Code quality of FreeBSD compared to OpenBSD?

[CoTones]

They want to use features that OpenBSD doesn't have either, like Bluetooth.

Poor OpenBSD devs, how they get electricity in their caves?

I doubt that that is true. Is there a survey or something to back that claim?

Great question. This is the FreeBSD forum so it should be quick and easy to get the answer, right? Honest too..?

 

[vigole]

majority of FreeBSD developers don't run FreeBSD as a desktop system.
[...]
Contrary, most OpenBSD developers run OpenBSD as a desktop daily.

Stats please.
Words like "majority", "most", etc are good enough for TV and their audience, but not for FreeBSD Forums.

 

[Crivens]

Let's see:

1. Company issued Laptop Win10.​
2. Company issued Laptop Win10​
3. Private Laptop running 12-Stable​
4. Private Laptop running 10.4​
5. Private Laptop running Haiku​
6. Fileserver running 12-Stable​

Good enough?

 

[vigole]

I'm not a FreeBSD developer. Anyway!

1. Work laptop: Win10
2. Personal computer: base/releng/12.1 (no dual boot)

[EDIT]: There's also VMs:

1. base/stable/11
2. base/releng/11.4
3. base/releng/12.1
4. base/head

 

[CoTones]

Great Statistics... You won!

Half a bee, philosophically, must ipso facto half not be.
But half the bee has got to be, vis-a-vis its entity. See?
But can a bee be said to be or not to be an entire bee,
When half the bee is not a bee, due to some ancient injury?

 

[sidetone]

 

[Jose]

One of the things that was often mentioned in such discussions is sendmail. Do we need sendmail in base? It could be argued that it should be moved to the ports collection. On the other hand, we need at least some kind of mail delivery support in base, so things like cron jobs and the periodic script outputs work out of the box, which is essential. And sendmail is comparatively small – replacing it with a slimmer delivery agent won’t really save much space (DragonFly BSD did that, but for other reasons).

DMA looks awesome. I really wish it replaced Sendmail in base. I have anti-nostalgia for Sendmail. Too many hours trying to get it to, you know, send mail and then worrying about what security vulnerabilities I had exposed thanks to sendmail.cf's many, many gotchas.

Edit: and here are my BS stats. Two desktops duel-booting Windows 7 and Freebsd 12.1. Freebsd 12.1 server. Gentoo server. Openbsd firewall. Mac laptop. I iz not developr. Do I win something?

 

[ekvz]

I doubt that that is true. Is there a survey or something to back that claim?

FWIW, I run FreeBSD as a desktop for 25 years.

I think i've stumbled across the source of this claim some time ago. If i remember correctly this goes back to some guy supposedly making this observation at a conference and who knows maybe he was even right about it. Repeating this statement years later while leaving out the source to make it sound all inclusive is nothing but flame bait though. Even if not putting desktop usage in relation to code quality doesn't make any sense at all anyways.

 

[sidetone]

What's the share of opensource users who use FreeBSD compared to OpenBSD overall? FreeBSD already has more desktop users from that alone.

Perhaps there's a comparable amount of developers who use a FreeBSD desktop as its primary OS to OpenBSD developers who use that as a primary desktop.

 

[ekvz]

DMA looks awesome. I really wish it replaced Sendmail in base. I have anti-nostalgia for Sendmail. Too many hours trying to get it to, you know, send mail and then worrying about what security vulnerabilities I had exposed thanks to sendmail.cf's many, many gotchas.

Seconded. While i don't have much of a relationship with sendmail at all i'd prefer DMA any just from looking at the configuration. To bad it doesn't support my edge case usecase but it would probably do just fine for most people.

 

[drhowarddrfine]

Nobody knows.
Really don't care.

When I ran my little web dev company, we rarely talked about Linux but we occasionally discussed OpenBSD. So there must be more OpenBSD users than Linux users.
End of discussion.

 

[kpedersen]

I think i've stumbled across the source of this claim some time ago. If i remember correctly this goes back to some guy supposedly making this observation at a conference.

Yes, I think I found similar a few years back. If I recall it was even said in jest from another FreeBSD developer in a semi self-deprecating / modest humor kind of way. And yet it seems at some point it was taken too literally at face value. Possibly because sarcasm doesn't really translate well to text transcripts. Who knows?

I have personally found FreeBSD to be equally as user-friendly as its competition... OpenBSD XD

 

[Matlib]

As for one specific example of a remote hole is OpenSMTPD which was vulnerable for two years before it was found.[...]

Namely, it launched shell -c commands with parameters like e-mail addresses taken directly from remote input without any escaping!! So much for code auditing

 

[sidetone]

we rarely talked about Linux but we occasionally discussed OpenBSD. So there must be more OpenBSD users than Linux users.

I, did, not, know, that!

 

[ekvz]

Namely, it launched shell -c commands with parameters like e-mail addresses taken directly from remote input without any escaping!! So much for code auditing

Ouch. If that's true it's pretty much </thread>. One would think this to be exactly the kind of code that's the first thing to get doublechecked up to the very last bit during audits. Also stuff like this is so extremely easy to avoid in 99% of all cases. Just limit the amount of accepted characters and forget about it. The other 1% that need escaping because some of the problematic characters have to be allowed might be a bit trickier but come on...

 

[Jose]

Ouch. If that's true it's pretty much </thread>. Stuff like this is so extremely easy to avoid in 99% of all cases. Just limit the amount of accepted characters and forget about it. The other 1% that need escaping because some of the problematic characters have to be allowed might be a bit trickier but come on...

Never been a fan of Opensmtpd, but maybe that's just because I'm a Postfix fanboi. I don't think it's fair to judge the whole Openbsd project based on just that part, though. They do have a pretty good track record.

 

[richardtoohey2]

You guys can say what you want, but I know my Atari ST was better than your Amiga!

 

[kpedersen]

Ouch. If that's true it's pretty much </thread>. One would think this to be exactly the kind of code that's the first thing to get doublechecked up to the very last bit during audits. Also stuff like this is so extremely easy to avoid in 99% of all cases.

Unfortunately it is pretty close to that. It stems from the fact that using the shell and piping data, even though is convenient is not entirely designed for security.

A good breakdown of the issue from the developer.

OpenSMTPD advisory dissected

TL;DR: - Qualys released an advisory for a bad, bad vulnerability - an MTA is a very bad software to have a vulnerability in - hole was plugged but that's not enough, similar bugs should be mitigated in the future - article discusses what could have prevented escalation despite the bug What...

poolp.org

I am also slightly surprised it happened but it can. But the error was owned up to, a quick fix was applied and now hopefully OpenSMTPD is bullet proof again

 

[Jose]

I am also slightly surprised it happened but it can. But the error was owned up to, a quick fix was applied and now hopefully OpenSMTPD is bullet proof again

Ahem, that was the third security vulnerability found in Opensmtpd in a month:

CVE-2020-8794 Can Lead to Privilege Escalation and RCE

A root privilege escalation and remote execution vulnerability (designated as CVE-2020-8794) was discovered in OpenSMTPD. The flaw originates from an out-of-bounds read, which attackers can take advantage of to execute arbitrary code.

www.trendmicro.com

The others look pretty bad to me too.

Contrast with the entire history* of security vulnerabilities in Postfix:

Postfix Postfix : List of security vulnerabilities

Security vulnerabilities of Postfix Postfix : List of all related CVE security vulnerabilities. CVSS Scores, vulnerability details and links to full CVE details and references.

www.cvedetails.com

The Opensmtpd author is right in that an SMTP MTA is kind of a worst possible case for writing a secure daemon. You have to parse all this user input text in a privileged process. What I take issue with, and what I think smacks of hubris in the entire Openbsd project, is the idea that there are structural changes you can make to prevent bad things from happening. Opensmtpd was already using privilege separation, and that wasn't enough. I'm now supposed to believe that the latest brainwaves, pledge and unveil, are going to make it impossible for bad things to happen. They may be right. I am skeptical.

* Postfix has been around since 1998. It's possible vulnerabilities were discovered in Postfix before 2008 that are not listed on this page. Please enlighten me if you find any.

 

[scottro]

By the way [USER=63411]ekvz[/USER], you're right about the claim. A member who hasn't been around in awhile, and is missed, IMO, Oko mentioned that and then brought it up every time the subject came up, that FreeBSD devs used Mac and OpenBSD devs used OpenBSD.

But as I watch this thread go on for pages, I kind of think it comes down to what you want. I remember, and I've mentioned it before, how, in a discussion over mutt vs. pine, someone wrote, people pull out all sorts of technical reasons to justify what is, in the end, an emotional decision.

 

[Jose]

This machine has 16 cores and two threads per core. Freebsd's multiprocessing support is better than Openbsd. There's nothing emotional about that.

 

[drhowarddrfine]

Emotion?! Are you guys crazy??!!! You gotta be outta your mind!!!!!!!! SINCE WHEN DOES EMOTION PLAY INTO ANY OF THIS????????!!!!!!!!!!!!!!!!!!!!AAAAAAAHHHHHHHHHHHHH

 

[kpedersen]

Ahem, that was the third security vulnerability found in Opensmtpd in a month:

Eeek.

Well... all fixed and now bullet proof again!!! XD...

(But just to be sure, I will keep mine to only listening on localhost for now)

Postfix looks to be doing quite well. I am actually surprised that it has so few CVEs, even since 2008. That daemon is hit fairly hard each day.

 

[kpedersen]

Emotion?!

May I introduce you to the new FreeBSD CoC?

 

[getopt]

I cringe every time I see postings like here.