interesting article on FreeBSD kernel almost getting dangerous code

<https://arstechnica.com/gadgets/2021/03/buffer-overruns-license-violations-and-bad-code-freebsd-13s-close-call/> Summary: a WireGuard port to FreeBSD was sponsored by Northgate (pfSense company). The port was of poor quality and dangerously so. Nobody caught it until after pfSense was released with it, and just before FreeBSD released it. The messenger was tortured, but not shot. Bonus: the guy who ported the code was a felon / bad landlord. Lesson: open source software does not get enough quality control. Especially code that might affect security. Some Linux distros attempt QC (e.g. RedHat) but I'm sure it is inadequate.

Solution: pay the testers and programmers.

On 3/28/21 2:47 PM, D. Hugh Redelmeier via talk wrote:
Summary: a WireGuard port to FreeBSD was sponsored by Northgate (pfSense company). The port was of poor quality and dangerously so. Nobody caught it until after pfSense was released with it, and just before FreeBSD released it. The messenger was tortured, but not shot.
Bonus: the guy who ported the code was a felon / bad landlord.
Lesson: open source software does not get enough quality control. Especially code that might affect security. Some Linux distros attempt QC (e.g. RedHat) but I'm sure it is inadequate.
---
Post to this mailing list talk@gtalug.org
Unsubscribe from this mailing list https://gtalug.org/mailman/listinfo/talk

Netgate did pay the programmer. Also, my understanding is that many open source developers do the work while being paid by their employer to do it.

On 2021-03-28 4:39 p.m., William Park via talk wrote:
Solution: pay the testers and programmers.
On 3/28/21 2:47 PM, D. Hugh Redelmeier via talk wrote:
Summary: a WireGuard port to FreeBSD was sponsored by Northgate (pfSense company). The port was of poor quality and dangerously so. Nobody caught it until after pfSense was released with it, and just before FreeBSD released it. The messenger was tortured, but not shot.
Bonus: the guy who ported the code was a felon / bad landlord.
Lesson: open source software does not get enough quality control. Especially code that might affect security. Some Linux distros attempt QC (e.g. RedHat) but I'm sure it is inadequate.

On Sun, Mar 28, 2021 at 02:47:46PM -0400, D. Hugh Redelmeier via talk wrote:
Summary: a WireGuard port to FreeBSD was sponsored by Northgate (pfSense company). The port was of poor quality and dangerously so. Nobody caught it until after pfSense was released with it, and just before FreeBSD released it. The messenger was tortured, but not shot.
Bonus: the guy who ported the code was a felon / bad landlord.
Lesson: open source software does not get enough quality control. Especially code that might affect security. Some Linux distros attempt QC (e.g. RedHat) but I'm sure it is inadequate.
I think a more correct lesson is: FreeBSD has so few people involved (and their processes for committing don't require review) that things don't get checked in many cases. I certainly don't get the impression that there is much activity or use going on with any of the BSDs anymore (and in my opinion, having used them, rightfully so). Certainly the Linux kernel has stuff reviewed by multiple people, in public, and has to go through multiple people before being accepted in. Things can still go wrong, but I don't think anything like what FreeBSD experienced here would be possible.
--
Len Sorensen

On 2021-03-29 2:08 p.m., Lennart Sorensen via talk wrote:
I think a more correct lesson is: FreeBSD has so few people involved (and their processes for committing don't require review) that things don't get checked in many cases. I certainly don't get the impression that there is much activity or use going on with any of the BSDs anymore (and in my opinion, having used them, rightfully so).
Certainly the Linux kernel has stuff reviewed by multiple people, in public, and has to go through multiple people before being accepted in. Things can still go wrong, but I don't think anything like what FreeBSD experienced here would be possible.
When I started using pfsense, about 5 years ago, I was surprised it was using FreeBSD and not Linux. I also found BSD to be a bit crude, compared to Linux. The only reason I stopped using SUSE for my firewall was it didn't support DHCPv6-PD, which pfsense did.

On Mon, Mar 29, 2021 at 02:21:06PM -0400, James Knott via talk wrote:
When I started using pfsense, about 5 years ago, I was surprised it was using FreeBSD and not Linux. I also found BSD to be a bit crude, compared to Linux. The only reason I stopped using SUSE for my firewall was it didn't support DHCPv6-PD, which pfsense did.
OpenWRT seems to handle it fine, whatever program they are using on Linux.
--
Len Sorensen

On 2021-03-29 3:31 p.m., Lennart Sorensen wrote:
OpenWRT seems to handle it fine, whatever program they are using on linux.
While I haven't used it much, OpenWRT isn't in the same class as pfsense. In terms of function, it's closer to Cisco. However, according to a book I read a while ago, some Cisco models are Linux powered. One thing I miss on pfsense is the ability to run Wireshark on my firewall via ssh. However, it does have a built in Packet Capture. My pfsense firewall is running on a Qotom mini PC, with i5 CPU, 4 GB of memory, 64 GB SSD and 4 Ethernet ports. I plan on experimenting with OSPF on it, along with my Cisco router.

On Mon, 29 Mar 2021 at 15:40, James Knott via talk <talk@gtalug.org> wrote:
While I haven't used it much, OpenWRT isn't in the same class as pfsense.
From what I found with a quick web search, it looks like DHCPv6-PD can be handled by wide-dhcpv6, maybe along with dnsmasq, so any distribution supporting these might be able to handle it.
-- Scott
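
A minimal wide-dhcpv6 client configuration for the DHCPv6-PD arrangement Scott describes, added here as an illustration; it is not from the thread, from pfSense, or from any project's documentation. The interface names eth0 (WAN, facing the ISP) and eth1 (LAN, to receive one /64 out of the delegated prefix) and the hook-script path are assumptions for the example; dnsmasq is left to advertise whatever prefix lands on eth1.

```conf
# /etc/wide-dhcpv6/dhcp6c.conf  (constructed example; eth0/eth1 and the script path are assumptions)

# On the WAN side ask the ISP for a delegated prefix (IA_PD) and a WAN address (IA_NA).
interface eth0 {
    send ia-pd 0;
    send ia-na 0;
    request domain-name-servers;
    request domain-name;
    # Hook run on lease events so dnsmasq / resolver config can be regenerated.
    script "/etc/wide-dhcpv6/dhcp6c-script";
};

# Carve the delegated prefix for the LAN: sla-len 8 splits a /56 from the ISP
# into /64s, sla-id 1 selects the second of those, and the router takes
# <prefix>::1 on eth1 (ifid 1).
id-assoc pd 0 {
    prefix-interface eth1 {
        sla-id 1;
        sla-len 8;
        ifid 1;
    };
};

# Accept the WAN address offered under IA_NA 0.
id-assoc na 0 {
};
```

Two things bite in practice: sla-len must match what the ISP actually delegates (a /60 needs sla-len 4, and a /64-only ISP leaves nothing to subdivide), and the firewall on eth0 has to admit the server's UDP/546 replies or the client never gets past SOLICIT. Running `dhcp6c -D -f eth0` in the foreground shows the received prefix and length before anything is made permanent.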

On 2021-03-29 3:59 p.m., Scott Allen wrote:
On Mon, 29 Mar 2021 at 15:40, James Knott via talk <talk@gtalug.org> wrote:
While I haven't used it much, OpenWRT isn't in the same class as pfsense.
From what I found with a quick web search, it looks like DHCPv6-PD can be handled by wide-dhcpv6, maybe along with dnsmasq, so any distribution supporting these might be able to handle it.
It might be supported now, but it wasn't 5 years ago. I'll be sticking with pfsense, as it does far more than the SUSE firewall did.

On 2021-03-29 3:31 p.m., Lennart Sorensen via talk wrote:
On Mon, Mar 29, 2021 at 02:21:06PM -0400, James Knott via talk wrote:
When I started using pfsense, about 5 years ago, I was surprised it was using FreeBSD and not Linux. I also found BSD to be a bit crude, compared to Linux. The only reason I stopped using SUSE for my firewall was it didn't support DHCPv6-PD, which pfsense did.
OpenWRT seems to handle it fine, whatever program they are using on Linux.
OpenWRT has Dave Taht on their side, who is both a friend, a comedian and a force of nature (;-)) https://www.youtube.com/watch?v=ZeCIbCzGY6k
--dave
--
David Collier-Brown,                 | Always do right. This will gratify
System Programmer and Author         | some people and astonish the rest
dave.collier-brown@indexexchange.com | -- Mark Twain

On Mon, Mar 29, 2021 at 02:08:35PM -0400, Lennart Sorensen via talk wrote:
I think a more correct lesson is: FreeBSD has so few people involved (and their processes for committing don't require review) that things don't get checked in many cases. I certainly don't get the impression that there is much activity or use going on with any of the BSDs anymore (and in my opinion, having used them, rightfully so).
OpenBSD is still thriving, and they carefully audit all their code before incorporating it, as well as have ongoing rolling security audits. They may be too extreme in their focus, but that's another issue.
--
Peter King                          peter.king@utoronto.ca
Department of Philosophy            170 St. George Street #521
The University of Toronto           Toronto, ON M5R 2M8 CANADA
(416)-946-3170 ofc                  http://individual.utoronto.ca/pking/
=========================================================================
GPG keyID 0x7587EC42 (2B14 A355 46BC 2A16 D0BC 36F5 1FE6 D32A 7587 EC42)
gpg --keyserver pgp.mit.edu --recv-keys 7587EC42

On Mon, Mar 29, 2021 at 04:10:38PM -0400, Peter King via talk wrote:
OpenBSD is still thriving, and they carefully audit all their code before incorporating it, as well as have ongoing rolling security audits. They may be too extreme in their focus, but that's another issue.
Oh OpenBSD definitely handles code updates in a safer way than FreeBSD, although it seems their rate of progress may be even lower than FreeBSD and not too much is happening there. And I doubt any of the BSDs will ever have a userspace that is worth putting up with.
--
Len Sorensen

Lennart Sorensen via talk wrote:
On Mon, Mar 29, 2021 at 04:10:38PM -0400, Peter King via talk wrote:
OpenBSD is still thriving, and they carefully audit all their code before incorporating it, as well as have ongoing rolling security audits. They may be too extreme in their focus, but that's another issue.
Oh OpenBSD definitely handles code updates in a safer way than FreeBSD, although it seems their rate of progress may be even lower than FreeBSD and not too much is happening there.
One thing all the *ixen are facing would be all the niche hardware that not every developer has, and can test or code for. I really think that drivers ought to be sandboxed like user processes so they can interact with their hardware only, and their code crashing can't bring down the whole kernel. And maybe canned drivers could be a bit more portable too. There'd still be the license barrier to hurdle between the Linux and BSD camps, but a driver that was arms-length from the kernel itself might be at sufficient distance for that too. Back when I was working with OpenBSD I found that it was too much about network security and it was near-impossible to do a simple RAID to protect my data from threats coming up from the hardware.
And I doubt any of the BSDs will ever have a userspace that is worth putting up with.
Last time I ran a BSD desktop (bunchteen years ago) it was the same X environment that I had over on my Linux box. At one point it was where you had to go for ZFS and for jails (chroots with network namespacing) and then awhile later Linux got ZoL and LXC that looked suspiciously familiar. Other stuff like FUSE has been ported the other way. But I think folk develop expectations of what's in a modern *ix and the feature set tends to converge back and forth. Between Red Hat and Gentoo and Debian and FreeBSD I'd always find the great majority of packages I wanted in their respective packaging systems, and every one of them had at least one moment of being sworn at for omitting something I should have found them carrying. The range of Linux distros and BSDs tend to be more similar if you're looking for a generic traditional portable OS, but the latest new features always require picking up one that has that (or doing like a hockey fan of a different team and downplaying the need for the feature until your side has it!)
--
Anthony de Boer

| From: Peter King via talk <talk@gtalug.org>
| OpenBSD is still thriving, and they carefully audit all their code before
| incorporating it, as well as have ongoing rolling security audits. They
| may be too extreme in their focus, but that's another issue.

That's what they claim. And it's probably true. But many years ago I reported a security issue with PTYs and they just ignored it. Yes, I used the correct channel.
participants (8)
- Anthony de Boer
- D. Hugh Redelmeier
- Dave Collier-Brown
- James Knott
- lsorense@csclub.uwaterloo.ca
- Peter King
- Scott Allen
- William Park