[the_trapper]

The problem is that the OpenBSD team doesn't want to write and maintain a tool like that, and they also don't want to utilize their sparse resources hosting the necessary package build infrastructure for all of the architectures they support. They are volunteers, so it really is up to them to work on whatever they want to work on.

Additionally, the amount of security patches we're talking about here is so small that just updating from source code really isn't that big of a deal for most people.

[toyg]

> it really is up to them to work on whatever they want to work on.

Sure, and it really is up to me to keep bitching :)

Besides, the contradiction here is that they are not all volunteers: M:Tier employs some of them exactly to do that job. So, they don't want to do it, but they'll do it if the price is right? Why can't this pricing be done transparently through OpenBSD, rather than some obscure third-party company?

If the problem is funding, why can't they do like RedHat or Oracle, who ask for money to provide automated updates? Oh yeah they do, but through m:tier for some sort of reason (tax? street rep? We can but speculate).

> just updating from source code really isn't that big of a deal for most people.

It's enough to keep the m:tier service running and people like me bitching, so clearly for a lot of people it is. It's enough that every other linux distro out there does it. Denying it over and over won't change that.

[the_trapper]

> Besides, the contradiction here is that they are not all volunteers: M:Tier employs some of them exactly to do that job. So, they don't want to do it, but they'll do it if the price is right? Why can't this pricing be done transparently through OpenBSD, rather than some obscure third-party company?

So you're begrudging some of the OpenBSD developers for having a day job? That is completely absurd. How are they supposed to feed themselves and their families?

Several of FreeBSD's core developers work for Apple. Red Hat employs a large chunk of the GNU and Linux ecosystems. Red Hat actually does something very similar to what M:Tier does.

M:Tier is really just another example of a company that is providing value added support over the offerings of a freely available open source project. They are even generous enough to provide their openup script under an open source license and binary updates free of charge for the most recent version of OpenBSD. I think that is a pretty good deal for everyone involved.

[toyg]

> So you're begrudging some of the OpenBSD developers for having a day job?

Au contraire, I begrudge why they have to do their OpenBSD-related day-job, working on what is basically an essential part of any modern OS (update distribution infrastructure), outside of the official project and with no official endorsement. It devalues them, it devalues the project and only invites speculation on the motives of such arrangements.

> Several of FreeBSD's core developers work for Apple.

Do I have to pay an Apple subscription to get automatic FreeBSD updates? No.

> Red Hat employs a large chunk of the GNU and Linux ecosystems

Sure, and I do have to pay to get automated updates from them, but at least I know they are official. M:tier packages are not official but sort-of wink-wink-nudge-nudge. For a project living and dying on trust, it's a poor show.

> M:Tier is really just another example of a company that is providing value added support

Sure, but my point is that OpenBSD is a pretty isolated example of a project that actively refuses to provide what any comparable project provides, with very flimsy excuses. This leaves the space open for m:tier to make a buck that really belongs to the OpenBSD project. IMHO the project (which is otherwise extremely fond of reminding us that they are short of money) gets shortchanged here, even if some individuals might not be.

[the_trapper]

> Sure, and I do have to pay to get automated updates from them, but at least I know they are official. M:tier packages are not official but sort-of wink-wink-nudge-nudge. For a project living and dying on trust, it's a poor show.

Well that is because the official and ONLY supported way to patch an OpenBSD system is to compile from source. Like pretty much all of OpenBSD's documentation, the instructions to do so are very clear.

M:Tier provides a service that is merely a convenience. It is not essential and I would suspect that only a small fraction of OpenBSD users even make use of their openup script and binary package updates at all.

I suspect you are being purposely obtuse and cannot understand that the way in which your favorite $OS is not the only right way to do things.

The OpenBSD project has no obligation to provide binary updates. They provide source code patches and clear instructions of how to apply them. This is actually better for security because you can actually see what is being changed by the patch if you know a little bit about programming.

[toyg]

> I suspect you are being purposely obtuse and cannot understand that the way in which your favorite $OS is not the only right way to do things.

The OpenBSD project actively refuses to provide a service that pretty much any other OS project provides, so that a commercial entity can make a buck, and I am the one being purposely obtuse?

> only a small fraction of OpenBSD users even make use of their openup script

Until it relies on m:tier servers, of course. Why would I have to trust an unrelated company to update a security-conscious OS?

> This is actually better for security

This is actually worse for security because it relies on sysadmins being human robots that constantly check errata, or being faultless programmers who will never botch a hacked-together-enough-that-works custom script to get errata and apply patches. But hey, don't take it from me, hear it from m:tier themselves: "Keeping your installed OpenBSD packages up to date is hard and time-consuming. Nobody wants to read the mailing lists to spot security fixes and/or updates never mind wanting to build new packages from their ports tree and manually install them on each of their servers and/or desktops."

QED.