Old 11-08-2017, 05:17 AM   #16
jggimi

Quote:
Originally Posted by rufwoof
Is it OK to use the base system's fvwm (2.2.5), which is so old it isn't even supported by the developers anymore?
Break/fix for all content in the base OS is supported by the OpenBSD Project members, via their bugs@ mailing list.
Quote:
I know I could install the more recent package based version (2.6.5)...
The port is supported by its individual maintainer. This is support of the port of the application. It is not support of the application itself, which is via http://fvwm.org/support/.
Quote:
My thinking is that the base system fvwm is audited as part of the general security auditing...
True, but the audit is generally conducted by humans, and only sometimes augmented with software studies.
Quote:
... (which is more intensive than for packages)...
No, the applications in the ports tree are not audited at all. The ports (the instructions for building the applications on OpenBSD) are reviewed and two developers must approve any commits to the tree - new ports, revisions, updates, or removals.
Quote:
and it may have even been changed in 5.9 for better security (changelog suggests fvwm/fvwm-pager were changed to use pledge (which restricts system operations))
Indeed, the pledge(2) syscall restriction has been applied to the fvwm application in the base OS.
Code:
$ find /usr/xenocara/app/fvwm -type f -exec grep pledge {} +
/usr/xenocara/app/fvwm/fvwm/fvwm.c:  if (pledge("stdio rpath proc exec", NULL) == -1)
/usr/xenocara/app/fvwm/fvwm/fvwm.c:       err(1, "pledge");
/usr/xenocara/app/fvwm/modules/FvwmPager/FvwmPager.c:  if (pledge("stdio", NULL) == -1)
/usr/xenocara/app/fvwm/modules/FvwmPager/FvwmPager.c:    err(1, "pledge");
$
Quote:
... but then again that might have been for the package based (later) version of fvwm).
No. The port has not been pledged.
Code:
$ find /usr/ports/x11/fvwm2 -type f -exec grep pledge {} + 
$
I have run the same find(1) against the port's extracted $WRKSRC; the application does not have pledge() syscall restrictions.
Quote:
My understanding is that the fvwm developers changed the licensing such that later versions after 2.2.5 won't be incorporated into OpenBSD base system...
The port's license description in /usr/ports/x11/fvwm2/Makefile states:
Code:
# GPL/BSD-like (badly worded)
Quote:
... but if sticking with the older version were a security issue I would have thought it would have been pulled out altogether, and that if it's still in the base system then it's OK to use.
This is the general rule. Old software that is not maintained or is no longer maintainable is removed. There is a long history of removing cruft.

Last edited by jggimi; 11-08-2017 at 05:23 AM. Reason: typo
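
The find/grep check in post #16 can be taken one step further by extracting the promise string from each pledge() call, so two source trees can be compared side by side. This is an added example, not part of any post in the thread; the function names are its own, and it only recognises calls with a literal promise string in .c files.

```shell
#!/bin/sh
# Added example: list the pledge(2) promise strings found under source trees.
# pledge_promises and pledge_summary are names chosen for this example.

# Print "file:line: promises" for every pledge("...") call with a literal
# promise string in the .c files under $1. Calls that pass the promises in
# a variable are not detected.
pledge_promises() {
    # /dev/null forces grep to print the file name even for a single file.
    # grep exits non-zero when nothing matches; that is not an error here.
    { find "$1" -type f -name '*.c' \
        -exec grep -n 'pledge *("' /dev/null {} + || true; } |
    sed -n 's/^\([^:]*\):\([0-9]*\):.*pledge *("\([^"]*\)".*$/\1:\2: \3/p'
}

# Summarise one tree: "pledged" with the number of calls, or "not pledged".
pledge_summary() {
    count=$(pledge_promises "$1" | wc -l | tr -d ' ')
    if [ "$count" -gt 0 ]; then
        echo "pledged ($count call(s))"
    else
        echo "not pledged"
    fi
}

# When run with arguments, report on each tree given on the command line.
if [ "$#" -gt 0 ]; then
    for tree in "$@"; do
        echo "== $tree: $(pledge_summary "$tree")"
        pledge_promises "$tree"
    done
fi
```

Pass the trees to compare as arguments, for example the base source directory and a port's extracted $WRKSRC. A tree reported as "not pledged" has no literal pledge() call in its .c files.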
 
Old 11-08-2017, 05:28 AM   #17
anisoptera
fvwm versions newer than the version in OpenBSD's base system are GPL licensed and there is a policy of not adding any new GPL code to the base. It's a similar situation to the more recent case of sudo (except sudo was removed completely and the licence of sudo itself didn't change, but it now depends on some GPL'd code).

jggimi, As I understand it fvwm in OpenBSD is technically a "fork"? I don't have access to an OpenBSD box right now, so can't easily check documentation/man pages, etc.
 
Old 11-08-2017, 05:48 AM   #18
jggimi
Quote:
Originally Posted by anisoptera
fvwm versions newer than the version in OpenBSD's base system are GPL licensed and there is a policy of not adding any new GPL code to the base. It's a similar situation to the more recent case of sudo (except sudo was removed completely and the licence of sudo itself didn't change, but it now depends on some GPL'd code).

jggimi, As I understand it fvwm in OpenBSD is technically a "fork"? I don't have access to an OpenBSD box right now, so can't easily check documentation/man pages, etc.
Per www.openbsd.org/goals.html, GPL licensing is not acceptable for new modules. But per my interpretation of the port maintainer's interpretation, the licensing of the ported version of the application isn't GPL, it is some sort of GPL/BSD mash-up.

This doesn't appear to be a fork to me. A look at the cvs(1) log of the README, AUTHORS, and COPYING files for the in-base fvwm application shows no changes since the application's initial import into the Xenocara packaging of X.Org at OpenBSD 4.2. Anyone who wants to dig further back in history can search the historical x11 and xf4 cvs() repositories.

Last edited by jggimi; 11-08-2017 at 06:04 AM. Reason: separate the fork discussion into its own paragraph for clarity, repaired two typpos
 
  

