Slashdot Mirror


NetBSD 2.0.2 Released

jschauma writes "James Chacon of the NetBSD Release Engineering team has announced that update 2.0.2 of the NetBSD operating system is now available. NetBSD 2.0.2 is the second security/critical update of the NetBSD 2.0 release branch. This represents a selected subset of fixes deemed critical in nature for stability or security reasons. More details are available in the NetBSD 2.0.2 Release Announcement."

36 comments

  1. I wonder... by 0x461FAB0BD7D2 · · Score: 5, Funny

    if NetBSD 2 SP2 breaks compatibility with Halo.

    1. Re:I wonder... by Anonymous Coward · · Score: 4, Informative

      I don't know what Halo is, but NetBSD security upgrades (2.0.x), and even minor upgrades (2.x), normally are 100% backward compatible.

      Backward compatibility across major versions (for 1.5, 1.6, ...) can be enabled in the kernel, using e.g. the COMPAT_16 option.

    2. Re:I wonder... by Anonymous Coward · · Score: 3, Funny

      Whoosh! Whoosh! Whoosh! He made a funny. WinXP SP2 breaks Halo (the game).

    3. Re:I wonder... by quamaretto · · Score: 1

      Speaking of which, I guess they haven't made an ending for BSD, either...

      --
      *is run over by rotten tomatoes*
  2. StinkBSD by Anonymous Coward · · Score: -1, Offtopic

    StinkBSD stink.stink released.

    1. Re:StinkBSD by Anonymous Coward · · Score: -1, Troll

      If you are having problems with stink, use some Linux.

  3. So, speaking of security, by hey! · · Score: 5, Interesting

    whatever happened to kernel privilege elevation, which was supposed to allow daemons in BSD to run as unprivileged accounts, but still do things like bind to certain low number IP ports? Supposedly, by making the ability to do certain privileged things fine grained, it reduced the impact of things like buffer overflows.

    Is this just part of the BSD landscape now? Did the idea pan out, and is BSD now relatively immune to a large class of security vulnerabilities?

    OT, I know, but I remember thinking that if this worked as well as it sounded, it was a good reason to move my Linux servers over to BSD.

    --
    Post may contain irony: discontinue use if experiencing mood swings, nausea or elevated blood pressure.
    1. Re:So, speaking of security, by Anonymous Coward · · Score: 4, Informative

      You may be thinking of systrace.

    2. Re:So, speaking of security, by Anonymous Coward · · Score: 3, Informative

      On all BSDs you can set the lowest "unprivileged bindable" port by means of a sysctl.

    3. Re:So, speaking of security, by Anonymous Coward · · Score: 2, Informative

      or, you can redirect the port to a higher number by using NAT.

    4. Re:So, speaking of security, by hey! · · Score: 3, Interesting

      Yes, that's it.

      So, what's the consensus been about the experience with this? Has it proven to be a huge improvement in security?

      --
      Post may contain irony: discontinue use if experiencing mood swings, nausea or elevated blood pressure.
    5. Re:So, speaking of security, by Homology · · Score: 4, Informative
      So, what's the consensus been about the experience with this? Has it proven to be a huge improvement in security?

      Writing systrace policies is a lot of work, and requires much testing in order not to break the application. In addition you need knowledge of the system calls involved (pass/deny).

      As an example, "mv a /b" involves different system calls depending on whether a is on the same filesystem as /b.

    6. Re:So, speaking of security, by hey! · · Score: 1, Troll

      So, we're in the same old situation: you can secure your system, but it's so much trouble most people won't?

      --
      Post may contain irony: discontinue use if experiencing mood swings, nausea or elevated blood pressure.
    7. Re:So, speaking of security, by Anonymous Coward · · Score: 1, Interesting

      Most people won't do the whole system, but individual daemons are not too much work.

      I do this with my servers which run a modified postgresql, though I use OpenBSD.

    8. Re:So, speaking of security, by setagllib · · Score: 4, Insightful

      Well, it all depends how much security you WANT, short of not having a system at all. You can systrace everything and have a crack team of trusted, indoctrinated people constantly watching all traffic and analysing it for signs of attempted intrusion or investigation. Or you can trust the software quality and 'general practice' recommendations even outlined in the BSD handbooks.

      It's definitely a fun job though (one I wouldn't mind having), as long as the software is good. The BSDs are good in this regard, and so is Linux with the right patches and tools. But then sometimes a bug will come up nobody expected and it's all for naught :(

      --
      Sam ty sig.
    9. Re:So, speaking of security, by hey! · · Score: 2, Insightful

      Well, sure, but that doesn't do squat for security -- it just makes things more insecure.

      So now an unprivileged app can masquerade as an apache or imapd.

      --
      Post may contain irony: discontinue use if experiencing mood swings, nausea or elevated blood pressure.
    10. Re:So, speaking of security, by Homology · · Score: 4, Interesting
      Well, sure, but that doesn't do squat for security -- it just makes things more insecure. So now an unprivileged app can masquerade as an apache or imapd.

      You do not understand the issue: too many daemons run as root just because they need to bind to a low port. So any exploit will be a remote root exploit. Besides, if you rely on port numbers for security on random machines, I guess you have some problems ;-)

    11. Re:So, speaking of security, by hey! · · Score: 1, Interesting

      No offense taken, I do understand the problem. It's just that the problem of security never boils down to one thing, does it?

      It isn't just about a daemon getting root privileges. That's really bad of course. But impersonating a trusted program is really bad too, just not quite as bad. When the trusted program can bind to the port, and only that program, it solves both aspects of that particular problem.

      Oh, there's lots more ways we can get in trouble, but every door that's closed and locked is a good thing.

      --
      Post may contain irony: discontinue use if experiencing mood swings, nausea or elevated blood pressure.
    12. Re:So, speaking of security, by dmiller · · Score: 1

      It may be more accurate to say that "too many programs start as root because they need to bind to a low port", but most of them give up root privileges quickly (at least on OpenBSD).

    13. Re:So, speaking of security, by evilviper · · Score: 1
      "too many programs start as root because they need to bind to a low port", but most of them give up root privileges quickly

      While that's true, it's far from ideal. There have been many instances where popular apps (e.g. samba) that were supposed to drop root privileges immediately, didn't do so properly, and became a remote root exploit anyhow...
      --
      Slashdot gets worse every day... Pipedot: News for nerds, without the corporate slant
  4. Ahh! by Pugflop · · Score: -1, Offtopic

    The living dead!

  5. It Is Official; Wired News Confirms by Anonymous Coward · · Score: -1, Troll

    IT IS OFFICIAL; WIRED NEWS CONFIRMS: LINUX IS SUPERIOR TO NetBSD
    NetBSD is Dying, Says Respected Journal

    Linux advocates have long insisted that open-source development results in better and more secure software. Now they have statistics to back up their claims.

    According to a four-year analysis of the 5.7 million lines of Linux source code conducted by five Stanford University computer science researchers, the Linux kernel programming code is better and more secure than the programming code of *BSD.

    The report, set to be released on Tuesday, states that the 2.6 Linux production kernel, shipped with software from Red Hat, Novell and other major Linux software vendors, contains 985 bugs in 5.7 million lines of code, well below the average for *BSD software. NetBSD, by comparison, contains about 40 million lines of code, with new bugs found on a frequent basis.

    *BSD software typically has 20 to 30 bugs for every 1,000 lines of code, according to Carnegie Mellon University's CyLab Sustainable Computing Consortium. This would be equivalent to 114,000 to 171,000 bugs in 5.7 million lines of code.

    The study identified 0.17 bugs per 1,000 lines of code in the Linux kernel. Of the 985 bugs identified, 627 were in critical parts of the kernel. Another 569 could cause a system crash, 100 were security holes, and 33 of the bugs could result in less-than-optimal system performance.

    Seth Hallem, CEO of Coverity, a provider of source-code analysis, noted that the majority of the bugs documented in the study have already been fixed by members of the Linux development community.

    "Our findings show that Linux contains an extremely low defect rate and is evidence of the strong security of Linux," said Hallem. "Many security holes in software are the result of software bugs that can be eliminated with good programming processes. However, we found that the NetBSD developers seem to believe that they can just make up facts rather than write decent code. It is our belief that all of the BSD projects are on the decline and will be dead within a year. NetBSD will probably be the first to go, because it's in the worst shape."

    The Linux source-code analysis project started in 2000 at the Stanford University Computer Science Research Center as part of a large research initiative to improve core software engineering processes in the software industry.

    The initiative now continues at Coverity, a software engineering startup that now employs the five researchers who conducted the study. Coverity said it intends to start providing Linux bug analysis reports on a regular basis and will make a summary of the results freely available to the Linux development community.

    "This is a benefit to the Linux development community, and we appreciate Coverity's efforts to help us improve the security and stability of Linux," said Andrew Morton, lead Linux kernel maintainer. Morton said developers have already addressed the top-priority bugs uncovered in the study.

    1. Re:It Is Official; Wired News Confirms by Anonymous Coward · · Score: 0

      I have never seen any real, cold, hard, evidence to backup these absolutely benign claims!

    2. Re:It Is Official; Wired News Confirms by Anonymous Coward · · Score: 0

      How about the Wired news article? These are not benign claims; they're cold hard indictments of *BSD and its clearly impending doom.

  6. The Dead Dead by Anonymous Coward · · Score: -1, Flamebait

    *BSD Obituary

    *BSD, 27, of Berkeley, CA died Monday, Apr. 6, 2004. Born July 3, 1976, it was the creation of a cluster of pot-smoking hippies who went to Illinois and came home with a reel of tape. Rather than smoke the tape, they uploaded it and hacked on it a little.

    *BSD was known for its C shell and early TCP/IP implementation. After being banished from UC Berkeley, it was ported to the x86 platform, where it fell into the hands of heavier pot-smokers who liked to argue. Soon, the project had splintered into 12 different Balkanized projects. Until its death, there was almost constant fighting in and amongst these groups, sometimes degenerating into out-and-out fistfights.

    *BSD is survived by its superior, Linux, as well as several commercial unix implementations. It may be missed by some who knew it, although most of them are said to be mere OS dilettante dabblers.

    A funeral will be held at 2 p.m. Thursday, Apr. 9, at the Berkeley Chapel on the UC campus, with interment to follow via the burning of the original *BSD tapes and scattering of the ashes over the San Francisco Bay. The Rev. Lou "Buddy" Stubbs will officiate.

    The family will receive friends from 7 to 8 p.m. Wednesday, Apr. 8, at the funeral home.

  7. I Hereby Resign by Anonymous Coward · · Score: -1, Troll

    To: Bill Joy

    March 10, 2005

    Dear Joy:

    I am joining my colleague AmigaOS in submitting my resignation from the list of living operating systems (effective immediately) because I cannot in good conscience compete with Linux.

    I have failed:

    --To support SMP

    --To generate media attention

    --To spawn a professionally managed distribution

    --To innovate

    --To be relevant.

    Throughout the globe *BSD is becoming associated with in-fighting and sloppy coding. My disregard for views of other operating systems, borne out by my neglect of technical competence, is giving birth to an anti-BSD century.

    I joined the operating system world because I love technology. Respectfully, Mr. Secretary, I am now bringing this calling to a close, with a heavy heart but for the same reason that I embraced it.

    Sincerely,

    *BSD
    Dead Operating System

  8. BSD is dying by Anonymous Coward · · Score: -1, Troll

    haha it must be dying only version 2.02

    hahaha

  9. MOD PARENT UP by Anonymous Coward · · Score: 0

    +5 Eng Comp 101

  10. Requiem for the FUD by Anonymous Coward · · Score: 0
    // Please *don't* mod this up. It has already been done! Thx

    ... facts are facts. ;)

    FreeBSD:
    FreeBSD, Stealth-Growth Open Source Project (Jun 2004)
    "FreeBSD has dramatically increased its market penetration over the last year."
    Nearly 2.5 Million Active Sites running FreeBSD (Jun 2004)
    "[FreeBSD] has secured a strong foothold with the hosting community and continues to grow, gaining over a million hostnames and half a million active sites since July 2003."
    What's New in the FreeBSD Network Stack (Sep 2004)
    "FreeBSD can now route 1Mpps on a 2.8GHz Xeon whilst Linux can't do much more than 100kpps."

    NetBSD:
    NetBSD, for When Portability and Stability Matter (Oct 2004)
    NetBSD sets Internet2 Land Speed World Record (May 2004)
    NetBSD again sets Internet2 Land Speed World Record (Sep 2004)

    OpenBSD:
    OpenBSD Widens Its Scope (Nov 2004)
    Review: OpenBSD 3.6 shows steady improvement (Nov 2004)
    OpenSSH (OpenBSD subproject) has become a de facto Internet standard.

    *BSD in general:
    Deep study: The world's safest computing environment (Nov 2004)
    "The world's safest and most secure 24/7 online computing environment - operating system plus applications - is proving to be the Open Source platform of BSD (Berkeley Software Distribution) and the Mac OS X based on Darwin."
    BSD Success Stories (O'Reilly, 2004) (pdf) ~ from Onlamp BSD DevCenter
    "The BSDs - FreeBSD, OpenBSD, NetBSD, Darwin, and others - have earned a reputation for stability, security, performance, and ease of administration."
    ..and last but not least, we have the cutest mascot as well - undisputedly. ;)

    --
    Being able to read *other people's* source code is a nice thing, not a 'fundamental freedom'.

    1. Re:Requiem for the FUD by Anonymous Coward · · Score: 0

      Those are fake facts. No one is using *BSD anymore, because it's just for dilettante dabblers. And Apple is switching to Linux for Tiger, everyone knows that so stop bragging about it using *BSD because Apple doesn't anymore.

  11. Gripes. by Anonymous Coward · · Score: 0

    *HOW* do I get my dreamcast to boot NetBSD? I am not particularly sure how many coasters I have made now.

    And, why not BIND 9.X.X? NetBSD still ships with 8.X.X :(

    1. Re:Gripes. by niteice · · Score: 1

      IIRC, Dreamcasts have a CD drive that spins backwards. You need to rewire your CD burner.

      --
      ROMANES EUNT DOMUS
    2. Re:Gripes. by Anonymous Coward · · Score: 0

      not true at all. i've been able to run netbsd on my dreamcast since 1.5 using a regular cd-r

  12. FUD for the FUD by Anonymous Coward · · Score: 0

    no kidding the recent tests show Linux networking is 10 times faster than the fastest *BSD, which is certainly not NetBSD. FAKE FACTS.

    1. Re:FUD for the FUD by Anonymous Coward · · Score: 0

      Recent tests show that I'm 10 times righter than you, and you're always wrong.

    2. Re:FUD for the FUD by Anonymous Coward · · Score: 0

      Recent data proves that 10 times the people spout unprovable statistics than the 10% that can prove that 90% of all statistics are at least 25% inaccurate based on relevant data acquired 50% of the time by 20% of the researchers.

      In keeping with the relevance of this information, 10% of all slashdot messages are posted by a community that is 90% nerds, of which at least 7% are spouting 80% FUD, and this is at least 47% provable 63% of the time.