General Discussion / Reasons why I'm choosing OPNsense over pfSense
« on: June 02, 2016, 04:30:09 am »
Don't start a flame war
After reading the interesting pfSense roadmap by Jim Thompson, I was surprised by two things.
First and foremost, LibreSSL will probably never be accepted into pfSense:
"Finally, since I mentioned OpenSSL, let me say this: Other projects may explore alternative implementations of OpenSSL (e.g. LibreSSL), but pfSense is unlikely to do this for three reasons:
1) OpenSSL had its issues, but a good, long-time (> 30 year) friend named Rich Salz is now leading the development there. I’ve known Rich since 1985, and I trust his leadership of the OpenSSL project.
2) Intel is focused on OpenSSL, as is the Linux Foundation, and their funding. There will be more test path coverage and more performance work in OpenSSL than any other implementation.
3) I don’t like the attitude of the people behind the LibreSSL project. Talking smack about the project you forked from is bad form. I’ll say no more than to quote Frank Zappa on the subject."
The arguments are very weak. Points 1 and 3 are extremely subjective and openly biased, and all points ignore the fact that LibreSSL has already proven to be more secure than OpenSSL, having fewer vulnerabilities since its release.
Secondly, the first, and likely most important, reason for switching from PHP to Python for pfSense 3.0 was simply "Personally, I have no time for PHP..."
....This is not a very in-depth analysis of why Python is the most appropriate language for pfSense. I can imagine many people would argue to use Go, or Node, or something else.
Considering that PHP is much more widely used than Python, using a less popular language becomes a barrier to entry for developers. Hence, making such decisions shouldn't be done so carelessly.
OPNsense has already incorporated LibreSSL and security hardening features from HardenedBSD. That's very proactive.