Are the BSDs Dying? Some Security Researchers Think So (csoonline.com) 196
itwbennett writes: The BSDs have lost the battle for mindshare to Linux, and that may well bode ill for the future sustainability of the BSDs as viable, secure operating systems, writes CSO's JM Porup. The reason why is a familiar refrain: more eyeballs mean more secure code. Porup cites the work of Ilja van Sprundel, director of penetration testing at IOActive, who, noting the "small number of reported BSD kernel vulnerabilities compared to Linux," dug into BSD source code. His search 'easily' turned up about 115 kernel bugs. Porup looks at the relative security of OpenBSD, FreeBSD and NetBSD, the effect on Mac OS, and why, despite FreeBSD's relative popularity, OpenBSD may be the most likely to survive.
BSD is Dying? (Score:5, Funny)
I won't believe it until Netcraft confirms it!
Re:BSD is Dying? (Score:5, Funny)
"more eyeballs mean more secure code"?! (Score:5, Insightful)
After Heartbleed and the other issues affecting OpenSSL, and Shellshock affecting bash, why the hell would anyone still be pushing this disproven "more eyeballs" narrative?!
The OpenBSD project proves that security doesn't come from "more eyeballs". It comes from having software developers who know what they're doing, and who take their work very seriously, and who show immense discipline, and who don't put up with bullshit, and who put security first and foremost.
You could have two million "eyeballs" of offshore "programmers" in India looking at some code, and it will likely still end up being much less secure than code doing the same work but written by a couple of OpenBSD's developers.
Code quality doesn't come from the quantity of people looking at it. Code quality comes from the quality of the people working on it.
Re: (Score:1)
Code quality doesn't come from the quantity of people looking at it. Code quality comes from the quality of the people working on it.
"he easily found around 115 kernel bugs across the three BSDs, including 30 for FreeBSD, 25 for OpenBSD, and 60 for NetBSD. Many of these bugs he called "low-hanging fruit." He promptly reported all the bugs, but six months later, at the time of his talk, many remained unpatched."
This does not speak highly of the quality of the people working on the code.
Re: "more eyeballs mean more secure code"?! (Score:3, Interesting)
Give us links to each and every one of those bug reports so we can judge the severity of these alleged bugs on our own. If the BSD devs aren't fixing them it's probably because they're very minor bugs, or perhaps aren't even valid bugs to begin with.
Re: (Score:3, Informative)
van Sprundel also praised OpenBSD's response to his bug findings, saying that De Raadt responded within a week, and OpenBSD patched the flaws within a few days.
Re: (Score:2)
It's not the quality of people but perhaps how much they are being paid. The difference between Linux and the BSDs is that there are many more paid developers working on the Linux kernel than the BSDs.
Everybody has to find a way to put groceries on the table.
Re: (Score:3)
I am fine on groceries. I want code that is reliable and secure. I will continue using OpenBSD - but not as my dinner.
Re: (Score:1)
The BSDs work on the principle that you can shoot into your foot if you so desire. That's why you get a stern warning if you enable the troves of security holes (aka compat-X). Not to mention that to sum up all the security holes before comparing them to the Linux side was a little bit disappointing. You have to compare each flavour of BSD to Linux.
Yes there are lots of holes left and they will stay until someone really needs an old version secured. There is a reason LINT is called lint. If you don
Re:"more eyeballs mean more secure code"?! (Score:5, Insightful)
Why the hell would anyone still be pushing this disproven "more eyeballs" narrative?!
It's important to note that if there weren't eyeballs on the code we would never have known about the vulnerabilities to fix to begin with.
They would have only been discovered and exploited by the malicious and never disclosed unless the attack was discovered, while the company responsible would spin the issue and would (in most cases) not spend the money to secure other installations.
Because flaws cannot be hidden, overlooked or covered up, researchers and other interested parties can perform their own independent audit of the software powering their systems.
-- More eyeballs does in fact mean more secure code. -- Think of it as a global oversight committee.
Why was the Shellshock bug there for 25 years? (Score:1)
You should read up about the Shellshock bug that affected bash [wikipedia.org].
Once you do that, you'll learn that it was present in bash back in 1989.
When it was finally publicly announced in 2014, the bug had been present for around 25 years!
We aren't talking about an obscure piece of software here, either. Bash is probably among the most widely available and used open source software projects out there, and has been like this for a long time.
Brag about your "global oversight committee" all you want. It's clear that all
Re:"more eyeballs mean more secure code"?! (Score:5, Insightful)
That comment is neither interesting nor insightful. It's just pushing the age old misrepresentation of the quote.
"Many eyeballs make all bugs shallow" does not - and has never - meant that there will be no bugs, or that they will not lie dormant for a potentially long time. It simply refers to the fact that the more eyes that see a bug, the quicker someone will come up with a fix. Exactly what these researchers are claiming.
The OpenBSD project proves that security doesn't come from "more eyeballs".
I'm sorry, that you didn't RTFA is pretty damned obvious, but did you even read the blurb? There is no such "proof". Rather, they proved the opposite.
Code quality doesn't come from the quantity of people looking at it. Code quality comes from the quality of the people working on it.
Again, a half-truth. Yes, it's true, but the more people who are involved in a project, the greater the probability that your "good people" turn out to be really good. And the more people you have, the more people you have to fix mundane stuff which doesn't require "really good people" to fix - which frees up your "really good people" to deal with the hairy stuff, and the more eyeballs you have who might for some reason find bugs which need the attention of the "really good people".
Quantity is a quality of its own.
Re:"more eyeballs mean more secure code"?! (Score:5, Informative)
Code quality doesn't come from the quantity of people looking at it. Code quality comes from the quality of the people working on it.
Did you read the article? Theo De Raadt says as much:
Re: (Score:2)
After Heartbleed and the other issues affecting OpenSSL, and Shellshock affecting bash, why the hell would anyone still be pushing this disproven "more eyeballs" narrative?!
People keep repeating the law incorrectly. Linus' Law states that "with many eyeballs, all bugs are shallow", it doesn't say anything about secure code.
Re: (Score:2)
"BSD users are fat, have fleas and spend all their time posting on kuro5hin [wikipedia.org]" as the troll goes
Re: (Score:1)
> Darwin was based on Linux.
Obvious troll is oblivious...
Re: BSD is Dying? (Score:1)
What? It's the only BSD that's actually certified Unix.
Re:BSD is Dying? (Score:5, Funny)
Re: (Score:2)
Re: (Score:3)
BSD has been dying almost as long as Apple has been going out of business . . .
hawk
Re: (Score:2)
Re: (Score:2)
Yes, but did it make you pour hot grits down your pants?
Re:BSD is Dying? (Score:4, Funny)
Re: (Score:2)
FYI on an unrelated matter, from a previous discussion, SpaceX is now *tentatively* launching Falcon Heavy on Feb 6th or 7th, which is a couple days ahead of Hamcation.
So you may have to make your way out there a few days early.
Re: BSD is Dying? (Score:2)
Re: (Score:1)
Funnily enough, when I worked for Netcraft a large number of their machines were running FreeBSD :)
That was over six years ago though, and we were moving more towards Linux when we left, so I wouldn't be surprised if most of those are gone now.
Is it now official (Score:2, Funny)
Re: (Score:2)
Re: (Score:3)
Dude, that is one of the oldest memes on Slashdot.
YHBT. YHL. HAND.
BSDs dying? I won't believe it... (Score:2)
Re: (Score:2)
He already did - look further up the page [slashdot.org].
The *BSDs have the most intelligent mindshare. (Score:1, Interesting)
I think that this is a laughable idea. The *BSDs have the best mindshare possible. They have the mindshare of the most intelligent and forward-looking software developers, IT specialists, and executives.
Linux's mindshare is closer to that of Windows. It's not so much based on technical excellence or intelligence or foresight as it is based on hype and name recognition.
The mindshare that the *BSDs have is the best there is.
Re: (Score:2)
As a PC-BSD/TrueOS user, I wonder about that. It used to be that the updates were pretty smooth. Since TrueOS succeeded PC-BSD in ver 11 onwards as a rolling update, I've found it next to impossible to upgrade my revs, but can't work in the older revs either. Which is a pity.
BSDs dying? (Score:2, Insightful)
Re: (Score:1)
I'd be more concerned about the effects of systemd on the Linux distributions. :)
Mod Parent Up.
After running Linux for a decade, systemd pushed me to try both FreeBSD and OpenBSD for the first time ever.
Re: (Score:2)
One word: slackware.
The oldest (still available), and IMO still the best.
Re: (Score:2)
Wow.... get defensive much? I wasn't disparaging BSD in comparison to Slackware, I was just pointing out that Slackware doesn't use systemd.
That you would call modern Slackware a "1996 user experience" is indicative of either deliberate ignorance or having so much confirmation bias that I don't think it would be worth my time or anyone else's to try and convince you that you might be wrong about it. You go and use whatever satisfies you, nobody's twisting your arm here.
Re: (Score:2)
Re: (Score:2)
I've heard systemd is under suspicion of being a serial killer!
Re:BSDs dying? (Score:4, Funny)
So that explains why my serial ports don't work any more!
Re: (Score:1)
Yeah SystemD is really bad. It fails constantly, and crashes my entire system usually taking out my hard drive too requiring a full new install every time. When I tried to add new services they failed for unknown reasons and there is no error message or logs that help. Also I noticed that the SystemD process takes up 100% cpu and most of my free ram and there is no setting I can use to change it. I and my friends have all switched to open bsd and things are way better for everyone. Totally faster and
Re: (Score:1)
systemd had an affair with my wife.
Re: (Score:2, Flamebait)
Uhhmmmmm
apt-get install sysvinit
apt-get remove systemd-sysv
Done and done. No more fscking systemd to fsck everything in the A.
Re: BSDs dying? (Score:5, Interesting)
Re: (Score:2, Informative)
And being able to install straight onto ZFS is huge; Debian and Ubuntu need to get this into their installers.
I don't see how that can be done legally, as Linux and ZFS have incompatible copyright licenses.
Re: (Score:2)
The line is distributing the combination (Score:2)
Based on what I have read of previous discussions, though the user may add third-party kernel modules under an incompatible license to a private installation, a distributor is not allowed to distribute the combination. This is why third-party kernel modules available separately cannot be included in an install image distributed to the public, as the distributor of an install image has to distribute the combination.
Re: (Score:2)
Why is ZFS such a huge advantage for a home user? It uses a lot of RAM and many features are just not needed for anything less than a massive NAS/SAN. Sure a 787 is great and has a lot of features but it just is not good for running down to the local grocery store.
Re: (Score:3)
Re:BSDs dying? (Score:5, Funny)
Re: BSDs dying? (Score:1)
Re: (Score:2)
Re: (Score:1)
Needs to run something baroque. (Score:2)
I realize you are joking, but it's interesting that Linus is using Fedora, which was one of the first distros to switch to systemd, meaning he was one of the early systemd adopters.
Linus needs to use something with a lot of the popular bells and whistles, at least part of the time, so he can see what's fouled up. B-)
That means he needs to run some really baroque stuff - the better to keep it from being totally broke(n).
Re: (Score:2)
Why not: given the complete and utter ubiquity of MS-Windows across the entire computing landscape, I'd say it's positive (that is, Linux is dying)?
What about our quarterly reports?!?!? (Score:1)
The whole world does NOT revolve around accountants and their twisted view of progress.
MacOS X? (Score:5, Interesting)
Re: (Score:1)
Yes. The Mac OS X kernel does come from BSD heritage. Also the command line utilities are ported over on a regular basis from FreeBSD. The same goes for iOS (the iPhone OS).
The GUI is of course its own thing with some basis from NeXT's GUI (same with many libraries).
Re: (Score:2, Informative)
I'm a Mac user and I've downloaded and installed FreeBSD, NetBSD and Minix 3 in virtual machines, so I could work through tutorials that were geared toward these systems.
The question then became, what can I actually DO with them that I can't do already with Mac OS? I couldn't find anything. So those VMs went in the trash.
Hogwash (Score:5, Funny)
The authorities here on Slashdot have repeatedly said that right now was the golden age of BSD due to Debian's adoption of systemd. There are no Linux users left. BSD is the only system that remains in widespread use.
Re: (Score:2)
The authorities here on Slashdot have repeatedly said that right now was the golden age of BSD due to Debian's adoption of systemd. There are no Linux users left. BSD is the only system that remains in widespread use.
I noticed this too. Also, I am not concerned about the low hanging fruit when it comes to security. The reality is that humans are error prone so there is no way to make a system that is 100% secure. Theo de Raadt has to prioritize things and really spend the lion's share of his team's time on the serious stuff that can result in intrusion and privilege escalation. OpenBSD's security record stands ... "Only two remote holes in the default install, in a heck of a long time!" I don't think any Linux distribut
Re: (Score:1)
Enough potential eyeballs (Score:1)
FreeBSD is from 1993, when the potential number of eyeballs was just a fraction of what it is today: the world. Some kid in China who wasn't online in 1993 could be their next contributor. Even if their market share has gone down, the number of users has gone up dramatically.
No (Score:5, Interesting)
Re:How would they No (Score:2)
It's not like BSD users go around saying "I run BSD" or that they leave ports open so that they can be electronically surveyed.
My SNES Classic runs BSD. Lots of routers, firewalls and NAS devices run BSD.
The thing with BSD is it gets professionally used, not professionally blogged. Maybe BSD should consider a marketing team if it's really an issue for them.
Re: (Score:2)
Re: (Score:2)
How is it that different from Linux?
Re: (Score:3)
"Some" researchers are saying the BSDs are dying so it must be true, huh? "Read it on the internet, hot damn, must be true then." Bullshit! The BSDs have a large community that is passionate about their choice of operating system. I have been using OpenBSD since 1998 and I will only stop using it once the community completely collapses, development ceases, and the foundation folds. The day that happens, I will have to find another hobby altogether and just keep a smartphone and tablet handy. Learning and using OpenBSD has made me far more knowledgeable about computers, operating systems, networks, and security than any other platform out there. If it weren't for my college roommate introducing me to OpenBSD, I believe I would just be another Microsoft wanker. OpenBSD taught me how the internet works and opened a wealth of knowledge. OpenBSD turned me from a computer power user into a true System Administrator. Ever since that day when I asked my roommate just what the heck OpenBSD was, my life would never be the same.
Here's the problem, in 1998 the BSDs and Linux were still on fairly equal footing, so it made just as much sense for you to learn a BSD.
In 2018 Linux has a giant community, a huge ecosystem, and major companies behind it.
You can get a job on the basis of your Linux expertise and will be able to do so for a while, even if there are corporate BSD systems right now how much longer do you think they're going to last?
How old are the members of that BSD community? If an undergrad is looking to learn BSD or Linux
Re: (Score:2)
I wouldn't put my stock in the BSD is dying chant. That's been appearing on Slashdot since October 5, 1997.
Re: (Score:2)
I get heartily sick of the OS wars; you use the correct tool for the job (regardless of zealotry. I used to be a toolchain maintainer for a "From Source" pseudo linux distro)
I use OpenBSD (my own custom built perimeter devices), *BSD (Vendor supplied storage devices, load balancing gear, network gear ie: EMC/F5/Juniper), Solaris (backend "have to stay up forever" devices, predominately databases), Linux (Frontend scale-out services, Open
BSD isn't Blue Screen of Death? (Score:2)
The summary doesn't make a clear distinction...
If true, it's a shame (Score:5, Interesting)
IMO:
BSDs have a superior architecture in many respects. This is especially true since the systemd takeover.
Administration on BSD servers just makes more sense. Linux seems to be all over the map. I think there are over 1000 Linux distros. Many distros want to change around the directory structure. Simple things, like starting services on bootup, and setting up a static IP, become difficult with Linux because everybody wants to pull Linux in different directions - often for no good technical reason.
Linux certainly has advantages over BSD. But I think BSD gets a lot of stuff right.
Again: all JMHO.
Re:If true, it's a shame (Score:5, Interesting)
1000 distros sure, but you can completely ignore 990 of them. Of the remaining 10, probably 6 are copies of the major 4, Debian, RedHat, Gentoo, Arch.
People keep bringing up the many distro thing but honestly, no one really gives a shit. Those are hobbyist toys and they almost universally die out after a few years. In those few years a handful of people learn a lot and contribute to the community.
The BSDs are fine. I used them once upon a time. The problem is they are inflexible and all they want to do is emulate a long gone era of computing that just isn't functional today. Linux will at least adapt to people's needs, the BSDs will stand there and bitch about you being on their lawn.
Re: (Score:3)
BSDs have a superior architecture in many respects. This is especially true since the systemd takeover.
1000 distros sure, but you can completely ignore 990 of them. Of the remaining 10, probably 6 are copies of the major 4, Debian, RedHat, Gentoo, Arch.
Gentoo doesn't use systemd by default. I don't know about the others. There's nothing wrong with GNU/Linux itself just because some distros decide to ruin themselves by including systemd.
I remember trying NetBSD back around 2002, and I really liked some aspects of it compared to the Linux distros I knew back then. Hardware support was pretty bad, though. Fortunately, I soon discovered Gentoo whose package management is derived from the BSDs, but having the hardware support of Linux and the nicer (IMHO) G
Re: (Score:2)
> Gentoo doesn't use systemd by default. I don't know about the others. There's nothing wrong with GNU/Linux itself just because some distros decide to ruin themselves by including systemd.
I am using a gentoo based distro right now. No systemd, but gentoo is not a very standard Linux.
Also you post about "some distros" as if there are just a few systemd distros. In reality, systemd has fairly well taken over, especially in the corporate world. Very few individuals, and even fewer corporations, want to bot
Re: (Score:1)
There are really only two distros. RedHat and Debian. Debian is a mess while RedHat combined what made sense. It's a really good mature OS with industrial grade applications. I've been around since the VMS days. One of the first real operating systems. Don't get me wrong, I used to know and love BSD back in the 1980s. I remember it fit on around 50 3.5" disks that I punched out from the University. Used to build X11 from source. However BSD today isn't that. It hasn't been a real player for a couple of decad
Re: (Score:3)
Maybe not your needs - definitely mine:
Re: (Score:2)
> the BSD's aren't changing to meet the newer needs of the current world.
The BSDs are improving all the time. They just don't feel the compulsion to make change for the sake of change.
The overwhelming number of changes in Linux - especially recently - either do not help at all, or make Linux worse.
Is it just that the pie is growing? (Score:5, Interesting)
First off, I submit that BSD is finding its home in appliances. FreeNAS and pfSense are both fairly popular, and both BSD based. Commercially, the Nintendo Switch is based on BSD, and Cisco, McAfee, and Juniper all have appliances using BSD at their core. Also, as others have pointed out, OSX.
That said, there are so many copy/paste tutorials for Debian and its derivatives like Ubuntu and Raspbian. With BSD lagging behind severely, for every person who prefers BSD and can successfully use it to do what they need, there are five more less-technical users who are able to fall into the pit of success with a Bitnami or Turnkey Linux distribution.
BSD may well be superior for certain tasks, especially networking, but the fact of the matter is that BSD cannot be expected to be competitive in the numbers game against Linux when Linux has an ecosystem which BSD lacks. That ecosystem encourages users looking to get something done to use that product, rather than adhere to principles which otherwise have little effect on them. I know systemd is hated in these parts, almost universally, but if I need to spin up a Wordpress instance, it takes me ten minutes to grab Turnkey Linux and start adding my content, rather than the half hour or more it would take to spin up BSD, manually install an AMP stack, figure out the BSD equivalent of /var/www, Google all the MySQL commands to create the database at the CLI since I don't have Adminer or phpMyAdmin to do it, and then add Wordpress. As a non-developer and non-distributor, the BSD vs. GPL vs. MIT license situation affects me very little, so the fact that both Debian and BSD are free-as-in-beer means that they compete on how much of my time they take to spin up.
This is why I use pfSense and FreeNAS. It's also why most of my appliances are Turnkey Linux based.
Re: (Score:2)
Is "pkg install phpmyadmin" not sufficient to add all the necessary AMP components, phpMyAdmin, etc?
/var/www = /usr/local/www (/www ... and this is a lot more logical than putting them under /var!!!!)
A few different things for controlling service startup (/etc/rc.conf) but that should be about it?
Don't doubt that there are finely tuned Linux distros specifically for spinning up your use cases (and I'm not experienced with any of them), but FreeBSD is pretty easy to get up and running today too!
Re: (Score:2)
Yo buddy not sure what you are getting at. Setting up wordpress on a Linux system or a BSD system is the same amount of work. Just because you are familiar with one installation process does not mean that you know all. Just by your comment I know you haven't even looked at BSD. So let me help you. System config files /etc. User installed config files /usr/local/etc. Log files /var/log. Very constant, been so for over 25 years. Every program you listed is available and I can go from bare bone to full firewal
Re: (Score:2)
I come from a traditional Unix background, I want to say the first system I used was running SunOS 3.5. In college I found out about OpenBSD and ran it on my P-90 beige box. It was great for servers, but trying to run desktop apps was a hassle since you either hoped what you wanted was there in the ports collection or were forced to build it yourself. Back in those days just getting X11 to work with your graphics card could be difficult to impossible.
Eventually I got tired of dealing with a limited port
Re: (Score:1)
Not trying to start a flame war even remotely, but nothing in your reply refutes the fact that the licensing is why these companies choose the BSDs. They don't pick BSD for superiority; Legal likes BSD license because it's compatible with IP, while GPL inherently isn't. I'll even add Netflix into the company list: they use FreeBSD on very specific back-end machines (and very few of them), but everything else is Linux (this comes from someone who actually works there).
FreeBSD was a good solid OS in the 4.x
Man, I hope not (Score:1)
Using FreeBSD (Score:1)
*BSD = Elitism (Score:3, Interesting)
You know, some 20 years ago, I used to be a huge supporter of FreeBSD. I swore by the OS, and wouldn't touch anything else. A diehard fanboi. Then I asked for help with some legacy hardware and discovered the hostile elitism of BSD community.
They basically told me to make my own drivers and to fuck off. Yeah, not very helpful. I switched to Linux cuz it worked with my legacy hardware and never looked back.
Today I have zero respect for *BSD people and software. They can jump off a cliff and I'd just smile. I would sooner touch a Mac than a *BSD system. Treat people like shit, they might just be totally alienated from your offerings.
Re: (Score:2)
Sorry you were exposed to the raw elitism in a *nix community. I know that our GNU/Linux communities can get pretty damn elitist too. See, even I'm doing it with the "GNU."
Re: (Score:2)
I switched to Linux cuz it worked with my legacy hardware and never looked back.
Funny how the BSDs were once known to run on any toaster, but it's been ages since Linux took over in the number of hardware architectures, not to mention the countless device drivers. Linux might be lacking in some traditional Unix purity, but for practical purposes it is much more useful, and it's not at the expense of openness. If you use a grown-up distro like Gentoo that doesn't have training wheels or atrocities like systemd, you can get the best of both worlds.
Re: (Score:2)
What do you have against Macs?
I am a Linux Developer, I have a MacBook Pro "The old one that lets you upgrade the ram and drives", a Windows system for FSX, several Linux boxes, an Android phone and tablet, a Kindle tablet, an Apple IIc, and an Amiga 3000 with a video toaster!
Really folks stop making certain tech into your God. Tech is just a tool and frankly, all tools are kind of cool in their own way.
The first person to solve the issue should be you (Score:2)
Here is an article worth reading that explains that "The first person that should solve that issue, the one you wrote, should be no other than yourself [hackernoon.com]."
Let me also share with you a few names behind well-known open source projects: Poul-Henning Kamp (FreeBSD, Varnish Cache) runs his own independent consulting business, Paul Vixie (Cron, BI
Well you can go a long way with little people... (Score:2)
... when you don't have the FreeDesktop or SystemD crowd, solving trivial projects in the most complex way to deal with weird use cases nobody has.
The Unix philosophy was meant to achieve a lot with little effort, and that's gradually getting lost on Linux.
Re: (Score:2)
Re: (Score:2)
Agreed. I used NetBSD for 15 years and had to give it up a year or two ago. The project completely lost direction. Unfortunately the NetBSD foundation laid the groundwork for the collapse a very long time ago with their "hostile takeover".
Rust in peace.
Re: (Score:2)
NetBSD is great, still, but... is not progressing much. SMP is relatively low performance compared to Linux. Drivers for newer hardware are lacking. Etc. It doesn't have enough critical mass for significant forward progress.
mod parent up! (Score:2)
Very well put. Those are my feelings exactly.