Slashdot Mirror
Theo de Raadt gets 2004 FSF Award
Caligari writes "Richard Stallman, presents this year's award to Theo de Raadt.
"For recognition as founder and project leader of the OpenBSD and OpenSSH projects. Theo de Raadt's work has also led to significant contributions to GNU/Linux and other BSD distributions. Of particular note is Theo's work on OpenSSH. Theo's leadership of OpenBSD, his selfless commitment to Free Software and his advancement of network security, were cited by this year's award committee.""
Looking at past winners, no doubt they all deserve it .. but what about Linus Torvalds?
.. OpenSSH rocks. Theo de Raadt and everyone else who contributes to OpenSSH should be proud.
Is there a reason he didnt get this award?
That said
Not only from a pure lines-of-code point-of-view, but also by the way the OpenBSD-project scrutinizes licenses and pushes security and cryptography forward every day.
Congratulations, Theo - keep on fighting !
Windows 2000 - from the guys who brought us edlin
..by refusing the award on the grounds that the GNU license "isn't free enough". ;-)
"Your admirers in the street
Got to hoot and stamp their feet
in the heat from your physique" -King Crimson
That's pretty cool of Stallman really. Showing respect and recognition to the importance of BSD, despite their mutual differences in ideology about what constitutes truly free software.
Imagine a world without the networking Swiss Army knife that is ssh.
OpenBSD is a totally underrated OS too. Even if it is a bit slow, its packet filter actually works.
Eventually, Stallman is going to ask us to call it Gnu/OpenBSD ;-)
Previous winners of the Free Software Award * 2003 Alan Cox * 2002 Lawrence Lessig * 2001 Guido van Rossum * 2000 Brian Paul * 1999 Miguel de Icaza * 1998 Larry Wall Why he is no yet on the list?. May be because his public use of some proprietary software
I use Linux every day, and appreciate the fact that I have a good method to connect to my servers in a secure manner, thanks to Theo.
And I want to thank him for his other contributions, as it has made me some good cash, installing BSD boxes in front of Windows email servers with packet filtering!
Again Thanks Theo. I wish this type of stuff could reach more mainstream news, but we can all know just like other major happenings in the world, there is a army of unsung heros who make things happen.
They've done this quite a bit in the past in terms of licenses:
(The following uses GPL for LGPL... and BSD for BSD, X...)
2004 Theo de Raadt (BSD)
2003 Alan Cox (GPL license)
2002 Lawrence Lessig (ALL)
2001 Guido van Rossum (Python license / BSDish license)
2000 Brian Paul (X license/BSDish )
1999 Miguel de Icaza (LGPL/GPLish)
1998 Larry Wall (Artistic/ closer to BSD than GPL but...)
Actually the differences in ideology between the GNU and BSD developers are more in the outlook and means than any other thing. Free software is free software for both camps, and most sane people in both sides shares a common idea of what free software is. The licences, that are generally the main difference between the two, try to achieve an end using different approaches, but all in all both GNU and BSD people are great contributors to a common free software community. The noise many times created is more on the "newly convert" section of each side :).
It's IMHO rather silly to watch the flame wars between the GNU/Linux and *BSD sides when there is so much more that unites us than what divides us. This award make perfect sense. In the end a gnu, a penguin and a daemon can sometimes be noisy neighbourghs, but in the end they stick together to defend their building. Shitty alegory, I know, eh.
cheers,
fsmunoz
Reading this FAQ entry should shed some light on why linus has never been, and probably will never be up for this award.
"Your admirers in the street
Got to hoot and stamp their feet
in the heat from your physique" -King Crimson
There will be a number of talks this week in Dublin, Ireland from Theo de Raadt, Henning Brauer and Ryan McBride which are open to the public and completely free of charge!
Not so. Specifically, since the fsf announcement excludes Linus and RMS. Here is from the announcement: "People such as Alan Cox, Miguel de Icaza, Donald Knuth, Larry Lessig, Brian Paul, Guido van Rossum, Richard Stallman, Linus Torvalds, and Larry Wall who have already received this or other awards for their contributions, are not eligible for the Award for the Advancement of Free Software."
Basically, it is the past year winners + Linus + RMS + Knuth + Larry Lessig. Looks like an august company and no slight meant, certainly to Linus. Being in the same league as Knuth is pretty good, I would say, even for Linus.
[Just FYI, even after all these years, Knuth pays money if you find a bug in his TeX program, or in his Art of Programming books].
If you had any kind of clue about the way `proactive security' works, you wouldn't write such drivel.
Why is OpenBSD called OpenBSD ? because it was the first BSD to make its CVS tree accessible for everyone. That's right, anyone can subscribe to source-changes and see the commit messages. And anyone can get the sources.
Now, most security fixes are NOT tagged as security fixes. They're tagged as clean-up, or reliability issues, or normal bug-fixes.
Why is this so ?
Quite simply, because those fixes are done while reading the code, NOT in reaction to a security hole.
That's what `proactive security' means. When you find something fishy, you just go and fix it, you don't sit on your fat ass and wait for months until someone finds a way to exploit it.
As a result, OpenBSD is more secure than most other OSes out there. Not because of cool technology like ProPolice or W^X, but simply because of good engineering practices.
OpenBSD doesn't have the latest cool feature. It's never been about that. But it has obsessive-compulsive developers who care about security.
Security is not a plug-in. It's not something you add to a distribution after you've put in all the carelessly designed and dangerous features.
Security is a process.
Security is a state of mind.
Security is a priority: either you put it right there, in front of you, and FIX THINGS when you think they might get broken, or... you will run into actual nasty holes, and make the front page of bugtraq.
... because NetBSD development was not free. Theo lost his access to the CVS tree. Read the email exchange, and you'll find out that's where the main problem was. ... because SSH was not free. OpenSSH started with the last release from Tatu Ylonen with a free licence. ... because the CVS people don't get the OpenBSD patches. For instance, CVS client/server is still not officially supported, even though that's what everybody uses. ... because NTP is thoroughly insecure, and NOT free. NTP is released under a variation of the ISC licence, which means it CAN'T be distributed freely.
In the CVS case, collaboration with the CVS team was impossible. In all other cases, it was a question of freedom. Those other projects had strings attached, Theo yanked the strings and had the balls to restart things.
BTW, thanks to NetBSD. If you hadn't forcibly taken out Theo, he probably wouldn't have done so much for free software. Starting his own project off NetBSD was probably the boldest move he's ever done.
You still don't know what you are talking about.
Yes, most bugs we fix have some kind of security relevance. This is obvious. Now, are we going to tag each single entry we commit with `possible security fix' ? Are we going to spend a lot of time convincing other people this might be relevant ?
Nope, we are not.
We tried. This is simply a waste of time. It doesn't work. A lot of other projects don't have a clue. You tell them that what you're doing might be security-related, and you waste hours explaining the issue to them.
Think about it. Every time you simplify a piece of code, or replace an obfuscated algorithm with something simpler, you ARE handling security issues... or you might be. That's not important.
You are not going to waste time figuring out whether that fix is an actual security fix, or just some clean-up.
Because you can use the same amount of time fixing other issues, and that's more useful.
Want actual proof ? Look at all the changes in OpenBSD that replaced strcpy/strcat with strlcpy/strlcat. Now, go out on the linux lists, and ask why strlcpy still isn't a part of the glibc, but strfry is. Or look for comments on the above subject from Ulrich Drepper.
Make up your own mind.
Who do you think has a clue ?
The people who found out countless potential buffer overflows all over the place, fixed these, and still find that new code has the same mistakes and buffer overflows ?
Or the people who think that strlcpy is irrelevant because good programmers don't write buffer overflows ?
You could also look at tmpnam and mkstemp, and countless other examples.
As another instance, look at chroot and privilege separation. In many cases, the added safety translates to less features (like, a chroot'ed daemon that can no longer read its configuration file on a kill -HUP, or an http server that needs a whole set of libraries to run cgi). Bottomline, do you want the extra features, or the added security.
Most time, there is a trade. Those security fixes rely on non-portable parts of the libc. In many cases, third party software will buy back the extra stuff (look at rsync, kde and strlcpy), but this takes time...
try to do some development work, instead of posting opiniated, clueless comments on slashdot. Spend some time fixing security issues. See your patches take months to get accepted upstream. See the next release still have the bug, because some clueless, feature-conscious developer added some code with the exact same wrong pattern in another area than the one you've been fixing...
Now mod this insightful!!!
Back then, there was no anonymous cvs access to the sources. You had to be a part of NetBSD inner circle to get access to the development sources.
All that was free was the released version. There was some amount of political control of information.
Reread the exchange between Theo and the other members of NetBSD-core. One persistent complaint from Theo is that he could no longer easily work on the sparc port, because he did not have access to not yet released code.
Let's put aside any re-definition of freedom by the FSF, OSI and whatever group of the month is running this show.
No, this is not free development. Theo was not free to see what was going on in NetBSD in a technical sense. He had lost control. And the people in netbsd-core used that power to try and get Theo to promise he would change his behavior.
Whatever you might think of Theo's attitude (yes, he can be a complete fucker sometimes), that's not freedom, by any sense of the world.
Now, look at the world today. All BSDs have open cvs trees. I think that would have happened, eventually, but I'm 100% certain Theo's decision to make sure OpenBSD CVS tree would be totally open to public scrutiny at all times has a HUGE role to play in that change.
"The freedom of BSD has the danger of making you a prisoner of its distributed derivatives."
How? If you don't like the version the company you're dealing with (Sun, Apple) is shipping, you can always get the official software from openssh.org.
"GPL code belongs to you for the asking. That is also why GPL will eventually out-evolve all other software."
No. What has become obvious is that the community of developers is what drives the evolution of a system. Either can stagnate, either can advance quickly.
I rarely criticize things I don't care about.
If you choose to distribute BSD licensed code, your stuff doesn't become less free because you chose to allow those distribution terms. You are only a 'prisoner,' as you said, of your own right to choose how to distribute some code. The GPL has numerous restrictions placed upon how you can use GPL software that the BSD license doesn't, therefore it grants far more freedom to everyone. The GPL is not a magic bullet and is not suitable for all situations, and simply having a 500 page license behind your software does not make it any better then anything else or guarantee that it will 'out evolve' anything else.
BTW, care to explain how MS locks me in by using BSD code that I can go and pick up just about anywhere else.
"I use a Mac because I'm just better than you are."
Richard: "We have gathered here to honor another Free Software giant. Ladies (hello you two geeky, but quite cute girls in the back) and gentlemen, I hereby present this award to Theo de -"
Theo: "What?! An award??? I thought we were going to discuss you ditching GNU/Hurd and adopting OpenBSD as its replacement?! You got me here under false pretense, I can't fucking believe this!!!"
Richard: "Well, we knew you wouldn't have come otherwise, so I -"
Theo: "Do you realize you robbed me out of a whole day of code auditing?! Do you?! That's it, I'm suing!"
Richard: "What do you mean, you don't even have an account and I don't give out root - "
Theo: "Ohhh, veeery funny! I'm taking you to the bank for everything you've got, buddy!"
Richard: "Well, then I should just give you the $2.49 because that's all I got."
Theo: "No, here's $10, now go and have that beard trimmed for the love of everything you GNU! You look like a damned hobo!"
Richard: "Well, actually, purely technically speaking, I am as free as a hobo, except that I smell nice."
Its logo says it all, it's a ñu.
For those that doesn't know how to pronounce 'ñ', it's like 'gn' in cognac or Avignon.
The best way to predict the future is to invent it
Why? Because it's a quote.
FTFA:
"FSF President and founder, Richard Stallman, presents this year's award to Theo de Raadt."
Does this make it any worse?
There are two types of people in the world: those who divide people into two types and those who don't.
Ok... I want to make a point here....
At one point I looked at the data and concluded that BSD was dying. I think that some people really think this and are not really trolling. The confusion comes in part due to a couple simple mistakes.
It is true that Netcraft has in the past indicated that *BSD is losing market share to Linux in at least the web server markets. However, these numbers are percentage based (regarding domains hosted) and probably don't represent an absolute decline. In fact, I suspect that the absolute number domain running on web servers running *BSD is probably currently growing but doing so slower than the market. This would fit with the observation that proprietary UNIX doesn;t seem to be in much of an absolute decline (with a few punctuations in the equalibrium) and that all such flavors are losing marketshare (percentage-wise) much faster than *BSD.
Secondly, because we are not seeing a mass exodus of the core developers from *BSD to Linux, I don't think one can ever say these are dying. Just as Microsoft can't kill Linux, Linux can't really kill *BSD. The only thing that can kill *BSD is, well, *BSD. More likely, we will see the licensing advantages that Linux offers disappear as proprietary UNIX and later Windows falls. At this point, Linux will still have some competative advantages, but we may see *BSD grow more rapidly once proprietary competition is eliminated.
LedgerSMB: Open source Accounting/ERP
BTW, care to explain how MS locks me in by using BSD code that I can go and pick up just about anywhere else.
That's more or less illustrating the point that you and most sane people don't really understand the difference between the freedoms of BSD and GPL
To answer your question though, here is an example:
In the mid 90s When it was time to put in a network layer into MS windows, MS decided to take some BSD code. They then took standard protocols like Kerberos, DNS, DHCP etc and tweaked them to work MS style so that people would be locked in to using the MS versions only. It was an intentional interoperability problem to make things work MS-to-MS but not MS-to-nonMS. It was part of the MS policy of embrace extend and extinguish, a policy that is elaborated in their leaked "halloween" document.
You can't get hold of the propietary, extended code for windows networking to fix the operatability problem without NDA etc. You can only guess the BSD code up to the moment of forking. After the fork point, the code has been tweaked and closed and used to build a system that tries to lock you in forever after. That's the kind of danger the GPL protects you against.
The restriction of GPL protects the coders in the long run.
The freedom of BSD can restrict the coders in the long run.
At the end of the day, OpenBSD was created because Theo couldn't get along with the other 'first-tier' NetBSD developers, and didn't want to be a 'second-tier' developer.
Or you could phrase this as
At the end of the day, OpenBSD was created because the 'first-tier' NetBSD developers used access controls to try and enforce social policy and Theo refused to be extorted.
This whole thing cuts both ways.
Have you any info on the current BSD market share?
:)
These are the latest data I could find about BSD market share - and they say it's gaining it.
Nearly 2 Million Active Sites running FreeBSD
"FreeBSD secured a strong foothold with the hosting and internet services communities at the genesis of the web and has anything but gone away. Indeed it is the only other operating system [besides Windows and Linux] that is gaining, rather than losing share of the active sites found by the Web Server Survey."
A more recent article doesn't talk about market share, but is quite enough for everybody to see how "Netcraft confirms it"..
Nearly 2.5 Million Active Sites running FreeBSD (Jun 2004)
"[FreeBSD] has secured a strong foothold with the hosting community and continues to grow, gaining over a million hostnames and half a million active sites since July 2003."
I think this pretty much says it all..
--
Requiem for the FUD
You can't get hold of the propietary, extended code for windows networking to fix the operatability problem without NDA etc. You can only guess the BSD code up to the moment of forking. After the fork point, the code has been tweaked and closed and used to build a system that tries to lock you in forever after. That's the kind of danger the GPL protects you against.
If Microsoft does not use the code, they invent their own protocol. When Microsoft uses BSD code as a basis, they are at least easier to guess or work around. How long has it taken the people working on Samba to under all of the SMB protocol? Many years at least. Even Stallman has said the BSD license is good for standards.
BTW, the network stack in Windows has not been based on the BSD code for years.
The restriction of GPL protects the coders in the long run.
Protects coders from what? For example, when Microsoft embraces and extends a protocol (i.e., Kerberos, DNS, DHCP), they have no need for the source. They break the protocol. The GPL nor any other open source license would have power against that. You would need a patent (yuck).
The freedom of BSD can restrict the coders in the long run.
This is never true. I never need to use a proprietary vesion of open source. Which version of Kerberos do you use? With BSD-licensed code, I have very few restrictions placed upon me as a coder. Fewer than using GPL-licensed code.
I forgot to include this in my previous follow-up: it seems quite a political statement to me to favor convenience above software freedom. I'd hardly call Torvalds apolitical, I'd say that his views are the views people have been taught to value--use what helps you get jobs done, push aside any other concerns regardless of their effect on society--hence they are popular.
Digital Citizen
Theo deserves a lot of recognition for his technical achievements and his commitment to freedom. Getting this award proves that you can blow off everyone in the world except your personal fanboys and still be a success.
My company based a commercial product on O-BSD, then converted to Linux when it became clear that Theo doesn't know how to anchor a diverse community. We even tried to fund his project but never got past being personally abused.
i'm going to release an OpenBSD remote root
Or you could just use rsync over ssh instead:
And if the rsync dies, you just run the same command again.
Much less typing. :-)
If you think about it, one of the primary differences between the GPL and BSD is whose freedom the license intends to protect. It's a subtle thing, but true nonetheless.
The BSD license intends to protect the freedom of the programmer, whereas the GPL intends to protect the freedom of the program.
The GPL is not concerned about developer's rights, unless the developer's core values vis-a-vis the freedom of the program closely follow the ideology of the GPL. For example, I (as a Free Software advocate) feel that the GPL protects my rights, but that's mainly because I don't consider the right to close a program to be one that is socially beneficial, rather the way I don't consider, say, theft to be socially beneficial.
The BSD license, on the other hand, ensures that the person who has the program may do whatever they want with it, including relicense it under virtually any license they feel like. So in this case, the developer's rights to do what he wants are protected, at the expense of the rights of the program.
It may seem strange to think of a program, essentially a piece of mathematics that is by nature abstract, as being an entity deserving rights, but if you actually read RMS you'll realize that's very much how he views the world.
So it really isn't a matter of one being more free than the other, in my personal opinion -- rather, it's a matter of whose freedom we are protecting. If you are concerned about the program being Free, BSD is a poor choice for a license, because there's a good chance large portions of the program will be co-opted (enslaved, if you will, in keeping with the "freedom" analogy) into a derivative work that is not itself free. The GPL will ensure that the program (and all its derivatives) will ever be free, but you as the developer must accept certain restrictions in order to ensure that freedom.
For what it's worth, I don't think either view is necessarily wrong, but they have different goals -- and therefore different means when it comes to reaching those goals.
If you value the freedom of an individual, BSD is very much for you. Very libertarian in nature. If you value freedom for the program, which essentially translates to guaranteed freedom for the community, then the GPL is for you (which is perhaps a much more socialist view). I generally fall into the latter category, but it hasn't stopped me from extensively using BSD (OBSD in particular).