When I was younger and had more time, I loved the BSDs. FreeBSD seemed so coherent, I loved the ports collections etc. And FBSD had a reputation for good code. From 2000-2004 I ran FBSD exclusively on my servers. Then slowly, FBSD seemed to start to splinter. First Matt Dillon took off for DragonflyBSD and then I started using Linux more. When I needed a firewall, I chose OpenBSD because Theo seemed to have a tight (some would say too tight) grip on the project.
When FBSD integrated ZFS, I took a look and decided that while I love that file/storage system, FBSD itself had turned more into a lesser version of itself. Perhaps this was due to more pressure from Linux, and fewer developers/contributors.
This entire Wireguard debacle has pretty much turned me off ever using FBSD again. From the inclusion of Sendmail as the default MTA (really? over Postfix) to the lack of development control outlined in this article, I can't trust it.
You also have NetBSD. WireGuard is going to be available with release 10.0 and the default MTA is Postfix.
NetBSD is a low profile BSD, but very capable.
This is an incredibly good piece of journalism. It gives tangible examples of the issues found, puts it in context of prior work done by the developer, features first-hand verification of the claims made against the code; the author reached out for comment to all the parties involved.
I'm also consistently impressed by the quality of comments at Ars Technica whenever I visit the site.
This convinced me to subscribe. We need more journalism of comparable quality.
“you either have a commit bit (enabling you to commit code to FreeBSD's repositories) or you don't. It's hard to find code reviews, and there generally isn't a fixed process ensuring that vitally important code gets reviewed prior to inclusion. This system thus relies heavily on the ability and collegiality of individual code creators.”
From my perspective, this whole thing is due to a severe failure of the development process. The sub-standard code should never have been committed. But if there is no process, is it really a failure? Or is this just how it is on FreeBSD?
It's not. We do a lot of code review, and it's done publicly. It's easy to look at the commit logs. I find it telling that the article doesn't spend even one word trying to delve into our code review practices. This case was an aberration.
Ars seems to be calling all open source software insecure. I’m not saying they are wrong, but what’s the value in their article? Is it gotcha journalism, or are they warning us not to trust BSD-based systems in general? The article starts as a gotcha piece but concludes by saying there’s no review in place to catch these problems.
Having deployed Netgate pfSense hardware at my last 3 startups, words cannot express how disappointed I am in this. I have also recommended them to others. I understand that mistakes happen, but I feel their response was utter garbage. Unfortunately I am done with them and will have to find another option for the future. We need a project to put a web GUI on PF on OpenBSD (while I can sort the .conf files, not everyone can).
Thank you to Jason Donenfeld (Wireguard), Kyle Evans (FreeBSD) and Matt Dunwoodie (OpenBSD) for jumping in and fixing this in a week!
Good that folks on FreeBSD have proper controls that stopped the problem before it was released, and shame on Ars Technica for bringing a completely irrelevant 10+-year-old eviction dispute into an article about technical issues as if it were relevant. This bullshit needs to stop. I mean I get that the guy may have some issues, and burnout is a very real thing, and if the code is low quality then it needs to be addressed, but it shouldn't be "oh and also his code is bad because of a 10-year-old story that has nothing to do with the code in question". We really can do without this stuff, and if they just dropped that whole section, the article would be much improved.
Calling the story an "eviction dispute" is quite an understatement. They served a 4-year jail sentence for sawing a huge hole through the tenants' living room and forging threatening letters as if they were coming from the tenants.
The story is relevant, because:
1. It was already out there in the public. Skipping it completely would be unprofessional.
2. It gives a possible explanation for low code quality.
3. The developer in question is open about his past.
4. A person who went so far as to resort to destruction and deceit in the physical world could easily cut corners in the code review process:
So some Twitter grand inquisitors, whose names always seem to appear if individuals are targeted, discovered some unpleasant details about someone's past.
Code quality (especially when written under pressure) is unrelated to that, and I've seen horrible code from model citizens who check all the Twitter boxes of goodness.
It seems very dangerous to contribute to open source these days if you are not in the right Twitter cliques.
The nice thing is that the FreeBSD developers who were interviewed apparently remained fair and said that the target had produced high quality code before.
> It seems very dangerous to contribute to open source these days if you are not in the right Twitter cliques.
Nope. Lots of people contribute to Open Source without being in any Twitter cliques, they're just getting on with the work and doing their best.
One could also flip what you wrote on its head and say "It seems very difficult to be visible in open source these days if you have been doing things that are illegal or frowned upon". It's the same thing, just without the persecution complex.
At least bad opinions on Twitter are not a crime... and you know, perhaps Ars shouldn’t bring it up, but it’s hard when they themselves refer to it as a personal setback. But even though I absolutely believe everyone deserves a second chance, I really find it hard to sympathize with a person who does what is alleged, doesn’t apologize (as far as I have heard), attempts to flee the charges, then has the gall to lament over how it has negatively impacted their career. At this point it feels like they are more upset about how they had to face consequences for their actions than anything else.
I don’t wish perpetual punishment on anyone for almost any reason. But still... it feels like some necessary self-improvement is sorely missing. I certainly say this as a person who is flawed and full of anti-patterns.
greedo | 5 years ago
Perhaps Theo's strategy was the better path.
rufius | 5 years ago
OPNsense is the truly open source alternative and is a solid option. It was started in protest of pfSense’s less open behavior.
galaxyLogic | 5 years ago
That got me thinking: what's so bad about returning true? What should they be returning?
Then I realized that what the article must be trying to complain about is: "Validation functions which ALWAYS return true".
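An added example (not code from the thread, FreeBSD or WireGuard) of what that complaint means in practice: a constructed peer-config record with a stub validator that returns true unconditionally, beside one that checks the fields a later consumer would trust. The struct layout, the limits and the sample values are assumptions made for illustration.

```c
/* Added example, not code from FreeBSD or WireGuard: a validator that always
 * returns true beside one that checks its input. Record layout, limits and
 * sample values are constructed for illustration. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#define KEY_LEN         32  /* Curve25519 public key length in bytes */
#define MAX_ALLOWED_IPS  8  /* constructed limit for this example */
struct peer_cfg {                           /* constructed peer record */
    uint8_t  pubkey[KEY_LEN];
    size_t   pubkey_len;                    /* must equal KEY_LEN */
    uint16_t n_allowed_ips;                 /* must be <= MAX_ALLOWED_IPS */
    uint8_t  allowed_cidr[MAX_ALLOWED_IPS]; /* IPv4 prefix lengths, <= 32 */
};
/* The anti-pattern: accepts anything, so every caller that trusts it
 * operates on unvalidated input. */
bool peer_cfg_valid_stub(const struct peer_cfg *p) { (void)p; return true; }
/* A real validator: each field a later consumer relies on is checked, and
 * the count is bounded before it becomes a loop limit over the array. */
bool peer_cfg_valid(const struct peer_cfg *p)
{
    if (p == NULL || p->pubkey_len != KEY_LEN) return false;
    if (p->n_allowed_ips > MAX_ALLOWED_IPS) return false;
    for (size_t i = 0; i < p->n_allowed_ips; i++)
        if (p->allowed_cidr[i] > 32) return false;
    return true;
}
/* Constructed samples: a well-formed record, and one whose count exceeds
 * the array it indexes (the kind of input a stub lets through). */
struct peer_cfg sample_good(void)
{
    struct peer_cfg p = {0};
    memset(p.pubkey, 0xAB, KEY_LEN);        /* placeholder, not a real key */
    p.pubkey_len = KEY_LEN; p.n_allowed_ips = 1; p.allowed_cidr[0] = 24;
    return p;
}
struct peer_cfg sample_bad(void)
{
    struct peer_cfg p = sample_good();
    p.n_allowed_ips = MAX_ALLOWED_IPS + 1;
    return p;
}
/* Review check: true when the stub waves through what the real check rejects
 * while the real check still accepts the well-formed record. */
bool stub_hides_malformed_input(void)
{
    struct peer_cfg good = sample_good(), bad = sample_bad();
    return peer_cfg_valid_stub(&bad) && !peer_cfg_valid(&bad)
        && peer_cfg_valid(&good);
}
```

A reviewer's cheap first pass is to look for validators whose body never reads the parameter at all, as the stub above does.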
becausepc | 5 years ago
https://reviews.freebsd.org/D26137
https://news.ycombinator.com/item?id=26596108