So....
Throwing a hissy fit and taking the ball home not found endearing..
Shocked surprise.
OpenBSD founder Theo De Raadt said OpenSSL maintainers appeared to have intentionally not informed it about dangerous vulnerabilities found in the platform and patched today. The apparent feud stems from the April break away LibreSSL which was forked after developers found the OpenSSL code base to be unacceptably insecure in …
I naively thought that folk who were willing to be open about providing code, etc., to help others would also be cooperative to achieve the same goals. Then I got involved in one of the open source projects and found out just how difficult and assholeish some otherwise very smart folk can be.
Sigh, as a natural pessimist I should have expected that really.
(AC for obvious reasons)
> I naively thought that folk who were willing to be open about providing code, etc., to help others would also be cooperative to achieve the same goals. Then I got involved in one of the open source projects and found out just how difficult and assholeish some otherwise very smart folk can be.
People often talk about OSS being developed by people 'for free' - maybe the reward for their work is sometimes the boost to their egos - "look at me, I write clever software used by lots and lots of people!".
Aside from the money, there are plenty of other factors in deciding what job you will take. For OSS I am willing to bet there are a lot of reasons as well.
In my case I needed that project's capabilities, but also needed it to work better. If I just forked it for my own personal use I would have to back-port any future fixes and features, so it makes rational sense for me to get my fixes and features added in and supported by the project. Ego was not part of it.
Or alternatively, act like a kid and responsible adults still do their best to keep you safe.
How can anyone take open source seriously when major bits of software are managed by pouty children? "He did it first" is not an excuse that works when it comes to software security.
"How can anyone take open source seriously when major bits of software are managed by pouty children?"
Have you ever worked in a large company? The management layer can be every bit as bad, though for subtly different reasons.
In any case there are plenty of examples of closed source products that only ever got reluctantly patched once a breach had occurred, and not when they were notified of it. Should we not take commercial software seriously as a result?
"He has explicitly said that any security bugs in OpenSSH, he will not report it to the FreeBSD project, because someone once made him cry."
Interesting -- may we have a reference?
You aren't familiar with Theo de Raadt, are you? The guy's basically a 5 year old in the body of an adult, throwing tantrums on everything. This is the guy that called Linux a hackjob just because it ended up being more popular than his renegade branch off BSD (itself a product of another of his tantrums). LibreSSL seems to be his most recent tantrum, though his concerns might be actually valid on OpenSSL (how the hell did they let something like Heartbleed sit around for 2 years?!). But notice that one of the things LibreSSL cut was FIPS 140-2 support, which is probably dumb. Oh well...
More throwing tantrums like an infant (l'enfant terrible, if I haven't mangled it) going through the terrible twos on methamphetamines. Theo's been a fixture for a long, long time and BSD was always my favorite distro. However..., he gives me more than sufficient reason to drink, and friends don't let friends drink and code (or do message groups**)!!
With that, I need a drink. A toast to my shiny, shiny new server!
[**There are more than a few tantrums out there from moi so I know of what I type.]
"...[Theo de Raadt] is the guy that called Linux a hackjob just because it ended up being more popular than his renegade branch off BSD..."
Theo did not call Linux a hackjob because of that. He called it a hackjob because Linux has quite sloppy code. Even Linus Torvalds himself confirms this. See links below.
http://www.tomshardware.com/news/Linux-Linus-Torvalds-kernel-too-complex-code,14495.html#comments
"In an interview with German newspaper Zeit Online, Torvalds recently stated that Linux has become "too complex" and he was concerned that developers would not be able to find their way through the software anymore. He complained that even subsystems have become very complex and he told the publication that he is "afraid of the day" when there will be an error that "cannot be evaluated anymore."
http://www.forbes.com/2005/06/16/linux-bsd-unix-cz_dl_0616theo.html
“[Linux] is terrible,” De Raadt says. “Everyone is using it, and they don’t realize how bad it is. And the Linux people will just stick with it and add to it rather than stepping back and saying, ‘This is garbage and we should fix it.’”
"Lok Technologies , a San Jose, Calif.-based maker of networking gear, started out using Linux in its equipment but switched to OpenBSD four years ago after company founder Simon Lok, who holds a doctorate in computer science, took a close look at the Linux source code.
“You know what I found? Right in the kernel, in the heart of the operating system, I found a developer’s comment that said, ‘Does this belong here?’” Lok says. “What kind of confidence does that inspire? Right then I knew it was time to switch [away from Linux].”
http://www.theregister.co.uk/2009/09/22/linus_torvalds_linux_bloated_huge/
"LinuxCon 2009 Linux creator Linus Torvalds says the open source kernel has become "bloated and huge," with no midriff-slimming diet plan in sight."
There are many many similar links of how bad the Linux code can be sometimes, I can post 20ish links with ease.
The problems are because Linux focuses on getting the newest, hottest functionality as fast as possible. That is the reason Linux has five sound APIs right now, all of them broken. Five sound APIs add to the bloat that Linus Torvalds talks about in the link above. And the broken device driver model, let's not talk about that; there are always threads in every Linux forum on "I upgraded the kernel and now sound/etc/etc stopped working"...
BSD has another philosophy: they add code more slowly, with emphasis on stability and good design. OTOH, Linux has no design. Linus Torvalds himself said so: "Linux does not have a design, and never will have. We rewrite it all the time, until we have evolved into something better. Just like nature has evolved humans. Trial and error is superior to any design, look at how mother nature does it". This leads Linux to have a very high code turnover; basically every part is rewritten all the time. Which means the code is never old and mature. It is always new, and new code always has a lot of bugs.
Do you understand why Linux is a hackjob? It is not stable and well designed, as Linus Torvalds himself opposes stable and well thought out design; trial and error is better, according to Linus (what a dumb thing to say!!). With emphasis on "error". That is the reason the prominent Linux developer Andrew Morton said this:
http://lwn.net/Articles/285088/
Q: Is it your opinion that the quality of the kernel is in decline? Most developers seem to be pretty sanguine about the overall quality problem.
A: I used to think it was in decline, and I think that I might think that it still is. I see so many regressions which we never fix.
http://www.kerneltrap.org/Linux/Active_Merge_Windows
"The [linux source code] tree breaks every day, and it's becoming an extremely non-fun environment to work in. We need to slow down the merging, we need to review things more, we need people to test their f--king changes!"
Bassbeast writes regarding the broken Linux device driver model (when Linus Torvalds changes the internal ABI, you need to hack/recompile all device drivers):
"You have a MINIMUM of 150,000 drivers for Linux, yes? And we have several thousand NEW devices released weekly... how many Linux kernel devs are there again? 500? 1000? If you kept them working 24/7/365 on NOTHING but drivers the math still wouldn't work; all it would take is Torvalds changing a pointer (which, considering I can wallpaper this page with "update foo broke my driver" posts, appears to be Torvalds' SOP) and it would take 3 to 4 YEARS just for them to give 5 minutes to each driver.
So I'm sorry, but you can bang your Linux bible all day long; what you are selling is about as believable as Adam riding a dinosaur. When every single OS on the planet OTHER than Linux has a stable device driver ABI, are you REALLY gonna sit here and argue that Torvalds is smarter than every single OS designer on the entire planet? Really? If his driver model was good others would adopt it; they haven't, and the reason why is obvious: it's not good.
I'll leave you with this: if one of the largest OEMs on the entire planet can't get Linux to work without running their own fork, what chance do the rest of us have?"
http://www.theinquirer.net/inquirer/news/1530558/ubuntu-broken-dell-inspiron-mini
MadMike, personally I am quite reassured when the main people involved in a project show a keen awareness of the complexity and limitations of said project. It also gives me more confidence on their decisions, knowing that they have been taken on the basis of a frank and honest look at the problem. Those decisions might still turn out to be wrong sometimes, but none is perfect and we try to learn from it.
What I value about Linux at this level, is precisely the openness and willingness to criticise and be criticised. As a FOSS contributor, I can assure you it takes quite some balls to post your code out there, with your name on it, for it to be potentially ripped to bits by unknown others for decades to come.
You may have the nicest LinkedIn profile in the world, but I'd rather work with or hire somebody whose most spectacular fuck-ups are just one Google search away. At least I know exactly what I'm getting, and I also know that thin skin probably does not come with the package.
Conversely, when your code gets praise from a developer that you know and respect, that's quite an uplifting feeling too. :)
So in short, yes, our code sometimes sucks, but we're big enough to admit it and do something about it, if something needs to be done. What about yours?
Interesting -- may we have a reference?
Sure:
You are welcome. Stuart Henderson wrote the draft, but he forgot that part, and Damien Miller and I realized it was needed. We sensed there might be some ambiguity... we'll take care the next time an OpenOffice problem also.
... as long as you aren't using FreeBSD or a derivative (hint: Juniper), you are fine. That's the only place I know of an OpenSSH hole.
Oh now I sense some angst. Please ask Kirk McKusick, he knows the story about why this is not being disclosed to FreeBSD. Sometimes I feel a bit sorry for them (and for him), but then the next minute I don't feel sorry because there's damn good reasons they won't be told about what I found.
> Throwing a hissy fit
Can you please point out where?
I take it you have read the actual discussions from where the quotes are taken, and which the author of this article has helpfully linked to.
You are aware that you are reading a red-top, and that things will sometimes (often) be taken out of context for sensationalist effect, right? Some of us find this occasionally entertaining and that's why ElReg has an audience, but a responsible reader would not go making judgements without being in possession of sufficient and reliable facts and information.
Forking a codebase brings with it the requirement (on the forker) to continue monitoring, at least for a period of time, the progress on the project you fork. Consequently, if the aforementioned BSD person had done this he would have seen these changes and been professional enough to enquire about details. Ho hum.
> if aforementioned BSD person had done this he would have seen these changes and be professional enough to enquire about details
He (actually they) shouldn't have to. It's crap like this from people like the OpenSSL team that make me believe that the only responsible disclosure is immediate disclosure when you cannot rely on the maintainers (open or closed source) to not act like arseholes.
As the article clearly points out, they have an ethical requirement to tell the OpenBSD project. This appears to be what happened to other major projects that rely on OpenSSL, as evidenced by the release of updates from other projects or platforms similar to OpenBSD that were simultaneous with the security announcement.
As for those people questioning the need to fork OpenSSL, I suggest they take a look at the commit logs for LibreSSL and various blog postings from the likes of TedU (most of which predate the decision to fork). These clearly show that the quality of the OpenSSL code is shocking with no apparent code reviews for third party submissions leading to a maintenance nightmare - code duplication, no consistency in error handling, dead code all over the place, bogus comments, etc. There is also the unwillingness of the OpenSSL developers to incorporate any but the most critical bug fixes from third parties, leading to a slew of fixes being left ignored in the OpenSSL bug tracker for years. Sure, they'll blindly accept third party submissions of entire subsystems or implementations of specific features - with no attempt to cleanly integrate them into the existing codebase - but once they're in the developers seem to be completely disinterested or incapable of applying third party improvements or fixes.
But shouldn't it be the job of those who decide to fork something? Checking on development of what they forked, and not the other way round? That would seem to make more sense.
If I have a project on a public site like GitHub... and 500 people make forks of it, and some people make forks of those forks, should it be up to me to tell everyone who forked it that there is a serious bug? Surely they should all be monitoring my project and see for themselves.
> As the article clearly points out, they have an ethical requirement to tell the OpenBSD project.
De Raadt basically said "You guys can't be trusted with it, we are going to take care of it from now on." He accepted the responsibility, he has no-one else to blame when his inaction means that there is a problem with his code.
Maybe the OpenSSL devs are stonewalling them, maybe not. To be honest I neither know nor care, but if you simultaneously insult a group of people and take credit for their work that means taking responsibility for the problems too.
What about bugs that are so severe that they are kept off public bug trackers but can affect other forks/variants/systems?
Here I guess the beef is they informed others but not the new fork.
Well, honestly, you're not required to inform others, but it is an open source project, and the whole system works on a system of honor, so it's kinda irresponsible to not disclose it to dependent forks.
But then again, if a project were to just disclose all such severe bugs to all who "want" it, I'd question its security. For all we know, the fork's developer could be working for the NSA/KGB/GCHQ :), and I'm sure they could put such a window of opportunity to use. IMO LibreSSL isn't used or important enough to need to know such details at this moment in time.
They (the developers of LibreSSL) basically said that they'd make a secure version but were incapable of finding the undisclosed bugs in the existing code. I guess they didn't sit down and really dig through the code they'd forked even though they must have known it was flawed. Doesn't sound too promising for the future of their code.
> they must have known it was flawed
How does one do that? Though making sure these flaws can be discovered at all is the whole point of the effort.
> Doesn't sound too promising for the future of their code.
The OTHER conclusion is that there may well be additional bugs of the same class still hanging around in OpenSSL as these bugs do not exactly declare themselves even when one is cleaning up the existing codebase.
They always said that their plan was to get rid of the crap and only then could they start on the proper bugs, when they can actually read the code. They've been doing that for a month and a half but OpenSSL is the gift that keeps on giving.
I suppose someone's pride at OpenSSL was wounded when their code was (very rightly) criticised. They also don't seem to be backporting LibreSSL's fixes which is also irresponsible.
The day that the OpenSSL library can be removed and replaced with a softlink to the LibreSSL library is the day the security of the internet will go up 100%.
His statements were met with some criticism centered on the original decision to fork OpenSSL rather than working with developers to improve its security.
Name and shame, please!
People who recommend turd polishing should not be allowed to operate in the vicinity of high-assurance code.
http://www.openwall.com/lists/oss-security/2014/05/02/7
<cite>
Date: Fri, 02 May 2014 14:33:12 -0600
From: Theo de Raadt <deraadt@....openbsd.org>
> Also cc'ing Theo so OpenBSD gets
> notified for sure. Speaking of which Theo: should we get you or an
> OpenBSD deputy (Bob Beck?) onto distros@?
...
We don't get paid. And therefore, I don't know where I should find
the time to be on another mailing list. It is not like I would have
sent a mail to anyone. In general our processes are simply commit &
publish. So I'll decline.
</cite>
https://plus.google.com/+MarkJCox/posts/L8i6PSsKJKs
OpenSSL's timeline: that list was notified on 2014-06-02.
OpenSSL's "official reason" for this is there too: it's because
they're not on os-distros, see MarkJCox's post @08:53.
(And there's a fine flame war in the comments there too.)
Meantime, Theo cranks it up a gear [NSFW] in openbsd-misc@
http://marc.info/?l=openbsd-misc&m=140202938032160&w=2
Could this actually be down to the fact that no release versions of OpenBSD actually use the LibreSSL library yet? I mean, they say themselves it is scheduled to be included in a future release, so it isn't production code yet. They told all the players who have that code on production equipment, as it will have a real effect on them; how will a couple of days' delay make any difference to a library not in production use?
As much as TdR is abrasive in style, he does actually care about security, and having been involved in forking software and having to deal with patches, I fully sympathise with his point of view.
In fact, I just donated to OpenBSD because the OpenBSD project actually cares about code quality - and that means users benefit too. That's really important.
Except I invited Theo to join distros@ publicly:
http://seclists.org/oss-sec/2014/q2/232
and he turned it down:
http://seclists.org/oss-sec/2014/q2/233
I then privately emailed beck@ and invited him to join on June 1st, and he also turned it down.
So not for lack of trying.
And then Theo sent a large number of abusive emails privately and publicly:
http://marc.info/?l=openbsd-tech&m=140202939732165&w=2
And he has now decided he wants to join the list.
So... the only story here is that he chose not to participate, and then when he wasn't told he threw a tantrum. Classic Theo. And like most press you took the easy story and did no research. Shame on you.
I'm so very tired of this.
Lol @
I HAD TO CHANGE MY PASSWORD AT ALL OF MY ONLINE BANKING ACCOUNTS!
THEY KNOW THAT OPENSSL IS SHIT! HOW LONG DO YOU THINK THEY WILL
CONTINUE TO USE SHITE FROM OPENSSL?
THEY ARE NOT STUPID!
Goes a long way to explain why Microsoft IIS is about to overtake Apache for market share for the first time ever. There have consistently been far fewer security vulnerabilities in the Microsoft stack for a long time now...