OpenBSD Innovations

(openbsd.org)

542 points | by angristan 80 days ago

30 comments

  • jmclnx 80 days ago
    OpenBSD foundation raised around ~380 thousand IIRC.

    By creating OpenSSH and the fact all fortune 500 companies use it, I would say every year, the foundation should be bringing in around 1 or 2 million. It is time these companies really give back.

    And while I am here, hardware vendors should open up their source, looking directly at Nvidia.

    • jillesvangurp 79 days ago
      It's not the foundation that does the work but developers. With that kind of budget, the foundation is just administrative support. They aren't employing a lot of developers. Many developers are employed of course. Partially by those same fortune 500 companies that you mention.

      Open source is a pragmatic arrangement where developers embedded in the industry can collaborate and share code; often explicitly supported by the companies they work for. It has worked very well for decades and there's no urgent reason to change anything.

      For example, Damien Miller, who puts in a lot of time on OpenSSH, is employed by Google. Employing key contributors is how the industry supports OSS.

      • jorvi 79 days ago
        > For example, Damien Miller, who puts in a lot of time on OpenSSH, is employed by Google. Employing key contributors is how the industry supports OSS.

        Yeah that's just confirmation bias. How often do we read about key open source libraries that are being maintained by one random dude in his free time, said dude's free time dries up, and suddenly everyone is in panic mode on how to get funding to him.

        It'd be much nicer if every tech company above X amount of yearly revenue would be required to kick in 1.0% (0.1%? 2.5%?) of their profit into a foundation. That foundation then would put out bounties or contracts for open source project maintainers. The priority (= monetary value) of these would be decided on by a mix of community voting, open source expert panel, and commercial interest, split ⅓/⅓/⅓.

        • dimal 79 days ago
          This seems reasonable, but my concern is that the money would not do much good. It could simply lead to a more powerful bureaucracy that prioritizes its own survival instead of it’s original mission, like what seems to have happened with the Mozilla or Wikipedia foundations. More money doesn’t always solve problems. It can simply create new problems.
        • jillesvangurp 79 days ago
          There's a long tail of stuff that isn't paid indeed but I don't think this is confirmation bias. I maintain a few things myself actually. The thing is, I'm not actually expecting to get paid. I think you are underestimating just how many OSS developers have steady jobs and overestimating the urgency of the issue. I don't think the crisis you are outlining actually exists. But I'm sure there are individuals who'd like to get paid more for whatever they are doing.
          • jorvi 79 days ago
            I mean, the XZ backdoor happened because the main developer was overworked and burned out[0]. Stuff like this happens all over the OSS sphere, it's just that it's usually on less-critical projects. AFAIK, Heartbleed also sat unnoticed in OpenSSL for years because it was no one's full-time job to care.

            If you were paying someone to full-time maintain XZ or Heartbleed, or whatever, it would have their singular attention.

            [0] https://www.mail-archive.com/[email protected]/msg00567.h...

            > I haven't lost interest but my ability to care has been fairly limited mostly due to longterm mental health issues but also due to some other things. Recently I've worked off-list a bit with Jia Tan on XZ Utils and perhaps he will have a bigger role in the future, we'll see.

            • bigfatkitten 72 days ago
              OpenSSL's problems were caused mostly by their codebase being awful.

              As Microsoft has been demonstrating for decades, there is no direct correlation between budget and quality.

            • jillesvangurp 78 days ago
              Now that sounds like confirmation bias.
        • LeFantome 79 days ago
          If you want that, release your code under such a license.
      • KerrAvon 79 days ago
        Yes. What’s interesting is that this corporate software engineering socialism isn’t new with modern open source. It dates back to the earliest operating systems for IBM mainframes.

        See: https://en.wikipedia.org/wiki/SHARE_Operating_System

    • slome 80 days ago
      The openbsd foundation raised around 5 million, half of which has been spent. Curiously they aren't as transparent as they once were.

      You mention nvidia support, others are hopeful for a better filesystem and wifi as well.

    • alexvitkov 79 days ago
      Your second paragraph is explaining perfectly why open source doesn't work and how its economics don't add up.

      I would also add that it indirectly kills the vast majority of programming jobs - nobody is ever going to get paid to create a JPEG decoder as everyone can just use libjpeg. Nobody is ever going to get paid to write a new kernel as everyone can just use Linux. Very few people are going to get paid to work on a new database as you can just use Postgres...

      Once there's a good enough open source solution in a field, in the long run it will out-compete commercial offerings, even if it's overall a worse package, as it's some guy's free time project and is created on a $0 budget.

      Programmers work for free, end users get a worse product, companies make trillions.

      • mmooss 79 days ago
        > open source doesn't work

        What could you mean by that? It's an extremely successful model organizationally and technically.

        > it indirectly kills the vast majority of programming jobs

        All software kills the vast majority of jobs - think of all the jobs there would be if we had no software. Anyway, are we short of programming jobs?

        Efficiencies create new, higher-value possibilities than, for example, JPEG decoders.

        • alexvitkov 79 days ago
          > It's an extremely successful model organizationally and technically.

          There are technically impressive open source projects - e.g. Linux, and most of them have people paid to work on them full time. Those are the exception, not the rule. Most open source projects are some guy's hobby, done for free in their free time. Hobbyists solve problems they find interesting, and often ignore a lot of the "gruntwork" required to make a technically sound package.

          > Anyway, are we short of programming jobs?

          Yes. Especially good ones.

          > Efficiencies create new, higher-value possibilities than, for example, JPEG decoders.

          I don't see it - a large portion of programming jobs have devolved to gluing together a bunch of open-source libraries, doing the boring gruntwork to actually make them work, and dealing with the inevitable hell, caused by using 500 components that were never designed to work together.
          • thayne 79 days ago
            > Those are the exception, not the rule. Most open source projects are some guy's hobby, done for free in their free time.

            And most proprietary software becomes completely unavailable when the company making it goes out of business. At least with the open source software, if there is interest in it, someone else can pick it up, if the original creator stops maintaining it.

            > a large portion of programming jobs have devolved to gluing together a bunch of open-source libraries, doing the boring gruntwork to actually make them work, and dealing with the inevitable hell, caused by using 500 components that were never designed to work together.

            And you think that would be any different without open source? A large portion of programming would still be gluing together a bunch of components, but instead of open source libraries you would have proprietary libraries, where if the documentation is inadequate or wrong, you have no option of looking at the source code to see what it actually does. Or in-house libraries that were designed for some specific purpose that doesn't match yours at all, and are very low quality, because they were made under a tight deadline, and no one ever went back to pay the tech debt after the MVP was released. Or maybe instead of a library you make API calls to some SaaS with no SLA and barely any documentation.

          • flohofwoe 79 days ago
            > Most open source projects are some guy's hobby, done for free in their free time.

            E.g. exactly how Linux was created? ;)

          • prmoustache 79 days ago
            > Those are the exception, not the rule. Most open source projects are some guy's hobby, done for free in their free time.

            It also applies to proprietary software.

          • otherme123 79 days ago
            > Hobbyists solve problems they find interesting, and often ignore a lot of the "gruntwork" required to make a technically sound package.

            OTOH some commercial software only solves problems that make money, and ignores the technically sound part unless it makes money. E.g. the enshittification of Google, Windows or Facebook, and friends, from a product that worked to a product that nobody asked for. All the technicality spent in tracking users, more ads, etc.

            There is a lot of commercial software that is not much more than a repackaging of open source software and a UI layer (ffmpeg, for example).

          • throw0101d 79 days ago
            > Those are the exception, not the rule. Most open source projects are some guy's hobby, done for free in their free time.

            90% of everything is crud:

            * https://en.wikipedia.org/wiki/Sturgeon%27s_law

          • grandempire 79 days ago
            > Hobbyists solve problems they find interesting, and often ignore a lot of the "gruntwork"

            Yes

            > required to make a technically sound package.

            No. What they don’t do is take the time to turn it into a product used by a general audience. Technical soundness is usually something corporations don’t have time for.

        • ape4 79 days ago
          I don't think there would be jobs manually doing many things that software currently does.
          • mmooss 79 days ago
            If software doesn't automate things, why are we investing so much in it?

            Maybe I misunderstand, but computers make us much more efficient: writing, graphics, computation, communication, storage and retrieval of information, searching information, machine control, ... for a time, 'computers' were rooms full of people doing computations.

            Think of the software stack that runs HN. What would we do? Write letters to a journal for publication? Gather in a room someplace?

      • thayne 79 days ago
        > I would also add that it indirectly kills the vast majority of programming jobs - nobody is ever going to get paid to create a JPEG decoder as everyone can just use libjpeg

        Looked at another way, open source means that instead of a bunch of programmers getting paid to write multiple implementations of the same thing over and over, the programmers that would otherwise be doing that can instead work on new innovative things.

        In an ideal world, all software would be open source, and programmers would spend all their time improving said software for everyone. The problem is I don't know how those programmers would be compensated for their work. In many ways, open source software is a public good, since anyone can benefit from it[1], so an argument could be made that OSS should be publicly funded (i.e. paid for by government grants). However, I am doubtful that the government could do a good job of allocating resources to open source projects. Then again, I don't think the private sector is doing a great job of that either. Just look at how many resources are put into showing people ads.

        [1]: And it has the interesting property that, unlike most public goods, the cost does not scale with the number of people who use it, nor is there a limit on the number of people who can use it.

        • autopoiesis 79 days ago
          Isn't the solution to have much shorter copyright terms? Software could be closed source at first, its implementation costs recouped, then opened by default when its copyright term lapses. New releases could still be closed, so income could continue. Set the term at 5-10 years, rather than >70.
          • dpassens 79 days ago
            This doesn't really work for projects that want to be closed source, as they can just not publish the source. After the 10 years, people can copy the binary, but that doesn't really give you a whole lot of benefit.

            And if a project does want to be open source eventually, they can already license their code that way.

            • autopoiesis 79 days ago
              Couple it with a generalized right to repair: source code is what's needed in order to be able to repair the software that you use. If beyond the support period or the copyright term (whichever is least), the materials needed to repair the product must be released.
            • diffeomorphism 79 days ago
              No, you just make that a prerequisite for the software copyright. If you don't submit the code, you don't get the protection.

              Same idea as for patents vs trade secrets.

          • globular-toast 79 days ago
            But you'd also need some way to stop derivatives becoming copyrightable again. Currently the only way to achieve this is copyleft licences.
        • z3phyr 79 days ago
          But it is anti-alternative. It discourages alternative ways to do things.

          This is bad in the long term because alternative ways of doing things open other avenues of investigation and development.

          But all we get are improved versions of a hammer when everything is made out to be a nail.

          • williamscs 79 days ago
            OSS isn't anti-alternative at all? Just because you don't pay for the software doesn't mean there's no competition.

            Even well-established software can have meaningful alternatives. Look at ripgrep. While it hasn't replaced grep as a distro default, it's still being used by folks that find it a better solution for them.

            • oriolid 79 days ago
              Don't you remember how hostile people were to ripgrep just because ag or find + xargs + grep existed? Or the same with meson because cmake exists and cmake because autotools exists? Or systemd or clang? It takes an unusually stubborn person or strong corporate backing to actually create an alternative to an established open source project.
      • karparov 79 days ago
        > Your second paragraph is explaining perfectly why open source doesn't work

        > some guy's free time project and is created on a $0 budget.

        > Programmers work for free

        You seem to be completely out of touch with what FOSS is.

        The amount of relevant FOSS hacked by some teenager for free in mom's basement is negligible. The largest contributors to the Linux kernel are IBM, Intel and Oracle. Nobody there works for free.

        • pjmlp 79 days ago
          Because it brings down their own development costs, doing more with less.

          How much upstream do you think BSD gets from Sony and Apple, besides a few crumbs?

          clang was sponsored exactly to allow Google and Apple to take a compiler and not be legally obliged to upstream their sauce.

          Nowadays clang has replaced most proprietary compilers on surviving UNIXes and embedded OSes; how many of those downstream changes land on upstream clang? It is mostly volunteer work improving ISO C and ISO C++ compliance, despite all the money being made by those folks.

          • tgma 79 days ago
            > clang was sponsored exactly to allow Google and Apple to take a compiler and not be legally obliged to upstream their sauce.

            Sponsored is an understatement. It was pretty much entirely funded by those two, so if the goal was to leech on volunteers, that would be a pretty bad move by those companies.

            • pjmlp 79 days ago
              The goal was not to give anything back as expected by GCC and GPL, especially the, at the time, relatively new GPL3.

              Which is exactly what happened after clang got mature enough, GCC was expunged from their platforms.

              Apple first, followed by Google about a year later.

              Note that nowadays, Apple clang has its own column on cppreference, Google is focused on Carbon/Rust/Go, and in both cases most of the contributions are on the LLVM side, not clang and ISO compliance.

              • tgma 79 days ago
                I totally get that avoiding GPL3.0 was the goal for Apple (less so for Google I'd say). If avoiding "giving anything back" were the goal they have fucked up on that. Regardless, the point is they could have pretty much done proprietary software and kept it for themselves too and no one would complain. It's not somehow a brilliant conspiracy to leech off of the measly volunteer base when they have paid the majority of development costs.

                P.S. you focus on ISO compliance. Could it be that the actual user base does not really care about it as much as the rest of the aspects of the compiler (features, correctness, performance) and thus it is deprioritized by everyone? I don't consider clang abandoned by Google or Apple.

                • pjmlp 79 days ago
                  What matters is actually who puts the effort into bringing clang into modern times, regardless of your opinion Github is there for tracking purposes, who contributes what.

                  Also clang was only one example of who profits and who puts in the work, like the endless number of PhD students contributing to LLVM or MLIR.

                  • tgma 79 days ago
                    Yes, I just briefly clicked at the top contributors. As expected they are mostly not homeless PhD students. All big ones are employed or have been employed by Apple/Google/RedHat/SiFive/Sony, often multiple of those. (Did you actually look or are you just spreading your hunches?)

                    If you think the long tail of endless contributions is what makes a production quality open source project like clang tick, well, we disagree...

                    (In fact such PhD students are often the prime beneficiaries of the work by commercial companies, because they get to build their research stuff on top of LLVM.)

                    • pjmlp 78 days ago
                      Have been is the right word.

                      This thread keeps having its goal posts moved around: first it was an example, then it got the spotlight of being only about clang, then I pointed out Apple/Google's original purposes, then it was something else, and yet another one.

                      Just head off to /r/cpp that is where hunches are coming from.

                      Have you at very least filtered by C++ clang only related contributions instead of LLVM ones?

                      Most likely not, only clicked here https://github.com/llvm/llvm-project/graphs/contributors and came right away to reply.

                      • tgma 78 days ago
                        Yes, as I acknowledged I did not spend time digging in who wrote which exact patch or sift through some loudmouths on /r/cpp whining about things. The burden to substantiate your argument at this point is chiefly on you. I have spent enough time on this already. You can narrow things down to some area that you care about specifically, but I am fairly certain Google and Apple each spend tens of millions of dollars a year, if not 100+, on the LLVM project at large. Are you suggesting this $$$ figure is wrong?

                        To contextualize, I have been one of those PhD students in the exact same space who used clang/libtooling in a past life, as well as a maintainer of a sufficiently popular corporate open source project, and I do have my own hunches on how much exactly random "volunteer contribution" is often worth (hint: it is mostly extra pain for the maintainers to review).

                        The irony is if Apple closed it up for themselves as proprietary software in the first place, they would not have received that criticism. If you start open sourcing, you will be treated with a much different, IMHO unfair, benchmark.

                        Before LLVM, much of the PL research prototyping would be done on Java with some research JVM crap because it was hard to do it in the real world with native code, so I would count the academics among the beneficiaries, not among the abused.

                  • karparov 79 days ago
                    Nobody forces those Ph.D. students to do that.
                    • pjmlp 79 days ago
                      HR Person at cool startup: "Please show me your Github repos"
                      • knowitnone 78 days ago
                        that's not force. that's marketing oneself as a good candidate
      • exe34 79 days ago
        > nobody is ever going to get paid to create a JPEG decoder as everyone can just use libjpeg.

        if there's no technical reason why libjpeg isn't suitable, I'd consider it a huge waste of human life to create another. if there is a good technical reason to build a new one, then somebody will do it for free or somebody will pay for it to be made.

        I think the system is working.

      • tredre3 79 days ago
        > Nobody is ever going to get paid to write a new kernel as everyone can just use Linux

        Not that it negates your point in any way, but lots of people are paid lots of money to write Zircon (Google Fuchsia's kernel) which is intended to replace Linux in many scenarios.

        • pjmlp 79 days ago
          Sadly it went nowhere, it remains to be seen how long it will take to join Android Things, Tango, and other Google OS related projects.

          Yes I am aware it is shipping on Nest Hub.

          • surajrmal 79 days ago
            It's open source and you can track how active it is by commits per week. It's still a very active project. It's a bit disheartening to see people make random armchair judgements.
            • pjmlp 79 days ago
              Very active keeping Google engineers busy, that is certainly indeed.

              What matters after almost 15 years, with a couple of major rewrites, is when it will ship on anything else besides Nest Hub.

        • surajrmal 79 days ago
          I will note that the number of people who actually work on the Zircon kernel directly is relatively small. Zircon is a small fraction of Fuchsia's codebase. However if you widen your view to include things that are not in the kernel but would be in Linux the math lines up better.
        • LtWorf 79 days ago
          So they are paid to write a useless toy. While people who write the useful code are not paid.
          • surajrmal 79 days ago
            If people didn't do the work for free in open source, then companies who need that functionality would in fact be forced to pay for it, although it may not necessarily be open source in turn. It's hard to complain about the state of open source because people choose to put themselves in these predicaments. If you need money to sustain the project, asking for donations is not really an adequate plan.
            • LtWorf 79 days ago
              Why do companies prefer to waste money on useless projects rather than donate to projects they actually depend on?
      • LeFantome 79 days ago
        Nobody is ever going to pay somebody to shovel holes when they can just use a backhoe. So, let's outlaw industrial machinery.

        Open Source achieves the exact opposite of what you say. It allows people to direct their talent and effort to solving high-value problems instead of low-value ones. Instead of writing a JPEG decoder, you can create a professional photography workflow or a pre-press pipeline. Instead of writing the low-level bits of a database, you can create an enterprise SaaS.

        Yes, Open Source infrastructure is hard to compete with. However, it is super easy to out-compete companies that are wasting their engineering resources re-inventing the wheel.

        Of course, there is always the option of doing the basic stuff better and being rewarded for it. Some will.

        And, while this reply is already too long to get into it, the majority of Open Source is written by people being paid to do it. So, wrong there too.

      • AAAAaccountAAAA 79 days ago
        It wouldn't be a good way to spend money and resources to rewrite things like jpeg decoders again and again. It would not help to make the final product any better, but just siphon the money off from more worthwhile purposes.

        Companies make billions? Good. It's time to tax them and use the money for the benefit of everyone.

      • agumonkey 79 days ago
        And I ironically think that if you want to fix open source you end up creating a good old economy, where people don't give, but negotiate an exchange a priori so they know they won't be disappointed after the fact.
      • nickpsecurity 79 days ago
        "nobody is ever going to get paid to create a JPEG decoder as everyone can just use libjpeg. Nobody is ever going to get paid to write a new kernel as everyone can just use Linux. Very few people are going to get paid to work on a new database as you can just use Postgres..."

        There's still many paid offerings for databases, operating systems (esp RTOS's), and image processing. That includes libraries. The companies are usually profitable with some making a fortune on the products. Quite opposite of what you said.

        The question you should ask is: why?

        Next question: how do I use those lessons to sell and give away something like OpenBSD?

      • matt-p 79 days ago
        I think killing software jobs is a bit of a silly argument, it's not a better world that we've got 1,000 closed source jpeg decoders rather than one excellent open source one.

        What I do find massively problematic is that the developers of the open source ones often aren't paid. That should be impossible, companies are profiting off of free labour and that's wrong. If anything open source developers should get paid more per accepted PR, they provide more value and probably better quality code.

      • flossDaily 79 days ago
        Seems like the economics works better than 99% of our society does. The point of the economy is not to produce jobs, it's to circulate goods and services. Open source does this more efficiently in the long term. The American (or globalized) economy is mostly inefficient and irrational outside the perspective of shareholders and investors. Unfortunately, those same people will make us commit mass suicide before allowing the basis of resource management to change.
      • dagi3d 79 days ago
        If we had to write every single piece of code over and over (or pay for them), computer science would have barely evolved and would not be so mainstream.
        • z3phyr 79 days ago
          Computer science evolved during the time when most people did not have a computer.

          The concepts of compilers, operating systems, databases, file systems, computer graphics all evolved from the 60s to the early 90s.

          After that, it was mostly scaling.

          • int_19h 79 days ago
            It is still true that people freely shared and copied sources for useful software in those days. It wasn't even called "open source" or any other kind of fancy term because it was the norm.
            • pjmlp 78 days ago
              It was called Demos, Public Domain, Shareware, Beerware, Postalware,....

              And the open core licenses of nowadays are nothing more than a rebranding of those kind of license models.

              • int_19h 78 days ago
                I'm talking about the early UNIX time period, when it wasn't really called anything. Shareware etc. is the minicomputer era.
        • liamkearney 79 days ago
          No, writing them over and over is literally what evolves computer science. Not having to write them over and over is what improves software. They’re different.
          • hulitu 79 days ago
            > No, writing them over and over is literally what evolves computer science.

            If this is the way computer science evolves, it is safe to say that it evolves at the same pace as life.

      • InsideOutSanta 79 days ago
        As a generic rule, it's true that open source software increases the supply of software, which means that the value of software goes down.

        The reason this doesn't really matter in a truly noticeable way, and why I'm also not really concerned about AI taking programming jobs, is that demand for software is so much higher than supply. You can go to any random local small business, and within five minutes, you will identify software demand that is not being met adequately, or at all. They use Excel for their inventory and constantly have problems with it that need to be manually resolved. Their website doesn't work right and nobody knows how to fix the broken links. They have somebody who does paychecks by hand. One person is in charge of scheduling holidays in a shared calendar. And so on.

        These companies would pay developers to fix their issues if they could afford them. As programmers become more productive, whether that is by using open-source software instead of writing things manually, by using LLMs, or by other means, there is a downward pressure on salaries. But that doesn't mean that jobs disappear; it just means that more companies now have access to developers they could previously not afford.

        We make less money doing some in-house processes for a small, local business than writing a database for a multinational corporation. But on the upside, we improve the lives of people who actually matter, rather than making some billionaire even richer.

      • hulitu 79 days ago
        > Programmers work for free, end users get a worse product, companies make trillions.

        I bet you didn't use any Microsoft product. /s

        • LtWorf 79 days ago
          You think microsoft doesn't use libre software?
    • deadbabe 80 days ago
      When you give freely and generously to the community you should do so with no expectation of getting anything in return. Sometimes that expectation is fulfilled.
      • noisy_boy 80 days ago
        They are not talking about OpenBSD's expectations, it's about the ethics (!) of the companies using things on the back of the generosity without giving back.
        • kweingar 79 days ago
          I see this mindset more and more, and to me it seems against the ethos of open-source software. There's something philosophically odd about saying "you are free to use, change, redistribute, or sell this with basically no restrictions" while simultaneously maintaining that users incur unstated ethical debts by accepting. It could even be seen as a kind of bait-and-switch.

          Contributions and reciprocity are praiseworthy of course, and we should all aspire to this. But that doesn't mean someone is ethically wrong for choosing to accept a gift freely given without giving one in return.

          • fc417fc802 79 days ago
            You are legally free to use. Your ethical obligations will depend on your particular worldview, and are likely to vary substantially by culture.

            All cultures I'm familiar with recognize that someone who is well off taking advantage of a tragedy of the commons is unethical. The particulars vary by locale but my impression is that it is universal that the degree of condemnation increases the wealthier the person exploiting the system is.

            • kweingar 79 days ago
              The thing about the tragedy of the commons is that you are actively hurting everyone else by depleting a non-rivalrous good.

              When I accept a friend's hospitality and don't reciprocate, I am taking their time and resources. When I take five free samples at the store, I ruin it for others who come later.

              When I download an open source GitHub repo, I am burning 1¢ of Microsoft's money.

              • MrJohz 79 days ago
                The cost of software is not the cost of distribution, it's the cost of maintenance, support, and implementation. When you clone a repo, this has little impact by itself, but the work to create that repository in the first place, to maintain it and ensure it is free of bugs, and to provide documentation and support so that people understand how to use it - that all has a cost.

                If nobody pays for that cost, then the work will never get done in the first place, and we won't have these resources.

              • jraph 79 days ago
                > When I download an open source GitHub repo, I am burning 1¢ of Microsoft's money.

                While the other examples seem good for illustrating the point, this one has it backwards I think. Microsoft worked very hard to be in this position. They did this on purpose and this aspect is essential to their success:

                - GitHub did everything they could to capture the market by being free to use and by leveraging the network effect

                - Microsoft bought GitHub at a point where it was already widely successful in this aspect, so they fully knew what they were buying

                Capturing the whole open source market is part of their business model. I don't like they've done this and I don't get to choose where authors host their code. Even the authors themselves might not have felt free to choose something else because of the network effect. It's only fair Microsoft pays for the privilege. GitHub being free is a feature for Microsoft.

                > When I accept a friend's hospitality and don't reciprocate

                I came to realize that you don't need to return the favor specifically to the person who helped you. Things work as long as you help anybody. The loop will be closed by someone who will eventually help the person who helped you (or has in the past). Actually, it doesn't even need to be a loop. This is very powerful and quite relaxing because you can be chill both for helping and for receiving help, and it has the potential of working very well and being very enjoyable.

                In short: take (from anybody) as long as you give (to anybody)

                (Of course, in a friendship, some reciprocity is necessary, if things only go one way, it doesn't work)

                • cb321 79 days ago
                  >In short: take (from anybody) as long as you give (to anybody)

                  Another pithy way people express this is with "pay it forward" https://en.wikipedia.org/wiki/Pay_it_forward

                  • jraph 79 days ago
                    Ah, I didn't plan to keep this "In short" sentence in my comment, but it allowed you to share this, nice. I didn't know this "Pay it forward" phrasing nor that the idea was theorized (but of course it was, in hindsight). It is such a nicer way to express this.
              • fc417fc802 79 days ago
                I'm not sure I see the point in distinguishing between something beneficial being reduced in value actively versus passively. Whether it's individuals taking negative action or individuals failing to take positive action, the end result is the same at the end of the day. Something beneficial is reduced in value by collective greedy (in)action. The world at large is made worse for it over time.

                Perhaps my definition is off? If so I would appreciate a pointer about the correct terminology.

                I suppose it might be different in the case of a one-time fork. It still seems like there's an ethical obligation to contribute back if you are well off and you benefit from something. I think there's a meta, societal level tragedy of the commons to be found there. But if you aren't actively benefiting from maintenance efforts then perhaps it doesn't qualify as a direct tragedy of the commons.

          • 0dayz 79 days ago
            If you've never maintained a project you don't know just how unthankful and demanding it is.

            Because of the endless amount of expectations.

          • wongarsu 79 days ago
            > But that doesn't mean someone is ethically wrong for choosing to accept a gift freely given without giving one in return

            Many cultures do in fact work that way. And while modern American culture views the idea of taking everything you can and only giving back what you are contractually forced to in a more positive light, the term freeloader still has negative connotations.

            • kweingar 79 days ago
              If you're a maintainer and reciprocity is an important value to you, and you think that people who don't give back are freeloading, then why did you specifically choose not to use a GPL license for your project?

              Your point about the gap between the words of a license and an ethical expectation is well taken. But why put that gap there at all? It's going out of your way to make sure that people have the choice to screw you.

            • grandempire 79 days ago
              > American culture views the idea of taking everything you can and only giving back what you are contractually forced to in a more positive light

              That’s not a thing in American culture. Maybe you are referring to the low trust culture of international commerce, which just happens to be centered in the US.

          • hulitu 79 days ago
            > There's something philosophically odd about saying "you are free to use, change, redistribute, or sell this with basically no restrictions" while simultaneously maintaining that users incur unstated ethical debts by accepting

            Not users, companies that make billions. We call that shameless.

        • toenail 79 days ago
          People choose BSD licenses precisely because they don't want to impose any ethics on anybody.
        • surajrmal 79 days ago
          How many restaurants serve food and ask for donations from patrons instead of charging them specific amounts? People are not generous; large companies, made of lots of people none of whom feel specifically responsible for the company's actions, are accordingly not going to be either. If they need money, the expectations should be set accordingly. Maybe source should be open, but features and bug reports must have accompanying bounties set by the individuals reporting them, otherwise the maintainer will ignore them.
        • karparov 79 days ago
          If you make it about ethics, it's not going to work. Your C-suite folks won't be on board.

          You need to make it about utility. Open sourcing some package or contributing to an existing package gives you returns far beyond your investment. A community will help maintain, improve, and grow your code. Perhaps even competitors will chip in. (If they don't, well, their loss..) It's going to be a net positive.

        • jjmarr 79 days ago
          Use GPLv3 or AGPL then. If you want companies to "give back" when they use your code, put it in the licence.

          Or you can charge money for your product.

          • bentley 79 days ago
            I don’t think OpenBSD is clamoring for code contributions from the companies with proprietary SSH forks. Just money to support continued development.

            > Use GPLv3 or AGPL then. If you want companies to "give back" when they use your code, put it in the licence.

            Seems like a poor choice given that projects like MongoDB try out AGPL for this reason and then later switch to nonfree licenses like SSPL. OpenBSD is not interested in that—whether its attempts to raise funds through goodwill work out or not, OpenBSD will always be free software.

        • zx8080 80 days ago
          Ethics does not belong to capitalism. Money is the central part of it, not ethics.
          • mmooss 79 days ago
            That's the excuse, but society only works if people behave ethically and not entirely in their self-interest. I don't see why that doesn't apply to people working in businesses, and it never has: Businesses have always contributed to their communities in many ways.
          • all2 79 days ago
            Any system of economics may be abused.

            A moral people could operate communism successfully. Unfortunately, most people are not even remotely moral. Pragmatically moral (in plain view, but not behind closed doors), for sure, but innately good -- definitely not.

        • DeathArrow 79 days ago
          >it's about the ethics (!) of the companies

          A company doesn't have ethics. Its sole purpose is to make a profit.

          • elcritch 79 days ago
            Nope, a company's purpose is to fulfill its charter. Profit is generally a goal of for-profit companies, but they usually have others too.

            https://www.nytimes.com/roomfordebate/2015/04/16/what-are-co...

          • rswail 79 days ago
            This is incorrect. Companies form for numerous different reasons, including a group of people needing a legal structure for investments, or to protect against liability, or for particular ventures.

            One of the primary outcomes that people want from corporate structures is profit, but that is not the structure's "sole purpose", either in law or practise.

            Corporate structures can't have ethics because they are not people (legal constructions of "person" vs "natural person" notwithstanding).

          • nickpsecurity 79 days ago
            Capitalism is usually maximization of selfish gain. A business in any form maximizes the objective of its owners, often financial gain. However, they can be designed to or run for altruistic purposes or a mix of altruism and selfishness. Here's two types of companies not solely about the money:

            https://www.forbes.com/sites/jerrybowyer/2017/04/25/what-mak...

            https://money.usnews.com/investing/articles/public-benefit-c...

      • pjmlp 79 days ago
        I would really like that the supermarket, my landlord, electricity and water company would equally be so generous.
        • saagarjha 79 days ago
          Sounds like you're in favor of UBI.
          • pjmlp 79 days ago
            As Europeans we are lucky to already enjoy minimum wage and unions across many countries, but money still has to flow from somewhere, namely taxes.

            Yet people still need to work somehow, and UBI is more of an ideal that will never happen in a capitalist society driven by the profits of a few shareholders at the expense of everyone else.

            Now the current trend is replacing people with self-service machines; those people aren't getting UBI, they are being shown the street.

    • nickpsecurity 79 days ago
      The license says use it however you want with nothing in return. They usually get nothing in return. It's a license best used when you want maximum uptake by users, including proprietary products. It's also good for people who enjoy knowing others enjoy using what they build. Whereas, it's one of the worst licenses if a supplier wants money.

      Let's assume goals like OpenBSD's. If one also wants money, they can make the software paid, free for many categories of users, source-available, and derivatives (mods) allowed. The paid part can be regular payments or one-time per release. Probably an exception to mods allowed saying they can't backport paid features from new versions to old versions but independent creation is allowed. From there, companies will pay to support it or they'll determine it has no market value.

      There are proprietary, source-available RTOS's on the market for real-time and secure use. One source said, but I haven't verified, that INTEGRITY RTOS royalty-free was around $17,000 minimum per product or company. Another said LynxOS with communications middleware was around $50,000. A number of small vendors exist showing one can generate sales if their product is marketable. Tons of companies are selling firewalls, load balancers, etc., like those OpenBSD is often used in.

      https://en.wikipedia.org/wiki/Comparison_of_real-time_operat...

      So, if money is important, they can change their terms to demand money some or all of the time. If the license says "free giveaway!," expect most people to treat it that way. I imagine quite a few of the developers have exactly that expectation. They are motivated by the joy of writing great code, not money.

    • _flux 79 days ago
      > By creating OpenSSH and the fact all fortune 500 companies use it

      It was a fork of Tatu Ylönen's SSH, so I think it would be more accurate to call it forking, not creating.

      Of course, they've created a lot of new code as well since 1999.

    • globular-toast 79 days ago
      > It is time these companies really give back.

      Our system rewards those who take as much as they can and give as little as they can. The tradeoff here is that each entity having a certain amount of freedom makes us happier since we can be different and choose to allocate our resources in different ways. But asking corporations to give back when they don't have to is like asking your neighbours to pay more tax because the roads need repairing.

      You can't appeal to individuals, so the solution is simply to raise the bar on what that minimum is. The way to do that with software is to use copyleft licences. Support copyleft projects in any way you can and reject permissively licensed projects where possible. If we had stuck with copyleft we'd be so much better off.

    • traceroute66 79 days ago
      > It is time these companies really give back.

      I'm not going to sit here shilling for the corporates, but at the same time I think you need to put yourself in their shoes.

      The stance you are taking is essentially the same as if a chugger stops me in the street and asks me to sign up to regular donations to $charity because "it's only $1 a month". To which the inevitable answer is "sure, and there are a gazillion other charities, so I'm supposed to give $1 to all of them because it's 'only' $1 a month"? I will choose which charities and how much to donate to on my terms, thank you very much.

      And it's the same with corporates and open-source. Your favourite pet-project might be OpenBSD and you might think $evilCorp should give more to them? But what about all the gazillion other pieces a typical $evilCorp will use? OpenSSL? curl? ping? traceroute? In your idealistic world a corporate would give $1m to each of them I guess?

      The fact is the corporate lawyers know you've released your software on open terms. I'm sure they would be happy to buy an OpenBSD license ... but OpenBSD made their bed, as it says on their website "OpenBSD policy is simple — OpenBSD strives to provide code that can be freely used, copied, modified, and distributed by anyone and for any purpose. "

      And before you say "well, they could donate instead of buying licenses" ... let's just say you would be naïve. Buying licenses is a "simple" standardised procurement exercise in most corporates. Meanwhile giving donations typically is a far more bespoke process involving far more administrative burden. And the smaller the recipient of the donation, the more admin burden required.

      As others have pointed out $evilCorp does contribute indirectly to open-source. Many of the core maintainers and contributors to open-source are employed by $evilCorp and file their PRs to the open-source projects on their employer's dime, often whilst sitting in their employer's offices, using their employer's computers and infrastructure.

      • formerly_proven 79 days ago
        E-Corp typically has support contracts with vendors like Red Hat which in turn employ developers.
      • danlitt 79 days ago
        > I will choose which charities and how much to donate to on my terms, thank you very much.

        Indeed. The observation is that generally for most corporations the charities are "nobody" and the amounts are "$0". If you, an individual, behave this way then you're a bad person. The argument is merely that the corporate "people" are also being bad people.

        > In your idealistic world a corporate would give $1m to each of them I guess?

        Why make this ridiculous strawman? If we said "some reasonable amount, distributed among their dependencies" why is that unreasonable? Do we have to draw out the whole picture before these people even attempt to consider what a reasonable contribution could be?

        > The fact is the corporate lawyers know you've released your software on open terms.

        Yes, and corporate parasites will therefore extract the maximum value while providing the minimum in return. History repeats itself.

        > Buying licenses is a "simple" standardised procurement exercise in most corporates.

        If you think about this for a few seconds you will realise it is not a good excuse. If ping/openssl/whatever had a "recommended contribution" listed on their "corporate licensing" page, then there is no administrative burden required whatsoever. You just pay whatever they ask, same as a license. You think the price is too high? Make up one.

        So why is there a high administrative burden? Simply, because corporates themselves place a high value on "paying the bare legal minimum". In other words, they over-value the virtue of being cheap and unsociable. If your reaction to this is "that's just how business is", then good for you: according to your understanding, business is antisocial, and should be discouraged.

    • tonyhart7 79 days ago
      "hardware vendors should open up their source"

      this doesn't make sense, how can you expect hardware companies to do this, where is the moat???

      • mrweasel 79 days ago
        It's not as bad as it used to be, but one moat some companies had was "excellent support for Linux/Unix/BSD". Until CUDA no one in their right mind would buy Nvidia for their Linux workstation, just like you'd avoid certain Broadcom wireless chips.

        Hardware companies need their devices supported by as many operating systems as possible, especially if those devices can be used in servers, desktops less so. Apple is pretty much the exception.

        • tonyhart7 79 days ago
          having support for linux != open source their shit

          You can still support linux while still having closed source

      • surajrmal 79 days ago
        Source code is often still very confusing without accompanying documentation. A weird cryptic series of register writes with random values makes it difficult to really understand what's going on.
    • lnxg33k1 80 days ago
      Capitalism is based on the exploitation of workers who are directly hired by a company, now imagine if a company would pay someone who it doesn't have to
      • genewitch 79 days ago
        I'd change "workers" to "persons with little capital".
      • throwaway72063 79 days ago
        Any example of exploitation in the capitalist tech industry, and what job under any other system is not exploitative by comparison?
      • LtWorf 79 days ago
        [flagged]
    • ekianjo 79 days ago
      The beauty of FOSS is that it does not ask for anything in return (the 4 freedoms). That's exactly why things get adopted in the first place. Because you are free to use them as you see fit, which is why Fortune 500 companies use them in the first place.
    • voidfunc 79 days ago
      > It is time these companies really give back.

      There's no reason for them to do so while maintainers continue to be willing to work for free and governments take a lax stand on security breaches.

    • lynx97 79 days ago
      [flagged]
    • olddustytrail 80 days ago
      They could easily raise a few million if they bothered working on sales, but they don't.
      • hoppp 80 days ago
        It's not really a for-profit project and I prefer it stays that way. Projects that raise money tend to get "corrupted" by the greed.

        Not that there is anything wrong with raising money, but the ideology behind OpenBSD doesn't really fit if they go for profit

      • dbtc 80 days ago
        a) they shouldn't have to

        b) part of what makes it great is that they don't

      • renewiltord 80 days ago
        They have a sales team of online enthusiasts who work for free. Unfortunately, they got what they paid for.
        • fc417fc802 79 days ago
          > Unfortunately, they got what they paid for.

          Industry wide adoption?

          • renewiltord 79 days ago
            We’re happy; they’re happy. But the sales team works on commission.
          • nobankai 79 days ago
            [flagged]
  • YesThatTom2 79 days ago
    John Ioannidis (first name on the list… IPsec) passed away a few weeks ago and almost nobody noticed.

    I attended a memorial on Zoom and people said he also created the building blocks that permitted Mobile IP (IP on your cell phone) to work.

    • mmooss 79 days ago
      Thank you for letting us know. Have you tried to submit something for the front page?

      If you knew John, then my condolences. We're all using the things he built, every day.

    • StatsAreFun 79 days ago
      Oh wow, I was not aware of his passing! Thank you for sharing that information. RIP John :(
  • brynet 80 days ago
    In addition to work pioneering privdrop/privsep design for network daemons, and the almost ubiquitous adoption of pledge(2)/unveil(2) across the base system, I think people are missing out on much more recent mitigation work, such as mimmutable (which Linux is just beginning to land with mseal): on OpenBSD, most of a program's static address space (.text/ld.so's .text/.bss/main stack) is now automatically immutable.

    There's also execute-only memory and BTI/IBT on modern Intel/AMD and ARM machines, enabled by default, including a significant amount of ports development work to make the larger software ecosystem ready for this.
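
    The unveil(2)/pledge(2) pattern brynet refers to, shown as a small C program. This is an added example, not code from the thread or from OpenBSD's own source tree: the directory and file names are assumed defaults, and the #ifdef fallback that reports ENOSYS on systems without these calls is an assumption made so the program also builds elsewhere. The order is the one base utilities use: narrow the filesystem view first, lock it, then reduce the promises.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/*
 * Restrict the calling process the way an OpenBSD base utility typically
 * does: first shrink the visible filesystem to one read-only directory
 * with unveil(2), then lock the unveil list, then drop everything except
 * stdio and read-only file access with pledge(2).
 *
 * Returns 0 on success, otherwise the errno of the failing call.  On
 * systems without these calls (the #ifdef fallback, an assumption made
 * for portability) it returns ENOSYS and leaves the process unrestricted.
 */
int sandbox_reader(const char *dir)
{
#ifdef __OpenBSD__
	/* Order matters: unveil(2) is only allowed before pledge(2) or under a
	 * pledge that still includes the "unveil" promise, so the filesystem
	 * view is narrowed before the promises are reduced. */
	if (unveil(dir, "r") == -1)
		return errno;
	/* unveil(NULL, NULL) forbids any further unveil calls. */
	if (unveil(NULL, NULL) == -1)
		return errno;
	/* "stdio rpath": I/O on already-open descriptors plus read-only path
	 * operations.  Any other system call class (open for write, sockets,
	 * exec, ...) terminates the process with SIGABRT rather than failing. */
	if (pledge("stdio rpath", NULL) == -1)
		return errno;
	return 0;
#else
	(void)dir;
	return ENOSYS;
#endif
}

/* Attempt a read-only open; returns 0 on success, else errno.
 * Behind unveil, a path outside the unveiled tree reports ENOENT and
 * a write open inside it reports EACCES, i.e. an error, not a crash. */
int try_open_readonly(const char *path)
{
	int fd = open(path, O_RDONLY);

	if (fd == -1)
		return errno;
	close(fd);
	return 0;
}

int main(int argc, char *argv[])
{
	/* Assumed defaults: a directory and a file that exist on most systems. */
	const char *dir = argc > 1 ? argv[1] : "/etc";
	const char *path = argc > 2 ? argv[2] : "/etc/services";
	int rc = sandbox_reader(dir);

	if (rc != 0)
		fprintf(stderr, "sandbox not applied: %s\n", strerror(rc));
	rc = try_open_readonly(path);
	printf("open(%s): %s\n", path, rc ? strerror(rc) : "ok");
	return 0;
}
```

    Running it on OpenBSD as `./reader /etc /etc/services` succeeds, while `./reader /etc /var/log/messages` fails with ENOENT because the path is hidden by unveil; the difference between the two failure modes (unveil returning an error, pledge aborting the process) is what makes the pair cheap to retrofit across a base system.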

    • saagarjha 79 days ago
      Execute-only memory on ARM is a footgun (bypasses PAN); Linux and macOS both block it. OpenBSD probably should too.
      • brynet 79 days ago
        Why? OpenBSD seems to think execute-only in userland is important. We've had SMAP on x86 for many years, it helped fix bugs early, these bugs are rare now, so why is everyone concerned about kernel accesses that aren't using copyin(9)?

        EPAN is already supported, hardware is now arriving, it's used if available, but the idea that execute-only was less important than PAN was probably misguided.

        • saagarjha 70 days ago
          If you have EAN feel free to turn it back on but I generally believe that execute-only is less important than PAN, yes.
      • crest 79 days ago
        How does execute-only memory disable privileged access never memory? The bigger problem I expect is the overhead of losing PC-relative loads unless the hardware still allows these as instruction-fetch related? Would you have to dedicate one of your 31 GPRs as the table of contents pointer similar to PowerPC’s ABI (e.g. sizeof(void(*)(void)) == 2*sizeof(void *))?
        • saagarjha 70 days ago
          https://blog.siguza.net/PAN/ has a nice summary of the PAN issue. Also, you can't load data under execute-only but you can execute it (e.g. by jumping there). If you are compiling under this scheme you need to tell your compiler that this is the case.
  • tptacek 80 days ago
    A phenomenal resource on the same subject:

    https://isopenbsdsecu.re/mitigations/

    • i80and 80 days ago
      I like this -- despite the clown nose logo, it's actually fair to my eye and is respectful to parts of OpenBSD that are thoughtfully designed.
      • chicom_malware 80 days ago
        OpenBSD is thoughtfully designed because it is one of the best examples of "design by dictator" (Theo) - and a small core team - as opposed to design by committee like every other OS out there. Look me in the eye and tell me 90% of changes and unnecessary features in macOS aren't there because some team needs to justify their existence.
        • lobf 80 days ago
          What features in macOS are you referring to?
          • amiga386 79 days ago
            I'm not OP but renaming IOMasterPort to IOMainPort for the sake of renaming alone drove home what a bunch of backwards-incompatible clowns Apple are
      • arp242 80 days ago
        I assume you meant to write "disrespectful"?
    • mmooss 79 days ago
      They are very positive about some mitigations:

      https://isopenbsdsecu.re/mitigations/pledge/

      • tptacek 79 days ago
        Sure. I like pledge --- though I think OpenBSD should just do eBPF too.
        • mmooss 78 days ago
          Maybe it's just limited resources? In a project that size, I can't imagine having to keep up with the resources of Linux (and to a degree with Apple, Google, and Microsoft) on one side and with all the attackers on the other side. And they want - their reason for being is - higher quality code and security than the rest.

          Their 'unusual' approach to security might be a distraction they don't need. But maybe it's the only way to hope to pull it off? Maybe they can't do it the GLAM (Google, Linux, Apple, Microsoft) way with OBSD's resources.

    • huang_chung 80 days ago
      [flagged]
      • somat 79 days ago
        But OpenBSD does have a code of conduct. You can find it here.

        https://www.openbsd.org/mail.html#Netiquette

      • inopinatus 79 days ago
        The author neither complains about it, nor says they are bothered by it. “This website was done because studying mitigations is fun, not to get involved in a huge flamewars or endless bike-shedding on mailing lists”. Misrepresentation is a poor showing. Perhaps we should take everything you write with a grain of salt, hmm?

        Fun fact, Hacker News also has guidelines for conduct.

      • tptacek 80 days ago
        Yeah I was worried for a second jcs might have something interesting to say about backward- and forward- edge CFI, but then I remembered he's woke and closed the tab before the mind virus could get me.
        • bentley 79 days ago
          This is “stein”:

          https://media.ccc.de/v/36c3-10519-a_systematic_evaluation_of...

          Doesn’t look like jcs to me.

          • tptacek 79 days ago
            Might stein's first name be................
            • bentley 79 days ago
              It might! But unless jcs changed his appearance and his accent since I last met up with him in Chicago, this is one of the millions of other people named Stein.
              • tptacek 79 days ago
                OK, no idea. I've been in the same room with him too, but I didn't look very carefully at the CCC presentation. An awfully big coincidence, given jcs's OpenBSD involvement! But totally possible. Neither here nor there to my point about this page as a resource, if you can, somehow, look past the code of conduct concerns.
                • bentley 79 days ago
                  I don’t care one bit about the code of conduct conversation you’re having. Just found it funny that you’ve been attributing this site to jcs for years based just on a common surname.
                  • tptacek 79 days ago
                    Hey! (a) Not just that and (b) How many times have I ever attributed this site? I just like the site, is all.
                    • bentley 79 days ago
                      > How many times have I ever attributed this site [to jcs]?

                      I don’t keep track of people’s HN comments—but I noticed one time some months back, and figured someone should point it out next time. :)

                      [edit: struck “found several”]

                      • tptacek 79 days ago
                        For the record this thread appears to be the first time I've ever mentioned jcs outside of a thread long, long ago about why Lobsters happened.
                        • bentley 79 days ago
                          Last year:

                          https://news.ycombinator.com/item?id=40032473

                          Can’t find anything from “years ago,” though. So maybe my search skills are weak, or maybe I confabulated the memory of finding others, so I’ll withdraw that. Either way, I hope you agree that this thread (now rightfully behind a flag) is all played out.

        • huang_chung 80 days ago
          [flagged]
          • butter999 79 days ago
            The onus is always on you to figure out what information is and is not reliable. People who haven't stated their feelings still have them. They might still be pursuing an agenda other than being informative. If anything, someone stating their reservations should make you feel more comfortable, because it gives you a better lens to view their statements through and judge what parts you trust more or less.

            Personally, what makes me discount a source as unreliable is when they don't state clearly what their problems are but instead make it known through vague insinuations or by a litany of tangential complaints. When someone says "I'm uncomfortable with X" I respect their candor, regardless of how I feel about X.

            • fc417fc802 79 days ago
              Someone stating their reservations when those are directly relevant to the subject at hand, sure. If they aren't directly relevant to the subject under discussion but are directly related to a negative impact on the person while they were performing the relevant work then I get that as well.

              But someone who isn't mature enough to separate their irrelevant personal views from the task at hand when communicating with an audience, not so much. It calls into question their ability to be objective.

              Note that I apply this equally, even to those who interject pet topics that I strongly support.

              • butter999 79 days ago
                Granted. However, the quote at issue doesn't come out of left field. It is natural to consider the internal politics of an open source project when writing a wide ranging, in depth critique of the project. Plenty of projects don't have a CoC, it is idiosyncratic to be "proud" not to have one, and that does reflect on the project (I leave it to you to decide if it's for better or worse).
                • huang_chung 79 days ago
                  CoC are the homeowners associations of the free software world. Some think they're essential to keep undesirables out; others won't have anything to do with them.

                  Both are often the source of petty disagreements.

                  • butter999 79 days ago
                    The source of petty disagreement, in this instance, is that you went to this website, clicked on "about," found an offhand mention of CoCs, which you took out of context to derail the conversation and start an argument. You complain that the author is injecting their "feelings" into a discussion, but you're clearly going out of your way to inject your anti-CoC politics into a discussion of an operating system. You complain that CoCs are tools to exclude people, meanwhile you are attempting to dissuade people from engaging with this author's work because an offhand remark rubbed you the wrong way.

                    Physician, heal thyself.

                    • fc417fc802 79 days ago
                      That seems a rather unreasonable characterization.

                      While I didn't raise a comment over it (since I felt it likely that it might sour the discussion) I too found myself wondering about the motivations behind that remark when I came across it. As it happens I had the exact same thought that GP had - to wonder if there was an ulterior motive at play. However based on the rest of the content I came to the conclusion that the site didn't seem to be particularly biased. Highly technically opinionated, a bit colorful, but not a malicious hit piece.

                      And for what it's worth I thought the HoA analogy you're responding to here was on point. Those also tend to be incredibly polarizing to a bewildering degree. Apparently a large portion of Americans get remarkably bent out of shape if you try to regulate their behavior, while a different set is similarly incensed by attempts to prevent said regulation.

                      • butter999 79 days ago
                        The motivations seem pretty plain. They were anticipating the question, "why did you host this site yourself?" I don't think there's any need to read further into it. You seem to have come to that conclusion yourself.

                        The HOA analogy would be appropriate if HOAs were about conduct among colleagues. It's pretty obvious why you need to set ground rules when you have a huge number of people collaborating - you get incidents of people behaving inappropriately, and if that behavior proliferates, you will create a hostile environment where it's difficult for work to be done. (See this comment https://news.ycombinator.com/item?id=43147705)

                        HOAs are a problem because there is very little shared interest in regulating the size of hedges or the color you may paint your house or whatever. It's a scheme to keep property values elevated.

                        There is no connection between these phenomena. One of them addresses pragmatic and real problems, however flawed the implementation may be. The other is a scheme to manipulate property markets. There is no shared cause between them.

                        • fc417fc802 79 days ago
                          The author's second point (about general hostility) answered the question. The CoC comment above it appears as a non sequitur to me. You misunderstood my conclusion - it was that the remainder of the site passed my "is this a hit piece or is this just a bit spicy" check.

                          > The HOA analogy would be appropriate if HOAs were about conduct among colleagues.

                          There was nothing inappropriate about the analogy. If they both involved colleagues then the analogy would be pointless because they would be the same thing. The entire point of an analogy is the abstract similarities between things that are different.

                          The necessity of CoCs does not follow from the necessity of ground rules. That is a conclusion that you silently slipped in without justification. Social norms have not historically been codified as CoCs. Moreover, I would dispute that codifying social norms is the actual intended purpose of CoCs despite being the stated one.

                          "Very little shared interest" and "scheme to keep property values elevated" appear contradictory to me. Property values are a very strong shared interest for most people. Avoidance of noisy or otherwise disruptive neighbors are another strong shared interest. Folks just don't always agree on all the details.

                          > One of them addresses pragmatic and real problems, however flawed the implementation may be.

                          That would be HoAs, of course, which prevent my neighbor from unilaterally tanking my outrageously expensive (relative to my income) investment. CoCs in contrast are a recent trend and thus obviously unnecessary for productive collaboration.

                          • butter999 77 days ago
                            By "appropriate" I meant "fitting" or "suitable". Just in case you took my meaning as "inappropriate in conversation," I could have been more clear, my mistake.

                            My supposition about the necessity of ground rules is precisely as supported as the alternatives offered in this discussion. Poorly supported by the standards of rigorous debate, I agree, but supported enough for casual discussion. No one has offered any evidence CoCs are caused by busybodies. ("Silently" seems unnecessary, it wasn't silent, I stated it aloud and described why I thought it was so. I can't help but point out again, you go on to dispute it, but not with any evidence. I think that's fine for casual discussion, but it's not meeting the bar you're setting.)

                            "Scheme to elevate property values" is a shared interest if all of the homeowners primarily view their homes as financial instruments. People get bent out of shape with HOAs because they want their home for other things. Some people would rather put up radio towers or paint their house a garish color or park a truck on their lawn than maximize their property value.

                            CoCs are as old as dirt. I signed one every single year in elementary school, decades ago. They've been a norm in workplaces for a long time. They're more recent in open source projects, and they started because of problems projects were having - people being creepy at conferences, people starting drama on mailing lists, etc.

                            What's recent is the politicization of CoCs.

                            If it helps, I would agree that busybodies might abuse both of these mechanisms to impose themselves on their neighbors and colleagues. I disagree that that is the root of why they exist, on the basis that they can be explained by incentives and pragmatic considerations. On an Occam's razor basis, if I don't need to assume busybodies are the motivating force to explain the existence of these things, then I won't, until such a time I receive evidence I can't explain without them. Were we colleagues, and I were involved in drafting a CoC, "I don't want a CoC because I'm worried it will be abused by busybodies" is a concern I'd take seriously.

                            • fc417fc802 76 days ago
                              > By "appropriate" I meant "fitting" or "suitable".

                              I felt that the analogy was both of those.

                              > "Silently" seems unnecessary, it wasn't silent

                              You wrote "it's pretty obvious why you need to set ground rules" in regards to CoCs, which implies that CoCs are the primary or preferred or standard means for doing that. It's an unstated premise, and one that I disagree with.

                              > you go on to dispute it, but not with any evidence.

                              You implied a rather sweeping claim (the necessity of CoCs to enforce ground rules) which I believe puts the burden of evidence squarely on you.

                              While not obligated by social convention, I believe my point that social norms have not historically been codified as CoCs qualifies as a veritable mountain of evidence disputing your implication. People have been successfully collaborating (and enforcing social ground rules) for approximately all of human history; CoCs in comparison are a quite recent development.

                              > "Scheme to elevate property values" is a shared interest if all of the homeowners primarily view their homes as financial instruments.

                              You could as well claim that noise ordinances aren't a shared interest because some people like to party in their yard into the wee hours. The observation would be correct but it would not support the claim. Note that even if the group collectively chooses not to prioritize something it still remains a shared interest inasmuch as the definition of "interest" is something which has a negative or positive impact on the individual.

                              > they started because of problems projects were having - people being creepy at conferences, people starting drama on mailing lists, etc.

                              Agreed that those are certainly the sorts of things that the people in favor of them claimed as justification. That those things were happening at a problematic rate, that a CoC would meaningfully reduce that rate, that the benefits of this reduction would outweigh any negative impacts a CoC might have, and that this was their motivation in pursuing their adoption. I was never convinced, particularly on that last point.

                              As far as drama on mailing lists goes, I believe the results in the years since speak for themselves. Any self respecting troll would be envious of the amount of drama CoCs have been used to kick up. In that sense they truly are exactly like an HoA.

                              > What's recent is the politicization of CoCs.

                              I believe that politicization you refer to is what drove the recent widespread adoption in open source projects that you speak of. As but one example, consider the route that sqlite took and how controversially that was received. Surely if the reasoning driving the adoption was as you suggest then very few people would have been bothered by the document that project adopted.

                              > On an Occam's razor basis, if I don't need to assume busybodies are the motivating force

                              For the record, you are the one who brought busybodies into this. My previous claim was merely that CoCs are "unnecessary for productive collaboration". If you had asked I would have answered that I think politics are the motivating force. Regardless, you merely assumed a different motivating force and I am unconvinced by it. From my perspective, if I don't need to assume the sudden and mysterious breakdown in the ability of people to constructively collaborate in the absence of CoCs then I won't.

                              • butter999 76 days ago
                                You are applying standards only to my comments. Your statements are just as "sweeping" and "silent". We're both just asserting stuff based on our experiences, but it only seems to be a problem when I do it. I'm doing my best to have a productive discussion, but I don't think it's possible under the circumstances.
          • dcow 79 days ago
            Not to mention that in the general case it seems desirable that a community can exist without needing a CoC. Being disappointed that some community out there is doing just fine without CoC is a /really weird/ point to make in a marketing piece evangelizing how secure OpenBSD is as a technology. To the extent that it feels out of place and yes detracts. Some would even go so far as to argue that OpenBSD is second to none in security because they don’t give a shit about politics and tone in their community. They swiftly dismiss the wasted cycles spent on those in other communities, instead spending their precious time focusing on just being really good. The author sorta misses the plot point there.
            • hackernoops 79 days ago
              > /really weird/

              That's only if you take CoC enjoyers at their word. It makes perfect sense when you realize it's not about advancing the project or community, but rather control-freak ideology.

              • butter999 79 days ago
                a.) They found it off-putting that OpenBSD was "proud" not to have a CoC, in the context of whether they would choose to work with them or to host the website themselves. Consider taking a moment to read the passage in question: https://isopenbsdsecu.re/about/

                This idea they were surprised a project succeeded without having a CoC is an artefact of this particular discussion, not something the author ever said or implied. It was in the same category as de Raadt swearing at people over email - they didn't anticipate a productive exchange if they reached out. That's it.

                If someone declares they reserve the right to treat people however they please, and then you observe them treating people in a way you don't want to be treated, and your conclusion is, "I don't think emailing this person is a good use of my time, I'm just going to host this website myself" - I find it hard to understand how anyone would find that objectionable, that seems simple, common sense, and largely neutral.

                b.) Whenever you have a large group of people collaborating for an extended period of time, you have incidents. There's drama. There's inappropriate behavior. It's just how it goes. It's a Murphy's Law thing.

                Eventually people sit down and say, "we've gotta set some ground rules." You probably signed a code of conduct at every school you attended and every job you've accepted. I know I have.

                You can disagree with that without viewing it as a conspiracy. It's a predictable result of being in a large community, and about as ideological as traffic lights.

                • dcow 79 days ago
                  I did read the page in question… You talk like it would be any different with the linux kernel. A CoC doesn’t govern whether you’re entitled to a productive discussion with the big maintainer. Theo swearing at one person cannot be extrapolated to swearing at all people. And in linux’s case it apparently doesn’t prevent good contributions from getting stonewalled and shunned (to the point of turning contributors away) by righteous zealots in the community anyway.
                  • butter999 79 days ago
                    If you read the page then I don't understand why you continue to mischaracterize what it says. Eg, the page offers multiple examples of de Raadt swearing at people, which you characterize as "swearing at one person." Frankly, it makes me doubt your candor.
                    • dcow 79 days ago
                      I was speaking rhetorically. I don't mean to imply there’s only one instance of swearing. Anyway that’s not even the point. We know Theo is abrasive. It also makes good security. Weird to complain about “the community” on a page evangelizing the success of said community. If the author doesn't want to dive into the mailing list then good for them. Leave it at that.
                      • butter999 79 days ago
                        You weren't speaking rhetorically, you were mischaracterizing what the author said to weaken their statement. That's the most charitable way to describe it without parting from the facts.

                        > If the author doesn't want to dive into the mailing list then good for them. Leave it at that.

                        They did leave it at that.

                        • dcow 79 days ago
                          I was not. You can believe me or not.

                          And no, the author whined about how he doesn’t like the icky openbsd community very much arguably out of place. (There are multiple people who have mentioned they think it’s out of place, at least.) That’s not leaving it at that. Leaving it at that implies no further action.

                          • butter999 79 days ago
                            I believe you when you say you made no error and that it was part of your rhetorical strategy. The problem is that your rhetorical strategy was to mischaracterize the author's statement in order to weaken it. That's dishonest. Saying "that was merely rhetorical" doesn't magically make it not dishonest. (This is on top of your earlier mischaracterization that they were "surprised" a project succeeded without a CoC, which I presumed was a mistake caused by a game of telephone in this discussion until you implied that wasn't the case. I can't take you at your word when you have mischaracterized the author multiple times then doubled down.)

                            If you had said, "oh, that was a mistake, I didn't mean to imply they had extrapolated from a single instance," then I would've believed you then, too.

                            They made a side note in an "about" page. You're making a mountain out of a pebble. The author made a minor note about their thought process, you have been complaining about it and have now crossed into personal attacks on them. "Whining" is not a stone you ought to be throwing.

                            • dcow 79 days ago
                              You’ve got a lot to learn around here butter. Good luck!
                              • butter999 77 days ago
                                Don't we all have a lot to teach and a lot to learn?

                                Same to you, have a good one.

  • eru 80 days ago
    > Random-data memory: the ability to specify that a variable should be initialized at load time with random byte values (placed into a new ELF .openbsd.randomdata section) was implemented in OpenBSD 5.3 by Matthew Dempsky.

    What's the use case for this?

    EDIT: further down is one example:

    > RETGUARD is a replacement for the stack-protector which uses a per-function random cookie (located in the read-only ELF .openbsd.randomdata section) to consistency-check the return address on the stack. Implemented for amd64 and arm64 by Todd Mortimer in OpenBSD 6.4, for mips64 in OpenBSD 6.7, and powerpc/powerpc64 in OpenBSD 6.9. amd64 system call stubs also protected in OpenBSD 7.3.

  • commandersaki 80 days ago
    Really surprised that pledge / unveil isn't featured more prominently on this page.
    • aomix 80 days ago
      Everything I've read about pledge and unveil really admires the approach and the results, but it didn't seem to have a big impact outside of OpenBSD. It took ~20 years for OpenBSD's CSPRNG to be re-implemented everywhere else; maybe we're operating on a similar timeline here.
    • ajb 80 days ago
      Well, it's in date order. But they could do with a line or so of explanation.
    • wint3rmute 79 days ago
      Maybe I'm not getting something here, but I find the pledge/unveil approach confusing.

      Why should I expect a program to set allowed syscalls/filesystem paths? Why would I trust that it will set itself the right permissions? What is allowed should be set externally from the program, similarly how I can map filesystem volumes and add capabilities to a Docker container [1].

      I'm not familiar with BSD and I only used it a couple times out of curiosity. What am I missing?

      [1] https://docs.docker.com/engine/security/#linux-kernel-capabi...

      • somat 79 days ago
        The threat vector is not that you don't trust the program (pledge/unveil is completely unsuitable for that), but that you worry the program will be compromised while it is running.

        So the observation is that programs tend to have a startup state where they need access to files and a run state where they don't. So pledge/unveil is a mechanism for a program to inform the OS that it no longer needs access to files/syscalls and any future access should be considered a hostile takeover. Please kill me.

      • IcePic 79 days ago
        > Why should I expect a program to set allowed syscalls/filesystem paths? Why would I trust that it will set itself the right permissions?

        Because the admin or owner will know FAR less about what a complex program needs at all times, and when it will be safe to drop privs. A database might be tested for a week and then it has a special snapshot thing done for the monthly backup and you did not foresee this, whereas the coders would know what perms are needed in order to do these dumps. Hence, you can't set perms just once before starting, and as a user of said software, you can't expect to just make a quick test and then design a fully working harness for it either.
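The two-phase pattern described in the two replies above (a startup state that needs the filesystem, then a run state that does not) in working C, as an added example that is not code from the thread or from OpenBSD itself. The config file name, its `max_clients=<n>` format and the sample contents are constructed for the demonstration. On OpenBSD the real pledge(2) and unveil(2) come from `<unistd.h>`; on other systems the block substitutes no-op stubs so it still compiles, but then nothing is actually restricted.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#ifndef __OpenBSD__
/* Stand-ins so the file compiles elsewhere; they restrict nothing.
 * On OpenBSD the real syscalls are declared in <unistd.h>. */
static int pledge(const char *promises, const char *execpromises)
{
    (void)promises; (void)execpromises;
    return 0;
}
static int unveil(const char *path, const char *permissions)
{
    (void)path; (void)permissions;
    return 0;
}
#endif

/* Constructed sample input: writes a one-line config file.
 * Must run before any restriction, since afterwards the process
 * is not allowed to create files. */
int write_constructed_config(const char *path, const char *contents)
{
    FILE *fp = fopen(path, "w");
    if (fp == NULL)
        return -1;
    if (fputs(contents, fp) == EOF) {
        fclose(fp);
        return -1;
    }
    return fclose(fp) == 0 ? 0 : -1;
}

/* Startup state: the program still has to read its config, so it keeps
 * the "rpath" promise but narrows the visible filesystem to that one file. */
int restrict_startup(const char *config_path)
{
    if (unveil(config_path, "r") == -1)
        return -1;
    if (unveil(NULL, NULL) == -1)      /* lock the list: no further unveil() */
        return -1;
    if (pledge("stdio rpath", NULL) == -1)
        return -1;
    return 0;
}

/* Parses a single line of the form "max_clients=<n>"; stores n on success. */
int load_config(const char *config_path, long *max_clients)
{
    char line[128];
    FILE *fp = fopen(config_path, "r");
    if (fp == NULL)
        return -1;
    if (fgets(line, sizeof line, fp) == NULL) {
        fclose(fp);
        return -1;
    }
    fclose(fp);
    if (strncmp(line, "max_clients=", 12) != 0)
        return -1;
    char *end;
    errno = 0;
    long n = strtol(line + 12, &end, 10);
    if (errno != 0 || end == line + 12 || n < 0)
        return -1;
    *max_clients = n;
    return 0;
}

/* Run state: the config is in memory and the filesystem is no longer needed.
 * Drop to "stdio" only; on OpenBSD any later open(2) is a pledge violation
 * and the kernel terminates the process with SIGABRT. */
int restrict_runtime(void)
{
    return pledge("stdio", NULL);
}

/* Whole sequence: narrow, read, narrow further. Returns max_clients or -1.
 * Call once per process: promises can only shrink, and after unveil(NULL, NULL)
 * no further unveil() calls are permitted. */
long run_demo(const char *config_path)
{
    long max_clients = -1;
    if (restrict_startup(config_path) == -1)
        return -1;
    if (load_config(config_path, &max_clients) == -1)
        return -1;
    if (restrict_runtime() == -1)
        return -1;
    return max_clients;
}

int main(void)
{
    const char *path = "/tmp/unveil_demo.conf";   /* constructed sample file */
    if (write_constructed_config(path, "max_clients=42\n") == -1)
        return 1;
    long n = run_demo(path);
    printf("max_clients=%ld\n", n);
    return n == 42 ? 0 : 1;
}
```

The ordering is the whole point: unveil runs first because it needs no promise of its own before the first pledge call, the lock-in `unveil(NULL, NULL)` prevents a compromised process from widening its view later, and the second `pledge` is only reachable after the file has been read. The kernel's response to a violation is termination rather than an error return, which is why a violation cannot be shown inside the example.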

  • bradley_taunt 80 days ago
    Also a great resource:

    https://why-openbsd.rocks/

  • eqvinox 80 days ago
    Have they implemented ISO C11 _Thread_local yet? It's been the number one annoyance¹ with porting software to OpenBSD. It is (was?) the only mainline OS without support for native thread-local storage.

    ¹ e.g. https://github.com/FRRouting/frr/blob/3f290c97e8325bd9db9363...

    • fuhsnn 80 days ago
      I believe their system clang supports it with -femulated-tls.
      • eqvinox 80 days ago
        Pretty sure we tried that and it didn't work, but that was at least 2 years ago... time to retry I guess.

        Emulated TLS isn't particularly great though in any case :/

  • bell-cot 79 days ago
    For those interested in actually supporting some of this work:

    https://www.openbsdfoundation.org/donations.html

    https://www.openbsd.org/donations.html

  • gtirloni 79 days ago
    Incredible. I wonder what's the debugging experience for userland developers with all these security features enabled (especially the memory randomization ones).
    • bentley 79 days ago
      My general experience has been that it’s great at turning rare crashes into frequent crashes, which are much easier to fix.
    • fc417fc802 79 days ago
      Can't you launch the debugger as root and attach to the process? Which is to say, I'd expect the experience to be approximately the same.

      Alternatively, debug in a VM where the security features are disabled.

      > especially the memory randomization ones

      I have never once relied on memory addresses being reproducible between program runs. In an era of ASLR that seems like a really bad plan. Plus multithreading breaks that for malloc'd stuff anyway.

  • avodonosov 80 days ago
    Is OpenBSD suitable for daily use on a laptop?

    Does anyone have such experience? Is it ok?

    • LeoPanthera 80 days ago
      The developers often use ThinkPads, and so consequently it works quite well on ThinkPads.

      Your experience will be a lot more variable on any other laptop.

      Worth remembering that OpenBSD has no support for bluetooth, which many users often require on a laptop.

      • mikem170 80 days ago
        Small USB bluetooth dongles work; they show up as a regular audio device. I use one and sndiod can be set to automatically switch back and forth to it.

        I run openbsd on my laptop, a thinkpad x260 with an ssd, and it works great.

      • chicom_malware 80 days ago
        Worth mentioning lack of Bluetooth is only because they felt the existing BT stack was not up to their standards and ripped it out rather than let it rot like most software.
        • porridgeraisin 79 days ago
          There are a grand total of zero valid reasons for not including bluetooth in a desktop OS.
          • toast0 79 days ago
            It's pretty easy to avoid Bluetooth, and it's a complex stack, and having code quality standards means sometimes you have to remove features because the code quality isn't there, and nobody had time/interest/motivation to do the work to make an implementation with the proper amount of quality.

            If you have a 'must have' device for your desktop environment that's bluetooth, then yes, it makes OpenBSD unviable for you; but OpenBSD isn't viable for every use case.

            • porridgeraisin 79 days ago
              > isn't viable for every use case

              Yes, and desktop, especially laptop, is an example.

              • IcePic 79 days ago
                Sounds easy to buy one of those bluetooth dongle things that can talk to your external mouse/keyboard and pretend to be a set of wired usb-hid devices to solve that small issue.
              • dijit 79 days ago
                I’d prefer not to have something than to have a bad something.

                Yeah, it was annoying when I tried to pair my mouse, but you know… a wired mouse isn’t that big of a deal.

                One thing that brings me the most displeasure about internet discourse about operating systems is this idea that they all have to do all the same things.

                That's homogeneity by another name; the point of different operating systems is different trade-offs.

                • porridgeraisin 79 days ago
                  Sure, and openbsd has traded off being a desktop OS for not tainting their code with the Bluetooth stack
                  • dijit 79 days ago
                    If we're going to be discussing in bad faith, as you seem to be: should I remind you that your definition of "being a desktop OS" means running a stack that is primarily useful for phones and laptops, definitively not "Desktop" devices?
                  • toast0 79 days ago
                    I haven't used a Bluetooth device on a desktop or laptop in decades now. Not because I'm using OpenBSD, but because while the promise is there, the reality of using Bluetooth has been so disappointing it's not even worth trying for me anymore. Personally, I'm not opposed to wires, because wires usually mean low latency and no dropped connections; but even when using things like wireless mice, using them in proprietary modes was so much better than Bluetooth that after a couple attempts, I stopped trying.

                    You've clearly had a different experience with Bluetooth, and that's good for you, and neither of our experiences is universal, but I think there are plenty of people willing to use a desktop OS without Bluetooth.

                    Heck, my new car only uses bluetooth to do phone pairing, then it switches to wifi to talk to phones, because that's clearly better than Bluetooth.

          • mrweasel 79 days ago
            Not having developers to work on it seems pretty valid. It's a matter of opinion, but I feel like it's better to have no Bluetooth, compared to having a half-broken and unsupported implementation. Again, you could also view it as having a semi-functional Bluetooth is better than none and then hopefully attract developers wanting to fix it.
          • prmoustache 79 days ago
            I can't recall having needed bluetooth for anything else but audio[1] on my laptops so there is a huge YMMV.

            [1] for which there is an easy workaround in the form of class compliant usb audio cards that output to bluetooth.

          • esseph 79 days ago
            Then make it. Are you waiting for someone else to do the work?
    • brynet 80 days ago
      It depends on what you need for your daily use, OpenBSD has ports of common desktop environments, KDE Plasma, GNOME. In fact, thanks to KDE and GNOME port maintainers, Rafael Sadowski, and Antoine Jacoutot, respectively, OpenBSD 7.6 -current has the latest versions of both (KDE Plasma Desktop 6.3.1, GNOME 47).

      I recently checked out KDE 6 for the first time last year; it really is as easy as running 'pkg_add kde kde-plasma kde-plasma-extras' and then reading through the local pkg-readme file. That said, if you're not familiar with OpenBSD it won't be like other systems where it comes preinstalled and preconfigured.

      https://brynet.ca/article-l13gen2.html

      There are many popular window managers and applications you can install using the package tools, as you'd expect, including Chromium and Firefox, but you can quickly search here: https://openbsd.app/

    • kovac 79 days ago
      I use OpenBSD. You must check the hardware support. If it works, it works far better than Linux from my experience. Some things to take note of:

        1. Power management may not be as good as with Linux
        2. No HDMI sound support
        3. No bluetooth
        4. You need to be comfortable with config files and man pages.
        5. Probably fewer applications in the ports tree (I have all I need).
      
      If you are fine with the above, OpenBSD is the finest OS I've used so far. I've never run into random issues like wifi connectivity or audio issues, as with Linux.
    • dbtc 80 days ago
    • matteotom 79 days ago
      It was a few years ago, but I ran OpenBSD for about a year in college (on a Thinkpad). It worked because I rarely needed anything more than Firefox, code editors, and a shell with ssh. Most of my time was spent reading, writing papers, writing emails, and writing code.
    • LAC-Tech 79 days ago
      My big issue when I looked into it was the default filesystem was quite an antiquated design that would lose or corrupt data in a power cut or unexpected shutdown. Last I checked many of the devs have fairly elaborate uninterruptible power supplies to deal with this.

      A lot to like about openBSD; doas is my daily driver on linux, openbsd man changes are incredible, but I'm not going to mess about recovering disks just because I forgot to plug my laptop in.

    • puffybuf 79 days ago
      I use it, and even run wayland (sway) on my dell laptop. No bluetooth support. Encrypted disk. Takes a lot of time to set up. Generally similar to linux, but less hardware support.
    • myaccountonhn 80 days ago
      It works quite well. The OOB experience is very complete and hardware gets picked up without issue. However you’re limited in the amount of apps and it’s also incredibly slow, so you’ll need to really use minimal, fast cli apps.

      I left it ultimately because it had way worse battery life than Linux on my T480s and I also wanted to play some games with steam.

      • tasuki 80 days ago
        > it’s also incredibly slow

        I never used OpenBSD. Why is it incredibly slow?

        • daneel_w 80 days ago
          Disk I/O is notably slower than e.g. Linux or Windows and execution performance is generally a tiny bit slower, but nothing about it is "incredibly slow".
          • dijit 79 days ago
            browsers are exceptionally slow in my experience.
            • daneel_w 79 days ago
              You will want to enable GPU-accelerated rendering for Firefox and Chromium to get a smoother experience when scrolling pages and for certain video playback, because that's disabled by default. Besides that they load and parse pages and act on input pretty much as fast as they do on Linux.
        • amatecha 79 days ago
          Well, SMT/hyper-threading is disabled by default[0], not sure if there are other reasons though. It's not that bad, but yeah OpenBSD is probably not your optimal gaming OS :P

          [0] https://www.mail-archive.com/[email protected]/msg9...

          • daneel_w 79 days ago
            SMT being disabled is not a reason for anything to be incredibly slow, or even tangibly slower, unless the CPU has a single core.
      • eru 80 days ago
        You could probably get close to the same experience by running your BSD in a VM when you need it?
    • hoppp 80 days ago
      Yes but depends on the laptop.
    • RachelF 80 days ago
      Get a Mac laptop. OS X is based on BSD.
      • hnlmorg 80 days ago
        OpenBSD is as different from macOS as Windows 11 is from OpenVMS.
      • daneel_w 80 days ago
        Common misconception. It is not. The kernel is XNU, and the OS base is Darwin which has some BSD parts in it, and some of the userland came directly from FreeBSD (though heavily modified).
        • hnlmorg 80 days ago
          You’re not actually disagreeing with the OPs statement though. And they’re technically right too.

          The problem is that all the user facing stuff in macOS isn’t BSD. It’s Apple's proprietary APIs. So while macOS was originally and technically based on BSD, almost none of that is exposed to their users.

          So they’re technically correct that macOS / Next was based on BSD. But also completely wrong to recommend macOS as a comparison to OpenBSD.

          • mattl 80 days ago
            macOS was originally based on OPENSTEP. OPENSTEP was based on NeXTSTEP which was based on 4.3 and later 4.4.

            BSD stuff has a complicated history due to the lawsuits in the 1990s.

            NetBSD and FreeBSD were based on 386BSD. OpenBSD was a fork of NetBSD by one of the NetBSD founders (Theo de Raadt)...

            • hnlmorg 79 days ago
              It’s not even as clear cut as that because there’s FreeBSD and NetBSD code in XNU too.

              Also OpenStep is an API rather than an OS. So macOS contains both NextStep and OpenStep code.

              • t-3 79 days ago
                I'm pretty sure I've even read about FreeBSD code in the Windows networking stack. Is Windows now based on BSD? Open source code, especially when it's permissively licensed, ends up absolutely everywhere.
                • hnlmorg 79 days ago
                  Windows is very much based on NT, which has its influences from a few different OSes, most notably VMS.

                  AFAIK there isn’t any BSD code in Windows; however, the original TCP/IP stack in Windows was a port from BSD. But we are talking about the early 90s here and it’s long since been rewritten by Microsoft (or so they say, but I have no reason to disbelieve Microsoft).

              • mattl 79 days ago
                OPENSTEP is the OS, OpenStep is the framework.

                After NeXTSTEP 3.3 there was OPENSTEP 4.0.

                OPENSTEP 4.2 is the last operating system release prior to Rhapsody.

                Yes it’s confusing.

                • hnlmorg 79 days ago
                  True. The capitalisation rules for releases kill me every time too. Not just with OpenStep but with Next too. I now don’t even bother trying to get the capitalisation correct.

                  Considering how obsessed with UX that Jobs was, I don’t get how he thought the naming conventions were a good idea.

                  • mattl 79 days ago
                    I believe it all came after Paul Rand did the logo.

                    NeXT looks good in the logo, and they spent $100,000 on it.

                    FWIW, I like it but it is confusing and made harder by the fact they also didn’t stick to their own conventions much of the time.

  • p_ing 80 days ago
    carp is one of my favorite things to come out of OpenBSD. It's awesome combined with HAProxy. I really enjoyed managing that system.
  • ardupper 80 days ago
    Thanks for posting this, I think in our industry provenance is an underrated piece of knowledge.
  • agent327 79 days ago
    Position-Independent Executables (and ASLR) were used by AmigaOS back in 1985. It had to, since the Amiga lacked an MMU, and had very little memory, so anything that was loaded had to be placed at whatever ram was available.

    It didn't need the executable to end up in a single block either, every individual section could end up in a different location. Compilers produced large numbers of sections to facilitate this process.

    • amiga386 79 days ago
      That's not what's meant by PIE though. It means the code can appear at any address and still be valid.

      Amigas could, of course, have position-independent code. Use BSR and BRA rather than JSR and JMP; use LEA label(pc),A0 / MOVE.L (A0),D0 instead of MOVE.L label,D0 .. but the limits for PC-relative addressing are +/- 32k so you need to get creative to reach code or data further than that.

      More commonly, Amiga executables had relocs, a list of fixups to apply. The code on disk in each hunk was written as if all hunks were loaded at address 0. There was then a list of relocations at the end of each hunk, saying what offsets in that hunk need the base address of another hunk (including themselves) added there, to fixup the absolute address reference.

      This is relocatable code, but not position independent code. If I used an MMU to make that relocated code appear at another address, all its absolute addressing would be wrong at that new address.

      Position-independent code can be shared by multiple processes, and appear anywhere in their address space, while only existing once in memory.

      • Joker_vD 79 days ago
        Well, PIC, as it commonly is done nowadays (via PC-relative addressing), requires the static/global data it references to be positioned at a very specific offset from it. Which prohibits one not only from e.g. putting it 16 GiB away (why would you actually want this?) but also from having unduly large code modules: x64 only provides ±2GiB for PC-relative addressing so you'd have to use some sort of indirection scheme anyhow.
      • IcePic 79 days ago
        Well, resident programs (actual Pure residents in AmigaOS) would be like PIE, though that came a bit later, and gave the same effect, several programs could run the same code with different set of registers, and all data was pointed to by registers and no globals.
        • amiga386 79 days ago
          It's still not position independent code (i.e. no absolute addressing, zero relocs), but pure residents are of course reentrant, so their code can be run in many processes' contexts at the same time, by virtue of not using any global state, instead using the process's stack, or have heap allocations that are passed in/out.

          The difference is that, with position-independent code, it can be loaded once, no relocations needed, and the same pages of code can be mapped into hundreds of processes' address spaces, each at a random location. Doing it like resident Amiga programs would mean loading to a specific address (even if random), and then it'd have to remain at that address across all processes, which makes it difficult to have different combinations of shared objects in the address space.
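
          As an added example (not the page's or OpenBSD's own code, and not real AmigaDOS loader code; the hunk struct, its field names and the 32-bit, word-granular address model are assumptions made for illustration), here are the two schemes the two comments above contrast, in C: a relocation table that bakes a chosen base into absolute references, beside a PC-relative reference that resolves the same way wherever the code lands. It also includes the displacement-width check behind the ±2GiB remark in the sibling reply.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed toy model: a "hunk" is a block of 32-bit words written as if
 * the hunk were loaded at address 0, plus a table of fixups. Assumed layout,
 * not any real executable format. */
#define MAX_WORDS  8
#define MAX_RELOCS 8

struct reloc {
    uint32_t offset;   /* word index in this hunk holding an absolute address */
    uint32_t target;   /* index of the hunk that address points into        */
};

struct hunk {
    uint32_t     words[MAX_WORDS];
    size_t       nwords;
    struct reloc relocs[MAX_RELOCS];
    size_t       nrelocs;
};

/* Loader step for relocatable code: add the chosen base of the target hunk
 * to every word the reloc table names. Returns 0 on success, -1 if the table
 * points outside the hunk or at a non-existent hunk; a loader must reject a
 * malformed table instead of writing through it. */
int relocate(struct hunk *hunks, size_t nhunks, const uint32_t *bases)
{
    for (size_t h = 0; h < nhunks; h++) {
        struct hunk *hk = &hunks[h];
        for (size_t r = 0; r < hk->nrelocs; r++) {
            uint32_t off = hk->relocs[r].offset;
            uint32_t tgt = hk->relocs[r].target;
            if (off >= hk->nwords || tgt >= nhunks)
                return -1;
            hk->words[off] += bases[tgt];   /* base is now baked into the code */
        }
    }
    return 0;
}

/* In the sense used above, a hunk is position independent only if it needs
 * no fixups at all: it can then be mapped anywhere without being rewritten. */
int is_position_independent(const struct hunk *hk)
{
    return hk->nrelocs == 0;
}

/* PC-relative reference (LEA label(pc) style): the stored value is a signed
 * displacement from the referencing instruction at address 'site', so the
 * resolved address moves with the code. */
uint32_t pc_relative_target(uint32_t site, int32_t disp)
{
    return site + (uint32_t)disp;
}

/* 68000 PC-relative displacements are 16-bit, x86-64 RIP-relative ones are
 * 32-bit. Anything further away than the field can encode needs an
 * indirection (a pointer table) instead. */
int pc_relative_fits(int64_t disp, int bits)
{
    int64_t limit = (int64_t)1 << (bits - 1);
    return disp >= -limit && disp < limit;
}

/* Two-hunk sample: hunk 0 ("code") holds an absolute pointer to word 2 of
 * hunk 1 ("data"), stored as 2*4 = 8 relative to base 0 and needing a reloc,
 * and a PC-relative displacement from its own word 2 to word 3. */
size_t sample_program(struct hunk *hk)
{
    hk[0] = (struct hunk){ .nwords = 4, .nrelocs = 1 };
    hk[0].words[1]  = 8;                                   /* absolute ref  */
    hk[0].relocs[0] = (struct reloc){ .offset = 1, .target = 1 };
    hk[0].words[2]  = 4;                                   /* +4 bytes: word 2 -> word 3 */
    hk[1] = (struct hunk){ .nwords = 4, .nrelocs = 0 };
    hk[1].words[2]  = 0xdeadbeef;
    return 2;
}

int main(void)
{
    struct hunk hk[2];
    size_t n = sample_program(hk);
    uint32_t bases[2] = { 0x1000, 0x2000 };

    if (relocate(hk, n, bases) != 0)
        return 1;
    printf("absolute ref after reloc: 0x%x (valid only while hunk 1 sits at 0x%x)\n",
           hk[0].words[1], bases[1]);
    printf("pc-relative ref from 0x%x: 0x%x; same code at 0x%x: 0x%x\n",
           bases[0] + 8, pc_relative_target(bases[0] + 8, (int32_t)hk[0].words[2]),
           0x7000 + 8,   pc_relative_target(0x7000 + 8,   (int32_t)hk[0].words[2]));
    return 0;
}
```

          Build with `cc -std=c99 -Wall` and run it: the first line shows why output of relocate() cannot simply be remapped elsewhere (0x2008 is only right while hunk 1 really is at 0x2000), the second why a PC-relative reference lets one copy of the code be mapped at a different address in every process.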

  • hackernoops 79 days ago
    Big respect to OpenBSD. Now all it needs is a FS with ZFS's core capabilities and it'll be almost perfect.
  • muppetman 79 days ago
    A LOT of those innovations were first present in grsecurity/PaX. Back when it was freely available to everyone as well. I guess the argument is that OpenBSD has them by default without needing a 3rd party patch, and that's why they're claiming them as their innovations?
    • kennysoona 79 days ago
      Yup! The idea behind Pledge/Unveil was first in Landlock also.

      > that's why they're claiming them as their innovations?

      I think they are just listing their specific implementations as innovations, their particular approach. Too much of what they list was definitely not an original idea, so they can't possibly be suggesting otherwise. At least, I would hope not.

      • brynet 79 days ago
        > The idea behind Pledge/Unveil was first in Landlock also.

        This is so plainly, and verifiably untrue, that it's almost funny. The patch series and kernel commit adding Landlock to the Linux kernel even references OpenBSD pledge(2)/unveil(2) as a source of inspiration.

        https://github.com/torvalds/linux/commit/17ae69aba89dbfa2139...

        https://lore.kernel.org/linux-security-module/20210422154123...

        • kennysoona 79 days ago
          > This is so plainly, and verifiably untrue, that it's almost funny.

          I just found that email and the talk for the project myself and noted the author referenced pledge in another comment, but thought that could be due to the earlier OpenBSD release having gotten press, making it useful as a point of comparison.

          I had honestly thought the landlock website or an earlier talk had pre-dated the release of OpenBSD 5.9, but I appear to have been wrong about that.

      • ori_b 79 days ago
        > Yup! The idea behind Pledge/Unveil was first in Landlock also.

        Landlock was released in Linux 5.13, in 2021. Pledge was released in OpenBSD 5.9, in 2016. As far as I'm aware, Pledge is the first of its kind.

  • sidkshatriya 79 days ago
    I am guaranteed to get grief on this but an anti-Innovation in OpenBSD (so obsessed it is about security) is to use an unsafe language like C everywhere in kernel and user space.

    The implementation of OpenBSD predates many safer systems languages but I think OpenBSD should now start moving to a checked variant of C or a safer language like Rust/OCaml/Odin/Zig/Something else.

    The conversion can start with some OpenBSD user space programs. I notice a steady stream of C related security fixes in the OpenBSD changelog. Many of these could have been probably avoided if the implementation language was more “safe” by default.

    I doubt that this is going to happen but I think it is fair to point out that using C does give you some additional security headaches by default.

    • chicom_malware 79 days ago
      Theo has addressed this directly. I cannot find the video at the moment - it is somewhere on YouTube - but his response essentially is: okay, so where is 'cat'? Where is 'grep'? Where is Korn Shell?

      Everyone is busy jumping up and down and bitching about reinventing the wheel in Rust but no one has even taken the time to rewrite the simplest of Unix tools in Rust.

      Not to mention OpenBSD has a rule that "base builds base" and the Rust compiler is a bloated monster that would fail that most basic task.

      So where is the benefit?

      • sillywalk 79 days ago
        >no one has even taken the time to rewrite the simplest of Unix tools in Rust.

        "The uutils project reimplements ubiquitous command line utilities in Rust. Our goal is to modernize the utils, while retaining full compatibility with the existing utilities."

        https://uutils.github.io/

        https://github.com/uutils/coreutils

        • dazzawazza 79 days ago
          "We are planning to replace all essential Linux tools."

          It would be nice if they commit to replacing more than just Linux tools. There are numerous quirks/additions to the GNU utils that the BSDs don't want or need.

      • fc417fc802 79 days ago
        The worst part is when you come across something advertised as a replacement and it does something like 80% to 90% of what the original does with a WONTFIX for the rest. That can certainly be a valid choice in some cases, but for core tooling it's not realistic to expect widespread replacement to happen in that scenario.
      • saagarjha 79 days ago
        lol? These have been rewritten several times by various people, it's almost a meme at this point to make "x utility but in Rust".
      • LAC-Tech 79 days ago
        so where is 'cat'?

        https://github.com/sharkdp/bat (Haven't used this one, but it's pretty popular)

        Where is 'grep'?

        https://github.com/BurntSushi/ripgrep Use this one often. It's fast af to search a directory of source code.

        Where is Korn Shell?

        https://fishshell.com/blog/fish-4b/ Fish is now entirely in Rust, very popular, and to be frank basically a step above bash or ksh.

        • oguz-ismail 79 days ago
          None of these is a 1:1 replacement.
        • j16sdiz 79 days ago
          Are they POSIX compliant? (Hint: no)
          • LAC-Tech 79 days ago
            Fair. I'm not an OS dev, so I don't really know what POSIX compliance with cat or whatever gets you.

            All I know is that I'm increasingly replacing classic unix cli tools with rust ones that are just better and faster.

            • tcmart14 78 days ago
              Here is the other part. For the BSDs, it's not as simple as, "someone implements them, then we include them." You can package it in the ports tree, but they won't be a part of the base system. While BSD and Linux are similar in a lot of ways, they differ in a lot of others. The BSDs are designed with the idea that each BSD makes a complete "base system". The same team writing kernel code is the same team writing userland. So each BSD's core utils are developed and maintained by their respective development team. It is not like Linux, which is really more like smashing different projects from different teams together. At least for what is considered the "base" system.

              As mentioned elsewhere, this isn't as big of a problem on OpenBSD, but would be for NetBSD. The Rust tools don't support all the supported architectures. This is where BSD philosophy diverges. With NetBSD, if you've got a PDP-11 or a toaster with a chip, they are more than happy to make NetBSD run on it, and the NetBSD team also doesn't necessarily have a requirement for physical hardware; if there is an esoteric chip with QEMU support, they will happily try to support it. OpenBSD will maintain support for an architecture so long as someone is willing to maintain it and owns the physical hardware (which is why it supports less than NetBSD).

              This is also why NetBSD is sort of "stuck on" gcc. I believe they would like to move to clang, but can't due to architecture support.

              Some more on the first paragraph: OpenBSD to a degree takes this to a whole other level than the other BSDs. OpenBSD maintains their own fork of X11 called xenocara and a window manager, cwm. In theory, you can have a pretty basic and functional system from boot code to window manager with all of that code maintained by the same team, the OpenBSD developers. They even have their own version control system called got.

              • LAC-Tech 78 days ago
                Thanks for this in-depth response. It's made me realise that I'm very much in the Linux "smashing together different projects" camp. Probably much more so than other Linux users seeing as I prefer to use super minimalist distros like Alpine + my favourite utils, rather than the standard GNU/Linux.
                • tcmart14 78 days ago
                  No problem. Like I said, it's easy to think that since they are both unixy systems and a lot of things "rhyme", a solution that works for one works for the other. But they in fact have different design and development philosophies. And this is even true amongst the BSDs themselves. NetBSD, from boot code to the top of the stack, is developed independently from FreeBSD, OpenBSD, Dragonfly, and vice versa. Now, they will take ideas and re-implement them into their own stack, but they don't necessarily share code directly.
      • ptman 79 days ago
        https://github.com/uutils/coreutils

        Parent wasn't about rust specifically. Just something safer than C

        • oguz-ismail 79 days ago
          > uutils

          Under development for longer than a decade and still unstable

          • dijit 79 days ago
            “put up or shut up” is a valid response.

            Someone is “putting up”, just need someone to merge uutils and the OpenBSD kernel to see what it starts to look like.

            Maybe this is the next part of the “put up or shut up” mantra- but we’re getting closer.

            The parent's irony is not lost though. C and Perl are both quite dangerous in their own ways, lots of implicit assumptions; it's ironic that a safety focused operating system would lean in on those languages.

          • tazjin 79 days ago
            The website says "production ready" for their coreutils.

            Maybe catching up to 40+ years of development takes a little bit of time?

            • dpassens 79 days ago
              > Maybe catching up to 40+ years of development takes a little bit of time?

              Sure. But that's not OpenBSD's problem, is it?

            • IcePic 79 days ago
              Which is the point. 40 years of development is 40 years of development.
      • radiator 79 days ago
        It will not be Rust, since this has not happened after so many years of Rust existing. It will be some other language.
    • alberth 79 days ago
      While I totally agree, OpenBSD has a goal to run on some legacy & esoteric hardware.

      Hardware that isn’t supported by many of these “newer & safer” languages.

    • renox 79 days ago
      Well Rust has the most momentum, but going from C to Rust is quite a jump.

      Zig isn't even 1.0. Odin, DasBetterC have not much uptake.

      OCaml has a GC which is a non-starter for kernel, it could be used in user space sure.

      • pjmlp 78 days ago
        The folks at Xerox PARC, ETHZ, DecOlivetti, Microsoft Research, MirageOS, disagree on what a GC is good for, even if the market mostly thinks otherwise.
    • nickpsecurity 79 days ago
      Of alternatives, I think Zig is closest to what they like. It's small, easy to maintain, has great tooling for C, and already used for high-reliability (TigerBeetle). I don't know if its portability is as good as they like, though.
  • ksec 80 days ago
    I wonder if we could get router based on OpenBSD.
  • knorker 79 days ago
    W^X is only true in an extremely narrow sense. They said they were first, and that it cannot be done on x86. Which was a surprise to me, having run it on multiple Linux architectures, including x86, for years with PaX or grsec.

    Then I guessed they looked around, and saw oh we can do it on x86 too, the pax way.

  • alberth 79 days ago
    Does OpenBSD still have a giant lock?

    Genuinely curious, and it’s been years since I’ve looked at it.

    • IcePic 79 days ago
      It has, and it is used less and less. Not sure if any OS never does it anywhere, but the important part is to remove it from all "hot paths", not to remove it where it's not relevant.

      Can't say if they still do, but FreeBSD for the longest time used to list the floppy driver being one of the modules using GiantLock and that was a problem for what I guess was about zero people.

      But if one asks fbsd devs if they still have it, they would have to answer yes, even if the rest of the OS runs super great without locks anywhere else, so the binary question of "is there somewhere something that for some time could possibly call the giant lock" isn't very interesting, but rather "will it do it for the tasks I imagine I will run on my machine?" and that would have to be a more fine-grained question with some research, just like the locks in the kernels are getting more and more fine-grained.

    • daneel_w 79 days ago
      Most of that is gone and the performance upswing is very noticeable. A little bit of work remains.
      • alberth 79 days ago
        > It turns out that all the OpenBSD locks boiled down to a global netlock rw lock for the entire IPv4/IPv6 stack.

        I guess addressing the network stack is work that still remains?

        https://news.ycombinator.com/item?id=40076376

        • daneel_w 79 days ago
          A lot of the network stack has been unlocked (and parallelized) already. There are probably a few bits left to untangle in there. In my own experience, depending on what driver/MAC is used, the network performance has on average doubled in the last two years.
    • saagarjha 79 days ago
      I still see spl references so I think so?
  • snvzz 79 days ago
    I am hopeful for got (game of trees).

    OpenBSD still uses CVS, and I suspect its development will benefit greatly (actually accelerate) from the switch, once it eventually happens.

  • Alifatisk 79 days ago
    For someone who’s interested in getting into any *BSD, which should I go with? OpenBSD or FreeBSD?
    • dilippkumar 79 days ago
      I use OpenBSD. I love it, but I recommend reading warnings on the label.

      I would say FreeBSD is somewhat like Ubuntu is to Linux - easy to get setup, works for more people.

      There isn’t anything like OpenBSD in the Linux world - where the primary focus is system correctness, even at the cost of user convenience at times.

    • bell-cot 79 days ago
      What's your use case?

      (FWIW, there are several other *BSDs.)

      • Alifatisk 79 days ago
        I don't have any specific use case yet, I'm planning on having a little server at home. Things I'll use it for is hosting small apps, local dns server, monitor our LAN and maybe act as a host for multiplayer games.
        • homebrewer 79 days ago
          FreeBSD is much more similar to Linux (you'll feel right at home in a few hours of practice), usually performs better, supports more hardware, includes full ZFS support (including root-on-ZFS — and several FreeBSD developers work on ZFS full time), has decent compatibility with Linux binaries, and more software in the ports.
        • p_ing 79 days ago
          What games? Few multiplayer servers, if any, would run natively on a BSD.

          Unless you're spinning up a MUD.

  • teddyh 79 days ago
    > This is a list of software and ideas developed or maintained by the OpenBSD project

    (Emphasis mine.)

  • quotemstr 79 days ago
    Yet they can't manage a unified page cache like every other OS on the planet? I'll be more receptive to the concept of OpenBSD innovating when their virtual memory subsystem gets over Reagan leaving office.
  • astrostl 73 days ago
    * Best man pages ever
  • ZevsVultAveHera 79 days ago
    They forgot to list The0's comebacks
  • snvzz 79 days ago
    It also leads the BSDs in RISC-V support.
  • arnejenssen 79 days ago
    Off topic: I'm wondering why OpenBSD pages (and many "*ux") just uses basic HTML with no styling or CSS?

    Typography matters for readability. For the minimum get a decent line height and limit the line length to 60-ish characters.

    Are OpenBSD not taking (potential) users seriously? User experience matters, and the readability of the docs is part of the UX.

    (sorry for the rant)

    • gkbrk 79 days ago
      That page uses CSS though. Maybe we're looking at different view-sources.

      And for readability I already have my browser set up with my favorite fonts and font sizes and background/foreground colors. How can I expect every website to guess my preferences perfectly, as opposed to all the other people with different preferences? So I just set it up one time in the browser UI and it just works everywhere.

      If a user is not able to navigate a font/color selection UI but wants to give technical advice to the OpenBSD team, I think it's that user not taking OpenBSD developers seriously.

  • yapyap 80 days ago
    wow, 25+ years later and ipv6 is still not fully integrated
    • 4ad 80 days ago
      OpenBSD was the first system with an IPv6 stack.
    • daneel_w 80 days ago
      What? I think you misread. The IPv6 stack was "almost fully operational [already] by june 1996".
  • Joker_vD 80 days ago
    Perhaps one day the OpenBSD folks will figure out how to completely prevent user programs from making syscalls. It seems they are mostly there but still not quite. Please don't mention WASM in your replies.
    • yjftsjthsd-h 80 days ago
      Are you referring to their only allowing syscalls from libc? Because AFAIK that's fully functional already?

      Or if you're trying to solve a problem, what are you doing that pledge() doesn't cover? For that matter WASM.... would do that, so why not use it?

    • ori_b 80 days ago
      It's rather hard to do anything useful if you disable i/o.
      • Joker_vD 79 days ago
        Precisely! And yet they make it really hard for my shellcode to do anything useful for some reason, ugh.
        • ori_b 79 days ago
          Since the only way a program like that could interact with the environment is via a side channel, it'd be equivalent to not running the code at all.

          As a result, you can disable all syscalls for your program with one simple request: 'exit()'

        • j16sdiz 79 days ago
          Printing hello world is a syscall: you need that to write to STDOUT.

          There are alternatives to syscalls. For example, writing to shared memory. Shared memory as IPC is hard. And you need some syscall to set the memory up...