Slashdot Mirror
Kernel Trap Interview with Theo de Raadt
An anonymous reader writes "KernelTrap has an insightful interview with Theo de Raadt, creator of OpenBSD. The wide-ranging interview focuses first on the past few years of OpenBSD development, then moves on to the recently released OpenBSD 3.9. De Raadt talks about how binary blobs threaten free software, and how OpenBSD developers work to reverse engineer them. He also talks about the future of OpenBSD, his views on Linux, and why developing truly free software is so important to him."
Weird... was Theo having a bad day? He's always seemed like such a nice guy, but in this interview he really comes off like a total a-hole... very un-Theo-ish.
I sure wish he had taken a better position on the wifi "FCC Rules require Binary Blobs" issue. He basically agreed that the FCC does require that the consumer not be able to change the frequency, but claimed that it should be dealt with in hardware, not the driver. This line is particularly poorly thought out: "Let the FCC go after the vendors who made the flawed devices."
See, here's the thing...the people he needs to convince here are the hardware manufacturers. You aren't going to get them to release open drivers by suggesting that the FCC should "go after" them. In fact, it serves to reinforce their binary-blobs-only position; after all, that's their current protection. But worse, by tacitly agreeing with their position about the FCC rules, he cedes the important part of the argument...the part where he could have won it. That's because while the FCC does indeed require that the consumer not be able to change the frequency to licensed spectrum, they have never taken the position that changing the source code is normal consumer operation. After all, consumers can change the frequency on many other chipsets (even in Windows) with binary patches. This is simpler than changing source code and recompiling it. I have never heard anything from the FCC that says you can't distribute source code with this functionality. Which is good, because the current mainline Linux kernel does distribute code that does this. If FCC rules actually forbade this (as the hardware companies are claiming) then it would be illegal to distribute the Linux (and presumably OpenBSD) kernel in the USA.
There was a wonderful discussion of this on the LKML recently in context of Intel's binary blob driver.
Given a choice between free speech and free beer, most people will take the beer.
Any idea who he's refering to?
The simple truth is that interstellar distances will not fit into the human imagination
- Douglas Adams
I thought "blob" stood for "binary large object."
So isn't it redundant to say "binary blob"?
Read any good sonnets lately?
Indeed, I can confirm this.
Though we only use OpenBSD on a few of our servers (we have about 150 servers) - we NEVER buy hardware that OpenBSD doesn't support, because to us that's a good test of whether this hardware is going to last or not.
If a hardware company is so proprietary or secretive or locked-down that OpenBSD can't (or chooses not to) support it, I don't believe that company will last in the long run.
This was an excellent interview and Theo seemed fairly down-to-earth. I actually agree with many of Theo's POV's but don't always agree with how he conveys them. This interview seemed to show his *softer* side :)
Honestly though, he is right...the big Linux vendors really needed to step up and donate to the project. I am a FreeBSD user and certainly understand the need for funding to keep these projects going. OpenSSH is an amazing piece of software that we all use quite a bit. I can't say that I give all of my money to these projects but I do purchase CD sets and can only hope that the rest of you do as well.
I guess sometimes we are all dicks when we really believe in something. Although Theo can come across as a dick sometimes he really does stand for a good cause. Software should be free!
"I reject your reality and substitute my own!"
Theo apparently feels (as I do) that the more we support vendors who refuse to just open up their specs, the less vendors will open them up. If Linux is taking over the server market (it is) and they need to open their device specs up to have them supported (they don't, if people will go NDA) then more companies will open up their specs so that they can be supported by linux - because companies like to minimize the variety of hardware in their organization for support reasons, and they are more likely to spec a single NIC that works in all situations (if available) than spec two different ones, one for Linux, and one for Windoze.
As long as people develop drivers for these products through reverse engineering or NDA, then these manufacturers will have no reason to release specs.
"You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
The fundamental reason why companies do not open up their drivers is because the average end user considers it a Linux problem when Linux doesn't have proper support for a given proprietary piece of hardware, instead of a problem with the maker of the chipset in question.
I think one reason for this is because there are a zillion consumer devices out there and no real place to be able to look up a given piece of consumer hardware and see who is making the chips for said hardware, and whether the chipset in question has a Linux driver. More importantly, if a given chipset doesn't have a Linux driver, the documentation should tell us whether this is because the chipset in question is closed, or if it is because no one has had a chance to write a driver.
If this information is out there, when people give the usual "Linux sucks because it doesn't support X piece of hardware" flame, the reply can be "blame the makers of X piece of hardware, not Linux". If this mindset catches on, companies will start supporting Linux better. For example, I bought a Creative Zen Nano instead of an iPod Nano because the Zen had full Linux support; the iPod doesn't.
The problem with making this online database is that someone will need to be motivated to make such a database; this is a non-trivial task. The wiki model is perfect for something like this. Indeed, someone has a wiki-based database like this for IBM Thinkpad computers
OpenBSD confirms it. Adaptec is dying.
Welcome to the Panopticon. Used to be a prison, now it's your home.
Come on. He's asking for money, not code changes. On that level, GPL-licensed code and BSD-licensed code are the same. A company like Linksys could use the Linux kernel in their routers without giving a cent to Linus or the hundreds of others.
There's nothing wrong with _asking_ for contributions. He knows that nobody owes him anything, and that jackasses like you will give him nothing but hot air, probably all the while logged into an OpenSSH server somewhere.
Hands in my pocket
Oh my, you really don't have a fucking clue, do you?
The OpenBSD project's recent funding problems have absolutely nothing to do with licensing; zero, zip, nada. The problem is not companies (Linux vendors, Cisco, Sun, etc.) modifying OpenSSH and without releasing changes publicly. The OpenBSD/OpenSSH project doesn't care about that, they expect it to happen. The problem is with said vendors using, redistributing and profiting from OpenSSH without making even a modest monetary donation in return. Given this, please, enlighten me as to releasing OpenSSH under the GPL would have any impact on this? Where in the GPL does it state that all redistribution and/or modification requires supporting the software's developers financially?
You think expecting a little money for something you poured blood, sweat, and tears into is "arrogant"? How about including open source software in almost all of your products (Cisco, Sun), and not giving a penny back for being given the opportunity to do so? Of course you have no obligation, but given the fact you're profiting off of this software, wouldn't it be wise to donate something (money, hardware) to the developers so that the software you're profiting from can continue to be developed? Some companies/projects have: GoDaddy and the Mozilla foundation. And hopefully more will in the future.
Oh, and whoever modded the parent up as insightful needs to be hit with a cluestick.
Agreed; this analogy is utterly awful! Not only is there this unhealthy response to prostitutes (someone needs to get some therapy. . .), the *ENTIRE* analogy doesn't work:
A prostitute is someone who gives what they otherwise wouldn't (sex) in exchange for cash. Theo gives his software away for free, to anyone, to use as they wish.
Now maybe you (GP) think the Free Software isn't a sound business strategy, and maybe you think Theo's a jackass---and heck, maybe you think he's getting what he deserved because he didn't demand that corporations leave their cash on the nightstand ahead of time [THAT'S how you make a prostitution reference!] but holy crap son could you find a way to say that without invoking repellant examples that contradict your point completely.
"Every decent man is ashamed of the government he lives under." - H.L. Mencken
>A prostitute ... gives what they otherwise wouldn't ... for cash. Theo gives his software away for free, to anyone, to use as they wish.
So, he's a slut?
The very fact that an NDA is used means that the manufacture knows that the writer of the driver needs facts that can not be determined by looking at the source of the driver itself. Typically this involves the use of various magic constants that must be loaded into device registers at appropriate times. The manufacturer knows what the magic constants mean. Hopefully the writer of the driver does too. But nobody else does, and the author of the device driver can't tell them. So if there's a bug (maybe because the magic constant wasn't quite the right one to use in certain circumstances) there's no way for another person to fix it. Likewise if there's a desire to expand the functionality of the driver there is again no way for a third party to know what the magic constants should be.
Universities have an overhead level, including salary fringe, etc., that then gets estimated. If the university's overhead rate is 65%, then for every $1 in grant money, 35 cents goes to cover DIRECT costs of the work, and 65 cents go to the University Overhead Income Account.
Basically, things like lab space may be direct or indirect (overhead) costs, depending on setups.
Given that they weren't on staff so there was no fringe (taxes, benefits, etc.), and they weren't using any school resources, maybe they got a discount and a 45% or 50% overhead rate.
Essentially, in grant accounting, you have to account for your direct expenditures (and get reimbursed from the grant issuer), but the overhead you keep. So the university wants as high an overhead rate as possible, as they keep that money. The researchers that "earned the grant" want the lowest rate possible, so more of the money goes into their accounts for their expenditures (you know, things like their salaries).
Also, if grant money is spent on not-aprroved things (let's say Theo calls 25% of his house his office, but the grant doesn't cover the home office, or he hires a project manager and that isn't approved for the grant), then the school won't be able to get reimbursed for those expenditures. Each organization's politics determines what happens when the school "eats" the costs (part of why they have such a high overhead, they cover over-runs, etc.), but in this case, it was an outside organization. I wonder how comfortable the University was cutting checks to Theo's personal account without knowing that they would get reimbursed, so they probably kept a high reserve that they wouldn't release, and a large overhead rate.
Ah, grant accounting...
Alex
The problem is not the other open source projects. It's the commercial Linux and Unix vendors (and other as well) that use all the benefits of OpenSSH, but do nothing in return. To name a few: IBM, HP, Cisco.
If you were minded to you could find out for yourself what Theo has contributed. Scan the source tree of just about any project the OpenBSD team ships and hunt for openbsd.org. If by chance you don't find anything then search again for "De Raadt" or some of the other developers' names. More likely than not you'll find code contributions.
If that's not enough, look at the number of companies Theo and his team and users have lobbied to release documentation thus helping all projects. Note also the Free Software Foundation and others respect and have honored Theo's work and contributions. In 2004 the Free Software Foundation presented Theo with the FSF Software award
Try google -- it's your friend when you have these kinds of questions.Usually documentation does not exist. Under an NDA, the company can supply hardware design plans and Windows source code instead.
Unfortunately, its not so simple. Many of the optimizations required serious recoding of gcc, making it MUCH slower to compile code, even when you don't have any optimizations turned on. Notice how gcc3 is twice as slow as gcc2? Notice how gcc4 is even slower?
TFA had a typical comment from Theo or any OpenBSD core team member: "As we become aware of more problems in the C language, we are trying to be very agressive to make the code cleaner. Just the standard OpenBSD proactive auditing process."
My question is this: what is the "standard OpenBSD proactive auditing process"? Before, I've lightly asked about this on the misc@ mailing list, but the answers weren't very helpful, generally paraphrased as (1) experience or (2) study the CVS diffs.
Well... that's nice, but I'd like to have a more straightforward "beginner's approach", something a little more accessible. I agree that only experience will make you a truly great secure and correct coder, but it would be nice to have a book that explained (and gave examples) of the kinds of things that the OpenBSD developers routinely look for in their code audits.
Put another way, I feel I have a good understanding of the fundamentals of secure C programming: generally prefer strncpy() (or strlcpy()) to strcpy(), know when to use memmove() or memcpy(), always check input parameters to make sure they are within the defined boundaries of the function, etc... but surely there's more than just these well-known general rules of thumb, right? It would be nice if core OpenBSD developers could have their secure C programming expertise dumped into a book!
It seemed to me he was more concerned that the correctness of the generated code was being compromised by the optimizations. I would expect the would love a small, correct compiler that they could add various security enhancements (e.g. stack protection) in a straightforward manner.