Some unexpected news from the OpenBSD Journal: "The OpenBSD Foundation is happy to announce that Microsoft has made a significant financial donation to the Foundation. This donation is in recognition of the role of the Foundation in supporting the OpenSSH project. This donation makes Microsoft the first Gold level contributor in the OpenBSD Foundation's 2015 fundraising campaign."
[Editor Update] Techrights has a different take on the reasons behind the funding, speculating that:
Windows is known for gaping holes [...] i.e. the very opposite of OpenBSD. For these two entities to work together (NSA resistor and the NSA's number one partner) is to have an incompatible relationship. Nothing on top of Windows can be secured and as we pointed out in our past articles about this, SSH keys will be put at risk. Microsoft's 'help' to OpenBSD reminds us of Microsoft's 'help' to Novell, where the goal was to use Novell to promote Windows, even inside Linux (e.g. Hyper-V).
It's not a payment intended to help OpenSSH development. Microsoft looks to get its money's worth (shareholders' money). So it's about putting secure Free software on an insecure proprietary software platform (with back doors), in order to promote and increase its use.
(Score: 5, Informative) by NCommander on Friday July 10 2015, @06:30AM
My biggest problem with OpenBSD, and why I won't use it in an actual server environment, is that it lacks mandatory access controls like AppArmor or SELinux; OpenBSD specifically rejects it, saying it's no substitute. The thing is, any codebase of a large size is going to have holes, and OpenBSD's security record *only* applies to the base system; once you install anything from ports, all bets are off. We use AppArmor to secure the Apache instances running the site, which made running Apache 1.3 more tolerable until we completed the partial rewrite required to upgrade.
I'm truly grateful to the OpenBSD project for providing things like Portable OpenSSH and LibreSSL, as well as pioneering the concept of open VCS access (which is where the Open part of OpenBSD gets its name from), but the fact is that I find most of their claims towards security to ring hollow if you try and do anything that isn't part of the preinstalled system. Nothing is going to stop a remote code exploit in $COMMON_SERVER_PACKAGE from wrecking your day. Microsoft donating to the project will likely help boost the LibreSSL project and get it to the point that it will start replacing OpenSSL in some distros, as well as lead to probably another Open* project.
Still always moving
(Score: 3, Informative) by Dr Spin on Friday July 10 2015, @08:47AM
Apache IS part of the base installation of OpenBSD, and runs in a jail (sandbox). So does Bind.
Other server apps can easily do so, if you want them to.
Warning: Opening your mouth may invalidate your brain!
(Score: 2, Informative) by Anonymous Coward on Friday July 10 2015, @11:00AM
Apache has been removed from base in 5.6 in favor of nginx, which is removed in favour of in-house-developed httpd.
(Score: 2) by NCommander on Friday July 10 2015, @03:53PM
Apache was from the 1.3 branch, then replaced with nginx and then again replaced with a homebrew httpd. I did forget OpenBSD shipped with bind, but on the flip side, it also ships with sendmail (for which a misconfiguration is as good as a security exploit, and sendmail.cf was never friendly).
Still always moving