HoaS goes on an OpenBSD Adventure


Re: HS goes on an OpenBSD Adventure

Postby nodir » October 31st, 2018, 4:22 pm

For the most part i ran Sid while using debian.
I had to restore from backup once in all those years.
Else all i did was wait a day or two, until the bug was fixed by the packager.

The last years i sometimes don't start the PC for weeks or months. So i would use stable (i for one don't care for the version of a program).

To put it differently: There is not that much about running sid, testing or unstable/testing. Not sure if i learnt much by using it. Perhaps. Now and then you have to fiddle a bit. But you sure learn more by backporting a package, i agree.
nodir
 
Posts: 305
Joined: June 16th, 2015, 10:10 pm

Re: My Awesome Adventure (CoC debate)

Postby Head_on_a_Stick » October 31st, 2018, 9:55 pm

Thanks for splitting this out and nice work with the title :)
cynwulf wrote:where is the "heavily" you're referring to? privsep is for ports as well. It's patched, but not "heavily" patched

I already retracted the "heavily" part in my last post, no need to go on about it. The word is pretty meaningless in this context anyway.

cynwulf wrote:in your previous correspondence you seemed to regard it as some kind of "heavily patched" fork of X?

No, I just got carried away and added an unwarranted adjective.

The point I was making was that X is included in the base system and so I expected it to fall under the same audits as the native OpenBSD software.

I was trying to find out if you knew at all but this seems to be fruitless so never mind.

cynwulf wrote:Why not get your arse to the mailing lists and ask the maintainer or any other developer willing to give you the air time...?

Oh dear me no, they actually have important stuff to do, I wouldn't dream of wasting their time with my nonsense.

cynwulf wrote:Now supposing it's actually not audited? Just like something from ports is not really audited to the same extent as the base system, what will you do then?

Nothing, I was just curious, that's all. OpenBSD has so many advantages over Linux in respect of pro-active security measures that I really can't see me dropping it anytime soon.

This thread arose because you made a comment about how the auditing performed by the OpenBSD devs results in a reduction of bugs & vulnerabilities, the talk by Ilja to which I linked in the OP was specifically about the relative incidences of kernel bugs in the BSDs based on the statement made by Theo de Raadt in an interview with Forbes magazine:
Theo de Raadt wrote:If the Linux people actually cared about quality, as we do, they would not have had as many localhost kernel security holes in the last year.

Ilja van Sprundel's talk asks whether the greater number of holes reported in Linux compared to OpenBSD is because more people are using Linux or because the code in OpenBSD is better.

The fact that he was able to find 25 bugs in OpenBSD in the mere three months he was looking at the code worries me a bit, especially considering that he only found 30 bugs in FreeBSD.

I can't help but think that perhaps Linux is more secure than I have been giving it credit for (especially if all the knobs are enabled), they have professionals like Ilja looking at their code all the time.

cynwulf wrote:But then that's how it works at FDN and the Linux fanboi sites isn't it?

There are some very expert posters over at fdn (not me!), you are foolish to deny it.
Head_on_a_Stick
 
Posts: 163
Joined: June 16th, 2015, 8:35 pm
Location: London baby!

Re: My Awesome Adventure (CoC debate)

Postby Head_on_a_Stick » October 31st, 2018, 10:07 pm

nodir wrote:better don't make them trying to "give back" for BSD too.

Everybody seems to know more than me over at daemonforums.org and I keep making a fool of myself so no need to worry about that, I'm keeping schtum over there from now on unless I'm sure it's useful.

nodir wrote:Just glanced over the "are you testing buster" tutorial.

Ah good, I was hoping to get some expert feedback :)

nodir wrote:Fucking great idea to make people who need to get told how to run a mixed testing/unstable setup (and getting it told kinda wrong, what makes it worse) to send thousands of pointless bug reports, as they got no clue what the heck they are into when using testing and/or sid.

Oh dear. Did I fuck it up? :shock:

Surely we need people testing buster? The freeze starts in January so I thought it was about time.

Also, I am encouraging people to post problems in the thread rather than directly to bugs.debian.org

I didn't just pull that pinning stuff out of my arse, I followed this section in Osamu Aoki's Debian Reference:

https://www.debian.org/doc/manuals/debi ... le_literal

The xserver-xorg-core package in buster was vulnerable to the X hole so I used sid to get the fixed version, is that not how it's supposed to be done?

If you check the thread again you'll see that I've replaced the sid packages with the buster equivalents and my box is "clean" atm, AFAICT.

Please tell me how to do it better, or link me to a guide, I just want to learn.

nodir wrote:Probably gives them a boner if they talk to that magical thing called "developer". To be part of something. Mankind still seems to be in religion. "I know the forces" ... Well: you don't.

Erm, yes, OK, if you say so :)
Head_on_a_Stick
 
Posts: 163
Joined: June 16th, 2015, 8:35 pm
Location: London baby!

Re: HoaS goes on an OpenBSD Adventure

Postby nodir » November 1st, 2018, 7:35 am

I was only speaking of /etc/apt/apt.conf with APT::Default-Release "testing"; versus pinning. I only glanced, and it is ok, as far as i can tell.
http://forums.debian.net/viewtopic.php?t=15612
pinning is all i was referring to, and "wrong" was ... guess i was just angry to go over it again

There is never anything wrong with running mixed testing/unstable, au contraire, it is rather the preferred method for running testing. I do know that quite some are against it though (without ever giving a valid reason for it. They seem to have their mindset stuck in stable-land). To me it was easier to go straight for sid (which wouldn't help with testing "testing"), but it makes more sense than it seems:
https://www.debian.org/doc/manuals/debi ... tml#s3.1.5

There is nothing to be done any better with the how-to run testing itself.
The whole idea "to give back" is fucked, imho. The added idea to discuss problems in a thread (a forum, in irc, in mailing lists: short -somewhere) is a good idea though.
See: a bug report is a burden for the maintainer. The less pointless reports, the better, the more time for real bugs (sure, true: not easy to know in advance. As i don't know, i usually don't write bug reports. Less burden for me too, so a win-win situation).

The good news: as soon you run anything but stable, there will always be people who tell you you do it all plain wrong. Starting with: the whole idea to run anything but stable would be wrong.

all imho, of course. I am not much in theory. I picked up here and there. I chat. that's all (i am quite sure that you know more about computing and perhaps even debian than i do. Well: most do. I don't care for much. wireless, graphics, firewalls, hardware, etc, etc, etc. I don't care for it).
nodir
 
Posts: 305
Joined: June 16th, 2015, 10:10 pm
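
The two ways of running a mixed testing/unstable box that come up in this thread (HoaS pulling a fixed xserver-xorg-core from sid via pinning, nodir preferring APT::Default-Release) can be written down side by side. The following is an added example, not something posted in the thread or taken from the Debian Reference: it generates both configurations into a directory of your choosing so they can be inspected without touching /etc/apt, and checks the one mistake that would silently turn the box into sid. The option and file names follow apt.conf(5) and apt_preferences(5); the output directory, the "99default-release" file name and the sources.list contents are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example (not from the thread): write the APT::Default-Release style
# configuration for a mixed testing/unstable system into "$1" instead of
# /etc/apt, so it can be reviewed before being copied into place.
write_mixed_apt_config() {
    dir="$1"
    mkdir -p "$dir/apt.conf.d"

    # Default release: packages from "testing" get pin priority 990, every
    # other suite (here: unstable) gets 500, so apt only takes a sid package
    # when explicitly asked, e.g. "apt install -t unstable xserver-xorg-core".
    # File name is an assumption; any file in apt.conf.d is read.
    printf 'APT::Default-Release "testing";\n' > "$dir/apt.conf.d/99default-release"

    # Constructed sources.list carrying both suites by suite name.
    cat > "$dir/sources.list" <<'EOF'
deb http://deb.debian.org/debian testing main
deb http://deb.debian.org/debian unstable main
EOF
}

# The same priorities expressed as explicit pins (the apt_preferences(5)
# route): the numbers are the ones APT::Default-Release would assign.
write_pinning_equivalent() {
    dir="$1"
    mkdir -p "$dir"
    cat > "$dir/preferences" <<'EOF'
Package: *
Pin: release a=testing
Pin-Priority: 990

Package: *
Pin: release a=unstable
Pin-Priority: 500
EOF
}

# Sanity check: the release named in apt.conf must be one of the suites in
# sources.list. If it is not (a typo, or "buster" where the list says
# "testing"), nothing gets 990, every candidate sits at 500 and the next
# plain upgrade pulls the whole box to sid. Returns 0 when consistent.
default_release_is_listed() {
    dir="$1"
    rel=$(sed -n 's/^APT::Default-Release "\([^"]*\)";$/\1/p' \
        "$dir/apt.conf.d/99default-release")
    [ -n "$rel" ] && grep -q "^deb [^ ]* $rel " "$dir/sources.list"
}
```

Usage: `write_mixed_apt_config /tmp/aptdemo && default_release_is_listed /tmp/aptdemo && echo consistent`. On a live system with the files in /etc/apt, `apt update` followed by `apt-cache policy xserver-xorg-core` shows the 990/500 split, and `apt install -t unstable xserver-xorg-core` takes just that package from sid while the rest of the box stays on testing.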

Re: My Awesome Adventure (CoC debate)

Postby cynwulf » November 1st, 2018, 12:03 pm

Head_on_a_Stick wrote:The point I was making was that X is included in the base system and so I expected it to fall under the same audits as the native OpenBSD software.

There is a section in the OpenBSD FAQ relating to this. You should note that over the years 3rd party software has been slowly removed and/or replaced - for example Apache (and then nginx), which were replaced with a homegrown alternative.

Head_on_a_Stick wrote:I was trying to find out if you knew at all but this seems to be fruitless so never mind.

As far as I know, X.org and other 3rd party software in base is audited and patched as necessary, but to what extent I cannot say. But I can't imagine to the same extent as the kernel or even OpenSSH for example.

This is why I've directed you to the mailing lists. You might get no response (or a snotty response), at the least you might get a link to more reading on this. When all is said and done, OpenBSD is tiny and they will have to focus their efforts on the areas which are important to the project, not trawling through a mass of 3rd party like X. Once you are running X and then running X applications from ports and in particular web browsers running javascript, etc, etc, your "attack surface" increases considerably.

You should do some basic research as to what the project has worked on for decades in terms of running 3rd party software (including from ports) and protecting the OS from defects/bugs/holes in said software.

Also:
This is called the "device drivers in userland" model. It violates
all the security models you will hear of in a university class.

This problem is ENTIRELY the X group's fault! They have failed us.
Ten years ago they were laughing at Microsoft for moving their video
subsystem into their kernel, but now the joke is on the X developers,
because what Microsoft did solved all these driver security problems!

https://marc.info/?l=openbsd-misc&m=114738577123893&w=2

Things have moved on a bit and the aperture driver is no longer needed for intel and radeon, plus X is now fully privsep on OpenBSD, but the user mode drivers remain. As deraadt says, the big focus of X.org for more than a decade has been in 3D rendering for Nvidia/AMD/Intel, etc and entirely centred around Linux.

OpenBSD had no choice but to follow upstream and move to the Linux DRM drivers, which has improved matters a little. So my entire point is that any "auditing" X won't solve much, unless someone has years to rewrite/re-implement the whole thing, breaking all the X11 based window managers and applications, etc which depend on it... the whole thing needs scrapping and replacing with something a lot simpler - but few really have the skill or the time to do this. For example Apple's macOS and google's Android implement their own proprietary display servers (Quartz and SurfaceFlinger) to avoid the X mess. This is the main problem with these modern graphics stacks - they're overwhelmingly proprietary.

Head_on_a_Stick wrote:This thread arose because you made a comment about how the auditing performed by the OpenBSD devs results in a reduction of bugs & vulnerabilities,

What do you think constitutes "auditing"?

Head_on_a_Stick wrote:Ilja van Sprundel's talk asks whether the greater number of holes reported in Linux compared to OpenBSD is because more people are using Linux or because the code in OpenBSD is better.

He's within his rights to ask that question. By the same logic, far more people use MS Windows, Windows has seen a lot of security vulnerabilities over the years, but as more people by far use it as a desktop/laptop PC system, then it's possible that the NT kernel is in fact more secure than the Linux kernel (in fact there is some evidence to support this, but that's another story).

However this does not somehow prove that audits are of little use.

My point about "eyeballs" is that they obviously need to be looking for the right things in the right places. In the case of Linux, they have admitted that there is too much code for humans to look at. The kernel has simply grown too large and it's debatable as to whether all of that code is actually useful.
Head_on_a_Stick wrote:The fact that he was able to find 25 bugs in OpenBSD in the mere three months he was looking at the code worries me a bit, especially considering that he only found 30 bugs in FreeBSD.

Again - was he not "auditing" - i.e. looking for specific things?

Have you just taken his results and conclusions at face value?

Have you considered that he is not simply some random volunteer or unaffiliated individual, but a professional working for a security advisory company? https://ioactive.com/service/advisory-services/

He found bugs, those bugs were fixed, that's about all you can say. His conclusions as to why the bugs weren't discovered don't really count for much. He found them, others didn't. In his opinion they should have, in my opinion he and others like him, should have found some even more obvious bugs in Linux which went undetected for years.

The whole thing, while undeniably useful (and I hope he contributes this kind of thing again) lumps all of the "BSDs" together, which is rather telling in itself, he is also obviously just a little biased against the *BSDs and the entire exercise is obviously all about somehow proving that Linux is just as secure. He then concludes that "eyeballs" matter, without anything concrete to support that.

My point? He could have reported his bugs without the fanfare... instead he went for sensationalism and flawed comparisons.
Head_on_a_Stick wrote:I can't help but think that perhaps Linux is more secure than I have been giving it credit for (especially if all the knobs are enabled), they have professionals like Ilja looking at their code all the time.

That's no doubt the conclusion you're supposed to come to...

But despite van Sprundel and others "looking at their code" they [Linux] have had more than their fair share of kernel security holes over the years.

If you look at 2017, it was actually the worst year on record for Linux kernel vulnerabilities since 1999: https://www.cvedetails.com/product/47/L ... ernel.html
(a huge amount of that related to Android and vendor drivers)

That "worries me a bit". But no OS can be the utopia of security and code correctness. OpenBSD is a work in progress and considers what it is trying to do as an ongoing process.

The Linux kernel also has a multitude of IT professionals and penetration testers at their disposal, not to mention multi-billion $ corporations heavily involved and invested in their code, which equals a lot of very highly paid "eyeballs".

You also have to take into account that despite all of the above, OpenBSD is very much security focused, whereas Linux is quite simply not, by the lead developer's own, very public, admissions. OpenBSD often sacrifices performance for security, Linux and quite a few other OS do exactly the opposite.
cynwulf
 
Posts: 2535
Joined: April 26th, 2011, 2:46 pm

Re: HoaS goes on an OpenBSD Adventure

Postby Head_on_a_Stick » November 1st, 2018, 9:17 pm

That is brilliant, thank you for the detailed responses, it is very much appreciated :)
Head_on_a_Stick
 
Posts: 163
Joined: June 16th, 2015, 8:35 pm
Location: London baby!
