OpenBSD 6.2

openbsd.org

184 points by laamalif 8 years ago · 64 comments

notaplumber 8 years ago

> The i386 and amd64 platforms have switched to using clang(1) as the base system compiler.

Nice!

justin66 8 years ago

This is a draft of the release notes for a release which has not happened yet:

Released October 15, 2017

Broken links apparent in the doc as well.

christophilus 8 years ago

Off topic a bit, but anyone here use OpenBSD? I'd be interested in hearing why you use it, and what your experience has been like.

  • DrPhish 8 years ago

    I've been using it as my only firewall OS of choice since the 2.5 release in '99.

    I have almost always used it as a firewall or networking appliance, and only rarely used it as a desktop OS, and never on my main machine.

    It has evolved over the decades to be a swiss army knife of network functionality that rivals expensive appliances like the F5 in certain areas. Things like PF, CARP, rdomains, relayd, ifstated, openbgpd, ospfd, opensmtp, unbound, nsd and sane ipsec tools among others in the base system allow for some amazing possibilities. Config file syntax of the various tools has been converging on a nice, consistent, mostly self-documenting "standard" as well.

    Constant auditing and refactoring has proactively fixed many holes before they were used in exploits on other platforms, and has brought a steady improvement in performance over the years.

    As others have pointed out the entire system has a very consistent and well integrated feel. The documentation is very well maintained.

    Support of devices with poor documentation or binary blobs has been slow to come, but does eventually tend to make it into the system. 802.11n on atheros is the example of something I personally had to wait a long time for.

  • Athas 8 years ago

    I use OpenBSD on my personal server. It does not do anything advanced, but runs email, a few websites, IRC bots, and such. I am not a professional systems administrator, nor do I consider myself a particularly competent one (I'm a compiler researcher). OpenBSD is the only system where I feel confident that what I have set up will be reasonably functional and secure. This is partly because OpenBSD comes with sane defaults and excellent documentation, but also because most software in the base system has fairly few features, and is focused on the common case, so I have less rope with which to hang myself. At the same time, it is so simple that I can actually understand in detail what's going on, and what the configuration files do.

    Experienced systems administrators may have other reasons for preferring OpenBSD - I really wouldn't know. To me, OpenBSD certainly fills a niche for someone who is fundamentally knowledgeable about computers (and willing to read documentation and write configuration files), yet is not a full-time sysadmin.

  • technofiend 8 years ago

    Same as others below I use it as a firewall and have used OpenBSD since it was available for my Sparcstation IPC.

    Don't get me wrong - my lab desktop at work is Fedora 26, my little lab boxes are mostly running Debian Stretch and I'm an RHCE current on things like SystemD who has a ton of RH boxes I support day in and day out. But OpenBSD is very old school UNIX in its simplicity; there is no cruft in the base OS because it's really built for a few specific purposes.

    There are downsides to running OpenBSD; it didn't win any packet shifting races versus other BSDs last I looked, but it is (arguably) the most secure of the BSDs and for a firewall it is undeniably otherwise fit for purpose. Any old $100 refurbished PC from Microcenter and a couple of Intel NICs are all you need to build a whitebox firewall with lots of interesting knobs.

    Every time I upgrade I literally throw all my configs to a USB stick, put in a new hard drive and do an install from scratch. Copying configs back and looking for changes between the distributions is the relatively painless work of a couple of hours and forces me to make sure nothing major has changed either in behavior of or the software packages themselves.

    If there's any downside to OpenBSD it is that it isn't newbie friendly... I call it a full contact operating system because some of the list members can be abrupt to folks asking questions found in the FAQ.

    • ams6110 8 years ago

      sysmerge(8) will handle all that config file diffing and change reconciliation. Of course not a bad idea at all to back up important stuff before an upgrade.

  • terminalcommand 8 years ago

    I've used FreeBSD on my laptop (Lenovo x201) for a long time, I've also installed OpenBSD from time to time. The rumors on the internet were that OpenBSD had better hardware support. I remember someone claiming that whereas FreeBSD developers use VMs to develop, OpenBSD devs used native machines (mostly laptops). I faintly remember that installing OpenBSD was harder than FreeBSD. FreeBSD came with a terminal graphical installer, partitioning etc. happened automatically.

    The problem I had with BSDs was that they were slower than Linux. Especially when it came to boot times, Linux booted up in seconds due to parallel starting of system services. On FreeBSD the same machine with an SSD took nearly half a minute to boot. Some people here on HN had advised me to use a parallel system initializer, or never completely shutdown my laptop. Always keeping the laptop at sleep did not work for me, because I was (and am) very paranoid when it comes to computers, I can't sleep if my computer is not shutdown and has an ethernet cable plugged into it. Using a parallel system initializer did not work, because I was too lazy to set one up.

    Battery consumption was another issue. Although FreeBSD provided decent battery life, utilities like powertop did not exist for BSD platforms.

    What I liked about FreeBSD was that it was a pure OS. When I opened htop, I could see only a handful of processes running, and I knew what each process did.

    On the other hand, everything required manual configuration. I basically lived in the terminal to operate my laptop. But that is probably due to my laziness to automate and write scripts.

    I'd also be interested in the differences in day-to-day life between FreeBSD and OpenBSD.

    • dbolgheroni 8 years ago

      I don't get why people put so much emphasis on the boot time nowadays. I have a 5-year-old laptop which takes less than 30 seconds to boot, with Xorg already.

      Even if you power cycle every day. If you ACPI sleep (and it works great), you'll have to boot your machine once every 6 months, when there is a new OpenBSD release.

      I would much rather "spend 30 seconds" every 6 months to boot the OS I want to run for 12 hours/day than to "save some seconds" in months to run an OS that I don't for the same amount of time.

      I'm not sure people realize how much complexity you have to add to make a system boot even a couple of seconds faster. If you somehow have to diagnose a problem in a system like this, all the seconds you saved in a lifetime will be spent on a single debugging session.

      • fao_ 8 years ago

        > every 6 months

        Most people don't want or can't afford to have their computer running 24/7. Especially if they're not using it for more than 11 hours of that day. And if you use more than one OS on one computer, fast startup can save you a lot of time switching between those.

        > I'm not sure people realize how much complexity you have to add to make a system boot even a couple of seconds faster.

        Not true. I shaved 20 seconds off my boot time recently, by digging around in config files and disabling services that were never used, by backgrounding non-essential services that took a long time to start up, and by reducing the grub bootloader time. Everything I did was trivial, yet it cumulatively brought a large reduction in startup time, it's gone from one minute to ~30ish seconds now.

        • wahern 8 years ago

          > Most people don't want or can't afford to have their computer running 24/7

          I guess I shouldn't make too many assumptions. I'm sure plenty of people are still using Windows on 10-year-old towers attached to CRTs. But my Macbook Air goes several months without a reboot, as did my previous one, and the one before it, going back at least 10 years. I don't even think about it. My servers are rebooted much more often, simply because of kernel patches and upgrades. Fortunately startup is usually quick for both OpenBSD and Linux as, ironically, there are far fewer services and the hardware is less complex than typical consumer machines.

        • xorcist 8 years ago

          > Most people don't want or can't afford to have their computer running 24/7

          I think the various power save modes have replaced shutdown for most personal computers. Even on my desktop (yes, I still have one of those at home) I just suspend it and only reboot on certain upgrades.

        • milcron 8 years ago

          > Most people don't want or can't afford to have their computer running 24/7.

          I'm always telling my family and friends to reboot their damn computers every now and then. In my experience most people never turn their PCs off.

    • JdeBP 8 years ago

      If you want GUI configuration tools for FreeBSD, then look to TrueOS (formerly known as PC-BSD).

  • bangonkeyboard 8 years ago

    It's generally easy to maintain on my server. With normally fewer than 40 processes/daemons running at any time, I can reason about what's going on, as opposed to Linux or macOS.

    Downsides are that much of the system feels stuck in ancient times (there seems to be more support and documentation for tape drives than SSDs), the ongoing removal of sometimes useful software like sqlite from base, and anemic or absent support for secondary hardware platforms and features like Bluetooth.

    • PhantomGremlin 8 years ago

      > It's generally easy to maintain on my server. With normally fewer than 40 processes/daemons running at any time, I can reason about what's going on, as opposed to Linux or macOS.

      This really can't be emphasized enough.

      It's very simple to see what's running. Right now on my OpenBSD system, when I do

         ps ax |wc -l
      
      the answer is 51. But that's misleading. Because:

         nsd  5 processes
         ntpd 3 processes
         nfsd 5 processes
      
      Etc. So there are really very few processes, and they're all easily understood.

      In contrast, I just tried the same ps on my macOS Sierra laptop that I'm typing this on, and the count was 510. Ten times as many!!!

      Mere mortals can't easily understand all of that.

      • rasz 8 years ago

        C:\Users\me>tasklist /NH | FIND /v "vivaldi" /c

        60

        Windows 10 minus all the vivaldi (~chrome) processes. You can trim most OSes to the reasonable essentials if you try hard enough.

  • protomyth 8 years ago

    Use it on all servers except our file server (FreeBSD and ZFS) and the required other software servers (RedHat and Windows). I like the ease of configuration and consistency.

    The new syspatch has saved some time and other than getting a hang of disk partitions, the install is super easy.

  • yellowapple 8 years ago

    I use it to run my mailserver (OpenSMTPd is awesome), among other things. It's also my default OS for non-x86 desktops/laptops (it works remarkably well on PowerPC Macs).

  • bandrami 8 years ago

    It's simple and (generally) correct. It has defaults that make sense. Its run control system is readable. OpenHTTPD and OpenSMTPD are the easiest daemons to administer I've ever used.

  • tyfon 8 years ago

    I have OpenBSD on my firewall, a small old machine running irssi and an old laptop for fiddling.

    My experience is that it's simple to use and well documented.

  • netrap 8 years ago

    I tried... but it has no 802.11n support, from my understanding. That was a deal breaker for me.

    Also, I was using an ancient CardBus ethernet adapter and it kept freezing up. Works fine on Linux. It's just unfortunate that all the things I tried had problems.

    Linux just worked on the system I was using.

  • INTPenis 8 years ago

    Home router/firewall. Outer-most point in my network. Inside I have a turris and used to even have an Apple but the outer-most point has been an OpenBSD firewall since 4.x.

    My first job in IT was such a prolific OpenBSD advocate that we were listed on their homepage as one of the companies that use OpenBSD.

    My current opinion is that I would never put myself or anyone else through using OpenBSD. Linux can do anything it can and I've actually become an SELinux advocate in the last 2-3 years.

    I do however trust it completely on my home firewall and it gives me some practice with BSD.

  • dijit 8 years ago

    I use it on my ThinkPad... Rock solid after I fudged it to use my favourite DE (i3) lighter on the CPU than FreeBSD and a lot of interesting completeness. (like ifconfig being able to use WPA keys etc)

  • dvfjsdhgfv 8 years ago

    As a firewall it's unbeatable; I've been using it this way since late nineties. I fell in love with its simplicity and excellent performance. Everything just works. An old PC can handle huge traffic with ease, it's just a question of good NICs. Of course you can do pretty much the same on Linux, but in OpenBSD it's more elegant and coherent.

  • eeks 8 years ago

    Mail server, web server, CalDAV and CardDAV server, and development laptop. Never looked back.

    • snksnk 8 years ago

      What do you use for CalDAV and CardDAV? I only found Nextcloud to be working well.

  • ams6110 8 years ago

    I use it wherever I can. It's my main desktop system at work and at home. I like the simplicity and reasonably conservative rate of change.

  • jsiepkes 8 years ago

    We use OpenBSD for our firewalls at work.

  • thatzerodude 8 years ago

    I've used it on my laptop. Primarily because it has had few vulnerabilities and is very stable.

    • eugeneionesco 8 years ago

      > I've used it on my laptop. Primarily because it has had few vulnerabilities and is very stable.

      The OpenBSD propaganda works I see...

      Do you really think the tools you use like your web browser, mail client etc, have less vulnerabilities on OpenBSD than on any other BSD or linux distribution, please...

      • bch 8 years ago

        > Do you really think the tools you use like your web browser, mail client etc, have less vulnerabilities on OpenBSD...

        A reasonable question, but presumptuously and poorly framed, I think. Mitigation efforts like privilege separation[0] (for daemons), ASLR[1], SSP[2], and now KARL[3] are designed to make things systemically better. I'm personally a NetBSD person, and don't see that ending anytime soon, but I do appreciate the work that OpenBSD does and pay attention with interest. I expect some of their work to be ported to my environment directly, and other effects to be felt tangentially. People running different or "weird" environments is a good thing.

        [0] https://en.wikipedia.org/wiki/Privilege_separation

        [1] https://en.wikipedia.org/wiki/Address_space_layout_randomiza...

        [2] http://wiki.osdev.org/Stack_Smashing_Protector

        [3] http://undeadly.org/cgi?action=article&sid=20170613041706

        • saghm 8 years ago

          OT, but I've had trouble in the past when trying out NetBSD; I wanted to install it on my laptop with full disk encryption, but I clearly was missing something about how to do it properly, and I've never been able to find a good guide for it. Any chance you might know a blog post or something that details how to do this properly for a NetBSD newbie like me?

          • bch 8 years ago

            I've run it in the past, but not recently. I'll see if something appears to me and try to post it here for you.

            And good luck with your NetBSD journey, with or without FDE. I've thoroughly enjoyed my years with it as my primary OS.

        • eugeneionesco 8 years ago

          All of those were developed on linux and linux distributions and were available on those before obsd...

      • notaplumber 8 years ago

        Yes, browsers are a large attack surface. But I'd take a quick peek at the recent Security improvements section on this release page, and also OpenBSD's innovations page.

        https://www.openbsd.org/innovations.html

        OpenBSD was the second OS to enable W^X JIT on its firefox package, W^X being made mandatory system-wide, and in Theo de Raadt's most recent conference talk he mentions chromium being pledged. Both browsers are compiled as PIE by default.

        http://undeadly.org/cgi?action=article&sid=20151021191401

      • alexiacob 8 years ago

        That's not the point. Of course the software will have the same number of bugs/vulnerabilities on OpenBSD. The question is how much damage an exploit/crash will do overall. OpenBSD has quite a few protection mechanisms in place.

      • bmh_ca 8 years ago

        > Do you really think the tools you use like your web browser, mail client etc, have less vulnerabilities on OpenBSD than on any other BSD or linux distribution, please...

        Yes. OpenBSD employs several mechanisms that improve the security of every application e.g. W^X and stack protector.

        See: https://www.openbsd.org/security.html

      • bjpbakker 8 years ago

        Actually "your web browser, mail client etc" do a lot of system calls to do networking et al, so yes, they do have less vulnerabilities than on Linux.

chapeupreto 8 years ago

Congrats OpenBSD!

No big deal, but https://www.openbsd.org/images/MoBSD.gif is not found. Broken images suck, but, again, no big deal.

aomix 8 years ago

Even following the OpenBSD mailing lists I didn't realize all the anti-ROP features they put into this release. The big idea is that popular attack surfaces are randomly relinked at boot/upgrade/run time. Now the kernel, libc, libcrypto, and ld are unique to each machine. So instead of a single information leak giving away the whole game it gives away basically nothing. An attacker would need to chain many, many information leaks together to get anything useful so the bar is raised quite a bit.
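
The effect described in the comment above, as a small model added here (not part of the thread and not OpenBSD's code): it compares one fixed link order with a per-boot shuffled order and checks whether the distance between two symbols stays constant. The object names, sizes, symbol offsets and base address are constructed, and the back-to-back layout is a simplification of what a real linker does.

```python
import random

# Constructed object files (name, size in bytes); not real OpenBSD objects.
OBJECTS = [
    ("locore.o", 0x0400), ("vfs_syscalls.o", 0x2300), ("kern_exec.o", 0x1800),
    ("uipc_socket.o", 0x1F00), ("tty.o", 0x1200), ("if_ethersubr.o", 0x0E00),
]
# Constructed symbols: name -> (containing object, offset inside that object).
SYMBOLS = {
    "sys_open": ("vfs_syscalls.o", 0x120),
    "sys_execve": ("kern_exec.o", 0x040),
    "sosend": ("uipc_socket.o", 0x7C0),
    "ttwrite": ("tty.o", 0x300),
}
BASE = 0xFFFFFFFF81000000  # constructed load address


def link(order, base=BASE):
    """Place objects back to back in `order`; return {symbol: address}."""
    start, addr = {}, base
    for name, size in order:
        start[name] = addr
        addr += size
    return {sym: start[obj] + off for sym, (obj, off) in SYMBOLS.items()}


def fixed_link():
    """Every machine gets the same image: one link order for everyone."""
    return link(OBJECTS)


def random_relink(seed):
    """Per-boot image: same objects, link order shuffled (seed = one boot)."""
    order = list(OBJECTS)
    random.Random(seed).shuffle(order)
    return link(order)


def distinct_deltas(layouts, leaked, target):
    """How many different (target - leaked) distances occur across layouts."""
    return len({l[target] - l[leaked] for l in layouts})


def stale_delta_hits(reference, layouts, leaked, target):
    """Count layouts where a distance learned from `reference` still finds
    `target` when added to that layout's leaked address."""
    d = reference[target] - reference[leaked]
    return sum(1 for l in layouts if l[leaked] + d == l[target])


if __name__ == "__main__":
    boots = range(1, 51)
    same = [fixed_link() for _ in boots]
    shuffled = [random_relink(s) for s in boots]
    print("fixed image  :", distinct_deltas(same, "sys_open", "sosend"), "distance(s)")
    print("random relink:", distinct_deltas(shuffled, "sys_open", "sosend"), "distance(s)")
    print("stale distance valid on",
          stale_delta_hits(random_relink(0), shuffled, "sys_open", "sosend"),
          "of 50 relinked boots")
```

With the fixed image the distance is the same on every machine, so one leaked address locates every other symbol; with the shuffled order a distance learned on one boot rarely holds on another.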

edwinnathaniel 8 years ago

Has anyone ever installed OpenBSD for Macbook White (MB 5,2)?

I'm interested to resurrect this laptop since Apple no longer supports (newer OSX can't be installed) the hardware.

I would love to see OpenBSD + Openbox + Crunchbang theme/window-decorator.

  • jbronn 8 years ago

    Yes, I successfully run it on two older MacBooks for server use. I haven’t tried WiFi or sound but everything else, including trackpad and X, worked fine for me. There were other tweaks to make suitable for a server, but OpenBSD has otherwise resurrected the laptops. Bonus: this hardware predates Intel ME.

  • elchief 8 years ago

    If it has a Broadcom wifi, then you're probably SOL on that front
