Linus takes a jab


mikeschoon
Posts: 34
Joined: Fri Jun 20, 2008 10:01 am
Location: Texas

Linus takes a jab

Post by mikeschoon » Wed Jul 16, 2008 3:39 pm


mikeschoon
Posts: 34
Joined: Fri Jun 20, 2008 10:01 am
Location: Texas

Re: Linus takes a jab

Post by mikeschoon » Wed Jul 16, 2008 3:56 pm

I've been supporting OpenBSD routers for close to a year and I have to say, I agree.

Colin
Posts: 28
Joined: Sat Jun 21, 2008 12:44 pm

Re: Linus takes a jab

Post by Colin » Wed Jul 16, 2008 4:11 pm

mikeschoon wrote:I've been supporting OpenBSD routers for close to a year and I have to say, I agree.
Care to explain?
They're focused too much on security?
Because I see plenty of bug fixes around.

mikeschoon
Posts: 34
Joined: Fri Jun 20, 2008 10:01 am
Location: Texas

Re: Linus takes a jab

Post by mikeschoon » Wed Jul 16, 2008 7:59 pm

Like planting a garden in concrete without a jackhammer. Security is always a balancing act between functionality and protection. They are obsessive about locking down the hatches, and it stifles creativity, IMHO. Administering pf becomes an everyday thing; it almost creates a condescending tone in and of itself. I also don't agree that all the things pf blocks are necessarily for the sake of security (VoIP, for example). It freaks out because of packet modifications and unusual ports necessary to route SIP traffic. I have a router running iptables at home and it just does its job. I input the command to open the port, and it works. Whoever wrote pf has no appreciation for the human mind.

Colin
Posts: 28
Joined: Sat Jun 21, 2008 12:44 pm

Re: Linus takes a jab

Post by Colin » Thu Jul 17, 2008 1:43 am

mikeschoon wrote:Like planting a garden in concrete without a jackhammer. Security is always a balancing act between functionality and protection. They are obsessive about locking down the hatches, and it stifles creativity, IMHO. Administering pf becomes an everyday thing; it almost creates a condescending tone in and of itself. I also don't agree that all the things pf blocks are necessarily for the sake of security (VoIP, for example). It freaks out because of packet modifications and unusual ports necessary to route SIP traffic. I have a router running iptables at home and it just does its job. I input the command to open the port, and it works. Whoever wrote pf has no appreciation for the human mind.
I can't agree with you. pf.conf is very human readable.
What's the problem with VoIP?

Tsuroerusu
Posts: 2551
Joined: Mon Sep 05, 2005 8:51 am
Location: Silkeborg, Denmark

Re: Linus takes a jab

Post by Tsuroerusu » Thu Jul 17, 2008 2:29 am

Colin wrote:
mikeschoon wrote:Like planting a garden in concrete without a jackhammer. Security is always a balancing act between functionality and protection. They are obsessive about locking down the hatches, and it stifles creativity, IMHO. Administering pf becomes an everyday thing; it almost creates a condescending tone in and of itself. I also don't agree that all the things pf blocks are necessarily for the sake of security (VoIP, for example). It freaks out because of packet modifications and unusual ports necessary to route SIP traffic. I have a router running iptables at home and it just does its job. I input the command to open the port, and it works. Whoever wrote pf has no appreciation for the human mind.
I can't agree with you. pf.conf is very human readable.
What's the problem with VoIP?
Same here, I use PF as a standard firewall for my two OpenBSD servers, and mostly the configuration files just look like this:

pass in   quick inet proto tcp  from any  to 10.0.2.4 port 80 flags any
If that isn't human readable, I don't know what is. This line is easy to interpret, "pass incoming traffic over internet-protocol-v4 with protocol tcp from any to 10.0.2.4 port 80 with any flags", especially if you have the pf.conf(5) man page handy to look up one or two things.

And speaking of documentation, OpenBSD isn't just about security, if you read their front page it says "Our efforts emphasize portability, standardization, correctness, proactive security and integrated cryptography.", which is a lot more than just security. Also, they see a flaw in API documentation, just as an example, as a critical problem in a security context, because an application developer might read false API docs and then unintentionally do something that causes a security problem. OpenBSD in general has amazing documentation.
Last edited by Tsuroerusu on Fri Jul 18, 2008 11:51 am, edited 1 time in total.

"Hatred does not cease by hatred, but only by love. This is the eternal rule."
- Siddhattha Gotama (Buddha), founder of Buddhism.
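The one-line rule above, and mikeschoon's complaint about SIP, both come down to how a pf ruleset is laid out. The following is an added example ruleset, not from any post in this thread and not from the OpenBSD project; the interface names, addresses, the PBX host and the RTP port range are assumptions for illustration. It uses the pre-4.7 nat/rdr syntax current in 2008 (OpenBSD 4.7 later folded nat and rdr into match rules with nat-to/rdr-to). The security-relevant point is that pf has no SIP application-layer gateway, so NAT for a SIP server needs static-port (so pf does not rewrite source ports) plus explicit rdr and pass rules for the signalling port and the media range the PBX is configured to use.

```pf
# Added example, not code from the thread. Names and addresses are assumed.
ext_if    = "em0"
int_if    = "em1"
int_net   = "10.0.2.0/24"
web       = "10.0.2.4"          # host from Tsuroerusu's rule
pbx       = "10.0.2.10"         # assumed SIP server behind the firewall
rtp_ports = "10000:20000"       # assumed RTP range the PBX is configured for

set skip on lo
scrub in all

# NAT for the LAN. pf has no SIP ALG: static-port keeps pf from rewriting
# source ports, which SIP endpoints otherwise trip over, and the PBX must
# still be told its public address (or use STUN) for the SDP it sends.
nat on $ext_if from $int_net to any -> ($ext_if) static-port

# Redirect inbound web, SIP signalling and RTP media to the internal hosts.
rdr on $ext_if proto tcp from any to ($ext_if) port 80 -> $web
rdr on $ext_if proto udp from any to ($ext_if) port 5060 -> $pbx
rdr on $ext_if proto udp from any to ($ext_if) port $rtp_ports -> $pbx

# Default deny; log what is dropped so mistakes show up on pflog0.
block log all

pass out quick on $ext_if keep state
pass in  quick on $int_if from $int_net keep state

# Filter rules are evaluated after translation, so they match the
# internal addresses. This is Tsuroerusu's rule with the interface named
# and only the initial SYN allowed to create state.
pass in quick on $ext_if inet proto tcp from any to $web port 80 flags S/SA keep state

# The redirected SIP and RTP traffic still needs its own pass rules.
pass in quick on $ext_if inet proto udp from any to $pbx port 5060 keep state
pass in quick on $ext_if inet proto udp from any to $pbx port $rtp_ports keep state
```

Check it before loading: `pfctl -nf /etc/pf.conf` parses the file without installing it, `pfctl -f /etc/pf.conf` loads it, `pfctl -sr` and `pfctl -sn` print the filter and translation rules as pf actually expanded the macros, and `tcpdump -n -e -ttt -i pflog0` shows exactly which rule dropped a packet, which is the first thing to look at when a SIP call sets up but carries no audio.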

mikeschoon
Posts: 34
Joined: Fri Jun 20, 2008 10:01 am
Location: Texas

Re: Linus takes a jab

Post by mikeschoon » Thu Jul 17, 2008 9:46 pm

To each his own, I guess. It doesn't process the way I think for some reason. Maybe I need to look into some good books about it. Any suggestions?

Colin
Posts: 28
Joined: Sat Jun 21, 2008 12:44 pm

Re: Linus takes a jab

Post by Colin » Fri Jul 18, 2008 2:12 am

mikeschoon wrote:To each his own, I guess. It doesn't process the way I think for some reason. Maybe I need to look into some good books about it. Any suggestions?
Take a look at this review of "The Book of PF" published by No Starch Press, written by Peter Hansteen.

Tsuroerusu
Posts: 2551
Joined: Mon Sep 05, 2005 8:51 am
Location: Silkeborg, Denmark

Re: Linus takes a jab

Post by Tsuroerusu » Fri Jul 18, 2008 7:35 am

Absolute OpenBSD: UNIX for the Practical Paranoid by Michael Lucas, is a really great book, albeit a bit old (It's from 2002), about OpenBSD in general, and includes some chapters on PF. I have it myself, and because of OpenBSD's extremely evolutionary development, it's only small details that have changed, so this book is very much still applicable.

jturning
Posts: 221
Joined: Wed Sep 13, 2006 1:11 pm
Location: Rancho Cordova

Re: Linus takes a jab

Post by jturning » Fri Jul 18, 2008 10:42 am

Linus apologized for his comments. The OpenBSD developers got the better of him in the argument anyway.

http://www.zdnetasia.com/news/security/ ... d=rss_z_nw

Bugz

Tsuroerusu
Posts: 2551
Joined: Mon Sep 05, 2005 8:51 am
Location: Silkeborg, Denmark

Re: Linus takes a jab

Post by Tsuroerusu » Fri Jul 18, 2008 12:05 pm

jturning wrote:Linus apologized for his comments.
As he should, the comments, albeit entertaining to a certain degree, were just completely unfounded.
jturning wrote:The OpenBSD developers got the better of him in the argument anyway.
Indeed, maybe Linus should shut Emacs down for a few minutes and go surf the web:
Audit Process
Our security auditing team typically has between six and twelve members who continue to search for and fix new security holes. We have been auditing since the summer of 1996. The process we follow to increase security is simply a comprehensive file-by-file analysis of every critical software component. We are not so much looking for security holes, as we are looking for basic software bugs, and if years later someone discovers the problem used to be a security issue, and we fixed it because it was just a bug, well, all the better. Flaws have been found in just about every area of the system. Entire new classes of security problems have been found during our audit, and often source code which had been audited earlier needs re-auditing with these new flaws in mind. Code often gets audited multiple times, and by multiple people with different auditing skills.

Source: http://www.openbsd.org/security.html
Emphasis is mine.

Gomer_X
Posts: 901
Joined: Fri Jun 03, 2005 1:31 pm
Location: Cincinnati, Ohio, USA

Re: Linus takes a jab

Post by Gomer_X » Fri Jul 18, 2008 12:47 pm

Tsuroerusu wrote:
jturning wrote:Linus apologized for his comments.
As he should, the comments, albeit entertaining to a certain degree, were just completely unfounded.
I wouldn't say completely unfounded. I thought the point was that OpenBSD is so security focused that they don't care about anything else.

It's a reasonable point. At least from my perspective the BSDs are fighting so hard to differentiate themselves in a narrow market that they can become blind to the big picture. I don't have the experience to know if what he says is true, but there IS a foundation for the argument.

Tsuroerusu
Posts: 2551
Joined: Mon Sep 05, 2005 8:51 am
Location: Silkeborg, Denmark

Re: Linus takes a jab

Post by Tsuroerusu » Fri Jul 18, 2008 4:05 pm

Gomer_X wrote:
Tsuroerusu wrote:
jturning wrote:Linus apologized for his comments.
As he should, the comments, albeit entertaining to a certain degree, were just completely unfounded.
I wouldn't say completely unfounded. I thought the point was that OpenBSD is so security focused that they don't care about anything else.

It's a reasonable point. At least from my perspective the BSDs are fighting so hard to differentiate themselves in a narrow market that they can become blind to the big picture. I don't have the experience to know if what he says is true, but there IS a foundation for the argument.
Did you not read the rest of my post? I quoted the OpenBSD website, where it for years has said that OpenBSD's approach to security is to audit not only for security flaws, but just for bugs and bad coding practices in general. OpenBSD doesn't just focus on security, if you go to the flipping front page of their website, they say "Our efforts emphasize portability, standardization, correctness, proactive security and integrated cryptography.", if you read that as "so security focused that they don't care about anything else.", well, you obviously speak a different language than I do. So no, this is not a reasonable point, "it's complete bogosity" to use a good quote from a certain video series on YouTube.

I don't know about FreeBSD, but if you think OpenBSD is "fighting so hard to differentiate themselves in a narrow market" you're seriously mistaken. If OpenBSD were really "competing" with GNU/Linux for market share, why do you think they have this big big focus on software freedom? And they are known for staunchly refusing to do things that to most people seem like the best thing to do. For example, only this year have they started to implement support for WPA, before that they only supported WEP (Which is really encraption, not encryption) and open networks and told people, who asked for a better solution, to use IPsec and AuthPF. OpenBSD doesn't support 3D acceleration either, although there is work going on to add that, that work only started this year.

You should have a good look at that article that jturning posted; for your convenience, here's the part that debunks Linus' statement:
"Developer Kjell Wooding agreed that OpenBSD coders treat bugs with equal significance.

"There is a certain irony to Linus's comment there," wrote Wooding in an e-mail to ZDNet UK. "The 'a bug is a bug' principle that he is espousing is exactly the approach taken by the OpenBSD developers that I know. The OpenBSD I know doesn't concentrate on security--it concentrates on correctness."

OpenBSD developer Bob Beck told ZDNet UK that Torvalds's comments showed "ignorance", as OpenBSD coders did take the approach of dealing with bugs equally.

"The comments sound like much of the usual chestbeating we are used to seeing to make all the fanboys and girls on the lists swoon," wrote Beck. "Realistically it just demonstrates an ignorance of the OpenBSD project.""
And at the bottom it says something quite positive:
"OpenBSD developer Artur Grabowski wrote on Thursday that Torvalds had apologized to the OpenBSD community.

"I talked to Linus about this already, he was humble about it and said it didn't look like it from the outside that we shared the same view," wrote Grabowski. "We all had a laugh about it.""

Colin
Posts: 28
Joined: Sat Jun 21, 2008 12:44 pm

Re: Linus takes a jab

Post by Colin » Fri Jul 18, 2008 4:54 pm

If you start using OpenBSD, you will see it's not all about security.
It's also "Free" as in the BSD way, "Functional" as in "just works out of the box", and let's not forget the "peer review" that goes with each commit.

P.S. You can follow the commits to the src and ports tree through freshbsd.org

Gomer_X
Posts: 901
Joined: Fri Jun 03, 2005 1:31 pm
Location: Cincinnati, Ohio, USA

Re: Linus takes a jab

Post by Gomer_X » Thu Aug 07, 2008 8:50 am

Tsuroerusu wrote:Did you not read the rest of my post?
Yes. I was only responding to one point, though. You said Linus' argument was completely unfounded. There IS a foundation for this argument. You have made an extreme exaggeration.
Tsuroerusu wrote:I don't know about FreeBSD, but if you think OpenBSD is "fighting so hard to differentiate themselves in a narrow market" you're seriously mistaken. If OpenBSD were really "competing" with GNU/Linux for market share, why do you think they have this big big focus on software freedom?
Again you miss the point. I don't think the BSDs compete with Linux so much as they compete with each other. The BSD market is pretty narrow and they're all trying to find a niche. I'm not arguing whether that's bad or good, but I do think it's happening. That could lead people to think they're ignoring the bigger picture.
