OpenBSD Foundation Announced

OpenBDSfan writes "KernelTrap is reporting on the creation of the OpenBSD Foundation, a Canadian not-for-profit corporation intended to support OpenBSD and related projects, including OpenSSH, OpenBGPD, OpenNTPD, and OpenCVS. The announcement explains, "the OpenBSD Foundation will initially concentrate on facilitating larger donations of equipment, funds, documentation and resources. Small scale donations should continue to be submitted through the existing mechanisms.""

Accounced?

s/check-it-out dept./spell-check-it dept./

OpenCVS?

Yep, cause this license [tigris.org] ain't free enough and, besides, we don't want anything that is better than CVS.

You're a codin' machine Theo, but I wish you could learn to play well with others.

Re:OpenCVS?

Complex == insecure to them. Which, to me, implies that secure == poverty.

No, you have your negation wrong.... If Complex == Insecure then !Complex = !Insecure, and thus Simple = Secure. The funny thing is: you cannot argue with that: simple is easier to audit and thus easier to audit. It really is that simple (Dah-dum!). Simple doesn't equate poverty, or a Lotus Elise is a poor-mans-car. (Having no radio, AC, etc...) Sorry for the "bad car analogy"(tm).

You also forget the target demographic for OpenBSD: this is not for your Desktop, nor even for your high-load server. You can use it for that, but the niche in which it lives is firewall, NAT, transparent bridging. Places where security matters more than anything else. Sure, a bit more complex to set up, you need to work more, but this is not your moms OS.

Re:OpenCVS?

No, you have your negation wrong.... If Complex == Insecure then !Complex = !Insecure, and thus Simple = Secure.

Technically you should say the following, where "->" is the symbol for "implies":

If Complex -> Insecure, then:
!Insecure -> !Complex; and
Secure -> Simple

Otherwise your method of reasoning would go like this:

Square = Four-sided-figure
!Square = !Four-sided-figure

. . . which doesn't make sense because then you could say "and thus, a non-square rectangle isn't a four-sided figure".

Good old Wikipedia has the details [wikipedia.org].
 

Re:OpenCVS?

Logical terminology! So We Meet Again, My old Arch Nemesis. ;-)

That's for clearing that up, you are of course 100% right.

Re:OpenCVS?

Just read up a little bit about OpenBSD, and you'll notice they are not afraid of complexity. Examples that come to mind are pf, OpenBGPD [openbgpd.org], W^X, etc.

Besides, choosing a stable and secure algorithm is not a bad idea. See this post for a valid example [undeadly.org].

Finally, I can't help but notice that Subversion is available as an OpenBSD package [openbsd.org], so quit your yakking already.

Sheesh, anti-OpenBSD trolls these days.

Re:OpenCVS?

OpenBSD has a long history with CVS. It was the first open source project to run a public CVS server; previously all open source projects had run a private CVS server that only a few people could access, and published snapshots as tarballs.

They have a lot of revision history in their CVS repository, and feel it's important to maintain this due to the way in which their auditing process works. They might switch to something else at some point, but for now CVS is the best way they have of ensuring compatibility with CVS.

Currently, they use GNU CVS, but there have been a number of security problems with it in the recent past. Part of this comes from the fact that, when it was written, GNU projects used the private-CVS-public-snapshots development model, so only trusted people got access to the CVS server anyway. After fixing a few security holes in GNU CVS, the team decided that the code was in such a state that doing a full audit and getting it up to the standard required by OpenBSD would be more effort than writing a replacement, so they decided to replace it instead. So far, they have OpenRCS, which is a drop-in replacement for GNU RCS (on which CVS is built). Now they are working on the CVS component, and seem to be making good progress.

It's really not hard to understand. Considering the code quality of the rest of OpenBSD, I'd be more inclined to use their version than the GNU one if I needed CVS. Take a look at the recent BIND vulnerability that affected every platform except OpenBSD for an example.

Re:OpenCVS?

the license for CVS is perfectly fine

Perhaps for your purposes. However, the CVS license it not consistent with the goals and philosophies of OpenBSD. So they created OpenCVS with a license that is appropriate.

the main source of theo thinking SVN isn't secure, is because that control freak didn't write it himself.

Do you have a link pointing to his quote on that?

openssl and openssh are 2 packages responsible for huge security holes over the years, both of which are his babies.

OpenSSL [openssl.org] is not Theo's "baby".

OpenSSH's security, while not perfect, has been excellent. Your unsubstantiated attribution of "huge security holes" to it seems to be intended as little more than a troll, since you did not provide any citations.

Re:OpenCVS?

the main source of theo thinking SVN isn't secure, is because that control freak didn't write it himself. which is ironic because openssl and openssh are 2 packages responsible for huge security holes over the years, both of which are his babies.

Except, of course, you have no fscking idea what you are talking about, since OpenSSL is not developed, or related to, OpenBSD and Theo de Raadt in any way [openssl.org].

As far as OpenSSH security holes [secunia.com] are concerned, please excuse me while I laugh. Most of these vulnerabilities are either denial of service, or someone who messed up with their OpenSSH implementation. A lot of people think they can improve on a perfectly good product by adding security holes in it.

As far as OpenCVS is concerned, they explain their rationale quite clearly:

The OpenCVS project was started after discussions regarding the latest GNU CVS vulnerabilities that came out. Although CVS is widely used, its development has been mostly stagnant in the last years and many security issues have popped up, both in the implementation and in the mechanisms.

Now, let me ask you: what part of "development has been mostly stagnant in the last years and many security issues have popped up" don't you understand?

Allow me to finish by adding this: read up a little bit before you start trolling. But that would be a waste of a perfectly good troll, right? Sheesh. Go back under your bridge, little troll.

Re:OpenCVS?

Actually, I believe there was a good reason to create OpenCVS. Lots of sites still use CVS, but development GNU CVS is a mess and has become effectively unmaintained (leaving several vulnerabilities open). OpenCVS is intended for those sites who, for whatever reason, wish to continue using CVS, but also want some degree of security.

Re:OpenCVS?

What people seems to forget is that even if CVS usage is replaced with something else (like for example SVN) it doesn't make all the old CVS repositories go away. So, 20 years into the future (when we have flying cars which runs on water) you sit there (on your levitating chair) and wants to extract some files from an old CVS repo you found in the company's archive. No problem, except that GNU CVS isn't available on SuperDuper Windows Extra Deluxe 2027, due to the fact that code base and build system is such a mess that no one manages to make packages for Cygwin anymore (that and the fact that Microsoft (Operating Systems Division) does not any longer permit that GPLed software is used on its products.

Ok, I'm exaggerating, but the point is that there is no fault in having a clean and maintainable code base for the future - even if it's only used for handling legacy projects.

Besides, who are we to tell these people how to use their spare time? If anyone want to re-implement Unix in Brainf*ck, then let them.

Interesting

I wonder what Theo will say about all this? 9 times out of 10 he tends to scorn things, so I wonder if he'll embrace this with open arms, or just shun it [forbes.com] like he does most things.

Either way i'm happy. At least there's even more support for open source software and anything non-windows related.

Re:Interesting

Given the fact that it was stated by Bob Beck, a member of the OpenBSD programming teams, I think he will be OK with it.

Besides, the OpenBSD Foundation stated very clearly [openbsdfoundation.org] that it will focus on large donations (of funds, hardware, etc) and that small donations should be sent directly to OpenBSD through the usual channels. RTFA and all that.

I do think Theo will be A-OK with that.

Did anyone notice the spelling error?

OpenNTPD

I'm pretty sure they meant "OpecCTPD".

Accounced

Slashdot is according to Google already the Nr. 2 Source for accouncing!

Netcraft confirms it!

BSD is ACCOUNCED!

The Race for funds begins

I think this is great. Now it should be easier to see just how well the three *bsd camps are doing. FreeBSD has a list of donors on it's foundation web site. Heck, you can get listed for a $1-$19 donation. Sounds like they took a page from the OpenBSD folks, who would list donors on their web site and printed your name in the instructions with the CD for each release until there got to be too many. Now it is just on the web.

But look at the overhead! NetBSD listed $10k in donations for 2006 and $2k in legal fees, while FreeBSD listed $87k in donations and $54k in payroll expenses. What! Does it take a full time person to collect $150k in donations in 6 months?

On the other hand, OpenBSD prides itself in being run by volunteers, so I think it should have lower overhead. We will see, how the three compare in getting the dollars. My money is going to OpenBSD.

That's the way to go

Congratulations! That's the way to go. This should have done long time ago. Nobody wants to donate/contribute to individuals. Good luck and best wishes. - Sagara

Canadian - It's got piracy written all over it!

Don't they realize that by establishing a Canadian foundation, they're aligning themselves with the greatest piracy threat against the MAFIAA members' intellectual property? Everyone knows OSS is all about piracy and cracking, and basing it in Canada increases that threat!

Not tax deductable!

From their Donations page:

We are not a registered charity, in the sense that we do not issue tax deductible receipts. The reporting overhead (accounting and legal costs) to operate a registered charity in Canada is prohibitive without a sizable revenue stream. Currently, this would divert a great deal of resources that could be better utilized in helping build good free software. We do issue receipts (not tax deductable) for all donations.

If it's so stinking hard to do in Canada, maybe they should have done it in the US. You know, where there are a lot more people and large companies who might like a tax deduction for their donation?

If my mom can run a non-profit 501(c)(3) in the US and get all the paperwork done, anyone should be able to. But these BSD folks never seem to manage it.

Is Theo Involved?

If so, you can pretty much forget about it making a difference.

While i respect him greatly for his technical abilities, as a marketing guy he sucks wind. His political views get in the way every time. ( and his abrasive personality does not help much either )

Do it, do it, do it!

I don't use OpenBSD at home (as mentioned, its niche is in firewalls and routers), but I think it's one of the most underrated and well-designed OSes in the history of modern computing. Theo de Raadt, abrasive as he is, is something like a thinner, paranoid RMS who showers once in a while, and I say that with only the best intentions. Like RMS, he may be hard to get along with, but he's nearly always right. Theo, if you're reading this, good luck!

a disadvantage of foundations

Organisations that handle lots of money tend to attract people who look for a job or opportunities for personal gain and have no interest in its original mission. Considering that the founding members will sometime retire or leave, how can a foundation ensure that its original culture and focus on its mission will pass on to all new members within generations? I always regarded this as a disadvantage of formal organisations. I am not saying this specifically for OpenBSD (which I highly respect), but I am just raising a point for discussion.

Re:Accounced?

Thankfully, nautral lagnuage has evolved enough redudnancy to provide for fairly reliable error corectiuon.

Re:WTF

I was accounced once. It's on my permanent record.

Another time I accounced my neighbours dog for barking while I was trying to sleep. I used a teaspoon. It was fun.

Re:OpenCVS?

CVS has the advantage that it is a fairly simple system compared to for example subversion, and it has also been stable for a long time. This means that it is much easier to audit and secure the code, compared to more complex tools. I have yet to see anyone claim the subversion is inherently more secure than CVS, or the securing subversion is somehow easier than securing CVS.

Re:OpenCVS?

CVS stays very much relevant to whole BSD community (not only OpenBSD).
It's because of the tradition, sure - and rather faint convicting force of some other version control system ...

Just look at the way CVSup http://www.cvsup.org/ [cvsup.org] is used.

These people just need a CVS software they would like to maintain for some time in the future.

Re:The communism is not dead

Most governments are actually pretty good systems, and in theory they work, the reason countries got ruined by communism was corruption, a less corrupt system would have succeeded, and I think we'll soon find countries like Afganistan abusing democracy to become a theocracy and it'll be just as bad.

Re:The communism is not dead

my country used to be in its shadow and now it is ruined.

I very much doubt that. I suspect that what your country was in the shadow of was Stalinism. Just because the nice American man said you were living under communism doesn't mean anything as Americans generally can not tell the difference between Communism, Stalinism, and Socialism (and assume they're all Stalinism).

Communism, like capitalism, is based on a model of the world which only works if everyone acts in exactly the way the inventor of the model thought they should. Neither work in reality; both need socialist elements to prevent them turning into a nightmare for all but the top 500 or so people in a country.

TWW