Hello, 

As I can see many fixes came out because of Ilja van Sprundel: 

https://www.openbsd.org/errata61.html

https://media.defcon.org/DEF%20CON%2025/DEF%20CON%2025%20presentations/DEFCON-25-Ilja-van-Sprundel-BSD-Kern-Vulns.pdf

Thanks to Ilja for pointing out the problems and to the OpenBSD team for fixing them 
so fast! :)

> Sent: Saturday, July 29, 2017 at 4:50 AM
> From: "Theo de Raadt" <dera...@openbsd.org>
> To: "Ilya Abimael" <ilyaabimae...@mail.com>
> Subject: Re: A survey of BSD kernel vulnerabilities (DEF CON) [pdf]
>
> > The maintainers of various BSDs should talk more among each other
> 
> Hey Ilya,
> 
> That happens very rarely.
> 
> In particular, they view us as competition.  We aren't competition;
> this is a research OS.
> 
> Most of their developers work in corporate environments, pretty
> tightly tied to things that happen in California.
> 
> For the millions that FreeBSD collected over the years, not one penny
> has been contributed towards OpenSSH or any of our other efforts.
> 
> We've taken almost no code from them.  Maybe a driver here or there.
> They've taken gobs of code from us, which does make us happy.
> 
> But over the years some of their developers have played sockpuppet
> games denouncing us.
> 
> The attacks against our efforts of trying to audit the whole tree,
> build mitigations, etc, got really bad about 10 years ago.
> 
> I decided years ago that anything important, I won't share with them
> by talking to them.  That's my choice.  I told other people of my
> choice.  Other people act the same way, I suppose.
> 
> However, all our fixes are committed in a public repo.  You may have
> heard, but we were the first codebase with a public repo -- i.e.
> anoncvs.  Before that, everyone was even more private, only releasing
> final tarballs with "changelogs".
> 
> However the reasons for changes sometimes don't show up in commitlogs.
> When our developers skip explaining the reasons, I give them heck.
> I dislike commit messages which don't explain the reason.
> 
> I think you oversimplify the situation.  There are fewer people than
> you might assume.  OpenBSD is about 80 people at a time, but 40 of them
> work in the ports tree.  Then about 10 people working in drivers, and
> the remaining 30 have a mix of kernel and userland experience, though
> it tends towards userland.
> 
> In FreeBSD the total numbers are about 2x as much, but their low-level
> grouping is even smaller than ours.
> 
> Surely you realize how large these codebases are.  People get spread
> out all over the place.
> 
> 7-day moving average of OpenBSD commits at
> http://www.oxide.org/cvs/OpenBSD.html appears to be about 50/day.
> 
> Where would people find the time to talk about anything?
> 
> 190,000 commits of divergence in the base trees.  Finding common ground
> is harder than you think.
> 
> After more than 20 years, there is no such thing as BSD.  Deep inside, the
> differences are greater than the commonalities.
> 
