Domain: neohapsis.com
Stories and comments across the archive that link to neohapsis.com.
Comments · 160
-
Re:nessus is dead, long live gnessus?
You fail to see two sides of Nessus here, which might lead to it eventually being dropped from Debian. Be it a vulnerability scanner, an antivirus or an IDS you have:
- the engine
- the rules
An engine without rules is not useful at all. And Tenable closed-source those already a while back. Just like Sourcefire closed sourced the Snort rules.
Quite sincerely, if I were the Debian maintainer (ehem), I would consider dropping support for both packages in Debian even though I believe it would be as much a loss to Debian users as to the projects themselves (less user-base => less exposure => less bug reports => less enhancements => .... => product dead?). It seems that Sourcefire, however, now has Check Point to sustain the project and fund its development even if the OSS crowd turns away from it. -
How is the parent a Troll?
-
Re:new method?
You mean the Data Execute Protection from Microsoft? OpenBSD has had that for a long time already, only they named it w^x.
This new feature from OpenBSD is the use of guard pages and the immediate freeing of memory. In essence this means that both bad programming and exploit attempts are much more likely to result in a core dump than some unidentifiable and non-reproducible corruption or a working exploit. Many people consider that a good thing because it will result in bugs being found in userland applications that would have otherwise stayed unnoticed. So even if you don't use OpenBSD yourself this is helping your system become more secure and better. And if you are running OpenBSD there is no need to worry too much about the stability of this feature; it was actually enabled shortly after the 3.7 release and has been in every snapshot on the way to 3.8.
And I have to agree with the author that the best thing is that we get all the goods without ever having to switch them on! -
Re:As always...
If possible, restrict access by source IP address, limit the user accounts w/ SSH access, and don't allow remote root logins.
Another step to improve security if there are very few users is just to ONLY allow public key authentication. I've never seen such a box compromised remotely.
No kidding? By disallowing password authentication you've stopped the script kiddies dead in their tracks. As for disallowing root access, here are some words from an OpenBSD developer:
... All unmitigated horseshit. Sorry. Look, I use sudo, and I like it. But it is no substitute for allowing root login to a box, and is no substitute for "su". Sorry. They are different. I don't want to add a billion sudoable local accounts to run boxen in a distributed authentication environment. I want "root" local, and be done with it. I want root exposed if someone knows the root password, not if someone knows the root password or fourteen other idiots' passwords that are used every day. That's not more secure. If you want a useful diff to help stop this ridiculous discussion from propping up every little while, here's what I propose: .... Saying "don't login as root" is horseshit. It stems from the days when people sniffed the first packets of sessions, so logging in as yourself and su-ing decreased the chance an attacker would see the root pw, and decreased the chance you got spoofed as to your telnet host target. You'd get your password spoofed but not root's pw. Gimme a fucking break. This is 2005 - we have ssh; used properly it's secure. Used improperly, none of this 1989 bullshit will make a damn bit of difference. -Bob
-
Re:Get the cross compiling from NetBSD
maybe learn what compiling actually does.
it generates a bunch of bits into files... the bits are the same AS LONG AS THE COMPILER IS THE SAME on all systems.
It doesn't run any of these bits so it doesn't NEED to have the build target hardware.
There was a recent thread about cross compiling on OpenBSD misc@. Perhaps this one summarizes it nicely:
Re: Cross-Compiling OpenBSD
From: Artur Grabowski (artblahonga.org)
Date: Tue Jul 12 2005 - 09:11:01 CDT
Brett Lymn <blymnbaesystems.com.au> writes:
> > ASSUMING YOU EVER SEE IT.
> > If you don't see a bug, you ship crap.
> >
>
> That applies for both native and cross-built. THERE IS NO DIFFERENCE
> AN UNSEEN BUG MAY BE THERE REGARDLESS. It has happened in the past to
> OpenBSD and it may just happen again.
Seriously. You really don't see the correlation between using something
and finding bugs? What planet are you from?
//art -
Re:Um, yeah right
If Windows and Linux are 'neck and neck' when it comes to security, maybe Linux is riding a giraffe. How's Windows security stack up next to OpenBSD?
Theo de Raadt on Linux quality:
Re: Theo gave an interview to Forbes Mag. about Linux
From: Theo de Raadt (deraadtcvs.openbsd.org)
Date: Fri Jun 17 2005 - 11:13:37 CDT
> On Fri, Jun 17, 2005 at 04:48:31PM +0200, J. Lievisse Adriaanse wrote:
> > Theo gave an interview to Forbes Magazine, in which he stated: "It's
> > terrible," De Raadt says. "Everyone is using it, and they don't
> > realize how bad it is. And the Linux people will just stick with it
> > and add to it rather than stepping back and saying, 'This is garbage
> > and we should fix it.'"
>
> Heh. Theo never did pull his punches. I suppose there's now a war going
> on in /. ? :)
If the Linux people actually cared about Quality, as we do, they would
not have had as many localhost kernel security holes in the last year.
How many is it... 20 so far? -
Re:Other Projects
debian coming in late? hard to believe.
-
SORBS = perfect example.
http://archives.neohapsis.com/archives/postfix/2005-05/1770.html
The postfix-users list wound up in SORBS because the admin was sloppy.
Read the thread. That's the attitude that you get from blacklists. It's *never* "their fault" - somehow it's *your* fault. That's just bullshit. -
Re:No discussion?
I don't follow it closely enough to know.
It shows. As does your arrogance. I've been using OpenBSD for 6 years and Linux for 8 years. I have been following OpenBSD very closely.
X? I don't think so. gcc? No.
Such strong statements for someone who does not follow it closely enough.
Xfree forked.
x11 - Houses OpenBSD's adaptation of the XFree86-3 software project. xf4 - Houses OpenBSD's adaptation of the XFree86-4 software project.
gcc is worked on within OpenBSD's source tree and part of their work enabled an mvme88k port.
A few choice quotes from here.
FB: Another license war has started and it seems worse than before. Does OpenBSD really want to fork XFree starting from the last 4.4.0-RC2?
ME: Yes.
And I'm one of the guys who works on gcc and binutils on a continuing basis.
Anil took it one step further and introduced an extension attribute to gcc: bounded, that can tie two function parameters, so that you can say, "Here is the buffer and the corresponding size, try to check that it fits."
With a few small changes to gcc, and with declaring that read is such a function, gcc is now able to detect erroneous code, such as:
ME: ProPolice is a gcc extension developed by Hiroaki Etoh, from IBM, based on older concepts such as StackGuard. ProPolice makes several advances compared to StackGuard:
Hiroaki is also an OpenBSD developer, by the way.
Integrating ProPolice in OpenBSD has been hard work. ProPolice has found tons of bugs in various programs that shipped with the system. It's also been the first real-scale test of ProPolice itself. With a lot of hard work from Hiroaki Etoh and Miod Vallat (and Peter Valchev and Christian Weisgerber...). ProPolice itself modifies gcc a wee little bit. But, like most programs of its size, gcc itself is buggy, partly due to its gigantic design that is not quite sane in places. In a typical release of gcc, you don't see the bugs, because the corresponding code paths are never taken. Add ProPolice, and suddenly you're sending gcc through some dark venues that have seen less attention, and all of a sudden you are fixing actual, genuine bugs in gcc.
No, it is not maintained, it is called packaged. That they might have a few patches of their own isn't at all unusual - even if they are leet security fixes.
They have made major changes to Apache and as evidenced here and here, they forked it and are taking care of their own branch. Much as they have done for years before the Apache license change. Bundling some software up into a package might be what some Linux distros do, but not OpenBSD with Apache.
"Bolt Apache on" isn't very descriptive. That could be applied to the OpenBSD process too.
There is no way it can be applied to OpenBSD. They have made major changes over the years to the Apache they provide.
Sorry, no. OpenBSD does not maintain X, they do not maintain Apache. That is insulting and slighting to the developers who do maintain those packages.
I was not saying OpenBSD developers maintain THE xfree and Apache code bases. It should have been obvious from my English that I was referring to the xfree and Apache which they release as part of their base OS. Their changes do make it back to parent projects though from time to time.
Linux distros -
Re:ethics
Not likely. RMS has already stated that Free Software should not be restricted from use for a particular purpose. He even used the example of Free Software being not restricted by use from either an abortion clinic or an anti-abortion campaigner.
I prefer Theo de Raadt's hypothetical baby mulching machines.
-
MSN has always been a privacy threat
with their GUID server and attempts to make cookies cross domains [bugtraq] bypassing any security restrictions the browser has implemented, nice huh
the answer is to just block all MSN sites. why Microsoft are allowed to produce an OS and then re-direct users to its homepage by default (and the average user doesn't know how to change their homepage), how anti-trust/competition authorities haven't pulled them on it shows you what they can get away with -
Or use Firewire
The Vulnwatch alert shows how a Firewire port can directly access system memory, without needing a soldering iron or undoing the case.
-
Will it be free
According to this article on Full Disclosure you better have your credit card within reach in case you are planning to use this product.
Nils -
Bugtraq covered this as well..
Here's the original post:
Hi,
On Christmas Day last Saturday, Comair Airlines had to completely stop flying all of its planes due to computer problems. Comair blamed the computer problems on their pilot scheduling software being overloaded after bad weather earlier in the week forced many flights to be rescheduled. Comair now hopes to have all of its 1,100 daily flights restored by tomorrow.
An article which was published today at the Cincinnati Post Web site provides some interesting details of a software failure in Comair's pilot scheduling software:
How it happened
http://www.cincypost.com/2004/12/28/comp12-28-2004.html
According to the article, Comair is running a 15-year old scheduling software package from SBS International (www.sbsint.com). The software has a hard limit of 32,000 schedule changes per month. With all of the bad weather last week, Comair apparently hit this limit and then was unable to assign pilots to planes.
It sounds like 16-bit integers are being used in the SBS International scheduling software to identify transactions. Given that the software is 15 years old, this design decision perhaps was made to save on memory usage. In retrospect, 16-bit integers were probably not a good choice.
An anonymous message posted to Slashdot the day after Christmas first described the software failure at Comair:
http://slashdot.org/comments.pl?sid=134005&cid=11185556
Earlier this year, an overflow of a 32-bit counter in Windows shut down air traffic control over southern California for 3 hours:
Microsoft server crash nearly causes 800-plane pile-up
http://www.techworld.com/opsys/news/index.cfm?NewsID=2275
This problem occurred because of a known design flaw in older versions of Windows:
http://tinyurl.com/5n9gc
Richard M. Smith
http://www.ComputerBytesMan.com
-
Re:Mailing Lists
Google already does index mailing lists through their indexing of mailing-list archive sites like
http://www.mail-archive.com/
http://archives.neohapsis.com/
http://readlist.com/
http://marc.theaimsgroup.com/
Some of the sites have their own search, and some have a nice readable interface. Take your pick. Though I'm sure hundreds of mailing lists aren't indexed anywhere; perhaps that's what gmail is for
;-) -
SecurityFocus
The security focus mailing list dedicated to forensics is also good lurking, for those interested...
http://archives.neohapsis.com/archives/sf/forensics/ -
The time to respond
Is no-one else concerned about the length of time it has taken Sun to respond to this? According to the article, it took 4 months to patch, but in reality it was nearer 6 months. Sun were informed on April 29, so we can add a month (possibly more) to the figure of 4 months. (I can't determine when the patched version was released while @work).
Most OSS is patched within a day or so, certainly less than a week. So why did Sun sit on this for so long, and then fail to publicise the fix as soon as it was available?
-
Found in April not June
"found by Finnish security researcher Jouko Pynnonen in June, was patched last month by Sun, but its details were not made public until Tuesday."
But according to the Bugtraq posting Sun Microsystems was informed on April 29, 2004. -
Re:Opera not affected
Actually the Java in Opera is even worse: http://archives.neohapsis.com/archives/bugtraq/2004-11/0250.html -
Re:Make Sure That You Only Present...
Why don't we look instead at security vulnerabilities in a Server OS that are relative to functions a server should be performing. How many vulnerabilities has IIS 6.0 had versus Apache in the year and a half Server 2003 has been out?
Huh? You didn't hear of the latest
Hmmm one of those has had zero, and it sure the hell ain't Apache. .Net vulnerability? IIS 6.0 has .Net installed. Oh, and why in the world would you be comparing a Server OS against an APPLICATION? If you want to look at the server OS Win2k3, then you would have to count ALL security issues, not just IIS. That means the .Net issues, IE, OE, Media Player, VM, MDAC, etc are all part of Win2k3. Here is MS's blurb on the .Net issue. Here is an interesting write up
Comparing Windows NT 4.0 Server to Windows Server 2003 during the
first 300 days of Windows Server 2003
Windows NT 4.0 Server = 22 vulnerabilities
Windows Server 2003 = 24 vulnerabilities
I then compared IIS versions. Given the timeframe of the products,
the numbers are very different;
IIS 4.0 = 231 vulnerabilities
IIS 5.0 = 282 vulnerabilities
IIS 6.0 = 60 vulnerabilities
You wrote: Hmmm one of those has had zero, and it sure the hell ain't Apache.
And it sure as hell wasn't IIS 6.0; a simple Google search shows that. -
Spyware + AV industry = spykiller profits
In IE 6, I had scripting (JVM) and Active-X enabled and it cost me... I got hit with a 0-day exploit that executed on render of the page I visited (It was an old Doom cheats page - I was looking for the command for "all-map"). If it were not for ZoneAlarm, TCPView, and pskill, I might not have caught the ton of spyware that followed.
It was a situation quite like the one described in this thread: http://archives.neohapsis.com/archives/fulldisclosure/2004-10/0077.html
(atpartners, "megasearchbar," chtb, 4 or 5 separate exe's downloaded and run from prefetch in all.)
A week ago, I sent this email to a major AV vendor (xxxx) and have not received a reply:
This is a pre-sales question relating to future purchases, but may require technical assistance to satisfy.
--
Are there any single-user-licensed xxxxx antivirus products that do not rely on Active Scripting, or can use a different Security Zone than "Internet"? Or a different browser than IE?
--
I am tired of arbitrary code execution in IE and have locked it down. It is also no longer my default browser. Viewing the xxxxx readme.txt tells me that I must substantially weaken my security in order to continue using xxxx.
I'm not willing to do that. I would sooner find another antivirus vendor.
Your antivirus fails to protect from prefetch code, rendered-on-the-fly, not because of faults in xxxxxx, but because of faults in the configuration of Windows. I should be able to correct those faults and still be able to effectively use a "security product" such as an antivirus.
US-CERT (us-cert.gov), the operational arm of the National Cyber Security Division at the Department of Homeland Security (among many others), recently recommended that users switch to a more secure browser than IE, and advocated the limiting of mobile code execution for users that do not switch.
-
Pharos GPS-360
Slightly related, someone recently posted to the Full Disclosure mailing list with a guide for how to get the Pharos GPS-360 (as sold in the "Microsoft Streets & Trips 2005 with GPS locator" package) working under Linux. Might be useful to some people
-
Re:Funny peculiar article
NTFS supports hard links. Note how Microsoft conveniently removed the article. I remember reading it a few years ago... *sigh*
-
An old grudge, a new license?
Two questions:
- Dave Cutler, mastermind of the Windows NT kernel, once described UNIX as a "junk OS designed by a committee of Ph.D.s.".
Given two important facts:
- Windows NT is mostly written in C and C++, both Bell Labs innovations, and
- IE/Mediaplayer integration has turned the Windows NT codebase into a security disaster
- While UNIX-like operating systems are growing in popularity, actual Bell Labs code is rarely encountered in free operating systems because of licensing issues (with a few notable exceptions).
This is a frustrating situation for all of us. Do you see any possibility of major portions of UNIX and Plan 9 source being released under licensing that major distributions would find acceptable?
Please also accept my personal thanks for your work in the field of computer science. The influence of the community of researchers at Bell Labs will be felt for many generations to come.
-
Re:What's with the Trillian ref?
I'm not quite sure how you can so decisively say that it was confirmed false when the link you gave has some questions about that conclusion. Also this reply flat out rejects the conclusion that Trillian was not using GPLed code.
-
Re:What's with the Trillian ref?
No, it was suspected that the Cerulean Studios were using GPL code in Trillian, but it has been determined to be false.
-
Reminds me of...
The BMP remote flaw.
What kind of a world do we live in where you have to be careful opening pictures and movies?!!?! -
Re:Not to complain...
Maybe the post meant "0.9 must be ported, or I will mark Firefox (0.8) as broken due to security issues". I'm not familiar with the process and jargon surrounding distributions, so I can't be sure.
-
Re:Not to complain...
In that thread: http://archives.neohapsis.com/archives/openbsd/2004-08/2068.html
Interesting... :(
The mozilla-firefox-0.8 package lists ports at openbsd.org as maintainer. -
Re:Not to complain...
Not just to complain..., but has the Slashdot reflow bug been fixed in 1.0? It's been known for ages, but it's recently gotten much worse in 0.9.x
Security-wise, the 0.9 series are worse as well. Enough so that the port maintainers at OpenBSD will not upgrade from 0.8 to 0.9.x until later. OpenBSD will mark the port as broken rather than upgrade.
-
This is a misquote
It is explained clearly by Russ Cooper in this bugtraq post.
-
Re:Utter Crap
He's not suggesting that there's software that can do this. He's saying that if you were to take a tunneling electron microscope, you would be able to read more than just one layer of "erased" data. There was a VERY LONG and detailed thread about this on Full-Disclosure last month. Check the archive for the thread "Erasing a hard drive easily".
-
Is this what they are talking about?
-
Re:MSN Search is infected
If that post is related (msits.exe) then you have real shit going on when you get hijacked:
This popped up six windows which installed both the default-homepage-network hijacker and also some nasty stuff [...]
Now, I use K-meleon and privoxy for 99% of my browsing and only switch to IE when I can't do otherwise.
This crashed Windows Media Player and then it was overwritten with a small windows executable (I have it if you want it) - this was called wmplayer.exe and was in the Windows Media Player folder. The real Windows Media Player had been deleted. [...]
The next time a WMP media file was accessed the new wmplayer.exe file ran and installed lots of adware, junkware, spyware etc, etc. [...]
AVG free edition, Sygate personal firewall and Spybot Search and Destroy (site down) will complete your collection nicely. Might want to have a look at HijackThis and this tutorial as well.
Yes, this is a lot of work for the price of keeping windows running. Some people don't have a choice... Me, as soon as my favourite IDE gets ported to Linux, I'll swap
;-)
Seriously though, if there are any other tools you guys use to try and keep windows secure, please share.
-
Re:They will fix the OBSD "virus", + more sec stuf
Accordingly, word on the street is that significant effort this hackathon will be put into fixing the first ever OpenBSD virus...
I think a fix has already been found for this particular "virus". -
They will fix the OBSD "virus", + more sec stuff
If we want to see this Operating System darting through the twenty-first century with a spring in its step, we had better hope that they continue with their emphasis on security. Accordingly, word on the street is that significant effort this hackathon will be put into fixing the first ever OpenBSD virus, before going on to harden their innovative XOR hardware systems.
Other plans include replacing BIND with djbdns, and integrating SPF+ with sendmail.
-
It is not intentional
Hotmail is known for its bad "load balancing" tech. They always had a lot of servers randomly delaying and refusing connections on the SMTP port and just a few answering them on time.
There are whole threads about that behaviour on most MTA devel lists, like this one, from years ago. Nothing changed since then. -
Given nanotech, surely...
...you could at least do stuff like turn every surface into a solar panel to help a hybrid car along, however, suspect nanotech might be more useful for reducing the embodied energy in a vehicle than for revolutionising the propulsion system.
WRT your tagline, been there, done that. -
Re:Story: check..
But you're right, it's a very content-free post.
-
Re:no execute support new? Nonsense !
From what I've read, NX support on older i386 CPUs either 1) puts all of a process's code below the code segment limit (1 GB) and all data above that, with an unmapped gap in between, or 2) hooks into the translation lookaside buffer (the cache for virtual memory page table lookups) at a speed cost.
-
Re:Changed opinion
"Subject line" is pushing it -- I don't believe that this is a major problem.
Buffer overflows based on parsing mail is not an uncommon problem, though.
Let's take a look (I'm not going to bother with more than one per client).
Here are bugs for mutt, pine, evolution, kmail, elm (elm is apparently vulnerable to an overflow in the Subject line :-) ).
I assume that the last is what the grandparent was referring to. -
Re:Blacklist 'em all.
> I do not see Americans blacklisting their major ISPs.
Then you obviously didn't look very hard: try here. SPEWS did it, and they're not alone. I'll let you google for the rest.
It's amazing how trolls can take a simple issue and try to turn it into an 'us vs them' situation.
-
Re:Discuss the actual terms of the GPL!!!
I think the most important matter would be discussing what the GPL is actually compatible with. There have been so many accusations lately of incompatibility (some of which conflict with what the GPL actually states) it's getting a bit out of hand.
Perhaps Theo de Raadt of OpenBSD sums up the sentiment best in his response to the new XFree86 license:
It seems like every 8 years or so we have to go through some period where someone tries to take free software and makes it less free because they don't feel they are getting enough credit.
-
heya
Ahh the good old days of funny assed spoofs. Too bad the Department of Homeland Sec'll be ready to call you bin Laden for doing this shit nowadays.. My favs: Another FreeBSD Advisory (note comments)
-
OpenBSD balking also
But it's not just the folks at the FSF who aren't fond of the new license. OpenBSD is apparently not going to include anything licensed under the APL 2.0. Mr. de Raadt says...
The new apache license is not acceptable. Code written under that new license will never go into our tree. Look, I am quite frankly getting sick and tired of this. It is time for the user community to tell these software developers who have gotten themselves involved with lawyers to stop it. They are NOT making their software better, they are NOT protecting anyone, and they are NOT making their software any more free when they add new terms. As of this moment in time, therefore, it looks like the httpd in OpenBSD has now become a fork. It will continue to be managed under the existing license.
-
Re:AMD needs better marketing
Wow, I guess I should be really impressed by the foresight of Motorola and IBM, who put that feature in the PowerPC series of chips back in 1994 (beginning in the PowerPC 603).
Then why would Theo de Raadt, OpenBSD's lead developer, claim that there are no per-page execute bits on the PowerPC? -
Re:How did this virus spread so easily?
This is continually raised, for example here, here, and why it's a bad idea anyway
And so on...