
Money trouble at OpenBSD

The OpenBSD project sets the standard for security in free operating systems. More than with any other project, the OpenBSD hackers work at tracking down potential security problems before they affect users. This work has earned OpenBSD a well-deserved reputation for being hard to break.

A recent posting to the openbsd-misc mailing list has raised a non-technical issue: it seems that OpenBSD's finances are not as solid as its software. The project has been running at a $20,000 (US) annual deficit for the last couple of years, with no relief in sight. The problem, it is said, is that OpenBSD users have stopped buying CDs; instead, they content themselves with grabbing a copy from a network server for free. The sales of CDs and related items are a major source of money for the project; if CD sales do not live up to expectations, income will fall short.

LWN asked the OpenBSD project if there was any sort of public information on the group's budget and how it is spent. Unfortunately, it seems that there is no such information. From looking at what information is available, it appears that the biggest single expense is the occasional "hackathons" - coding-intensive developer meetings - run by the project. Beyond that, there are the usual costs for Internet service, equipment, and so on. It appears that very little of OpenBSD's budget goes toward paying salaries to developers.

To support its activities, OpenBSD would like to bring in about $100,000 per year. Donations recently have been a very small fraction of that, however. What the OpenBSD folks are saying now is: something has to change, or the project will be unable to continue at its current level of activity in the future.

Every free software project must support its work somehow. For small projects, that support may consist of no more than the occasional donation of development time by an interested hacker or two. Larger projects require more, however, in the way of infrastructure and developer time. So most projects, once they achieve a certain level of success, have to find a revenue stream from somewhere.

That, often, is when the core developers try to form a business around the project. It may just be a matter of lining up some consulting work to pay for the continued development and maintenance of the code, or there may be a more advanced business plan involved. Sometimes projects are able to obtain sponsors which have some interest in the project's success; witness Google's support of the Mozilla Foundation, for example. Sometimes developers will be hired by a company to work on free code; many Linux kernel hackers make their living in that way.

It is a rare project, however, which is able to get very far with sales of CDs and donations. There is little motivation for anybody with a broadband network connection to order CDs; a simple download gets more current software more quickly. This is why Linux distributors have been moving away from CD sales as a business model for years - and those which haven't are wishing they had. The OpenBSD project is simply discovering the same thing others have found out: the value of a CD is quite low. Anybody who is in the business of selling CDs full of free software is in a commodity business, and one which is in competition with its own customers at that.

There is no other business of any consequence built around OpenBSD, however. There are few products which incorporate OpenBSD, and few high-profile network-based services which use it. While OpenBSD does not lack for users, it seems there are relatively few who see a business interest in supporting its development. It must be said that the abrasive nature of OpenBSD's leadership cannot be helping in this regard.

The same posting hints at one approach for generating some cash:

> [What] a lot of people don't seem to realize is that OpenSSH development is paid from the same pool of money as OpenBSD. OpenSSH is in use by millions around the world however the revenue stream just simply isn't there. This is where other projects could help. Without naming entities or projects by name there are others out there that are sitting on some cash. It would be wonderful if these entities could share some of the wealth to keep us going.

The project, in other words, is appealing to "entities" which obtain some value from OpenSSH to kick into the OpenBSD coffers. It is hard to imagine that, for example, Linux distributors - all of which distribute OpenSSH - are not among the "entities" being targeted here. This is just a bit ironic, given how the OpenBSD founder has chosen to trash Linux recently.

More disconcerting, however, is the implicit threat: support OpenBSD, or OpenSSH may go down the tubes. The answer the project is likely to hear may not be the one they are looking for; the world may ask, instead, why are OpenBSD and OpenSSH funded from the same pool of money? Might it not be better to separate the two - by forking OpenSSH, if necessary? Certainly some way could be found to keep OpenSSH going if OpenBSD were to come to an end.

The end of OpenBSD would be an unfortunate event, however. The project's uncompromising focus on security has raised the bar for all systems and made all of us - even those who have never run OpenBSD - more secure. We all benefit from having a group out there doing the work that the OpenBSD people have taken on. But it is up to the OpenBSD folks to put some of the same attention into securing their financial future, and that means finding a way to obtain money from those who benefit most from OpenBSD's existence. Given the size of the OpenBSD user base and the modest nature of its financial needs, it seems like this problem should have a solution.



Money trouble at OpenBSD

Posted Mar 23, 2006 3:57 UTC (Thu) by finster (guest, #32338) [Link]

I agree that OpenBSD deserves more support than it receives. I know of one fairly large institution that safely sits behind pf running on OpenBSD. I got the shirt, cd and poster on v3.6. Anyone here think they could push some cash their way? I'd hate to see that project suffer a slow decline or any decline, but that apparently has started.

Money trouble at OpenBSD

Posted Mar 23, 2006 4:52 UTC (Thu) by allesfresser (subscriber, #216) [Link]

I have very mixed feelings on this article--on one side I am very appreciative for all the security auditing and especially for OpenSSH, which I use every day. On the other hand, as Jon wrote, the abrasive nature of the OpenBSD leader has kept me from ever using OpenBSD again, and certainly not supporting him with my cash. When someone prints a very insulting cartoon of one of the people that has doggedly fought for all of our freedom (that being one R. Stallman) on the CD insert of OpenBSD, I feel it's appropriate to leave by the nearest exit. There's plenty of people out there that manage to maintain a very high level of technical excellence without the mean-spirited and petulant drama that seems to swarm around Mr. DeRaadt. So I will use their product, and not his. And I've found I like the way NetBSD works better anyway... although Slackware is better yet, and its BDFL is quite personable. :-)

Money trouble at OpenBSD

Posted Mar 23, 2006 6:10 UTC (Thu) by cventers (subscriber, #31465) [Link]

My first reaction to this news was to remember DeRaadt's nonsense in the
media about how 'terrible' Linux is. My second reaction was shock, when I
realized they were trying to use OpenSSH to fund OpenBSD.

You know, this is something I think the KDE project gets right. They don't
have a whole lot of funding, but when one of their developers says "Hey, I
need a new PC" or "We're trying to cover costs" (seen it with both k3b and
amarok), people give generously. There is no politics attached to it.

DeRaadt's downfall will once again be his ironclad, unyielding tendency to
be an absolute ass at every turn.

Money trouble at OpenBSD

Posted Mar 23, 2006 10:21 UTC (Thu) by kleptog (subscriber, #1183) [Link]

I read (I think it was on Slashdot) that OpenBSD has no legal structure and any donations need to be written out to Theo directly. If this is true I can imagine that businesses will have difficulty providing money, they can't write it off as an expense.

I think the article is correct that they need to find a new way to get that's not related to CDs. For example, have some kind of "licence" that people can pay $100 each for. A business can simply buy a pile, write it off as an expense and not have to deal with associated piles of CDs they don't want anyway... The FSF has been doing something similar for years AFAIK.

Money trouble at OpenBSD

Posted Mar 23, 2006 11:07 UTC (Thu) by job (subscriber, #670) [Link]

It all sounds silly. Why would OpenSSH go away just because OpenBSD did? It's all free code. The reason OpenSSH has quite a few external committers is because it is very tied to OpenBSD, look at the changelog for OpenSSH-portable some time. I'm not the least bit worried.

That said, I use OpenBSD a lot and would be very sad if bad things happened to the project. Theo chose the BSD route to fame and fortune. But I just don't think donations will cut it in the long run.

Money trouble at OpenBSD

Posted Mar 24, 2006 16:08 UTC (Fri) by landley (subscriber, #6789) [Link]

OpenSSH still has the following bug:

ssh user@somewhere "sleep 100& echo hello"

It should exit right after printing hello, but it doesn't. It hangs until the background process goes away. Nothing else behaves like that. Telnet doesn't do that. OpenSSH doesn't show this bug when running on OpenBSD.

I ran into this back in 2001: http://www.ussg.iu.edu/hypermail/linux/kernel/0105.0/0039.html

And of course I reported it to the OpenSSH developers. They said it was a known issue, and they refused to fix it because they wanted some obscure TTY behavior or Linux to change to match OpenBSD.

http://www.cs.helsinki.fi/linux/linux-kernel/2001-23/0401.html

I asked the Linux developers and they said the Linux kernel's behavior was correct (presumably off-list because I can't find it in the archives), and they said it was a clear bug in OpenSSH, and Theo was smoking something as usual. This was probably Alan Cox. :)

All this was FIVE YEARS AGO, and OpenSSH still has this bug (only when running on Linux, not when running on OpenBSD), and Theo refuses to fix it because of his personal opinions about Linux.

Money trouble at OpenBSD

Posted Mar 24, 2006 17:16 UTC (Fri) by allesfresser (subscriber, #216) [Link]

So how difficult would it be to patch OpenSSH for Linux to behave properly? (In other words, just ignore Theo and make it work...)

Money trouble at OpenBSD

Posted Mar 25, 2006 4:02 UTC (Sat) by landley (subscriber, #6789) [Link]

There existed a patch back in 2001. (Somebody emailed it to me in
response to my LKML posts.) It had been submitted to the OpenBSD guys
already, and they categorically rejected it because they insisted Linux's
behavior was wrong, not theirs.

Rob

Money trouble at OpenBSD

Posted Mar 30, 2006 7:09 UTC (Thu) by djm (subscriber, #11651) [Link]

Sorry, but your statement of the history of this problem is completely untrue. I am an OpenSSH and OpenBSD developer who spent many hours trying to get to the bottom of this.

Your assertion that "Theo won't fix it because it is only Linux" is simply a lie and demeans those of us who try to make OpenSSH a quality product for all operating systems.

Your LKML link talks about a completely different issue (ssh TCP connection attempts vs SYN timeouts) that was fixed *years* ago. See the ConnectionAttempts and ConnectTimeout options in "man ssh_config".

You can see the history of the real hang on exit bug here: http://bugzilla.mindrot.org/show_bug.cgi?id=52

There have been several simple but incorrect patches proposed for this problem, all of which create other problems. We have *never* asked for Linux kernel behaviour to change, only for someone more knowledgeable about the interaction between ttys, grandchild processes and select() to assist us debug the problem.

Only recently has someone actually done this work (patch is in bugzilla above) - if it works out OK then it will probably be committed in the near future. However, very few people have actually stepped forward to test the patch.

Money trouble at OpenBSD

Posted Mar 23, 2006 12:48 UTC (Thu) by NAR (subscriber, #1313) [Link]

> Certainly some way could be found to keep OpenSSH going if OpenBSD were to come to an end.

Or rather break the monoculture and develop alternative solutions?

Bye, NAR

Monoculture?

Posted Mar 23, 2006 15:05 UTC (Thu) by GreyWizard (subscriber, #1026) [Link]

Perhaps some alternatives already exist.

Monoculture?

Posted Mar 23, 2006 21:28 UTC (Thu) by nlee (guest, #730) [Link]

I guess it's a guess of trust. Theo might be an ass at times, but everyone trusts him to make sure any problem is solved before it might even be seen as an issue.

Trust at a level that big firms can understand.

Ssh is one of the single most important tools on the internet to allow sysadmins to sleep at night. Alternatives exist, but they don't have the same level of trust.

In so far as that is true, a good monoculture is better than being forced to either pay for something you are unsure about or very be quite certain things are even close to 100%.

Monoculture?

Posted Mar 24, 2006 0:50 UTC (Fri) by finster (guest, #32338) [Link]

It would seem that many of us are very happy to trust OpenSSH and use it every day. As mentioned, it lets many a sysadmin sleep at night. Theo's lack of tact is easy to verify, but I figure my dollars go into supporting OpenBSD/OpenSSH. Maybe I should give my head a shake. As for Theo's statements that raise the ire of many, I choose to ignore them.

Monoculture?

Posted Mar 24, 2006 1:23 UTC (Fri) by bk (guest, #25617) [Link]

Perhaps I'm more thick-skinned than most (or more dense) but I've never interpreted Theo's comments as personal insults. I don't think he's ever written anything like "Linus Torvalds is an idiot and all Linux users are giant poopyheads", he states what are basically technical opinions in admittedly blunt (sometimes coarse) language.

I consider that to be honesty. Obviously he's no diplomat, but calling him an "ass" might be an overstatement. Of course I've never met him in person; perhaps he does come off that way face to face.

He is

Posted Mar 24, 2006 7:50 UTC (Fri) by man_ls (subscriber, #15091) [Link]

Hate to play Jimmy the Cricket, but remember this if you must. "Linux people do what they do because they hate Microsoft"?

Monoculture?

Posted Mar 25, 2006 4:38 UTC (Sat) by allesfresser (subscriber, #216) [Link]

As for personal insults, the cartoon I referred to was one of a Richard Stallman look-alike with gnu horns, acting as the Wizard of Oz, with flies buzzing around. It was the flies buzzing around that really made me angry--if you don't agree with Richard's words or actions then hey, go right ahead and say your piece, but there's no reason to make childish snipes like that.

Monoculture, not trust

Posted Mar 24, 2006 16:00 UTC (Fri) by GreyWizard (subscriber, #1026) [Link]

Monoculture, not trust, was the issue raised by the comment to which I first replied. Even those who find the character of the OpenSSH maintainers unassailable might wish for competing implementations because this facilitates experimentation and limits the damage a mistake in one implementation can do. I was pointing out that we already have alternatives, not recommending one over another.

Monoculture?

Posted Mar 24, 2006 15:12 UTC (Fri) by landley (subscriber, #6789) [Link]

Actually, I've used Dropbear instead of OpenSSH for years now. It's a fully functional replacement for both client and server, with no external dependencies. (Doesn't use openssl.)

Monoculture?

Posted Jun 22, 2006 17:45 UTC (Thu) by gvy (guest, #11981) [Link]

It has had issues too.

Money trouble at OpenBSD

Posted Mar 23, 2006 17:03 UTC (Thu) by clump (subscriber, #27801) [Link]

> Or rather break the monoculture and develop alternative solutions?
I think you have a great point. I'm sure just about all of us make use of OpenSSH, but it's not so great to have a single point of failure.

Monoculture already broken

Posted Mar 23, 2006 17:41 UTC (Thu) by jmorris42 (subscriber, #2203) [Link]

PUTTY has been ported. It runs and runs well so that goes some way to solving the client side. Being a gtk app means it isn't a total solution though, a character app using a xterm (gnometerm, kde terminal, rxvt, etc) is my preferred solution.

We would still need a different server component. Dropbear isn't quite enterprise ready after all.

Too bad about the DARPA contract

Posted Mar 24, 2006 1:32 UTC (Fri) by roskegg (subscriber, #105) [Link]

Seems to me the deficit started around the time DARPA yanked their contract.

Theo is being punished for his uncompromising stands, and his fearlessness in stating his views in public. Those government agencies that were giving him money now view him the way you view a dog that bites its master.

It doesn't matter to them that Theo always told them he would do what he pleased with the money, and wasn't beholden to them. By accepting it, he triggered their expectations of reciprocity, regardless of what disclaiming words came out of his mouth at the time.

I'm glad Theo took the money while it was available; I hope some large companies see how it is in their best interests to fund OpenBSD.

Wasabi systems is growing like gang-busters. Maybe Theo and Co. should set up something like that, and split their time between doing contracts, and hacking on their favorite OS.

I'm sure they already do this on an individual basis. In fact, I'm certain of it. But having some umbrella company or organization may help. Wasabi, chief controller of NetBSD, is growing. And growing. And growing. All under the radar.

Too bad about the DARPA contract

Posted Mar 30, 2006 9:01 UTC (Thu) by gowen (guest, #23914) [Link]

> By accepting it, he triggered their expectations of reciprocity
No, he triggered their expectations of basic politeness and human decency. If you take a man off the street and give him a hot meal you also don't expect reciprocity, but you don't expect him to tell you that your wife's ugly. And if he does, aren't you justified in not giving him dessert?

Too bad about...

Posted Jun 22, 2006 17:50 UTC (Thu) by gvy (guest, #11981) [Link]

> Wasabi systems is growing like gang-busters
Too bad they've also chosen to badmouth GPL and spread FUD along with sound technical information in the first place. Start like this doesn't necessarily promise long-time recognition...

Money trouble at OpenBSD

Posted Mar 24, 2006 21:19 UTC (Fri) by landley (subscriber, #6789) [Link]

Anybody else find the Mozilla Foundation's "so much money we're giving it
away" announcement an ironic juxtaposition with the OpenBSD money woes?

http://lwn.net/Articles/176706/

Or is it just me?

Failure to communicate

Posted Mar 27, 2006 0:19 UTC (Mon) by dormando (subscriber, #3997) [Link]

Most people miss the point, so I assume Theo could have worded it better.

OpenSSH is an "offshoot" of OpenBSD work. I don't think anyone bought OpenSSH initially?

I don't think anyone paid for PF.

I doubt some corporation funded OpenBGPD in specific.

Oh, and CARP too. There's also OpenCVS but it doesn't seem too popular.

Funding OpenBSD supports all of these endeavors, as well as new projects as they become necessary. Saying "I want my money to go into X" just ensures we won't be seeing anything new or interesting for a while. Part of that freedom thing... Understand this happens in this community too (Linus and GIT, Andrew and rsync/etc).

Donate to OpenBSD because you want OpenSSH to be better, and something else cool might come out of it too.

Failure to communicate

Posted Mar 27, 2006 13:52 UTC (Mon) by finster (guest, #32338) [Link]

Well said dormando.

Re: Failure to communicate

Posted Mar 27, 2006 21:40 UTC (Mon) by nevyn (subscriber, #33129) [Link]

That's pretty misleading, OpenSSH/portable is relevant to a lot of people running a lot of OSes. pf isn't. BGP software isn't.
If you want to fund "make cool software I can use on Linux" that's fine, but OpenBSD isn't the place to send your money.
If you want to fund portable/Linux-specific OpenSSH changes then OpenBSD isn't the place to send your money and frankly you'll probably be better off if Theo goes bankrupt.

Re: Failure to communicate

Posted Mar 27, 2006 21:57 UTC (Mon) by dormando (subscriber, #3997) [Link]

http://www.ucarp.org/project/ucarp
http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook...
http://www.netbsd.org/Documentation/network/pf.html

I don't suggest you donate to OpenBSD to get cool linux software, the world is bigger than that. Just as I wouldn't want to force Linus to do kernel work and never find the time/motivation to create Git, I wouldn't want to stifle others' works as well.

Another often poorly worded (and related) problem with OpenBSD is how they say "So go do it yourself" when posed with significant feature requests. If you want feature X and can pay for it, it's very efficient to commission someone in specific to create said feature and spend the time integrating it.

This is how OBSD got SMP support, and how linux gets a lot of its features. Companies contribute back because it's helpful to them in the long run, either financially (OSDL, etc) or via funded software contributions (IBM, etc).

Money trouble at OpenBSD

Posted Mar 30, 2006 13:37 UTC (Thu) by philips (guest, #937) [Link]

Also OpenBSD does not accept PayPal donations...

Money trouble at OpenBSD

Posted Mar 30, 2006 22:23 UTC (Thu) by djm (subscriber, #11651) [Link]

OpenBSD *does* accept PayPal donations and this is clearly listed on http://www.openbsd.org/donations.html

Copyright © 2006, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds