Mozilla Foundation Donates $10K to OpenSSH

eklitzke writes to tell us the OpenBSD journal is reporting that the Mozilla Foundation is donating $10,000 USD to the OpenSSH project. This comes as good news after the recent reported financial troubles from the OpenBSD and by extension the OpenSSH team. It seems that quite a few people have answered the call for aid made by OpenBSD's de Raadt.

NO

[DAldredge]

"While donations are not US tax deductible as charitable contribution" is what their website says. I guess they don't want to become a true non-profit org for some reason.

Re:NO

[Geekboy(Wizard)]

You cannot take advantage of a Non-Profit status in Canada, on your taxes in the US.

Re:NO

[SigILL]

I guess they don't want to become a true non-profit org for some reason.

They don't want to because of the huge administrative overhead that incurs. Theo'd much rather work on the next feature or security audit than on handling that.

Of course, you're free to set up your own non-profit "Friends of OpenBSD" foundation if you want to.

Isn't 10K too low?

[guyfromindia]

Considering the rumors that the foundation makes something close to $72 million? (http://news.zdnet.com/2100-9588_22-6048377.html)
Quoting Chris Blizzard, a board member "I won't comment on the dollar amount, except to say that ($72 million) is not correct, though not off by an order of magnitude...."
Guess any amount is fine...but 10K seems too low, IMHO

Re:Contribution made to OpenSSH or OpenBSD?

For something like this, no, you cannot effectively donate JUST to OpenSSH. Even if you could specify this *specific* amount of money is to be used for that project, if they wanted to they could just allocate that much less of their own money.

Re:Contribution made to OpenSSH or OpenBSD?

[dizzy+tunez]

Its going to both. OpenBSD and OpenSSH share the money. (Which is fine by me, since its the same dudes who makes the code to both projects)

Re:Contribution made to OpenSSH or OpenBSD?

According to the source linked to in the actual article, it's to OpenBSD.

Re:Contribution made to OpenSSH or OpenBSD?

[Syberghost]

The Slashdot post is misleading; they donated to the OpenBSD project in general, not one specific subproject within it. Doing that would open up a can of auditing worms that wouldn't be in anybody's best interest.

Re:Contribution made to OpenSSH or OpenBSD?

[Theatetus]

Is this going directly to OpenSSH efforts, or to OpenBSD in general?

Since they're the same team, any donation is pretty much fungible (ie, $10,000 "for OpenSSH" still means Theo has $10,000 now freed up for OpenBSD, if that's how he sees the need to allocated it).

Re:or...

Not possible. Mozilla's code base is so fucked up, they'll never fix them all. There are something like three different memory allocation schemes used in the code, and they don't all play nicely together.

If you want to spend $10k to get a decent browser, you're better off donating to KDE to support Konqueror. Mozilla never has and never will be anything but a bloated POS.

After all, don't forget, they're not memory leaks, they're features!

Ah well, I know I'm going to get dinged as a troll for this, but I really can't come up with any way to explain just how messed up Mozilla's code is without a very lengthy post and really can't figure out a way to say "Mozilla's code sucks" without coming off as a troll. I'll just throw a link out to prmalloc.c, their custom allocator, and explain that this allocator is used to implement a malloc/free style of memory allocation, a reference counting style of memory allocation, and a mark-and-sweep garbage collector. All at once. And I think I may be missing some different implementations of those same patterns.

Each style has different patterns that cause memory leaks. All three are used together, which introduces neat patterns that cause memory leaks due to the interaction between them. That's about as short and simple as I can make it, so let the modding begin!

Conspiciously absent...

[rongage]

If you looked through the list of donations on Theo's donations page, it's quite curious that some of the larger commercial interests in the Linux World (RedHat, Novell, etc...) are NOT in there.

Of course, they may have requested no publicity.

This is Slashdot, I'll let you draw your own conclusions here... :)

Re:Conspiciously absent...

[SigILL]

some of the larger commercial interests in the Linux World (RedHat, Novell, etc...) are NOT in there.

Of course, they may have requested no publicity.

Nope, they just didn't donate.

Hell, IBM even wanted the OpenBSD team to handle end-user support for one of their high-paying customers for free.

NO (too complex for international donations)

[kneecap]

Theo has always stated that it was more difficult to setup a non profit in Canada. There was also recent statements that for international donations it is even more difucult to do. If they were in the U.S. they could more easily accept non profit or 'Not for profit' donations from US residents but then they may run into future crypto export restrictions when they try to export advanced crypto from the US. So they stay in Canada and can do what every then need to do to keep OpenBSD, OpenSSH, OpenNTPD, OpenBGP & OpenCVS as secure as they can without worrying about politician whims on crypto export matters.

Re:Good for Mozilla.

[liliafan]

I can see their point, there are other ways to get around this problem and other tools available to people. OpenSSH is a secure project every feature you add is another potential security hole, so really is makes sense for them to refuse to add this feature, in other instances where there is no other way to workaround this problem the developers would willingly add the code to the project but this particular case has other solutions.

Re:Contribution made to OpenSSH or OpenBSD?

[freshman_a]

While I like OpenBSD I don't have a need to support OpenBSD. On the other hand I do use and would donate money to OpenSSH.

Uh, I hate to tell you, but it's all the same people. If you read the OpenSSH project is prettypage it states "OpenSSH is developed by the OpenBSD Project." So yes, you do have a need to support the OpenBSD project if you want them to continue to develop OpenSSH.

There isn't a entity setup for OpenBSD or any other of their projects it seems. It's questionable what actually happens with the money donated.

I'm sure they squander all the money on booze and hookers. Pardon the sarcasm, but it's pretty much the same as if you sent Linux a check to help support the Linux project. And if you check out the donations page, there's quite a list of names there. I'm sure if something fishy was happening to the money, someone would have noticed by now. Besides, the OpenBSD project is basically Theo's baby. Why would he jepordize it by not being honest?

Re:This is great news, however...

I've noticed some undue emphasis placed on OpenSSH & OpenSSL. They are GREAT packages, but not the only thing people benefit from. Don't forget, that nearly every commercial operating system has pilfered code from the BSD projects.

Contrary to popular belief the OpenSSL project has nothing to do with OpenBSD.

Donation is to OpenBSD, not OpenSSH

[QuietLagoon]

From the Frank Hecker's report of Mozilla foundation activities:

OpenBSD project. The Mozilla Foundation made a $10K donation to the OpenBSD project in support of development of OpenBSD, OpenSSH, and related activities. The OpenBSD project does great work in the area of creating a secure Unix-like operating system (which runs Firefox, of course) and developing related security technologies. In particular the Mozilla project uses SSH extensively for various purposes, including securing connections to the Mozilla CVS repository. The OpenBSD and OpenSSH projects have been experiencing some financial difficulties, and based on their importance to the Mozilla project and to the wider open source and free software world we felt that it was well worth showing our support for them.

Re:Good for Mozilla.

[DeBeuk]

A lots of people/companies asked the OpenSSH group to include the ability to include rate limiting due to large SSH user/dictionary attacks being run by script kiddies. One person even WROTE it for them. I believe the OpenSSH group's response was "Not an ssh problem."

It's not an ssh problem. Connection rate limiting is something you really want to do with a firewalling solution.

Re:Good for Mozilla.

[lactose99]

Considering OpenBSD's pf packet filter already has support for connection rate limiting (and it works quite nicely), I'm inclined to agree with them. You could always run sshd via inetd or xinetd for connection limiting if needed.

Thunderbird

[Noksagt]

I can't compose messages in plain text?

As replied to you: yes, you can.

I can't have signature lines automatically removed when replying and quoting?

It does this too.

I can't change the name of my outgoing account when composing?

If you get the Buttons! extension you certainly can.

Crazy. Gimme kmail on Win32 and I'll be much happier.

happy?

Re:This is great news, however...

every commercial operating system has pilfered code from the BSD projects.

EVERYBODY should contribute, especially the companies that have profited from the hard work of the team.

"Pilfered" gives the impression of theft, whereas the BSD license gives users the right to re-use the code essentially as they see fit, so if a company uses BSD code to built some very successful and profitable software, then they owe nothing to anyone, as the person licensing it said it was ok to do that.

For example, the Windows FTP client (Ftp.exe) actually contains the statement "Copyright (c) 1983 The Regents of the University of California" since it is based on BSD-licensed code - open the file in Notepad and have a look. Aside from this, my guess is that MS gave nothing for the use and, as much as you may hate MS, they are perfectly entitled to do so.

Re:Contribution made to OpenSSH or OpenBSD?

[Slithe]

>> For something like this, no, you cannot effectively donate JUST to OpenSSH.

Here is a simple solution: look in the CREDITS file of the OpenSSH and find the developers who are responsible for the areas in which you desire some improvements and email them with offers to provide them money, hardware, or whatever they need to improve OpenSSH.

For the sake of convenience, here is the CREDITS file to OpenSSH-4.3p1

Tatu Ylonen - Creator of SSH; Aaron Campbell, Bob Beck, Markus Friedl, Niels Provos,; Theo de Raadt, and Dug Song - Creators of OpenSSH; Ahsan Rashid - UnixWare long passwords; Alain St-Denis - Irix fix; Alexandre Oliva - AIX fixes; Andre Lucas - new login code, many fixes; Andreas Steinmetz - Shadow password expiry support; Andrew McGill - SCO fixes; Andrew Morgan - PAM bugfixes; Andrew Stribblehill - Bugfixes; Andy Sloane - bugfixes; Aran Cox - SCO bugfixes; Arkadiusz Miskiewicz - IPv6 compat fixes; Ben Lindstrom - NeXT support; Ben Taylor - Solaris debugging and fixes; Bratislav ILICH - Configure fix; Charles Levert - SunOS 4 & bug fixes; Chip Salzenberg - Assorted patches; Chris Adams - OSF SIA support; Chris Saia - SuSE packaging; Chris, the Young One - Password auth fixes; Christos Zoulas - Autoconf fixes; Chun-Chung Chen - RPM fixes; Corinna Vinschen - Cygwin support; Dan Brosemer - Autoconf support, build fixes; Darren Hall - AIX patches; Darren Tucker - AIX BFF package scripts; David Agraz - Build fixes; David Del Piero - bug fixes; David Hesprich - Configure fixes; David Rankin - libwrap, AIX, NetBSD fixes; Dag-Erling Smørgrav - Challenge-Response PAM code.; Dhiraj Gulati - UnixWare long passwords; Ed Eden - configure fixes; Garrick James - configure fixes; Gary E. Miller - SCO support; Ged Lodder - HPUX fixes and enhancements; Gert Doering - bug and portability fixes; HARUYAMA Seigo - Translations & doc fixes; Hideaki YOSHIFUJI - IPv6 and bug fixes; Hiroshi Takekawa - Configure fixes; Holger Trapp - KRB4/AFS config patch; IWAMURO Motonori - bugfixes; Jani Hakala - Patches; Jarno Huuskonen - Bugfixes; Jim Knoble - Many patches; Jonchen (email unknown) - the original author of PAM support of SSH; Juergen Keil - scp bugfixing; KAMAHARA Junzo - Configure fixes; Kees Cook - scp fixes; Kenji Miyake - Configure fixes; Kevin Cawlfield - AIX fixes.; Kevin O'Connor - RSAless operation; Kevin Steves - HP support, bugfixes, improvements; Kiyokazu SUTO - Bugfixes; Larry Jones - Bugfixes; Lutz Jaenicke - Bugfixes; Marc G. Fournier - Solaris patches; Mark D. Baushke - bug fixes; Martin Johansson - Linux fixes; Mark D. Roth - Features, bug fixes; Mark Miller - Bugfixes; Matt Richards - AIX patches; Michael Steffens - HP-UX fixes; Michael Stone - Irix enhancements; Nakaji Hiroyuki - Sony News-OS patch; Nalin Dahyabhai - PAM environment patch; Nate Itkin - SunOS 4.1.x fixes; Niels Kristian Bech Jensen - Assorted patches; Pavel Kankovsky - Security fixes; Pavel Troller - Bugfixes; Pekka Savola - Bugfixes; Peter Kocks - Makefile fixes; Peter Stuge - mdoc2man.awk script; Phil Hands - Debian scripts, assorted patches; Phil Karn - Autoconf fixes; Philippe WILLEM - Bugfixes; Phill Camp

- login code fix; Rip Loomis - Solaris package support, fixes; Robert Dahlem - Reliant Unix fixes; Roumen Petrov - Compile & configure fixes; SAKAI Kiyotaka - Multiple bugfixes; Simon Wilkinson - PAM fixes, Compat with MIT KrbV; Solar Designer - many patches and technical assistance; Svante Signell - Bugfixes; Thomas Neumann - Shadow passwords; Tim Rice - Portability & SCO fixes; Tobias Oetiker - Bugfixes; Tom Bertelson's - AIX auth fixes; Tor-Ake Fransson - AIX support; Tudor Bosman - MD5 password support; Udo Schweigert - ReliantUNIX support; Wendy Palm - Cray support.; Zack Weinberg - GNOME askpass enhancement; Apologies to anyone I have missed.; Damien Miller ;

Re:Even more conspicuous

[Kelson]

Darwin is based on FreeBSD, not OpenBSD -- though I must admit, I have no idea how much cross-pollination there is among the *BSDs -- but like most of the civilized world, they do use OpenSSH.

Re:Contribution made to OpenSSH or OpenBSD?

[SigILL]

it's more likely he'll buy lots and lots of noodles or cola with it.

Or pay the electricity bill. It's about $5000 a year.

Re:Serious question.

[dghcasp]

> Honestly, I can't think for the life of me why they haven't become a non-profit yet.

Well, there are two obvious answers; your choice may depend on your feelings about Theo...

1. OpenBSD is based in Canda. That's what lets them get around the US ITAR restrictions on strong encryption. But, on the other hand, if they set up a non-profit, they would only be able to give deductions off Canadian taxes, which doesn't help companies in the U.S. Incorporating as a non-profit in the US and transferring all the money to Canada would require dual taxation returns (which are a pain) and might affect the Non-Profit status in the U.S.
2. Right now, their donations page says "Make cheques out to Theo." If they incorporated in any way, they would need to have, for government purposes, an official set of accounting books, which might prove less, ehm, "personally beneficial" to Theo.

Re:Contribution made to OpenSSH or OpenBSD?

[vuud]

And yes, de Raadt really should set up a non-profit for OpenBSD, under the OpenBSD name.

Not as easy as one might think - especially when dealing internationally. I personally know of one instance where a very large company in the UK gave up trying to form a non-profit in the U.S. because of all the tax issues. They just gave up and pulled out.

Anyway, probably a non-profit in canada may not be recognized as a non-profit in Boliva, etc...

It's been discussed on misc a few times.

Re:Contribution made to OpenSSH or OpenBSD?

[linzeal]

No matter how much you pay the hooker she can't do your C++ homework for you, I've tried.

Re:Contribution made to OpenSSH or OpenBSD?

[clymere]

Pardon the sarcasm, but it's pretty much the same as if you sent Linux a check to help support the Linux project.

This is where you're wrong. The Linux kernel, and virtually every other large open source project is funded through officialy recognized organizations of one sort or another. Nobody is making checks out to Linux Torvalds personal checking account.

The issue of whether or not Theo is going to squander the money is irrelevant. Many organizations, in particular large corporations with deep pockets, simply CAN'T support a project like OpenBSD by cutting a check to an individuals personal account. Not only is it going to be against company policy, they can't claim it as a deduction on their taxes because it went to an individual, not a recognized non-profit.

Large companies like IBM set aside a certain portion of their budget each year to donate to these kinds of causes...probably just for the tax deductions. Since they are already planning it, getting them to throw some your way is easier than you'd think. But asking to write you a personal check goes outside of that established system, and creates a whole lot more work for them.

Does it make sense to make it harder for someone to GIVE you money? No.

If Theo wants donations on a large scale, he will need to get that taken care of eventually. Everyone else has.