On 10/17/15 15:59, français wrote:
> I always find it amusing how OpenBSD is "audited", yet there's not one audit report on the OpenBSD website. The closest answer I've been able to find on the mailing list is to review all of the CVS commit logs. Yeah, that's not opaque in the slightest...
I was going to let this just pass because my day is a bit overfull already, but I guess I'm a glutton for punishment. Note that I don't have any formal attachment to the OpenBSD project, so what follows is my opinion only, formed by some years of interacting with the OpenBSD project as well as other parts of the open source world.
Your choice of words is a bit curious - 'opaque' is certainly not what I would have called providing full access to the source code with close to real-time access to commits as they happen, in almost all cases with informative comments for each step. A potentially valid criticism at some level would have been to say that this provides too much detail and making sense of the overall picture is too hard for a newcomer.
But keep in mind that OpenBSD is developed and maintained primarily for and by its developers, who are most certainly capable of making sense of source code and commit logs. We all get to use the system and enjoy the benefits, but if you're looking for a high-level executive summary style document, that's simply not something that's useful to the project itself. (Then again, I wouldn't be terribly surprised to find that such documents have been produced for their own internal use by organizations that were considering implementing OpenBSD in their systems.) You will find quite a few summaries of work done and planned at various stages in the papers and presentations collection http://www.openbsd.org/papers/; some of them may even be high level enough to give the less tech-minded some idea of the overall work.
And of course, by now we're looking back at a full 20 years of work, so even a very high level executive summary would either need to be quite a few pages or be essentially useless handwaving.
That said, if reading commit logs and source code (even via the friendly cvsweb interface http://cvsweb.openbsd.org/cgi-bin/cvsweb/) is too much work, start with the papers and presentations at http://www.openbsd.org/papers/.
> The bigger problem with OpenBSD is its community. In the FreeBSD world, you have PC-BSD and pfsense, both of which are generally welcomed by the community. With OpenBSD, there were two sister projects that tried to target a similar audience: GnoBSD and Comixwall. Comixwall was the equivalent of pfsense for easy router/firewall management and GnoBSD was an attempt to make an easy-to-use desktop. Both, however, ended up shutting down after Theo and various users told them that their projects were worthless and that they weren't contributing to OpenBSD.

Because Theo and various users told them that their projects were worthless and that they weren't contributing to OpenBSD?
If OpenBSD users and developers said that these projects were useless and that the people behind them were not contributing back to OpenBSD, maybe that was the (possibly unpleasant to some) truth?
It's been a while since both and I can't be bothered right now to look things up, but I can say this: I have yet to find a web interface to firewall administration that I personally found useful, and barring exotic hardware trouble, I can get a useful desktop with OpenBSD up and running within 20 minutes from bare metal, and it's a reasonable assumption that most misc@ posters know enough pkg_add and package names to do the same.
So essentially the projects were packaging of something that was either trivial or not needed (or actively harmful, depending on who you ask), and if the people marketing these trivial efforts were seen to be unlikely to maintain a healthy relationship to their upstream project, I would call them useless too.
If you're doing a derivative of an open source project, keeping a sane relationship to your upstream is an essential part of your self-preservation. If those derivative projects were run by people who didn't see that fairly basic fact, that's their loss, not ours.
--
Peter N. M. Hansteen, member of the first RFC 1149 implementation team
http://bsdly.blogspot.com/ http://www.bsdly.net/ http://www.nuug.no/
"Remember to set the evil bit on all malicious network traffic"
delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.