"Copyleft is less free than permissive licenses because permissive licenses allow you to make proprietary forks of free software" is a worldview that just straight-up makes no sense at all
The only BSD license apologia that made sense to me was #OpenBSD's attitude of, "We'd rather the corporations use our good code and not give back than come up with their own crappy solutions."
In that view, its a service to the community at large to help the security of commercial software.
Not saying I agree, really, but it has some logic, rather than complaining that the GPL is a one-way street (and somehow commercialism isn't).
#OpenBSD 7.5 seems likely to be released soon. I considered switching back. But I just don't feel like I could make it a "forever OS", because there are factors which could force me to use something else. Either I get a new computer and have unsupported hardware, or somebody makes me use some software that doesn't run on it.
#Silverblue seems a safer bet for both of these possibilities.
How OpenBSD is dealing with the xz problem (as seen on the OpenBSD.ports mailing list). This package is not in the base system (it is on my laptop, though):
"openssh does not directly use liblzma. However debian and several other
distributions patch openssh to support systemd notification, and libsystemd
does depend on lzma."
I feel like #OpenBSD isn't better than Linux for this kind of security problem. The base OS would probably stay safe. But most ports don't have pledge and unveil applied. And I doubt ports committers read everything they package. A malicious port will pwn your data even if the OS is safe.
Sharing some technical details about how I'm setting up the hosted email service. It will not be a service of BSD Cafe but tied to my own business. It will run entirely on BSD systems and on bare metal, NOT on "cloud" VPS. It will use FreeBSD jails or OpenBSD or NetBSD VMs (but on bhyve, on a leased server - I do not want user data to be stored on disks managed by others). The services (opensmtpd and rspamd, dovecot, redis, mysql, etc.) will run on separate jails/VMs, so compromising one service will NOT put the others at risk. Emails will be stored on encrypted ZFS datasets - so all emails are encrypted at rest - and only dovecot will have access to the mail datasets. I'm also considering the possibility of encrypting individual emails with the user's login password - but I still have to thoroughly test this. The setup will be fully redundant (double mx for SMTP, a domain for external IMAP access that will be managed through smart DNS - which will distribute the connections on the DNS side and, in case of a server down, will stop resolving its IP, sending all the connections to the other. Obviously, everything will be accessible in both ipv4 and ipv6 and in two different European countries, on two different providers. Synchronization will occur through dovecot's native sync (extremely stable and tested). All technical choices will be clearly explained - the goal of this service is to provide maximum transparency to users on how things will be handled.
Let me rephrase, is a huge pile of C code, running in privileged mode in a shared address space, highly concurrent, using its own homegrown memory model based on volatile instead of the one the language spec defines and the compilers implement, dealing with untrusted data, implementing many complex protocols, data formats, & functionality, managing a bunch of "objects" with complex ownership and lifetime semantics, embedding its own JIT — secure?
WHOA. That's what they're replacing iptables with? Madness.
Don't get me wrong, I love Linux, and have done so for over 20 years.
But tell me you're an over-engineered, scope-conquering (because creeping wasn't enough) madhouse exaproject without telling me you're an over-engineered, scope-conquering madhouse exaproject.
@stefano
It seems both #freebsd and #openbsd might have vulnerabilities in their NFS implementation according to the https://t2.fi/schedule/2024/
presentation from the guys from signedness.org. Just bringing this to your attention since you run public facing services. Now i'm patiently waiting till Apr 18 to learn more about it :)