Why would anyone find it embarrassing that OpenBSD is not RedHat? They don't have the staff or the funding to curate an operating system and all the ports. Rather than do a poor job maintaining a large code base they prefer to do the best job they can on the core OS. What's embarrassing about that?
Nobody is suggesting OpenBSD not being RedHat should be embarrassing.
However, it is not ideal to have a security-focused OS not directly provide binpatches for the base system and core libraries like libressl. Trusting OpenBSD.org is one thing, but trusting additional entities like mtier, etc. just to get security updates without having to compile is another.
FWIW, I think we should feel embarrassed about not giving more funding & time to OpenBSD given everything they already do for us.
The traditional means of patching is recompiling from source. That is the ONLY officially supported method.
This is just another convenient option. I fail to see the problem here.
If you want supported first-party binary security patches you should be using a project that provides that, such as FreeBSD, or just about any Linux distro that is not Gentoo.
I think there would be no problem with OpenBSD supporting an automated build-and-recompile tool, that would be perfectly fine and would stop people like me bitching about updates. Yeah yeah "it's trivial for you to write etc etc" but that's not the point: it's like saying that developing a text editor is simple so we shouldn't provide vi. This sort of thing is better designed and implemented by people who know the OS inside out, not by users.
For what it is worth the project does provide regular binary updates for both the base system and ports for -current (snapshots). If I were to guess, I would guess that one of the reasons that the project does not provide binary updates for -stable is because they are busy providing binary builds for -current. Since all the devs run -current, you can see which one they choose to invest their limited resources in.
Following current is pretty simple if you're happy to track snapshots, which are updated regularly (usually every week). If you're worried about stability, remember that -current turns into -stable twice a year, so current is pretty stable, and any issues that do crop up get fixed very quickly, because they impact the developers.
The problem is that the OpenBSD team doesn't want to write and maintain a tool like that, and they also don't want to utilize their sparse resources hosting the necessary package build infrastructure for all of the architectures they support. They are volunteers, so it really is up to them to work on whatever they want to work on.
Additionally, the amount of security patches we're talking about here is so small that just updating from source code really isn't that big of a deal for most people.
> it really is up to them to work on whatever they want to work on.
Sure, and it really is up to me to keep bitching :)
Besides, the contradiction here is that they are not all volunteers: M:Tier employs some of them exactly to do that job. So, they don't want to do it, but they'll do it if the price is right? Why can't this pricing be done transparently through OpenBSD, rather than some obscure third-party company?
If the problem is funding, why can't they do like RedHat or Oracle, who ask for money to provide automated updates? Oh yeah they do, but through m:tier for some sort of reason (tax? street rep? We can but speculate).
> just updating from source code really isn't that big of a deal for most people.
It's enough to keep the m:tier service running and people like me bitching, so clearly for a lot of people it is. It's enough that every other linux distro out there does it. Denying it over and over won't change that.
> Besides, the contradiction here is that they are not all volunteers: M:Tier employs some of them exactly to do that job. So, they don't want to do it, but they'll do it if the price is right? Why can't this pricing be done transparently through OpenBSD, rather than some obscure third-party company?
So you're begrudging some of the OpenBSD developers for having a day job? That is completely absurd. How are they supposed to feed themselves and their families?
Several of FreeBSD's core developers work for Apple. Red Hat employs a large chunk of the GNU and Linux ecosystems. Red Hat actually does something very similar to what M:Tier does.
M:Tier is really just another example of a company that is providing value added support over the offerings of a freely available open source project. They are even generous enough to provide their openup script under an open source license and binary updates free of charge for the most recent version of OpenBSD. I think that is a pretty good deal for everyone involved.
> So you're begrudging some of the OpenBSD developers for having a day job?
Au contraire, I begrudge why they have to do their OpenBSD-related day-job, working on what is basically an essential part of any modern OS (update distribution infrastructure), outside of the official project and with no official endorsement. It devalues them, it devalues the project and only invites speculation on the motives of such arrangements.
> Several of FreeBSD's core developers work for Apple.
Do I have to pay an Apple subscription to get automatic FreeBSD updates? No.
> Red Hat employs a large chunk of the GNU and Linux ecosystems
Sure, and I do have to pay to get automated updates from them, but at least I know they are official. M:tier packages are not official but sort-of wink-wink-nudge-nudge. For a project living and dying on trust, it's a poor show.
> M:Tier is really just another example of a company that is providing value added support
Sure, but my point is that OpenBSD is a pretty isolated example of a project that actively refuses to provide what any comparable project provides, with very flimsy excuses. This leaves the space open for m:tier to make a buck that really belongs to the OpenBSD project. IMHO the project (which is otherwise extremely fond of reminding us that they are short of money) gets shortchanged here, even if some individuals might not be.
> Sure, and I do have to pay to get automated updates from them, but at least I know they are official. M:tier packages are not official but sort-of wink-wink-nudge-nudge. For a project living and dying on trust, it's a poor show.
Well that is because the official and ONLY supported way to patch an OpenBSD system is to compile from source. Like pretty much all of OpenBSD's documentation, the instructions to do so are very clear.
M:Tier provides a service that is merely a convenience. It is not essential and I would suspect that only a small fraction of OpenBSD users even make use of their openup script and binary package updates at all.
I suspect you are being purposely obtuse and cannot understand that the way in which your favorite $OS is not the only right way to do things.
The OpenBSD project has no obligation to provide binary updates. They provide source code patches and clear instructions of how to apply them. This is actually better for security because you can actually see what is being changed by the patch if you know a little bit about programming.
> I suspect you are being purposely obtuse and cannot understand that the way in which your favorite $OS is not the only right way to do things.
The OpenBSD project actively refuses to provide a service that pretty much any other OS project provides, so that a commercial entity can make a buck, and I am the one being purposely obtuse?
> only a small fraction of OpenBSD users even make use of their openup script
Until it relies on m:tier servers, of course. Why would I have to trust an unrelated company to update a security-conscious OS?
> This is actually better for security
This is actually worse for security because it relies on sysadmins being human robots that constantly check errata, or being faultless programmers who will never botch a hacked-together-enough-that-works custom script to get errata and apply patches. But hey, don't take it from me, hear it from m:tier themselves: "Keeping your installed OpenBSD packages up to date is hard and time-consuming. Nobody wants to read the mailing lists to spot security fixes and/or updates never mind wanting to build new packages from their ports tree and manually install them on each of their servers and/or desktops."
We are not talking about the same thing. I am not arguing they should be more responsible for third-party codebases, this is not an issue of ports vs base. This is far more an issue of infrastructure, of source vs binary. Simply offering binpatches for their core OS would still be a huge step forward.
