Thanks for making me think a bit deeper on this subject. And thanks for the kind words on my own work. :)

With a historical perspective, I agree with you. grsecurity has done a lot with regards to Linux security (and security in general). I think the entire computing industry owes a lot to grsecurity, especially those of us in infosec.

With the BSDs (except FreeBSD) having the core exploit mitigations in place (ASLR, W^X), it’s time to move on to other, more advanced mitigations. There’s only so much the kernel can do to harden userland and keep performance in check. Thus, these more advanced exploit mitigations must be implemented in the compiler. The BSDs are positioning themselves to be able to adopt and tightly integrate compiler-based exploit mitigations like CFI. Due to Linux’s fragmentation, it’s simply not possible for Linux to position itself in the same way. HardenedBSD has already surpassed Linux as far as userland exploit mitigations are concerned. This is due in part because of using llvm as the compiler toolchain.

Microsoft is making huge strides as well. However, the PE file format, which allows individual PE objects to opt-in or opt-out of the various exploit mitigations, is a glaring weakness commonly abused by attackers. All it takes is for one DLL to not be compiled with /DYNAMICBASE, and boom goes the dynamite. Recently, VLC on Windows was found not to have ASLR enabled, even though it was compiled with /DYNAMICBASE and OS-enforced ASLR enabled, due to the .reloc section being stripped. Certain design decisions made decades ago by Microsoft are still biting them in the butt.

I completely agree with you about hardware-based exploit mitigations. The CHERI project from the University of Cambridge in England is doing just that: hardware-enforced capabilities and bounds enforcement. However, it’ll probably take another 20+ years for their work to be available in silicon and an additional 20+ years for their work to be used broadly (and thus, actually usable/used). In the meantime, we need these software-based exploit mitigations.

UBSan (and NetBSD’s new micro-UBSan) is a sanitizer found in llvm.

Have you ever tried to manually configure wireless on linux? It’s a nightmare. Always has been.

No. The Linux’s I use come with an out-of-the-box experience that makes wireless as easy as clicking a box, clicking a name, typing in the password, it works, and it reconnects when nearby. They have been like that since I bought an Ubuntu-specific Dell a long time ago. They knew it was a critical feature that needed to work easily with no effort with some doing that upon installation so parts of the install could be downloaded over WiFi. Then, they did whatever they had to do in their constraints (time/talent/available code) to get it done.

And then I was able to use it with only breaks being wireless driver issues that had answers on Q&A sites. Although that was annoying, I didn’t have to think about something critical I shouldn’t have to think about. Great product development in action for an audience that has other things to do than screw around with half-built wireless services. That’s a complement about what I used rather than a jab at OpenBSD’s which I didn’t use. I’m merely saying quite a few of us appreciate stuff that saves us time once or many times. If common and critical, adoption can go up if it’s a solved problem with minimal intervention out of the box.

That said, props to your project member who solved the problem with a minimally-complex solution in terms of code and dependencies. I’m sure that was hard work. I also appreciate you illustrating that for us with your comparisons. The difference is almost comical in the work people put in with very different talents, goals and constraints. And m4 isn’t gone yet. (sighs)

This is really great. I wish all other projects can do that, preferring elegancy to throwing code on the wall, but sometimes life really takes its toll and we cave and just make Frankenstein to get shit done.

I really appreciate all the works by OpenBSD folks. Do you have any idea how other *BSD’s deal with the wireless?

It’s almost like if you prioritize the stuff that truly matters, and be willing to accept a little bit of UX inconvenience, you might happen upon a formula that produces reliable software? Who would have thought?

I think this is just a matter of what you think matters. There’s no sadness here. The ability to trade off security for features and vice versa is good. It lets us accept the level of risk we like.

On the other hand, it’s really sad, for instance, that OpenBSD has had so many public security flaws compared to my kernel ;P

I’m getting a bit tired of every complaint and remark being reduced to entitlement. Yes, I know that there is a lot of unjustified entitlement in the world, and it is rampant in the open source world, but I don’t feel entitled to anything in free or open source software space. As someone trying to write software in my spare time, I understand how hard it is to find spare time for any non-trivial task when it’s not your job.

Though I am not a heavy user, I think OpenBSD is an impressive piece of software, with a lot of thought and effort put into the design and robustness of the implementation.

I just think it’s somewhat disheartening that something this common (switching wireless networks) was not possible without manual action (rewriting a configuration file, or swapping configuration files, and restarting the network interface) every time you needed to switch or moved from home to the office.

Whether you feel like this is me lamenting the fact that there are so few contributors to important open source projects, me lamenting the fact that it is so hard to make time to work on said project, or me being an entitled prick asking for features on software I don’t pay for (in money or in time/effort) is entirely your business.

First, both free speech and hacker culture say that person can gripe about what they want. They’re sharing ideas online that someone might agree with or act on. We have a diverse audience, too.

Second, the project itself has developers that write cocky stuff about their system, mock the other systems, talk that one time about how they expect more people to be paying them with donations, more recently talk about doing things like a hypervisor for adoption, and so on. Any group doing any of that deserves no exception to criticism or mockery by users or potential users. It’s why I slammed them hard in critiques, only toning it down for the nice ones I met. People liking critiques of other projects or wanting adoption/donations should definitely see others’ critiques of their projects, esp if its adoption/donation blockers. I mean, Mac’s had a seemless experience called Rendevous or something in 2002. If I’m reading the thread right, that was 16 years before OpenBSD something similar they wanted to make official. That OpenBSD members are always bragging when they’re ahead of other OS’s on something is why I’m mentioning it. Equal treatment isn’t always nice.

“But, I do care that people aren’t berating developers with: “That’s great, but ____” comments. Let’s support each other, instead of feigning gratitude. It wasn’t clear if that’s what you were doing, hence, my request for clarification.”

I did want to point out that we’ve had a lots of OpenBSD-related submissions and comments with snarky remarks about what other developers or projects were doing. I at least don’t recall you trying to shut them down with counterpoints assessing their civility or positivity toward other projects (say NetBSD or Linux). Seems a little inconsistent. My memory is broken, though. So, are you going to be countering every negative remark OpenBSD developers or supporters make about projects with different goals telling them to be positive and supportive only? A general rule of yours? Or are you giving them a pass for some reason but applying the rule to critics of OpenBSD choices?

i think he’s sad that there haven’t been enough volunteers to make it happen sooner

The amount of trust people need to put in others for a functioning FOSS world is very high. Groups that have strong financial behavior to betray their surroundings have to behave in an extremely paranoid way, and it’s far easier to introduce vulnerabilities in your own project than find a vulnerability in another.

suppose I find a vulnerability, I report it to security-officer@somebsd.org, they didn’t fix it yet. what am I supposed to understand? that they are behind on handling tickets (it happens), or that security-officer had 500,000 reasons to stay quiet?

What about the person who is creating the release - he can do the build with an extra change. Are all builds that aren’t reproducible suspicious now?

Suppose you do find a vulnerability in your own project. You can see who introduced this. Are you kicking them out of your project or assuming it’s a mistake?

Yes, I should review the work of others and I do, but there’s a limit for how much one person can check.

Completely agree, but it’s still not unusual for projects to use one compiler for their official releases.

Suddenly? No, but I’m afraid that sooner or later having both clang and rust will become required for any platform that wants to ship firefox. Which is a shame, since Mozilla mission is:

That’s already the case. Stylo needs clang to build. You can build some parts with GCC though.

Clang and rust are both open projects, so I don’t see how it conflicts with their mission.

I agree. Sadly the browser already without this has very big difference in platform support, even without that. For example WebRTC (the multimedia part), sandboxing capabilities, etc. But then of course supporting that on many platforms isn’t easy. Would be great of course, if that mission lead to a focus on not only supporting Windows, Linux and MacOS.

Maybe someone has more insights, but something that makes me wonder a lot about how things work internally at Mozilla is that there is quite a few bug reports with ready to integrate patches remaining unanswered for often years, yet there is often changes that completely surprise users, some of them being very far away from Mozilla’s stated mission.

While I get that not all the people working for Mozilla work in all areas it seems a bit like on the “accepting and integrating contributions” side of things there is a problem. As a foundation asking for monetary contribution it’s often a bad sign when contribution in form of work gets not taken care of. I hope Mozilla can fix this, so contributors don’t get too frustrated.

FreeBSD initially imported Clang at revision r72732 into the tree June 2nd 2009:

https://svnweb.freebsd.org/base?view=revision&revision=193323 https://llvm.org/viewvc/llvm-project/?pathrev=72732

This was long before FreeBSD 9.0-RELEASE (January 2012).

The public documentation of the effort starts back in Feburary of 2009:

https://wiki.freebsd.org/action/recall/BuildingFreeBSDWithClang?action=recall&rev=2

As of June 2009, Clang was at version 2.5. Version 2.6 didn’t happen until October 2009.

http://lists.llvm.org/pipermail/llvm-announce/2009-March/000031.html http://lists.llvm.org/pipermail/llvm-announce/2009-October/000033.html

So this means the devs were working with the devel/llvm-devel FreeBSD port, which would have been based on HEAD or slightly newer than Clang 2.4.

https://docs.freebsd.org/cgi/getmsg.cgi?fetch=512205+0+/usr/local/www/mailindex/archive/2009/cvs-ports/20090222.cvs-ports

So I’m not sure that I believe the story that Debian was that invested in LLVM/Clang before FreeBSD was. There was no reason to; the Linux kernel had so many GCC-isms to overcome, what would be the gain? (other than some faster compiling of packages but poorer performing binaries)

edit: FreeBSD was trying to build all of the ports collection with Clang around May 2010. This still predates Debian by over a year

https://wiki.freebsd.org/action/recall/PortsAndClang?action=recall&rev=1

Okay, wrong perspective then. From my angle I saw how tons of projects got pull requests, patches, etc. so they’d work with clang.

Do you have any background on why the Debian clang community even popped up early? I’d have considered them to be be philosophically closer to sticking to GCC (other than for where it’s necessary).

Also saw that Wikipedia actually does have a nice timeline. However it doesn’t mention where Debian starts only where it “finishes”: https://en.wikipedia.org/wiki/Clang#Status_history

Indeed, it’s not the fault of the economic system (if you think Capitalistic societies are wasteful, take a look at the waste and inefficiency of industry under the USSR). If externalities are correctly accounted for, or to be safe, even over-accounted for by means of taxation or otherwise, the market will work itself out. If the environmental cost means the new iPhone costs $2000 in real costs, Apple will work to reduce environmental cost in order to make an affordable phone again and everyone wins. And if they don’t, another company will figure it out instead and Apple will lose.

Currently, there is basically no accounting for these externalities, and in some cases (although afaik not related to smart phones), there are subsidies and price-ceiling regulations and subsidies that actually decreases the cost of some externalities artificially and are worse for the environment than no government intervention at all.

The easy example of this is California State water subsidies for farmers. Artificially cheap water for farmers means they grow water-guzzling crops that are not otherwise efficient to grow in arid parts of the state, and cause environmental damage and water shortage to normal consumers. Can you imagine your local government asking you to take shorter showers and not wash your car, when farmers are paying 94% less than you to grow crops that could much more efficiently be grown in other parts of the country? That’s what happens in California.

Step 1 and 2 are to get rid of the current subsidies and regulations that aggravate externalities and impose new regulation/taxes that help account for externalities.

I have talked to a factory owner in china. He said China is more capitalist than the USA. He said China prioritizes capital over social concerns.

You’re blaming the consumer? I’d really recommend watching Century of the Self. Advertising has a massive impact and the mass of humans are being fed this desire for all the things we consume.

I mean, this really delves into the deeper question of self-awareness, agency and free will, but I really don’t think most human beings are even remotely aware.

Engineers, people on Lobster, et. al do really want standard devices. Fuck ARM. Give me a god damn mobile platform. Microsoft for the love of god, just publish your unlock key for your dead phone line so we can have at least one line of devices with UEFI+ARM. Device tree can go die in a fire.

The Linux-style revolution of the 2000s (among developers) isn’t happening on mobile because every device is just too damn different. The average consumer could care less. Most people like to buy new things, and we’re been indoctrinated to that point. Retailers and manufactures have focus groups geared right at delivering the dopamine rush.

I personally hate buying things. When my mobile stopped charging yesterday and the back broke again, I thought about changing it out. I’ve replaced the back twice already and the camera has spots on the sensor under the lenses.

I was able to get it charging when I got home on a high amp USB port, so instead I just ordered yet another back and a new camera (I thought it’d be a bitch to get out, but a few YouTube videos show I was looking at the ribbon wrong and it’s actually pretty easy to replace).

I feel bad when I buy things, but it took a lot of work to get to that point. I’ve sold or given away most of my things multiple times to go backpacking, I run ad block .. I mean if everyone did what I’d did, my life wouldn’t be sustainable. :-P

We are in a really solidly locked paradigm and I don’t think it can simply shift. If you believe the authors of The Dictators Handbook, we literally have to run our of resources before the general public and really push for dramatically different changes.

We really need more commitment to open standards mobile devices. The Ubuntu Edge could have been a game changer, or even the Fairphone. The Edge never got funded and the Fairphone can’t even keep parts sourced for their older models.

We need a combination of people’s attitudes + engineers working on OSS alternatives, and I don’t see either happening any time soon.

Edit: I forgot to mention, Postmarket OS is making huge strides into making older cellphones useful and I hope we see more of that too.

Capitalism, by it’s very nature, drives companies to not be satisfied with what already sells. Companies are constantly looking to create new markets and products, and that includes creating demand.

IOW, consumers aren’t fixed actors who buy what they need; they are acted upon to create an ever increasing number of needs.

There are too many examples of this dynamic to bother listing.

It’s also very difficult for the consumer to tell exactly how destructive a particular product is. The only price we pay is the sticker price. Unless you really want to put a lot of time into research it is hard to tell which product is better for the environment.

It’s ridiculous to expect everyone to be an expert on every supply chain in the world, starting right from the mines and energy production all the way to the store shelf. That’s effectively what you are requiring.

I’m saying this as a very conscious consumer. I care about my carbon footprint, I don’t buy palm oil, I limit plastic consumption, I limit my consumption overall, but it’s all a drop in the ocean and changes nothing. There are still hundreds of compounds in the everyday items I buy whose provenance I know nothing about and which could be even more destructive. Not to mention that manufacturers really don’t want you to know, it’s simply not in their interest.

You’re creating an impossible task and setting people up to fail. It is not the answer.

The blame rests on the producers, not on the consumers.

Consumers are only able to select off of the menu of available products, so to speak. Most of the choices everyday consumers face are dictated by their employers and whatever is currently available to make it through their day.

No person can reasonably trace the entire supply chain for every item they purchase, and could likely be impossible even with generous time windows. Nor would I want every single consumer to spend their non-working time to tracing these chains.

Additionally, shifting this blame to the consumer creates conditions where producers can charge a premium on ‘green’ and ‘sustainable’ products. Only consumers with the means to consume ‘ethically’ are able to do so, and thus shame people with less money for being the problem.

The blame falls squarely on the entities producing these products and the states tasked with regulating production. There will be no market-based solution to get us out of the climate catastrophe, and we certainly can’t vote for a green future with our dollars.

Exactly. The consumers could be doing more on issues like this. They’re complicit or actively contribute to the problems.

For example, I use old devices for as long as I can on purpose to reduce waste. I try to also buy things that last as long as possible. That’s a bit harder in some markets than others. For appliances, I just buy things that are 20 years old. They do the job and usually last 10 more years since planned obsolescence had fewer tricks at the time. ;) My smartphone is finally getting unreliable on essential functions, though. Bout to replace it. I’ll donate, reuse, or recycle it when I get new one.

On PC side, I’m using a backup whose age I can’t recall with a Celeron after my Ubuntu Dell w/ Core Duo 2 died. It was eight years old. Attempting to revive it soon in case it’s just HD or something simple. It’s acting weird, though, so might just become a box for VM experiments, fuzzing, opening highly-untrustworthy URLs or files, etc. :)

Which alternatives would make people happier to consume less – drive older cars, wear rattier clothing, and demand fewer exotic vacations?

Why do people want new cars, the latest fashions, and exotic vacations in the first place? If it’s all about status and bragging rights, then it’s going to take a massive cultural shift that goes against at least two generation’s worth of cultural programming by advertisers on the behalf of the auto, fashion and travel industries.

I don’t think consumerism kicked into high gear until after the end of World War II when modern advertising and television became ubiquitous, so perhaps the answer is to paraphrase Shakespeare:

The first thing we do, let’s kill all the advertisers.

OK, maybe killing them (or encouraging them to off themselves in the tradition of Bill Hicks) is overkill. Regardless, we should consider the possibility that advertising is nothing but private sector psyops on behalf of corporations, and should not be protected as “free speech”.

IMO, Hedonistic adaptation is a problem and getting worse. I try to actively fight against it.

It would be a start if we designed cities with walking and public transportation in mind, not cars.

My neighborhood is old and walkable. I do shopping on foot (I have a bicycle but don’t bother with it). For school/work, take a single bus and a few minutes walking. Getting a car would be a hassle, I don’t have a place to park it, and I’d have to pay large annual fees for rare use.

Newer neighborhoods appear to be planned with the idea that you’ll need a car for every single task. “Residential part” with no shops at all, but lots of room for parking. A large grocery store with a parking lot. Even train stations with a large parking lot, but no safe path for pedestrians/cyclists from the nearby neighborhoods.

There has been no evidence to my knowledge that anyone is slowing old phones down. This continues to be an unfounded rumor

The new features on phones are so fucking stupid as well.

I think the consumer who pays for it is stupid.

Ideology matters, and America has been aggressively promoting toxic capitalist ideology for many decades around the world. Humans aren’t perfect, but we can recognize our problems and create systems around us to help mitigate them. Capitalism is equivalent of giving a flamethrower to a pyromaniac.

Seems like EUPL allows conversion of code into MPL and LGPL, which makes the anti-google point moot.

https://opensource.google.com/docs/thirdparty/licenses/ (I think that’s been posted here some time ago?)

Google is allergic to WTFPL and Beerware, extremely cautious about “just public domain”, and accepts Unlicense and CC0.

Did you know “carte OPUS” is a pun on “carte à puce”?

(Not really, but it’s too good of a factoid to not tell it.)

The problem with the Montréal system is that for whatever reason the fares are tied to calendar dates. If you want to buy a monthly pass, it can only start at the first day of the calendar month and ends at the last one. Weekly passes can only be bought from Monday to Sunday. This creates long lines at the start of the month, hence the desire to buy online.

It also makes it easier for people to hack their own cards in their possession to give themselves free rides.

At least for the Montréal situation, it’s probably far easier to just jump the turnstiles than to attempt any sophisticated trickery. I see people jumping turnstiles frequently enough.

I think if you have a system that most people will not abuse, it can all work out. No need to make it absolutely draconian and tamper-proof unless it’s an actual problem.

That was the main risk that critics said about the Mondex card from what I read. Too bad since it was one of only high-assurance, security developments in commercial sector.

Thanks liwakura. I still see that as a small victory :)

I don’t know if that will ever happen. I’m not sure there is the man-power.

Seamonkey has always been “Firefox but more sane”. Whilst it’s slipping, I think there’s still a need for a project that does this (but uses the quantum- code).

There’s an extension that adds an ‘addon history’ thingamabob to the addons site, so you can select older versions of addons:

https://github.com/lemon-juice/AMO-Browsing-for-SeaMonkey

It’s really imperfect and I have older addons breaking. My heart may soon follow.

It’s not about Intel being an American company, but the fact they chose Israel for manufacturing. I don’t want to spread false facts or something and only stated it as something that I could imagine to have happened.

Don’t be offended I pointed out the Israeli connection. I work with Israelis on a daily basis and as with any country, there are good and foul apples found within.

I don’t mean “I want to make value judgements about which communities are better because they deal with more stuff”, I mean “I would love to hack on kernels but want no part in this kind of environment, where should I go?”

Plus, the various BSD projects have security officers and secure, confidential ways to communicate. It’s not significantly more effort.

Note that I wrote and included a suggested diff for OpenBSD already, and that at the time the tentative disclosure deadline was around the end of August. As a compromise, I allowed them to silently patch the vulnerability.

He agreed to the patch on an already extended embargo date. He may regret that but there was no embargo date actually broken.

@stsp explained that in detail here on lobste.rs.

So I assume Linux developers will no longer receive any advance notice since they were posting patches before the meltdown embargo was over?

By late last year you mean “late December 2017” - I’m going to guess this is much later than the other parties were notified.

macOS 10.13.2 had some related fixes to meltdown and was released on December 6th. My guess is vendors with tighter business relationships (Apple, ms) to Intel started getting info on it around October or November. Possibly earlier considering the bug was initially found by Google back in the summer.

DigitalOcean and AWS both offer FreeBSD images.

there are/were some large scale deployments of BSDs/derived code. apple airport extreme, dell force10, junos, etc.

people don’t always keep track of them but sometimes a company shows up then uses it for a very large number of devices.