[montyedwards]

Nobody is suggesting OpenBSD not being RedHat should be embarrassing.

However, it is not ideal to have a security-focused OS not directly provide binpatches for the base system and core libraries like libressl. Trusting OpenBSD.org is one thing, but trusting additional entities like mtier, etc. just to get security updates without having to compile is another.

FWIW, I think we should feel embarrassed about not giving more funding & time to OpenBSD given everything they already do for us.

http://www.openbsdfoundation.org/campaign2016.html

Maybe someone at OpenBSD Foundation should get itself listed at smile.amazon.com and make it even easier for people to contribute.

[the_trapper]

The traditional means of patching is recompiling from source. That is the ONLY officially supported method.

This is just another convenient option. I fail to see the problem here.

If you want supported first-party binary security patches you should be using a project that provides that, such as FreeBSD, or just about any Linux distro that is not Gentoo.

[toyg]

I think there would be no problem with OpenBSD supporting an automated build-and-recompile tool, that would be perfectly fine and would stop people like me bitching about updates. Yeah yeah "it's trivial for you to write etc etc" but that's not the point: it's like saying that developing a text editor is simple so we shouldn't provide vi. This sort of thing is better designed and implemented by people who know the OS inside out, not by users.

[Mordak]

For what it is worth the project does provide regular binary updates for both the base system and ports for -current (snapshots). If I were to guess, I would guess that one of the reasons that the project does not provide binary updates for -stable is because they are busy providing binary builds for -current. Since all the devs run -current, you can see which one they choose to invest their limited resources in.

Following current is pretty simple if you're happy to track snapshots, which are updated regularly (usually every week). If you're worried about stability, remember that -current turns into -stable twice a year, so current is pretty stable, and any issues that do crop up get fixed very quickly, because they impact the developers.

[the_trapper]

The problem is that the OpenBSD team doesn't want to write and maintain a tool like that, and they also don't want to utilize their sparse resources hosting the necessary package build infrastructure for all of the architectures they support. They are volunteers, so it really is up to them to work on whatever they want to work on.

Additionally, the amount of security patches we're talking about here is so small that just updating from source code really isn't that big of a deal for most people.

[toyg]

> it really is up to them to work on whatever they want to work on.

Sure, and it really is up to me to keep bitching :)

Besides, the contradiction here is that they are not all volunteers: M:Tier employs some of them exactly to do that job. So, they don't want to do it, but they'll do it if the price is right? Why can't this pricing be done transparently through OpenBSD, rather than some obscure third-party company?

If the problem is funding, why can't they do like RedHat or Oracle, who ask for money to provide automated updates? Oh yeah they do, but through m:tier for some sort of reason (tax? street rep? We can but speculate).

> just updating from source code really isn't that big of a deal for most people.

It's enough to keep the m:tier service running and people like me bitching, so clearly for a lot of people it is. It's enough that every other linux distro out there does it. Denying it over and over won't change that.

[the_trapper]

> Besides, the contradiction here is that they are not all volunteers: M:Tier employs some of them exactly to do that job. So, they don't want to do it, but they'll do it if the price is right? Why can't this pricing be done transparently through OpenBSD, rather than some obscure third-party company?

So you're begrudging some of the OpenBSD developers for having a day job? That is completely absurd. How are they supposed to feed themselves and their families?

Several of FreeBSD's core developers work for Apple. Red Hat employs a large chunk of the GNU and Linux ecosystems. Red Hat actually does something very similar to what M:Tier does.

M:Tier is really just another example of a company that is providing value added support over the offerings of a freely available open source project. They are even generous enough to provide their openup script under an open source license and binary updates free of charge for the most recent version of OpenBSD. I think that is a pretty good deal for everyone involved.

[toyg]

> So you're begrudging some of the OpenBSD developers for having a day job?

Au contraire, I begrudge why they have to do their OpenBSD-related day-job, working on what is basically an essential part of any modern OS (update distribution infrastructure), outside of the official project and with no official endorsement. It devalues them, it devalues the project and only invites speculation on the motives of such arrangements.

> Several of FreeBSD's core developers work for Apple.

Do I have to pay an Apple subscription to get automatic FreeBSD updates? No.

> Red Hat employs a large chunk of the GNU and Linux ecosystems

Sure, and I do have to pay to get automated updates from them, but at least I know they are official. M:tier packages are not official but sort-of wink-wink-nudge-nudge. For a project living and dying on trust, it's a poor show.

> M:Tier is really just another example of a company that is providing value added support

Sure, but my point is that OpenBSD is a pretty isolated example of a project that actively refuses to provide what any comparable project provides, with very flimsy excuses. This leaves the space open for m:tier to make a buck that really belongs to the OpenBSD project. IMHO the project (which is otherwise extremely fond of reminding us that they are short of money) gets shortchanged here, even if some individuals might not be.