Slashdot Mirror


Are the BSDs Dying? Some Security Researchers Think So (csoonline.com)

itwbennett writes: The BSDs have lost the battle for mindshare to Linux, and that may well bode ill for the future sustainability of the BSDs as viable, secure operating systems, writes CSO's JM Porup. The reason why is a familiar refrain: more eyeballs mean more secure code. Porup cites the work of Ilja van Sprundel, director of penetration testing at IOActive, who, noting the "small number of reported BSD kernel vulnerabilities compared to Linux," dug into BSD source code. His search 'easily' turned up about 115 kernel bugs. Porup looks at the relative security of OpenBSD, FreeBSD and NetBSD, the effect on Mac OS, and why, despite FreeBSD's relative popularity, OpenBSD may be the most likely to survive.

32 of 196 comments

  1. BSD is Dying? by sconeu · · Score: 5, Funny

    I won't believe it until Netcraft confirms it!

    --
    General Relativity: Space-time tells matter where to go; Matter tells space-time what shape to be.
    1. Re:BSD is Dying? by Netcraft+Confirms+It · · Score: 5, Funny

      I'm sad to say it's true.

    2. Re:BSD is Dying? by Daetrin · · Score: 5, Funny

      This is what happens when we complain too much about the quality of recent posts. They dig up some "BSD is dying" article to try and make us feel all warm and fuzzy from the nostalgia.

      --
      This Space Intentionally Left Blank
    3. Re:BSD is Dying? by Bruce+Perens · · Score: 3, Funny

      My sinister viral GPL cabal has been successful! Baw ha ha ha ha :-)

    4. Re:BSD is Dying? by hawk · · Score: 2

      BSD has been dying almost as long as Apple has been going out of business . . .

      hawk

  2. Is it now official by Anonymous Coward · · Score: 2, Funny

    It is now official. Netcraft has confirmed: *BSD is dying. One more crippling bombshell hit the already beleaguered *BSD community when IDC confirmed that *BSD market share has dropped yet again, now down to less than a fraction of 1 percent of all servers. Coming on the heels of a recent Netcraft survey which plainly states that *BSD has lost more market share, this news serves to reinforce what we've known all along. *BSD is collapsing in complete disarray, as fittingly exemplified by failing dead last [samag.com] in the recent Sys Admin comprehensive networking test. You don't need to be the Amazing Kreskin [amazingkreskin.com] to predict *BSD's future. The handwriting is on the wall: *BSD faces a bleak future. In fact there won't be any future at all for *BSD because *BSD is dying. Things are looking very bad for *BSD. As many of us are already aware, *BSD continues to lose market share. Red ink flows like a river of blood. FreeBSD is the most endangered of them all, having lost 93% of its core developers. The sudden and unpleasant departures of long-time FreeBSD developers Jordan Hubbard and Mike Smith only serve to underscore the point more clearly. There can no longer be any doubt: FreeBSD is dying. Let's keep to the facts and look at the numbers. OpenBSD leader Theo states that there are 7000 users of OpenBSD. How many users of NetBSD are there? Let's see. The number of OpenBSD versus NetBSD posts on Usenet is roughly in ratio of 5 to 1. Therefore there are about 7000/5 = 1400 NetBSD users. BSD/OS posts on Usenet are about half of the volume of NetBSD posts. Therefore there are about 700 users of BSD/OS. A recent article put FreeBSD at about 80 percent of the *BSD market. Therefore there are (7000+1400+700)*4 = 36400 FreeBSD users. This is consistent with the number of FreeBSD Usenet posts. Due to the troubles of Walnut Creek, abysmal sales and so on, FreeBSD went out of business and was taken over by BSDI who sell another troubled OS. Now BSDI is also dead, its corpse turned over to yet another charnel house. All major surveys show that *BSD has steadily declined in market share. *BSD is very sick and its long term survival prospects are very dim. If *BSD is to survive at all it will be among OS dilettante dabblers. *BSD continues to decay. Nothing short of a miracle could save it at this point in time. For all practical purposes, *BSD is dead.

    1. Re:Is it now official by sconeu · · Score: 2

      Dude, that is one of the oldest memes on Slashdot.

      YHBT. YHL. HAND.

      --
      General Relativity: Space-time tells matter where to go; Matter tells space-time what shape to be.
  3. BSDs dying? by QuietLagoon · · Score: 2, Insightful

    I'd be more concerned about the effects of systemd on the Linux distributions. :)

    1. Re: BSDs dying? by rl117 · · Score: 5, Interesting

      systemd was what pushed me into trying out FreeBSD seriously for the first time, three years ago, after 15+ years of Debian as a user and developer. So many stupid problems. FreeBSD was like a breath of fresh air, and I wish I'd tried it out years ago. Today, I'm using FreeBSD increasingly, contributing to the ports here and there, and finding it to be mostly pretty good. Not as polished as Debian in every respect, but the package manager is continually improving and it's on a par with apt at this point. And being able to install straight onto ZFS is huge; Debian and Ubuntu need to get this into their installers.

    2. Re:BSDs dying? by Drunkulus · · Score: 5, Funny

      Systemd is the reason Linus is now running freebsd at home.

    3. Re:BSDs dying? by Anne+Thwacks · · Score: 3, Funny

      I've heard systemd is under suspicion of being a serial killer!

      So that explains why my serial ports don't work any more!

      --
      Sent from my ASR33 using ASCII
    4. Re: BSDs dying? by rl117 · · Score: 2

      It can certainly be overkill on low end systems. But its features are pretty great, and quite a few of them are useful even on a single disc/SSD setup. Like every filesystem, it makes a bunch of tradeoffs and you need to decide if they are acceptable or if another filesystem would be more appropriate for your needs. If you want to use some of those features, it can still make sense to use it. Lastly, the memory usage you mentioned is mainly an issue for ZFS on Linux where there's duplication in the page cache and the ARC; on FreeBSD it's much lower and is better integrated with the rest of the kernel memory management. You can tune it to use very little memory (with some performance tradeoffs, obviously).

  4. MacOS X? by Kenja · · Score: 4, Interesting

    While not an "official" BSD, OS X is based on NeXT which is based on BSD and it uses the Mach kernel.

    --

    "Have you ever thought about just turning off the TV, sitting down with your kids, and hitting them?"
    1. Re:MacOS X? by Anonymous Coward · · Score: 2, Informative

      I'm a Mac user and I've downloaded and installed FreeBSD, NetBSD and Minix 3 in virtual machines, so I could work through tutorials that were geared toward these systems.

      The question then became, what can I actually DO with them that I can't do already with Mac OS? I couldn't find anything. So those VMs went in the trash.

  5. Hogwash by thegarbz · · Score: 4, Funny

    The authorities here on Slashdot have repeatedly said that right now was the golden age of BSD due to Debian's adoption of systemd. There are no Linux users left. BSD is the only system that remains in widespread use.

  6. "more eyeballs mean more secure code"?! by Anonymous Coward · · Score: 5, Insightful

    The reason why is a familiar refrain: more eyeballs mean more secure code.

    After Heartbleed and the other issues affecting OpenSSL, and Shellshock affecting bash, why the hell would anyone still be pushing this disproven "more eyeballs" narrative?!

    The OpenBSD project proves that security doesn't come from "more eyeballs". It comes from having software developers who know what they're doing, and who take their work very seriously, and who show immense discipline, and who don't put up with bullshit, and who put security first and foremost.

    You could have two million "eyeballs" of offshore "programmers" in India looking at some code, and it will likely still end up being much less secure than code doing the same work but written by a couple of OpenBSD's developers.

    Code quality doesn't come from the quantity of people looking at it. Code quality comes from the quality of the people working on it.

    1. Re: "more eyeballs mean more secure code"?! by Anonymous Coward · · Score: 3, Interesting

      Give us links to each and every one of those bug reports so we can judge the severity of these alleged bugs on our own. If the BSD devs aren't fixing them it's probably because they're very minor bugs, or perhaps aren't even valid bugs to begin with.

    2. Re:"more eyeballs mean more secure code"?! by Hylandr · · Score: 5, Insightful

      Why the hell would anyone still be pushing this disproven "more eyeballs" narrative?!

      It's important to note that if there weren't eyeballs on the code we would never have known about the vulnerabilities to fix to begin with.

      They would have only been discovered and exploited by the malicious and never disclosed unless the attack was discovered while the company responsible would spin the issue and would ( in most cases ) not spend the money to secure other installations.

      Because flaws cannot be hidden, overlooked or covered up, researchers and other interested parties can perform their own independent audit of the software powering their systems.

      -- More eyeballs do in fact mean more secure code. -- Think of it as a global oversight committee.

      --
      ~ People that think they are better than anyone else for any reason are the cause of all the strife in the world.
    3. Re:"more eyeballs mean more secure code"?! by Anonymous Coward · · Score: 5, Insightful

      That comment is neither interesting nor insightful. It's just pushing the age old misrepresentation of the quote.

      Many eyeballs make all bugs shallow does not - and has never - meant that there will be no bugs, or that they will not lie dormant for a potentially long time. It simply refers to the fact that the more eyes that see a bug, the quicker someone will come up with a fix. Exactly what these researchers are claiming.

      The OpenBSD project proves that security doesn't come from "more eyeballs".

      I'm sorry, that you didn't RTFA is pretty damned obvious, but did you even read the blurb? There is no such "proof". Rather, they proved the opposite.

      Code quality doesn't come from the quantity of people looking at it. Code quality comes from the quality of the people working on it.

      Again, a half-truth. Yes, it's true, but the more people who are involved in a project, the greater the probability that your "good people" turn out to be really good. And the more people you have, the more people you have to fix mundane stuff which doesn't require "really good people" to fix - which frees up your "really good people" to deal with the hairy stuff, and the more eyeballs you have who might for some reason find bugs which need the attention of the "really good people".

      Quantity is a quality of its own.

    4. Re: "more eyeballs mean more secure code"?! by fmoliveira · · Score: 3, Informative

      van Sprundel also praised OpenBSD's response to his bug findings, saying that De Raadt responded within a week, and OpenBSD patched the flaws within a few days.

    5. Re:"more eyeballs mean more secure code"?! by koavf · · Score: 5, Informative

      Code quality doesn't come from the quantity of people looking at it. Code quality comes from the quality of the people working on it.

      Did you read the article? Theo De Raadt says as much:

      Theo De Raadt, the founder of OpenBSD, agreed with van Sprundel that more eyeballs on OpenBSD would make the operating system more secure. "I remember reading his first slides, which were mostly about the impact of small API misuses," De Raadt tells CSO Online by email. "Unfortunately, this is a problem of the volume of code relative to manpower. Ensuring all code is 100 percent bug-free and handles all exceptional conditions is a rather difficult problem."

    6. Re:"more eyeballs mean more secure code"?! by Anne+Thwacks · · Score: 2

      Everybody has to find a way to put groceries on the table.

      I am fine on groceries. I want code that is reliable and secure. I will continue using OpenBSD - but not as my dinner.

      --
      Sent from my ASR33 using ASCII
  7. No by DaMattster · · Score: 5, Interesting

    "Some" researchers are saying the BSDs are dying so it must be true, huh? "Read it on the internet, hot damn, must be true then." Bullshit! The BSDs have a large community that is passionate about their choice of operating system. I have been using OpenBSD since 1998 and I will only stop using it once the community completely collapses, development ceases, and the foundation folds. The day that happens, I will have to find another hobby altogether and just keep a smartphone and tablet handy. Learning and using OpenBSD has made me far more knowledgeable about computers, operating systems, networks, and security than any other platform out there. If it weren't for my college roommate introducing me to OpenBSD, I believe I would just be another Microsoft wanker. OpenBSD taught me how the internet works and opened a wealth of knowledge. OpenBSD turned me from a computer power user into a true System Administrator. Ever since that day when I asked my roommate just what the heck OpenBSD was, my life would never be the same.

    1. Re:No by quantaman · · Score: 2

      "Some" researchers are saying the BSDs are dying so it must be true, huh? "Read it on the internet, hot damn, must be true then." Bullshit! The BSDs have a large community that is passionate about their choice of operating system. I have been using OpenBSD since 1998 and I will only stop using it once the community completely collapses, development ceases, and the foundation folds. The day that happens, I will have to find another hobby altogether and just keep a smartphone and tablet handy. Learning and using OpenBSD has made me far more knowledgeable about computers, operating systems, networks, and security than any other platform out there. If it weren't for my college roommate introducing me to OpenBSD, I believe I would just be another Microsoft wanker. OpenBSD taught me how the internet works and opened a wealth of knowledge. OpenBSD turned me from a computer power user into a true System Administrator. Ever since that day when I asked my roommate just what the heck OpenBSD was, my life would never be the same.

      Here's the problem, in 1998 the BSDs and Linux were still on fairly equal footing, so it made just as much sense for you to learn a BSD.

      In 2018 Linux has a giant community, a huge ecosystem, and major companies behind it.

      You can get a job on the basis of your Linux expertise and will be able to do so for a while; even if there are corporate BSD systems right now, how much longer do you think they're going to last?

      How old are the members of that BSD community? If an undergrad is looking to learn BSD or Linux how will you convince them to choose BSD?

      I love the idea of BSD, but I don't see them attracting the next generation of developers. I think it will live in some form for as long as it keeps its base of impassioned old gurus, but sooner or later they'll run out.

      --
      I stole this Sig
  8. Re:open source is dying by MoralCharacter · · Score: 2

    Yep, those cloud environments will be self sustaining on hopes and dreams, and never need anyone with experience in UNIX to touch them. Cloud services run on what, Windows Server yeah? NO. WORRIES. /s

  9. If true, it's a shame by walterbyrd · · Score: 4, Interesting

    IMO:

    BSDs have a superior architecture in many respects. This is especially true since the systemd takeover.

    Administration on BSD servers just makes more sense. Linux seems to be all over the map. I think there are over 1000 Linux distros. Many distros want to change around the directory structure. Simple things, like starting services on bootup, and setting up a static IP, become difficult with Linux because everybody wants to pull Linux in different directions - often for no good technical reason.

    Linux certainly has advantages over BSD. But I think BSD gets a lot of stuff right.

    Again: all JMHO.

    1. Re:If true, it's a shame by geek · · Score: 5, Interesting

      1000 distros sure, but you can completely ignore 990 of them. Of the remaining 10, probably 6 are copies of the major 4, Debian, RedHat, Gentoo, Arch.

      People keep bringing up the many distro thing but honestly, no one really gives a shit. Those are hobbyist toys and they almost universally die out after a few years. In those few years a handful of people learn a lot and contribute to the community.

      The BSDs are fine. I used them once upon a time. The problem is they are inflexible and all they want to do is emulate a long gone era of computing that just isn't functional today. Linux will at least adapt to people's needs, BSDs will stand there and bitch about you being on their lawn.

    2. Re:If true, it's a shame by Anne+Thwacks · · Score: 2

      the BSDs aren't changing to meet the newer needs of the current world.

      Maybe not your needs - definitely mine:

      • I can and do pass on to my grandchildren what I learned about Unix in 1978 and in all the years since.
      • I want an internet facing system that works 24/7, securely processing financial transactions in real time, with a couple of hours' attention every few months.
      • I can switch architectures and still use the same code I used/wrote/tested before.
      • I can avoid systemd (yes, that matters - systemd killed my cat)

      I have other needs too, but they have no bearing on OS choice ;-)

      Take your current world off my lawn!

      --
      Sent from my ASR33 using ASCII
    3. Re:If true, it's a shame by TeknoHog · · Score: 2

      BSDs have a superior architecture in many respects. This is especially true since the systemd takeover.

      1000 distros sure, but you can completely ignore 990 of them. Of the remaining 10, probably 6 are copies of the major 4, Debian, RedHat, Gentoo, Arch.

      Gentoo doesn't use systemd by default. I don't know about the others. There's nothing wrong with GNU/Linux itself just because some distros decide to ruin themselves by including systemd.

      I remember trying NetBSD back around 2002, and I really liked some aspects of it compared to the Linux distros I knew back then. Hardware support was pretty bad, though. Fortunately, I soon discovered Gentoo whose package management is derived from the BSDs, but having the hardware support of Linux and the nicer (IMHO) GNU userland.

      --
      Escher was the first MC and Giger invented the HR department.
  10. Is it just that the pie is growing? by Voyager529 · · Score: 5, Interesting

    First off, I submit that BSD is finding its home in appliances. FreeNAS and pfSense are both fairly popular, and both BSD based. Commercially, the Nintendo Switch is based on BSD, and Cisco, McAfee, and Juniper all have appliances using BSD at their core. Also, as others have pointed out, OSX.

    That said, there are so many copy/paste tutorials for Debian and its derivatives like Ubuntu and Raspbian. With BSD lagging behind severely, for every person who prefers BSD and can successfully use it to do what they need, there are five more less-technical users who are able to fall into the pit of success with a Bitnami or Turnkey Linux distribution.

    BSD may well be superior for certain tasks, especially networking, but the fact of the matter is that expecting BSD to simultaneously be competitive in the numbers game against Linux when Linux has an ecosystem which BSD lacks. That ecosystem encourages users looking to get something done to use that product, rather than adhere to principles which otherwise have little effect on them. I know systemd is hated in these parts, almost universally, but if I need to spin up a Wordpress instance, it takes me ten minutes to grab Turnkey Linux and start adding my content, rather than the half hour or more it would take to spin up BSD, manually install an AMP stack, figure out the BSD equivalent of /var/www, Google all the MySQL commands to create the database at the CLI since I don't have Adminer or phpMyAdmin to do it, and then add Wordpress. As a non-developer and non-distributor, the BSD vs. GPL vs. MIT license situation affects me very little, so the fact that both Debian and BSD are free-as-in-beer means that they compete on how much of my time they take to spin up.

    This is why I use pfSense and FreeNAS. It's also why most of my appliances are Turnkey Linux based.

  11. Re:How would they No by Neuroelectronic · · Score: 2

    It's not like BSD users go around saying "I run BSD" or that they leave ports open so that they can be electronically surveyed.

    My SNES Classic runs BSD. Lots of routers, firewalls and NAS devices run BSD.

    The thing with BSD is it gets professionally used, not professionally blogged. Maybe BSD should consider a marketing team if it's really an issue for them.

  12. *BSD = Elitism by duke_cheetah2003 · · Score: 2, Interesting

    You know, some 20 years ago, I used to be a huge supporter of FreeBSD. I swore by the OS, and wouldn't touch anything else. A diehard fanboi. Then I asked for help with some legacy hardware and discovered the hostile elitism of BSD community.

    They basically told me to make my own drivers and to fuck off. Yeah, not very helpful. I switched to Linux cuz it worked with my legacy hardware and never looked back.

    Today I have zero respect for *BSD people and software. They can jump off a cliff and I'd just smile. I would sooner touch a Mac than a *BSD system. Treat people like shit, they might just be totally alienated from your offerings.