Ars Technica article focused on Wireguard regarding FreeBSD

Crivens

Moderator
Staff member
Moderator

Reaction score: 1,611
Messages: 2,493

I have noticed that Wireguard has been implemented in other operating systems very quickly considering the complexity of it. These are reported to be of a better quality but I would be surprised if there aren't issues further down the line for them.
The professional thing for them would be to brew up some cup, shut up, lock up and do a verrry close look at the thing. Maybe there is crud they didn't see?
 

eternal_noob

Aspiring Daemon

Reaction score: 397
Messages: 630

My cat told me that a greedy criminal (ab)used his commit rights to make some quick money.

Any references to historical events, real people, or real locales are used fictitiously. Other names, characters, places, and incidents are the product of the author's imagination, and any resemblance to actual events or locales or persons, living or dead, is entirely coincidental.
 

Beastie7

Aspiring Daemon

Reaction score: 577
Messages: 692

Noticed it, too. Like television "news", it's to stir up emotions not report real problems that concern you. Once a theme loses drawing power, they move on.
Except that it did report a real problem.

There are no checks and balances with commit privileges, no proper code review channel. Why am I donating to a project where one developer is allowed to dump shitty code just before a release of a professional operating system. It does beg the question, where else is this crap happening?

Seeing this type of behavior certainly doesn’t help with my pre-existing frustrations with the system. Maybe if we had 11ac I wouldn’t be so triggered.
 
OP
sidetone

sidetone

Daemon

Reaction score: 851
Messages: 1,752

FreeBSD will survive this, and also adapt to it. I hope Pf Sense survives it too. Sometimes they say negative publicity is good publicity, but not for software or a lot of things.

It's really that fans and those who thought it was a good replacement wanted it in Pf Sense. That's part of why it got so far. It making it to CURRENT was a litmus test for Pf Sense, and it got in that OS too soon. However, I remember reading that.

I don't know about Wireguard, if it's good it deserves another chance, but its code needs independent review. Maybe reviewed code can be on a third party repository platform independent of OS, only added from an upstream repository once its there. That would only be from those who desire Wireguard, or want a parallel derivative that follows behind Wireguard's upstream. Kind of like how Xenocara follows Xorg. If it was a simple to make error by the company, then all of this isn't needed. I wonder if OpenBSD will do a rewrite of it, (a fork is more likely if this didn't happen) as they host other projects.

Ars Technica ran an article on a vulnerability on OpenSSL days ago: https://arstechnica.com/gadgets/202...ty-flaw-that-allows-hackers-to-crash-servers/. It's a similar vulnerability as found in Wireguard: that authentication was bypassed. Now I realize there was already another thread about this as HeartBleed.

This comes to mind. The Linux kernel likely won't have problems much larger than this. But a lot of GNU and GPL code is going to have a lot of issues. If GNUTLS has an issue, it will be one like any of the BSD's had recently, and perhaps not be much worse than that.
 

richardtoohey2

Aspiring Daemon

Reaction score: 300
Messages: 609

Any reason you keep calling Wireguard by the name Netguard? Is there some background story?

On another of your points, so far as I know, OpenBSD worked closely with the Wireguard developers before Wireguard "landed" in OpenBSD.
 

drhowarddrfine

Son of Beastie

Reaction score: 2,280
Messages: 4,262

My point has been, and always will be, that the most important thing that happened is ... nothing.

The second most important thing that happened is that a gap in the development process will be closed.

This howling over the quality of this operating system due to this only shows the aptitude and ineptitude of those doing the howling. These are the rantings of the unknowing and those who wish to make themselves feel superior by pointing out the failure in others while succeeding at nothing themselves. Pointing out failure that, essentially, caused no harm and did nothing is the lowest form of person. Such as most of the commentors on Ars and typical posters on reddit.

I also wish to say that I refuse to let this make me feel bad or feel bad about FreeBSD. It does not affect me. I doubt it affects anyone here, either. And I am positive that no one sitting in any corporate office or outside of Ars and these forums has mentioned it in any meaningful conversation they had today.
 
OP
sidetone

sidetone

Daemon

Reaction score: 851
Messages: 1,752

Any reason you keep calling Wireguard by the name Netguard? Is there some background story?

On another of your points, so far as I know, OpenBSD worked closely with the Wireguard developers before Wireguard "landed" in OpenBSD.
I made a mistake. I must have mixed up WireGuard and Netgate.

The problem is around Macy's commits: whether that was honest human error, carelessness, intentional or problems that were difficult to be foreseen. Not the original code of WireGuard. Netgate simply wanted WireGuard in Pf Sense, and used FreeBSD as a litmus test.

It's saying it was too close for comfort for going into a FreeBSD release. It was in development, where it's well known that, that's not for production systems. FreeBSD current is known for being for testing grounds. Stable is kind of like this way too. The tone of the article is: everyone involved screwed up badly and has a stain on them from this.

Damage was done for Pf Sense and Netgate. It looks like their intention wasn't for bad code to get in. They asked someone who had a reputation for being a good developer and had commit privileges, alternatively the article says he had problems unrelated to software development. Maybe they'll update their release to be without WireGuard. Wireguard's reputation was also hurt from this.

I also question the author's level of expertise for making conclusions, and the associations made. IE, implications of GPL2 code making into the kernel of a development branch, as some GPL2 code is accepted in base. FreeBSD had GPL2 code in its base before, such as GCC, Binutils and modules/drivers. If that's a big deal, that's easily an honest mistake, because a lot of modules in FreeBSD are GPL2, and someone simply moved something from modules to the kernel.

Often, program code isn't portable. Maybe the committer tried to get it in before a release, and ended up adding code to get it in, then made a mistake by moving a FreeBSD module (where GPL2 is allowed) to kernel (where it doesn't belong). Maybe other code was added, as FreeBSD's base is rather slim, and a lot of ports and Linux program builds aren't slim, to simply get it to work. As a separate example, a lot builds with GNU make, but more compatibility work is needed to get BSD make to work. The case isn't about which make was used (as this was a common example), but other software (BSD make was obviously used). However, FreeBSD did replace GNU's binutils for FreeBSD 13 with Elf utils. Adding a bunch of software can make programs work, but the core issue is compatibility issues to make it work with what's in base.

Update:
License
The kernel components are released under the GPLv2, as is the Linux kernel itself.
Other projects are licensed under MIT, BSD, Apache 2.0, or GPL, depending on context.

GPLv2 getting into the development kernel was an honest mistake, where they didn't keep track of everything. All the WireGuard author has to do if they choose, is dual license kernel components which they are the full author of that are needed to go into Pf Sense and FreeBSD.

The harsh criticism that Macy criticized someone else for using GPL code, then did it himself goes overboard. I was likely an honest mistake.

About Macy: What are squatter rights and basic tenant protections in California? Tenants deserve rights, and I say leniency. Squatters are arguably another topic. This is why I wondered heavily how much relevance of what someone did outside of software, had to do with committing code. Sometimes it matters.


This problem has a lot to do with trying to get code in before a release. The insinuation is that Macy intentionally put bad code in. Maybe he did, as the author implies, but that we don't know right now. It's more than likely, Macy's insertion of GPL code into the FreeBSD development kernel wasn't intentional.

This is why it's good not to rush things in to a newly coming release.

When more information comes about, the article itself may be a minor stain on Ars Technica more than on FreeBSD. Not for saying more standards need to be implemented, but for the approach it took.
 

Mjölnir

Daemon

Reaction score: 1,502
Messages: 2,114

Can you elaborate? I searched for "WireGuard", "NetG", "marcy" (case-insensitive), found none.
EDIT Rollback: found my mistake, should have searched for "macy" instead. Looks like he's not frightened of different architectures & domains of CS. Good. Multi-talented unsiversal interests, seems to be ablke to quickly get into the topic; great. Where can I find the tests that were ideally written before trying to weave that non-trivial code into the FreeBSD kernel? Starting to investigate...
 

vigole

Daemon

Reaction score: 1,418
Messages: 1,243

On FreeBSD part:
It didn't bite the RELEASE. thus I see no problem.

On Article itself:
Obviously It's a hit piece. Typical of red tops, like Arstechnica.

On Arstechnica:
Last time (many years ago) I've heard of Arstechnica, it was at Steve creepy Gibson Show. He was constantly reading articles from Arstechnica
-- the only thing he is good at it, i.e. reading articles and blogs, beside fear-mongering and gossip.
A rule of thumb: If he likes it, you should avoid it.
 

Zirias

Daemon

Reaction score: 1,413
Messages: 2,467

On FreeBSD part:
It didn't bite the RELEASE. thus I see no problem.
It was on a releng branch up to the second release candidate. For code with such horrific issues, this is a problem. Someone will have to think about ways to prevent that from happening again.
On Article itself:
Obviously It's a hit piece.
Well, kind of, indeed.
Steve creepy Gibson Show.
Not sure whether you're talking about this lunatic running GRC with these "awesome" secunakeoil tools?
 

vigole

Daemon

Reaction score: 1,418
Messages: 1,243

It was on a releng branch up to the second release candidate. For code with such horrific issues, this is a problem. Someone will have to think about ways to prevent that from happening again.
I won't argue with that. That was from Normal user point of view, i.e. people like me!, Not as a FreeBSD developer, because I realy don't know what's the implication.

Not sure whether you're talking about this lunatic running GRC with these "awesome" secunakeoil tools?
Yes, exactly. Mr. Windows XP Raw socket (1) and WMF (2)

(1) https://www.theregister.com/2001/07/09/steve_walks_on_water_youre/
(2) https://www.zubairalexander.com/blog/microsoft-disputes-wmf-backdoor-claim/
 

vigole

Daemon

Reaction score: 1,418
Messages: 1,243

By the way, what happened to "Ban the Box"?
How does his arrest record have anything to do with anything? We've been told repeatedly, by similar media outlets that "Box" is bad, and #banthebox
Who am I kidding!
 
OP
sidetone

sidetone

Daemon

Reaction score: 851
Messages: 1,752

It depends. The article did overreach by passing off harsh assumptions as absolute truths without knowing everything.

If someone goes though life by being a lying cheating scumbag, or goes around causing drama. Let's say, someone defrauded others, stole, embezzled, stabbed people for money, and makes their living by lying and robbing. Also if the person is cruel, even if it has nothing to do with committing code. Ok, something like that would matter.

In this case it's different. There's a separation between what that person did and the committed code. Were they squatting, or was he trying to kick out people who tried to pay their rent? If they were squatters, Macy still took the wrong approach.


I already pointed out about being criticized excessively over the GPL code in question, and how that would be an easy mistake to make. It didn't make it to release anyway.

The biggest issue is about trying to get code into a newly coming release. This will always cause problems, no matter the intent. There may be more, but this is what we know for sure.
 

Zirias

Daemon

Reaction score: 1,413
Messages: 2,467

I won't argue with that. That was from Normal user point of view, i.e. people like me!, Not as a FreeBSD developer, because I realy don't know what's the implication.
All I contribute (so far?) is in the ports tree, so… this still worries me, because it was very close and should have been caught much earlier. Although I assume such an incident is a singular one.
 

drhowarddrfine

Son of Beastie

Reaction score: 2,280
Messages: 4,262

And if you also notice on the mailing lists that it's not mentioned anywhere which just how much the media can blow things out of proportion among the amateurs and hobbyists with nothing else to do with their time.

I'm not downplaying the incident. I'm, again, saying it's an internal issue just like any other issues that come up in the course of time and it will be dealt with accordingly. Business as (somewhat) usual.
 

_martin

Daemon

Reaction score: 276
Messages: 1,072

Zirias Thanks for posting the link, you spared me some googling time.
I like the Ars Technica article. It pointed out to a problem. It's similar to a near collision in aviation. Nothing really happened but one has to pay really close attention to it and avoid it in the future.
Core team is aware of this, they addresses it and I've no doubt some improvements will come out of it.
 

obsigna

Daemon

Reaction score: 863
Messages: 1,260

Now, I took a breath and tried to understand what WireGuard is about, and how it would be superior to traditional VPN’s. So I started my search on Wikipedia — and just stopped it already here:
Acclaim
WireGuard aims to provide a simple and effective virtual private network implementation. A 2018 review by Ars Technica observed that popular VPN technologies such as OpenVPN and IPsec are often complex to set up, disconnect easily (in the absence of further configuration), take substantial time to negotiate reconnections, may use outdated ciphers, and have relatively massive code bases of over 400,000 and 600,000 lines of code, respectively, which hinders debugging.[6]

WireGuard's design seeks to reduce these issues, aiming to make the tunnel more secure and easier to manage by default. By using versioning of cryptography packages, it focuses on ciphers believed to be among the most secure current encryption methods, and at the time of the Ars Technica review had a codebase of around 4000 lines of kernel code, about 1% of either OpenVPN or IPsec, making security audits easier. WireGuard was praised by Linux kernel creator Linus Torvalds, who contrasted it to OpenVPN and IPsec as a "work of art".[7] Ars Technica reported that in testing, stable tunnels were easily created with WireGuard, compared to alternatives, and commented that it would be "hard to go back" to long reconnection delays, compared to WireGuard's "no nonsense" instant reconnections.[6]
So, Ars Tecnica tells us that the traditional VPN systems are effectively not working. What is Jim Salter of Ars Tecnica talking about? IPsec is complex to setup and disconnects easily? Of course, if you are a dumb-ars, everything is complicated, and normally you are disconnected anyway, with or without IPsec or for what it matters with or without OpenVPN. BTW: The number of lines of IPsec in the FreeBSD kernel is wc -l /usr/src/sys/netipsec/* = 20092.

And why does Linux’s WireGuard got 4000 lines and for FreeBSD, according to the very same[6] Jim Salter, 10times as much hit our kernel, which would be actually 2times of the total IPsec code.

Then one of the best ciphers –– Curve25519, ChaCha20 (sounds like haha120) — created by one guy (Bernstein) who knows exactly two categories of people, namely himself and idiots.

The big question remains, why do we want this piece of fuzz. Wiki and Ars need to get the numbers and the facts straight, and then the next time when our IPsec connection drops (every this and then when Easter and Christmas are celebrated on the same day) we perhaps got some time and sufficient inspiration to start to think about on why WireGuard may become important to our life some day.
 

Trihexagonal

Son of Beastie

Reaction score: 2,314
Messages: 2,885

If someone goes though life by being a lying cheating scumbag, or goes around causing drama. Let's say, someone defrauded others, stole, embezzled, stabbed people for money, and makes their living by lying and robbing. Also if the person is cruel, even if it has nothing to do with committing code. Ok, something like that would matter.

In this case it's different. There's a separation between what that person did and the committed code. Were they squatting, or was he trying to kick out people who tried to pay their rent? If they were squatters, Macy still took the wrong approach.
You pointed out the difference but failed to make it immediately afterward.

I see his private life in regard to how he conducted himself as a Committer as irrelevant. It's how he conducts himself in an ethical manner as a Committer. He seems to have had some problems in that area of Trust and tighter oversight may be called for.

Look at all the crazy things I've talked about doing in my private life. Didn't I still write a Tutorial to help people, keep it updated and try to help when I can? And, for the most part, haven't I conducted myself in a Ethical manner?

I don't agree with the way he conducted himself in his private life. If he would have been my Landlord and tried that business he would have got his butt kicked by a 64 year old man. I'd have gone to jail and what would happen to my good reputation here? :rolleyes:

What should happen?
 

Snurg

Daemon

Reaction score: 589
Messages: 1,349

Still I don't agree with the tone of the article. It's written in a way that just presumes there are severe structural problems (which would imply something about the general quality of FreeBSD)
There are, I know from personal experience, but will not detail for good reasons.

FreeBSD Status Report 2018 Q2 said:
  • Matt Macy's (mmacy@) commit bit was restored under the mentorship of Sean Bruno (sbruno@).
I have read some things that Sean Bruno wrote in the course of time, found it "interesting" (however, forgot in which way I found it "interesting"), and I guess I will look again to get an idea what his role may be.

I don't agree with the way he conducted himself in his private life. If he would have been my Landlord and tried that business he would have got his butt kicked by a 64 year old man. I'd have gone to jail and what would happen to my good reputation here? :rolleyes:
My respect for you would increase even more.
That criminal imho should never even have been allowed a commit bit.
Not to speak of getting his commit bit restored under sort of "mentorship", after he managed to get his commit bit revoked.

What should happen?
Imho Just what happens when a near-catastrophical nuclear incident happened:
Not only examining the present nuclear infrastructure, identifying and remedying the weak points, but also examining the safety culture and working procedures.
 

Trihexagonal

Son of Beastie

Reaction score: 2,314
Messages: 2,885

He faced consequences for what he did in life. At a certain point, what someone does in their life applies to what they do in software. In many cases, like this one, his personal life, and commit bits are two different things.
*
*
We have to hear both sides of this story, and this ends up becoming a discussion not even related to software or anything computer related. I don't feel like doing that, yet, I may not resist and respond.
Nothing personal, sidetone, but I see that logic as flawed.
 
Top