UNDERPERFORMING?

Avoid War Room Scenarios and improve handling of critical application problems:

• Track all transactions, end-to-end, all the time and know what your users experience 24/7

• View code level details with context and repair problems quickly

• Fix problems in minutes before they wreak havoc

• Optimize your most important applications, Java, .NET, PHP, C/C++ and many more

Start your free trial today!

CLICK FOR FREE TRIAL!

ITWIRE SERIES - IS YOUR BACKUP STRATEGY COSTING YOU CLIENTS?

Where are your clients backing up to right now?

Is your DR strategy as advanced as the rest of your service portfolio?

What areas of your business could be improved if you outsourced your backups to a trusted source?

Read the industry whitepaper and discover where to turn to for managed backup

FIND OUT MORE!

Sam Varghese

website statistics

A professional journalist with decades of experience, Sam for nine years used DOS and then Windows, which led him to start experimenting with GNU/Linux in 1998. Since then he has written widely about the use of both free and open source software, and the people behind the code. His personal blog is titled Irregular Expression.

Connect

Displaying dp_logo_transparent.png