why BSDs got no love (and why security gets no love)

Chad Perrin perrin at apotheon.com
Thu Dec 31 07:27:10 UTC 2009


On Tue, Dec 29, 2009 at 03:17:05PM -0800, Charlie Kester wrote:
> On Tue 29 Dec 2009 at 14:51:23 PST Chad Perrin wrote:
> >On Tue, Dec 29, 2009 at 12:39:01PM -0800, Charlie Kester wrote:
> >>
> >>One question, however.  Are we prepared to back up the claim that the
> >>"sexy" bits of PC-BSD are the least secure?  Your argument depends on
> >>that claim, since it's also implied in your description of development
> >>team's priorities.
> >
> >Define "we".  As I'm not a core developer for FreeBSD, nor anyone in a
> >position of official representation of either the OS development project
> >or the Foundation, my statements in the article should not be taken as
> >necessarily indicative of anyone's opinions but my own.
> 
> I said "we" rather than "you" because I agree with your argument. :)

Ahh, gotcha.  Thanks for clarifying.


> >
> >The claim about the "sexy" bits of PC-BSD is based on my experience with
> >tarted-up GUIs and "feature-rich" software.  It is intended as a
> >generalization rather than a categorical statement of absolute truth.
> >
> >All stuffy pedantry of mine aside, though, if you want to expand on
> >your concerns, I'd be happy to read about them.
> 
> I was wondering if anyone has done a study of reported security holes
> and if that data supports the assertion that the "sexy" GUI stuff PC-BSD
> adds was more likely to be involved than the base OS.

The only studies I know of that even come close to addressing these
issues are the studies that show there tends to be a semi-constant rate
of bugs per so-many lines of code for software projects within particular
subcultures.  That being the case, the sheer weight of lines of code
involved in KDE (the default GUI of PC-BSD), for instance, implies
substantial increase in total number of potentially security-damaging
bugs on the system.

More to the point, though, kitchen sink style installs also tend to run
extra services, redundant server processes, auto-run a bunch of stuff,
and so on -- and I don't really feel I personally need a study to tell me
that's a recipe for security failure somewhere down the road.  I totally
understand the desire for some kind of statistical study that supports
that claim, though, whether for your own edification or for that of
others.


> 
> But even if there hasn't been any such study, I think it would be
> worthwhile to flesh out your assertion with a few examples of the kind
> of security problems that arise when the "sexy" stuff is used.

I don't recall off-hand whether I've written previous articles on that
subject.  I may write some in the future that address that in more depth.
Since that point in particular seemed somewhat outside the scope of the
article to try to support in depth, I kinda left it where it lay.  Nobody
has challenged the point in the discussion thread following the article,
last I checked. . . .


> 
> As I said above, I think the argument stands or falls on our ability to
> defend this point.

Given an obvious need to do so, I'm happy to offer what support I have
for the point.  You're the only person who has asked, though.

-- 
Chad Perrin [ original content licensed OWL: http://owl.apotheon.org ]
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 196 bytes
Desc: not available
Url : http://lists.freebsd.org/pipermail/freebsd-advocacy/attachments/20091231/08ccd2a7/attachment.pgp


More information about the freebsd-advocacy mailing list