Re: [hackers] [ii][patch] add support for OpenBSD unveil(2)

From: Roberto E. Vargas Caballero <>
Date: Thu, 13 Sep 2018 09:39:44 +0100


On Wed, Sep 12, 2018 at 08:08:39PM +0200, Laslo Hunhold wrote:
> that's your choice as the maintainer and I am not a fanboy. OpenBSD is
> objectively more secure and it's mainly due to their approach. Credit
> where credit is due.

You shpuld read those [1] and [2]. OpenBSD *IS NOT* objectively
more secure. It only had less security defects because it has less
people inspecting the code. For so many years OpenBSD was running
with very important vulnerabilities that weren't noticied by anyone.

> > If you don't understand any of my reasons, then you should stop
> > posting here and begin to post to OpenBSD, I am pretty sure that Theo
> > will be more friendly than we are (irony mode off).
> Your reasons are simple to understand. The main argument is to
> ask: "When we add OpenBSD-specific code, why not Linux-specific code as
> well?".

No, my point is about having suckless code, and having that ifdef
there makes the code suckmore. Offline I suggested other solutions,
as Dimitris and Hiltjo can confirm, like for example having the patches
in the repo and a rule in the Makefile to patch the sources, or like
creating local versions of the interfaces (ex: mypledge) and having
the ifdef there, or having a file per system with the specific
code of the system. All this options were discarded because at the
end we are missing the point of suckless: Good code and simplicity
as first objective.

> In an ideal world we would have portable interfaces for this, but there
> aren't. Surely ii runs without unveil() just fine, however, you have
> bigger problems when you need a good source of entropy that is secure
> to "tap".

No. This is how when we complaint about the linux users putting
#/bin/bash or using GNU extensions in Makefiles. Core OpenBSD
developers are totally differtent, but OpenBSD is creating a full
culture of people around that only has a centralized view of the
world. They don't contrast the point and they don't generate a
critical actitude, everything that comes from OpenBSD is right,
and OpenBSD is the more secure system, which is obviously false
(there are other systems that are more secure and more reliable,
but maybe less usable, than OpenBSD). This is why I called you a
fanboy, because you don't have that critical spirit and you don't
try to think by yourself, you only repeat dogmas that someone else


Received on Thu Sep 13 2018 - 10:39:44 CEST

This archive was generated by hypermail 2.3.0 : Thu Sep 13 2018 - 10:48:22 CEST