perrin at apotheon.com
Sun Jun 3 18:34:02 UTC 2007
On Sun, Jun 03, 2007 at 10:42:33AM +0300, Manolis Kiagias wrote:
> Chad Perrin wrote:
> > On Sun, Jun 03, 2007 at 09:15:22AM +0300, Manolis Kiagias wrote:
> >> Chad Perrin wrote:
> >>> I'm not saying that's what the OpenBSD project does. I'm just saying
> >>> that, for instance, the availability of the ath driver contradicts a
> >>> claim that security is a top priority of the FreeBSD project. Only if
> >>> it was installed and operational by default would that really be the
> >>> case.
> >>> Obviously, I'm assuming it's not installed by default. From what I've
> >>> read so far, it's not -- please correct me if I'm wrong.
> >> Actually to set the record straight, the ath driver is installed by
> >> default in 6.2 RELEASE.
> >> Installed by default meaning the card is recognized during FreeBSD setup
> >> and the user is able to configure it immediately from sysinstall.
> >> The ath driver was also present in 6.1 RELEASE (and maybe earlier?)
> >> although it had to be manually activated as a kernel module and it was
> >> not immediately obvious it was supported since it was not present in
> >> sysinstall during setup.
> > That still sounds like it's not "installed by default" in the sense that
> > I meant it. By "installed by default", I mean you install the system
> > and, without even knowing it (or making a decision), you discover you
> > have a closed-source driver in your system.
> I see your point, bear in mind however that someone who is installing a
> system that he believes consist of only free software may easily
> overlook the fact one of the drivers is not, esp. if it is silently
> recognized and configured with little intervention during setup. A
> security-conscious admin would of course research both the OS and the
> market and choose his hardware wisely. This leaves this kind of
> "vulnerability" to smaller systems (maybe home systems) where the OS is
> installed to existing hardware that was previously used with proprietary
> OSes and where the user / admin is not experienced or knowledgeable
> enough to care.
> In fact it would be better if proprietary drivers were clearly marked as
> such (or a relevant message shown in FreeBSD setup). It's been quite
> some time since I setup my atheros in FreeBSD but I cannot recall seeing
> any warning or indication about the ath driver.
I agree with that idea -- that any proprietary software should be
clearly and unavoidably marked as such. In fact, I'd be happier if
every pkg-descr file in the ports tree included a mention of the license
terms under which the software is distributed.
> >> Although the whole security issue is of course highly debatable, don't
> >> forget how much more secure FreeBSD (or other open source OSes) are
> >> compared to proprietary systems. I've been (and still am) a competent
> >> Windows 200X server admin for years and have seen oh so many holes. Mind
> >> you, most of them actually get exploited. It is nowhere near this in
> >> FreeBSD.
> > One of the keys for this is the fact that they're open source software,
> > of course. To the extent that something like the ath driver is part of
> > your system whether you want it or not, that additional security benefit
> > is reduced. I'm just trying to differentiate between closed source
> > software that affects system security and closed source software that
> > doesn't -- because anything that isn't actually running doesn't affect
> > security (all else being equal).
> Agree with you completely on this, binary-only drivers can cause trouble
> even if well written. If nothing else, the company which writes them has
> limited resources or even incentive to support them and had they been
> open source fixes - security or other - would be implemented in a timely
> manner. I do prefer total open source on my server for security and
> peace of mind. The desktop is however a different thing, I can live with
> the occasional atheros or nvidia driver.
Until such time as there are high quality laptops that provide the
functionality I want/need and also do not use any hardware that requires
closed source drivers for full functionality, I'll be "forced" to use
closed source drivers for my primary system.
Actually, at present I'm not using any closed source drivers for my
primary system, but only because the closed source drivers don't bloody
well work. Because of this, I have to maintain an entire closed source
operating system on another partition. It may eventually be replaced
with a Linux partition so I can use the drivers I need, but something
seems strange and wrong about dual-booting Linux with FreeBSD. It's a
personal hang-up, I guess.
Uh . . . so my point is simply that I, too, prefer no closed source
software, but make exceptions for "desktop" systems sometimes. I wish I
didn't have to.
CCD CopyWrite Chad Perrin [ http://ccd.apotheon.org ]
Dr. Ron Paul: "Liberty has meaning only if we still believe in it when
terrible things happen and a false government security blanket beckons."
More information about the freebsd-questions