[GTALUG] interesting article on FreeBSD kernel almost getting dangerous code

Lennart Sorensen lsorense at csclub.uwaterloo.ca
Mon Mar 29 14:08:35 EDT 2021


On Sun, Mar 28, 2021 at 02:47:46PM -0400, D. Hugh Redelmeier via talk wrote:
> <https://arstechnica.com/gadgets/2021/03/buffer-overruns-license-violations-and-bad-code-freebsd-13s-close-call/>
> 
> Summary: a WireGuard port to FreeBSD was sponsored by Northgate (pfSense 
> company).  The port was of poor quality and dangerously so.  Nobody caught 
> it until after pfSense was released with it, and just before FreeBSD 
> released it.  The messenger was tortured, but not shot.
> 
> Bonus: the guy who ported the code was a felon / bad landlord.
> 
> Lesson: open source software does not get enough quality control.  
> Especially code that might affect security.  Some Linux distros attempt QC 
> (e.g. RedHat) but I'm sure it is inadequate.

I think a more correct lesson is: FreeBSD has so few people involved
(and their processes for committing don't require review) that things don't
get checked in many cases.  I certainly don't get the impression that
there is much activity or use going on with any of the BSDs anymore
(and in my opinion, having used them, rightfully so).

Certainly the Linux kernel has stuff reviewed by multiple people, in
public, and has to go through multiple people before being accepted in.
Things can still go wrong, but I don't think anything like what FreeBSD
experienced here would be possible.

-- 
Len Sorensen
