I don't really have time to answer your other points, but systrace is in the base system, and to my knowledge it has never been in ports. So yes if you do a fresh install of OpenBSD 3.2 or later you will get systrace.

See eg http://www.openbsd.org/cgi-bin/cvsweb/src/sys/dev/systrace.c

The problem is not a lack of an implementation, but not any implementation will do. It has to be suitable, and meet the OpenBSD project goals.

AppArmour and RSBAC are GPL. Trusted BSD is rather large, relies on some FreeBSDisms, and IMO is overengineered, I think it would be quite a hard sell, but there may be useful ideas. The fact is that even if something useful can be pulled out of Trusted BSD, someone is going to have to put in the time and do it. The reason they might do this, thankless or not, is because they want some sort of MAC in OpenBSD :-).

I think there is a fair amount of FUD on both sides. A few people do try to make out that MAC is a critical security component, when in fact it is merely a useful tool, and as all discussions so far show, it is far from being universally loved or adopted.

systrace is a good example of my point, despite being attacked by some developers, it was added to the kernel and base system, and recent discussions on removing it have decided to leave it alone despite its problems because it is useful as a ports debugging tool.

With due respect, I think both you and the author of the "insecure" article have some fundamental misunderstandings about OpenBSD and the way the project works.

Just to note I don't speak for the project here, this is just my impressions from being involved for a short time.

Firstly, jokes about theocracy aside, OpenBSD is not a dictatorship. There are a lot of developers, and they don't all agree about everything.

So, even if some OpenBSD developers say they are skeptical about MAC, it doesn't mean all are, or that there is no way to salvage it, or that any code involving the term MAC would be dismissed out of hand. It just means that as it is now, well, they are skeptical. And nobody has appeared with suitable code to change minds. And perhaps that developers are tired of hearing about it from people who manifestly aren't going to contribute.

Secondly, in OpenBSD, contribution drives everything. People who write articles or feature requests or posts on Slashdot are taken much less seriously (if they are taken seriously at all) than people who contribute to the project. Many other OSS projects are the same, but in OpenBSD it is very plain.

Thirdly - and this is something most people seem to miss - any MAC implementation must meet the projects' goals (which are something that no current implementation I have seen does, and certainly not one which anyone has submitted code to implement in OpenBSD). At least it must: be good code; be appropriately licensed; be simple and understandable; be documented; and (important!) be secure by default.

So, if you sit down, design and write a MAC framework that meets those criteria, it will be properly considered. You will have to fight your corner, of course, and make a case that persuades others why it is useful, and accept review and make changes if necessary, but if you are prepared to do the work it will be taken seriously - it may not be accepted, but it will be given a lot more weight than writing an article about it.

The fact is that until someone is prepared to stop talking and hack on MAC support, this whole thing is really a nonissue inside the project. All developers have their own interests (sometimes many of them) and at the moment it is clear none of them care enough about MAC (whether it has benefits or not) strongly enough to get involved.

Of course you can order a CD and then download. Buying a CD is a way of supporting the project, not just an installation mechanism.

It is a volunteer project - there is only one full time developer - and like all such it is a compromise between support and new features, and it happens that at the moment most people prefer doing development rather than maintenance. If everyone was interested in maintenance, OpenBSD releases might have a longer lifetime, but development pace would be considerably slower.

The fact is that as OpenBSD, unlike Linux, does not have large commercial backers, so unless people donate their time and money to work on the things they consider important, it becomes unlikely to happen. Perhaps you would like to donate some of your time to supporting older releases? I can say with some confidence that if you prefer just to complain, most OpenBSD users and developers will care very little for your opinions.

Note that there are commercial organizations providing OpenBSD support if you require it.

I don't know where you get your ideas about poor hardware support, OpenBSD hardware support is not hugely worse than, for example, FreeBSD, and better in some areas.

> I wonder what Theo will say about all this? 9 times out of 10 he tends to scorn things,
> so I wonder if he'll embrace this with open arms, or just shun it like he does most things.

This is an official OpenBSD effort, all of the directors are OpenBSD developers. I'm sure
Theo was pretty central to setting it up, he is unlikely to shun it.

this in support of the company that produced the GBA

Er... yeah, do you have any issue with the GBA?

a system that launched with Super Mario 64 DS

You're aware that other games have been released since Super Mario 64 right?

why doesn't the DS do anything else for me? With 35 million other folks out there owning one, it seems like there should be more here than whatever video game is inserted+pictochat.

You may be aware that the Nintendo DS is a game console, its first and foremost goal is to allow you to play games, not watch movies of listen to MP3s (even though first and third-party addons do actually allow you to)

The fact that it was built, marketed and thought of as a portable game console focused on allowing the user to play games, the very fact you criticize, is in fact probably one of the DS' sources of success. A minor one compared to the SW library, but one nonetheless.

Not to mention the complete and utter failure of the PSP's "entertainment center" strategy (have you checked the UMD movies sales as of late? Do you see many people using the PSP as their MP3 player? They're in the shitter and I don't, respectively)

If there were it would have to be sold seperately

As a matter of fact, there are, and they are already.

But I will give the PSP credit in the vein of my criticism against the DS: the PSP has upgradeable firmware and nothing that shows the lack of vision that pictochat displays.

Haven't seen the PSP's upgradeable firmware feature used for any upgrade yet, unless you consider "homebrew" crackdown an upgrade.