Removing WireGuard Support From FreeBSD Base
kevans at freebsd.org
Tue Mar 16 16:49:10 UTC 2021
You may have recently noticed some chatter around the internet about
FreeBSD's in-kernel WireGuard implementation, and the work we've done
on it in the last week. You may have also noticed additional chatter
afterwards with regards to the original implementation. I'd like to give
some context and information with regards to the current situation, as
well as provide some insight into the future as one of the developers
With regard to the original implementation, this will be my only
commentary on the matter. I'm a developer, and I'm passionate
about the work that I do- often to a fault. I've said some things that
I regret; the accusations that Scott Long alluded to in an e-mail on FreeBSD
mailing lists were indeed made by me, and his phrasing of what I
said was much kinder than it could have been. These were mistakes,
and I'm going to own that. However, my personal belief is that neither
Netgate, pfSense, nor the original developer deserved the level of
scorn and criticism that they've received in the past days from both the
press and the community at large.
In the next day or so, I will be committing a removal of all WireGuard
related bits from our 'main' branch, including the work that I recently
committed. It will be followed up by a removal of the implementation
from stable/13, and we will seek appropriate approval to remove it
from releng/13.0 as well. Please, do not be concerned by any of this;
this is being done with mutual support from all parties.
Did the original implementation have issues? Yes, it did. Are we
certain that our new version -doesn't- have issues? I believe it
doesn't, but it hasn't been through thorough enough review. We hacked
on this for a week, and we all reviewed each others' work in the
process. The problem is that this work, in particular, is a driver with fairly
severe security implications. Review by "three developers working
and beating on it" is not the higher bar that we should be
holding this to. While I believed I was doing what's right for the
community, it's become clear that what's right for the community is
to take a step back and do this the right way.
Note that we're not dropping this effort. We will continue iterating
on this out-of-tree, and we will go through the proper review
channels. Folks will be unhappy in the interim because we're removing
it right now, but in the end we will have a better FreeBSD because of
it. There will be a kernel module available in ports at some point,
but not before it's ready.
Moving forward, myself, members of Netgate, and members of the larger
community *are* working together on strictly technical details. I urge
anyone with an interest in reviewing the driver to also get in touch with me.
Please, let's move forward as a community on this.
More information about the freebsd-arch