Darwin's Theories - OpenBSD category

OpenMoko and Android

Tue, 21 Apr 2009 17:35:00 GMT

A few people have asked me at various times for a comparison of the OpenMoko and Android cell phone projects. Given that I advocate for the former, and also for Java which is (and is not) the base language of the latter, I am expected to be able to say something intelligible by way of comparison. So here goes.

Android is a project spearheaded by Google to make an open-source phone. It uses Linux and its own Dalvik virtual machine, and applications are written in Java against the Android API and compiled down to Dalvik bytecode. Android does not expose the rest of the Linux services and does not support other programming languages. Android phones are available from a few carriers.

Openmoko, funded by Openmoko.com, is at the other end of the spectrum: it also uses Linux, but exposes all of it to the developer. The "main" stack of phone apps has been re-written several times, using various X-based toolkits. The "official" OM2009 stack is in large part written in Python. C/C++, Java and Perl are all available. Openmoko phones are available from Openmoko.com. However, because it is all open source:

you can run Android on Openmoko hardware;
you could (people have) run Openmoko software on other devices, including Palm PDAs, other Linux phones, and software emulators;
you can probably run Openmoko software on Android hardware;
you can run QTopia on Openmoko hardware;
you can run one of half a dozen Linux distributions on your Openmoko hardware;
you can (eventually) run other OSes such as OpenBSD on Openmoko hardware;
etc.

From one point of view, they are not enemies. Both support the open source model. But as Openmoko developers have pointed out some time back, Android sits on top of Linux, abandoning most of the open source world and reinventing its own universe. Openmoko embraces all existing open source projects and any new open source comers. As a single example, communicating to your Openmoko phone from a desktop/laptop computer consists merly of running the industry-standard ssh and scp programs, included with every *Nix and readily available for those other OSes that need them. Talking to your Android phone requires finding, installing, and figuring out how to use an ad-hoc program called "adb" (at least the third use of this name, after Unix' Algol/Another DeBugger and Apple's Desktop Bus).

From another point of view, of course, they are competing. Competing for market share (neither has made much inroads in the consumer space). Competing for developer mindshare. Android tends to get a lot more press, partly because of the "big G" lineage.

People sometimes ask if I think Openmoko should just fold up and go on to something different, given how far ahead Android has moved? I've never been a fan of quitting while you're behind. Imagine if Linus Torvalds had quit while Unix was ahead; his then-little school project would never have seen the light of day, and we'd all be running BSD and System V. Nothing wrong with those - BSD was already on its way to becoming a full open source *Nix, as represented today by OpenBSD, FreeBSD and NetBSD - but things would be rather different in what is now the Linux community, to say the least. Or if Bill Gates had quit while IBM was ahead. Or if Steve Jobs had quit while MS-Windows was ahead. Or if the U.S. had quit the space race when the Russians launched Sputnik. You get the idea. Don't quit while you're behind, nor when you're ahead. As Nathaniel Branden once put it, "a beating heart is a living heart" - so keep on pumping!

And, at any rate, the "real" release of Openmoko software, OM.2009, is almost upon us; I am running a beta of it on my Freerunner (GTA02), and it's actually usable as a cell phone. Butt-ugly compared to some of the earlier releases, but it "just works". Formal release is expected this summer.

JavaFX: Late to the gate, but sweet

Sat, 27 Dec 2008 16:49:28 GMT

JavaFX is Sun's new Rich Client strategy for Java. If you haven't seen it yet, check out the demos on the JavaFX home page. Unlike Adobe Flash and unlike M$ Silverlight, this technology actually works on "minority" OSes - my OpenBSD laptop with Java 1.6.0 is officially way behind the requirements, but the demos mostly work in FireFox 3 (except you can't tear off the tear-off applet, that requires Update 10). Despite significant glitches on the web site - Sun should know better - on the day of the announcement (December 4, 2008), I'm impressed.

So much so that I've already added this JavaFX section to my Java Resources page.

Protecting Your Castle

Sun, 21 Dec 2008 16:35:00 GMT

SANS.org has a nice white paper showing how to protect your home network using OpenBSD and other free software. According to the abstract:

"It is possible to clean up the back yard with Free Open Source Software and a little design. Using off the shelf components and Open Source software the family geek can deploy a more multilayered security stance that will provide far more visibility and control over the network. This is not to say that large swaths of the Internet can be cleaned up just by plugging in a box, but to say that if anything should be a safe haven on the internet, it should be the family network, the backyard. It makes sense to clean up the backyard before taking on the world’s trash."

Presumably the same techniques would apply to the average small business. Check it out at http://www.sans.org/reading_room/whitepapers/firewalls/32933.php [PDF].

P.S. According to Bartleby, the quotation in my subtitle, while commonly attributed to William Pitt, comes to us in its present wording from a précis done by Lord Henry Peter Brougham some sixty years later.

Less Is More: OpenBSD on the Acer Aspire One

Sun, 19 Oct 2008 19:23:00 GMT

My writeup of the new Acer Aspire One is up on www.undeadly.org.

"We are certainly entering an era of "small is beautiful", at least when it comes to sub-notebooks. Numerous manufacturers are producing these now, as witness this comparison. The Asus EeePC (some models), the Acer Aspire One reviewed here, and the rumoured Lenovo U8 all use the Intel Atom CPU, which is "dual threaded". This looks like a dual-core, and runs GENERIC.MP. Although it's not as powerful as a dual-core, it's close enough that it's faster than many a few-years-old full size laptop. I've been using the Acer for a few weeks, including on a trans-atlantic flight, after several years with a much-heavier full-size industrial-strength notebook...."

Read the full story here.

Linus Just Doesn't Get It

Wed, 16 Jul 2008 17:54:00 GMT

Linux founder Linus Torvalds makes an amazing claim about Linux security (or not) on gmane.kernel.org (I'm not even gonna help pagerank that article by linking to it; search the newsgroup name and the date 2008-07-08). Speaking about security fixes, he says:

... It makes "heroes" out of security people, as if the people who [just]
fix normal bugs aren't as important.

In fact, all the boring normal bugs are _way_ more important, just
because there's a lot more of them. I don't think some spectacular
security hole should be glorified or cared about as being any
more "special" than a random spectacular crash due to bad locking.

Security people are often the black-and-white kind of people that I
can't stand. I think the OpenBSD crowd is a bunch of masturbating
monkeys, in that they make such a big deal about concentrating
on security to the point where they pretty much admit that nothing
else matters to them.

Normal bugs are "way more important" than security to Linus, the guy in charge of Linux? I'm sure gonna think twice before running Linux on anything connected to the Internet. If he'd actually read the OpenBSD security policy document, or any of our presentations at conferences over the years, rather than just calling silly names, he'd know that OpenBSD works on ordinary bugs as a way of preventing security bugs. But I guess it's easier to sit at home pulling on your tool chain and calling people names, than to actually acquaint yourself with the facts. Well done, Linus. Next time I won't even bother recommending Linux as a second choice after OpenBSD.

P.S. As if to prove the point, the next day, security mailing lists were full of this:

Wei Wang discovered that the ASN.1 decoding routines in CIFS and
SNMP NAT did not correctly handle certain length values. Remote
attackers could exploit this to execute arbitrary code or crash
the system. (CVE-2008-1673)

So they have CIFS and SNMP in the Linux kernel, and they haven't checked for overflows? 'Nuff said!

P.P.S: Apparently not enough said! It seems that the esteemed Mr. Torvalds is also implicated in a massive coverup of security bugs (aka attempted "security through obscurity").