"Torvalds, via e-mail, says De Raadt is “difficult” and declined to comment further."
https://www.forbes.com/2005/06/16/linux-bsd-unix-cz_dl_0616t...
Imagine being so hard you're labelled as "difficult" by no other but Linus Torvalds
> A simple tool was presented, iofuzz, that exposes exploitable security flaws in most, if not all, virtual machines available today. To the knowledge of the author, no similar research has been conducted before. The results produced by crashme, a tool well known for over a decade, locating trivial flaws dem- onstrates this. No virtual machine tested was robust enough to withstand the testing procedure used, and multiple exploitable flaws were presented that could allow an attacker restricted to a vir- tualised environment to reliably escape onto the host system. The results obtained demonstrate the need for further research into virtualisation security and prove that virtualisa- tion is no security panacea.
https://taviso.decsystem.org/virtsec.pdf
He’s not wrong based on the research at the time. The mistake is presenting this as if it’s something that will be true for all time. Is virtualization a panacea? No. CPU manufacturers can’t even protect against side channel attacks. But it’s completely missing what this provides which is that the difficulty and cost of creating an exploit is higher today than 20 years ago. And it’s amusing to hear someone blasting away at the security of others when BSD has its own share of problems and architectural weaknesses are discovered through popularity of your system being an attack target, not because you’re smarter than everyone else and made better choices (sometimes it can be true in places, but harder to maintain for a big piece of software like an OS)
I don't understand the constant (almost always unsubstantiated) criticism of the *BSDs from many Linux advocates.
Personally I evaluate each OS by it's merit, and I've concluded that OpenBSD, FreeBSD and some Linux distributions(I use arch btw) are solid operating systems.
On the server I prefer FreeBSD because of it's amazing flexibility, and stable yet evolutionary base system and in my opinion, superior init system. Simple RC scripts FTW.
I use Arch Linux for superior software and hardware support, related to client usage.
I use OpenBSD for various network appliances.
I wished more people would take issue with developers' bad attitudes.
I know this is an extremely unpopular take, but I refuse to use software where the main dev(s) are openly abusive to others. Sadly this includes the majority of open source operating systems and many other very popular applications... but it's my decision and you're welcome to disagree with me. I am not trying to prevent others from using said software, and I don't look down on them for it.
I think if everyone was always forced to separate the art from the artist, then boycotting wouldn't even be a thing, so there should probably be some kind of middle ground.
That is old news, Theo was harsh, arrogant and rude. He was not always right, but always RIGHT!!
But ten years ago. What is the point now?
If OpenBSD pretended Qubes OS was a feature prototype/reference OS build and made a fork of OpenBSD to feature-match Qubes OS (calling it QuBSD or something), that would be great!
I would love to know how OP came across this email nearly 20 years after the fact
My favorite Theologism:
"My favorite part of the "many eyes" argument is how few bugs
were found by the two eyes of Eric (the originator of the
statement). All the many eyes are apparently attached to a
lot of hands that type lots of words about many eyes, and
never actually audit code." -Theo de Raadt
https://en.wikipedia.org/wiki/Linus%27s_lawDude is 100% right
I think de Raadt and OpenBSD are hugely overrated and some takes are as dumb as the one in the post.
OpenBSD is only secure because because it does pretty much nothing and does it very slowly (its firewall just recently broke the 4gbps firewalling capabilty, for example) but somehow a cult has formed around it ¯\_(ツ)_/¯
god bless usenet. The good ol' flame wars aren't what they are used to anymore with all this moderation and trolling feeding each other around here.
Even very smart, very accomplished people can be very wrong. Xen is seeing a resurgence from Xen Orchestra and I've used it in my homelab. It's quite pleasant. I also, of course, use de Raadt's software as well.
One of his dumber takes. Virtualization replaces an ultra-functional general-purpose kernel evolved over decades to support every conceivable application with a drastically smaller "kernel" (KVM and the userland hypervisor). It's a drastic attack surface reduction, and the empirical data bears that out: kernel LPEs aren't even newsworthy (there's whole repos full of unnamed, unremarked-upon LPEs), and KVM escapes are very rare.