Re: BSD derivatives
Chad Perrin wrote:
> I'm not saying that's what the OpenBSD project does. I'm just saying that, for instance, the availability of the ath driver contradicts a claim that security is a top priority of the FreeBSD project. Only if it was installed and operational by default would that really be the case. Obviously, I'm assuming it's not installed by default. From what I've read so far, it's not -- please correct me if I'm wrong.

Actually to set the record straight, the ath driver is installed by default in 6.2 RELEASE. Installed by default meaning the card is recognized during FreeBSD setup and the user is able to configure it immediately from sysinstall. The ath driver was also present in 6.1 RELEASE (and maybe earlier?) although it had to be manually activated as a kernel module and it was not immediately obvious it was supported since it was not present in sysinstall during setup.

Although the whole security issue is of course highly debatable, don't forget how much more secure FreeBSD (or other open source OSes) are compared to proprietary systems. I've been (and still am) a competent Windows 200X server admin for years and have seen oh so many holes. Mind you, most of them actually get exploited. It is nowhere near this in FreeBSD.

___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to [EMAIL PROTECTED]
Re: BSD derivatives
On Sun, Jun 03, 2007 at 09:15:22AM +0300, Manolis Kiagias wrote:
> Chad Perrin wrote:
> > I'm not saying that's what the OpenBSD project does. I'm just saying that, for instance, the availability of the ath driver contradicts a claim that security is a top priority of the FreeBSD project. Only if it was installed and operational by default would that really be the case. Obviously, I'm assuming it's not installed by default. From what I've read so far, it's not -- please correct me if I'm wrong.
>
> Actually to set the record straight, the ath driver is installed by default in 6.2 RELEASE. Installed by default meaning the card is recognized during FreeBSD setup and the user is able to configure it immediately from sysinstall. The ath driver was also present in 6.1 RELEASE (and maybe earlier?) although it had to be manually activated as a kernel module and it was not immediately obvious it was supported since it was not present in sysinstall during setup.

That still sounds like it's not installed by default in the sense that I meant it. By installed by default, I mean you install the system and, without even knowing it (or making a decision), you discover you have a closed-source driver in your system.

> Although the whole security issue is of course highly debatable, don't forget how much more secure FreeBSD (or other open source OSes) are compared to proprietary systems. I've been (and still am) a competent Windows 200X server admin for years and have seen oh so many holes. Mind you, most of them actually get exploited. It is nowhere near this in FreeBSD.

One of the keys for this is the fact that they're open source software, of course. To the extent that something like the ath driver is part of your system whether you want it or not, that additional security benefit is reduced.

I'm just trying to differentiate between closed source software that affects system security and closed source software that doesn't -- because anything that isn't actually running doesn't affect security (all else being equal).

--
CCD CopyWrite Chad Perrin [ http://ccd.apotheon.org ]
Leon Festinger: A man with a conviction is a hard man to change. Tell him you disagree and he turns away. Show him facts and figures and he questions your sources. Appeal to logic and he fails to see your point.
Re: BSD derivatives
Chad Perrin wrote:
> On Sun, Jun 03, 2007 at 09:15:22AM +0300, Manolis Kiagias wrote:
> > Chad Perrin wrote:
> > > I'm not saying that's what the OpenBSD project does. I'm just saying that, for instance, the availability of the ath driver contradicts a claim that security is a top priority of the FreeBSD project. Only if it was installed and operational by default would that really be the case. Obviously, I'm assuming it's not installed by default. From what I've read so far, it's not -- please correct me if I'm wrong.
> >
> > Actually to set the record straight, the ath driver is installed by default in 6.2 RELEASE. Installed by default meaning the card is recognized during FreeBSD setup and the user is able to configure it immediately from sysinstall. The ath driver was also present in 6.1 RELEASE (and maybe earlier?) although it had to be manually activated as a kernel module and it was not immediately obvious it was supported since it was not present in sysinstall during setup.
>
> That still sounds like it's not installed by default in the sense that I meant it. By installed by default, I mean you install the system and, without even knowing it (or making a decision), you discover you have a closed-source driver in your system.

I see your point, bear in mind however that someone who is installing a system that he believes consists of only free software may easily overlook the fact one of the drivers is not, esp. if it is silently recognized and configured with little intervention during setup. A security-conscious admin would of course research both the OS and the market and choose his hardware wisely. This leaves this kind of vulnerability to smaller systems (maybe home systems) where the OS is installed to existing hardware that was previously used with proprietary OSes and where the user / admin is not experienced or knowledgeable enough to care. In fact it would be better if proprietary drivers were clearly marked as such (or a relevant message shown in FreeBSD setup). It's been quite some time since I set up my atheros in FreeBSD but I cannot recall seeing any warning or indication about the ath driver.

> > Although the whole security issue is of course highly debatable, don't forget how much more secure FreeBSD (or other open source OSes) are compared to proprietary systems. I've been (and still am) a competent Windows 200X server admin for years and have seen oh so many holes. Mind you, most of them actually get exploited. It is nowhere near this in FreeBSD.
>
> One of the keys for this is the fact that they're open source software, of course. To the extent that something like the ath driver is part of your system whether you want it or not, that additional security benefit is reduced.
>
> I'm just trying to differentiate between closed source software that affects system security and closed source software that doesn't -- because anything that isn't actually running doesn't affect security (all else being equal).

Agree with you completely on this, binary-only drivers can cause trouble even if well written. If nothing else, the company which writes them has limited resources or even incentive to support them and had they been open source, fixes - security or other - would be implemented in a timely manner. I do prefer total open source on my server for security and peace of mind. The desktop is however a different thing, I can live with the occasional atheros or nvidia driver.
Re: BSD derivatives
Hi Blake,

On 02/06/07, Blake Finley, MA, ABD-2 [EMAIL PROTECTED] wrote:
> I am primarily concerned about security from internet hacking, and am therefore considering setting up a separate internet computer with BSD.

Are you trying to secure a network with a secure gateway? To have a secure PC? What is your goal exactly?

> What is your association with Open BSD? with Linux?

They are both BSDs... I am not developing any of both, but I don't see any reason why not adding a very good piece of code from the Free to the Open BSD or the opposite. I am 99.9% sure that the association between them is not competition.

What do you mean by Linux? Do you have any distro in mind? Anyway... FreeBSD is what it claims to be *clearly* on top of the page: http://www.freebsd.org and Linux is what it claims to be on http://www.linux.org (you need to read a little more than the top of the page here though, to see what it is). Also check this link: http://www.linux.org/dist/list.html (*press go*)

> Are there copyright or other related issues involved? It appears that FreeBSD is the most closely associated with the original Berkeley programmers. (1) I was told that OpenBSD provided the best security. But I also note that changes have occurred at OBSD, and wonder if this is still true.

It would have been better if the above questions were posted in other, separate posts... :) These are irrelevant ((1) - see below) to security from internet hacking.

Are you trying to decide if BSD is more secure than a Linux distro? It seems to me that you place random questions/information here and this way you can only get random replies and information that will remain information and won't help you being secured (considering that you said that primarily you are concerned about security).

If you know/learn how to setup a system and keep it up to date and monitor it appropriately and spend a lot of time on it and many other things, then it will be as much secured as possible from attacks.

...Supposedly, you decide that any of the OSs in question is the most secure: You spend 3 days setting it up and you do nothing else for the next 2 years. Your system won't be secure, no programmers will be responsible for this and the copyrights usually claim/provide the software AS IS, whatever its name is.

(1) Programmers try to give you as much functionality and options (obviously along with security) possible. You are responsible to disable functionality that you don't need, to install the patches/updates they implement when vulnerabilities are found, etc. If for example they exclude things (i.e. a driver) from the OS, for security, you would have an OS with limitations. Their goal is to write nice, neat, secure code. Not preventing people from attacking you nor you from not installing security updates to your computer. It would be like asking the hardware vendor not to put a network card in your computer, for security from internet hacking.

The answer you want though is this: FreeBSD is derived from BSD, the version of UNIX(r) developed at the University of California, Berkeley which is BY FAR more impressive *in my opinion* than this: http://www.slackware.com/~msimons/slackware/grfx/ :P

Regards
Spiros
Re: BSD derivatives
On Sun, Jun 03, 2007 at 10:42:33AM +0300, Manolis Kiagias wrote:
> Chad Perrin wrote:
> > On Sun, Jun 03, 2007 at 09:15:22AM +0300, Manolis Kiagias wrote:
> > > Chad Perrin wrote:
> > > > I'm not saying that's what the OpenBSD project does. I'm just saying that, for instance, the availability of the ath driver contradicts a claim that security is a top priority of the FreeBSD project. Only if it was installed and operational by default would that really be the case. Obviously, I'm assuming it's not installed by default. From what I've read so far, it's not -- please correct me if I'm wrong.
> > >
> > > Actually to set the record straight, the ath driver is installed by default in 6.2 RELEASE. Installed by default meaning the card is recognized during FreeBSD setup and the user is able to configure it immediately from sysinstall. The ath driver was also present in 6.1 RELEASE (and maybe earlier?) although it had to be manually activated as a kernel module and it was not immediately obvious it was supported since it was not present in sysinstall during setup.
> >
> > That still sounds like it's not installed by default in the sense that I meant it. By installed by default, I mean you install the system and, without even knowing it (or making a decision), you discover you have a closed-source driver in your system.
>
> I see your point, bear in mind however that someone who is installing a system that he believes consists of only free software may easily overlook the fact one of the drivers is not, esp. if it is silently recognized and configured with little intervention during setup. A security-conscious admin would of course research both the OS and the market and choose his hardware wisely. This leaves this kind of vulnerability to smaller systems (maybe home systems) where the OS is installed to existing hardware that was previously used with proprietary OSes and where the user / admin is not experienced or knowledgeable enough to care. In fact it would be better if proprietary drivers were clearly marked as such (or a relevant message shown in FreeBSD setup). It's been quite some time since I set up my atheros in FreeBSD but I cannot recall seeing any warning or indication about the ath driver.

I agree with that idea -- that any proprietary software should be clearly and unavoidably marked as such. In fact, I'd be happier if every pkg-descr file in the ports tree included a mention of the license terms under which the software is distributed.

> > > Although the whole security issue is of course highly debatable, don't forget how much more secure FreeBSD (or other open source OSes) are compared to proprietary systems. I've been (and still am) a competent Windows 200X server admin for years and have seen oh so many holes. Mind you, most of them actually get exploited. It is nowhere near this in FreeBSD.
> >
> > One of the keys for this is the fact that they're open source software, of course. To the extent that something like the ath driver is part of your system whether you want it or not, that additional security benefit is reduced.
> >
> > I'm just trying to differentiate between closed source software that affects system security and closed source software that doesn't -- because anything that isn't actually running doesn't affect security (all else being equal).
>
> Agree with you completely on this, binary-only drivers can cause trouble even if well written. If nothing else, the company which writes them has limited resources or even incentive to support them and had they been open source, fixes - security or other - would be implemented in a timely manner. I do prefer total open source on my server for security and peace of mind. The desktop is however a different thing, I can live with the occasional atheros or nvidia driver.

Until such time as there are high quality laptops that provide the functionality I want/need and also do not use any hardware that requires closed source drivers for full functionality, I'll be forced to use closed source drivers for my primary system. Actually, at present I'm not using any closed source drivers for my primary system, but only because the closed source drivers don't bloody well work. Because of this, I have to maintain an entire closed source operating system on another partition. It may eventually be replaced with a Linux partition so I can use the drivers I need, but something seems strange and wrong about dual-booting Linux with FreeBSD. It's a personal hang-up, I guess.

Uh . . . so my point is simply that I, too, prefer no closed source software, but make exceptions for desktop systems sometimes. I wish I didn't have to.

--
CCD CopyWrite Chad Perrin [ http://ccd.apotheon.org ]
Dr. Ron Paul: Liberty has meaning only if we still believe in it when terrible things happen and a false government security blanket beckons.
BSD derivatives
I am primarily concerned about security from internet hacking, and am therefore considering setting up a separate internet computer with BSD.

What is your association with Open BSD? with Linux?

Are there copyright or other related issues involved? It appears that FreeBSD is the most closely associated with the original Berkeley programmers.

I was told that OpenBSD provided the best security. But I also note that changes have occurred at OBSD, and wonder if this is still true.

Blake Finley
Re: BSD derivatives
Blake Finley, MA, ABD-2 [EMAIL PROTECTED] wrote:
> I am primarily concerned about security from internet hacking, and am therefore considering setting up a separate internet computer with BSD.

You shouldn't use FreeBSD, then. It's written by hackers: http://en.wikipedia.org/wiki/Hacker

If you're trying to protect yourself from Internet criminals, though, you'll find FreeBSD very useful.

> What is your association with Open BSD? with Linux?

There have got to be a jillion explanations of this on the WWW. Are you familiar with google?:
http://people.freebsd.org/~murray/bsd_flier.html
http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/history.html
Those are just two that I found quickly.

> Are there copyright or other related issues involved?

Sure. Although I don't really know what you mean by that.

> It appears that FreeBSD is the most closely associated with the original Berkeley programmers.

Depends on who you ask.

> I was told that OpenBSD provided the best security. But I also note that changes have occurred at OBSD, and wonder if this is still true.

What changes are those? OpenBSD puts security higher on its list of project goals and motivating factors than any other OS I know. Whether or not that actually causes it to be more secure or not is a subject of some debate, although the general consensus seems to be that they are largely successful.

--
Bill Moran
http://www.potentialtech.com
Re: BSD derivatives
Bill Moran wrote:
> OpenBSD puts security higher on its list of project goals and motivating factors than any other OS I know.

I disagree. I'd say that OpenBSD and FreeBSD put security in exactly the same place -- at the top of the list. I think the distinction to draw is that FreeBSD has a longer (albeit unwritten) list of project goals, with the effect that a smaller proportion of the development being done on FreeBSD is security-related; this may make it look like we care less about security, but it's really just a sign that FreeBSD is a larger project.

Colin Percival
Re: BSD derivatives
Blake Finley, MA, ABD-2 wrote:

Hello. Hope it's not too tongue-in-chic, but it's practically irresistible.

> I am primarily concerned about security from internet hacking, and am therefore considering setting up a separate internet computer with BSD.
> What is your association with Open BSD?

Hmm, three letters, and, long, long ago in a galaxy far away (1993, California), the same codebase. These days, it's possible that some developers work on both the FreeBSD and OpenBSD projects (I don't know for sure), and, once in a great while, when somebody over here says something, um, wrong(?), Theo De Raadt drops by to Set Us Straight(TM). [I can only assume that some of us go over there first to invite combat. Indeed, I might be doing it now. Generally, I respect the OpenBSD team's outlook on life in general, etc., and I download _all_ the songs.]

You might wish to also read about and/or consider NetBSD and DragonFlyBSD. Also, PCBSD and Desktop BSD are relatively new projects that are based on the work of the FreeBSD Project, with an eye to being, maybe, more user friendly in regard to installation in particular and configuration in general.

Lastly, you might want to consider obtaining FreeSBIE, a Live CD system based on FreeBSD. You can boot a computer from CDROM into FreeBSD and 1 of a few different types of user environments, maybe get a feel for it, test your hardware, read the manpages, read /COPYRIGHT, perhaps read other documentation, courtesy of some hard-working Italian hackers (and some from some other places).

> with Linux?

What's that? /evil grin

If you are familiar with Linux, search at Google with the string BSD Linux Matthew Fuller rant. It's a fairly well thought-through tirade on some of the differences Linux users perceive when they look at (Free)BSD. If you _aren't_ familiar with Linux, let's just say that FreeBSD is to Linux as Ferrari is to Pontiac (or, maybe vice-versa, depending on whom you read --- of course, many people these days are pathological liars and can't be trusted, right?), and then leave it dead somewhere near there. Both are computer operating systems with several similarities, enough that if you can drive one, you can probably get around in the other. They just aren't the *same*.

> Are there copyright or other related issues involved?

You will need to be more specific. *-BSD systems are under the BSD Copyright, which I'm sure you can find with a web search. Some software on FreeBSD (and by extension PCBSD and 'Desktop BSD') may also be under the FSF's GPL. The compiler comes to mind, for starters. I believe that one of the goals of many BSD developers is to ultimately be rid of GPL'ed software; but, then again, one of many humans' goals is to ultimately build a Utopian society without many of the societal ills we face. It's not so likely to happen very soon at all.

> It appears that FreeBSD is the most closely associated with the original Berkeley programmers.

Maybe. NetBSD and FreeBSD were both originally based heavily on UC Berkeley work, most notably 4.3BSD/Net 2, and then 4.4BSD after it became unencumbered. Speaking of Copyright above, and, if you are referring to issues such as the SCO/Linux court battle or the recent Microsoft claim that Linux infringes on $n of their patents, as far as we know, no one has any commercial copyright, per se, in the FreeBSD source code. The lawsuit on that one was settled in 1993, out of court IIRC. The contestants were BSDI (and, to some extent, by extension, U. Cal), and AT&T's Unix Systems Laboratories.

> I was told that OpenBSD provided the best security. But I also note that changes have occurred at OBSD, and wonder if this is still true.

Actually, OpenBSD does have an excellent security track record. They might also welcome a large monetary donation, should you be so endowed and inclined. OTOH, it's totally Free, also, in rather the same way as FreeBSD. OpenBSD forked from NetBSD many years ago for some reason or another that I'm sure you can read up on with resources on the WWW (or, maybe the aforementioned Mr. De Raadt will Set Me Straight(TM)).

Let me encourage you to read appropriate sections of, or even all of the FreeBSD handbook (www.freebsd.org/handbook). It is probably the best open-source operating system documentation in existence (and perhaps better than any proprietary OS docs, also).

Bah, too many words. Good luck with your search for security!

Kevin Kinsey
--
The devil finds work for idle glands.
Re: BSD derivatives
On Sat, Jun 02, 2007 at 04:18:33PM -0700, Blake Finley, MA, ABD-2 wrote:
> I am primarily concerned about security from internet hacking, and am therefore considering setting up a separate internet computer with BSD.
>
> What is your association with Open BSD? with Linux?
>
> Are there copyright or other related issues involved?

You can read the copyright information on the web site. It will give you better information than repeating it here.

> It appears that FreeBSD is the most closely associated with the original Berkeley programmers.

Essentially true.

> I was told that OpenBSD provided the best security. But I also note that changes have occurred at OBSD, and wonder if this is still true.

Well, OpenBSD has made a point of being security conscious, but FreeBSD fixes any problems that come up in it as well. For real work situations I think the differences are quite small nowadays insofar as security is concerned. But, I am sure someone would enjoy splitting bits over that.

jerry

> Blake Finley
Re: BSD derivatives
On Sat, 02 Jun 2007 18:10:27 -0700 Colin Percival [EMAIL PROTECTED] wrote:
> Bill Moran wrote:
> > OpenBSD puts security higher on its list of project goals and motivating factors than any other OS I know.
>
> I disagree. I'd say that OpenBSD and FreeBSD put security in exactly the same place -- at the top of the list.

Sorry but I have to disagree here. FreeBSD ships with closed source software including following drivers: ath, nve, oltr, rr232x, hptmv. Closed source software implies potential insecurity. If security is at the top of the list then I see a clear contradiction here.

Jona

--
I am chaos. I am the substance from which your artists and scientists build rhythms. I am the spirit with which your children and clowns laugh in happy anarchy. I am chaos. I am alive, and tell you that you are free.
Eris, Goddess Of Chaos, Discord & Confusion
Re: BSD derivatives
--On June 3, 2007 4:33:01 AM +0200 Jona Joachim [EMAIL PROTECTED] wrote:
> On Sat, 02 Jun 2007 18:10:27 -0700 Colin Percival [EMAIL PROTECTED] wrote:
> > Bill Moran wrote:
> > > OpenBSD puts security higher on its list of project goals and motivating factors than any other OS I know.
> >
> > I disagree. I'd say that OpenBSD and FreeBSD put security in exactly the same place -- at the top of the list.
>
> Sorry but I have to disagree here. FreeBSD ships with closed source software including following drivers: ath, nve, oltr, rr232x, hptmv. Closed source software implies potential insecurity. If security is at the top of the list then I see a clear contradiction here.

Sorry, but that's an incredibly naive statement. *All* software implies potential insecurity. It's the nature of software. If it were untrue, there would be no security patches for open source software.

Paul Schmehl ([EMAIL PROTECTED])
Senior Information Security Analyst
The University of Texas at Dallas
http://www.utdallas.edu/ir/security/
Re: BSD derivatives
On Sat, Jun 02, 2007 at 08:53:52PM -0500, Kevin Kinsey wrote:
> Blake Finley, MA, ABD-2 wrote:
>
> If you are familiar with Linux, search at Google with the string BSD Linux Matthew Fuller rant. It's a fairly well thought-through tirade on some of the differences Linux users perceive when they look at (Free)BSD. If you _aren't_ familiar with Linux, let's just say that FreeBSD is to Linux as Ferrari is to Pontiac (or, maybe vice-versa, depending on whom you read --- of course, many people these days are pathological liars and can't be trusted, right?), and then leave it dead somewhere near there. Both are computer operating systems with several similarities, enough that if you can drive one, you can probably get around in the other. They just aren't the *same*.

I'd say it's probably more like Linux is a two-rail snow sled with an Exocet rocket motor bolted to it while FreeBSD is a racing snowmobile. At least, that's how they feel in comparison with one another, to someone who made the switch from Debian to FreeBSD starting in November of last year (that's me). I prefer the snowmobile, but some people just like an out-of-control ride at 315m/s. Go figure.

> You will need to be more specific. *-BSD systems are under the BSD Copyright, which I'm sure you can find with a web search. Some software on FreeBSD (and by extension PCBSD and 'Desktop BSD') may also be under the FSF's GPL. The compiler comes to mind, for starters. I believe that one of the goals of many BSD developers is to ultimately be rid of GPL'ed software; but, then again, one of many humans' goals is to ultimately build a Utopian society without many of the societal ills we face. It's not so likely to happen very soon at all.

That's something I've been wondering about. Do you (or anyone else here) happen to know if there's an ongoing project/effort to replace gcc for the *BSDs?

> Actually, OpenBSD does have an excellent security track record. They might also welcome a large monetary donation, should you be so endowed and inclined. OTOH, it's totally Free, also, in rather the same way as FreeBSD. OpenBSD forked from NetBSD many years ago for some reason or another that I'm sure you can read up on with resources on the WWW (or, maybe the aforementioned Mr. De Raadt will Set Me Straight(TM)).

Totally free except the format of the official installer, that is. It may seem like a minor matter, but for perfect accuracy it should probably be mentioned at least in passing.

> Let me encourage you to read appropriate sections of, or even all of the FreeBSD handbook (www.freebsd.org/handbook). It is probably the best open-source operating system documentation in existence (and perhaps better than any proprietary OS docs, also).

Judging by my experience with proprietary OSes, they tend to be worse than pretty much all of the major Linux distros, which puts FreeBSD even further ahead of proprietary OS documentation. YMMV.

--
CCD CopyWrite Chad Perrin [ http://ccd.apotheon.org ]
Paul Graham: Real ugliness is not harsh-looking syntax, but having to build programs out of the wrong concepts.
Re: BSD derivatives
On Sun, Jun 03, 2007 at 04:33:01AM +0200, Jona Joachim wrote:
> On Sat, 02 Jun 2007 18:10:27 -0700 Colin Percival [EMAIL PROTECTED] wrote:
> > Bill Moran wrote:
> > > OpenBSD puts security higher on its list of project goals and motivating factors than any other OS I know.
> >
> > I disagree. I'd say that OpenBSD and FreeBSD put security in exactly the same place -- at the top of the list.
>
> Sorry but I have to disagree here. FreeBSD ships with closed source software including following drivers: ath, nve, oltr, rr232x, hptmv. Closed source software implies potential insecurity. If security is at the top of the list then I see a clear contradiction here.

More accurately, I'd say that the closed source drivers only imply priorities contradictory to security if they're installed and active in default configuration. If it's just a binary lump that never executes, on the other hand, or is on a server or CD somewhere waiting to be installed if you want it, that doesn't imply insecurity in the system -- only in the configuration of a system where someone chooses to use the closed source software. Hopefully that made some sense.

While I tend to agree with the OpenBSD approach to closed source software in general, I don't think that specifically making it effectively impossible to use without rewriting key parts of the OS yourself is a security-oriented decision. Security involves not using closed source software, not telling everyone else that they can't use it either.

I'm not saying that's what the OpenBSD project does. I'm just saying that, for instance, the availability of the ath driver contradicts a claim that security is a top priority of the FreeBSD project. Only if it was installed and operational by default would that really be the case. Obviously, I'm assuming it's not installed by default. From what I've read so far, it's not -- please correct me if I'm wrong.

--
CCD CopyWrite Chad Perrin [ http://ccd.apotheon.org ]
Amazon.com interview candidate: When C++ is your hammer, everything starts to look like your thumb.
Re: BSD derivatives
On Sat, Jun 02, 2007 at 10:10:08PM -0500, Paul Schmehl wrote:
> --On June 3, 2007 4:33:01 AM +0200 Jona Joachim [EMAIL PROTECTED] wrote:
> > > I disagree. I'd say that OpenBSD and FreeBSD put security in exactly the same place -- at the top of the list.
> >
> > Sorry but I have to disagree here. FreeBSD ships with closed source software including following drivers: ath, nve, oltr, rr232x, hptmv. Closed source software implies potential insecurity. If security is at the top of the list then I see a clear contradiction here.
>
> Sorry, but that's an incredibly naive statement. *All* software implies potential insecurity. It's the nature of software. If it were untrue, there would be no security patches for open source software.

Discovery of vulnerabilities in need of patching is not the same as an unsecured system. The key to the above statement that closed source software implies a lack of security is that with closed source software there is an unavoidable and necessary assumption that the vendor has your best security interests at heart and will achieve the same security success that you would, in addition to any success it might itself achieve. The facts have shown that not only are proprietary, closed source software vendors prone to ignoring or hiding vulnerabilities dismayingly often rather than fixing them, but they also (even more dismayingly, but hopefully less often) intentionally include functionality that we the end users would consider security vulnerabilities, and pretend such back doors, rootkits, and spyware do not exist.

In short -- software is not trustworthy, which is why double-checking it (in the form of peer review and personal source code access) is so important to security. When peer review and personal source code access are not available, your only option is trust, which is a losing proposition by definition when dealing with software.

--
CCD CopyWrite Chad Perrin [ http://ccd.apotheon.org ]
print substr("Just another Perl hacker", 0, -2);