1. 5

    I’ve been trying to get a patchfix into OpenBSD with no luck. No response to my patch on tech@openbsd.org. This isn’t the first time. Can any OpenBSD contributor help me out?

    1. 7

      If you didn’t get any feedback, just keep asking the list for feedback every two weeks by replying to your own post. There’s a bit of luck to it because each patch has to catch someone’s interest in a moment when they have time to deal with it.

      1. 4

        Cool I can do that, thanks for the tip.

        1. -1

          just keep asking the list for feedback every two weeks by replying to your own post.

          What a ridiculous response. Not even an apology. That’s no way to run a welcoming community or encourage people to contribute.

          1. 9

            Nothing to apologize for - what did you expect? Sending reminders is a common idiom on tech@, where a mail easily gets drowned by other threads.

            Making sure your submissions are well tested and reasoned helps get a response, but you cannot demand anything.

            1. 1

              what did you expect?

              Maybe this is how OpenBSD runs things, if that’s the culture there, that’s fine, but don’t expect it to attract very many contributors.

              1. 5

                It does attract contributors. In fact, this culture is one of the reasons I joined the project.

                So I eventually started reviewing the diff but failed to do so because it was both malformed (did not apply) and broken (did not compile). That is, instead of focusing on the intended changes, reviewers get thrown back because they did not test it. Note how I explicitly mentioned this in my previous reply.

                Edit: I mixed you up with the OP/diff author, text adjusted.

                1. 4

                  Thank you for the review kn, very much appreciated. I hastily reposted an old version of the patch. I’ll make sure the diff applies cleanly in my reply and fix up the SIGCHLD typo.

                2. 6

                  Maybe this is how OpenBSD runs things, if that’s the culture there, that’s fine, but don’t expect it to attract very many contributors.

                  Ah but whose job is it to reply to every mail? Whose job is it to apologize if whoever had the first job failed to deliver? What is this sentient entity called OpenBSD that supposedly runs things? Does it have the power to appoint an individual for such a role?

                  1. -2

                    What is this sentient entity called OpenBSD that supposedly runs things?

                    It’s called the OpenBSD Foundation. You can read about it on its website. This year, it has about half a million to spend on answering your other questions.

                    1. 8

                      You gotta be joking. They provide funding for the project. They don’t run the project.

                      1. 0

                        I assumed that in order to provide funding for a project you need to decide what to fund and what not to fund, and that sort of decision-making is called “running the project”, but I guess I was mistaken, my bad.

                        1. 7

                          I just decided to fund you as my personal assistant. Your salary is $20 a month, you work 24/7, aren’t you so glad that I run you now? Hand over the keys to your house by the way, because with this decision, I run it…

                          Actually the OpenBSD Foundation isn’t the OpenBSD Project. The OpenBSD Foundation doesn’t own OpenBSD, and there are things it cannot do because it does not own OpenBSD. It can’t hand out commit bits, it can’t change the website, it can’t turn people into mailing list admins.. it does not run OpenBSD. If someone or something really “runs” OpenBSD, I’d say it’s Theo… and no, Theo doesn’t run the Foundation. The Foundation doesn’t run Theo either. The Foundation doesn’t decide what Theo or the individual developers (volunteers mainly!) of the project do, though they can choose to support whatever it is by providing funding.

                          1. -1

                            What is this sentient entity called OpenBSD that supposedly runs things?

                            If someone or something really “runs” OpenBSD, I’d say it’s Theo

                            1. 5

                              Which leads to the follow-up question.. you want him to force the volunteers to reply to every mail and apologize for every mail that wasn’t responded to? Or you want him to employ people for that purpose? Out of his own pocket?

                              Sorry, I just don’t see the issue of some messages directed at a volunteer-driven software group going unresponded to because the volunteers happened to be volunteering their time for something else at the time (or whatever the reason).

                              If people are so entitled to responses, I no longer wonder why some people get burned out on OSS development. I wouldn’t, at least not for that reason, because I have no trouble ignoring issues I don’t have time for. It is my own time.

                              IMHO kn is right, there is nothing to apologize for.

                              1. 0

                                I’ve seen small businesses provide better support to their users and developers on far less budget than OpenBSD has.

                                For the past 5 or so years they’ve received hundreds of thousands of dollars each year, and each year they had a surplus averaging ~$100k that they didn’t seem to use for anything.

                                Are you telling me they can’t afford to pay someone to say, “we’re looking into this”, or “we’re sorry the patch didn’t compile”, or even setup an automated patch submission system? Because if you are, according to their public finances page, that would be a lie.

                                1. 3

                                  The OpenBSD Project isn’t a business. I think you’re just trolling here and it’s dumb.

                                  1. -1

                                    I’m not trolling, and I’m done with this conversation because it’s clear it’s going nowhere fast.

                                    EDIT: and to be clear, from the OSS projects I’ve seen — even those that do not have a half-million dollar budget and a foundation — still somehow manage to reply to developers who’ve put in the time and effort into submitting a pull request. They also have pull requests. And automated build systems. And aren’t stuck in 1990 with their version control system.

                                    1. 6

                                      You are generalizing from one example and you don’t know our community well enough to judge it.

                                      During almost 10 years now I have committed many patches from other contributors and never had my own patches go ignored, which is why I stuck around in OpenBSD in the first place.

                                      1. 0

                                        You are generalizing from one example and you don’t know our community well enough to judge it.

                                        And how do you know how well I know the OpenBSD community? You have no clue.

                                        Over on Mastodon I pointed out that OpenBSD “perpetuates false and negative stereotypes that security people don’t care about usability, or that security must come at a cost of usability”.

                                        That’s a fact. And then OpenBSD developer @mulander jumped in to call me a troll, and on top of it, demand that I work for free to submit patches to the project. So I pointed out to him how the OpenBSD community treats those who work for free and submit patches.

                                        I’ve observed this project for many years, and I think it gets a bit too much hype on Lobsters lately for delivering a terrible user experience. Sure, there are lots of things to praise about it, but I don’t see anyone criticizing it for its glaringly obvious faults, so the end result is a community that is delusional, and a harmful role model.

                                        1. 4

                                          Link the thread so people can judge by themselves.

                                          Also link yourself trying to spin the thing around on Mastodon and on twitter.

                                          1. 0

                                            I did, see my reply below from before your comment. But sure I should have linked it here as well.

                                          2. 1

                                            Your opinions are not facts. I don’t think the “community” is what’s delusional here.

                                            1. -1

                                              It’s not an opinion, it’s a fact, and one OpenBSD fanbois don’t dispute.

                                        2. 1

                                          Great. I hope you feel better now that you’ve got this all out of your system.

                  2. 4

                    There is nothing to apologize for. It is a volunteer project. Developers are people who live lives, not borg drones assimilating other people’s patches.

                    1. 4

                      All of your comments in this thread are inappropriate. They are inappropriate regardless of whether other folks’ comments are or are not appropriate and regardless of whether they do or do not contain true statements.

                      Please drop the issue, do not bring it back up, and do not engage in this style of discussion again on lobste.rs.

                  3. 3

                    What stsp said, but also, can you link us to the thread?

                      1. 2

                        I just get

                        I expected an e-mail address, but none was defined.

                        1. 2

                          Sorry I’m not entirely sure what the best way is to post a link to a thread on the OpenBSD listserv. If you log in you should be able to see the thread.

                          EDIT: use this http://openbsd-archive.7691.n7.nabble.com/lib-libfuse-Handle-signals-that-get-sent-to-any-thread-tp352472p353099.html

                          1. 2

                            marc.info works pretty well. I’d say it’s the preferred interface for most people.

                            1. 1

                              thanks for the pointer

                    1. 2

                      Not a contributor, but I figure it might help to point out what patch you sent.

                    1. 1

                      This conference is currently running (October 18 + 19)

                      Videos of talks are being uploaded as they become available.

                      There is a live stream as well: http://streaming.media.ccc.de/osmocon18

                      1. 2

                        Previously and previously on Lobsters.

                        1. 1

                          Oh, sorry for the dupe. I hadn’t seen those. Thanks!

                        1. 1

                          Don’t miss this link in the article if you want technical details: https://homebrewserver.club/low-tech-website-howto.html

                          1. 13

                            The OS itself in my opinion is not ready for widespread desktop usage…

                            Would I install it on my grandma’s computer? Most likely not, but nor would I GNU/Linux. However, it is just right for my kind of usage (workstation on a Thinkpad Carbon Gen 3).

                            OpenBSD is by far the most stable and predictable OS I am running (that includes OSX and GNU/Linux) and I am running -current. It does everything that needs being done and does it well.

                            I agree with OP that one has to like configuring stuff by editing files and reading manpages on the CLI. That being said, configurations are usually pretty terse, man pages well detailed and examples in the man abundant.

                            OpenBSD is a powertool for powerusers. It’s not being developed for mass market appeal and that’s actually one of its most attractive features.

                            1. 11

                              Actually, it is exactly the system I would install on my grandma’s computer: A clean OpenBSD desktop with two icons: “Internet” and “Mail”.

                              She will never get a virus, break it, or fall for fake Windows phone scams.

                              My mother ran a Linux box for many years before jumping to a mac, and she was happy. Everything worked, nothing ever broke. It was predictable. Nowadays Linux is less predictable, especially after an upgrade, but OpenBSD is :)

                              Edit: However I wouldn’t recommend OpenBSD to a “regular user” friend.

                              1. 7

                                Actually, it is exactly the system I would install on my grandma’s computer: A clean OpenBSD desktop with two icons: “Internet” and “Mail”.

                                Geez, what an assumption ;), maybe grandma is a UNIX wizard and uses qutebrowser and mutt and launches them from the terminal.

                                At any rate, as far as I understand from various posts (haven’t tried OpenBSD since the early 00s), “Internet” would be very slow. Moreover, she would not be able to watch Netflix, since Widevine is not supported on OpenBSD. Oh, and she probably can’t Skype with her grandchildren, etc.

                                Do your non-tech loved ones a favor and buy them an iPad. Despite the problems of Apple or Apple hardware, it is the most secure consumer platform, that gets updates for at least half a decade, and probably supports any popular application they’d want (Skype, Netflix, Youtube, Facebook, etc.).

                                1. 6

                                  An iPad would work well for some people, but for many of my older relatives, they have trouble with the touchscreen input. They can all type reasonably well, since they’re of a generation where Typing was an entire course you took in school, but find touchscreen-typing to be frustrating. As far as something similar but with a kb, not sure whether iPad+bluetooth kb, or just a MacBook would be easier.

                                  1. 4

                                    An iPad would work well for some people, but for many of my older relatives, they have trouble with the touchscreen input. They can all type reasonably well, since they’re of a generation where Typing was an entire course you took in school, but find touchscreen-typing to be frustrating.

                                    That’s interesting and a good point. Though it does not apply to everyone. My mother is in her sixties and never used a computer until 5 years ago (well, except for a domain-specific terminal application when she worked in a library in the 90s). Despite doing some courses, etc. she always found computers too complex. However, since my dad bought an iPad for her ~5 years ago she has been using it very actively. She is able to do everything she wants - iMessaging, sending e-mail, and browsing the web. Later, she also started using a smartphone, since ‘it is just a small iPad’.

                                    At any rate, iPad + KB vs. MacBook would strongly depend on the person and how much they want beyond a simple media consumption device. Of course, if someone is going to compose documents on a device all day, an iPad is a bad option.

                                    Of course, when it comes to typing you don’t want to buy a MacBook 12”/Pro now either ;). The butterfly keyboard is terribly unreliable (my 2016 MBP’s keys are sticky all the time).

                                    1. 1

                                      Sounds like my grandmother. She does almost everything through a web browser. I had her use Ubuntu briefly. She had no trouble using it but just preferred the look and feel of Windows. So she went back. I still get malware calls on occasion.

                                    2. 2

                                      On phones, touch typing sucks for me cuz I have shaky fingers. Miss the keys and have to backspace a lot. Happens less on a tablet with big keys. Doesn’t happen with a physical keyboard regardless of size. I think it’s the extra, tactile feedback my brain gets from raised keys.

                                      1. 1

                                        I use an iPad (with a bluetooth keyboard) while on vacations as a substitute laptop. And with an SSH client program I can even do development on a remote server [1].

                                        [1] I may not like it that much, as the bluetooth keyboard I use is hard for me to use [2]. But I can do it.

                                        [2] Even the keyboards on Mac laptops suck. I generally only use IBM Model M keyboards, but taking one on vacation is a bit overkill I think.

                                      2. 2

                                        Geez, what an assumption ;), maybe grandma is a UNIX wizard and uses qutebrowser and mutt and launches them from the terminal.

                                        Sounds like OpenBSD would work even better for your grandmother than we first thought!

                                        “Internet” would be very slow.

                                        Why would that be?

                                        Do your non-tech loved ones a favor and buy them an iPad. Despite the problems of Apple or Apple hardware, it is the most secure consumer platform, that gets updates for at least half a decade, and probably supports any popular application they’d want (Skype, Netflix, Youtube, Facebook, etc.).

                                        Sorry but no way would I ever subject anyone I know to using an iPad. Not only is their hardware crap (overheating the moment you do anything with it), and not only is their software locked-down-to-the-point-of-unusably crap, but tablets in general are absolutely pointless devices that have no reason to exist in the home. Tablets are great if you’re an engineer that needs to have a lightweight device with a good bright screen that they can use to look at plans on site. For my mother? Why wouldn’t she just use a laptop?

                                        Want to make a spreadsheet of your expenses? Nope, sorry, tablet spreadsheet software is garbage. Hope you like having a keyboard pop up over whatever you’re doing every time you want to input anything. Hope you like being unable to copy a row in a single drag of the mouse like you can on desktop, instead having to apparently click, copy, and manually paste into each cell. etc. They’re just bad devices for doing anything productive with a computer, and contrary to popular belief most people want to sometimes do something productive with their computer, whether it’s making a spreadsheet of their expenses, writing a letter to the editor of their paper, making a newsletter for their knitting association, or whatever. Sure they also want to watch Netflix, but that doesn’t mean that all they want to do is watch Netflix.

                                        1. 2

                                          Why would that be?

                                          https://www.tedunangst.com/flak/post/firefox-vs-rthreads

                                          but tablets in general are absolutely pointless devices that have no reason to exist in the home. Tablets are great if you’re an engineer that needs to have a lightweight device with a good bright screen that they can use to look at plans on site. For my mother? Why wouldn’t she just use a laptop?

                                          Both my parents and wife are completely happy iPad users. Outside work, my wife usually uses her tablet, despite having a laptop. They are safe, fast and effortless (require virtually no tech support). Interestingly, I as an engineer don’t need or want one. I had an iPad and Nexi on several occasions, but would never use them.

                                          YMMV

                                        2. 1

                                          ipads serve ads and manipulate you. allowing a manipulator access to a loved one doesn’t sound like a favor, not for the loved one at least.

                                          1. 5

                                            You will have to expand on that statement. The iPad I’m using to type this does not serve any ads outside apps. Nor do I feel manipulated.

                                            1. 0

                                              ads inside apps are still ads, as are push notifications from apps. and of course ios/app developers aren’t trying to make you feel manipulated.

                                            2. 3

                                              What ads? Paid apps typically don’t show ads. Besides that Safari on iOS has a content blocking API. Install e.g. Firefox Focus, which is a Safari ad blocker (besides a privacy-focus browser), and websites in Safari are ad-free.

                                              I have an iDevice (iPhone) and I never see an ad.

                                              1. 1

                                                youtube and facebook both show ads, and many facebook stories are ads even if they don’t look it. you can circumvent that on an ipad? could your grandma?

                                                1. 3

                                                  What exactly does that have to do with the iPad? Facebook and Youtube are hardly specific to the iPad. Circumvention being ad-blocking? Won’t block facebook stories that are ads.

                                                  1. 1

                                                    the ipad has facebook and youtube apps, as /u/iswrong pointed out.

                                                  2. 1

                                                    Well, the comparison here is unfair. In OpenBSD they wouldn’t even have a Facebook or Youtube app. If they’d use the browser to access Facebook/Youtube in OpenBSD, there would be no difference, since Safari can also do ad blocking. Plus they would get hardware-accelerated video ;).

                                                    1. 1

                                                      right, BSD and Linux don’t have apps, so their utility isn’t tied to apps which show ads and manipulate you. OpenBSD has alternatives to facebook and youtube which don’t have these problems.

                                            3. 2

                                              Feels like a Chromebook would have a lot of the same advantages?

                                              1. 2

                                                What do you mean by “predictable” here? In my experience most major Linux distributions care far more about backwards compatibility between releases than OpenBSD does.

                                                1. 1

                                                  Might depend on the distro. Ubuntu is annoying about changes that break stuff or needlessly force me to learn a new way to do an old thing.

                                              2. 9

                                                OpenBSD feels to me similar to how Linux felt 10 years ago: precisely aimed at me. Now it feels like the ‘powers that be’ in the Linux community are only interested in targeting mobile devices and turning GNOME into macOS’s awful UI design of not letting you do anything that they didn’t think of beforehand.

                                                1. 4

                                                  Why not run Gentoo or NixOS? Both give you as many configuration options as you require and neither sacrifice any speed? If you are security conscious I believe Gentoo still runs the “hardened” sources.

                                                  1. 2

                                                    My concerns have nothing to do with security or configuration. I currently run Gentoo.

                                              1. 2

                                                Is there a video of the talk up anywhere?

                                                1. 1

                                                  There will be no videos from EuroBSDcon this year, sadly.

                                                1. 1

                                                  Author says a common class of gadgets uses such and such registers. Says avoid them in favor of other registers. Maybe the gadget type with those registers is common because the registers themselves are common from compiler choices. Switching registers might lead to gadgets just using those registers instead. Or are there x86-specific reasons that using different registers will do entirely different things you can’t gadget?

                                                  Other than that confusion, slides look like great work. Especially on ARM.

                                                  1. 15

                                                    Author here. Thanks for having a look! It was fun to do this talk.

                                                    Yes, there are X86 specific reasons that other registers don’t result in ROP gadgets. If you look at Table 2-2 in the Intel 64 and IA-32 Architectures Software Developer’s Manual you can see all of the ModR/M bytes for each register source / dest pair, and other places in that section describe how to encode the ModR/M bytes for various instructions using all of the possible registers. When I surveyed the gadgets in the kernel and identified which intended instructions resulted in C3 bytes that were used as returns in gadgets, there were a large number of gadgets that were terminating on the ModR/M byte encoding the BX series registers. You are correct that these gadgets are common because the compiler frequently chooses to use the BX series registers, and the essence of my change to clang is to encourage the compiler to choose something else. By shifting RBX down behind R14, R15, R12 and R13 the compiler will choose these registers before RBX, and therefore reduce the incidence of the use of RBX resulting in a C3 ModR/M byte. We can see that this works because just shifting the BX registers down the list results in fewer unique gadgets.

                                                    To directly answer your inquiry, gadgets arising from using R14, R15, R12, R13 instead (now that they will be more common) are not a problem. The REX prefix is never C3, and we can look at the ModR/M bytes encoding operations using those registers, and none of them will encode to C3. When I look at gadgets that arise from instructions using these registers, they don’t get their C3 bytes from the instruction encoding - they get them from constants where the constant encodes to a C3, so the register used is irrelevant in these cases. So moving RBX down behind R14, R15, R12 and R13 doesn’t result in more gadgets using those registers.

                                                    There are other register pairs that result in a C3 ModR/M byte. Operations between RAX and R11 can result in a C3 ModR/M byte, but these are less common when we survey gadgets in the kernel (~56 in the kernel I have here now). RAX and R11 were already ahead of RBX in the default list anyway, so moving RBX down the list does not result in more gadgets using R11. If you ask why we haven’t moved R11 down next to RBX, the answer is that gadgets using R11 this way are not that numerous, so it hasn’t risen to the top of the heap of most-common-sources-of-gadgets (and therefore has not got my attention). There are many other sources of gadgets that can be fixed and will have a larger impact on overall gadget counts and diversity.

                                                    I hope this clarifies that part of the talk. :-)

                                                    1. 3

                                                      Thanks everyone for the answers. Thank you in particular for this very detailed answer that clarifies how x86’s oddities are creating the attack vectors.

                                                      The reason I wanted to know is that I planned to design around high-end ARM chips instead of x86 where possible because I believed we’d see less ISA-related attacks. Also, certain constructions for secure code might be easier to do on RISC with less performance hit. Your slides seem to support some of that.

                                                      1. 2

                                                        To be fair, x86 doesn’t create the attack vectors, but does make any bugs much easier to exploit.

                                                        ARM doesn’t have nearly the same problem - you can always ROP into a jump to THUMB code on normal ARM instructions, but these entry points are usually more difficult to find than an 0xc3.

                                                      2. 1

                                                        I’m curious to learn more about ROP. I’d like to examine adding support for another target to ROPgadget.py. So what designates a gadget? Any sequence of instructions ending in a return? How do attackers compose functionality out of gadgets? By hand, or is there some kind of a ‘compiler’ for them?

                                                        1. 3

                                                          You might be interested in the ROP Emporium’s guide. Off the top of my head the only automatic tools I know of are ropper and angrop.

                                                      3. 5

                                                        Switching registers might lead to gadgets just using those registers instead. Or are there x86-specific reasons that using different registers will do entirely different things you can’t gadget?

                                                        If I understand this correctly, it’s because the ebx register causes opcodes to be created that contain a return instruction, i.e., opcodes that are useful in ROP. So by avoiding ebx as much as possible, you also avoid creating collateral ROP gadgets with early returns. This issue only happens because x86/amd64 have variable-length opcodes.

                                                        1. 4

                                                          As far as I understand, the register allocation trick is indeed x86-specific. The point is to avoid C3 bytes because these will polymorph into the RET instruction when used in unaligned gadgets. See the “polymorphic gadget” and ‘register selection’ sections in the slide set.
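The register-selection point the talk author explains above (ModR/M bytes for the BX-series registers encoding to C3, R12 to R15 never doing so) and the two replies about polymorphic gadgets, worked through as an added Python example. This is not code from the thread, from the talk, or from clang: it builds the ModR/M byte, enumerates which register-direct pairs collide with the one-byte RET opcode 0xC3, encodes a 64-bit `mov` with the 0x89 opcode, and counts the unaligned rets that a naive gadget scanner would find. The two allocation orders are constructed for illustration and are assumed, not clang's actual tables.

```python
"""Why x86 register choice changes ROP gadget counts (added illustration).

A ModR/M byte is mod(2 bits) | reg(3 bits) | rm(3 bits).  0xC3 is also the
one-byte RET opcode, so an instruction whose ModR/M byte is 0xC3 plants an
unaligned "ret" in the instruction stream.  A gadget scanner that walks the
bytes at every offset treats that byte as a gadget ending.
"""
from itertools import product

# Register numbers as the encoder sees them.  Bit 3 is carried by a REX prefix
# (REX.R for the reg field, REX.B for the rm field), never by ModR/M itself,
# so only the low three bits decide whether the byte collides with RET.
REGS = {
    "rax": 0, "rcx": 1, "rdx": 2, "rbx": 3, "rsp": 4, "rbp": 5, "rsi": 6, "rdi": 7,
    "r8": 8, "r9": 9, "r10": 10, "r11": 11, "r12": 12, "r13": 13, "r14": 14, "r15": 15,
}
RET = 0xC3

# Constructed, illustrative register preference orders (not clang's real tables):
# a "default" that tries RBX first, and the author's described change that
# pushes RBX behind R14, R15, R12 and R13.
DEFAULT_ORDER = ["rbx", "r12", "r13", "r14", "r15"]
MODIFIED_ORDER = ["r14", "r15", "r12", "r13", "rbx"]


def modrm(mod: int, reg: str, rm: str) -> int:
    """Build the ModR/M byte for a register pair (mod=3 means register-direct)."""
    return (mod << 6) | ((REGS[reg] & 7) << 3) | (REGS[rm] & 7)


def encode_mov_reg_reg(dst: str, src: str) -> bytes:
    """Encode 'mov dst, src' for 64-bit registers as REX.W + 89 /r (MOV r/m64, r64).

    The source register lands in the reg field, the destination in rm.
    """
    rex = 0x48 | ((REGS[src] >> 3) << 2) | (REGS[dst] >> 3)  # W=1, R from src, B from dst
    return bytes([rex, 0x89, modrm(3, src, dst)])


def ret_producing_pairs() -> set:
    """All (reg, rm) register-direct pairs whose ModR/M byte equals RET (0xC3)."""
    return {(reg, rm) for reg, rm in product(REGS, REGS) if modrm(3, reg, rm) == RET}


def registers_never_encoding_ret() -> set:
    """Registers that appear in no RET-producing pair, in either operand position."""
    tainted = {r for pair in ret_producing_pairs() for r in pair}
    return set(REGS) - tainted


def unaligned_ret_offsets(code: bytes) -> list:
    """Offsets of every 0xC3 byte, the way a naive gadget finder scans a binary."""
    return [i for i, b in enumerate(code) if b == RET]


def count_unaligned_rets(alloc_order: list, n_needed: int) -> int:
    """Spill RAX into the first n_needed callee-saved registers of alloc_order and
    count how many unaligned RET bytes the resulting code contains."""
    code = b"".join(encode_mov_reg_reg(r, "rax") for r in alloc_order[:n_needed])
    return len(unaligned_ret_offsets(code))


if __name__ == "__main__":
    print("pairs encoding to 0xC3:", sorted(ret_producing_pairs()))
    print("registers that never encode to 0xC3:", sorted(registers_never_encoding_ret()))
    for name, order in (("default", DEFAULT_ORDER), ("modified", MODIFIED_ORDER)):
        code = b"".join(encode_mov_reg_reg(r, "rax") for r in order[:2])
        print(f"{name:8s} first two moves: {code.hex(' ')} -> rets at {unaligned_ret_offsets(code)}")
```

Only `rax`/`r8` in the reg field together with `rbx`/`r11` in the rm field produce 0xC3, which matches the author's remarks about RAX, R11 and the BX registers; R12 through R15 have low bits 100 to 111 and can never contribute the byte, so a function that needs two scratch registers gets one unaligned ret under the constructed default order and none under the modified one. Constant operands that happen to contain 0xC3 are a separate source of gadgets that no register choice removes.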

                                                        1. 1

                                                          So, is this about using OpenBSD as a development environment for working on MirageOS applications?

                                                          1. 7

                                                            Yes. More precisely, it is about running mirageos unikernels in vmm: See https://marc.info/?l=openbsd-tech&m=150743896827764&w=2

                                                          1. 6

                                                            Wow, there are a lot of self-hosters here. I self hosted back in University, then used Gmail for a number of years, and went back to self hosting around 2013. I recently migrated my server from openSUSE on Linode to OpenBSD on Vultr. Here an Ansible role if anyone is interested:

                                                            https://github.com/sumdog/bee2/tree/master/ansible/roles/openbsd-email

                                                            My stack: Inbound: OpenSMTPD -> SpamPD (spam assassin) -> OpenSMTPD -> ClamAV -> OpenSMTPD -> procmail -> dovecot Outbound: OpenSMTPD -> DKIM proxy -> OpenSMTPD (relay)

                                                            1. 1
                                                            1. 9

                                                              It landed, but I still have some follow up work to get full support for all types of snapshots. The process that does disk I/O starts with the fds preopened, and is chrooted and pledged, which makes opening the base images of the multi disk snapshots hard.

                                                              1. 2

                                                                Thanks for working on this.

                                                                (I’m really hoping that someday I’ll be able to install Debian under vmm(4) from official install media. Currently it doesn’t detect any CD drives, and I’ve not been able to figure out why).

                                                                1. 1

                                                                  Because Debian install media lack virtio drivers.

                                                                  1. 1

                                                                    I wonder if we could persuade them to include them?

                                                                    I suppose virtualbox and qemu emulate physical CD drives rather than virtio?

                                                              1. 12

                                                                Lots of null pointer dereferences, use-after-free, and double free. OpenBSD really needs a language with affine types or smart pointers that integrates with C. ;)

                                                                1. 6

                                                                  Such a language needs to work on every hardware platform they support and have a BSD licensed compiler/toolchain 🙃

                                                                  1. 5

                                                                    I actually think starting to use C++ in kernel is no-brainer, like GCC did. C++ doesn’t have hardware or toolchain problem, does it?

                                                                    1. 1

                                                                      Although I’m against C++, it’s clearly an option with more safety features and low-cost abstractions all the time. I’ll note that folks developing L4 microkernels and Genode started using it for those reasons. At this point, I’d rather whatever it is be a safer C with better abstractions that outputs vanilla C. That would solve most of the tooling and integration issues that come with a language switch. It also dodges C++’s huge complexity. It’s ridiculously complex.

                                                                      1. 3

                                                                        a safer C with better abstractions that outputs vanilla C.

                                                                        Sounds like Nim to me. MIT license.

                                                                        1. 3

                                                                          It’s close! I’m eyeballing it for that use with Brute-Force Assurance. It would have way more acceptance than a Scheme-based solution. I’d have to swap its syntax out since C developers switch to C-like languages more than Python-like languages. The compiler for this purpose should produce C that looks like what a person would write more than a machine. It should at least be an option. Lets it get used incrementally in existing, C projects. Finally, the people I see online griping about the compiler means they need to focus hard on getting it in good shape or someone has to build a separate, certifying compiler.

                                                                          So, that’s what I was thinking when I assessed Nim as C replacement in general and for safety critical. Oh yeah, contracts! Frama-C or Ada-style contracts supported by default. Lets you encode whatever extra stuff the type system doesn’t already handle. I don’t know if they have contracts.

                                                                    2. 2

                                                                      I’m sure they could build the language or C extensions, given they built a whole OS and maintained (still do?) a compiler for it. It would also help them achieve their security goals better than their developers are doing now with the C language. A good investment, I’d say.

                                                                      1. 10

                                                                        This could happen if one or more people with interest and motivation showed up and managed to work well with the project to integrate this with the system as yet another form of mitigation.

                                                                        As for the existing devs, they are all already very busy scratching their own itches and pursue their own ideas, some related to security, some not. And generally they don’t like to be told what to work on in the time they volunteer.

                                                                        1. 1

                                                                          Exactly. The average coder in Rust is currently outperforming the OpenBSD team on these kinds of bugs due to type system. That means these bugs happen since they don’t care enough to prevent them. They’re about QA and mitigation tech up to a certain point with certain bug-adding tech (eg C language). Past that point or with different mitigations (esp language), they start making excuses about time, itches, and so on. I’ll keep pointing this out every time evidence of easily-prevented bugs comes in. Maybe something will click in a reader’s head that leads to a solution.

                                                                          Many of them also tell other people how they should be doing UNIX design, quality or security. Sometimes even in a snooty way. They like doing that despite aggravation it might cause others. You say those same people don’t like “to be told” they should use more secure tech in a security-focused project. It sounds like there’s a life lesson in there somewhere on top of some security lessons.

                                                                          1. 5

                                                                            since they don’t care enough to prevent them

                                                                            That’s a tad inflammatory, nay? Suggesting that not using Rust is tantamount to not caring. It’s not like the Linux/BSD kernel could be rewritten in Rust in a day; there are 20+ years of development in there.

                                                                            And while it’s not exactly a fair comparison, as it’s been run against Linux for longer, 9 issues (which have been fixed) versus quite a few in Linux suggests something in OpenBSD is working.

                                                                            1. 1

                                                                              Yeah, a tad inflammatory to match the style of their mailing lists talking about other OS’s or hardware vendors not doing enough for security. I always give them credit for their strong points of simplified UNIX, code review/quality, mitigations, and great documentation. Plus, I like a few of them personally.

                                                                              As far as your counterpoint goes, it’s a strawman (full rewrite) that’s not even what I’m proposing. I’m saying folks that cared, seeing the language cause issues, would make a safer version like others did in other projects (e.g. Clay, Cyclone). One highly compatible with C. They’d write new code in that language. The extensive rewrites of existing code they already do would be done in that language. Over time (years), most or all of the OS would be converted to the safer language. Someone might even write tools to automate this.

                                                                              1. 5

                                                                                The idea of a slightly modified C which would somehow prevent use-after-free and similar bugs is good. It’s similar to other ideas OpenBSD has already realized such as adding C API functions which are easier to use safely, or hardening of the C run-time against ROP. And it’s not as if the C we’re writing did not contain non-standard extensions already (packed structs, gcc-isms inherited by clang, etc.)

                                                                                Now, where are some compiler-writing C language lawyer academics with the needed skills who would sit down with a bunch of OpenBSD hackers and volunteer a lot of their spare time for this? In over 10 years of involvement with the project I’ve never met a person with this skill set. In a volunteer project you have to work with the skills you happen to get.

                                                                                1. 1

                                                                                  Glad you’re open to the possibility if you had help for it. The people behind Clay and Cyclone might have helped given they were already doing hardest parts. It’s possible you didn’t know those languages exist. The folks good at researching and developing languages usually aren’t good at polish, outreach, and so on.

                                                                                  It’s possible we need a sponsor organization or new type of volunteer for such a role. One that’s a middle-person between the team with time to build compilers and the people that would use them. Such a person would need to be able to influence compiler developers to ensure they don’t do anything that kills adoption. I figure there’d be a lot of negotiations with middle person doing tie breakers on stuff people were divided on. Probably also need to be a compiler developer themselves so they can do the polish, packaging, and later maintenance.

                                                                      2. 2

                                                                        I realize this is mostly bikeshedding, but does the core team regularly (or ever) consider this? Or is this seen as too much overhead - learning the subtleties of a new language/implementation on top of the difficulty of os/kernel development. I would think the D language folks would love to team up with one of the BSDs to focus on whatever language demands the OS team would come up with.

                                                                    1. 7

                                                                      I’m not familiar with the size of the OpenBSD kernel, can anyone give a sense of what fraction of the kernel 226 syscalls is?

                                                                      1. 9

                                                                        That’s pretty close to every syscall I believe. The last syscall is 330, but there are several large gaps.

                                                                        http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/sys/kern/syscalls.master?rev=1.188&content-type=text/x-cvsweb-markup

                                                                        1. 12

                                                                          syscalls like ioctl() trigger so many code paths that it would make sense to count each ioctl type as a separate syscall for purposes of fuzzing.
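Added example (not from OpenBSD’s tree or this thread) for the two points above, the "how much of the table is 226 syscalls" question and the remark that ioctl() should count as many syscalls: a small reader for a table in the style of sys/kern/syscalls.master that separates implemented entries from OBSOL/UNIMPL gaps, computes what fraction of the implemented entries a given set of syscall numbers touches, and expands a multiplexed call into one target per request code. The table text and its numbering are constructed for the example, not OpenBSD’s real file, and the three ioctl request names are a constructed stand-in for the per-device set.

```python
# Added example (not from OpenBSD's tree or the thread): a small reader for a
# syscalls.master-style table that answers "what fraction of the syscall table
# do N syscalls cover?" and, following the ioctl() remark, lets a multiplexed
# call be expanded into one target per request code. CONSTRUCTED_MASTER is a
# made-up excerpt in the style of sys/kern/syscalls.master; its numbering and
# the IOCTL_REQUESTS list are constructed for the example, not OpenBSD's table.
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Set

CONSTRUCTED_MASTER = """\
; constructed excerpt in syscalls.master style -- numbers are not OpenBSD's
0    INDIR   { int sys_syscall(int number, ...); }
1    STD     { void sys_exit(int rval); }
2    STD     { int sys_fork(void); }
3    STD     { ssize_t sys_read(int fd, void *buf, size_t nbyte); }
4    STD     { ssize_t sys_write(int fd, const void *buf, size_t nbyte); }
5    STD     { int sys_open(const char *path, int flags, ... mode_t mode); }
6    STD     { int sys_close(int fd); }
7    OBSOL   wait4
8    OBSOL   ocreat
9    STD     { int sys_link(const char *path, const char *link); }
10   UNIMPL
11   UNIMPL
12   STD     { int sys_ioctl(int fd, u_long com, ... void *data); }
13   OBSOL   execv
14   NOLOCK  { int sys_getpid(void); }
"""

# Constructed: three real ioctl request names standing in for the per-device set.
IOCTL_REQUESTS: Dict[str, List[str]] = {"ioctl": ["FIONREAD", "TIOCGETA", "SIOCGIFCONF"]}

IMPLEMENTED = {"STD", "NOLOCK", "INDIR"}   # entries that reach kernel code
GAPS = {"OBSOL", "UNIMPL"}                 # numbered slots with nothing behind them


@dataclass(frozen=True)
class Entry:
    number: int
    kind: str
    name: Optional[str]   # "sys_read(...)" -> "read"; None for gap entries


def parse_master(text: str) -> List[Entry]:
    """Parse 'number kind rest' lines; ';' starts a comment line."""
    entries: List[Entry] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        fields = line.split(None, 2)
        rest = fields[2] if len(fields) > 2 else ""
        match = re.search(r"\bsys_(\w+)\s*\(", rest)
        entries.append(Entry(int(fields[0]), fields[1], match.group(1) if match else None))
    return entries


def implemented_numbers(entries: List[Entry]) -> List[int]:
    return [e.number for e in entries if e.kind in IMPLEMENTED]


def coverage(entries: List[Entry], exercised: Set[int]) -> Dict[str, float]:
    """How much of the implemented table a given set of syscall numbers touches."""
    impl = implemented_numbers(entries)
    hit = set(impl) & exercised
    return {
        "highest_number": max(e.number for e in entries),
        "implemented": len(impl),
        "gaps": sum(1 for e in entries if e.kind in GAPS),
        "exercised": len(hit),
        "fraction": len(hit) / len(impl),
    }


def expand_targets(entries: List[Entry], per_request: Dict[str, Iterable[str]]) -> List[str]:
    """One target per syscall, except multiplexed calls get one per request code."""
    targets: List[str] = []
    for e in entries:
        if e.kind not in IMPLEMENTED or e.name is None:
            continue
        variants = list(per_request.get(e.name, []))
        if variants:
            targets.extend(f"{e.name}:{v}" for v in variants)
        else:
            targets.append(e.name)
    return targets


if __name__ == "__main__":
    table = parse_master(CONSTRUCTED_MASTER)
    print(coverage(table, {1, 2, 3, 4, 5, 6, 9, 12}))
    print(expand_targets(table, IOCTL_REQUESTS))
```

The highest number in a table is a poor measure of attack surface because of the gaps; the implemented count is the denominator that matters, and once ioctl() is expanded per request code the target list grows well past the syscall count.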

                                                                        2. 1

                                                                          I second this question. That’s a big number for a security-focused OS. Might be reasonable, too, given it’s a monolithic kernel with batteries included. I did a quick check on the site. Didn’t see a full list of system calls.

                                                                        1. 5

                                                                          Germany has an equivalent called Freifunk that is quite popular.

                                                                          1. 2

                                                                            Was it not true that it was illegal to have unsecured wifi in Germany? Or has this been overturned?

                                                                            1. 8

                                                                              It was never illegal, but the operator was liable for all network activity. That was recently reversed.

                                                                              1. 2

                                                                                The new law instead allows content owners to force individual wifi operators to block certain web sites from being reachable via their open network. The technical ‘how’ is of course left unspecified. It will be interesting to see how this rule gets applied in practice.

                                                                              2. 3

                                                                                What tedu says is correct. The liability problem is gone.

                                                                                The official Freifunk firmware dodged that by routing outbound traffic through a VPN though.

                                                                            1. 1

                                                                              Although this response is reasonable up to and including the first point, the second point is a little less convincing. The idea that it’s okay to be bad at security simply because someone else was bad at security is unfortunate at best.

                                                                              The first point is - although not completely wrong - definitely debatable since these connections can be made simultaneously and aren’t blocking each other, which seems like what they are trying to insinuate here.

                                                                              1. 10

                                                                                I think there’s a distinction to be made between “bad at security” and “not actually a security boundary”. If you retroactively redefine public info to be a secret, it shouldn’t be surprising that everyone is “bad” at protecting it, or that someone might push back and say it’s not a bug.

                                                                                1. 1

                                                                                  And how and why is a username considered public information, they asked? https://lobste.rs/u

                                                                                  1. 1

                                                                                    If you assume every user on your system is public info then you are making privacy decisions on behalf of and at the expense of others, and the alternate solution of treating them as private information doesn’t harm anyone. What are the concerns with the user information being private as opposed to public?

                                                                                    If there isn’t a reason for it to be public, then I’d say that it’s absolutely bad in this case. Both from a security and from a general user perspective.

                                                                                  2. 3

                                                                                    They mentioned the MaxStartups parameter, which does seem like it will cause connections to block.

                                                                                    1. 1

                                                                                      Ah! Legit :) Hopefully that’s a low number by default

                                                                                  1. 4

                                                                                    This is really interesting to get an idea of how people are taking advantage of BSD! I now have a much nicer idea of why people are going to it (and am a bit tempted myself). That feeling of having to go through ports and simply not having 1st-class support for some software seems… rough for desktop usage though

                                                                                    1. 3
                                                                                      1. 1

                                                                                        I mean “someone talks to me about an application and I’m interested in trying it out on my system”?

                                                                                        I feel like the link to the CVE database is a bit of an unwarranted snipe here. I’m not talking too much about security updates, just “someone released some software and didn’t bother to confirm BSD support so now I’m going to need to figure out which ways this software will not work”.

                                                                                        To be honest I don’t really think that having all userland software come in via OS-maintained package managers is a great idea in the first place (do I really need OS maintainers looking after anki?). I’m fine downloading binaries off the net. Just nicer if they have out of the box support for stuff. I’m not blaming the BSDs for this (it’s more the software writer’s fault), just that it’s my impression that this becomes a bit of an issue if you try out a lot of less used software.

                                                                                        1. 4

                                                                                          As an engineer that uses and works on a minority share operating system, I don’t really think it’s reasonable to expect chiefly volunteer projects to ship binaries for my platform in a way that fits well with the OS itself. It would be great if they were willing to test on our platform, even just occasionally, but I understand why they don’t.

                                                                                          Given this, it seems more likely to expect a good experience from binaries provided by somebody with a vested interest in quality on the OS in question – which is why we end up with a distribution model.

                                                                                          1. 2

                                                                                            Yep, this makes a lot of sense.

                                                                                            I’m getting more and more partial to software relying on their host language’s package manager recently. It’s pretty nice for a Python binary to basically always work so long as you got pip running properly on your system, plus you get all the nice advantages of virtual environments and the like letting you more easily set things up. The biggest issue being around some trust issues in those ecosystems.

                                                                                            Considering a lot of communities (not just OSes) are getting more and more involved in distribution questions, we might be getting closer to getting things to work out of the box for non-tricky cases.

                                                                                            1. 8

                                                                                              software relying on their host language’s package manager

                                                                                              In general I’m not a fan. They all have problems. Many (most?) of them lack a notion of disconnected operation when they cannot reach their central Internet-connected registry. There is often no complete tracking of all files installed, which makes it difficult to completely remove a package later. Some of the language runtimes make it difficult to use packages installed in non-default directory trees, which is one way you might have hoped to work around the difficulty of subsequent removal. These systems also generally conflate the build machine with the target machine (i.e., the host on which the software will run) which tends to mean you’re not just installing a binary package but needing to build the software in-situ every time you install it.

                                                                                              In practice, I do end up using these tools because there is often no alternative – but they do not bring me joy.

                                                                                              Operating system package managers (dpkg/apt, rpm/yum, pkg_add/pkgin, IPS, etc) also have their problems. In contrast, though, these package managers tend to at least have some tools to manage the set of files that were installed for a particular package and to remove (or even just verify) them later. They also generally offer some first class way to install a set of a packages from archive files obtained via means other than direct access to a central repository.

                                                                                              1. 3

                                                                                                For development I use the “central Internet-connected registry”; for production I use DEB/RPM packages in a repository:

                                                                                                • forces you to limit the number of dependencies you use, otherwise too much work to package them all;
                                                                                                • force you to choose high quality dependencies that are easy to package or already packaged;
                                                                                                • makes sure every dependency is buildable from source (depending on language);
                                                                                                • have an “offline” copy of the dependencies, protect against “left-pad” issues;
                                                                                                • run unit tests of the dependencies during package build, great for QA!;
                                                                                                • have (PGP) signed packages that uses the distribution’s tools to verify.

                                                                                                There are probably more benefits that escape me at the moment :)

                                                                                      2. 1

                                                                                        That feeling of having to go through ports and simply not having 1st-class support for some software seems… rough for desktop usage though

                                                                                        What kind of desktop software do you install from these non-OS sources?

                                                                                        1. 2

                                                                                          Linux is moving more and more towards Flatpak and Snap for (sandboxed) application distribution.

                                                                                          1. 2

                                                                                            I remember screwing around with Flathub on the command line in Fedora 27, but right now on Fedora 28, if you enable Flatpak in the Gnome Software Center thingy, it’s actually pretty seamless - type “Signal” in the application browser, and a Flatpak install link shows up.

                                                                                            With this sort of UX improvements, I’m optimistic. I feel like Fedora is just going to get easier and easier to use.

                                                                                      1. 11

                                                                                        Note that SMT doesn’t necessarily have a positive effect on performance; it highly depends on the workload. In all likelihood it will actually slow down most workloads if you have a CPU with more than two cores.

                                                                                        In case you’re wondering, this refers to OpenBSD’s giant-locked kernel. Some parts of this kernel are now unlocked (e.g. network stack) but for some workloads 2 CPUs can be faster than 3 or more due to lock contention.

                                                                                        1. 1

                                                                                          Per my understanding, every “physical” CPU can have many cores, and each core can have multiple hardware thread if SMT is supported. So every “hardware thread” is a “logical” CPU. For OpenBSD kernel, does it do special operations according to physical CPU, core and hardware thread? Or just consider “logic” CPU? Thanks!

                                                                                          1. 2

                                                                                            As far as I know the SMT threads were simply exposed as additional CPUs to the scheduler.

                                                                                            1. 1

                                                                                              @stsp Thanks for your response!

                                                                                              If I understand correctly, disabling SMT means cutting the “logical” CPUs in half, right? For example, if the server has one CPU, 2 cores, and every core has 2 hardware threads, in theory the server has 4 “logical” CPUs. Assume my workload has 4 threads, and every thread is independent and computing-intensive (mostly user-space computation, not involving the kernel part, such as syscalls, accessing the network, etc.). Currently the workload can occupy the whole 4 “logical” CPUs. But now, if the count of “logical” CPUs is halved, my workload’s 4 threads need to contend for 2 “logical” CPUs. So in this scenario, the workload’s performance should be downgraded.

                                                                                              Is it correct? Thanks in advance!

                                                                                              1. 3

                                                                                                At least when HT was new, it also meant the caches would be halved unless you disabled HT in bios. So if your threads are doing different things they might suffer from it.

                                                                                                1. 1

                                                                                                  As far as I understand, it doesn’t mean that all 4 threads can progress in parallel, it will depend on which unit in the CPU each thread is utilizing.

                                                                                          1. 5

                                                                                            I can’t follow this at all the way it’s presented.

                                                                                            1. 4

                                                                                              No worries, you are not the only one who is having trouble following it.

                                                                                              This is not an editorialized piece of writing trying to guide you towards a particular point of view. It just shows unredacted facts. The intent is to allow anyone to be a bystander in the discussion that actually occurred and make up their own minds about related questions if they have an interest in doing so. And it is only happening in public because interpretations of what happened contradicting the facts were circulated in public (most recently at BSDcan).

                                                                                              There are no easy answers to the questions raised by the full- vs coordinated-disclosure debate in general. If you are involved in the disclosure process of a security problem and fix, whatever you do, one way or another someone else might potentially be put at risk as a consequence of your actions. And not every risk assessment will lead to the same conclusions.

                                                                                              1. 1

                                                                                                Near as I can figure, there was a bunch of back-channel communications about the issue in the OpenBSD community until the guy who found the issue contacted CERT because he figured out the issue went way beyond OBSD. The OpenBSD folks apparently don’t trust CERT and decided to push a fix to protect OBSD users possibly at the expense of, well, everyone else because…I don’t know…screw them, I guess.

                                                                                                You put us in a conundrum. We knew there was a problem and how to fix it. And when you got CERT involved, we had to assume that information about the problem was now leaking beyond your control into government agencies and private companies, and that some of those “in the know” would have had 2 months of extended embargo time to use an exploit against OpenBSD users. I don’t see any reason to trust every single person in those parts of the security community and in these institutions to act responsibly.

                                                                                              1. 3

                                                                                                wouldn’t you have to agree to an embargo in order to break it?

                                                                                                also: How about blaming the people who created the flaw instead of the people trying to fix it?

                                                                                                1. 8

                                                                                                  Oh believe me, I would like to blame Damien Bergamini for lots of things :) But that wouldn’t do the overall great results of his work justice.

                                                                                                  KRACK was a common flaw across many independent WPA implementations. Which was quite surprising. It has been argued that it’s an 802.11 standard flaw because the standard authors didn’t alert anyone that the state machines described in the documents were incomplete and didn’t account for this issue. But of course the standard authors didn’t notice the problem either at the time.

                                                                                                  1. 7

                                                                                                    “because the standard authors didn’t alert anyone that the state machines described in the documents were incomplete and didn’t account for this issue.”

                                                                                                    Another example where formal specification of a standard might have caught a problem. Especially if it involved state machines.

                                                                                                  2. 2

                                                                                                    wouldn’t you have to agree to an embargo in order to break it?

                                                                                                    Yes, but if you don’t agree to it, don’t complain if you aren’t given disclosure.

                                                                                                    How about blaming the people who created the flaw instead of the people trying to fix it?

                                                                                                    Because that’s not a mutually exclusive position, and a transparent attempt to create a moral high ground where none exists. You can blame both the people who created the flaw and the people who are trying to fix it if they act in bad faith.

                                                                                                    1. 4

                                                                                                      Yes, but if you don’t agree to it, don’t complain if you aren’t given disclosure.

                                                                                                      It’s rather hard to agree to an embargo if you’re not notified of it or offered a chance to agree.

                                                                                                      1. 0

                                                                                                        Since the OBSD folks are talking about the embargo and their participation (or not) in it in all of the emails cited, I assume you’re speaking of the general case and not this specific one. I agree that, in the general case, if you aren’t notified it’s hard to agree to an embargo. That’s not the case here, of course.

                                                                                                        1. 8

                                                                                                          The OBSD people were talking about how they heard rumors of an embargo, and could not get a response from anyone relevant. They were absolutely clear that if they had been able to agree to the embargo, they would have. They were not offered the option.

                                                                                                          The best they got was “You didn’t get a response because you asked the wrong people”. When asked who the right people were – crickets.

                                                                                                  1. 6

                                                                                                    This news caused the public release for XSA-267 / CVE-2018-3665 (Speculative register leakage from lazy FPU context switching) to be moved to today.

                                                                                                    1. 16

                                                                                                      These embargoed and NDA’d vulnerabilities need to die. The system is broken.

                                                                                                      edit: Looks like cperciva of FreeBSD wrote a working exploit and then emailed Intel and demanded they end embargo ASAP https://twitter.com/cperciva/status/1007010583244230656?s=21

                                                                                                      1. 8

                                                                                                        Prgmr.com is on the pre-disclosure list for Xen. When a vulnerability is discovered, and the discoverer uses the responsible disclosure process, and the process works, we’re given time to patch our hosts before the vulnerability is disclosed to the public. On balance I believe participating in the responsible disclosure process is better for my customers.

                                                                                                        Pre-disclosure gives us time to build new packages, run through our testing process, and let our users know we’ll be performing maintenance. Last year we found a showstopping bug during a pre-disclosure period: it takes time and effort to verify a patch can go to production. With full disclosure, we would have to do so reactively, with significantly more time pressure. That would lead to more mistakes and lower quality fixes.

                                                                                                        1. 2

                                                                                                          This is a bad response to the issue. The bad guys probably already have knowledge of it and can use it. A few players deemed important should not get advanced notification.

                                                                                                          1. 15

                                                                                                            Prgmr.com qualifies for being on the Xen pre-disclosure list by a) being a vendor of a Xen-based system b) willing and able to maintain confidentiality and c) asking. We’re one of 6 dozen organizations on that list–the criteria for membership are technical and needs-based.

                                                                                                            If you discover a vulnerability you are not obligated to use responsible disclosure. If you run Xen you are not obligated to participate in the pre-disclosure list. The process consists of voluntary coordination to discover, report, and resolve security issues. It is for the people and organizations with a shared goal: removing security defects from computer systems.

                                                                                                            By maintaining confidentiality we are given the ability, and usually the means to have security issues resolved before they are announced. Our customers benefit via reduced exposure to these bugs. The act of keeping information temporarily confidential provides that reduced exposure.

                                                                                                            You have described a voluntary process with articulable benefits as “needing to die,” along with my response being “bad.” As far as I can tell from your comments you claim “the system is broken” because some people “should not get advanced notice.” I’ve described what I do with that knowledge, and why it benefits my users. I’m thankful the security community tells me when my users are vulnerable and works with me to make them safer.

                                                                                                            Can you improve this process for us? Have I misunderstood you?

                                                                                                            1. 11

                                                                                                              Some bad guys might already have knowledge of it. Once it’s been disclosed, many bad guys definitely have knowledge of it, and they can deploy exploits far, far faster than maintainers, administrators and users can deploy fixes.

                                                                                                              1. 8

                                                                                                                You’re treating “the bad guys” like they’re all one thing. In actuality, there’s a string of bad guys from people who will use a free attack tool to people who will pay a few grand for one to people who can customize a kit if it’s just a sploit to people who can build a sploit from a description to rare people who had it already. There’s also a range in intent of attackers from DOS to data integrity to leaking secrets. The folks who had it already often just leak secrets in a stealthy way instead of doing actual damage. They also use the secrets in a limited way compared to the average black hat. They’re always weighing use vs detection of their access.

                                                                                                                The process probably shuts down quite a range of attackers even if it makes no difference for the best ones who act the sneakiest.

                                                                                                                1. 4

                                                                                                                  The process probably shuts down quite a range of attackers even if it makes no difference for the best ones who act the sneakiest.

                                                                                                                  I believe the process is so effective at shutting down “quite a range of attackers” that it works despite: a) accidental leaks [need for improvement of process] b) intentional leaks [abuse] c) black hats on the pre-disclosure list reverse engineering an exploit from a patch. [fraud] In aggregate, the benefit from following the process exceeds the gain a black hat would have from subverting it.

                                                                                                            2. 9

                                                                                                              Well, it’s complicated. (Disclosure: we were under the embargo.)

                                                                                                              When a microprocessor has a vulnerability of this nature, those who write operating systems (or worse, provide them to others!) need time to implement and test a fix. I think Intel was actually doing an admirable job, honestly – and we were fighting for them to broaden their disclosure to other operating systems that didn’t have clear corporate or foundation backing (e.g., OpenBSD, Dragonfly, NetBSD, etc). That discussion was ongoing when OpenBSD caught wind of this – presumably because someone who was embargoed felt that OpenBSD deserved to know – and then fixed it in the worst possible way. (Namely, by snarkily indicating that it was to address a CPU vulnerability.) This was then compounded by Theo’s caustic presentation at BSDCan, which was honestly irresponsible: he clearly didn’t pull eager FPU out of thin air (“post-Spectre rumors”), and should have considered himself part of the embargo in spirit if not in letter.

                                                                                                              For myself, I will continue to advocate that Intel broaden their disclosure to include more operating systems – but if those endeavoring to write those systems refuse to honor the necessary secrecy that responsible disclosure demands (and yes, this means “embargoed and NDA’d vulnerabilities”), they will make such inclusion impossible.

                                                                                                              1. 18

                                                                                                                We could also argue Theo’s talk was helpful in that the CVE was finally made public.

                                                                                                                Colin Percival tweeted in his thread overview about the vulnerability that he learned enough from Theo’s talk to write an exploit in 5 hours.

                                                                                                                If Theo and the OpenBSD developers pieced enough together from rumors to make a presentation that Colin could turn into an exploit in hours, how long have others (i.e., bad guys) who also heard rumors had working exploits?

                                                                                                                Theo alone knows whether he picked up eager FPU from developers under NDA. Even if he did, there’s zero possibility outside of the law he lives under (or contracts he might’ve signed) that he’s part of the embargo. As to the “spirit” of the embargo, his decision to discuss what he knew might hurt him or OpenBSD in the future. That was his call to make. He made it.

                                                                                                                Lastly, I was at Theo’s talk. Caustic is not how I would describe it, nor would I categorize it as irresponsible. Theo was frustrated that OpenBSD developers who had contributed meaningfully to Spectre and Meltdown mitigation had been excluded. He vented some of that frustration in the talk. I’ve heard more (and harsher) venting about Linux in a 30 minute podcast than all the venting in Theo’s talk.

                                                                                                                On the whole Theo’s talk was interesting and informative, with a sideshow of drama. And it may have been what was needed to get the vulnerability disclosed and more systems patched.


                                                                                                                Disclosure: I’m an OpenBSD user, occasional port submitter, BSDCan speaker and workshop tutor, FreeNAS user and recommender, and have enjoyed many podcasts, some of which may have included venting.

                                                                                                                1. 4

                                                                                                                  If Theo and the OpenBSD developers pieced enough together from rumors to make a presentation that Colin could turn into an exploit in hours, how long have others (i.e., bad guys) who also heard rumors had working exploits?

                                                                                                                  It was clear to me the day Spectre / Meltdown were disclosed that there would be future additional vulnerabilities of the same class based on that discovery. I think there is circumstantial evidence suggesting the discovery was productive for the people who knew about it in the second half of 2017 before it was publicly disclosed. One can safely assume black hats have had the ability to find and use novel variations in this class of vulnerability for at least six months.

                                                                                                                  If Theo did pick up eager FPU from a developer under embargo that demonstrates just how costly it is to break embargo. Five hours, third hand.

                                                                                                                  1. 4

                                                                                                                    If Theo did pick up eager FPU from a developer under embargo that demonstrates just how costly it is to break embargo. Five hours, third hand.

                                                                                                                    I have absolutely no idea what point you’re trying to make. Certainly, everyone under the embargo knew that this would be easy to exploit; in that regard, Theo showed people what they already knew. The only new information here is that Theo is every bit as irresponsible as his detractors have claimed – and those detractors would (of course) point out that that information is not new at all…

                                                                                                                    1. 1

                                                                                                                      With respect, how is Theo irresponsible for reducing the time the users of his OS are vulnerable?

                                                                                                                      Like, the embargo thing sounds a lot to the ill-informed like some kind of super-secret clubhouse.

                                                                                                                  2. 4

                                                                                                                    Theo definitely wasn’t part of the embargo, but it’s also unquestionable that Theo was relying on information that came (ultimately) from someone who was under the embargo. OpenBSD either obtained that information via espionage or via someone trying to help OpenBSD out; either way, what Theo did was emphatically irresponsible. Of course, it was ultimately his call – but he is not the only user of OpenBSD, and it is unfortunate that he has effectively elected to isolate the community to serve his own narcissism.

                                                                                                                    As for the conjecture that Theo served any helpful role here: sorry, that’s false. (Again, I was under the embargo.) The CVE was absolutely going public; all Theo did was marginally accelerate the timeline, which in turn has resulted in systems not being as prepared as they otherwise could be. At the same time, his irresponsible behavior has made it much more difficult for those of us who were advocating for broader inclusion – and unfortunately it will be the OpenBSD community that suffers the ramifications of any future limited disclosure.

                                                                                                                    1. 6

                                                                                                                      Espionage? You’re suggesting one of:

                                                                                                                      1. Someone stole the exploit information, leaked it to the OpenBSD team, a team known for proactively securing their code, on the off-chance Theo would then further leak it (likely with mitigation code), causing the embargoed details to be released sooner than expected,

                                                                                                                      2. OpenBSD developers stole the exploit information, then leaked it (while committing mitigation code), causing the embargoed details to be released sooner than expected.

                                                                                                                      The first doesn’t seem plausible. The second isn’t worthy of you or any of the developers on the OpenBSD team.

                                                                                                                      I’m sure you’ve read Colin’s thread. He contacted folks under embargo after he wrote his exploit code based on Theo’s presentation. The release timeline moved forward. OSs that had no knowledge of the vulnerability now have patches in place. Perhaps those users view “helpful” in a different light.


                                                                                                                      Edit: Still boggling over the espionage comment. Had to flesh that out more.

                                                                                                                      1. 8

                                                                                                                        Theo has replied:

                                                                                                                        In some forums, Bryan Cantrill is crafting a fiction.

                                                                                                                        He is saying the FPU problem (and other problems) were received as a leak.

                                                                                                                        He is not being truthful, inventing a storyline, and has not asked me for the facts.

                                                                                                                        This was discovered by guessing Intel made a mistake.

                                                                                                                        We are doing the best for OpenBSD. Our commit is best effort for our user community when Intel didn’t reply to mails asking for us to be included. But we were not included, there was no reply. End of story. That leaves us to figure things out ourselves.

                                                                                                                        Bryan is just upset we guessed right. It is called science.

                                                                                                                        He’s also offered to discuss the details with Bryan by phone.

                                                                                                                        1. 4

                                                                                                                          Intel still has 7 more mistakes in the Embargo Execution Pipeline™️ according to a report^Wspeculation by Heise on May 3rd.

                                                                                                                          https://www.heise.de/ct/artikel/Exclusive-Spectre-NG-Multiple-new-Intel-CPU-flaws-revealed-several-serious-4040648.html

                                                                                                                          Let the games begin! 🍿

                                                                                                                          1. 1

                                                                                                                            What’s (far) more likely: that Theo coincidentally guessed now, or that he received a hint from someone else? Add Theo’s history, and his case is even weaker.

                                                                                                                            1. 13

                                                                                                                              While everyone is talking about Theo, the smart guys figuring this stuff out are Philip Guenther and Mike Larkin. Meet them over beer and discuss topics like ACPI, VMM, and Meltdown with them and you won’t doubt anymore that they can figure this stuff out.

                                                                                                                              1. 6

                                                                                                                                In another reply you claim your approach is applied Bayesian reasoning, so let’s go with that.

                                                                                                                                Which is more likely:

                                                                                                                                1. A group of people skilled in the art, who read the relevant literature, have contributed meaningful patches to their own OS kernel and helped others with theirs, knowing that others besides themselves suspected there were other similar issues, took all that skill, experience and knowledge, and found the issue,

                                                                                                                                or

                                                                                                                                2. Theo lied.

                                                                                                                                Show me the observed distribution you based your assessment on. Show me all the times Theo lied about how he came to know something.

                                                                                                                                Absent meaningful data, I’ll go with team of smart people knowing their business.

                                                                                                                                1. 4

                                                                                                                                  Absent meaningful data

                                                                                                                                  Your “meaningful data” is 11 minutes and 5 seconds into Theo’s BSDCan talk: “We heard a rumor that this is broken.” That is not guessing and that is not science – that is (somehow) coming into undisclosed information, putting some reasonable inferences around it and then irresponsibly sharing those inferences. But at the root is the undisclosed information. And to be clear, I am not accusing Theo of lying; I am accusing him of acting irresponsibly with respect to the information that came into his possession.

                                                                                                                                  1. 3

                                                                                                                                    Here is at least one developer’s comment on the matter. He points to the heise.de article about Spectre-NG as an example of the rumors that were floating around. That article is a long way from “lazy FPU is broken”.

                                                                                                                                    Theo has offered to discuss your concerns, what you think you know, what he knew, when and how. He’s made a good-faith effort to get his cellphone number to you. If you don’t have it, ask.

                                                                                                                                    If you do have his number, call him. Ask him what he meant by “We heard a rumor that this is broken.” Ask him what rumor they heard. Ask him whether he was referring to the Spectre-NG article.

                                                                                                                                    Seriously, how hard does this have to be? You engaged productively with me when I called you out. You’ve called Theo out. Talk to him.

                                                                                                                                    And yes, I get it. Your chief criticism at this point is responsible disclosure. But as witnessed by the broader discussion in the security community, there’s no single agreed-upon solution.

                                                                                                                                    While you’ve got Theo on the phone you can discuss responsible disclosure. Frankly, I suggest beer for that part of the discussion.


                                                                                                                                    Edit: Clarify that Florian wasn’t saying he knew heise.de were the source.

                                                                                                                                  2. 0

                                                                                                                                    Reread the second sentence in my reply you linked.

                                                                                                                                  3. 2

                                                                                                                                    This is plain libel, pure and simple.

                                                                                                                                    1. -2

                                                                                                                                      It is Bayesian reasoning, pure and simple.

                                                                                                                                      That said, this is a tempest in a teacup, so call it whatever you want; I’m gonna go floss my cat.

                                                                                                                                2. 6

                                                                                                                                  Sorry – I’m not accusing anyone of espionage; apologies if I came across that way.

                                                                                                                                  What I am saying is that however Theo obtained information – and indeed, even if that information didn’t originate with the leak but rather by “guessing” as he is now apparently claiming – how he handled it was not responsible. And I am also saying that Theo’s irresponsibility has made the job of including OpenBSD more difficult.

                                                                                                                                  1. 9

                                                                                                                                    The spectre paper made it abundantly clear that additional side channels will be found in the speculative execution design.

                                                                                                                                    This FPU problem is just one additional bug of this kind. What I’d like to learn from you is:

                                                                                                                                    1. What was the original planned public disclosure date before it was moved ahead to today?

                                                                                                                                    2. Do you really expect that a process with long embargo windows has a chance of working for future spectre-style bugs when a lot of research is now happening in parallel on this class of bugs?

                                                                                                                                    1. 5

                                                                                                                                      1. The original date for CVE-2018-3665 was July 10th. After the OpenBSD commit, there was preparation for an earlier disclosure. After Theo’s talk and after Colin developed his POC, the date was moved in from July 10th to June 26th, with preparations being made to go much earlier as needed. After the media attention today, the determination was made that the embargo was having little effect and that there was no point in further delay.

                                                                                                                                      2. Yes, I expect that long embargo windows can work with Spectre-style bugs. Researchers have been responsible and very accommodating of the acute challenges of multi-party disclosure when those parties include potentially hypervisors, operating systems and higher-level runtimes.

                                                                                                                                      1. 10

                                                                                                                                        Thanks for disclosing the date. I must say I am happy that my systems are already patched now, rather than in one month from now.

                                                                                                                                        I’ll add that some new patches with the goal of mitigating spectre-class bugs are being developed in public without any coordinated disclosure:

                                                                                                                                        http://gitweb.dragonflybsd.org/dragonfly.git/commitdiff/9474cbef7fcb61cd268019694d94db6a75af7dbe

                                                                                                                                        https://patchwork.kernel.org/patch/10202865/

                                                                                                                                    2. 5

                                                                                                                                      Thanks for the clarification.

                                                                                                                                      I don’t think early disclosure is always irresponsible (the details of what and when matter). Others think it’s never irresponsible; and some that it’s always irresponsible. Good arguments can be made for each position that reasonable people can disagree about and debate.

                                                                                                                                      One thing I hope we can all agree on is that we need clear rules for how embargoes work (probably by industry). We need clear, public criteria covering who, what, when and how long. And how to get in the program, ideally with little or no cost.

                                                                                                                                      It’s a given that large companies like Microsoft will be involved. Open-source representatives should have a seat at the table as well. But “open source” can’t just mean Red Hat and a few large foundations. OSs like OpenBSD have a presence in the ecosystem. We can’t just write the rules with a “You must be this high to ride” sign at the door.

                                                                                                                                      And yeah, Theo’s talk might make this more difficult going forward. Hopefully both sides will use this event as an opportunity to open a dialog and discuss working together.

                                                                                                                                      1. 6

                                                                                                                                        Right, I completely agree: I’m the person that’s been advocating for that. I was furious with Intel over Spectre/Meltdown (despite our significant exposure, we learned about it when everyone else did), and I was very grateful for the work that OpenBSD and illumos did together to implement KPTI. This time around, I was working from inside the embargo to get OpenBSD included. We hadn’t been able to get to where we needed to get, but I also felt that progress was being made – and I remained optimistic that we could get OpenBSD disclosure under embargo.

                                                                                                                                        All of this is why I’m so frustrated: the way Theo has done this has made it much more difficult to advocate this position – it has strengthened the argument of those who believe that OpenBSD should not be included because they cannot be trusted. And that, in my opinion, is a shame.

                                                                                                                                        1. 11

                                                                                                                                          Look at it from OpenBSD’s perspective though. They (apparently) tried emailing Intel to find out more, and were told “no”. What were they supposed to do? Just wait on the hope that someone, somewhere, was lobbying on their behalf to be included, with no knowledge of that lobbying?

                                                                                                                        1. 2

                                                                                                                          Slide 15 mentions that deraadt@ signs the patch file. This made me wonder: What happens if he unexpectedly falls critically ill or dies? For at least one OpenBSD release cycle, there might just be no way to sign anything.