by cbsks 1916 days ago
This does not paint FreeBSD in a good light.

“you either have a commit bit (enabling you to commit code to FreeBSD's repositories) or you don't. It's hard to find code reviews, and there generally isn't a fixed process ensuring that vitally important code gets reviewed prior to inclusion. This system thus relies heavily on the ability and collegiality of individual code creators.”

From my perspective, this whole thing is due to a severe failure of the development process. The sub-standard code should never have been committed. But if there is no process, is it really a failure? Or is this just how it is on FreeBSD?


> Or is this just how it is on FreeBSD?

It's not. We do a lot of code review, and it's done publicly. It's easy to look at the commit logs. I find it telling that the article doesn't spend even one word trying to delve into our code review practices. This case was an aberration.

The core group had a chance to state this when they were asked for a response. This one word could’ve come from any of the FreeBSD devs contacted by the author. Instead back came either nothing or a general statement without any real message.

That's fair. At the time, though, it wasn't clear that the author's angle was that FreeBSD doesn't have a culture of doing code reviews. We do, and I don't think one has to look very hard to see that.

The FreeBSD organization should not have had to be told what issues this incident raises, so this response raises one more flag about how the organization is handling it.

This defensiveness in FreeBSD's response, this reaction of minimizing rather than facing up to the seriousness of the problem revealed here, the attempt to redirect the conversation towards anything but the specific issue, only reinforces the impression that FreeBSD may not be ready to deal with it effectively.

Of course, as FreeBSD is open source, its users are in no position to demand anything, but any potential user may, and should, attempt to determine how likely it is to meet her needs in all respects.

Well, at least once code was committed without being thoroughly reviewed. Clearly FreeBSD’s development process needs some refinement to ensure that the entire code is actually reviewed during a code review.

As a FreeBSD user, that's good to hear :)

Has there been any discussion about why the process failed in this case, and what is going to be done to make sure something similar doesn't happen in the future?

This is the review for the original commit, in case anyone is interested: https://reviews.freebsd.org/D26137

There's some discussion happening now and I do expect to see some process changes coming out of this. It's tricky. The review you link does nominally follow the process of creating a review and having some discussion, but there isn't much actual code review happening there.

Ars seems to be calling all open source software insecure. I’m not saying they are wrong but what’s the value in their article? Is it gotcha journalism, or are they warning us not to trust bsd based systems in general. The article starts as a gotcha piece but concludes by saying there’s no review in place to catch these problems.

This is just incorrect. Nowhere in the article does the author, Jim Salter, generalize about all open source software. When someone in the comments did make that leap, Salter pointed out that if these had been closed-source projects the bad code would have been put into production and no one would have known better.

You’re right. I misread the original to be general criticism of open source, but the author made his statement specific to FreeBSD release 13.

“Neither Netgate's responses, FreeBSD Core's, nor the off-record responses we heard from independent FreeBSD community members lead us to believe that there was in fact any process in place that could reasonably have been expected to catch this issue prior to it going out into the world in 13.0-RELEASE”

But it would help if he made it clear why he felt this criticism was specific to FreeBSD release 13. It sounds to a naive reader like a critique that could apply to much of open source software. The author didn’t say that, but it’s a reasonable extrapolation to make.

> Ars seems to be calling all open source software insecure

> The article starts as a gotcha piece

Haha, that’s the problem. You, Netapp, value saving face so very much that you are incapable of constructive response to well-meaning, fair, and honest criticism.

Not netapp and I don’t use or endorse their products. I just don’t like angry mobs or journalism that uses angry mobs as a business model. Too much anger and retribution in the world, not enough forgiveness or compassion. If this code was up for review for months and nobody noticed the printf debugging code in the crypto then I’m sorry but blaming this one bad person seems gratuitous to me, and shortsighted. Ars concludes the article by saying this is a bsd/open source problem. How does that help anyone?