Slashdot Mirror

http://www.deadly.org/article.php3?sid=20030206041 352

I understand getting tired of people here, but you gotta know that's your problem and not theirs. People have a right to post their opinion here. A lot of people know by posting "anti" opinions they get the opportunity to be "modded up" - it's just a game to them, and there's nothing you can do. Upping your threshold doesn't really help because trolls get modded up and a lot of good comments come too late to be modded at all. I read at 0 and just zoom down my scrollwheel until something catches my attention that looks interesting.

I don't think there's really a solution other than to move on. Either put up with it here, or go somewhere else where the conversation is more intelligent. Unfortunately i'm not sure many other sites online have this kind of feel to them. OpenBSD Journal can be nice, but a lot of foul-mouthed children have turned up recently. kuro5hin used to be okay, but in my eyes it's gotten way too clique-y and faux intellectual for me. A friend of mine loves InfoAnarchy but that's very specific to "Your Rights Online" kind of posts. I don't know, i don't have any solutions. For the time being i pop in here every day or two and see what's going on. Whatever, you know? It's just a website.

You also might be interested in this OpenBSD Journal article about the same subject. Usually the discussions about the articles are very insightful on deadly.org

According to OpenBSD Joural, OpenBSD is not affected. NOT AT ALL!!!


- Pcap and Tcpdump are brought in only periodically and after a thorough code review.

- OpenBSD rolls its own build system (for pcap and tcpdump).


The trojan affected the configure script and was activated at build time.
I Love OpenBSD!!!

According to OpenBSD Joural, OpenBSD is not affected. NOT AT ALL!!!


- Pcap and Tcpdump are brought in only periodically and after a thorough code review.

- OpenBSD rolls its own build system (for pcap and tcpdump).


The trojan affected the configure script and was activated at build time.
I Love OpenBSD!!!

This here is also interesting.

Here

• ELF for Sparc
• Non executable stack on many architectures (including x86), non executable heap on many architectures
• More support for hardware crypto accelerators
• Apache runs chrooted by default (if you want)
• systrace

• ELF for Sparc
• Non executable stack on many architectures (including x86), non executable heap on many architectures
• More support for hardware crypto accelerators
• Apache runs chrooted by default (if you want)
• systrace

...is OpenBSD recommended as an internet server over all of the other distros?

Depends who you talk to ;)

A good place to start is here, to find out what the intentions of the OBSD project are. Then check out the OpenBSD Journal to see what people do with it.

My two cents: OBSD really shines as a secure inet server. Things like httpd, sshd, firewalling, bridging, routing. People do use it as a desktop, but IMHO it is not as desktop-friendly as FreeBSD. *shrug* I run it basically headless, as does everyone I know.

Then again, a cutting-edge desktop system is not a primary concern of the OBSD project.

I don't really mind there not being a real GUI-based installer. Although I would appreciate the comfort in having one, I've found OpenBSD installs extremely painless and easy, the installation on my (slightly dated) router box takes no more than 15 minutes. Even as a beginner, a quick read-through of the really excellent FAQ provides all the information you need to get started in no time.

But then, there's this article I stumbled across on Deadly:

G.O.B.I.E, a "Graphical OpenBSD Installer Engine", and I have to say the screenshots look pretty damn slick. They are also working on other cool things. From the web site:

[G.O.B.I.E] wishes to add some value to the product by developing installation modules to known servers such as Bind, Sendmail, Inn Apache..

Among them, you will find help to configure PF(Packet Filter), authpf, altq and some other tools.

We have planed to build a kernel configuration tool too !!!

I think that sounds like an interesting project and (though IMHO not absolutely needed) I would like to see it being officially presented as an alternative to the current installer.

Yep, I'm a troll, but OpenBSD is my OS of choice.

• Screaming Electron - Excellent message board
  
• Nomoa BSD - Slightly out-of-date but still a good resource
  
• OpenBSD Journal - Great OpenBSD news site
  
• subscribe to the Mailing Lists
  

Linux iptables HOWTO
How to Build a FreeBSD-STABLE Firewall with IPFILTER
The OpenBSD Packet Filter HOWTO

I'm certainly glad that someone was able to read the recent OpenBSD xdr_array patch and found that it was incorrect. I didn't read the patch myself, but someone else did, and it's a good thing.

Some of the layer-7 firewalls can prevent certain application exploits. Even something like this SSH hole could potentially be blocked by such a firewall

Which is not very surprising for an OS that has had "One remote hole in the default install, in nearly 6 years!". An interesting read 'though.

By the way, there is a slashbox for OpenBSD Journal, which can be enabled here. It featured this story yesterday.

Run *BSD? Chances are that your SSH *will* be comprimised sometime after tuesday.

www.deadly.org

Quick hacks to fix:
filter out port 22 on your firewall.
shut down sshd process.

Proper fix:
Upgrade to OpenSSH 3.3 and you *must* have privilage separation on. Then, after Monday, upgrade to the new OpenSHH that will be released.

3.3 is only vunerable if pivilage separaiton is off. No true patches are being released as nasty-type people will be able to quickly find trhe vunerability by reading the patch.

For your consideration:
As a tempory hack, I ssh'ed into my servers, started Telnetd and loged into them via Telnet. I then killed telnetd, and kept my open Telnet connection. I've left these open telnet connections in case I have to manage my servers.
I've firewalled port 22 from the outside and will upgrade the systems at my leasure when the new version of SSH comes out around monday or tuesday.

"IP is traditionally held by an individual or corporation. GPL forces it to be owned by everyone"

W R O N G

You still maintain copyright control over work contributed to GPLed projects (unless you made some other agreement). This is why the Mozilla project is looking for developers with which they've lost contact so they can ask for their permission before they relicense the codebase.

"You can't re-negotiate the license for a private party."

If you have agreement of all contributors/copyright owners OF COURSE YOU CAN.

Just because many developers might not really enforce their rights over works they have contributed, doesn't mean they don't still have those rights. Weren't you paying attention when OpenBSD replaced IPF with PF and underwent a license audit ? NVIDIA specifically removed some GPLed code they accidentally added to their binary driver. I seem to recall some other proprietary company got slapped when they tried to freeload off the GPL also. But this is no different than you or I including and distributing some piece of somebody else's proprietary software in our own software.

These might be also helpful:

OpenBSD Packet Filter

Re: pf and statesfull filtering on a bridge

The OpenBSD Packet Filter HOWTO

I agree with the grandparent of this post. OpenBSD is pretty easy to set up (and its gotten easier with every version since I started using it at 2.7) and the man pages are fantastic.

psxndc

NFS has a long history of insecurities.(Link takes a little while to load...)
Also in the article he claims: "You can reboot a server and the client won't crash." Maybe not crash but at least with Solaris (in my experience) you hang the entire system during the reboot. Sometimes it comes back and sometimes it doesn't.
For a secure alternative that runs on *BSD/Solaris/Linux w/(2.4 Kernels) try out:
Self-Certifying Filesystem.
The authors do warn that it is in alpha stage but also claim they have never lost a file. VERY cool project.

And of course as the OpenBSD Journal has noted, SysAdmin Mag is running an article on Tunneling NFS over SSH.

Valuable information about the FreeSoftware/OpenSource/Linux movements and their excellent, superior software can be found here, here, here, here and here.

Examples of the excellent community spirit within that movement that will help us bring down the evil, illegal Microsoft monopoly: here, here, here, here, here, here and here.

Support Free Software! Buy a mug or t-shirt today! This is how open source morons earn their money, you know! By being beggars!

Michael Sims is a liar and void of ethics.

thiz iz already the 4th account i am roasting karma under.

Please follow the first aol.com link!

YHBT. YHL. HAND.

Valuable information about the FreeSoftware/OpenSource/Linux movements and their excellent, superior software can be found here, here, here, here and here.

Examples of the excellent community spirit within that movement that will help us bring down the evil, illegal Microsoft monopoly: here, here, here, here, here, here and here.

Support Free Software! Buy a mug or t-shirt today! This is how open source morons earn their money, you know! By being beggars!

Michael Sims is a liar and void of ethics.

But bring your own lube!

Valuable information about the FreeSoftware/OpenSource/Linux movements and their excellent, superior software can be found here, here, here, here and here.

Examples of the excellent community spirit within that movement that will help us bring down the evil, illegal Microsoft monopoly: here, here, here, here, here, here and here.

Support Free Software! Buy a mug or t-shirt today! This is how open source morons earn their money, you know! By being beggars!

Michael Sims is a liar and void of ethics.

Valuable information about the FreeSoftware/OpenSource/Linux movements and their excellent, superior software can be found here, here, here, here and here.

Examples of the excellent community spirit within that movement that will help us bring down the evil, illegal Microsoft monopoly: here, here, here, here, here, here and here.

Support Free Software! Buy a mug or t-shirt today! This is how open source morons earn their money, you know! By being beggars!

Michael Sims is a liar and void of ethics.

Valuable information about the FreeSoftware/OpenSource/Linux movements and their excellent, superior software can be found here, here, here, here and here.

Examples of the excellent community spirit within that movement that will help us bring down the evil, illegal Microsoft monopoly: here, here, here, here, here, here and here.

Support Free Software! Buy a mug or t-shirt today! This is how open source morons earn their money, you know! By being beggars!

Michael Sims is a liar and void of ethics.

Valuable information about the FreeSoftware/OpenSource/Linux movements and their excellent, superior software can be found here, here, here, here and here.

Examples of the excellent community spirit within that movement that will help us bring down the evil, illegal Microsoft monopoly: here, here, here, here, here, here and here.

Support Free Software! Buy a mug or t-shirt today! This is how open source morons earn their money, you know! By being beggars!

Michael Sims is a liar.

Valuable information about the FreeSoftware/OpenSource/Linux movements and their excellent, superior software can be found here, here, here, here and here.

Examples of the excellent community spirit within that movement that will help us bring down the illegal Microsoft monopoly: here, here, here, here, here, here and here.

Support Free Software! Buy a mug or t-shirt today! This is how open source morons earn their money, you know! By being beggars!

Michael Sims is a liar.

Valuable information about the FreeSoftware/OpenSource/Linux movements and their excellent, superior software can be found here, here, here, here and here.

Examples of the excellent community spirit within that movement that will help us bring down the illegal Microsoft monopoly: here, here, here, here, here, here and here.

Let's all work together to improve free software.

Valuable information about the FreeSoftware/OpenSource/Linux movements and their excellent, superior software can be found here, here, here, here and here.

Examples of the excellent community spirit within that movement that will help us bring down the illegal Microsoft monopoly: here, here, here, here, here, here and here.

Let's all work together to improve free software.

Valuable information about the FreeSoftware/OpenSource/Linux movements and their excellent, superior software can be found here, here, here, here and here.

Examples of the excellent community spirit within that movement that will help us bring down the illegal Microsoft monopoly: here, here, here, here, here, here and here.

Let's all work together to improve free software.

Valuable information about the FreeSoftware/OpenSource/Linux movements can be and their excellent, superior software can be found here, here, here, here and here.

Examples of the excellent community spirit within that movement that will help us bring down the illegal Microsoft monopoly: here, here, here, here, here, here, here.

Let's all work together to improve free software.

Valuable information about the FreeSoftware/OpenSource/Linux movements can be and their excellent, superior software can be found here, here, here, here and here.

Examples of the excellent community spirit within that movement that will help us bring down the illegal Microsoft monopoly: here, here, here, here, here, here, here.

Let's all work together to improve free software.

of what happened to date.

You can read the original mix of hurt feelings, screams of piglethood, and resentment here

Try deadly.org

This news (both Theo interview and others) has been up for a few days on OpenBSD Journal.

Slashdot readers who have made an account and are logged in can customize their display to add the headlines from OpenBSD journal and other sites to their main slashdot page, and catch news like this as it happens. It's a neat feature. ;)

I would leave the FreeBSD docs alone. There are enough little differences to be really annoying for the new guy (such as yourself). It is similar to all the little differences between the different versions of windows. All the docs for OpenBSD are electronic. The FAQ will probably answer your cvs question. And don't forget the manpages. The problem with the manpages is that you don't know what you are looking for until you find it. Use 'man -k keywork' or the web interface to do searchs. Also check out OpenBSD Journal. For installation there are lots of files of interest on the CD or ftp site such as the INSTALL.* files. It may be worth your while to print some of those off.

You are kinda screwed if you dont want online docs. At the same time *BSD is a moving target so dead tree versions tend to get out of date quickly.

I happen to recall a very simple go-between device that will solve all your problems.

It's a very simple & small (matchbox size) device that plugs in between your line and phone, and allows you to set a 4 digit code that you give only to people you want to have access. You don't hear anything unless the caller has the right code, and you can change the code to your liking (if your number falls into the wrong hands perhaps.) You can use the same device to add a little security to remote-access modems as well.

It's called the Tele-Screen, and cost $40, but I couldn't find their site on the web (or in the EdgeCo catalog where I found it). be sure and post if you've got a URL.

But personally, I'm more interested in ELIMINATING SPAM as it is much higher volume, and more annoying (for me at least).

Umm, in the past year, there have been at least 3 how-to articles in SysAdmin using OpenBSD. You need to get your eyes checked.

Read OBSDJ or the cvs-commits if OpenBSD is all you care about. Personally, I've found several of the articles (eg. on Snort and Cisco ACLs) quite useful, and the high-availability jury-rigging tips are invaluable.

The Perl Journal had gone downhill quite a bit (IMHO) as of last issue. I hope it will return to its former glory, but I'm not holding my breath.

Just go to OpenBSD Journal and search for the thread called "License audit progress". Then you will find a nice list of programs which had incompatible license with their defined goals. He managed Wietse Wenema to change Tcpwrappers' license, and he is bragging that he even got Xerox to change license. Also, don't make much assumptions about the case from the ports@ mailing list. It doesn't have much info about the emailings about the license which resulted in the pulling of the two programs. Theo is not a saint, and he definitely said some unfortunate things, but so did DJB. Also, as others pointed out, Theo is merely sticking to their goals. I think what we see here is two colliding giants and neither of them is backing off.

Vilmos

Theo and the rest of the OpenBSD have been performing a licence audit of OpenBSD, as part of the fall-out of Darren Reed changing (sorry, "clarifying" *cough*) the IPFilters licence. This is a responsible thing to do, given that many third parties redistribute OpenBSD.

In most cases where a licence collision has been found, the licencer has agreed to changes, or the OpenBSD team have been able to make simple substitutions. In this case, the licencers have stuck by their guns. Not surprisingly, the OpenBSD team have opted to stay out of the compound, rather than risk being shot at.

Theo gets a lot of stick largely because he has a reputation for being abrasive, not least because of the whole reason why OpenBSD was created in the first place. However, if a licencer puts out a licence for a piece of software demanding that nobody make changes to it, or in Darren Reed's case, pretends that his licence, which previously granted a blanket right to use and redistribute, always had such a no-modify clause, then what do you think the responsible thing for the OpenBSD team to do is?

If developers want to have their code in OpenBSD, which they have every right not to want, then it is they who need to bend. Theo, and the rest of the OpenBSD team, is quite right to demand that the only code present in OpenBSD be modifyable by both the OpenBSD team and by end users. That's not childish. That's commonsense, and that's legally the only responsible position to take.

The funny part about the mail achive is that Theo's words imply they have put some deep thought into removing the qmail port. The funnny part is that he could have at least asked the author of qmail to change his license. Granted Theo doesn't really have time to influence/argure every developer into using a more open stance on modification, redistribution, and a general warm-fuzzy license.

However, if you read this link over on the OpenBSD journal website, you will find that Theo et'all have been working with other authors of software in the ports tree, and have actually got the Xerox people to change their license. This indicates that Theo didn't bother to approch The author of qmail. Also Theo implied in his writings that he doesn't intend to ever let the qmail software back into the ports tree.

This should serve as a warning to all developers that OpenBSD only advocates free software, and to a greater extent will not tolerate any software that claims to be distributed as "free-software". In other words, don't call your software "free", unless it really is free in the true meaning of the word. Free by trial is not free, free by default is what is required.

This issue only server to widen the divid between the BSD style license folks, and the GNU style folks. This is the true battle being waged. It is the people in the grey area thhat are the first victems of Theo's little moral clash. Rather, the people who have a custom license that is neither BSD style, or GNU.

I'll admit that I used to be a punk, with a mowhawk and a very rebel outlook on the world. The true essence of a punk is to have the "fuck it" attitude towards life. In other words, the solution to most problems faced by a punk is quickly solved by the phrase: "fuck it", and the issues is solved, nice and neat. I've detected this essence in Theo's stance on this touchy subject. It is obvious Theo knew this was gonna cause dramma, but he doens't care. He is intelligent enough argue his stance in a way that is difficult to opose.

The bigest issue that these developers have is that Theo simply, and randomly, droppes software from his OS without first consulting the software authors. The authors at first seem upset that Theo is so harsh, and does't give them a chance to change the license, or at least argure that their license does in fact let OpenBSD use it. Either way, Theo does't really care to talk about either subjects since he knows he isn't an idot, and can read the licensed that these developers so carefully write. In effect, if Theo drops your software from his ports tree, your software must not be free in the first place, and too bad it snuck in there to begin with or it wouldn't have been yank'd out. And just because the FreeBSD camp doesn't remove the ports doens't mean anything. The FreeBSD folks do not hold claim of ownership over the ports tree. In other words, the FreeBSD ports tree is not really considered part of FreeBSD proper. The FreeBSD CD-ROM doesn't distribute any packages that have a restrictive license. So when you install FreeBSD, the ports come after the base system has been installed, and the ports tree itself is regarded as not part of the OS. The people who maintain the ports function seperatly from the folks who are core the the OS. Another difference is the fact that FreeBSD will remove a port when and if the developer request it be removed. This is different than OpenBSD's more proactive stance.

In the End, it is this reason why I use OpenBSD, and FreeBSD instead of Finux. I think that Theo is a champion of software-liberty in this very touchy stage of human evolution. I liken him to a Thomas Jefferson, or Benjamin Franklin of software development. Theo's stance, and attitude is like a constitution of good form, graces in way of enlightend software.

One last point I'd like to make regarding comments I see about Theo's ego. First off, dont' confuse his perfection'ism with his ego. There is a difference in being a perfectionist, and an ego-maniac. Theo does not try to force people to appeance "open" to the begining of software that uses a open license, unlike a certain somebody in the Free Software Foundation. You do not hear developers of free software complain about Theo tring to take-over their projects behind their backs as your favorit person from the FSF recently did with GCC.

The funny part about the mail achive is that Theo's words imply they have put some deep thought into removing the qmail port. The funnny part is that he could have at least asked the author of qmail to change his license. Granted Theo doesn't really have time to influence/argure every developer into using a more open stance on modification, redistribution, and a general warm-fuzzy license.

However, if you read this link over on the OpenBSD journal website, you will find that Theo et'all have been working with other authors of software in the ports tree, and have actually got the Xerox people to change their license. This indicates that Theo didn't bother to approch The author of qmail. Also Theo implied in his writings that he doesn't intend to ever let the qmail software back into the ports tree.

This should serve as a warning to all developers that OpenBSD only advocates free software, and to a greater extent will not tolerate any software that claims to be distributed as "free-software". In other words, don't call your software "free", unless it really is free in the true meaning of the word. Free by trial is not free, free by default is what is required.

This issue only server to widen the divid between the BSD style license folks, and the GNU style folks. This is the true battle being waged. It is the people in the grey area thhat are the first victems of Theo's little moral clash. Rather, the people who have a custom license that is neither BSD style, or GNU.

I'll admit that I used to be a punk, with a mowhawk and a very rebel outlook on the world. The true essence of a punk is to have the "fuck it" attitude towards life. In other words, the solution to most problems faced by a punk is quickly solved by the phrase: "fuck it", and the issues is solved, nice and neat. I've detected this essence in Theo's stance on this touchy subject. It is obvious Theo knew this was gonna cause dramma, but he doens't care. He is intelligent enough argue his stance in a way that is difficult to opose.

The bigest issue that these developers have is that Theo simply, and randomly, droppes software from his OS without first consulting the software authors. The authors at first seem upset that Theo is so harsh, and does't give them a chance to change the license, or at least argure that their license does in fact let OpenBSD use it. Either way, Theo does't really care to talk about either subjects since he knows he isn't an idot, and can read the licensed that these developers so carefully write. In effect, if Theo drops your software from his ports tree, your software must not be free in the first place, and too bad it snuck in there to begin with or it wouldn't have been yank'd out. And just because the FreeBSD camp doesn't remove the ports doens't mean anything. The FreeBSD folks do not hold claim of ownership over the ports tree. In other words, the FreeBSD ports tree is not really considered part of FreeBSD proper. The FreeBSD CD-ROM doesn't distribute any packages that have a restrictive license. So when you install FreeBSD, the ports come after the base system has been installed, and the ports tree itself is regarded as not part of the OS. The people who maintain the ports function seperatly from the folks who are core the the OS. Another difference is the fact that FreeBSD will remove a port when and if the developer request it be removed. This is different than OpenBSD's more proactive stance.

In the End, it is this reason why I use OpenBSD, and FreeBSD instead of Finux. I think that Theo is a champion of software-liberty in this very touchy stage of human evolution. I liken him to a Thomas Jefferson, or Benjamin Franklin of software development. Theo's stance, and attitude is like a constitution of good form, graces in way of enlightend software.

One last point I'd like to make regarding comments I see about Theo's ego. First off, dont' confuse his perfection'ism with his ego. There is a difference in being a perfectionist, and an ego-maniac. Theo does not try to force people to appeance "open" to the begining of software that uses a open license, unlike a certain somebody in the Free Software Foundation. You do not hear developers of free software complain about Theo tring to take-over their projects behind their backs as your favorit person from the FSF recently did with GCC.

My guess is the former has happened, which then raises of the issue of how many BSD developers will be happy about continuing to work on something that, in some cases, they've decided to work on because of "freedom" issues concerning Linux (and the oh-so-hated GPL)?

Either way it's a nasty can of worms. Reed is entitled, of course, to control the licencing of his project as he sees fit, but at the same time, the onus is on free operating systems to eschew non-free components. On the conversations on OpenBSD journal Reed has indicated somewhat strong hostility to the idea of free rivals to IPFilter being produced. But just as he has the right to restrict the use of IPFilter, so he cannot prevent others from producing replacements, and has to expect that if he overly restricts use of IPFilter, that will have negative consequences for the future of the IPFilter project.

It's his ball. He can take it away. He can only let people he thinks are his friends play with it. But if he forces his friends to play by his rules only, rules contrary to those his friends want to play, those friends may disappear and play with others, and he can't stop the people who aren't his friends from getting their own ball.

All of which is a shame. IPFilter is a good product. It'll be a waste to see it go.
--

Want to see what's really going on? Visit This thread. Darren Reed (the author of IPF) has been poking his head in there. It's not a pretty sight either. Unfortunatly. Intreped (a poster) has made some intelligent commentary about the copyright law / policy near the bottom.

Darren answers a lot of your questions in a similar IPF article at the OpenBSD Journal.

3. He clarifies the license (the distribution policies of HIS software).

He changed it, adding restrictions that were not stated, and that therefore did not exist originally in the license...

No, he did not change it. The point is made in this thread .

The license was never *BSD. Nobody is free to modify the code, since the right of modification doesn't exist if it isn't explicitly offered.

So there is no question of forking the code. If "OpenIPF" is ever produced it will have to be a clean-sheet development. Darren owns IPF.

And with the war of words that's under way, Darren would have to be a saint or a wuss to open-source it now.

http://wap.jcs.org/

Serves Slashdot, Freshmeat, and deadly.org.

RedHat 7 will include OpenSSH by default, according to this article that I found linked from deadly.org

If I want BSD news, I'd just head to BSD Today, Daily Daemon News, or the OpenBSD User's Journal, rather than waiting a month for new stuff.

Granted, BSD doesn't move quite as fast as Linux, but one issue every four weeks? That's just not enough any more.

-- Floyd