FreeBSD and Apple connection

Hello,

I'm curious about the connection between Apple and FreeBSD. I would like to clarify some things.

Does a high percentage of donations come from Apple?

Do FreeBSD developers include code from Apple in the systems?

If yes, how do they deal with security issues? (That is an important question because open source communities do not trust Apple, not only because they are closed source, but because they let third-party people inside your systems.)

How many people do you have reviewing the code of FreeBSD?

Thank you in advance.
 
Avyd said:
I'm curious about the connection between Apple and FreeBSD.
There isn't any to speak of actually.

Does a high percentage of donations come from Apple?
Nope. Not even a small percentage.
http://www.freebsdfoundation.org/donate/sponsors

Do FreeBSD developers include code from Apple in the systems?
Only if Apple has BSD-licensed code that solves an issue. I wouldn't know why they would do that.

How many people do you have reviewing the code of FreeBSD?
There is no code review like the one that happens with OpenBSD for example.
 
AFAIK, FreeBSD is making use of clang and Grand Central Dispatch, both of which were Apple funded and released under a compatible license.

However much of the code flows the other way - OS X makes use of a heap of FreeBSD userland tools in the shell, and I believe various parts of the Unix "layer" within the OS (yes, it is running under Mach) is based on FreeBSD and is caught up to the FreeBSD tree on a semi-regular basis.

Apple is funding clang/llvm because (like FreeBSD) they want to break their dependence on gcc (Which in Apple's case now is pretty much complete. Pretty sure gcc is no longer installed with Xcode at all). This is of particular importance to Apple because the gcc people have been dragging their feet on Objective-C features.

edit:
Reference: http://wiki.freebsd.org/GCD and http://en.wikipedia.org/wiki/Clang
 
throAU said:
AFAIK, FreeBSD is making use of clang and Grand Central Dispatch, both of which were Apple funded and released under a compatible license.

However much of the code flows the other way - OS X makes use of a heap of FreeBSD userland tools in the shell, and I believe various parts of the Unix "layer" within the OS (yes, it is running under Mach) is based on FreeBSD and is caught up to the FreeBSD tree on a semi-regular basis.

Apple is funding clang/llvm because (like FreeBSD) they want to break their dependence on gcc (Which in Apple's case now is pretty much complete. Pretty sure gcc is no longer installed with Xcode at all). This is of particular importance to Apple because the gcc people have been dragging their feet on Objective-C features.

edit:
Reference: http://wiki.freebsd.org/GCD and http://en.wikipedia.org/wiki/Clang

So based on this information, how can I trust FreeBSD if I have zero trust in Apple?

That is the only thing keeping me back from using FreeBSD. Compared to Debian, how many people observe at least the code? After a version freeze does FreeBSD have enough people to at least run through the code to make sure nothing nasty is included?
 
Avyd said:
So based on this information, how can I trust FreeBSD if I have zero trust in Apple?

Many people trust in god. FreeBSD sources are open, you can trust in what you see (and then you know) or in what you guess to know.
 
Avyd said:
So based on this information, how can I trust FreeBSD if I have zero trust in Apple?

Apple isn't writing the code but, even if they are, it's still in the open and looked at by other people. Someone, earlier, said there is no code review. Somebody reviews the code somewhere before it's allowed in the system. FreeBSD doesn't allow just anything submitted to make it to RELEASE without reviewing it.

Your comment about Apple letting third parties into their system also doesn't apply to FreeBSD because FreeBSD is not "their system". What Apple does behind closed doors will be far different than what it does out in the open.

But this whole discussion is just tin-hat stuff anyway that doesn't apply to 99.9999% of us.
 
Avyd said:
So based on this information, how can I trust FreeBSD if I have zero trust in Apple?
Clang is not part of the base of the default compiler in FreeBSD 9, although it will be in FreeBSD 10. Furthermore, Apple is one of many contributors to the Clang project. The code is open. Check it for yourself if you don't trust it.

Avyd said:
That is the only thing keeping me back from using FreeBSD. Compared to Debian, how many people observe at least the code? After a version freeze does FreeBSD have enough people to at least run through the code to make sure nothing nasty is included?

Tell us how many people "observe at least the code" of Debian and we'll then give you an exact comparison.
 
jrm said:
Clang is not part of the base of FreeBSD 9,
Correction, it is. It's just not used as the default compiler. That's still GCC.
 
Avyd said:
So based on this information, how can I trust FreeBSD if I have zero trust in Apple?

That is the only thing keeping me back from using FreeBSD. Compared to Debian, how many people observe at least the code? After a version freeze does FreeBSD have enough people to at least run through the code to make sure nothing nasty is included?

Wow! I thought I was a nut for taking extreme measures when it comes to security.

Not everybody wants to drive a car-bomb into a building, there are those that preserve life and those that don't. Same way with software, that's why the Free Software Foundation, OpenSource movements and much more came to be. When it comes to BSD and Linux, you can browse sources, download and/or alter them to your liking or participate in the development of their Operating Systems or software. That way, you can track/inspect the codes, unlike Apple and Microsoft. Ultimately, you really have no choice but to choose one of the four choices, unless you brew your own Operating System.
 
Avyd said:
So based on this information, how can I trust FreeBSD if I have zero trust in Apple?

That is the only thing keeping me back from using FreeBSD. Compared to Debian, how many people observe at least the code? After a version freeze does FreeBSD have enough people to at least run through the code to make sure nothing nasty is included?

You can read the source code like everybody else - or trust that the FreeBSD team have checked it.

Do you trust Google? Microsoft? HP? Oracle? Adobe? There are plenty of other companies who contribute code to many open source projects or supply applications which you pretty much need these days.


p.s.

Apple are a major contributor to webkit. Which powers Chrome, Safari and Opera. Pretty much any current browser which isn't Firefox.

If you're truly as paranoid as you indicate here, how are you sure that the firmware in your NIC is not compromised, or that the microcode in your CPU isn't? I'd be far more worried about that, than possible bugs in an open source project with source code freely available.
 
And I'll add to the thanks, that this is something I've had to tell many over the years new to security. The code is perfect. You've audited it until you dropped. But do you really trust the compiler that generated the OBJ code from it?

Their face when ... Thanks for that reiteration, bro! :)
 
youngunix said:
Wow! I thought I was a nut for taking extreme measures when it comes to security.

The deeper you dig inside, the more problems you see. Just go to a hackerspace and have some conversations. There are much more paranoid people than me, like I'm not sure I am one.

throAU said:
You can read the source code like everybody else - or trust that the FreeBSD team have checked it.

Do you trust Google? Microsoft? HP? Oracle? Adobe? There are plenty of other companies who contribute code to many open source projects or supply applications which you pretty much need these days.

I do not trust any of them.
On my own physical computers I don't use closed source software. On virtual machines I can separate untrusted ones.

throAU said:
p.s.

Apple are a major contributor to webkit. Which powers Chrome, Safari and Opera. Pretty much any current browser which isn't Firefox.

If you're truly as paranoid as you indicate here, how are you sure that the firmware in your NIC is not compromised, or that the microcode in your CPU isn't? I'd be far more worried about that, than possible bugs in an open source project with source code freely available.

We still have Xombrero/xxxterm or Conkeror, which are keyboard based and faster to browse and better to configure. For gui we have Firefox or Konqueror.
Chromium may be ok for non-serious things or if flash is really needed.

Trusting hardware is an important, but rarely discussed topic. Just look at the vPro feature in Intel which provides remote hw management. You can disable it theoretically or replace your NIC with one which does not support that, etc.
Observing your network can help you identify if something is not ok with your hardware - with that you can at least make sure if something nasty is inside it won't go out from your current network.

SirDice said:
After rummaging through my drawers looking for my tin-foil hat I found an old document I think you should read. Even if you have access to the code and can read it it's still no guarantee there's nothing 'bad' going on. But at some point you have to trust something.

Reflections on Trusting Trust

Thank you for the document, I have read it and it made me think about a Trust System which contributors join, check each other's code and give trust levels. Just like gpg.
 
@Avyd
Aren't you afraid of posting such questions in open space when you now officially know about the existence of Prism and Tempora? The chance is that your IP address is being logged and bugs are being installed in your home over night.

But seriously, think about how beautiful life could be with less fear. Don't take me wrong - I don't intend to laugh at you! But if you are not a suicide bomber or similar, your activities are of no interest to the agencies, as spying also costs money. Fear of chasing on the other hand is a very popular problem among many of us.

Just my 2 cents.
 
vanessa said:
But seriously, think about how beautiful life could be with less fear.

..so religion saved you with a little pinky cloud. Amen.

But seriously, I just wanted to know the connection between FreeBSD and Apple.

It's not being paranoid, but being curious. Hackers are curious.

I don't intend to reply to the other parts as these would be too off-topic.
 
Even if you have access to the code and can read it it's still no guarantee there's nothing 'bad' going on.
As I said, though, it's better than code that's behind closed doors that no one can see. Then you're putting trust in the keyholder.
But at some point you have to trust something.
Exactly!
 
You didn't guess it right about the religion - I am a glowing atheist and react mostly allergic to 'believers'.

Regarding your concerns: yes, the question is interesting. There are however dozens of ways not involving IT in order to get information or chase someone down. So, if you are endangered, it wouldn't be enough to use a secure open source OS.

By the way, has Apple seriously donated the cosmic amount of $99 to FreeBSD (regarding the list)? Wow! I'm impressed!

To me it sounds as if Apple ridicules FreeBSD after profiting so much from the project.
 
As for the code review, after many years I think this is how it works. If there's somebody more knowledgeable than me please chime in.

As far as I know there's only a handful of people that have commit access to the source tree. I believe there's a distinction made between userland and kernel but some people may have access to both. Patches can come from everywhere, the mailing-list or, preferably, via the send-pr system. Because only a handful have commit access they will need to 'review' the code.

I was more thinking about the review process of OpenBSD code but that's probably more of an audit than a review. In this respect the FreeBSD code isn't being audited in the way the OpenBSD code is. But, there's a lot of 'cross-pollination' going on between the different BSDs. If OpenBSD finds some major issue the solution will eventually find its way to FreeBSD and vice versa.
 
vanessa said:
You didn't guess it right about the religion - I am a glowing atheist and react mostly allergic to 'believers'.

Looks like guessing is not working between us ;)

vanessa said:
Regarding your concerns: yes, the question is interesting. There are however dozens of ways not involving IT in order to get information or chase someone down. So, if you are endangered, it wouldn't be enough to use a secure open source OS.

Definitely.

vanessa said:
By the way, has Apple seriously donated the cosmical amount of 99$ to FreeBSD (regarding the list)? Wow! I'm impressed!

For me it sounds as would Apple ridicules FreeBSD after profiting so much from the project.

"Apple Matching Gifts" - Funny, they donated more than in 2012.

There is also "Steve Jobs, in memory of" and "Microsoft Matching Gifts Program".

Thank you for mentioning, but besides it's funny, I don't think it makes things different in the development.
 
vanessa said:
I am a glowing atheist and react mostly allergic to 'believers'.

HEY! I believe in FreeBSD, its developers and founding fathers. Don't you take that away from me, you lady with a beautiful name.
 
SirDice said:
After rummaging through my drawers looking for my tin-foil hat I found an old document I think you should read. Even if you have access to the code and can read it it's still no guarantee there's nothing 'bad' going on. But at some point you have to trust something.

Reflections on Trusting Trust

Pretty much (I've read that article back in the mid-late 90s as well). Worth noting is that the article is from 1972 and the government has no doubt been well aware of how to do this since then or even previously. How much do you trust your device firmware?

At some point it comes down to risk vs. cost of mitigation.

The cost to write your own software entirely from scratch (in machine code, to avoid Thompson's compiler trojan scenario) for your own hardware design, manufactured by yourself (to avoid microcode/firmware bugs by the OEM) is just way too much. Abandoning computer use entirely would be far less costly in terms of time, money and lost functionality.

By the way, Konqueror runs Webkit, and there are proof-of-concepts to escape the VM sandbox on x86.

What are you going to observe your network with? Unless it's an oscilloscope (and you are manually decoding each frame by observing the waveform on the wire), then you are trusting what the firmware in your machine's network adapter is relaying to you. It may well be silently processing frames and not letting you view them due to firmware level bugs (as in, the surveillance kind).

And even if you do all that - as soon as you hit your ISP's router, you're boned. Even if you run your own clean-room implementation of IPsec, if you talk to any other machine with it, you're boned.

So you're going to be limited to IP over avian carrier.

But do you trust the birds?

The latency sucks, too.
 
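The compiler-trojan scenario from Thompson's paper, together with the standard countermeasure (David A. Wheeler's diverse double-compiling, DDC), as an added worked example that is not part of this thread and not code from FreeBSD, LLVM or Apple. Everything in it is constructed for illustration: the "language" is Python source compiled to Python source, so a compiler is just a function compile_program(src); the login program, the hand-written "trusted" compiler and the backdoor password 'joshua' are invented. The point it makes is the one SirDice and throAU raise: both the compiler source and the login source are clean, yet the built login still accepts the backdoor.

```python
"""Toy model of Thompson's self-propagating compiler trojan and of Wheeler's
diverse double-compiling (DDC) check.  Added example, not from the thread.
'Object code' here is Python source, so running a binary means exec()ing it.
The login program, the backdoor password and all names are constructed."""

# Pristine compiler source, as an auditor reads it in the tree: no backdoor.
CLEAN_COMPILER_SRC = '''
def compile_program(src):
    # trivial compiler: object code is the source itself
    return src
'''

# Pristine login program source: only the stored secret is accepted.
LOGIN_SRC = '''
def login(user, password, stored):
    return password == stored
'''

# The trojan the attacker once planted in a compiler *binary*.  It is a quine:
# _T holds its own template, so it can re-emit itself whenever it notices it is
# compiling a compiler, and it plants a backdoor whenever it compiles login().
TROJAN_TEMPLATE = '''
_T = %r
def _trojan(src, out):
    if "def login(" in src:
        out = out.replace("return password == stored",
                          "return password == stored or password == 'joshua'")
    if "def compile_program(" in src:
        out = out + (_T %% _T) + "\\ncompile_program = _wrap(compile_program)\\n"
    return out
def _wrap(f):
    def g(src):
        return _trojan(src, f(src))
    return g
'''
TROJAN_PAYLOAD = TROJAN_TEMPLATE % TROJAN_TEMPLATE

# Stage-0 evil binary.  The attacker built this once; the trojan never has to
# appear in the compiler's source tree again.
EVIL_COMPILER_BIN = (CLEAN_COMPILER_SRC + TROJAN_PAYLOAD
                     + "\ncompile_program = _wrap(compile_program)\n")


def load(binary, name):
    """'Run' an object-code blob and return the entry point called name."""
    ns = {}
    exec(binary, ns)
    return ns[name]


def backdoor_survives_rebuild():
    """Rebuild the compiler from audited source with the evil binary, then build
    login from audited source with that rebuilt compiler.  Returns True when the
    backdoor password still opens login although neither source mentions it."""
    assert "joshua" not in CLEAN_COMPILER_SRC and "joshua" not in LOGIN_SRC
    rebuilt_bin = load(EVIL_COMPILER_BIN, "compile_program")(CLEAN_COMPILER_SRC)
    login_bin = load(rebuilt_bin, "compile_program")(LOGIN_SRC)
    login = load(login_bin, "login")
    return login("alice", "joshua", "correct-horse-battery-staple")


def diverse_double_compile(suspect_bin, trusted_bin, compiler_src):
    """DDC: compile compiler_src with the suspect compiler and with an
    independent trusted one, then let each result compile compiler_src again.
    Two honest, deterministic compilers built from the same source emit
    identical stage-2 output; a self-propagating trojan shows up as a mismatch.
    Returns True when the suspect passes."""
    stage1_suspect = load(suspect_bin, "compile_program")(compiler_src)
    stage1_trusted = load(trusted_bin, "compile_program")(compiler_src)
    stage2_suspect = load(stage1_suspect, "compile_program")(compiler_src)
    stage2_trusted = load(stage1_trusted, "compile_program")(compiler_src)
    return stage2_suspect == stage2_trusted


if __name__ == "__main__":
    print("backdoor survives rebuild from clean source:",
          backdoor_survives_rebuild())
    # The hand-written clean source doubles as the trusted compiler here.
    print("evil compiler passes DDC:",
          diverse_double_compile(EVIL_COMPILER_BIN, CLEAN_COMPILER_SRC,
                                 CLEAN_COMPILER_SRC))
    print("clean compiler passes DDC:",
          diverse_double_compile(CLEAN_COMPILER_SRC, CLEAN_COMPILER_SRC,
                                 CLEAN_COMPILER_SRC))
```

Two caveats carry over to real toolchains. DDC only works if the build is deterministic (same source, same output bit for bit) and if the second compiler really is independent of the suspect one, which is exactly why projects that care about this invest in reproducible builds and bootstrap from a second, unrelated compiler. It also says nothing about firmware or microcode, which is the layer throAU moves the discussion to next.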
throAU said:
Pretty much (I've read that article back in the mid-late 90s as well).

At some point it comes down to risk vs. cost of mitigation.

The cost to write your own software entirely from scratch (in machine code, to avoid Richie's compiler trojan scenario) for your own hardware design, manufactured by yourself (to avoid microcode/firmware bugs by the OEM) is just way too much. Abandoning computer use entirely would be far less costly in terms of time, money and lost functionality.

By the way, Konqueror runs Webkit, and there are proof-of-concepts to escape the VM sandbox on x86.

What are you going to observe your network with? Unless it's an oscilloscope (and you are manually decoding each frame by observing the waveform on the wire), then you are trusting what the firmware in your machine's network adapter is relaying to you. It may well be silently processing frames and not letting you view them due to firmware level bugs (as in, the surveillance kind).

And even if you do all that - as soon as you hit your ISP's router, you're boned. Even if you run your own clean-room implementation of IPsec, if you talk to any other machine with it, you're boned.

Proof-of-concepts and the percent of occurrences are different. Chance for that is low and even after escaping the VM, with the right privileges set what can an automated software do? And what's more you can have extra security with hardening like grsecurity or similar (on FreeBSD there should be an alternative).

My machine adapter, my router, my firewall..etc - I don't think all of them would hide connections. Chances for that are low. Combining devices/software helps.

Why would I use IPSec? Mostly companies use that. Home hosts, private servers, company server..etc are different in many ways and shouldn't be treated the same way.

Konqueror is not WebKit - konqueror.org

At the heart of Konqueror is the KHTML rendering engine (which was chosen by Apple to create WebKit, which today forms the basis for modern browsers like Safari and Chrome). It currently supports the latest Web Standards such as HTML5, Javascript, CSS3 and others. Alternatively, Konqueror can also use Webkit if you're looking for compatibility across the board.

throAU said:
And even if you do all that - as soon as you hit your ISP's router, you're boned. Even if you run your own clean-room implementation of IPsec, if you talk to any other machine with it, you're boned.

So you're going to be limited to IP over avian carrier.

But do you trust the birds?

The latency sucks, too.

Is the bird encrypted lol?
 