Please create an account to participate in the Slashdot moderation system


Forgot your password?
BSD Operating Systems

Theo de Raadt Responds 261

Here you go: straight answers to your questions from Theo de Raadt of OpenBSD. Read, enjoy, and comment away. (Theo might even check in with a comment or two of his own if he has time -- although he's been awfully busy lately, so please don't hold it against him if he can't, okay?)

A book on code auditing?
by LizardKing

Would you and/or other members of the OpenBSD coders consider writing a book on secure, bug-free coding and auditing? Most programming books feature sample code that is written for pedagogical purposes. Quite often this runs contrary to how secure code should be written, leaving a gap in many a programmers knowledge. A book on audinting and how to avoid security pitfalls when coding would also make your life easier - less code to audit for OpenBSD, and more time top concentrate on nifty new features!!!


There is perhaps a split between the two issues you bring up. On the one side is secure coding, as in code written to be secure by the original author(s). On the other side, auditing, which is where an outsider (or an insider) later on goes and tries to clean up the mess which remains. And there is always a mess. Perhaps part of the problem is that a huge gap lies between these two. In the end though, I think that a book on such a topic would probably have to repeat the same thing every second paragraph, throughout the book: Understand the interfaces which you are coding to! Understand the interfaces which you are coding to! Most of the security (or simply bug) issues we audited out of our source tree are just that. The programmer in question was a careless slob, not paying attention to the interface he was using. The repeated nature of the same classes of bugs throughout the source tree, also showed us that most programmers learn to code by (bad) examples. A solid systems's approach should not be based on "but it works". Yet, time and time again, we see that for most people this is the case. They don't care about good software, only about "good enough" software. So the programmers can continue to make such mistakes. Thus, I do not feel all that excited about writing a book which would simply teach people that the devil is in the details. If they haven't figured it out by now, perhaps they should consider another occupation (one where they will cause less damage).

Making the rest secure
by squiggleslash

OpenBSD has a well deserved reputation for security "out of the box" and for the fact the inbuilt tools are as secure as they're ever likely to be. However, the Ports system is, perhaps, an example of where the secure approach currently has limitations - an installation of OpenBSD running popular third-party systems like INN can only be so secure because the auditing of INN, and other such software, is outside the scope of the BSD audit.

My question is, has the OpenBSD team ever proposed looking into how to create a 'secured ports' tree, or some other similar system, that would ensure that many of the applications people specifically want secure platforms like OpenBSD to run could be as trusted as the platforms themselves?


We have our hands already pretty full, just researching new ideas in our main source tree, which is roughly 300MB in size. We also lightly involved ourselves in working with the XFree86 people a while back for some components there. Auditing the components outside of this becomes rather unwieldly. The difficulty lies not only in the volume of such code, but also in other issues. Sometimes communication with the maintainers of these other packages is difficult, for various reasons. Sometimes they are immediately turned off because we don't use the word Linux. Some of these portable software packages are by their nature never really going to approach the quality of regular system software, because they are so bulky.

But most importantly, please remember that we are also human beings, trying to live our lives in a pleasant way, and don't ussually get all that excited about suddenly burning 800 hours in some disgusting piece of badly programmer trash which we can just avoid running. I suppose that quite often some of our auditors look at a piece of code and go "oh, wow, this is really bad", and then just avoid using it. I know that doesn't make you guys feel better, but what can we say...

OpenBSD, security, et al.
by jd

With the release of SGI's B1 code, and the attempts by many U*ixen to secure their contents via capabilities, ACL's, etc, ad nausium, how is OpenBSD approaching the issue of resource control?

On a side note, is OpenBSD likely to ever head in the direction of being a distributed kernel? And, if so, how would security and resource management be maintained? (It's hard enough on a central kernel system.)


On the first question, I think there is great confusion in the land of Orange Book. Many people think that is about security. It is not. Largely, those standards are about accountability in the face of threat. Which really isn't about making systems secure. It's about knowing when your system's security breaks down. Not quite the same thing. Please count the commercially deployed C, B, or even A systems which are actually being used by real people for real work, before foaming at the mouth about it all being "so great". On the other hand, I think we wil see if some parts of that picture actually start to show up in real systems, over time. By the way, I am surprised to see you list ACLs, which don't really have anything to do with B1 systems.

As to the second issue, I have no idea what a distributed kernel is, nor do I see how anything like that would improve security or quality of a system.

Forks and cooperation
by PapaZit

A lot of people know that OpenBSD forked from NetBSD, and there's still some animosity between the two groups. Personally, I think that the competition has helped both groups (NetBSD now ships with far fewer open services, for example).

Egos are delicate things, but do you see any chance for greater cooperation in the future, or do you see more forking and division as inevitable?


Considering that NetBSD has maintained a black-hole route to the OpenBSD project networks for roughly four years, I don't see how any cooperation at higher levels are possible. However, there are developers who work on multiple projects. Some of them used to complain about having troubles from various groups. Nowadays, I think they've got it easier. Politics do not dictate developer relationships these days.

In Linux land, it appears that projects fork for financial reasons. In BSD land, it appears that the forks that have happened were purely political reasons. I don't know what will happen. It's been 5 years since the last fork in the BSD camp. Why are you guys so fork paranoid? Do you want everyone to vote for the same political party, too?

Kernel design
by laertes

I have only been using OpenBSD for a short while now, so forgive me if this question is based upon some incorrect assumtions.

OpenBSD's kernel design seems to be of the monolithic species. OpenVMS (no relation) and NT are two prominent operating systems that use a microkernel archetecture. The microkernel design seems to me to be fundamentally more secure, since there is less priveledged code. Further, if one of the servers is compromised, the damage is minimezed.

My question is this: Is the OpenBSD design fundamentally secure, or is it only a very well done implementation of a basically flawed design?


I don't think it makes any difference, whatsoever. I think your computer science teachers are still teaching you from books written in the 80's, when the word "micro-kernel" was associated with a future utopia. We do not think that NT is a microkernel, and are you really so sure that OpenVMS is? A microkernel is not a kernel that does things through loadable modules. As well, I don't think it makes any difference, as long as a system does what it is supposed to do.

Where Did You Learn Your Code Audit Discipline?
by EXTomar

Did the drive to audit code come from the need or the design of BSD? Or was it initially a whim? More imporantly, where did you learn it from? Is their some "mentor" you looked too for ridge design? I have to admire your team's daunting code reviewing...I wonder if I'll ever have that kind of meticulous coding nature.


The auditing process developed out of a desire to improve the quality of our operating system. Once we started on it, it becames fascinating, fun, and very nearly fanatical. About ten people worked together on it, basically teaching ourselves as things went along. We searched for basic source-code programmer mistakes and sloppiness, rather than "holes" or "bugs". We just kept recursing through the source tree everytime we found a sloppiness. Everytime we found a mistake a programmer made (such as using mktemp(3) in such a way that a filesystem race occured), we would go throughout the source tree and fix ALL of them. Then when we fix that one, we would find some other basic mistake, and then fix ALL of them. Yes, it's a lot of work. But it has a serious payback. Can you imagine if a Boeing engineer didn't fix ALL of the occurances of a wiring flaw? Why not at least try to engineer software in the same way?

Firewall/NAT box
by yamla

Linux has FreeSco, a product that fits on a 3.5 inch floppy disk and acts as a router and NAT (Network Address Translation). I always thought something like this would be ideal for OpenBSD. After all, I would rather trust OpenBSD than Linux for this.

Are there any plans to produce something like this? Something with a very simple user interface that is quick and easy to get set up? I'd love to play with OpenBSD and do it by hand but I simply do not have the time.


I must say that I am not a fan of these floppy-based routers. Essentially, you are taking one of the most unreliable pieces of storage known to man, and trying to build security infrastructure on it. That's madness. Just buy a small disk. Perhaps somethings based on a CD plus some other (non-floppy) persistant storage might be sane. But please. Not floppies. Are you mad?

by AT

Any advise for code auditers? Can you share any tips or techniques you have found useful in uncovering bugs? What do you first look for in a fresh piece of code? What about a mature piece of code?


I suppose the biggest tip would be to become a better programmer. In particular, study what functions that programs are calling, and ensure that the calling code is following the rules of those functions 100%. How many of you understand the complete & correct semantics of every function in libc, or even just the libc functions being called by the program you are looking? (I mean, we went through our entire source tree, and about half the strncat() and strncpy() calls were subtly wrong, even if it only meant they copied a character extra and then zero'd it out -- it is still sloppy).

When you know exactly what the APIs are, you'll spot the bugs very easily. In my mind, it is the same as any other job that requires diligence. Be careful. Humans learn from examples, and yet, in this software programming environment, the tremendous complexity breeds non-obvious mistakes, which we carry along with us, and copy into new chunks of code. We've even found in manual pages where functions were mis-described, and when we found those, lots of programmers had followed the instructions incorrectly...

Dual Processor Support
by dragonfly_blue

Although there has been some indication that people are interested in running OpenBSD on machines with dual or quad processors, it appears that there are not enough resources and volunteers available to make this a reality. Although I use OpenBSD for my web server, I am by no means an expert, at this, but I'm curious nonetheless.

From what I've heard, multiprocessing support is going to be a very tricky thing to implement, because it gives rise to so many possible exploits, particularly with regards to race conditions. I also understand that it would take a remarkable amount of effort and time to rewrite much of the code base for SMP without compromising the OS's integrity.

With that in mind, what kind of resources would you need before you could seriously consider attempting dual or quad processor support? And, if you were given unlimited access to those resources, how long would it take before a -stable release would be ready? I would really like to see this feature get implemented, although I know that at this point your developer team is busy enough as it is.


At this time, we are not working on SMP. It's a lot of work, and not considered the most interesting thing to our developers. Sorry.

Time warp
by rho

Thanks for your work, Theo. I use OBSD every day as a workstation and as a firewall, and the Cop-chasing-script-kiddie t-shirt is the best.

If you could time warp back to the beginning of OpenBSD's development (ignoring the scism that brought you to that point), what would you do differently? Would you have chosen a more commercial focus? Pushed SMP development earlier? Run around in circles waving your hands in the air?

On another note, what's your feeling about commercial use of OpenBSD? i.e., do you support it, tolerate it, or what? (better example, I make a set-top box running OpenBSD, and I need the OS to do "X". If I called you and said, "Theo, I need OpenBSD to support 'X'", would I be told to piss up a rope, write it myself, or would the OpenBSD team do it for a price?)


The licence on our code is pretty clear. We want vendors to use our code. We want commercial operating systems to ship with OpenSSH. Not shipping with an SSH varient causes great grief, and it is time that ends.

Same goes for OpenBSD. We would prefer if companies building commercial network appliances used OpenBSD, rather than writing their own operating systems. Typically, these companies are very comfortable with solving the problems within their application space. Yet, there is a history of these companies writing their own cruddy operating systems, and at the same time writing worse applications.

It would be better if routers, firewalls, telephone switches, fileservers, and whatever else used reliable components, designed by people who care.

So go ahead, use any parts of OpenBSD as parts of commercial systems.

Full Disclosure And Version Numbering
by Effugas

First of all, I want to thank you for the hard work you've done building OpenBSD. It truly is a wonderful package.

Much of the security in OpenBSD lies under the hood in the work you've done cleansing the source of unsafe library calls. While this work is appreciated, I've become more and more concerned lately about the fact that these changes are not necessarily documented and certainly not reflected in the version number of an application or utility.

Version numbers reflect a snapshot in the life of a codebase. They're used to reference unsafe editions or particularly stable builds. Major number reflect code branches, but minor numbers reflect specific states of the code -- such is the expectation of a user or an administrator when a version number is detected. Without granularity of versioning, I have no reason to trust or distrust a given application by its number; I must personally audit its source -- and end up giving it a number of my own.

You and your team are code auditing masters. Rather than pollute the namespace by making indistinguishable your securely built modified code and the original(and, by extension, your secure code and numerous unnamed distributions' "just get it to compile" modifications), wouldn't it be appropriate for OpenBSD to apply a name extension to any package which it has modified, and in the interests of full disclosure, to provide a reasonable CHANGELOG of the fixes contained therein?


Two numbers exist for every component of OpenBSD. One number is the release that the piece came in, ie. 2.8.

The other number exists in each source file that was built. And that number is also in each binary that was built from those files. You can use the what(1) command to determine the revisions of source files which make up each binary.

As to the "original" you talk about, there is no original. OpenBSD uses it's own components. I don't know what packages you are talking about. cat is cat. ftpd is ftpd. tar is tar. It's the one that came with a certain release. In the systems approach, the version numbering that other groups do is sometimes invalid, because pieces (such as libraries) are all part of the picture.

Was the last plane you were on using front wheel version 2.7 or 2.9? You don't care. You do however care greatly that a "systems approach" was used to ensure that it was whole. And in the OpenBSD case, that means pick a version, and install the patches.

Asking for more means that you want us to do less work on the system, and more version numbering.

Where does the money go?
by MrSparkler

I've seen reports of estimated CD sales per release at being as high as 10000. Add in t-shirt/poster sales and donations and a relatively considerable sum of money is flowing around OpenBSD. Combine this with the fact that checks are to be written to Mr. de Raadt and I get curious as to how the finances are handled. Not that I'm suggesting any misappropriation is occurring, I would just like to know who is in charge of the money and whether or not the OpenBSD project is registered as a non-profit organization (and if it is then checks should be made out to - and the CD image should be copyrighted to - that organization). Also, I would like to see a small financial report put out (as would be required if it were a non-profit organization in Alberta) so that users can see where their money is going. Plus, I would also like know exactly how many CDs are sold per release.

I greatly appreciate the work that the OpenBSD project developers have put in, and I plan on continuing to use, purchase, and donate to OpenBSD (and maybe even contribute when I get the technical skills) regardless of the answer to this question: Where exactly does the money go?


We've not yet sold 10,000 CDs in a release. Hopefully we will soon. The project ends up with a bit less than 50% of the revenues from CD sales. The tshirt business is doing OK, but you make a lot less selling textiles. With posters we operate just above break-even. Even though some are sold on the web, most turn out to be free handouts at most conferences. That is how I planned the posters to operate.

We have thought about becoming a non-profit organization, but it is not really a good idea. It would not provide any real benefit -- to you -- as the masses. Especially in Canada, there are costs and serious responsibilities associated with doing such a thing. We would be giving up a lot of freedom, and would need to hire someone to do a lot of accounting. Also, since many of our donations come from outside Canada, we still could not really generate taxable benefits to you. (And I must ask, why are people so cheap, that they only give donations when it provides a partial reduction in their taxes, rather than a real donation? I actually find that pretty fake.)

Money from the project goes to various things. First off, it ensures that I can work full time on OpenBSD, and not need another job. I am also hoping to do the same for other developers in the project, who have indicated that they are interested in doing so. Secondly, certain grimey, unenjoyable, and very important development tasks sometimes put a bit of money in developer pockets. Some OpenSSH work was funded by matching OpenBSD money against donations from a Van Dyke. Thirdly, the project buys a fair amount of hardware: In powerpc land alone, 4 machines this year. Fourth, shipping costs to conferences sometimes severely cut into profits from sales. And finally, when developers get together to do hacking, project money sometimes pays for various things, like airplane tickets, accomodation, and sometimes even some beer. And beer results in ideas, which results in new code.


Before you ask: yes, we'll be doing Slashdot interviews with people from other *BSD projects in the near future - Robin

This discussion has been archived. No new comments can be posted.

Theo de Raadt Responds

Comments Filter:
  • by Anonymous Coward
    I got the same impression. What is with the attitude? I thought the question about producing a book was an excellent idea. There are always students wanting to learn the things that Theo does everyday but instead of trying to teach others these skills they get the brush off. From his arguement, why produce any books at all? Everything that's contained in a book people have figured out on there own so if your not smart enough to think of it, tough luck bud.
  • by Anonymous Coward
    As an OpenBSD user who also reads /. (along with seveal other Linux -or- BSD oriented web sites) and its interviews, I was thinking this past summer that if /. interviewed Theo, it would suck. I was dreading Theo's interview, hoping it would not happen. Not because of Theo, but because of the /. community. A community that is by and large linux centric and generally lacking knowledge of BSDs. Someone would certainly over scrutinize and search for something that would slight or insult them. And find it, and make themselves believe it exists, and post something just inflammatory enough to turn people off.

    In the end, I felt an interview would not *help* the OpenBSD community really, because someone would find fault in *something* and draw it out, enhance it, to really no good point at all. Well, it seems that CyberKNet's post is a nice example of that. It's classic /. style of find some insignificant error (that is in itself debateable) and make it some felony.

    You think his answers were belittling? Look at your questions, for crying out loud:

    LizardKing's Q on a code auditing book--Answered on the OBSD newsgroup already. Search deja.

    Making Ports Secure--Gee, let's ask a question to the person resonsible for OS security about ALL program security that might run on the OS. iow, if there was an interview with Linus, it would be like asking him why perl on some Linux distributions had a security hole because the developers were stupid enough to hard code /usr/bin/mail when they compiled it.

    B1 and OpenBSD Q--Asked and answered when Trusted BSD came out. Search deja and misc.

    Working with other BSD distributions--Communication is a two way road. Look, this is a silly question to ask, not because of the question, but because the answer is so readily apparant. The comments by the NetBSD and FreeBSD groups as well as users is plain to see on the newsgroups, on web pages, etc. It's all *very* public.

    SMP and dual-processor support--Search the mailing lists. Asked and answered.

    Version numbering--Already addressed when there were comments about the lack of a stable branch in OBSD.

    $ issues--Lovely. As if that wasn't an insulting question.

    The "I don't want to teach you" mentality is really the "No, I don't want to feed you with a spoon." No one, including the moderators, checked to see if these questions were asked and answered by simply grepping an email archive. No Linux user in the community is going to point out that, "Hey, last year or so, there was a posting on a Debian mailing list about developers getting sick of answering lame questins too."

    As to the BSD and Linux community differences, well, they are different communities. I moved away from Linux because the communities just got bogged down *for my tastes*. My take is that the Linux community is *incredibly* ignorant of the BSD community, not vice versa.
  • by Anonymous Coward on Monday December 11, 2000 @09:40AM (#567029)
    > Considering that NetBSD has maintained
    > a black-hole route to the OpenBSD
    > project networks for roughly four years,

    Those who do not familiar with Mr. Theo de Raadt's usual action about BSDs should know the following history about the mail filtering.

    • not only NetBSD, but also FreeBSD maintain such filtering.
    • the reason why the filtering exists is that Mr. de Raadt made threat that he will send mail bomb, and he never retract that. You can confirm this by mailing list archive of FreeBSD [] or NetBSD [].
    • NetBSD doesn't maintain a black-hole route to the OpenBSD project networks, but did make a black-hole route to Mr. de Raadt's network. Other OpenBSD developer should not have problem, and there are many developers who have both OpenBSD and NetBSD developers' account. For example, one of NetBSD's core member is a OpenBSD's developer.

    This issue is once raised by a OpenBSD developer in DaemonNews forum [] which has neutral position between FreeBSD, NetBSD and OpenBSD, and its conclusion is that the forum should never have posted the topic []. I don't know why Mr. de Raadt mentioned this filtering again in slashdot. Perhaps He'd like to show that he is still ready to post mail bomb to FreeBSD/NetBSD mailing list?

  • by Anonymous Coward on Monday December 11, 2000 @10:09AM (#567030)
    This has been discussed on the OpenBSD mailing lists. Theo is quite disingenuous when he claims the he wants people to "use his code". He has said in so many words that he really only wants OpenBSD to use his code. The versioning discrepancies are intentional on his part to make it difficult for third parties to track OpenBSD. I'm sorry that I must resort to ad hominum attack, but in Theo's case it's warranted: Theo is a paranoid twit. For example he thinks he "owns" OpenSSH. When a third party started a web site devoted to OpenSSH Theo started a fight over who owned the domain and threatened legal action. He is deathly afraid of other projects "stealing" his code. If you want to truly understand his bizarre mind, you have to read the mailing lists where he lets his true nature be known. Don't fall for his phony public PR persona. As is well known to most members of the *BSD community, Theo has serious problems.
  • First off, most security holes that I hear about tend NOT to be in the OS kernel's themselves, but rather userland software. The assumption that having more or less code running in the kernel changes security in any kind of a significant way is incorrect.

    Secondly, pay attention to what Theo is saying: most security problems come from incorrect use of interfaces. In the microkernel world, you may indeed have fewer interfaces to the kernel, but understanding how to use those interfaces can be an extremely daunting tasks (just ask anyone who's hacked on Mach before). Furthermore, you still need interfaces to all the userland code that's running on top of the kernel (i.e., if you need to interface with the filesystem, it doesn't matter whether it's in the kernel or not, you can still get the interface wrong and thereby create a security problem). In HURD, for example, the interfaces and interdependancies between modules are MORE complex, particularly given that you have to allow for an infinite number of implementations of said interfaces.
  • You're ignoring 3 major problems:
    • While there are supposed to be fewer interfaces in a microkernel, it tends to require a great deal of sophistication to understand how to use them correctly.
    • Even if an interface isn't in the kernel, it still has to be somewhere. Getting it out of the kernel doesn't improve security in any way. If you need to talk to the filesystem, you still can misunderstand the filesystem's interface regardless of whether it's in the kernel or not.
    • In multi-server microkernel systems (such as HURD), you have additional complexity (and therefore security problems) with the interactions between the different servers that make up the operating system. You have to allow for each of the servers to be replaced with something which behaves entirely different (although hopefully fulfills the interface contracts... IF they are understood... ;-). So, you make the problem worse rather than better.
  • by Christopher B. Brown ( 1267 ) <> on Monday December 11, 2000 @08:56AM (#567034) Homepage
    ... indicates that the costs of accounting for the charitable organization eat up much of the would-be benefits.

    ... And if the purchaser pays for an "invoice" for "software/services," then the money given may be deductable as a business expense.

    The big "merit" in the "donation" thing is if this allows the organization to receive individual contributions from individuals that wouldn't otherwise be able to "deduct" the payment for tax purposes.

    While, when you add this sort of thing up across thousands of churches, it adds up to real money, it's not going to be spectacularly worthwhile for a software project that might get $30K in donations and have to spend a chunk of that on organizational costs.

  • First off, I agree 100% that the Orange Book is not about security in the conventional sense of preventing intruders from gaining access.

    However, some form of resource control is essential to preventing users authorised for one thing from doing something else.

    ACL's are -one- way of doing this, the schemes described in B1 are another. You're again 100% right that they're not the same thing. However, they both attempt to deliniate exactly what a user is and is not able to do.

    (As for foaming at the mouth, I'm going to go out on a limb here and guess you've met some pseudo-nerds who're drunk on a mix of power & Agent Orange, and who believe that if it's "Official", it's somehow "better" or mysteriously "all-encompasing". I'm not about to start a cult to the Mighty OB1. :)

    Distributed Kernels are kernels which divide low-level tasks between sub-kernels, where each sub-kernel runs on a seperate processor or even a seperate machine.

    Distributed Kernels are one way of doing hardware-independent parallel processing. You're not tied to SMP, you're not tied to a single motherboard, you're not even tied to a specific manufacturer.

    From a security standpoint, it has two major impacts. On the one hand, breaking one component of the system does NOT necessarily compromise any other component. They run on seperate CPUs, after all. This means that you can have secure intrusion detection at the kernel level, with secure fail-over to a non-compromised system in the event of intrusion.

    On the other, you're now ferrying very low-level data across a network of unknown security. The risk of someone compromising the system by compromising the network is obviously much higher than for a stand-alone kernel.

    Last, but not least, to anyone who may be critical of him, Theo de Raadt is perhaps the most brilliant guy in the BSD world and I'd place him as one of the top 3 coders in the world.

    As for his infamous "moods" - if he's bipolar, HFA or AS, then his moods (and his brilliance) are entirely explicable and nothing to condemn him for.

  • Exactly, Choice is good. The important fact is that all of these OSes are a mere hop, skip, and a jump from each other. All of them also have their technical advantages as well.

    And yes, that includes Linux.

    The beautty is that once compatibility is out of the picture you are free to choose your OS for purely technical reasons.

  • by Jason Earl ( 1894 ) on Monday December 11, 2000 @10:54AM (#567037) Homepage Journal

    SMP is plenty interesting to the Linux crowd. They have spent a huge amount of time working on it. The fact that it isn't interesting to Theo and the folks working on OpenBSD simply highlights one of the benefits to the Open Source way of getting things done.

    If you start your project on OpenBSD and decide that you need SMP to get the performance you need "porting" to Linux shouldn't be much harder than moving your source to a Linux box and typing "make." If, on the other hand, you develop on Linux and then decide that Linux's security isn't good enough for implementation, you can just as easily port to OpenBSD.

    There is never going to be an Uber OS that is specialized for every task (although the generic Unix way of recompiling the kernel does come close). That's why standardized APIs are so important. That way you can change your OS midstream if it isn't giving you what you need. The Open Source community has done a pretty good job of matching up APIs.

  • You are very much misssing the point.

    OpenBSD is not "300MB of source" that Theo thought up. There's quite a bit--likely a majority--of stuff brought in from other coders *WHICH RETAIN IDENTICAL VERSION INFORMATION*.

    Go query Perl. Or vi. Or httpd. They're all external packages, with their own internal version. If Theo wanted to reversion them to "Perl OBSD 2.8" and "Apache OBSD 2.8" and so on, that's fine. But that Perl ain't 5.6.0 unless it was built from the 5.6.0 tree.

  • Yes, alot of other distributions do it.

    Now, why would I put the question to the number one distribution known for doing it right, when everybody else does it to?

    To redefine that which is known as "doing it right", so we don't get any more Debian Secret Backported Bugfixes.


  • Meow:

    Yes, I can definitely hunt down the changes, and Theo is well within his rights to change the source. Hell, I'm thrilled he's fixing problems.

    But should I have to check a changelog to know there's a change?

    That's the bottom line question. Should not a version reflect a snapshot of code? Should not I be able to trust a given codebase by its version alone, rather than have to audit the source by hand?

    If a version *doesn't* refer to a snapshot of code...well, what does it refer to?

  • (Why was there bash in your shell?)

    Because I wanted command completion. What, you think sh is the height of security? Among other things, *any* shell can be trojan'd to attack replace su, or even /bin/su, with a mod that captures the root password. The advice to never log in as root, and rather to su to it, is thus rather dangerous.

    You are correct, of course. Most things shouldn't be done as root. I could theoretically have checked versions without it. This is somewhat on the order of a spelling flame, but I'll take it in stride.

    As for my qualifications, feel free to scan my BugTraq posts, and thank you for helping to prevent my ego from growing too large.

    Yours Truly,

    Dan Kaminsky
    DoxPara Research
  • Actually, that's pretty interesting! Here's my output on OpenBSD for Sparc. Note the lack of "Locally Applied Patches", which I appreciate.

    Still, I question if the version number should stay stable. Suppose, for a moment, that the rest of the world finally discovers major holes in 5.6.0. Should OpenBSD administrators have to root around the Changelogs to realize they're running a safe build? Wouldn't it be better for them to be running 5.6.0_OB2.7 and see that, heh, the Changelog shows that the new stuff protects them?


    $ perl -v

    This is perl, v5.6.0 built for sparc-openbsd

    Copyright 1987-2000, Larry Wall

    Perl may be copied only under the terms of either the Artistic License or the
    GNU General Public License, which may be found in the Perl 5.0 source kit.

    Complete documentation for Perl, including FAQ lists, should be found on
    this system using `man perl' or `perldoc perl'. If you have access to the
    Internet, point your browser at, the Perl Home Page.

    $ perl -V
    Summary of my perl5 (revision 5.0 version 6 subversion 0) configuration:
    osname=openbsd, osvers=2.7, archname=sparc-openbsd
    config_args='-Dopenbsd_distribution=defined -dsE'
    hint=recommended, useposix=true, d_sigaction=define
    usethreads=undef use5005threads=undef useithreads=undef usemultiplicity=undef
    useperlio=undef d_sfio=undef uselargefiles=define
    use64bitint=undef use64bitall=undef uselongdouble=undef usesocks=undef
    cc='cc', optimize='-O2', gccversion=2.95.2 19991024 (release)
    cppflags='-fno-strict-aliasing -I/usr/local/include'
    ccflags ='-fno-strict-aliasing -I/usr/local/include'
    stdchar='char', d_stdstdio=undef, usevfork=true
    intsize=4, longsize=4, ptrsize=4, doublesize=8
    d_longlong=define, longlongsize=8, d_longdbl=define, longdblsize=8
    ivtype='long', ivsize=4, nvtype='double', nvsize=8, Off_t='off_t', lseeksize=8
    alignbytes=8, usemymalloc=n, prototype=define
    Linker and Libraries:
    ld='ld', ldflags =''
    libs=-lm -lc
    libc=/usr/lib/libc.a, so=so, useshrplib=true,
    Dynamic Linking:
    dlsrc=dl_dlopen.xs, dlext=so, d_dlsymun=define, ccdlflags=' '
    cccdlflags='-DPIC -fPIC ', lddlflags='-Bshareable '

    Characteristics of this binary (from libperl):
    Compile-time options: USE_LARGE_FILES
    Built under openbsd
    Compiled at May 5 2000 12:35:29

  • Is it really too hard to read the errata?

    YES! It IS! It's too hard for me to read the source code to every app I run. I admit it. I want to trust Theo. I want to believe his prying eyes are protecting me from danger. I don't *want* to have to go diving into the code he writes or even the fixes he claims when a new vulnerability comes out. I want to know: Is this the exact same code that is vulnerable everywhere else? Then upgrade. Is this NOT the exact same code, and therefore I should check the Changelog?

    I'm not asking alot. I'm merely asking the question: What do version numbers mean, if they *aren't* snapshots of code?

  • Umm, you seem reasonably intelligent, would you mind explaining how you got my desire for unique version numbers to mean "I want no fixes"?

  • My point is, if you have to check to see if *your* version of 5.6.0 is the same as the dangerous version of 5.6.0, that version number just lost a hell of alot of relevance and is essentially meaningless.

  • by Effugas ( 2378 ) on Monday December 11, 2000 @09:11AM (#567047) Homepage

    I don't think it's fair to say, as you did, that "ftpd is ftpd" or "tar is tar" for all of OpenBSD. Examples from version lines throughout OpenBSD:

    spork# perl -v
    This is perl, v5.6.0 built for sparc-openbsd

    bash-2.04# ./troff -v
    GNU troff version 1.15

    bash-2.04# nawk -V
    awk version 19990620

    bash-2.04# gcc -v
    Reading specs from /usr/lib/gcc-lib/sparc-unknown-openbsd2.7/2.95.2/s pecs
    gcc version 2.95.2 19991024 (release)

    bash-2.04# ./cvs -v
    Concurrent Versions System (CVS) 1.10.7 (client/server)

    [vi :ve]
    Version 1.79 (10/23/96) The CSRG, University of California, Berkeley.

    bash-2.04# ./tcpdump -V
    tcpdump version 3.4.0
    libpcap version 0.5

    bash-2.04# ./httpd -v
    Server version: Apache/1.3.12 (Unix)
    Server built: May 5 2000 14:44:59

    Look. Some of these you modified. Maybe all of em. Maybe one of em(I *know* you touched Perl.) Lets take the example of tires, why don't we. If I've got Firestone Model X432LFR tires on my car, and I run down to the dealership asking why I'm driving a deathtrap, is he allowed to laugh at me because "Of course *we'd* never put the deadly X432LFR tires on your car, we'd only put the *good* X432LFR tires on! Stupid customer."

    That's essentially what happened with Debian a while back, and it was infuriatingly unfair.

    I'm not asking you to do more work, Theo--you've *done* the work. I'm asking you to admit it, mark it, brand it in such a way that we know you've been forced to do something to it to make it secure. And then all of us can bitch and moan to the author's of whatever package you've taken and say, "Heh, he changed your stuff, maybe there's something you should look at." Maybe we'll be ignored. But, in the end, *you* did the right thing.

    Theo: You and your team rewrote much of an early build of SSH. Technically, you could have said, "Here's SSH1.2.1x, as part of the OpenBSD system." But then nobody would have known what you had pulled off, and people would have had trouble finding your specific improvements. I'm not saying you need to rename every package to show how much you've added. But to keep the original version numbers is to conflate your secure and solid version with whatever bugs you *know* lurk in other people's code. When Foobar 1.2 comes out with a remote root, and OpenBSD ships with Foobar 1.2, do you like--or enjoy--when system administrators frantically upgrade your *already fixed version* of Foobar 1.2 with the original author's possibly broken Foobar 1.3?

    Because that's what your version numbers cause.

    They're easy to fix, Theo. It's just a tag to let us know you fixed something. It's something for us to differentiate your code with. (Incidentally--what does little on my 2.7 Sparc build.) Consider this: As much as you say you've only dealt with the system, I *know* many of the packages from Ports have had patches that didn't modify version numbers--and I have *no* idea if anything's been modified in your packages section. I just don't know.

    This is not a problem specific to you, but I think OpenBSD is in the right place to change what I consider to be a particularly pernicious industry practice. I believe in your systems approach, but a secure system cannot be built from insecure parts. If you've secured your parts--show this, and perhaps let us know where to look to find out how.

    Yours Truly,

    Dan Kaminsky
    DoxPara Research
  • Not really

    What userland protection helps is stability ; less code that can deref a bad pointer, etc. What it can't help is the quality of the code. At the end of the day, an attempted attack will try to make the code make the wrong decision; i.e. allow something to happen that shouldn't have, or do something that is shouldn't have. That has nothing to do with whether or not it causes a segfault somewhere else.

    Although some attacks could make monolithic kernel code do something to other code segments somewhere else, it really isn't all that likely or often used. Attacks tend to be against making code call the wrong routine, set a variable the wrong way, etc. That stuff can't be helped with microkernels.

    Sorry, all microkernels are really good for are (1) loadable features (no recompiling), (2) crash protection. But, they do the traditional tradeoff of speed for it (multiple context switches for a single system call, etc.).

    But, anyone else get the feeling that a good portion of the questions Theo did respond to were all asking the same thing: what common errors do you end up fixing? Not a horrible question to answer by far. Sure you could say 'bad code,' but a list of good examples of security-critical mistakes are far more helpful.


  • by John Siracusa ( 4209 ) on Monday December 11, 2000 @09:12AM (#567053) Homepage
    "The repeated nature of the same classes of bugs throughout the source tree, also showed us that most programmers learn to code by (bad) examples. A solid systems's approach should not be based on "but it works". Yet, time and time again, we see that for most people this is the case. They don't care about good software, only about "good enough" software."

    See also: the "HTML" on the supposed "geek web site" called Slashdot. (as well as, to be fair, the rest of the web.)

  • Whassup? The question I asked made it into the top-10 ranking yet didn't get addressed...

    Mac OS X & BSD []

    I'm curious about how the BSD folks view the impending couple million new users they've got heading their way when MacOS X is released.

    Please, no Mac-rants, they're trite & off-topic. I just wanna know about the question.

  • The thing is, the Linux kernel debugger isn't enough to cause a fork, at least. Linus has already stated that he doesn't care if a Linux kernel debugger exists, nor will he ignore patches that were debugged using such a hypothetical debugger per se. He just believes that the current "only the best coders who can see the problem beyond a debugger can do any kernel work at all" system allows for a darwinism that the touchy-feely "debugger for the people" system wouldn't. And, elitist as this may be, I think he's right. The debugger folks could fork - then again they could just write the damn debugger and have it be unofficial. But they haven't. Because with Linux especially, it's the toughest bastard wins, and the kernel debugger faction is less of a bastard than Linus, which is why their arguments sound so good, but they are ultimately doomed. If they fork, they'll be squashed.
  • by Ed Avis ( 5917 ) <> on Monday December 11, 2000 @09:07AM (#567060) Homepage

    As a Linux user, one comment Mr de Raadt made surprised me:

    As to the "original" you talk about, there is no original. OpenBSD uses it's own components. I don't know what packages you are talking about. cat is cat. ftpd is ftpd. tar is tar.

    In Linuxland, cat is GNU cat, tar is GNU tar, httpd comes from the Apache project, rpm comes from Red Hat, and so on. There is always an upstream maintainer for any particular package and no distributor (AFAIK) tries to maintain its 'own' releases of things. If a bug is found, the fix tries to swim upstream to the breeding ground, where it can add itself to the gene pool for future releases of all distributions. (Alas, I do not have a ten-man team auditing my comments for dodgy metaphors.)

    I suppose it makes sense in a way to have your own codebase, especially if you are concentrating more on security than on adding new features. You have control over every line of code that goes in, and you don't mind missing out on new versions of stuff that is released. Also, if your original 'upstream source' is a group of people you split acrimoniously from, you might prefer not to rely on them. (Although I can't help feeling that if the OpenBSD and NetBSD people made more of an effort to commonize code in both directions, the feud wouldn't have lasted as long. This sort of thing going on between two Linux distros - eg Mandrake and RedHat - would be unthinkable.)

    But not relying on an upstream maintainer for packages does not mean you can't contribute your fixes back. All the BSDs originate from a common code base, right? There must surely be at least 95% common code in the shell and shell utilities (which change relatively slowly), even if the kernels have diverged. So what effort do they make to avoid reinventing the wheel? And when OpenBSD fixes a set of bugs, do they report them to the maintainers of the original package?

    Perhaps the problem would be that they couldn't agree on who should be the original source. Imagine if NetBSD claimed that they were now the 'official' maintainers of BSD make, for example. Would OpenBSD accept that? Perhaps some neutral 'BSD Foundation', with support from all three free BSDs, could take over maintenance of the common or fairly-common BSD code. Or somebody from Berkeley (Bill Joy perhaps?) could make a ceremonial proclamation.

  • Theo, If you get the chance to read this, I'd just like to make a comment or two. First, we are fully aware of the human resource restraints for security audits; however, would it be possible to have third parties audit their own code? I want to see GNUstep security tested and we're working on getting it running well under OBSD anyway right at the moment? Would you trust us to do it ourselves? Would you still have to look at it first?
  • Yes, I feel similarly about this. I respect Theo, and I respect the project. It definitely has its place. However, it occurs to me that Theo has learned to do something very well and is hanging on to it until the last moment because he feels safe there. He has learned to audit code for buffer overruns (OK, I'm oversimplifying), and he has been doing it for a very long time, afraid of trying something new.

    Perserverence is not always a sign of strength or skill. Once you learn how to add, you move on to multiplication.

    I have a similar tendency to like DOS. I have spent a whole lot of time playing with it, and am not afraid to say that I know it well. DOS is very simple, but very stable, meaning that there is rarely anything new for it. I know that the latest version of Norton Utilities for DOS will be 8.0, and the latest version of NC will always be 5.0. I know how to fix things in it.

    However, I also know that it is old and not good, which is why I don't use it anymore (except for the occasional 5-day contract at some company with a bunch of 386es). I am instead trying new things.

    Single processor x86 Unix and C are nice and safe. SMP is new stuff, and you no longer feel warm and comfy there, sort of like getting out of bed on a winter morning. But you have to get out of bed... that's the way the whole thing works. :-)


  • Microkernels are just a whole lot more work to implement... they don't have the resources or the interest.

    I think OpenBSD just wants to produce a simple and secure BSD variant for uniprocessor micros... not be the Ultimate OS.

    "Free your mind and your ass will follow"

  • by fishbowl ( 7759 ) on Monday December 11, 2000 @08:30AM (#567068)
    The point of the question about a "floppy based"
    system (firewall/router, is not to use
    the floppy, but, to make it simpler to configure
    than "BOOTP/Diskless".

    In a floppy-based system like that (firewall), the
    floppy would be used to boot the host, that is all. The goal is to have *NO* disks, or any other
    moving parts.

  • For OpenBSD i have this source:


    And maybe this page:


    For Debian I have:


    If I need to get the code difference I use diff either on the OpenBSD source tree of the debian source tree. But when there comesa security hole it's usally a note on what OS the hole works on. If a patchg exists the time to find out if one need to add the patch is usally very small. (Actually it's selldom upgrade to this new version that has this fix and all this new features...)
  • by Balp ( 7960 )
    You probably could use GPL is you like to on modified BSD-copyright code. But I don't think it's right to take away the users rights like that...
  • by Balp ( 7960 )
    Not realy, if going to sports, comparing with boxing of Ju-Jutsu that train will give a better view.

    How do I became a good refeeree?

    I suppose the best tip is to go a loot of fights.

    (Even thous one could wonder if this fits to boxing.)

    / Balp
  • > I'm glad that there are still geeks out there that aren't ashamed to admit to enjoying steriotypical geek food like Pizza and Beer

    Pizza maybe, I've never seen beer associated with geekdom. Bunch of namby-pambies with their Jolt Cola usually, I prefer to code with a nice thick guiness in hand (tho not with beer, i like fat tire with my pizza)

    For the record, I also hate twinkies.

  • If I understand correctly HURD and probably other Microkernels can run at lot more stuff in userland and that could at least be a advantage when you try to build a very secure system. If Theo is really posting on ./ today, it would be nice of him to eloborate a little more about this general thoughts on kernel design.

    In theory. In theory, microkernels could just swap out pieces of the system for independently developed implementations, and a change in one component need only affect that component (orthogonality). In practice, microkernels tend to just replace function calls with messages and their components remain tightly coupled as ever, so a failure (such as a security flaw) in one will tend to cascade to the other components in the system. Projects like OSKit offer hope for a more orthogonal OS design, but I'm not holding my breath.

  • > I said utopia

    An all-too appropriate word, considering the word means "nowhere". Show me paradise in any OS today. Lead me to the Buddha in the machine.


  • Just because Americans can't make beer that doesn't taste like mouldy water doesn't mean that Canadians are equally challenged.

    Next time you're up in the great white north try and get your hands on something made by Big Rock breweries of Calgary. That's good beer.

    Never heard of them. Just as you've likely never heard of Left Hand or Wynkoop or Broadway Brewing or any of the HUNDREDS of craft breweries in the US, probably an order of magnitude more than any other country in the world. Those three are just three ones in Colorado alone (home of Coors, lightly flavored spring water in a can) that I could name off the top of my head.

    We all carry six-shooters and wear stetson hats too, you know?

  • > I'm NetBSD user. I won't tell you whether there is 140, 1400 or 14000 NetBSD users because I don't really know ...

    YHBT. HAND. This guy you responded to is a troll who posts the exact same post in every single BSD article. Just ignore him, he's just another reason I normally browse at threshold 2 til I get bored.

  • > Could you back up this statement?

    Bill Joy was one of the original authors of BSD. And vi too (*sigh*).

  • > Why must it be a non-profit?

    So that he doesn't get taxed as a for-profit business. Non-profit doesn't mean you can't draw a reasonable (or even comparatively handsome) salary if you choose to take one.

  • > 4) If you don't like it, don't use it. Better yet, if you don't like it, fix it! There's nothing stopping you from writing better documentation if you find it

    You want documentation written by people who needed the documentation in the first place and didn't get any? Neat trick. I think I'll write a treatise on nuclear physics in order to teach myself.

    See Dick ... um ... move his legs real fast.

  • Last I checked, physics students get textbooks too. Last I checked, I wasn't enrolled in a semester-long course on how to use your goddamn application (the generic "you"). If it isn't worth the bother to document, it isn't worth mine to use. And there *are* alternatives I will pay for if necessary.

  • Sometimes communication with the maintainers of these other packages is difficult, for various reasons. Sometimes they are immediately turned off because we don't use the word Linux.


    Why are you guys so fork paranoid?

    Looks to me like you've already answered your own question, Theo.

  • by OWJones ( 11633 ) on Monday December 11, 2000 @08:28AM (#567089)
    ... try and think about what his priorities are. I admit that when I read over the interview my first reaction was "What an ass! People are trying to give him serious questions and he's blowing them off!" Which is half true. Subscribers to Bugtraq will be a bit more familiar with Theo's, uhm, interpersonal style. :) In reality I suspect Theo just wants to write, maintain, and release good, bug-free, secure code and not be hassled with feature creep or random things a good number of his users won't care about or really use.

    And what's wrong with that?

    OK, he's no "Dear Abby", but neither is RMS. I know many here aren't big RMS fans, but are you insecure enough about your own little world that when someone says, "Quit bothering me with stupid details, just write the code" you start flipping out? I attended Supercomputing '99 and went to a talk by Thomas Sterling, one of the original Beowulf pioneers at NASA. A good chunk of his talk was spent complaining about "Linux cruftiness" and "why are you people here when you could be writing code"? I admit I was somewhat pissed coming out of it, but it did have the effect of motivating me to start programming again. I think sometimes we just need a swift kick in the arse from someone (hi Greg!) to get motivated.

    Bottom line: ignore the stupid "Are you mad?" comments from someone whose ego is a bit too big to take the time to be polite, and focus on the "learn your APIs, understand your APIs, and stop writing shitty code." Learn the message, ignore the messenger.


    (I'm ready for my big Mod-down, Mr. Director :)).

  • by swb ( 14022 ) on Monday December 11, 2000 @08:30AM (#567094)
    I think he's missing the point on floppy based routers. The goal of using a floppy is to eliminate the hard disk, both for cost purposes and hardware performance.

    Flash RAM would be perferred, but flash disks are hardly ubiquitous and free-for-the-taking x86 systems that work great as routers don't generally have flash-based disks installed. A floppy drive is almost a given in any system.

    The hardware advantage of a system without a hard disk is the reduction of heat generation, meaning they're easier to put in heat-hostile environments like telephone closets. System upgrades are a snap, since you just move the disk to another platform.

    As far as security goes, other than floppy disks general lack of reliability, what's the problem with them? They're physically write-protecable, which many IDE disks aren't. Sure it's easier to swap a floppy out than a HD, but if your machine doesn't have physical security to begin with you've failed the first checklist item for security.
  • by Roofus ( 15591 ) on Monday December 11, 2000 @09:09AM (#567095) Homepage
    Any advise for code auditers?

    I suppose the biggest tip would be to become a better programmer.

    Bah Humbug! Thats equivalent to
    How do I become a better sprinter??

    I suppose the biggest tip would be to just to run faster

  • I don't know what OpenBSD does, but in Debian, every package's source is distributed in two files - the original upstream version and a diff of everything changed in the Debian release (even if it's only the Debian build scripts).

    In addition, every packages has a Debian.changelog that should have information about what changes have been added in the Debian version.
  • ...many moons ago...and how there is only one (superior) varient around.

    Unneeded complexity is bad, mkay?

  • If Theo is so afraid that others will steal his code, why does OpenBSD use BSD license? I imagine he cannot "relicense" the original BSD code under GPL, but perhaps he can GPL his new code..?

  • by FiDooDa ( 23111 ) on Monday December 11, 2000 @09:53AM (#567105)
    "What is the point? Why bother if you aren't even going to put in SMP?"

    Maybe being able to use a system as a firewall/gateway that makes me sleep at night because i feel confident that it will not get h4X0red.

    I really don't give a fsck if it doens't have SMP support. What's the REAL percentage of online SMP boxes anyway? I'll admit the it is really nice (and usefull) but i'm sure there's a majority of sites that simply don't need it (yet).

    "What is the most effective Windows NT remote management tool?
  • Mind you, a box like that would never, ever, face the Internet directly.

    That's the key point - I wouldn't really use OpenBSD for what you describe; probably one of the commercial unices which are tuned to the specific multi-proc hardware that they run on.

    For x86 and single-proc Sparcs though (the only archs I've used OpenBSD on), it rocks hard! SMP would be 'nice', but certainly not something I'd lose sleep over not having. Also, I would prefer it to be implemented properly, and not with horrible global kernel locks lying all over the place ...
  • by stab ( 26928 ) on Monday December 11, 2000 @10:13AM (#567114) Homepage
    For these types of ultra secure tasks, there should be extremely limited cases, and ideally no class of errors that would be "subtle" when it comes to standard library calls. I would suggest that C is not a good language to write a secure operating system in, because it very obviously requires too much manual labour to weed through the subtleties of it's operation

    Uh, right. So go ahead and write an entire operating system in a new language then. Don't forget to design the language first though! Remember the C-bashing thread on Bugtraq over the summer? Whatever its limitations, we are stuck with C ...

    2. The proper approach seems to be a very limited operating system, perhaps in C, with a virtual machine over that which is proven secure, thereby giving at least strong security to every application then running ontop of that VM.

    Nice theory, much like many of the other 'ground-up' papers I've read. And meanwhile, while you sit posting and postulating on the great designs that will rule the operating systems world, I'll just use OpenBSD, and be happy with the stability and reliability of the system. Perhaps I'll look you up in ten years when you've finished this idea?

    What is the point? Why bother if you aren't even going to put in SMP?

    I really, really don't care whether or not OpenBSD has SMP. If I need a faster box, I'll just upgrade to a faster processor. The majority of server systems these days are either I/O or connectivity bound these days.

  • Why are you so shocked? It's BSD.

    It is NOT exploitation. Nothing is stolen.

    The CVS repository does not disappear when a commercial company uses the software it contains.

    The people behind a given project continue to work on their project. That does not suddenly stop because some company is selling it or something based on it.

    6 months later the project releases a new version. The company is still behind. They could work on it from the point they started using it, or they could use the new release. Since they have to keep tracking new rleases anyway, they could even (and many do) help by giving their changes back to the project.

    And even if they don't (and many do), the project members spent those hundreds of hours of work doing what they loved and could care less what some company does. They want the fruits of their labor to fall into as many hands as possible. BSD allows and encourages that.

    GPL zealots are hypocritical. If you're so worried about The Man making money off of you, why are you writing free software?

    Tell me, would you rather write free software because you WANT to or because you HAVE to?

  • That's a good point about firewalls, that's an important use of this OS. However, I would have though it would be easier to lock down a firewall machine with existing the existing OS than audit the whole thing? It's my understanding that this audit will attempt to make the OS more secure for more "dangerous" tasks, where more ports need to be open, more applications are running and generally the machine is used for more things.

    In that case, then I think SMP starts to become a necessity for any major server OS, otherwise it'll never be put on any of the really big machines that could benefit from all the enhanced security.
  • by Matt2000 ( 29624 ) on Monday December 11, 2000 @09:09AM (#567119) Homepage

    Here's the main point, before we even get started: This project should be scrapped, there are easier and better ways to do what is being done here.

    Now the reasons.

    1. The fact that you need to go back and hand audit libc calls for "subtle" errors means that the wrong language is being used for the majority of these tasks.

    For these types of ultra secure tasks, there should be extremely limited cases, and ideally no class of errors that would be "subtle" when it comes to standard library calls. I would suggest that C is not a good language to write a secure operating system in, because it very obviously requires too much manual labour to weed through the subtleties of it's operation.

    2. The proper approach seems to be a very limited operating system, perhaps in C, with a virtual machine over that which is proven secure, thereby giving at least strong security to every application then running ontop of that VM.

    Yes you'll need to audit that first limited OS and kernel, and yes it'll probably be in C, but let's limit the scope of that code severely. Plan to take a huge performance hit on running everything on that VM but make sure that it's totally secure, do whatever it takes to make sure that everything running on it is protected from itself and other programs. This is the only possible way to make an extensible operating system that is in any way secure, otherwise any software that is later added to the system will either need to be painstakingly audited or not installed. Performance should be a minor concern at this point as VMs can later be optimized, and security should be of prime importance.

    3. After they finish all this auditing, we're left with a non-SMP capable OS with limited software of a similarily secure nature to use it with.

    What is the point? Why bother if you aren't even going to put in SMP?

    4. Theo is obviously so closed minded that no efficiency ideas are ever going to occur to him.

    Witness his response to the question about distributed kernels - (in summary) "I have no idea what they are, but they're not useful to me." Great.

    It is my opinion that people of this caliber of programming should be spending their time at doing more useful, or perhaps better thought out work.

    Moderate at will.

  • Maybe because it doesn't really have any relevance to what Theo does?

    Quite simply, it's about like asking him what he thinks of some large company deploying BSD/OS.

    The users aren't heading at Open/Net/FreeBSD, they're heading at Apple. Not like Theo's gonna get any emails from Joe Machead asking him how to change the system event sounds in OS X or anything.

  • I'm glad that there are still geeks out there that aren't ashamed to admit to enjoying steriotypical geek food like Pizza and Beer. I remember years and years ago I was reading some book on learning UNIX (I can't for the life of me remember what. This was a long time ago...) but it suggested that if a user got stuck with a particularly tough problem, and they'd tried all the obvious approaches, they could probably convince their local UNIX guru to give it a shot in exchange for pizza and beer.
    In any case, lately I've noticed that a lot computer geeks have been trying very hard to shake that reputation, image, and social stigma. The modern "tech boom" has created this new social respect for people who used to be misunderstood, and so many of these people (luckily not including me) have been trying very hard to shake those easily caricatured "typical geek behaviors" while they have their time in the sun.
    I'm glad to see traditional geeks, down to caustic remarks about other people's coding (who else but a geek could that get worked up about it that it's a personal matter!). I'm glad, it makes me smile, 'cause that is the sort of person who made life interresting for me as a young geek, and hell, i hope they are around for ever...
  • by Wah ( 30840 )
    but what kind of practice? What drills should you focus on? Any stretches you've found that help particularly? What about your running technique? Practice might make perfect, but perfect practive makes it happen faster.

    If you think you can become a world-class runner by "just running" I think you are sadly mistaken.

    Besides, he even mentions that many programmers learn how to do it poorly, but when asked how to learn to do it correctly, he says, just do it.

    Overall this is a pretty shallow interview, it's obvious he'd rather be coding than answering questions. A good thing for OpenBSD the software, a bad thing for the image of OpenBSD.


  • It's not caring about someone making money off of one's software--that's a given under any OS license. What GPL-types worry about is someone taking that code base, then closing it off--thus getting all that development work for free. If, say, M$ took a BSD'd Linux and slapped M$ Linux on a thousans store-shelves with a few proprietary incompatibility extensions, it might very well kill off the real 'BSD-Linux.'

    BSD advocates believe, I think, that given a choice between X for free and X' for a price, X' will cost only what the added value of the ' is worth. I would like to agree, and in a perfect market I would agree. But there is no perfect market in the world today. People, being morons, are quite happy to pay $x for X', where $x is the total value of X', not simply the added value, even though economically it would be smarter to use X for free, getting all the functionality of X' save ', but saving an amount of money equal to functionality(X)+'.

    People are the problem.

    The GPL is a nuisance, I agree. If this were a sufficiently more perfect world then I would most definitely use BSD. But it's not, and thus I don't. The BSD license allows more freedom--that's a good thing. But the GPL protects freedom. The one is like three acres of apples, exposed to the birds and the beasts. The latter is like an acra of apples, with farmhands to scare away the animals. At the end of the day, the tended land has more apples. Thus with the GPL.

  • I would disagree.

    Automated code modification would lead to a situation where the developers would just sit around and think of vunerabilites.

    Rather than haveing to look over the same code 14 times, and get to know it. There is something to be said for forcing yourself to pore over every line, every bracket, every semicolon of the code, and check everything.

    From what Theo said, it sounds like while they are fixing one sloppy piece of code, they note another bit when they are part way through.

    This makes lots of sense.

    Where are they going to find new mistakes from if they don't go through all the code.

    This is not just of the top of my head, btw. I write scientific code that has to be correct, where there is no way of testing the output. It's amazing how often subtle bugs are missed.
  • by PapaZit ( 33585 ) on Monday December 11, 2000 @10:22AM (#567126)
    Theo Said:
    In Linux land, it appears that projects fork for financial reasons. In BSD land, it appears that the forks that have happened were purely political reasons. I don't know what will happen. It's been 5 years since the last fork in the BSD camp. Why are you guys so fork paranoid?

    I suspect that the question was rhetorical, but it deserves an answer. I'm putting it here, with the other fork comment, even though it wasn't written as a follow-up to that comment.

    Simply put, it's (too) often used as an object lesson in Linux land. Whenever an argument gets too heated, someone jumps in with "if we keep acting like this, we'll end up like the BSDs." Meaning, I suppose, "fighting over a very tiny percentage of mindshare instead of working together to take over the world."

    I suspect that Linux is headed toward a fork. Linus and Alan Cox have been leaving things out of the kernel (like a debugger) that a lot of people want. As there's no charter or formal organizational structure, I think that a coup of some sort is inevitable. When it happens, the interest in the Net/Open split will rise to a crescendo.

    I have friends who are OpenBSD advocates, and others who are NetBSD advocates. To hear each side talk, the other side writes crappy code between bouts of trying to ruin BSD for everybody. It's depressing, particularly when I think about what could happen if their talents could be combined. Or, if they would just shut up, stop sniping at each other, and code.

    I'd love to see some sort of cross-bsd advocacy organization to help users take that middle step. Help with porting of cool shit between the BSDs. Make generic cross-BSD documentation. Help people decide which OS and user/developer community is right for them. etc.

    Unfortunately, that requires a friendlier attitude than I often see between the BSDs. Charges of "code theft" particularly frustrate me. That's the whole damned point of open source: Seeing the good stuff, learning from it, and using it.


  • by Zurk ( 37028 ) <> on Monday December 11, 2000 @08:32AM (#567131) Journal
    Simple. distributed kernels run on more than one machine at once with an interconnect between them. The interconnect can be NUMA/CrayLink/Ethernet/TCP/IP or something which passes data fast and the kernels have to share memory and processors across differing architectures and types. a good example is MOSIX..which is basically simple extensions to the linux kernel to make it distributed as far as processes go. Add LVM and GFS to distribute disk resources and reasonably fast internconnects and youre all set.
  • Au contraire - I was finishing up a small project for a course I'm taking (pipelined risc processor in Verilog(yuck)) and nothing gets the gate-level modeling flowing like a good pint of Guinness.
    I'll agree that the US and Canada can't seem to make a decent beer... the US has a real bad track record... midwest megabrews, Natural Light, Utica, Keystone, anything that says 'ice', etc...

    Of course, the Guinness doesn't taste as good here in the Midwest, either...
  • I've had plenty of Sam Adams (better than most)... I wouldn't even call it local anymore - If I can buy it in NJ/NY, WI/MN, CA, LA, then it's not really 'local' anymore.

    I know of many pubs that brew their own stuff on the East coast, and it's worth the trip.
  • Maybe I'll try something from Big Rock, but most of the Canadian "beer" that I've seen (especially the big brews) has been as cruddy as the "Rocky Mountain Urina^H^H^H^H^HStreams" that this other "beer" comes from.

    My favorite Canadian beer is Elsinore, since I found a mouse in the bottle...
  • SMP got a lot of attention when NT showed that they scaled significantly better than Linux... Generally, that's all that's needed, is for MS to claim a (legitimate) technical superiority to Linux, then a bunch of people work like hell to improve it. The 2.4 SMP is significantly improved from 2.2. MS doesn't really benchmark against OpenBSD (they aren't the "Big Threat"), and even if they did, security >> performance for OpenBSD, and I doubt that there would be tons of effort poured into performance enhancements...

    As for the UberOS(TM) - That's where the ideas of microkernels and modules really comes into play. Granted, there are always tradeoffs, but theoretically, a microkernel is infinitely adaptable...
  • Note that the POWER/PowerPC line is well past 500MHz, but the dual-core chips with Altivec are the ones that can't make it... kinda sounds like that ceiling on the PPro. Once you lower the clock to the L2, or move it onto the same die, it makes it easier (clock wise, not necessarily yield wise).

    I wouldn't blame IBM for this, but then again, they give me a piece of paper twice a month... that, and I've seen [CENSORED - IBM Confidential]. So there! ;-)
  • by Peter H.S. ( 38077 ) on Monday December 11, 2000 @11:38AM (#567139) Homepage
    We run a floppy based firewall for the reasons that you give. But furthermore; a floppy disk based firewall, will automagically be restored to a sane state in case of a powerfailure.
    It seems very difficult to obtain the same characteristics from a harddisk (or flash ram); I don't know how to physically prevent writing on a standard IDE hd. And if you use the hd just to load the FW into ram, and "hot-swap" it out, then it won't come back up, after powerfailure (even UPS's have their limits).

    Floppy disk reliability is not much of an issue, i think, since the floppy isn't used to as a long term storage medium. Remember your friend dd:

    "$ dd if=/dev/fd0H1440 of=floppy-image
    2880+0 records in
    2880+0 records out
    $ dd if=floppy-image of=/dev/fd0H1440
    2880+0 records in
    2880+0 records out
    $ The first dd makes an exact image of the floppy to the file floppy-image, the second one writes the image to the floppy." (SAG v. 0.6.2)
    (And of course, one can always mount the dd-image; "mount -t ext2 -o loop")

    So you develop, maintain and store, the actual FW information on another box, then write the image to a floppy (and making a backup fd image on the development box). All the floppy has to do, is to survive the initial boot. It may have to survive reboots, caused by powerfailure, but even if it does not (harddisks may fail too), a disaster recovery plan is part of the floppy disk based FW scheme; just write a new image, and boot. How many hd-based FW's has a spare harddisk, with a synced and updated system on it?

    If you just have a slight suspecion, that the FW is compromized, then a reboot will flush out any trojans and root kits. The firewall may still contain som sort of security hole, but rebooting may give you time to discover what the hole was, and deploy a new FW.

    Floppy based firewall is a very cool thing. It doesn't fit everybodies need, but it may be a viable solution to a great many.

    Cdroms may offer similar advantages, but they may be slightly more difficult and expensive to develop and maintain.

    In short; Firewalls on write protected media, seems to be a very good idea.
  • Floppies are the only physically write-protected media that lets you return and change data later (excepting CD-RW since I haven't seen any decent support in *nix please correct me if I'm wrong thank you) and so it's the best solution for now. I've written a FAQ on this point and others at

    It's interesting that someone as massively detail-oriented as Theo de Raadt seems to be shooting from the hip so much when just talking/typing -- maybe Katz should write an expose about detail oriented people being sloppy and neo-Luddite Harper's readers on their off hours.

  • by cyanoacrylate ( 47864 ) on Monday December 11, 2000 @09:21AM (#567145)
    Theo complained about people doing implementations that had subtle bugs. Further, he didn't have confidence, in the masses doing coding, to learn about those subtle bugs and to actually learn how to use the interfaces correctly.

    He then goes on to say that he really doesn't care about kernel design, so long as the kernel design works.

    These two issues are completely different.

    Lets face it - he's an implementation junkie. Which I would guess was not, and still is not, popular with the NetBSD crowd, as he probably had to step on a few toes...

    'You're not using strcat correctly. You've introduced 6 exploitable bugs into the kernel'

    'What do you mean I'm not using strcat correctly?? I've been coding since I was twelve years old!'

  • Why are you guys so fork paranoid? Do you want everyone to vote for the same political party, too?

    I just have to point out the flaw in this reasoning. A political party represents a unique ideology in an abstract sense. A fork also represents a unique ideology, but in a practical sense. If you're a democrat, you believe in welfare. If you're an OpenBSD developer, you believe in security AND you develop software towards that belief.

    The problem with too many forks (not that some aren't good) is that it thins programmer resources. The differences in implementation between two forks are, by definition, going to cause incompatibilities between them, meaning at some level programmers have to "choose sides" and decide which ideology to develop for, or do LCD compatibility. If you get too many forks in the open-source, it will be impossible to maintain the critical mass of programmers necessary for providing a comprehensive library of software which takes advantage of the specialties of any single system.

    In a political party, on the other hand, while many parties exist, "development" (i.e. practical implementation of ideology) is only going on in ONE place: the government. Your analogy would be more like if each political party decided to take over a different part of the US and declare itself sovereign, which is at this point clearly unproductive and inefficient given the way the US has adapted itself to function well as a single entity.

    The corrected analogy carries through well; in other countries we have good forks, which represent ideologies so different that forking is inevitable and staying together would be a resource drain.

    Of course, these things are self-limiting; an unnecessary fork will simply not be able to survive for long, or one of two similar projects will eventually end up gaining dominance and reducing the other one to a minority. The point is, forks are only good sometimes, and it's got nothing to do with political parties.

  • NetBSD has maintained a black-hole route to the OpenBSD project networks for roughly four years

    What exactly does this mean? That packets from to are just swallowed without trace?
  • by divec ( 48748 ) on Monday December 11, 2000 @09:43AM (#567148) Homepage
    If someone has a hint ...

    md5sum the whole floppy[*]. On booting, if the floppy image does not have the same checksum, abort. Then it's possible that the router might not boot one day, but it's impossible for the disk to corrupt without you noticing.

    [*]ok, md5sum all of the floppy apart from a file containing the md5sums.

  • There are plenty of operating system projects taking different approaches and making innovative, if not immediately useful, new operating systems. And in fact I agree with you that the purpose and utility of operating systems, of software development itself, is shifting and needs to be continuously rethought. But I don't understand why you are suggesting OpenBSD developers drop everything they are doing and become computer science grad students playing with theoretical operating systems. They are trying to make BSD Unix more secure. If you don't like that, fine. But you might as well ask me to build a new house instead of "wasting" my effort insulating my current one this winter.
  • by devphil ( 51341 ) on Monday December 11, 2000 @08:26AM (#567153) Homepage
    Can you imagine if a Boeing engineer didn't fix ALL of the occurances of a wiring flaw? Why not at least try to engineer software in the same way?

    Hear, hear! Two of my pet peeves right there:

    (1) Why is it that the same bugs keep reappearing? Why is it that we assume bugs only occur in one place? Why is it that we hear, "I fixed the bug," as if a programmer can only screw up in one place?

    (2) Every other piece of engineering goes through major scrutiny. Teams are brought in from the outside to look over blueprints. For open source software, we assume that just because anybody can look at the code, that everybody is. Even in OSS, we need to go to outside, objective reviewers and say, "Here's some money, and here's our code [or maybe, here's the URL for our code :-) ]. Please review it and tell us where we screwed up."

    Mr. de Raadt knows his stuff; the coders do this themselves, and they take it seriously.

  • (And I must ask, why are people so cheap, that they only give donations when it provides a partial reduction in their taxes, rather than a real donation? I actually find that pretty fake.)

    Econ 101, Theo. It provides you with more money if people don't have to pay taxes on the money that they give. It's the same way that sales taxes are split between the store and the consumer simply because in the absence of sales taxes, the store could charge slightly more for a product.

    Don't make me start drawing supply & demand curves.


  • The classic meaning of the term is that not only do packets from to vanish without a trace, but that is advertising "Hello, world, I'm a great way to reach", so that packets floating nearby destined for get sucked into the black hole.

    I have entirely no knowledge of what events occurred between the two groups or whether they were fighting over a network and its routes, but that's the usual meaning.

  • "(And I must ask, why are people so cheap, that they only give donations when it provides a partial reduction in their taxes, rather than a real donation? I actually find that pretty fake.)"

    I've got an answer for this one! Well, sort of - I don't know why people are cheap. But I do know why people who AREN'T cheap still would prefer to donate to a non-profit organization. First, the constrictions placed on a non-profit organization reassure some people that their donation stands some chance of being used for the purpose they think they're donating it to. Second, if I have $10,000 I don't need, and want to donate it to someone, if I donate it to a charitable organization in the U.S., I can donate $12,000 for the same eventual out-of-pocket as if I donated $10,000 to an organization without charitable tax-exempt status. So the second organization would have to convince me that it will make better use of my money.

    Sure, most people don't explicitly view it that way, but when you look at the bottom line, there's not much difference between "if I give $500 to them, I get $100 back. if I give $500 to THEM, I get nothing." and "if I give $400 to them, I could actually give $500. if I give $400 to THEM, I can only give $400."
  • If you're scared of spamming and mail bombing, stay off the internet. Frankly, any good admin worth his salt would want to see how his boxes stand up under such a load, rather than be a big weenie and run away from a fight.

    So what I read is: Theo threatened to mailbomb, and didn't? Link to mail thread []

    Just bizarre. Frankly there are a lot of high horses out there. OpenBSD is a good system. I'm not a big fan of BSD, but I encourage people to use OpenBSD just to try it and learn. (I did run it for a while on a sparc and it ran better than linux on that box.)

    Every OS has it's place. OpenBSD is just canadian and has balls (big encrypted balls.) It's neat and it ships with things like ssh out of the box.

    I'm just very depressed lately (lately being a long time now) of hate-mailers and winers on slashdot--- the people who write the software (free) that we use (quality) often don't get the respect they deserve.

    Anyway, that's my 2 cents.

  • (note how the BSD troll is responded to in kind. Numbers can be twisted any damn way a person wants. I'd like to see a %age breakdown of what each linux distro has. So, if you have a link to such a %age, please post it! About the only real point is when comparing BSD/Linux market share, FreeBSD has the advantage of market differentation vs the average Linux distro in the Open Source OS market. Otherwise, enjoy the flaming troll twisting of numbers in the spirit of the original AC's post. Merry Xmas!)

    Bob Bruce of BSDi (previously of Walnut Creek) says FreeBSD's user amount is 20% of the size of the linux market.

    If you consider FreeBSD and Linux all fighting for the same slice of the pie, how many of the 180+ linux distros have 20% marketshare? Lets see...given all distros have the same kernel, they are all alike. So the average market share for any linux distro is 0.55% or 1011 users per distro. So FreeBSD has a far greater marketshare and number of users than the average Linux distro for the Open Source OS market.

    36400*5=182000 total linux users. [] says there are 162,680 Linux users. As you can see, the numbers presented as to why BSD is doomed are similar.

    It looks like the individual linux companies, none of them strong enough to get any useful market share (1,011 users per distro) will doom the Open Source OS market to appear as a failure.

    As you can see, Linux is very, VERY sick and its long term survival is very dim. And the stock prices of Linux companies show how doomed linux is. If Linux survives, it will be among OS hobbyists and die-hard users who read /. . But BSDi, having 20% market at present will rise to the top and become the default Open Source OS.

    With the release of Apple's Mac OS X - based on BSD and selling 2 million units a quarter, you can see how just one quarter of Apple sales will outsell *ALL* of the Linux users.

    (So there. Nahy!)

  • a 'good' microkernel based OS:

    -QNX []
    -VSTa []

    "People who bite the hand that feeds them usually lick the boot that kicks them"
  • That quote got me to. as a matter of fact I made it my sig. An argument i hear frequently against the "OpenSource(tm) Movement" is that market leading products will not be produced because parts of that product will not be "sexy" enough to develop.

    this certainly verified that point. can anyone think of other features that open source projects need that aren't done because there not interesting?


  • Can you imagine if a Boeing engineer didn't fix ALL of the occurances of a wiring flaw? Why not at least try to engineer software in the same way?

    but what if?

    it's a lot of work, and not considered the most interesting thing to our developers. Sorry

    shit. what if it's not interesting to fix a big fat gaping hole? what if it's too much work, and "just not interesting!"



  • the proof being that there isnt a 'good' microkernel based OS around.

    While this is a very subjective topic, many people would argue that the Mach Microkernel found in Next/Open Step is pretty good, and IIRC, the BeOS is pretty good Microkernel, too.

    Heh, I bet even l33t j03 [] would say Windows 2000 is a great Microkernel! :-)
  • Personally, I don't believe anyone has the right to bash Theo, especially when they haven't met him; and I believe that this kind of personal slander has no place in the 'open' world, and is simply immature.
  • The problem is he's concentrated on the floppy, which (AFAIK) is not the point of making a floppy distribution.

    In my eyes a floppy distribution includes features such as
    * Write protection
    * VERY VERY MINIMAL install (smaller than openbsd's 60-70 MB minimal install)

    NOT that it sits on a floppy. I usually make a good LRP disk and make a bootable cd. Reburn every month with updated nat forwardings and a new password.

    If someone DID hack into that box, there is no ftp/ssh/telnet on there for them to connect out! There is no way to write to a CD-R in a regular CD-ROM drive.
  • I have to admit I never gave any of the *BSD's a serious try, although I do realize how most of their culture works and how this culture differs from Linux (which it does a lot: note how Theo didn't even *understand* there could be different versions of system utitities such as tar available for one system -- or did he fake that? :-).

    But I have been compiling against the GNU C library a lot, and I loathe it for the most part. Examples? Examples.

    - from man strcpy:
    If the destination string of a strcpy() is not large enough (that is, if the programmer was stupid/lazy, and failed to check the size before copying) then anything might happen. Overflowing fixed length strings is a favourite cracker technique.

    - from man strcat:
    The strcat() function appends the src string to the dest string overwriting the `\0' character at the end of dest, and then adds a terminating `\0' character. The strings may not overlap, and the dest string must have enough space for the result.

    Yes, I especially loathe the string functions. If you feed them too small buffers, or NULL pointers, glibc just plain old crashes. In my not so humble opinion, it is glibc's _responsability_ as a C library to be flexible enough to allocate that stupid little buffer itself, or at least not to crash with segmentation violences! If I do the same things with GTK+'s glib, my program fails with a nice message, like "assert string != NULL failed" -- but even more often, it just allocates that stupid little buffer!

    Now before you're going to say "look, if you want someone to keep your hand, go play with Java, not with C", please realize that all this could just simply _work_ in C with a few checks, and that not a single line of code would need auditing for these "vulnerability" anymore, if only this check had been made in glibc! That's the use of programming libraries, right? Not having to do soemthing again and again, so that you work with well-known interfaces and do not run the risk of making much mistakes.

    You know, even Richard Stallman, author of this particular C library, agrees with me upon this point:

    - from info libc
    It's fairly common for beginning C programmers to "reinvent the wheel" by duplicating this functionality in their own code, but it pays to become familiar with the library functions and to make use of them, since this offers benefits in maintenance, efficiency, and portability.

    Now the only sad thing from this quote is that it actually comes from the part "Strings and Array Utilities" of info libc, about which _I_ would like to say "It's fairly common for beginning C programmers to become familiar with the library functions and make use of them, but it pays to duplicate this functionality in your own code" -- if you catch my drift ;-)

    Which makes me wonder how secure OpenBSD (and *BSD) is at the libc level, that is, how flexible and careful does it work with its input.

    [Hmm and while I'm at it, is char++ endian-independent? Just wondering :-)]

    It's... It's...
  • Absolutely... if you don't like what he has to say or how he says it, don't interview him, or don't read it. It's not like he came to Slashdot begging to answer our questions. I happen to agree with him about coding practices... there are far too many programmers out there who stop coding a feature as soon as it compiles and (more or less) does what it's supposed to do, regardless of how efficient/bug free/foolproof it is or isn't. This only leads to more and more problems later on when the code is copied, reused, or modified. Write it properly the first time, dammit.

    I have actually met Theo in person and he is NOT egotistical or arrogant in the slightest. He's quiet, reserved, and interesting. I think he's just impatient with a world where software quality standards aren't as high a priority as they should be.

  • I wrote the original question. I am indeed a little disappointed that Theo seemed to miss the point. While I personally wouldn't mind a floppy-based firewall, my point was that I am looking for something that takes up very little disk space and provides only firewall and NAT. Why the heck should I need even a 100 meg hard drive? Sure, hard drives are cheap. But I have some spare hard drives sitting around and, therefore, free!

    It would also have to provide a nice (albeit simple and text-based) configuration tool or something similar to set up said box.

    Of course, it could provide more than just NAT and firewall. I don't care. But I do care about keeping the install minimal. That is why I mentioned FreeSco, a floppy-based product. Unfortunately, it seemed as though I was implying that I was only interested in firewall-on-a-floppy. Oh well.

  • YOu ignore a couple things in this though. First, I can't implement it myself, I am a medicore programer at best, and would not know where to begin. The poster was commentlin on the commercial viability of Open Source. Let's say my dad needs an OS for his bussiness, and somehow you mananged to dodge all the issues of actualy teaching him Unix, and getting him accept that that was some valid reason he should learn all this new stuff rather than just pointing and drooling through Windows. So dad here you go.. OpenBSD, the most secure OS in the world, course if you want to use on you dual CPU server, you are going to have to learn how to rewrite the Kernal for SMP support. Dad would laugh all the way to CompUSA. Commercial success is going to require more than "Just develop it yourself", if people were willing and able to do that, Windows would not have a 90 % marketshare.

  • by dencarl ( 138314 ) on Monday December 11, 2000 @09:19AM (#567218)
    That's not how I would paraphrase Theo's comments.

    You wrote ... he contradicts his own previous argument by saying "I don't think it makes any difference, as long as the system does what it is supposed to" ... to paraphrase "As long as it is good enough".

    In his first reponse, Theo wrote They don't care about good software, only about "good enough" software. Which I would paraphrase as software that doesn't make security a design goal.

    In his other response, Theo wrote As well, I don't think it makes any difference, as long as a system does what it is supposed to do. Which I would paraphrase as software should achieve it's design goals, like security, no matter how it's implemented.

    There is no contradiction in those two statements.
  • by schulzdogg ( 165637 ) on Monday December 11, 2000 @09:44AM (#567227) Homepage Journal
    Yet, time and time again, we see that for most people this is the case. They don't care about good software, only about "good enough" software.

    As well, I don't think it makes any difference, as long as a system does what it is supposed to do.

    This is a fairly asinine thing to say, especially since the second post had a very good point (Micro vs Monolithic kernels). My opinion of Theo is fairly low after this. Instead of responding with a mea culpa (yes a micro kernal is better, of course it's better to keep privledged code to a minimum, but it's also difficult to totally re-engineer a kernel especially when it works) we get mindless thrashing about micro kernals..

    (an operating system based on 70's technology dissing ideas from the 80's as obsolete? Kind of ironic..)

  • I thought the guy's responses were informative, and entertaining. It's really silly how some people go out of thier way to point out how somebody else is being insulting or rude. I thought it was pretty damn funny. It seemed to me that you could take what he was saying in many different ways. You just chose to take it in a way that was insulting. Maybe you need to reread it a little less carefully, get a sense of humor and a hide. He's not an HR representative, though you might expect him to be. He's not a salesman, and isn't obligated to entrance users with his charisma. He's a dude that has spent 5 years of hise life redoing a bunch of peoples crappy code. What kind of personality would you expect from a person who is willing to do that? He has better things to do that to cater to what you appreciate... Why don't you appreciate him a little more by assuming that he means well, especially since he is the one that is giving YOU the software.

    In a word: He has no obligation to you, no matter how hard you try to rationalize that he does. He isn't charging you for software, he isn't forcing you to listen, he isn't infringing on your on any aspect of your reality... unless you let him.
  • After reading carefully the entire response, I get the renewed feeling that there are a lot of predjudices between the linux and BSD communities, perhaps more so than the microsoft and bsd communities. And it doesnt help when highly recognised people like Theo de Raadt answer questions with (paraphrased) 'If you're not clever enough already I dont want to teach you' creating feelings of inferiority.

    In the answer to the first question Theo goes into detail about why software should be good, not just "good enough". However in answer to the 5th question "Kernel Design" he contradicts his own previous argument by saying "I dont think it makes any difference, as long as the system does what it is supposed to" ... to paraphrase "As long as it is good enough". Why?

    Theo, throughout your responses, you have personally insulted the intelligence of the people who ask you questions. You have insulted the intelligence of the people who either use, pan to try, or know more than most of the dawdling masses about your distrobution. What I dont understand is why. If you could answer that, I would appreciate it. And if you could answer it without the typical belittling that is ever present throughout the answers to the questions asked before, I would appreciate it even more.



  • first off, I'm neither a kernel hacker nor a comp sci type, so I'm probably writing bullshit right now
    Set aside discussions about NT or OpenVMS, wouldn't a design like the HURD(I'm not saying MK's are better or that I like theme more the monolithic systems) at least be a reasonyble approach to more system security.

    If I understand correctly HURD and probably other Microkernels can run at lot more stuff in userland and that could at least be a advantage when you try to build a very secure system. If Theo is really posting on ./ today, it would be nice of him to eloborate a little more about this general thoughts on kernel design.

  • Also, since many of our donations come from outside Canada, we still could not really generate taxable benefits to you. (And I must ask, why are people so cheap, that they only give donations when it provides a partial reduction in their taxes, rather than a real donation? I actually find that pretty fake.)

    From a different point of view (for Canadians, at least), you can look at the tax break for "charitable donations" as a way of directing government money to the organizations you would like supported. From my point of view, a $100 chariable donation is really only an ~$80 donation from me, plus ~$20 of the government's money that I want directed to organizations I feel are important.

    That's not to say that (non|not-for)-profit is the way to go for OpenBSD, but it may convert a few more anti-charitable donations people to support organizations they feel are important. I only support to those organizations that I feel are important (whether they get me a tax deduction or not), since you don't actually get more out of the tax deduction than you put into the donation.


  • by Pink Daisy ( 212796 ) on Monday December 11, 2000 @08:32AM (#567251) Homepage
    His view of microkernels is pretty standard, but I wonder one thing. As he says, many code errors are due to poor understanding of API's. A microkernel should proved a smaller and more uniform set of API's that are easier to locate and work with. Wouldn't this make correctness easier to obtain? Or is this a goal that is lost in the real world?
  • by Kiss the Blade ( 238661 ) on Monday December 11, 2000 @08:10AM (#567261) Journal
    In Linux land, it appears that projects fork for financial reasons. In BSD land, it appears that the forks that have happened were purely political reasons. I don't know what will happen. It's been 5 years since the last fork in the BSD camp. Why are you guys so fork paranoid? Do you want everyone to vote for the same political party, too?

    I think he is totally correct with this point. The point of a codefork is that you end up with two variants, only one of which, in the long term, will survive (usually). It leads to a sort of Darwinian survival of the fittest, and improves the overall code base in the long term as well as giving people options - they can mould their distro to their needs. I have often wondered why the Linux people are so scared of code forks also - could it be because they look back at the Unix wars of the eighties and shudder? This would suggest that the BSD'ers have not inherited the UNIX philosophy to the same degree as the Linux community - that may give them more freedom.

    I am not suggesting that forks be encouraged, though, rather that people stop whining when they occur, and recognise them as an opportunity.

    Perhaps forks will not be a good thing for Linux in ten years or so, but given that it is presently a sort of 'primordial ooze', and very creative, I do not think it is bad thing for the moment.

    KTB:Lover, Poet, Artiste, Aesthete, Programmer.

  • Making Ports Secure--Gee, let's ask a question to the person resonsible for OS security about ALL program security that might run on the OS. iow, if there was an interview with Linus, it would be like asking him why perl on some Linux distributions had a security hole because the developers were stupid enough to hard code /usr/bin/mail when they compiled it.
    No, it isn't. The question looked at a serious issue - you go out, get an OpenBSD box set up, because you want it as secure as possible, and then you install a bunch of stuff from INN to tircproxy and your machine (potentially) isn't secure any more. Has any thought been done towards a secure ports tree? Theo's answer suggested that it wasn't on the agenda because of manpower, not because of some idiotic assumption that OpenBSD's security ethos isn't undermined by the applications people want to use OpenBSD for.

    I use OpenBSD personally. It makes a great firewall. But other than prevent external access to internal services, there's not much I can do to prevent daemons I run from being compromised if they haven't been through the vigourous code audit that the rest of OpenBSD has been through.

    I asked my question as an OpenBSD user, not as a Linux user. I wouldn't dream of using Linux as a firewall when OpenBSD is open to me. But at the same time, I'm painfully aware that OpenBSD only goes so far.

    I do want to see similar auditing efforts applied to the third party servers, in particular, as are currently applied to OpenBSD. If I had time, I'd start the ball rolling myself...

  • Yes, it is. You're just stuck in a Linux mentality, even if you do use OBSD. You think a program that is included with an OS is the OS. It's not.

    I'd like you to point at anything I've said that even remotely resembles that point of view. Ironically, that point-of-view actually relatively close to the Unix modus-operandi, tools like BIND, sendmail, etc, which were generated outside of the OpenBSD group, have been subjected to the same standards of auditing as the rest of the operating system. Perhaps you'd like to review your history of Unix - Linux wasn't the first Unix, and it was Unix, not Linux, that set in place most of the modes of operation we see in Unixen today, from source-available software to bluring the line between the OS and third party tools when it comes to system software.

    Note my post is not to say the secured ports tree is a bad idea. It's just an utterly silly question to ask. Perl's source is the responsibility of the Perl maintainers. You have to change how they code, not how the OBSD developers do.

    And I guess BSD's source is the responsibility of the University of B. to get sorted out. What tosh. The OpenBSD team currently maintains a ports tree. It would be nice to have a seperate tree, or a categorisation within that tree, of ports that have gone through the same rigorous standards of auditing that the source code to the operating system has done, for some critical tools. Asking the OpenBSD team if they could organise this, as they already organise a ports tree, is perfectly reasonable.

    Nobody other than you seems to regard this as an unfair request. Given Theo's reputation, I wouldn't have expected a non-candid answer if he had felt the question was unfair. If he feels the question is unreasonable or silly, he certainly isn't showing it.

    The reason why people like me use OpenBSD is because it's been through that audit. When we install critical third party tools like INN, we know that the hard work of the OpenBSD developers to make it easy to secure a box has just been compromised. If you think we should just wait on the original third-party developers to announce that their programs have been "secured", you don't have a clue why we're running OpenBSD in the first place.

  • by Anoriymous Coward ( 257749 ) on Monday December 11, 2000 @08:22AM (#567275) Journal
    beer results in ideas, which results in new code

    I find the ideas that I get from beer are generally along the lines of "I think I'll have another beer". TdR is obviously made of sterner stuff than I. Or it could just be that Canada has the 2nd worst beer in the world (after the US).
  • by MrSparkler ( 259864 ) on Monday December 11, 2000 @12:11PM (#567282)
    You'll notice I didn't ask anywhere in my question "How much do you make, Theo?" I have no problem spending money on OpenBSD (I don't have much choice, I like the t-shirts too much and run all my systems on it), and as I said, regardless of Mr. de Raadts answer I would still continue to use and purchase OpenBSD. OpenBSD is lucky to have someone as dedicated as Mr. de Raadt. However, I would still feel more comfortable writing checks to a registered non-profit rather than straight to Theo (and yes, there are other ways to donate, but I think you know what I mean). I have been involved in several non-profit organizations, specifically with fundraising, and I know for a fact that donations are much easier to obtain if the money is going to the organization and not into my pocket. I don't even want to go into the tax problem (any donations given directly to Mr. de Raadt could be considered personal income). Also, I think you misread my question if you think that I'm suggesting that OpenBSD is too expensive. Personally I would pay more, but my company runs on OpenBSD only, and thus we value it highly.

panic: kernel trap (ignored)