Hi Nathan,

Nathan Hartman wrote on Mon, Jul 22, 2019 at 04:25:14PM -0400:

> I always assumed that the OpenBSD devs have audited the heck
> out of CVS for security issues

While many parts of the tree received auditing - and some even get re-audited - that doesn't mean that *all* parts of the tree got audited. In particular, stuff living in the subtree /usr/src/gnu/, an acronym which stands for "Gigantic and Nasty but Unavoidable", is much less likely to receive auditing.

For stuff there that is indeed Gigantic, the reason is obvious. But even smaller /gnu/ stuff is less likely to receive auditing for several reasons:

1. It's harder to audit. If you don't apply KNF and don't change the way the code is organized to match OpenBSD conventions, it is obvious why it is hard to audit. If you do, that implies forking. And applying KNF and cleaning up code organization is really a lot of work.

2. With a bad license, it's hardly worth it. Who would want to waste their time auditing GPL'ed code? Who would want to waste their time forking GPL'ed code? It will never become free anyway. So rewriting it from scratch is better - if you have the time.

3. It's less fun. Auditing is (1) easier, (2) more effective, (3) and the more rewarding for the auditor the better the code quality already is. Auditing low-quality or poorly written code is a real pain: slow, tedious, and it constantly keeps you wondering "yeuch, yet another bad habit - should i expunge that one, too, or would that mean going down a rabbit hole and never completing this audit at all?"

The latter point no. 3 may scare you. Am i saying that work may not get done because it is not fun? Am i saying that code may not get audited precisely because it is bad quality? Yes, i am. But isn't bad quality code in *more* need of auditing than good quality code? Yes, it is. But we are talking about volunteer work here. Many eyes only make bugs shallow if the code is appealing enough to look at. To a certain degree, we do take importance of work into account when deciding what to work on.

But the fact is, only about 17.8% of us are true masochists (mostly those attending certain ports hackathons, easily recognizable by their explicit T-shirts). That's not nearly enough for getting all of /usr/src/gnu audited.

> and are sticking to it for that reason.

No, i never heard anyone say that they audited GNU cvs, and it doesn't seem very likely that i missed it. Looking at the commit history, e.g.

  https://cvsweb.openbsd.org/cgi-bin/cvsweb/src/gnu/usr.bin/cvs/src/?sortby=date

doesn't suggest it either. There are many bug fixes and it was touched by several specialized tree sweeps (like the "%s" tree sweep a year ago), but i see nothing that looks like an audit. It looks like Stefan Esser & Sebastian Krahmer did some auditing of CVS in 2004, but that was not work done in the context of the OpenBSD project.

Besides, sometimes software does get forked for OpenBSD and then thoroughly audited, like Apache 1 was, and then replaced by something leaner anyway, httpd(8) in the case of Apache 1. And as far as i know, henning@ and reyk@ are still on friendly terms with each other. ;-)

Yours,
  Ingo