Theo de Raadt Discusses OpenBSD and Beyond

emil writes to tell us that NewsForge (Slashdot Sister Site) is running an interview with OpenBSD project leader Theo de Raadt. In the interview Theo explores the upcoming release of OpenBSD 3.9, continuing financial difficulties, and some of the tension between the OpenBSD team and other businesses that some feel are taking advantage of the free software without giving anything back. In related news the Jem Report has an interesting writeup that expounds on widespread difficulties that could be faced if the OpenBSD project continues its downward spiral because of their parallel development of OpenSSH.

stay on topic

Finally, for real, today's topic is: BSD is dying

All other posts are off-topic. Enjoy!

Hmm...

...that some feel are taking advantage of the free software without giving anything back.

Damn. I wonder if there was anything [wikipedia.org] they could have done about that?

Re:Hmm...

I'm pretty sure he's heard of it. While they do appreciate source code contributions, what they're really asking now for is money.

Re:Hmm...

...that some feel are taking advantage of the free software without giving anything back.

Damn. I wonder if there was anything they could have done about that?

No there wasn't, BSD as in Berkeley Software Distribution, as in University of California Berkeley, as in "Copyright 1979, 1980, 1983, 1986, 1988, 1989, 1991, 1992, 1993, 1994 The Regents of the University of California. All rights reserved.", as in paid for by California taxpayers including corporations and individuals who should not be denied access to what they paid for.

BTW, you shouldn't confuse BSD with a very talented but potentially mismanaged team that has a tendency to piss off lucrative sources of income.

Re:Hmm...

They don't like the GPL and are currently removing GPL only licensed code from the base install. The GPL is not an option for OpenBSD.

Subsequently, their moaning about how their self-inflicted mortal wounds hurt horribly is going to rightfully fall on deaf ears, if they are lucky, or will become a butt of jokes, if they are not.

This is what happens if someone is given good advice not to drive their car off the road and into a bog and which they derisively reject and proceed at "what can possibly happen?"-speed into the mud. Following which they sit on top of their sinking vehicle, far into the swamp, waving frantically and complaining loudly about "selfish" people who fail to stop to pull them out of there. So that they can ignore good advice, as soon as rescued, derisively, again.

I say onto Theo: Tough Cookies! You made your bed, you sleep in it! Perhaps placing product placements into the BSD code or performing in a clown outfit at conferences will bring the required revenue, now that the commercial interests do what you have always encouraged them to do: take, take and take ... whatever they can get in return for as least as possible. Its called "business", Theo. Look it up sometime.

BSD vs GPL is not relevant

I say onto Theo: Tough Cookies! You made your bed, you sleep in it!

BSD vs GPL is not relevant. Theo's bed was made by driving away potential sources of income like DARPA.

Re:BSD vs GPL is not relevant

BSD vs GPL is not relevant. Theo's bed was made by driving away potential sources of income like DARPA.

Yes it is, as a part of a very long list of good advice he received over the years on a lot of things, and all of which he proceeded to sneer and snicker on, as only Theo can. DARPA's help is just one item on that very, very long list.

Re:BSD vs GPL is not relevant

"BSD vs GPL is not relevant. Theo's bed was made by driving away potential sources of income like DARPA."

Yes it is, as a part of a very long list of good advice he received over the years on a lot of things

No, that's a fallacy. In general under open source the money is in consulting, not in the development. A BSD based project is more likely to get inside a corporation and possibly more likely to create consulting work. Whether a project is BSD or GPL, if someone doesn't want to code themselves, they can hire others to do the work. The only difference is whether that work goes back to the community at large and for the company that needed specialized changes that is irrlevant and it may even be counterproductive to the company. The GPL is not some magic pill. We've seen numerous GPL based projects in financial trouble and begging for donations around here as well.

Re:BSD vs GPL is not relevant

No, that's a fallacy.

Oh, really? You mean it does not depend on what the purpose of the project is?

In general under open source the money is in consulting, not in the development.

Oh I see, making money for Theo was the whole idea of OpenBSD? NOW you tell us!

A BSD based project is more likely to get inside a corporation and possibly more likely to create consulting work.

Which is a good thing if you are planning to make people appropriate, modify and sell your code while not letting you look at it ever again, in hopes that somehow your celebrity status will make some of them hire you.

Whether a project is BSD or GPL, if someone doesn't want to code themselves, they can hire others to do the work.

True enough, that is why BSD offers no advantage over GPL in this area.

The only difference is whether that work goes back to the community at large and for the company that needed specialized changes that is irrlevant and it may even be counterproductive to the company.

Which, in most cases, as Theo is finding the hard way, is the only type of return expected from commercial involvment in your project. Hoping to get hired by someone using your code is wishful thinking in vast majority of cases. GPL folks understand that, and operate accordingly.

The GPL is not some magic pill. We've seen numerous GPL based projects in financial trouble and begging for donations around here as well.

Of course it is not. But it was never its purpose. The purpose of GPL is to ensure that regardless of who is using or contributing to the code, and regardless of financial circumstaneces of a project, the code remains the property of the community and cannot be stolen and then sold back to us. That is all.

Re:Hmm...

Not really applicable.

They started with a fork of the NetBSD codebase and maintained compatibility for a long while. Many drivers in the Net/OpenBSD tree used to be ifdef-ed for specific OS related parts. In fact one of the reason for OpenBSD to survive for so long especially on obscure architectures has been the fact that it used to rely heavily on Net for low level hardware specific code (disclaimer - I do not know if this is still the case as I have not looked at their source since 3.3).

As a result GPL-ing is not an option. Your codebase is heavily dependant on somebody's else's codebase which is BSD.

As far as the financial difficulties, all business and businesslike entities using GPL rely on support, custom code and consulting for their day to day living expenses. You do not get that money if you have this attitude:
http://www.securityfocus.com/archive/1/428749/30/9 0/threaded [securityfocus.com]. This is just one fresh example (this week).

Another essential factor is that if you write software in the real world you have to go out of your ivory tower on a daily basis and check what your competitors doing. OpenBSD tends to believe its own PR about their security prowess and does not follow Linux, FreeBSD and other OS development as much as it should. One example for this is how it missed the appearance of hardware RNG in AMD hardware for several years. They simply did not know it is there (I actually pointed it to Theo myself a year ago). I bet that they have missed other stuff in a similar fashion as well.

Frankly, the days when Open Source OS projects were PFY jobs and flaming each other out of existence on mailing lists was business as usual are long gone.

Time to grow up or face the dark stairway down down and down towards oblivion.

Let's be Objective about this, was Re:Hmm...

Bravo; you've made the most secure operating system available today. But, then, you have this firmly held belief that the rest of the world owes you something? That you're gracing the rest of the world with your glorious presence and regal software? That attitude is not welcome here.

Actually, no, he's not claiming that the world owes him something. He's claiming that his act of creation and contribution does not cause him (well, specifically, the OpenSSH developers) to be owe anything further to the people who take advantage of their contribution.

That is an entirely different issue.

"From the beginning of history, the two antagonists have stood face to face: the creator and the second-hander. When the first creator invented the wheel, the first second-hander responded. He invented altruism.

"The creator - denied, opposed, persecuted, exploited - went on, moved forward and carried all humanity along on his energy. The second-hander contributed nothing to the process except the impediments. The contest has another name: the individual against the collective." - Howard Roark [davehong.com] in The Fountainhead [amazon.com] by Ayn Rand [wikipedia.org].

Well,

I have thought along similar lines, but it really demonstrates something that we must quit ignoring.

"Free" is an illusion.

When we use "free" software, we pay for it one way or another. Time or money, and, no, time is not money.

Money is green stuff that you through around on the crops to make things grow, as somebody in some famous musical once said, quoting somebody else, I'm sure. When you collect too much money in one place, it goes fetid.

Time is the true currency, although too much time can go fetid as well.

The licenses are gentlemen's agreements. It's a trade of time for time, with rules of courtesy. (EULAs are _not_ gentlemen's agreements, I am not taking about those licenses, they don't deserve to be called licenses.) The licenses form the ground rules for the community that forms around the software. It's very much like the old guilds, although much more open in a very good way.

With the GPL, some of the rules of courtesy which are important for maintaining the infrastructure of the guild are explicit. We might assume that this is because Stallman is a cynic, or because he is a realist, but must people are still confused and think he is an idealist.

With the BSD license, the rules are implicit, derived from the external society, the (Christian, though not entirely uniquely so in the current view of history) principle of casting one's bread on the water. It is expected that the waters will bring the bread back, multiplied. And this is where things have broken down.

Even under the BSD license, the rules of giving back are natural laws, and are not suspended. Humans whose primary product are sales presentations have no idea that they have to give back or the resource will be depleted. Stallman recognized that, Theo has not yet.

People have to be reminded to be courteous, and that's why an idealist and general nice guy like Theo ends up making enemies. The license doesn't remind people, so he has to spend his energy reminding them.

Putting new source under GPL would be one solution, but, as is well known, it is not one that can really be considered yet. A new modified BSD that contains a non-binding reminder that the resources don't renew themselves may be what's in order right now.

Classic Theo de Raadt

Nvidia did not give anyone documentation. Instead, they expect people to load a gigantic blob of binary code into their kernel, and just be happy with that. Some Linux people in Germany reverse-engineered the driver years ago, but the rough story I heard is that Nvidia asked them to stop, and they did. This just astounds me!

Gee, I don't know, maybe they had lives they didn't want to sacrafice for the cause Theo. He then goes on to slag linux developers in general but maintains that he doesn't really go into advocacy.

SunSSH

"I will say it here -- if an OpenSSH hole is found that applies to SunSSH, Sun will not be informed. Or maybe that has happened already." - Theo de Raadt

I'm sure they'll find out when everyone else does.

Re:Sounds almost like a threat

No. It would be extortion if he were threatening to put security holes in SunSSH. He's just saying that without Sun's support, he can't be expected to analyze and warn them of bugs in their product. Or are you saying I have a legal requirement to disclose every bug I notice in every piece of software I use to the developer?

what a whiner

Some of the OpenSSH freeloaders, like Apple Computer and The SCO Group, are notorious for reaping financial rewards from selling open source software bundled with their proprietary products.

What part of the BSD license does Theo not understand? Apple and SCO aren't "freeloaders", they are using the software under the intended license.

Furthermore, what makes Theo think that people want to run OpenSSH? At this point, it's as entrenched as Windows--nobody has a choice.

For our work on OpenSSH, companies using OpenSSH have never given us a cent. What about companies that incorporate OpenSSH directly into their products, saving themselves millions of dollars?

No, they haven't been saving themselves "millions of dollars". If OpenSSH didn't exist, people would implement some other free ssh client or switch to a different standard.

If you release something under a FOSS license, figure out your business model beforehand. Of course, Theo actually did: his work on BSD has given him plenty of exposure and celebrity status, which many would consider ample reward for his work, and something he wouldn't have gotten if he had founded a small software company instead. And I'm sure he could (or could have) translated this into consulting opportunities and other business, without even changing the license on anything. But, like many celebrities, it's just never enough.

Re:what a whiner

Some of the OpenSSH freeloaders, like Apple Computer and The SCO Group, are notorious for reaping financial rewards from selling open source software bundled with their proprietary products.

What part of the BSD license does Theo not understand? Apple and SCO aren't "freeloaders", they are using the software under the intended license.

That part wasn't written by Theo, as far as I can tell.

Re:what a whiner

Just because the BSD license doesn't force companies to give back, doesn't mean they can't do it anyway.

For a business that uses OpenBSD code, it would just make good business sense to support the project at a fraction of what it would cost to develop the same code in-house. It is ridiculous that Sun wouldn't even cover the travel expenses of an OpenBSD developer to go their conference, because the value of the developer's hours would have far exceeded such travel expenses. That's just simply bad business.

Let's Add Some Context Here

First, I think the OpenSSH question was baited. Even disregarding that, you excluded an insightful caveat from Theo's reply:

Of course we did not set out to create OpenSSH for the money -- we purposely made it completely free so that the "telnet infrastructure" of the 1980s would die. But it sure is sad that none of these companies return even a fraction of value in kind.

He acknowledges that not only was there no obligation for these companies to donate money, but that OpenSSH wasn't created to make money. I don't think it is unreasonable for him to ask for money, particularly when he has pointed out that some of the vendors selected OpenSSH after they were quoted high fees (multi-millions of USD) from the commercial SSH vendor.

OpenBSD has done good work & currently depends on receiving financial donations. Enlightened companies should notice that OpenBSD needs some funding right now & that it would be cheaper to fund them than to have to adopt the support and development of the OpenBSD products they use.

Re:what a whiner

Furthermore, what makes Theo think that people want to run OpenSSH? At this point, it's as entrenched as Windows--nobody has a choice.

What are you talking about? People use OpenSSH because it's by far the best out there. Nobody is locked into using it, the specs are open, anyone can code a replacement. It's just not easy to produce something of the same quality and security as OpenSSH. People are locked into Windows because of proprietary file formats and closed source applications; how is that in any way similar to OpenSSH?

But, like many celebrities, it's just never enough.

Sorry. CELEBRITIES? Hmm.. yeah sure, Theo is a celebrity. I'm sure he has paparazzi knocking on his door every day.

Sure Theo can be abrasive, but it's weird to see how gleefully people at the receiving end of his charity will attack him. It's always easy to be an armchair critic.

Re:what a whiner

If OpenSSH didn't exist, the ssh 1.3 source would probably have been picked up by GNU and we'd have free GnuSSH, without Theo's whining.

I'm sure you're right, it's not like we wouldn't have another SSH client, but would it be as good? The fact is that Theo and his team writes really good, really secure code. Someone who does security "for fun" is very rare and valuable. Most developers are quite naturally more interested in cool features than tedious code review.

Re:what a whiner

the ssh 1.3 source would probably have been picked up by GNU and we'd have free GnuSSH

which would suddenly turn off encryption on your channel and pop up RMS's face saying "You are using this software for something *I*, his Imperial Majesty RMS, happen not to like today or maybe in the future, therefore I will stop it. I also hope your OS crashes and burns because it's not running HURD."
Thanks, I'll keep using the *really open* OpenSSH.

Re:what a whiner

Furthermore, what makes Theo think that people want to run OpenSSH? At this point, it's as entrenched as Windows--nobody has a choice.

Actually, it isn't. You can also use LSH [lysator.liu.se] or Dropbear [ucc.asn.au], and for SSH clients there are even more alternatives (PuTTY is available for Linux, for example).

This article almost makes me consider using one of them...

Re:what a whiner

What part of the BSD license does Theo not understand? Apple and SCO aren't "freeloaders", they are using the software under the intended license.
Furthermore, what makes Theo think that people want to run OpenSSH? At this point, it's as entrenched as Windows--nobody has a choice.

Dear friend, herein lies the indelible mark of your misunderstanding of the free software _Movement_, and will live on even after you are dead and gone.

The help he is asking is pocket change for the companies which use OpenSSH. For the work done in making it compatible with major projects of those companies. __If you read the article__ you will also note how IBM sends customer complaints to the OpenSSH team. And how Sun refused to pay for travel!

I find it painful.

Bitchy

Wow, is Jem ever whiney...

You doity raht

Is it just me, or does anyone else always feel the urge to pronounce "Theo de Raadt" as "Theo da Rat" with a mafia godfather style accent?

Problem with BSD licencing

This is a perfect example of the problem with BSD licencing. Under the various BSD licences, its perfectly OK to take a piece of code and sell it, either modified or exactly as found, without in any way recognising or contrubuting to the project. Run "strings c:\windows\system32\ftp.exe" on a WinXP box and you'll see a perfect example of uncredited work. At least under the GPL if someone sells an unmodified program, the project will get recognition (since it will have to remain open source, and thus the origion of the code will be obvious), and if they sell a modified version the project will get the source for the modifications back. Neither directly equates to funding, but publicity and a better code base both help to attract financial support. Both arrangements depend somewhat on the cooperation and altruism of the entity using the code for a profit, but the GPL isn't quite so hopelessly naive.

Re:Problem with BSD licencing

I've mentioned this in another post but be careful with words like "contributing". As California corporations and taxpayers companies like Apple and SCO paid for BSD's development. Apple have every moral and ethical right to use it.

They paid for ancient BSD development. However after the court cases were over, that went away.
They have every *legal* right to use it.
They have an ethical responsibility to contribute but this is in no way required.
Morality is individual, so were you talking about a person it would be their choice as to what their morality is. As you're discussing corporations, they inherently and as required by law are entirely amoral.

This is certainly about as clear a demonstration as you can find of the difference between the BSD license and the GPL, but other than that, which wasn't explicitly in there, there really isn't anything to your post.

Is Theo justified in calling the people who used his code without giving anything back asshats? Absolutely.
Can he force them to? Absolutely not.

That's the license he chose and he's well aware of the ramifications.

The thing to me that most sucks was that Stallman and the BSD folks basically made a bet on human nature.
The optomists are losing badly.

I bought the T-shirt

I bought the T-shirt [openbsd.org]; does that count?

Job interview question

I was recently asked in a job interview "If Theo de Raadt and Dan Bernstein were locked in a room with knives, who would you want to come out alive?"

(and my interviewer is probably reading this, in which case, "Hi there!")

I said I wanted Dan Bernstein to come out alive, because I actually use his stuff in production as opposed to OpenBSD... but after thinking about it for a while I realised that OpenSSH is perhaps more important that Dan Bernstein's stuff. I mean, Dan never updates qmail and any of his tools... Theo may as well bump him off for all I care. ;P

Re:Job interview question

I was recently asked in a job interview "If Theo de Raadt and Dan Bernstein were locked in a room with knives, who would you want to come out alive?"

At which question I would have gotten up, broken off a leg table, and proceeded to ask "Where are they?!" so that I can proceed to give Dan a hand, musing to myself that it is at times like these that I wish I were a gun nut.

I am afraid this kind of a reaction would have been rather popular amongst those who had a pleasure of reading Theos' "conversations" with people on some of the USENET groups of old. Theo is just such a charming, loveable guy that swiss army knives open spontaneously in people's pockets at the very mention of him.

Re:Job interview question

The exact reply to the question didn't really matter. The amount of time you think about it is what I look for.

Was it me, you would have found out that it takes only 0.3 seconds to have a horrible accident with your coffee spilling all over your lap. Applogies and all that, why, I am just such a horrible klutz!

Joking aside, but that sort of question would have me thanking you for the lovely opportunity to get interviewed by you, followed by a mental note not to ever do business with you, under any circumstances.

Has it ever occured to you that these types of smart-ass, self-congratulatory questions, main purpose of which is to show who is the smart alpha-dog in that interview room, are absolutely useless in ascertaining someone's workplace abilities? Oh, what am I talking about, if it had, you would not be asking that and all the other ridiculous "logic" puzzles I am sure you are inflicting on your poor hapless, victims ... err ... applicants.

It's not just openSSH

If you're a Linux user and you like your madwifi driver, you can thank the OBSD ath driver. Also if you ever want a RALink driver, OpenBSD is the only OS that has one right now and it seems almost certain any ports will be based off it. Anonymous CVS? Theo came up with it after NetBSD kicked him off the commit list. Randomized mmap, stack protection ... there's a lot of development being taken from openbsd. We've all got an interest here.

... and licenses

A while back -- pre-SCO -- OpenBSD did a "license audit". I don't have the list in front of me but a sizable number of reasonably well-known open source projects had questionable licences. Theo really did ask nicely and got most of them changed.

TCP Wrappers IIRC was one of them, pppd another (again IIRC).

Like Theo or hate him, he's done more for the Open Source community than just piss people off.

Oh really?

> Also if you ever want a RALink driver, OpenBSD is the only OS that has one right now and it seems almost certain any ports will be based off it.

I thought RALink supported Linux themselves, otherwise, what's this [ralinktech.com]?