NetBSD Status Report January - March 2005

jschauma writes "The NetBSD Foundation published its first quarterly status report in 2005, covering the months January through March of 2005. Among many other things, this status report covers the addition of TCP/SACK and PAM support, the opening of the Foundations Online Store, the new stable pkgsrc branch and various port-specific items."

Re:BSD

[gardyloo]

Easy.

"Nigel!"
"Yessir!"
"Give us the state of NetBSD."
"Same as last year, sir. We're re-re-re-reconfirming it."

Wow, that's a bit slow

[vadim_t]

PAM has been available on Linux for ages. And it doesn't look as a very complicated thing either.

Just curious, have there been problems with the adoption of PAM, or it just wasn't a priority?

Re:Wow, that's a bit slow

[Anonymous Coward]

PAM has been around for a while, but it's a huge pain in the ass to get working right. It was around when I was building my LFS-4.0 system, and the only thing it served was to confuse me. It's used by some apps, but not by most, although the apps not using it could be blocked by apps using it if you didn't have the settings correct.

Since this is a BSD PAM, at least we know there'll be good documentation concerning it (ie, more than what it is and what it can do).

Re:Wow, that's a bit slow

[Brandybuck]

PAM has been around for a while... It was around when I was building my LFS-4.0 system

So which is it? LFS-4.0 is current events.

Re:Wow, that's a bit slow

[idiotnot]

AFAIK, Slackware doesn't use PAM.

I've setup linux pam on NetBSD, and it works okay (for LDAP auth).

Re:Wow, that's a bit slow

[Ava3ar]

correct Slackware doesnt use PAM, and GNOME has been dropped from Slackware, and that was one of the reasons, because so many things need none-PAM GNOME and soem need PAM GNOME, so its been dropped so people can choose to install which ever they want after completion

Re:Wow, that's a bit slow

[sudog]

It wasn't adopted because PAM is a steaming pile, and the people on the NetBSD mailing lists have been arguing ceaselessly about the only benefit that PAM has over other, technologically superior schemes: support for closed-source binary authentication modules.

Part of the reason for the push for PAM adoption has been the recent commercial slant of the decisions of NetBSD core. I wouldn't call it "selling out" per se, but I would say that it is no longer just about the code.

It's unfortunate. It's reluctance to incorporate things like PAM, or use Linux-like exploding version numbering, was the primary reason I was such a pro-NetBSD supporter. Now that those attractions are gone and the NetBSD foundation seems to want to play catch-up with Linux, I might as well just go with FreeBSD, or a version of Linux.

I believe the reason for the recent commercial slant is simple: I think the commercial customers of Wasabi Systems are pushing them to build an OS which is as close to Linux as possible but is not encumbered by the GPL. The commercial advantages of that are obvious, but disheartening.

NetBSD's old niche of extreme portability and purity is now overshadowed by these commercial interests. Too bad.

Re:Wow, that's a bit slow

[vadim_t]

huh?

Now, I'm perfectly willing to believe that PAM is crap, provided good evidence (which you didn't). I've written a PAM module myself, and didn't see anything majorly wrong with it. So, please tell me what exactly is wrong with PAM and why, as I'm very interested.

However, I strongly disagree with the closed source part. Why exactly should the authentication system a closed thing, and what's the good in it? Unix has a well designed mechanism - it's perfectly well known, the password database can be left

Re:Wow, that's a bit slow

[Morth]

The big problem with PAM is that it wants to stay in control of the thread and only use callbacks when it needs some information from the user. This cause several problems if you're not willing do dedicate a separate thread to authenticating. If you for example have periodic tasks or want to support multiple users at the same time, you have to make various hacks to make PAM return control of the thread to you.

I think you misunderstood the closed source part. It was about corporations pressuring to be able

Re:Wow, that's a bit slow

[SA Stevens]

Huh? FreeBSD has a single source tree that I can download once and build, from scratch, on my PPC, Mac68K, i386, Sparc, MIPS, VAX, and ARM hardware?

No, FreeBSD is partway along the way to this, but since portability hasn't historically been a primary consideration (in fact, not caring about portability, just the x86 platform, was a primary reason for the FreeBSD fork in the first place) Why reinvent the 'portability' wheel by trying to port something all over to different archs, when a working codebase s

Re:Wow, that's a bit slow

[setagllib]

Is that really what bothers you? I have to report that in spite of the PAM inclusion, NetBSD 3.0-beta is still a world of performance and efficiency, and EVERYTHING works properly. Things that always broke on Linux 2.6.11, for instance.

It's good that it's moving to be able to replace Linux, that means it can gain market share while still retaining its quality. What the hell is wrong with you? If implementing features of questionable design (even though the implementation, Open PAM, is about as good as you

Re:Wow, that's a bit slow

[Anonymous Coward]

Interesting troll.

Care to provide any examples of a "decrease" in quality, or things that "always" break under the most recent version of the Linux kernel? Or are you too much of a juvennile to back yourself up?

Re:Wow, that's a bit slow

[setagllib]

I don't think you know what I mean at all. I didn't deny any of that. I am refuting that its (accused) move to replace Linux is not hampering its quality (where 'quality' is 'does what it's supposed to properly', not 'does what Linux does', which is a stupid argument).

Do you know why I dropped Linux on my gateway? It couldn't handle IPSec properly. On certain protocols (yes, it actually had protocol-specific bugs, even though IPSec is meant to be protocol agnostic) it would just drop packets without any c

Re:Wow, that's a bit slow

[setagllib]

Actually, smartass, I DID test it thoroughly, and (in 2.6.11, and continuing to 2.6.12-rc2 - no other kernels tried) it consistently fails to connect the MSN protocol (any client) and POP3, and some HTTP seems to behave badly but mostly okay. It IS a bug in Linux because none of the BSDs exhibit this, and it is also a bug that isn't fixed in 2.6.12-rc2 despite numerous changes to IPSec (and related) components.

When you show me a BSD exposing a significant security hole (like the Linux signal exploit) or b

Re:Wow, that's a bit slow

[setagllib]

You know what? You're absolutely right. To be honest, this IPSec thing (which I insist I am not doing wrong, since even with years of iptables experience I could not identify anything wrong with my script that could have affected this) is the only real bug I've had with Linux, which is much better than anything I can say about ANY BSD I've used. I'm a whingy bastard who just tries to level the playing field and give BSD a chance.

Although it would still be nice to have this worked out. In the meantime I've

Re:Wow, that's a bit slow

[setagllib]

Yeah, Linux happens to be a flagship of open source these days, fair enough. If that keeps it in open testing then it's a Good Thing.

Out of curiosity, what was the really awesome security framework Linux has OpenBSD can't touch? Or is it one of the out-of-tree jobs? I'm disappointed in Linus for not wanting to merge in grsecurity patches - the instability they cause is minimal (but I have had some..) and could be removed with some decent testing, but they bring Linux up to no less a level of proactive sec

Re:Wow, that's a bit slow

[setagllib]

Well, pf's syntax is much more flexible, it has advanced features like packet normalisation ('scrubbing'), implicit antispoofing, packet filtering by OS fingerprint (which appears to be completely unique to pf), and is the first packet filter I know to log in pcap format which means you can watch with tcpdump and see the whole packet and analyse it. All of these are things that iptables could learn from and bring to a bigger audience. But it'd be better, at this stage, to just write a new filter entirely. M

Re:Wow, that's a bit slow

[Anonymous Coward]

Now that those attractions are gone and the NetBSD foundation seems to want to play catch-up with Linux, I might as well just go with FreeBSD, or a version of Linux.

Have you considered OpenBSD? I think we can safely say that OpenBSD will never "play catch up" by going against core project ideals. They'd rather implement from scratch if the need arose.

If only OpenBSD had Unified Buffer Cache I might be using it 100% of the time, as opposed to 90/10 Open/Net.

At least I can rest assured that OpenBSD moves

Re:Wow, that's a bit slow

[Anonymous Coward]

In my experience, NetBSD's UBC does not increase performance vs OpenBSD in any realworld situations.

I had to write some shell scripts to parse some large log files and expand them via lookup tables. The log file was larger than half the current free memory. The result was that running this under OpenBSD caused the hard drive light to pretty much be permanently hard-on, whereas running this under NetBSD on the same machine showed NetBSD running very many times faster than OpenBSD and the hard drive light o

Re:Wow, that's a bit slow

[vadim_t]

Yup, actually I have, I wrote a little module for it. Nothing very impressive though.

Now, the architecture is certainly debatable. PAM is essentially a library that replaces the code that would have inside the program itself instead. In that sense it's a massive improvement.

Now, a replacement in the form of a daemon would be interesting. I wonder if there is anything like that out there. Especially something PAM compatible, if possible.

Re:Wow, that's a bit slow

[setagllib]

The problem is that even the loopback interface can be sniffed on (usually only by root, admittedly, but still) so any authentication happening with sockets is going to be a bit on the dangerous side. Libraries are still in the protected address space of their host process, so there's no problem. I like daemons, don't get me wrong, but I wouldn't trust one to handle authentication - especially since there's no real advantage to it.

Now, if we were talking about network authentication with decent SSL or oth

Re:Wow, that's a bit slow

[Guy Harris]

The problem is that even the loopback interface can be sniffed on (usually only by root, admittedly, but still) so any authentication happening with sockets is going to be a bit on the dangerous side.

Socket traffic between processes on the same machine doesn't have to go over the loopback interface.

(Hint: "UNIX-domain sockets".)

Re:Wow, that's a bit slow

[overbom]

On Darwin, that would be netinfod and lookupd, though they encompass much more than just authentication. I know they're open sourced, but I don't know if they've been ported or not.

hth

MOD PARENT UP!

[Anonymous Coward]

OMG! OMG! OMG! OMG! OMG! OMG! OMG! OMG!
It's so FUNNY! So hillarious! Haha! Get it? Netcraft! Haha! They confirmed BSD being dead and it wasn't. Haha! It's so funny!

Robustness of Xen support

[LaughingLinuxMan]

Regarding Xen support, is it robust enough to "jail" applications like web servers or ftp servers? Or, at least, can it be used to provide multiple personal "servers" as we have seen with VMware? -LLM

Re:Robustness of Xen support

[Lemming Mark]

[disclaimer: I'm a Xen developer]
Xen 2.0 itself is pretty robust by now, plenty of people running it in production environment. The tools could do with some work but they are quite nice to use.

I can't say I've played with the NetBSD port yet but NetBSD will have vested interest in making it work well, since they use Xen internally.

You should also be able to boot virtual machines running Linux 2.4 / 2.6.

Re:Robustness of Xen support

[Anonymous Coward]

That's exactly the point of Xen. As it says on the Xen page, each domain is a completely separate virtual machine. So no only are you "jailing" the web server application, your jailing the entire OS image that it is runnning on. In this way it's just like VMware. The difference is that by requiring some small changes to the guess OSes, Xen can avoid needing to trap and emulate any protected instructions which results in much better performance.

So...

[Anonymous Coward]

...what are the differences between the various BSDs, out of curiosity?

Re:So...

[SA Stevens]

The 2.0 release of NetBSD runs faster than NetBSD ever has in the past.

In fact, it SCREAMS on my Quad-CPU intel machine. I still need to roll it out and evaluate it on my Quad-Sparc box.

Re:So...

[setagllib]

FreeBSD 5.x is free but not very fast, and while this will improve over time, the bugginess and complexity in the meantime isn't worth it for most.

NetBSD got much faster in 2.0. It can now compete with FreeBSD 4 in UP, and can run a not-bad SMP (if you know what you're doing, that is).

OpenBSD is useful, because it doesn't stop you from running a text editor - in this case vi. That's a lot better than the 'default install' of a lot of Linux distributions I know.

Re:So...

[Stween]

http://www.daemonnews.org/200104/bsd_family.html [daemonnews.org]

Re:So...

[DarthBart]

FreeBSD - Originally started out as an x86 only port. Screams on x86 hardware. Other ports are kinda lackluster. Its the BSD for people who don't want to run Linux. NetBSD - Runs on everything from a Sun Ultra 60 to a toaster. Has an extremely robust IP stack and a very well designed architecture independant framework for both host machines and device drivers OpenBSD - Supposedly "secure out of the box" via large amounts of code review for security holes. Eh. The biggest thing with OpenBSD is Theo's ego. Yes, I'm kinda partial to NetBSD.

Re:So...

[DarthBart]

Sigh. I must learn to use preview.

Re:So...

[Anonymous Coward]

OpenBSD - Supposedly "secure out of the box" via large amounts of code review for security holes. Eh. The biggest thing with OpenBSD is Theo's ego. Yes, I'm kinda partial to NetBSD.

Funny. I've been using OpenBSD since 2.5 and just recently started using NetBSD 2.0 quite heavily. NetBSD is fast. However it's documentation (user guide and man pages) are nowhere near as clean and complete as OpenBSD's.

I have found myself checking OpenBSD man pages for hints that I just don't get from NetBSD man pages.

If yo

Re:So...

[DarthBart]

You can use pkg_add on any supported NetBSD platform, assuming someone built a package. Otherwise, you'll have to download pkgsrc.tar.gz, untar it, and use "make && make install"

Re:So...

[Qwerpafw]

there's also Darwin [apple.com], which is the BSD-core of Apple's Mac OS X. Darwin is Open Source, though Apple is pretty finnicky about who they let contribute for obvious reasons (it's the core of a commercial Operating System). There's also OpenDarwin [opendarwin.org] which is basically a community controlled branch of Darwin that occasionally serves as a testbed for standard Darwin features. Darwin is based on a Mach 3.0 microkernel, though it's more of a hybrid than that simplistic description would suggest.

Re:So...

[aliquis]

BSD/OS is commercial.

FreeBSD _was_ performing very good on x86 hardware (only), FreeBSD 5.x is often slower on single-cpu machines because they try to improve SMP performance and functionality. 5.x supports quite a few architectures aswell.

DragonFly is a fork of FreeBSD 4.x, better performance than FreeBSD 5.x but not for production (if you ask them), if I've understood everything correct their goal is among others fast IPC and beeing able to run the OS on a cluster. Right now they are going x86 only I th

Re:So...

[aliquis]

Define "many". A comment like this could be made about ANYTHING. It is completely pointless. People will always have opinions and most will continue to be wrong.
I have no idea, I just see the comments from people and webpages sometimes, I personally have to little knowledge to know if something is wrong/stupid or not. Part of it is probably because they brag so much about security and then it becomes more fun for some people when they fail.

Maybe you became bored of OpenBSD because you couldn't figure ou

Re:So...

[aliquis]

I know it's not recommended, however the comment section in the kernel config says "atleast one is needed", it doesn't say "remove old cpu support and it will break". I also know optimization doesn't do much different at all but often being able to is reason enough to do it.

And also optimization can bring forward errors in bad hardware, so it's might not break on another machine.

And anyway the locale part isn't there. So far NetBSD seem to run fine with march=athlon-tbird -O 2 -pipe.

BSD???

[PhotoGuy]

But I thought....????

-d

News flash

[Jacer]

It's dead. We...Think?

Sorry, I'm trolling...

[pp]

TCP SACK was introduced in 1996. Linux introduced it some time between 2.0 and 2.2 (that is, around 1999-2000). It's quite useful if you have a high-bandwidth link with some packet loss, since you can now retransmit only those packets that actually did get lost.

Good to see that the we-are-the-defacto-internet-standard-tcpip-stack people are finally catching up. NetBSD does get some very impressive single-CPU TCP/IP benchmarks though. Oh. They forgot fine-grained locking in their network stack. I suppose pe

PAM support?

[_pruegel_]

This Pam [google.com]? What took the BSD guys so long?

Re:An observation...

[malraid]

3. The previous 2 points are COMPLETLY hypotetical due to lack of ANY real evidence of such events