Re: Security updates and packages
Hi,

on a lighter note, 'cause i usually (with exceptions :) like doing what
i like to do better than arguing with people who happen to misunderstand
it...

Theo de Raadt screamed on Fri, Aug 19, 2016 at 08:25:40AM -0600:

> AND WHERE IS THE PONY.

Right here: https://plus.google.com/collection/4SI_e

And it was already here:
http://www.openbsd.org/papers/bsdcan11-mandoc-openbsd.html

Watch out, more than one pony hides in the latter!

Admittedly, it has grown somewhat since that time:
http://www.openbsd.org/papers/bsdcan15-mandoc.pdf

So Theo, don't make us smaller than we are. We have been having a pony
in the base system for more than half a decade now!

Even if you don't count this one, which is enabled in the default
install as well:

schwarze@dino $ psl | grep ': pony'
  _smtpd 77747 91072 ?? 10:18AM Ip 0.2 0.0 smtpd: pony express (smtpd)

SCNR,
  Ingo
Re: Security updates and packages
> OK I have done a lot of cutting and I may have put your words out of context,
> this isn't intended of course, however I feel when you say "OpenBSD isn't a
> PRODUCT" that this just can't be. By that I mean, that I buy every CD that
> comes out, a) it has an ISBN number so it's a book (but not really) b) It
> has a booklet inside so perhaps it is a book. It has 3 awesomely decorated
> CD's inside too, that contain binary code to run on a set of computer
> architectures and the last CD has source code so the purchaser can study the
> inner workings of the binary, *) these are expected to be synced. When
> running the contents of your product it's able to compile itself from the
> provided source code with means of a GCC compiler.

hmm, the difference is very subtle indeed. Man, what you bought is
OpenBSD version x.x, not OpenBSD. Look on your CD label.
Re: Security updates and packages
> > You never purchased an agreement for it to be serviced.
>
> I'm not expecting that. But the "hint" that this will not be serviced
> should be there.

The lack of a promise is enough.

> > Then, you stand here and demand things? You sir, are just wastewater.
>
> I simply suggested a line to be put on the front or back cover of the CD
> case.

That sentence is completely false. It is the first time you have
suggested it. And I won't do it, I don't bow down to demands.

> >> they can spend their money wisely.
> > Text like this occurs 40,000 times throughout just the base source tree:
> >
> > * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
> > * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
> > * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
> > * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
> > * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
> > * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
> > * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
> >
> > You are way out of line with the software development community. Your
> > interpretations are hostile.
>
> To whom? The person buying your plastic? For someone to read the
> source code license (which isn't even the book) they have to purchase
> the CD's and open them, or they write down the ISBN and go home and
> educate themselves on the product they consider buying. But in this
> fast-paced life who really does that? People see, and buy it.

That is pure fiction. Everyone knows what the purpose of OpenBSD is.
It will not twist in the directions you want.
Re: Security updates and packages
> Not "purely" but in common parlance and practice I do regard prompt
> installation of fixes for "security flaws" as part of "security" in its
> usual sense, yes.

Then hire some people to do it. Our crew who cares about a subset of
that is at their limit. We aren't going to keep slaves, and garden
fairies can't do the work.

> You can understand why the average outsider reading through these public
> pages might be confused and read "security" more broadly though? Maybe
> it was just me.

I don't care if you misread or misunderstood our web pages. Lots of
other people understand them fine.

> But, on the other hand, just this week I contributed Java code
> to kryo-serializers and I've not even actually used that library myself
> yet: I figure it all balances out but of course you may reasonably think
> otherwise.

So you submitted some small changes to someone. Somehow those small
changes will pixie-dust turn into a driving factor which causes other
people to give you "prompt installation of fixes for "security flaws"
as binaries.

> I figure it all balances out but of course you may reasonably think
> otherwise.

It does not balance out. About one thousand people write all the free
software. Everyone benefits to a tremendous extent. Then some of those
benefiting users come on lists and demand that a thousand volunteers do
more for them.

I expect more, damn it. And I want my flying car tomorrow.
Re: Security updates and packages
On 19 Aug 2016, Theo de Raadt wrote:

(snip)

> There is no juxtaposition.

I'm pretty sure that I managed to place the quotations side by side!

> You are expecting a bunch of volunteers to do the massive job of
> upgrading last-month's software -- and do it better than Google with
> Android, or car manufacturers, or basically anything which contains
> software.

I don't expect anything of the sort. Please don't confuse what I actually
said with your generic caricature of people. I'm sorry that you read my
amusement as judging and sniping but that sneering's wholly in your head.
I wouldn't be on this list at all were I not pretty impressed with the
project. Though, I have a feeling that you might keep on seeing sniping in
this response, so go ahead and have the last word after this: you need not
fear my extending this subthread beyond it having plausible value in
reducing confusion.

> You are labelling "security" as purely "dealing with yesterday's bugs"
> essentially for "customers" -- and we don't have customers.

Not "purely" but in common parlance and practice I do regard prompt
installation of fixes for "security flaws" as part of "security" in its
usual sense, yes. That's why I was surprised by how "everyone is encouraged
to use" packages that don't get such fixes and I assumed the lack of binary
fixes to simply be a matter of having to allocate limited resources to
other, more valuable, efforts, that the "everyone is encouraged" might just
be worded too strongly. I now find that I may well be wrong, that it is a
deeper philosophical issue: Thank you for your explanation of how the
security discussed by one of the pages I quoted is specifically about a
development mindset rather than being about some general concept of users'
systems security: that explains why the quotes all make sense as a whole
and it also fits with your laudable stance on W^X, etc. I already wrote
elsewhere how I value how the project puts "solid engineering well ahead of
adding features".

You can understand why the average outsider reading through these public
pages might be confused and read "security" more broadly though? Maybe it
was just me.

Indeed, I've not contributed much to OpenBSD. I do answer questions here
where I can (which isn't often!) and I wrote up details of how I got OpenBSD
running on my machines in the hope of helping other new users (and of course
sent a dmesg) but, back to the optimal allocation of resources, mostly I use
and contribute to FOSS according to my actual ability: with my being fairly
new to running BSDs and having barely used C for years, I am sorry to agree
that I don't offer OpenBSD much at present. But, on the other hand, just
this week I contributed Java code to kryo-serializers and I've not even
actually used that library myself yet: I figure it all balances out but of
course you may reasonably think otherwise. I also occasionally contribute
FOSS security fixes (e.g., one that got into this month's release of OMERO)
and my thinking may be colored by the anxiety I sometimes feel in seeing
people still running the vulnerable versions. Of course it helps that the
OpenBSD release schedule has been fairly brisk so people certainly aren't
encouraged to run /ancient/ packages.

-- Mark
Re: Security updates and packages
On 08/19/16 17:43, Theo de Raadt wrote:
>>> You even come to the conclusion that such work isn't going to happen
>>> for free, but leave the result dangling. Especially since OpenBSD
>>> isn't a PRODUCT. If product-servicing is a requirement, first of all
>>> choose something which is a PRODUCT, then choose a PRODUCT VENDOR who
>>> actually does SERVICING. It's doubly hard, without having to hold
>>> a non-product non-vendor responsible for a servicing requirement,
>>> which WE DO WELL WITH, but expecting more is ridiculous. AND WHERE
>>> IS THE PONY.
>> OK I have done a lot of cutting and I may have put your words out of context,
>> this isn't intended of course, however I feel when you say "OpenBSD isn't a
>> PRODUCT" that this just can't be. By that I mean, that I buy every CD that
>> comes out, a) it has an ISBN number so it's a book (but not really) b) It
>> has a booklet inside so perhaps it is a book. It has 3 awesomely decorated
>> CD's inside too, that contain binary code to run on a set of computer
>> architectures and the last CD has source code so the purchaser can study the
>> inner workings of the binary, *) these are expected to be synced. When
>> running the contents of your product it's able to compile itself from the
>> provided source code with means of a GCC compiler.
> You bought some plastic. If we shipped blank plastic, half our user
> community would still purchase it in support of what we do.
>
> You never purchased an agreement for it to be serviced.

I'm not expecting that. But the "hint" that this will not be serviced
should be there.

> Nowhere will you find promise that this is a product, nor a product with
> servicing, you are making shit up.
>
> Considering the CDs have been sold at close to a loss for years, your
> expectations are way out of line.
>
> Then, you stand here and demand things? You sir, are just wastewater.

I simply suggested a line to be put on the front or back cover of the CD
case. Thanks for the insult.

>> The fact that you don't want to promise service for your product is your
>> decision, but it is a product. In fact it's a wise decision because you'd
>> be facing a lot of work for which human resources are needed and human
>> resources require money. The income of your product is not substantial to
>> pay the human resources to deliver service.
> It is not a product.
>
> You cannot claim that something I largely give away is a product, if I say
> it isn't a product. Your words are just bile.
>
>> Perhaps for future customers who are looking around a book store and find
>> your product it should say "AS IS. Promise no further service." so that
>> they can spend their money wisely.
> Text like this occurs 40,000 times throughout just the base source tree:
>
> * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
> * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
> * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
> * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
> * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
> * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
> * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
>
> You are way out of line with the software development community. Your
> interpretations are hostile.

To whom? The person buying your plastic? For someone to read the
source code license (which isn't even the book) they have to purchase
the CD's and open them, or they write down the ISBN and go home and
educate themselves on the product they consider buying. But in this
fast-paced life who really does that? People see, and buy it.

I've been buying your CD's since 2.6. I don't mean to be rude, in fact
I'll continue to buy the CD. And regarding the software development
community, I can't speak for it or against it.

Regards,
-peter
Re: Security updates and packages
> > You even come to the conclusion that such work isn't going to happen
> > for free, but leave the result dangling. Especially since OpenBSD
> > isn't a PRODUCT. If product-servicing is a requirement, first of all
> > choose something which is a PRODUCT, then choose a PRODUCT VENDOR who
> > actually does SERVICING. It's doubly hard, without having to hold
> > a non-product non-vendor responsible for a servicing requirement,
> > which WE DO WELL WITH, but expecting more is ridiculous. AND WHERE
> > IS THE PONY.
>
> OK I have done a lot of cutting and I may have put your words out of context,
> this isn't intended of course, however I feel when you say "OpenBSD isn't a
> PRODUCT" that this just can't be. By that I mean, that I buy every CD that
> comes out, a) it has an ISBN number so it's a book (but not really) b) It
> has a booklet inside so perhaps it is a book. It has 3 awesomely decorated
> CD's inside too, that contain binary code to run on a set of computer
> architectures and the last CD has source code so the purchaser can study the
> inner workings of the binary, *) these are expected to be synced. When
> running the contents of your product it's able to compile itself from the
> provided source code with means of a GCC compiler.

You bought some plastic. If we shipped blank plastic, half our user
community would still purchase it in support of what we do.

You never purchased an agreement for it to be serviced.

Nowhere will you find promise that this is a product, nor a product with
servicing, you are making shit up.

Considering the CDs have been sold at close to a loss for years, your
expectations are way out of line.

Then, you stand here and demand things? You sir, are just wastewater.

> The fact that you don't want to promise service for your product is your
> decision, but it is a product. In fact it's a wise decision because you'd
> be facing a lot of work for which human resources are needed and human
> resources require money. The income of your product is not substantial to
> pay the human resources to deliver service.

It is not a product.

You cannot claim that something I largely give away is a product, if I say
it isn't a product. Your words are just bile.

> Perhaps for future customers who are looking around a book store and find
> your product it should say "AS IS. Promise no further service." so that
> they can spend their money wisely.

Text like this occurs 40,000 times throughout just the base source tree:

 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.

You are way out of line with the software development community. Your
interpretations are hostile.
Re: Security updates and packages
> You even come to the conclusion that such work isn't going to happen
> for free, but leave the result dangling. Especially since OpenBSD
> isn't a PRODUCT. If product-servicing is a requirement, first of all
> choose something which is a PRODUCT, then choose a PRODUCT VENDOR who
> actually does SERVICING. It's doubly hard, without having to hold
> a non-product non-vendor responsible for a servicing requirement,
> which WE DO WELL WITH, but expecting more is ridiculous. AND WHERE
> IS THE PONY.

OK I have done a lot of cutting and I may have put your words out of context,
this isn't intended of course, however I feel when you say "OpenBSD isn't a
PRODUCT" that this just can't be. By that I mean, that I buy every CD that
comes out, a) it has an ISBN number so it's a book (but not really) b) It
has a booklet inside so perhaps it is a book. It has 3 awesomely decorated
CD's inside too, that contain binary code to run on a set of computer
architectures and the last CD has source code so the purchaser can study the
inner workings of the binary, *) these are expected to be synced. When
running the contents of your product it's able to compile itself from the
provided source code with means of a GCC compiler.

The fact that you don't want to promise service for your product is your
decision, but it is a product. In fact it's a wise decision because you'd
be facing a lot of work for which human resources are needed and human
resources require money. The income of your product is not substantial to
pay the human resources to deliver service.

Perhaps for future customers who are looking around a book store and find
your product it should say "AS IS. Promise no further service." so that
they can spend their money wisely.

Regards,
-peter
Re: Security updates and packages
Theo de Raadt wrote:

> Especially since OpenBSD isn't a PRODUCT. If product-servicing is a
> requirement, first of all choose something which is a PRODUCT, then
> choose a PRODUCT VENDOR who actually does SERVICING.

Nicely put. My open source Ublu (https://github.com/jwoehr/ublu) is
currently attracting attention in the IBM record-based systems world (for
precisely which Ublu was coded) and people keep referring to it as a
"product" and I have to make similar corrections to their understanding ...

> AND WHERE IS THE PONY.

Much easier question to answer:

https://az616578.vo.msecnd.net/files/responsive/embedded/any/desktop/2015/12/18/6358600036517504461717781900_maxresdefault.jpg

--
Jack J. Woehr       # Science is more than a body of knowledge. It's a way of
www.well.com/~jax   # thinking, a way of skeptically interrogating the universe
www.softwoehr.com   # with a fine understanding of human fallibility. - Carl Sagan
Re: Security updates and packages
> > I was wondering if packages for -release would be fixed if a security
> > issue is found in one of these third party programs, which could be
> > updated with pkg_add -u.
>
> It's a good question. I was quite amused to notice the juxtaposition of:
>
> ] Our aspiration is to be NUMBER ONE in the industry for security (if we
> ] are not already there).
>
> ] The ports tree is meant for advanced users. Everyone is encouraged to
> ] use the pre-compiled binary packages.
>
> ] When serious bugs or security flaws are discovered in third party
> ] software, they are fixed in the -stable branch of the ports tree. Note
> ] that binary packages for -release and -stable are not updated.
>
> I am guessing that your fear is correct but it's a matter of resource
> availability given the effort it takes to keep the core system great. If
> we want security updates for binary packages then I'd hope that people
> agree it to be a good idea in the abstract but we probably need to
> volunteer actual work (or donate more!) if it is to actually happen.

There is no juxtaposition.

You are expecting a bunch of volunteers to do the massive job of
upgrading last-month's software -- and do it better than Google with
Android, or car manufacturers, or basically anything which contains
software.

You are labelling "security" as purely "dealing with yesterday's bugs"
essentially for "customers" -- and we don't have customers.

When we talk about security, we mean a development mindset for
security-related innovation which get designed, proven, adopted, and
reduce risk of software having bugs. Then slowly as a whole we try to
drag everyone in the world forward - some of the things listed at
http://www.openbsd.org/innovations.html are relevant to that.

The juxtaposition I observe is someone I never heard of before in
regards to investment & work in this community, arriving on a list to
make a judgement.

You even come to the conclusion that such work isn't going to happen
for free, but leave the result dangling. Especially since OpenBSD
isn't a PRODUCT. If product-servicing is a requirement, first of all
choose something which is a PRODUCT, then choose a PRODUCT VENDOR who
actually does SERVICING. It's doubly hard, without having to hold
a non-product non-vendor responsible for a servicing requirement,
which WE DO WELL WITH, but expecting more is ridiculous. AND WHERE
IS THE PONY.

Perhaps the distinctions are too subtle for you, and don't roll off
the keyboard well enough as a snipe. It's ok, my cats cannot read and
interpret such complexities either.
Re: Security updates and packages
On 2016-08-19, Thuban wrote:
> I was wondering if packages for -release would be fixed if a security
> issue is found in one of these third party programs, which could be
> updated with pkg_add -u.

No, they're not, they're fixed for release and not further updated.
It's the same for the base OS - releases are a fixed point, we don't
rewrite history.

> Or does someone have to stay up to date and use ports to upgrade each
> single package on his system to follow -stable? (with the risk to miss
> the last new of a tiny library...). This is what the FAQ makes me wonder,
> but just to be sure.

Options include:

- use -current snapshots. this is likely to be the easiest way for most
  people.

- build your own from -stable if the relevant commits have already been
  backported, dpb -R can help with this, but it's not really a beginner
  thing.

- backport things yourself if the relevant commits have not already been
  backported.

- use a third party service.

- use a different OS, some of the Linux distributions are a lot better
  suited to people who don't want to update most of their software but
  still get some backported fixes ;)
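The "build your own from -stable" option above needs a way to see which installed packages the -stable ports tree would now build differently; the script below is an added example (not from the thread or the OpenBSD project) that pairs pkg_info output with make show=FULLPKGNAME and prints the mismatches, i.e. the packages worth rebuilding after a fix lands in -stable. It assumes an OpenBSD host with /usr/ports checked out on the matching -stable branch; the comparison itself is plain text and falls back to constructed sample data where pkg_info is absent.

```shell
#!/bin/sh
# Added example, not from the thread or the OpenBSD project.  Lists installed
# packages whose name no longer matches what a -stable ports checkout builds,
# i.e. the candidates to rebuild after a fix was committed to -stable.
# Assumes (on a real host) OpenBSD with /usr/ports on the -stable branch of
# the running release; without pkg_info it runs on constructed sample data.
set -eu

# Pure comparison.  Both arguments are files with "<pkgpath> <fullpkgname>"
# lines: $1 what is installed, $2 what the ports tree currently builds.
# Prints one line per installed package that differs from, or is missing
# from, the tree file.
outdated_packages() {
    installed=$1
    intree=$2
    awk '
        FILENAME == ARGV[1] { tree[$1] = $2; next }   # first file: ports tree
        !($1 in tree) { print $1 ": installed " $2 ", no longer in ports tree"; next }
        tree[$1] != $2 { print $1 ": installed " $2 ", ports tree builds " tree[$1] }
    ' "$intree" "$installed"
}

# On an OpenBSD host: pkg_info -q lists installed package names and
# pkg_info -qP prints the pkgpath each one was built from.
collect_installed() {
    for pkg in $(pkg_info -q); do
        printf '%s %s\n' "$(pkg_info -qP "$pkg")" "$pkg"
    done
}

# Ask the ports tree what each pkgpath in $1 builds now.  Flavor and
# subpackage suffixes (after the comma) are dropped for the directory lookup,
# a simplification of this example: flavored builds will show as differing.
# A port that no longer exists produces no line, so it is reported as missing.
collect_intree() {
    while read -r path _; do
        dir=${path%%,*}
        name=$(cd "/usr/ports/$dir" 2>/dev/null && make show=FULLPKGNAME) || name=
        if [ -n "$name" ]; then
            printf '%s %s\n' "$path" "$name"
        fi
    done <"$1"
}

# Constructed sample data written into directory $1 (names invented for the
# demonstration): nginx got a -stable revision bump, python is unchanged,
# misc/oldthing no longer exists in the tree.
write_sample_data() {
    cat >"$1/installed" <<'EOF'
www/nginx nginx-1.10.1
lang/python/2.7 python-2.7.12
misc/oldthing oldthing-0.1
EOF
    cat >"$1/intree" <<'EOF'
www/nginx nginx-1.10.1p0
lang/python/2.7 python-2.7.12
EOF
}

main() {
    work=$(mktemp -d)
    if command -v pkg_info >/dev/null 2>&1; then
        collect_installed >"$work/installed"
        collect_intree "$work/installed" >"$work/intree"
    else
        write_sample_data "$work"
    fi
    outdated_packages "$work/installed" "$work/intree"
    rm -r "$work"
}

main
```

On the sample data it reports nginx (tree builds nginx-1.10.1p0) and misc/oldthing (gone from the tree) and stays silent about python.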
Re: Security updates and packages
Hi,

have a look at this: https://stable.mtier.org/

Regards

Am 19.08.2016 08:59 schrieb "Thuban" :
> Hello,
> I was wondering if packages for -release would be fixed if a security
> issue is found in one of these third party programs, which could be
> updated with pkg_add -u.
>
> Or does someone have to stay up to date and use ports to upgrade each
> single package on his system to follow -stable? (with the risk to miss
> the last new of a tiny library...). This is what the FAQ makes me wonder,
> but just to be sure.
>
> Regards.
>
> --
> /Thuban/
Re: Security updates and packages
On Fri, Aug 19, 2016 at 8:58 AM, Thuban wrote:
> Hello,
> I was wondering if packages for -release would be fixed if a security
> issue is found in one of these third party programs, which could be
> updated with pkg_add -u.

Officially? No.

But this seems to be a "industry standard" - https://stable.mtier.org/

--
chs
Re: Security updates and packages
You can pay someone to build them for you, where M:Tier springs to mind.

Also, having a build host (or vm) somewhere running -stable and
(re)building any updated -stable port for your particular platform isn't
all that difficult and hard, especially if it's just about a single or a
specific small subset of ports.

Building ports numbering upwards to 1 or whatever today's list is, and
co-publishing it as any single one gets an update takes a certain amount
of effort, for which snapshots right now only get that kind of attention,
and the per-6month package builds.

So the juxtaposition thing is a bit weird, since updates do get
published, it's just that you also need to chip in with a bit of effort
if your particular port got a security update in -stable. So the project
can still be about security if it does updates, even if you can't just
lean back and open your mouth and get spoonfed precompiled binaries the
same day.

The project updates -stable and -current ports (and base) in terms of
cvs commits. The prebuilt packages, if any, are a nice bonus on top of
that.

2016-08-19 9:45 GMT+02:00 Mark Carroll :
> On 19 Aug 2016, thu...@yeuxdelibad.net wrote:
>
> > I was wondering if packages for -release would be fixed if a security
> > issue is found in one of these third party programs, which could be
> > updated with pkg_add -u.
>
> It's a good question. I was quite amused to notice the juxtaposition of:
>
> ] Our aspiration is to be NUMBER ONE in the industry for security (if we
> ] are not already there).
>
> ] The ports tree is meant for advanced users. Everyone is encouraged to
> ] use the pre-compiled binary packages.
>
> ] When serious bugs or security flaws are discovered in third party
> ] software, they are fixed in the -stable branch of the ports tree. Note
> ] that binary packages for -release and -stable are not updated.
>
> I am guessing that your fear is correct but it's a matter of resource
> availability given the effort it takes to keep the core system great. If
> we want security updates for binary packages then I'd hope that people
> agree it to be a good idea in the abstract but we probably need to
> volunteer actual work (or donate more!) if it is to actually happen.
>
> -- Mark
>

--
May the most significant bit of your life be positive.
Re: Security updates and packages
On 19 Aug 2016, thu...@yeuxdelibad.net wrote:

> I was wondering if packages for -release would be fixed if a security
> issue is found in one of these third party programs, which could be
> updated with pkg_add -u.

It's a good question. I was quite amused to notice the juxtaposition of:

] Our aspiration is to be NUMBER ONE in the industry for security (if we
] are not already there).

] The ports tree is meant for advanced users. Everyone is encouraged to
] use the pre-compiled binary packages.

] When serious bugs or security flaws are discovered in third party
] software, they are fixed in the -stable branch of the ports tree. Note
] that binary packages for -release and -stable are not updated.

I am guessing that your fear is correct but it's a matter of resource
availability given the effort it takes to keep the core system great. If
we want security updates for binary packages then I'd hope that people
agree it to be a good idea in the abstract but we probably need to
volunteer actual work (or donate more!) if it is to actually happen.

-- Mark
Security updates and packages
Hello,
I was wondering if packages for -release would be fixed if a security
issue is found in one of these third party programs, which could be
updated with pkg_add -u.

Or does someone have to stay up to date and use ports to upgrade each
single package on his system to follow -stable? (with the risk to miss
the last new of a tiny library...). This is what the FAQ makes me wonder,
but just to be sure.

Regards.

--
/Thuban/