Hello,

As I can see, many fixes came out because of Ilja van Sprundel:

https://www.openbsd.org/errata61.html
https://media.defcon.org/DEF%20CON%2025/DEF%20CON%2025%20presentations/DEFCON-25-Ilja-van-Sprundel-BSD-Kern-Vulns.pdf

Thanks Ilja for pointing out the problems, and to the OpenBSD team for fixing them so fast! :)

> Sent: Saturday, July 29, 2017 at 4:50 AM
> From: "Theo de Raadt" <[email protected]>
> To: "Ilya Abimael" <[email protected]>
> Subject: Re: A survey of BSD kernel vulnerabilities (DEF CON) [pdf]
>
> > The maintainers of various BSDs should talk more among each other
>
> Hey Ilya,
>
> That happens very rarely.
>
> In particular, they view us as competition. We aren't competition;
> this is a research OS.
>
> Most of their developers work in corporate environments, pretty
> tightly tied to things that happen in California.
>
> For the millions that FreeBSD collected over the years, not one penny
> has been contributed towards OpenSSH or any of our other efforts.
>
> We've taken almost no code from them. Maybe a driver here or there.
> They've taken gobs of code from us, which does make us happy.
>
> But over the years some of their developers have played sockpuppet
> games denouncing us.
>
> The attacks against our efforts of trying to audit the whole tree,
> build mitigations, etc., got really bad about 10 years ago.
>
> I decided years ago that anything important, I won't share with them
> by talking to them. That's my choice. I told other people of my
> choice. Other people act the same way, I suppose.
>
> However, all our fixes are committed in a public repo. You may have
> heard, but we were the first codebase with a public repo -- i.e.
> anoncvs. Before that, everyone was even more private, only releasing
> final tarballs with "changelogs".
>
> However, the reasons for changes sometimes don't show up in commit logs.
> When our developers skip explaining the reasons, I give them heck.
> I dislike commit messages which don't explain the reason.
>
> I think you oversimplify the situation. There are fewer people than
> you might assume. OpenBSD is about 80 people at a time, but 40 of them
> work in the ports tree. Then about 10 people working in drivers, and
> the remaining 30 have a mix of kernel and userland experience, though
> it tends towards userland.
>
> In FreeBSD the total numbers are about 2x as much, but their low-level
> grouping is even smaller than ours.
>
> Surely you realize how large these codebases are. People get spread
> out all over the place.
>
> 7-day moving average of OpenBSD commits at
> http://www.oxide.org/cvs/OpenBSD.html appears to be about 50/day.
>
> Where would people find the time to talk about anything?
>
> 190,000 commits of divergence in the base trees. Finding common ground
> is harder than you think.
>
> After more than 20 years, there is no such thing as BSD. Deep inside, the
> differences are greater than the commonalities.
>

