by hga 3865 days ago
Well, there's this famous 2007 statement by Theo de Raadt that many took to mean OpenBSD would never, ever play this game: https://marc.info/?l=openbsd-misc&m=119318909016582

If you actually read the thread, he was reacting to the premise that: as a secure operating system, OpenBSD should implement virtualisation (in this case, Xen) due to its security benefits.

A premise which he rightly shat directly on, and his statement is completely congruent with the presence of a VM hypervisor in OpenBSD.

"OpenBSD should implement virtualisation (in this case, Xen) due to its security benefits."

A specific answer that only took a day to form.

"If you actually read the thread"

Still this again, though. That's three people whose position is that anyone wanting to know OpenBSD's position on virtualization should spend 20m-1hr digging through threads like that and many dozens of hours watching video presentations/interviews. Just in case the answer's there. That's quite unreasonable given one link to a definitive answer on a mailing list, site, etc is all it would take. It's not a one-off thing as this topic comes up endlessly with them having the same response minus some exceptions.

So, given them acting that way, it's a reasonable default for outsiders to assume they didn't give a crap, got way behind on virtualization, cite comments like that just to save time, and finish by adding they're finally doing something. It's actually more effort than OpenBSD supporters put in those discussions. At least one had the wisdom to send me a video with Theo straight up saying it wasn't a priority. QED on whole topic. See how easy that was?

Not so easy in certain circles it seems...

> anyone wanting to know OpenBSD's position on virtualization should spend 20m-1hr digging through threads like that

Okay, okay. Personally, I think the fact that OpenBSD did not support any of the current virtualisation solutions, and now have an appropriate one in the works says a lot about their position.

And, frankly, what use is an organisation's "position" on VM hosting to a user? It either supports it or it doesn't, and if you don't plan on developing it the reasons don't really matter.

EDIT: I'm also going to point out that mailing list posts in general rarely stand on their own, and exist within a context.

"Personally, I think the fact that OpenBSD did not support any of the current virtualisation solutions, and now have an appropriate one in the works says a lot about their position."

It's ambiguous far as past is concerned. Two possibilities are (a) they didn't care for longest but caved on the issue or (b) they wanted it, waited for a solid codebase that never showed, and finally did one of their own. All I can tell is that it matters to them now.

"And, frankly, what use is an organisations "position" on VM hosting to a user? It either supports it or it doesn't, and if you don't plan on developing it the reasons don't really matter."

Not true. Very few develop for Linux or FreeBSD vs number of stakeholders. Nonetheless, many features non-developers would want came about because people needed it or were talking about it. I agree with you for OpenBSD specifically, though, as they've been clear about "code it if you want it so bad."

"EDIT: I'm also going to point out that mailing list posts in general rarely stand on their own, and exist within a context."

True, too. Probably best way to apply that is to just not quote mailing lists if it's a huge conversation. I only quote or back those references because later interviews corroborated them a bit for virtualization in general. We certainly shouldn't just grab things off mailing lists without a context, though.

Many people with amazing selective reading abilities :)

Eh, I think you're being overly harsh. He expresses strong disdain for the whole concept on the x86 platform, and it's not unreasonable to extrapolate that to a "this is such a bad idea, so dangerous that we won't supply such an inherently broken thing".

It's perfectly reasonable to extrapolate his views against virtualization to a general case given these two lines:

"x86 virtualization is about basically placing another nearly full kernel, full of new bugs"

"You are absolutely deluded, if not stupid, if you think that a worldwide collection of software engineers who can't write operating systems or applications without security holes, can then turn around and suddenly write virtualization layers without security holes."

He clearly hates x86 more than most but his point applies in general. He's not the only one who's made it and there's truth in it. It's why high assurance virtualization... well.. applied high assurance to those parts haha. Also, why attempts at robust, resource virtualization typically pushed as much complexity out of the hypervisor as possible upward to the OS's that were on less privileged rings or capability-isolated depending on which system.

However, I said then he was wrong because the hypervisor and even VMM functions are less complex than a whole OS. The past examples showed they can be implemented very simply. We got further confirmation with the NOVA microhypervisor, OKL4 platform, separation VMM's (eg LynxSecure), and so on. People are still finding kernel flaws in the UNIX-like OS's due to architecture, language used, and intrinsic complexity. Many less problems in aforementioned software.

Selective reading, as in not even reading an email later in the same thread:

http://marc.info/?l=openbsd-misc&m=119324926326885&w=2

> If people were saying: "Yes, it increased hardware utilization, and the nasty security impact might be low" it would be fine.

The selective reading might be on you although I'm thinking it's how it's worded rather than readers' fault. Anyone reading your link would catch this line:

"But instead we have many uneducated people saying: 'Yes, it increased hardware utilization, and it improved security too'. And that's complete and utter bullshit."

Whereas, as I referenced, many VMM systems did increase security via isolation with something simpler than the arbitrary OS and monolithic software contained. Lowest TCB I saw with minimum necessary features was in 50-100KB range. What's OpenBSD's + VMM's TCB size, again? :P

Taking 2nd link into account, it still has that thing about it claiming virtualization can't improve security posture, prevention or recovery. That was repeatedly proven false in academic and production systems with some surviving pentests by pro's that regularly tore through UNIX OS's and commercial fodder. So, his statement against security potential of virtualization is "complete and utter bullshit."

Note: As with other link, it becomes true if one is talking about common offerings, esp on x86.