OPNsense Forum

English Forums => General Discussion => Topic started by: yonas on June 02, 2016, 04:30:09 am

Title: Reasons why I'm choosing OPNsense over pfSense
Post by: yonas on June 02, 2016, 04:30:09 am
Don't start a flame war  ;D

After reading the interesting pfSense roadmap (https://blog.pfsense.org/?p=1588) by Jim Thompson, I was surprised by two things.

First and foremost, LibreSSL will probably never be accepted into pfSense:

"Finally, since I mentioned OpenSSL, let me say this:  Other projects may explore alternative implementations of OpenSSL (e.g. LibreSSL), but pfSense is unlikely to do this for three reasons:

1) OpenSSL had its issues, but a good, long-time (> 30 year) friend named Rich Salz is now leading the development there.  I’ve known Rich since 1985, and I trust his leadership of the OpenSSL project.

2) Intel is focused on OpenSSL, as is the Linux Foundation, and their funding.  There will be more test path coverage and more performance work in OpenSSL than any other implementation.

3) I don’t like the attitude of the people behind the LibreSSL project.  Talking smack about the project you forked from is bad form. I’ll say no more than to quote Frank Zappa on the subject."

The arguments are very weak. Points 1 and 3 are extremely subjective and openly biased, and all points ignore the fact that LibreSSL has already proven to be more secure than OpenSSL, having had fewer vulnerabilities since its release (https://en.wikipedia.org/wiki/LibreSSL#Security_and_vulnerabilities).

Secondly, the first, and likely most important, reason for switching from PHP to Python for pfSense 3.0 was simply "Personally, I have no time for PHP..."

...This is not a very in-depth analysis of why Python is the most appropriate language for pfSense. I can imagine many people would argue to use Go, or Node, or something else.

Considering that PHP is much more widely used than Python, using a less popular language becomes a barrier to entry for developers. Hence, such decisions shouldn't be made so carelessly.

OPNsense has already incorporated LibreSSL and security hardening features from HardenedBSD. That's very proactive.
Title: Re: Reasons why I'm choosing OPNsense over pfSense
Post by: franco on June 04, 2016, 04:24:47 pm
Hi Yonas,

Thanks, still a long way to go for this project, but some of the goals we've set have been achieved and proven to work reliably. I wasn't sure how well e.g. LibreSSL would work as an alternative, but FreeBSD and their package manager did a great job in making this seamless and easy. I prefer it on my own installs, did not have any problems in a long time.

As far as the roadmap for 3.0 goes, well, we did not think 3.0 would be here anytime soon. We now have a substantial rework that is 2.3 and the new 2.4 is already queued up. There is no Python rework in sight. Whether or not we as OPNsense had anything to do with that shift in priority is for others to decide.

I just personally think that a project that existed for over 10 years (not even counting m0n0wall before) on top of PHP will (ever so naturally) lack the agility to rebuild everything in Python while continuing to support the old versions and keeping them as sharp as possible. The Python rework alone would take a few years to accomplish, so there ought to be a partial migration strategy in place eventually.

DPDK, as another point, seemed like a good choice, but was later abandoned in favour of Netmap, which still has problems that we see even now that Suricata 3.0 offers native bindings. I would have hoped to see more in this domain up until now from over the electric fence, but then again such things take a lot of time, and then even more time. :)

From OPNsense 15.1 to what is going to be 16.7, we're about 50% done with the reworks we've set out to do, only now getting to the core of the system: filter adjustments in order to allow more flexible NAT setups and make a step away from "same same but different".

And I say 50%, which takes us into 2018, where we could potentially achieve full privilege separation, PHP running as non-root, removing the bulk of the static PHP pages in favour of the MVC framework and offering flexible data models for easy extension throughout the system, making plugins more powerful than ever.

But first, let's focus on 16.7. ;)


Cheers,
Franco
Title: Re: Reasons why I'm choosing OPNsense over pfSense
Post by: yonas on June 06, 2016, 12:36:03 pm
Awesome, thanks Franco!
Title: Re: Reasons why I'm choosing OPNsense over pfSense
Post by: franco on June 11, 2016, 09:43:00 am
It looks like Jim Thompson, the infamous owner of Netgate, supporter of FreeBSD and lone ranger of the pfSense trademark doesn't appreciate a second opinion on his matters.

His expert view on this boils down to I should overdose on drugs.

https://twitter.com/gonzopancho/status/739993290963984384

I don't like to say it, but FreeBSD really has a nasty attitude and bullying problem they are eventually going to have to face with such a high profile, high quality sponsor. ;)
Title: Re: Reasons why I'm choosing OPNsense over pfSense
Post by: franco on June 11, 2016, 09:44:47 am
The rationale for any type of development ought to be:

Under-promise, over-deliver. And if you can't make it, don't be a dick about it and just say you're not going to make it. Everybody knows anyway.
Title: Re: Reasons why I'm choosing OPNsense over pfSense
Post by: yonas on June 11, 2016, 12:07:02 pm
Hey Franco, I'm sorry you had to go through that. I just spent the last two hours going through all the tweets by the troll known as "htilonom". Reading his Twitter history, it looks like he has a long history of trolling others as well. I wish I could have simply said "ignore him, don't feed the trolls", but Jim Thompson joined in the absolutely disrespectful and unprofessional bashing. I'm much more disappointed by Jim's behaviour than a random troll on the Internet. IMHO, leaders in the open source community should be an example to look up to, not only in computer coding, but especially in human interactions. I have hope that he will stop this line of bashing, and apologize for his disrespectful behaviour.

Regarding Wikipedia, I went through all of the back-and-forth edit wars. We have to commit an effort to get the Wikipedia pages and references back up by working with the Wikipedia editors, starting with https://en.wikipedia.org/wiki/List_of_router_and_firewall_distributions . We should also mention OPNsense as a fork of pfSense on https://en.wikipedia.org/wiki/PfSense . I don't think we need to mention OPNsense on the m0n0wall page, since OPNsense has much more in common with pfSense.

Regarding the supposed copyright infringement

https://github.com/opnsense/core/commit/ed6c71d6a31b64a220d4bf89ba9bd83478011073

You clearly left the author's name, email, and copyright year intact.

Removing "part of pfSense by Scott Ullrich" and "originally based on m0n0wall (http://neon1.net/m0n0wall)" is OK because you still explicitly give copyright credit to Scott Ullrich and Manuel Kasper. You also left out any mention of OPNsense, so representation is more uniform.

More generally, no one should be angry that OPNsense forked pfSense. That's how open source works. In particular, the BSD community is a big proponent of using BSD-licensed software for any purpose, whether commercial or personal, competitive or benign. We work together - not against each other. Some people like to pit two software projects against each other, as though they were enemies - FreeBSD vs. Linux, Microsoft vs. Apple, MySQL vs. MariaDB, etc., etc. When you talk to the FreeBSD Foundation, Bill Gates, and Steve Jobs, they will be the first to tell you that we actively share new ideas with each other, including code whenever possible.

By cooperatively working together, OPNsense and pfSense can dramatically improve the quality of firewall software for everyone, and raise the bar for FreeBSD-based firewall solutions.
Title: Re: Reasons why I'm choosing OPNsense over pfSense
Post by: packet loss on June 12, 2016, 05:12:40 am
A few months back I was curious as to what Manuel Kasper thought about the whole copyright issue that a few trolls have been complaining about. Below is an email conversation I had with Manuel a few months back:


Quote
Hello Manuel Kasper,

OPNsense has been targeted by harsh individuals for leaving out what they believe is part of the copyright notice from m0n0wall and pfSense. The question I would like answered, if you have the time, is whether or not the bold text below is part of m0n0wall's copyright notice:

part of m0n0wall (http://m0n0.ch/wall)

Copyright (C) 2003-2006 Manuel Kasper mk@neon1.net.
All rights reserved.

OPNsense has included:

Copyright (C) 2003-2006 Manuel Kasper mk@neon1.net.
All rights reserved.

But not:

part of m0n0wall (http://m0n0.ch/wall)

Was "part of m0n0wall (https://m0n0.ch/wall)" intended to be part of the copyright notice? Your answer may clarify some issues OPNsense is facing. Thank you for your time and thank you for the time you spent working on m0n0wall. I used it for several years.

Shane
azdps


I removed my email from the quote above since I don't want my email to be spammed. Here is Manuel's email response to my copyright question:


Quote
On Sunday, April 3, 2016, Manuel Kasper <mk@neon1.net> wrote:
Hello Shane,

I've never really thought about it, but I guess if one had to make an objective judgment, the blank line between "part of m0n0wall" and the "Copyright (C) ..." would suggest that the copyright notice (whose reproduction is required by the license, "[..] must retain the above copyright notice [..]") starts at the word "Copyright". So the "part of m0n0wall" would not be part of the copyright notice.

I hope that people on both sides of this silly little war will come to their senses (pun intended) soon, and focus their time and energy on improving their relative projects instead.

Best Regards,

Manuel

As far as Manuel Kasper is concerned, his copyright notice is still intact in OPNsense. I'll have to agree as well.

I also agree with you, yonas, regarding Jim Thompson's behavior.

Quote
I'm much more disappointed by Jim's behaviour than a random troll on the Internet. IMHO, leaders in the open source community should be an example to look up to, not only in computer coding, but especially in human interactions. I have hope that he will stop this line of bashing, and apologize for his disrespectful behaviour.

I wasn't aware that Jim Thompson was the owner of Netgate. I always thought he was a pfSense developer. Based on his childish rants on Twitter, I seriously would never consider purchasing Netgate hardware. I'm not trying to be biased, but someone who has exhibited so much immature and unprofessional behavior isn't someone I would want to do business with.

I think the email from Manuel Kasper pretty much clarifies the copyright issue though. Initially I wasn't quite sure myself, but he definitely made his stance on the issue clear. As far as I'm concerned this issue is resolved and the trolls have no ground to stand on.
Title: Re: Reasons why I'm choosing OPNsense over pfSense
Post by: yonas on June 12, 2016, 05:17:48 am
Thanks azdps, that helps put the nail in the coffin.
Title: Re: Reasons why I'm choosing OPNsense over pfSense
Post by: franco on June 14, 2016, 08:55:07 am
It's really not about anyone going through anything anymore. Couldn't give more of a damn about it. It's about how pfSense and now more and more FreeBSD wants to represent itself. I do think that shoving away contributors and innovation (on multiple documented accounts, really not just us) is a bad sign. We've taken this to several "authorities" and it's always being brushed off as "you brought this on yourself, you should be better than that".

However, no moderated talks have taken place, with pfSense having labeled us "liars and cheaters" from the beginning and there's no way on earth they are going to change that. That's ok, but it shouldn't also affect the way we do *our* communication and work, but we see a lot of effort spent on pulling Wikipedia entries, trolling Twitter, Reddit, even on other mailing lists and within FreeBSD itself. Oh, and that anonymous mock website that's trying to gain page rank. ;)

But others will have to fix this now, there's nothing we can do other than letting people know that this is happening. I have thought long and hard about what we can do or what we did wrong, but now more than ever I see this is a larger problem we've no chance of addressing, because it lies elsewhere entirely.

Happy fixing to everyone who will still have to deal with this on a daily basis. At least for me this is just a thing that pops up every few weeks when we do something exceptionally well. I'm totally happy with that. :)