I stumbled into a fascinating question the other day while looking at an identity management implementation that requires near-total reliability and enormous resilience against external network attack, but not a lot of capacity. Here's the background.
The software selected is all open source, so it can run on just about anything and the "platform" choices, so far at least, seem to have come down to two:
- Solaris 10 on SPARC III, probably in a Sun 280; and,
- openBSD on PPC, probably in an X-serve with dual G5s.
The reason for using older hardware is simple paranoia: there's been enough experience with these parts that there's little remaining risk of exploitable hardware problems suddenly cropping up. The reason for choosing these specific options is almost equally simple: x86 is automatically ruled out for secure applications, and neither HP-UX on Itanium nor Linux on Power5 is a viable contender - dead and too expensive in the long term, respectively.
As a result the RISC chip choices come down to SPARC and PPC, and these are the appropriately sized boxes for those two OSes.
Note, however, three things:
- first, the big attraction offered by openBSD is that it ships, and installs, closed - meaning that system integrity will be protected from whoever installs later upgrades, because that person is going to be forced to review exactly which services are really needed and then intervene manually after the installation to make those services, and only those, available.
- secondly, openBSD does run on SPARC64, but there's bad blood between Sun and the BSD community arising from a memory management problem on the pre-200 MHz UltraSPARC II. While I think any risks associated with this are imaginary, I don't know it; and so I'm simply not going to put these two together in an obvious target environment.
- and thirdly, the next generation of AMD x86 gear now seems likely to complete the integration of RISC-like exploit protection in the hardware - so going with the dead-ended PowerMac architecture now is unlikely to become a downstream issue, because the successor technology is clearly on the way and clearly within the openBSD support envelope.
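The post-install review described in the first point above comes down to one check: compare what is actually listening against the short list of services the operator decided are really needed. The POSIX shell function below is an added example, not code from the original post or from the OpenBSD project; it assumes BSD-style `netstat -an` output (local address written as `host.port`) and uses a constructed sample rather than output captured from a real host.

```shell
#!/bin/sh
# Added example (not from the original post): audit listening TCP sockets
# against an explicit allowlist of ports, which is the manual review the
# post describes after a closed-by-default install.
#
# Assumption: input lines look like BSD "netstat -an" output, i.e.
#   proto recv-q send-q local-address foreign-address state
# with the local address in "host.port" form (port after the last dot).

# Ports the operator has decided are really needed (ssh, ldap, ldaps).
ALLOWED_PORTS="22 389 636"

# Constructed sample of netstat -an output; not captured from a real machine.
SAMPLE_NETSTAT='tcp  0  0  *.22            *.*              LISTEN
tcp  0  0  *.389           *.*              LISTEN
tcp  0  0  *.636           *.*              LISTEN
tcp  0  0  *.25            *.*              LISTEN
tcp  0  0  127.0.0.1.631   *.*              LISTEN
tcp  0  0  10.0.0.5.22     10.0.0.9.51234   ESTABLISHED'

# unexpected_listeners ALLOWLIST < netstat-output
# Prints the listening ports that are not on the allowlist, space-separated,
# on a single line (empty line if none), and returns 0 only when nothing
# unexpected is listening.
unexpected_listeners() {
    allow=" $1 "
    bad=""
    while read -r proto recvq sendq laddr raddr state; do
        # Only listening sockets matter; established sessions are skipped.
        [ "$state" = "LISTEN" ] || continue
        # BSD syntax: the port is everything after the last dot.
        port=${laddr##*.}
        case "$allow" in
            *" $port "*) ;;                # expected service, nothing to report
            *) bad="$bad $port" ;;         # listening but never approved
        esac
    done
    bad=${bad# }
    printf '%s\n' "$bad"
    [ -z "$bad" ]
}

# Usage with the constructed sample; on a real host replace the printf
# with:  netstat -an | unexpected_listeners "$ALLOWED_PORTS"
if printf '%s\n' "$SAMPLE_NETSTAT" | unexpected_listeners "$ALLOWED_PORTS"; then
    echo "only allowlisted services are listening"
else
    echo "the ports above are listening but are not on the allowlist"
fi
```

The allowlist is deliberately a list of ports the operator writes down by hand rather than something derived from the machine, because the point of the review is that every exposed service has to be justified before it is permitted, not discovered afterwards.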
The software choices are a lot more difficult than the hardware ones.
Solaris 10 is an extremely powerful tool and its record against external attacks is pretty good. Like any Unix, Solaris has had hundreds of vulnerabilities exposed and fixed, but there have been essentially no external exploits - and those are the kind I'm most concerned about. There have, however, been a number of internal exploits - the standard thing on Unix in which the perpetrator starts out with a legitimate user account and tries to upgrade his, or her, privileges.
OpenBSD has a roughly comparable record against external attack and, I think, a slightly better one against internal privilege escalation attacks. I'm not terribly worried about these, but, as they say, if the price is right, why not do it? And there's no direct software or other functionality cost to going BSD instead of Solaris.
There may, however, be an indirect cost in terms of client response. An article under the title "Is Linux For Losers?" appeared on forbes.com in June of last year. Written by Daniel Lyons, the article presents an interview with Theo de Raadt, prime mover behind openBSD.
Here are three excerpts:
Theo de Raadt is a pioneer of the open source software movement and a huge proponent of free software. But he is no fan of the open source Linux operating system.
Linux is immensely more popular than all of the open source BSD versions. De Raadt says that's partly because Linux gets support from big hardware makers like Hewlett-Packard and IBM, which he says have turned Linux hackers into an unpaid workforce.
"These companies used to have to pay to develop Unix. They had in-house engineers who wrote new features when customers wanted them. Now they just allow the user community to do their own little hacks and features, trying to get to the same functionality level, and they're just putting pennies into it," De Raadt says.
"I think our code quality is higher, just because that's really a big focus for us," De Raadt says. "Linux has never been about quality. There are so many parts of the system that are just these cheap little hacks, and it happens to run." As for Linus Torvalds, who created Linux and oversees development, De Raadt says, "I don't know what his focus is at all anymore, but it isn't quality."
Torvalds, via e-mail, says De Raadt is "difficult" and declined to comment further.
"Difficult" indeed - in part because I think he's saying that the Linux community has sold out; and not only didn't get anything in return, but may not even be aware that it happened.
Back in 1994 de Raadt got in trouble with his then colleagues in the NetBSD group and was basically read out of the community. If you're interested in the details, he's got everything you want to know on-line, and I think you'll find it doesn't exactly redound to the credit of the people involved.
Today, of course, openBSD defines the state of the art on highly secure PC Unix - and I think he's absolutely right about what HP and IBM are doing with Linux.
Unfortunately, the presence of things like these in the public record confuses the selection issue, because this is a key guy stating a highly negative position that others can, and do, disagree with. What I can do, of course, is simply argue that genius is always regarded as difficult by its lessers, and then just assume away issues of longer term stability and support, but that's not a very satisfying answer.
A more interesting one would be to argue that de Raadt's rebellion then may well have been the pivotal event allowing the entire BSD community to escape the fate he seems to feel has befallen the Linux community now: corporate control, limits on innovation, and a loss of quality.
And that's the fascinating question I mentioned earlier: it's a great argument and I think I can build a strong case for it, but to what extent is it actually right?