Home Business IT Open Source Upstream vendors can harm small projects: OpenBSD dev

What do you propose as a solution to keep projects that are smaller from being crowded out? Or is there no hope at all?

Well, the "crowding out" part definitely wasn't mine. Maybe people should realize that Linux hasn't "won", if there was anything to win. Contrary to what people in lwn.net (Linux Weekly News, a website which wrote about Espie's post without contacing him) did say, there's still a lot of innovation in OpenBSD, and in other BSDs too.

We don't talk about it too much, but seriously, we're still doing real security. You know, not the kind where you add a bunch of stuff on top of a UNIX OS and give a UNIX administrator enough to shoot themselves in the foot ten times over. I still don't get it. Who still thinks that by adding layers and layers of shit to "control" access rights you will get a better system. Capabilities? Everybody is still laughing hard at the old sendmail "compromise".

PAM? Give me a distribution name which never had a major stupid security hole due to PAM. The one reason we still don't have PAM is that THAT security model is flawed. Yes, big corporations and their management will wank all over it. But seriously? A system where you can so easily confuse rights that every distribution got it wrong at some point? And that's secure? Come on. (also, it's a well known non-secret that properly configuring stuff like GRsecurity of SElinux is a full-time job, and that you will often end up disabling it for anything but the most critical stuff, because the added security model doesn't fit with the basic UNIX programming model AT ALL).

Adding sexy features is the easy part. stack protection, W^X, pie. The hard part is making it work, all the way through. Most projects out there have some critical bug-fixes that come from OpenBSD. That includes GCC, KDE, GNOME, Xorg, rsync, Emacs, LibreOffice (I could expand on that list, but I can definitely remember specific bugs in each of these that we had to fix to get those security features to work)

Buffer overflows, buffer underflows, logic errors you name it.

Sometimes, this goes incredibly slow, and this is infuriating. I was involved in several big changes in OpenBSD that took a few releases to polish. In many cases, it got in, we ran into a critical BUG in some external 3rd party software, and it took a lot of time to fix all the 3rd party.

Want a current example? True memory randomization. It breaks all the JITs out there. Both Javascript V8 and all the JDKs expect all their allocated memory to fit within a 2G block of memory... yep, they encode pointer differences into 32 bits integers.

One fun thing about it is that Webkit "works around it" by allocating a big blob of 2G upfront for V8. The irony being that, these days, the browser is the most sensitive part of the desktop, BY FAR, and that you won't get anywhere if you disable Javascript. So you're trusting all your security to a JIT compiler that HAS to have a big blob of 2G of contiguous memory, and hoping there's no hole in there that can lead to running arbitrary code in there ? Like, come on... yeah, it's probably some fairly complicated exploits, and I'm too lazy to even try to write them, but are you sure you're perfectly safe ?

I believe there is hope. Especially since there are several "small" projects out there which can contribute stuff. And heck, Linux isn't sooo sure of its future life anyways. Some vendors are still distributing closed source drivers, and Linux users, as a rule, are fairly complacent about it.

And hey, maybe it's Linux that's going to get crowded out by Android (yeah, I know, it's a Linux kernel. So what? Mac OSX is a BSD kernel for the most part).

If something is not done how is the scenario going to look five or 10 years from now?

I have no idea. I am certain of one thing: a wealthy open source ecosystem benefits from a bit more diversity than just pure Linux and the GPL. Looking at the past, without OpenBSD, you would have no OpenSSH, no bgpd, no pf.

There are some cases where going to the GPL and the GNU build system, like xorg has done, is a step backwards toward isolation.



Are you looking to find the most efficient IT Monitoring tool available?

IT Monitoring is an essential part of the operations of any organisation with a significant network architecture.

Multiple IT monitoring platforms are available on the market today, supporting the various needs of small, medium-sized, and large enterprises, as well as managed service providers (MSPs).

This new report studies and compares eight different IT monitoring products in terms of functionality, operations, and usability on the same server platform with 100 end devices.

Which product is easiest to deploy, has the best maintenance mode capabilities, the best mobile access and custom reporting, dynamic thresholds setting, and enhanced discovery capabilities?

Download your free report to find out.


Sam Varghese

website statistics

A professional journalist with decades of experience, Sam for nine years used DOS and then Windows, which led him to start experimenting with GNU/Linux in 1998. Since then he has written widely about the use of both free and open source software, and the people behind the code. His personal blog is titled Irregular Expression.