OpenBSD, Reductionist Design
Duke of URL writes: "Sam Williams, of Upside Today has an article discussing OpenBSD's overall design philosophy, with good quotes from Theo de Raadt, the OpenBSD project leader.
Williams also covers how the OpenBSD project goes about supporting their financial needs (by selling t-shirts, CDs, and posters) and briefly covers their lack of desire to receive venture capital despite offers. "
> I really don't think this is accurate; I know there were a number of local exploits in the past 6 months that affected all BSDs, including OpenBSD.
most recent exploit: tricky procfs hole. of course, openbsd doesn't mount procfs by default.
> Now, this might just be a matter of hair-splitting; perhaps OpenBSD doesn't install any of the vulnerable BSD utils by default.
that is correct.
> If that's the case, it's not a fair comparison, since RedHat has a number of different installation levels available.
of course it's a fair comparison. the openbsd developers carefully check over all pieces of the operating system before including them by default. it's a measure that other vendors do not take. you may think that redhat provides a secure installation level, but do you really think that they read every piece of the linux kernel source, hunting for bugs? or even the small important utilities? this is where openbsd pulls ahead.
I really don't think this is accurate; I know there were a number of local exploits in the past 6 months that affected all BSDs, including OpenBSD.
Now, this might just be a matter of hair-splitting; perhaps OpenBSD doesn't install any of the vulnerable BSD utils by default.
If that's the case, it's not a fair comparison, since RedHat has a number of different installation levels available.
That said, I'd like to see things like LIDS incorporated into the Linux kernel, available for all to use. That would go a long way towards helping make Linux distributions more secure, if they'd at least turn on some of the openwall stuff (which has supposedly been incorporated into LIDS).
--
Network Flight Recorder is one such device (not a firewall of course) that can't be configured at all. the openbsd box you want to install is the real deal and they have you there to make it do whatever is needed. i have yet to see a "real" router ping for lowest latency on different lines to determine which one to use, for example. but a little perl on a bsd box did that trick nicely.
you can also show them the messages from bugtraq (a security vulnerability / exploit mailing list, if you're not already on it) where sometimes firewalls and little boxes come up. openbsd does not. almost any security site can help here. rootshell is another quick easy one.
if they keep ignoring you, with your skills, maybe you should work elsewhere, or just go to work and take advantage of the free time and paycheck you're getting anyway.
Good question. Let them know that they are not letting you do your job. Let them know that they should either let you do the job, or expect you to find a different job, one where you get both responsibilities and the authority to make things happen.
Alternatively, tell them how you're going to solve the problem, solve the problem that way, then tell them you've solved the problem.
If it's a matter of not having an extra box to build a firewall with, pick up a used box yourself, or claim the old machine next time someone upgrades their desktop.
There are lots of people doing work on Linux for free. Some of that work is even off in userland where it will help some or all of the BSDs as well.
There are people employed by Red Hat (and I expect others) that are paid to work on Red Hat. The folks that work for Red Hat Labs, for example.
Sure. But Linux has done the work to get them. Its users were more excited. More interested in recruiting others. More willing to try a new development model. More willing to try a new business model. More willing to risk the goose that gave them their golden egg.
People doing it for the ego boost would be somewhat more interested in who has the larger user base. People interested in doing coding on an OS they can sell the boss may go for the one that has received more press. People tired of Windows coding may see the alternative covered in the press and go for it.
So, yeah, the press helps. And some people who use BSD are jealous of Linux's success. Some people who use BSD are delighted by Linux's success. Some people who use BSD are happy to see BSD get a bit more press too. Some people who use BSD would rather keep its elitist nature and not see so much press. I'm all of the above, in different measures as the days pass.
But you've got to admit that the majority of Slashdot posters come across as clueless teenagers looking for a flamefest. I applaud the moderators for moderating that particular post down, as its author was clearly in the dark when it comes to the development of BSD and operating systems in general.
As noted on the OpenBSD pages, there are a similar number of developers working on the core of OpenBSD as there are for Linux. Put simply, there just aren't that many coders out there who have the skills to work on a task like operating system development. Likewise, there is a threshold to how much of a large piece of software an individual can understand in its entirety. The Alan Coxes and Theos of this world are pretty few and far between, but contrarily there are enough to sustain the development of Linux and the free BSDs.
As for the original poster's claim that developers should focus on Linux because it has a wider installed base than, say, FreeBSD: that is to misunderstand the design goals of Linux. While OpenBSD concentrates on being stable and secure, while perhaps not state of the art, Linux aims to support as many peripherals as possible. This leads to experimental code in the kernel source tree, but a bigger chance that it will work on the latest hardware.
Linux and OpenBSD have greatly differing design goals, and the original poster's ignorance of them rightly deserved his post's critical moderation.
Chris Wareham
because he is ignorant to the facts his post should be moderated down and ignored right?
... but this moderation struck me as spot on. The original poster didn't couch their message in terms of a question, but more like a blunt statement.
When it comes across as flamebait, then yes.
He or she obviously didn't even take the time to read the article which Slashdot was linking to, or else the nature of OpenBSD would have been apparent.
It all comes down to whether you want Slashdot to descend into a morass of 'Frequently Asked Questions' (or frequently stated misconceptions as is more often the case). Personally I'd like a slightly more informed level of discourse on Slashdot - not the inane drivel I have to contend with on Usenet.
At the same time the balance has to be right. I'd hate to see the level of pedantry and nit-picking that permeates comp.lang.c
Chris Wareham
Hmmm, you obviously misread the intention of my post. You also used a rather poor analogy.
Racecars don't have CD players. I can't make my car into a racecar by yanking out my CD player
Bad analogy because I can strip down Linux and make a secure server. It may not be as reassuringly secure as OpenBSD, but given the disproportionate number of security holes in applications (as opposed to the kernel) then I'm content. The real analogy is to compare a rally car to a roadgoing version of the same model. The rally car has been finely honed for performance in much the same way OpenBSD is tweaked for security. The roadgoing version offers more features, but you may not need that added functionality. To carry the analogy to an extreme, OpenBSD is like making the rally car available to me - but I have to accept the possible limitations in functionality.
By stating that a Linux user should strip down their install if they wish to be security conscious, I wasn't implying that they should give OpenBSD a miss. In fact, the main reason I stick with Linux is because I have considerably more experience with it than with OpenBSD. As I came from a SVR4 rather than BSD background that may be the reason why, (I find I have to 'relearn' things occasionally on BSD systems, while most Linux distros strike me as more SysV-ish).
The install base of Linux compared to OpenBSD does offer up the possibility that bugs are more quickly found in the former. However, I find greater reassurance in OpenBSD's code audit than the possibility that bugs are reported more readily for Linux systems. In this I assume you are in agreement.
Chris Wareham
> Some people who use BSD are delighted by Linux's success
An interesting point of view is the one I came across in a book on building firewalls with Linux and OpenBSD. Some in the BSD community look upon Linux with its bigger install base as an ideal testing ground for new software. This camp positively encourages development targeted at Linux at first, with the possibility of porting across to the BSD systems at a later date.
There is a certain amount of the snobbery evident in this view. They see the Linux userbase as more tolerant of buggy software, with the obvious implication that the whole system is buggier. This is redolent of the complacency in the BSD community with regard to how their operating systems are perceived. Many potential users are put off by the condescending attitude that is more prevalent in BSD circles than in Linux ones.
This attitude certainly put me off of using FreeBSD, especially as I found it a poor desktop system in comparison to the typical Linux distro. Thankfully, this seems to be changing as a number of people migrate to dual booting a BSD operating system alongside Linux, or switching altogether.
Chris Wareham
Perhaps it is time for the temporary-permanent OpenBSD box? Set it up for the "time being" and soon weeds will be growing up around the edges. Of course I'm in a slightly less PHB place so this might not be an option - but you could try it!
> If it is passworded, the developer can do nothing about the user making their password their boyfriend's nickname, or putting it on a post-it note on their monitor.
The system must not accept foolishly easy passwords; it must enforce mixed-case with special characters.
There will always be first-time users, as well as human mistakes, and hot-headed if not straightforward evil intentions.
I'm all for educating users, but it can not be the sole basis of security, can it?
On the other hand, scaring lusers with love viruses is a great way to teach them about secure system. Or rather, less flawed ones.
I think, therefore thoughts exist. Ego is just an impression.
Quite right indeed
Then again, that is exactly the reason why you have to assume that the average user is hostile. User itself might not be, but those who see the password might be.
Anyway, forcing it to be near random noise makes it less easy to be guessed without seeing that note.
Post-It's should come with self-destruction enabled in case they get a password-resembling string written on them!
I think, therefore thoughts exist. Ego is just an impression.
Just to add my "me too" post:
:)...
:)
:)
Yes, minimalist is good when you want to get the job done.
I couldn't be happier with openbsd at work -- it handles firewalling for the part of the network that needs to be hidden, it handles NAT for the windows boxen of the developers, it has 69 aliases on the external nic which handle web pages by portforwarding.. and all of this from a spiffy 486/66 box with 8 megs of ram...
I can safely say that little or no other unixen can do that without desperately needing beefier hardware.
Oh, and yes -- once configured as a silent firewall it could just be left there, without me having sleepless nights wondering when the new security hole will occur...
And to top that off, you can almost daily find Theo in #openbsd @efnet and he *will* answer your questions, provided they are not extremely stupid (mine are sometimes
So, if you ever need a secure, silent workhorse that needs little or no tweaking to get working -- use openbsd
flame on...
Does OpenBSD support a firewall that has a chainlike structure like linux's ipchains? People say that OpenBSD is more secure for a firewall, which I would gladly accept, but what I want to know is if you have a really complicated firewall setup, can OpenBSD keep up because it has a logarithm chainlike design, or is it a linear packet-matching design like other firewalls? I only ask because some commercial quality firewalls (including the pre-boxed ones) can get extremely poor performance when you start passing large amounts of traffic through a firewall with a large number of settings.
Can someone familiar with OpenBSD internals provide an answer to this?
Fuck off, Bastard.
WHY must there be so many different distributions of Linux?
WHY are there so many SVR4 variants?
Us UNIX geeks like to have variety, I suppose. Maybe it's not always in the best interests of solidarity and progress, but having the choices there is a nice feeling.
"That's Tron. He fights for the Users."
Only if the software has no easily exploitable bugs is the uneducated user the primary flaw in security.
It's not people leaving their passwords on Post-it (TM) notes that allows people to hack hundreds or thousands of boxes to do a DDOS attack with.
Trees can't go dancing
So do them a big favor
Pretend dancing stinks!
This article says "OpenBSD population 7000"
7000 is an accurate number of CDs sold for OpenBSD 2.6, but not total!!!
> Luser unsecurity hype is mostly unnecessary; software developers need to be more conscious.
Bollocks. If it is passworded, the developer can do nothing about the user making their password their boyfriend's nickname, or putting it on a post-it note on their monitor.
The uneducated user is the primary flaw in security.
Pax,
White Rabbit +++ Divide by Cucumber Error ++
free experimental electronic music netlabel at www.viablehybrid.com
Why do we have so many different unix variants? It's time we got all the people to stop wasting their time with so many different unices. Time to UNITE. TIMe Join LINUX...... Be a penguin or sit on a Window }:) UTS MOooooooS !
So you're saying we should just shut the forks up? :)
Pax,
White Rabbit +++ Divide by Cucumber Error ++
free experimental electronic music netlabel at www.viablehybrid.com
Insanity is the last line of defence for the master diplomat. But you have to lay the groundwork early.
If Open BSD wants venture capitalists, they should get someone OTHER than Theo to talk to them. He can have an attitude (as an example, think about things like the OpenSSH.ORG/COM issue). If you take both sides' statements with a grain of salt, it seems like the owner of OpenSSH.ORG was WILLING to make a deal (if OpenBSD/SSH would just add some links to OTHER open source security projects). But Theo copped a 'tude and sicced SlashDot on the owner of the OpenSSH.ORG domain (not a good PR thing).
As an aside (and a vent) they (read Theo) aren't listening to the community. The other BSD's (Free and Net) both are now releasing ISO images to download. When I wanted to do some comparisons of Free/Net/Open BSD's, I wanted to download the ISO's and burn CD's (at work, since at home I only had a 33.6K dial up). For Net and Free BSD's this was not a problem. When I got to OpenBSD, Nope.. No ISO. When I asked (in what I believe to be a polite manner) I was told basically to stick it, that if I wanted a CD, I had to purchase it because creating an ISO would cause his sales on CD's to go to nothing (Really? Tell this to RedHat, FreeBSD, NetBSD, etc.) Sorry, with opensource I try before I buy..
Not good to annoy someone who helps plan server deployment at their company (and for their own company). So.. No OPEN BSD.. No Purchases (since I DO purchase open source software and CD's.. I have been buying FreeBSD since 2.2.5 and have 4 different Linux Distro's too).
UPS Sucks
The thought of BSD, any version, as "minimalist" is pushing it. But compared to the shovelware that's sold as operating systems today, I suppose it makes sense. Still, compare QNX.
"I'm quite tech-savvy". Understand that when someone says something like this, it's like a girl saying "I have gigantic boobies": not only is it faintly goofy-sounding, but the information being imparted will either be obvious to the observer or clearly untrue. In neither case is it an advantage to make the statement, and it can only hurt you if the observer disagrees.
And since you call yourself an NT and VB "guru", and you're talking about UNIX, that makes you an A-cup girl in a prom dress, and let me tell you, honey, no amount of Kleenex is gonna help.
I was going to argue some technical points, but I need another beer. Hang on.
---
Benjy Feen
http://www.monkeybagel.com
Hmm, no mention that 98% of OpenBSD users have downloaded the OS, or did an FTP install (which works very nicely). I think they could have mentioned that somewhere. I place that number MUCH higher than 7,000.
I am a highly regarded professional marketer, concentrating on the "tech-savvy" demographic. It has been proven time and time again, that there are 2 things that will get people to buy.
1) sex
2) fear
Anyone with experience of the open source community (bearded, sandal wearing, grateful dead listening, socialistic, eliter-than-thou sociopaths) will realise that sex is not something they will understand in any meaningful way. Hence the marketing strategy must be all about FEAR (or as the more 31337 would say, P|-|334R).
For BSD (Open, Net, Free, Whatever, they're all the same) to become popular and reach the dizzy heights that RedHat has achieved, it needs to change the marketing strategy.
If I were in charge, I would instigate a Monthly release cycle. This way, the comfort and satisfaction a nerd gets from being "up to date" would be a short lived thing, and he would be constantly needing to upgrade to stay current. Even a moron can see the revenue streams here.
Also, I would try and get the marketing story a bit more coherent. I mean, what DIFFERENTIATES *BSD from all its competitors (Linux, BeOs, Solaris) etc.
I'm quite tech-savvy, being an NT and VB "guru", but I don't know operating systems. However the experts I've spoken with are clear: Free/Open/Net BSD needs DirectX and XML support in the kernel in order to compete with Windows on a feature by feature comparison.
I realise now that slashdot readers do not care for my insightful observations, however I continue to post them, as I personally am convinced of my expertise, and do not require it to be validated by a bunch of whining 16-year-old Korn-listening skript kiddies, hell bent on destroying the music industry with their illegal "napster" protocols.
RedHat Linux has more security advisories, but that's a consequence of including so much software as part of the standard distribution. They also include lots of beta and recently developed code. OpenBSD in comparison only uses carefully audited code and older, well tried applications. The downside to the OpenBSD approach is that you only get a small set of tools with the standard distribution.
So you should pick what you need from your Linux distribution, and don't install anything else. Or install OpenBSD if you want to. Just remember that a lot of free software is currently written with Linux as its primary target, so you may need to tweak it to get it going on OpenBSD.
Comparing RedHat Linux to OpenBSD simply on the basis of how often security flaws are found in the entire distribution is misleading.
(disclaimer: I happily use both RedHat Linux and OpenBSD, so I know the strengths and weaknesses of both)
Chris Wareham
This is what I have been saying for a while now.
There is a strong, growing need of
Luser unsecurity hype is mostly unnecessary; software developers need to be more conscious.
# Untaint every CGI parameter against a whitelist regex and rebuild a
# key/value list from the captured group. The pattern was cut off in the
# original post; /^([\w .-]*)$/ below is a placeholder, not the poster's.
my @input = map {
    my $key = $_;
    $cgi->param($key) =~ /^([\w .-]*)$/;
    ( $key, $1 );
} $cgi->param();
I think, therefore thoughts exist. Ego is just an impression.
> n0w 5hut th3 phukk up b3f0r3 1 k1ck j00r 455, f4gg0t.
What's scary is that I'm getting to where I can actually read this stuff as a stream, rather than having to decipher it one character at a time.
Maybe I'm ready to tackle perl now.
--
Sheesh, evil *and* a jerk. -- Jade
Then perhaps, although probably not, if he's a PHB, pointing him to GNATbox and/or www.dubbele.com will help - these are the 'plug it in' boxes he talks about, and they use BSD variants..
Of course, it's because RedHat began treating Linux as a traditional product that must be "released" that has made it the investor's baby of open source. Free/NetBSD have been around longer than Linux, but they didn't get the attention because they're more concerned with refining the code than writing press releases and speaking at conferences.
But then, it seems that a few BSD folks, like Theo, are doing the publicity thing; perhaps to try to avoid being left in the populist dust of Linux. I just hope it doesn't adversely affect the quality of the software.
Not that Linux hasn't done wonders and that the high profile distros are doing anything "bad", of course. But I'd hate to see BSD suffer because everyone instantly associates open-source with Linux; and further associating Linux with Red Hat. I don't want to lose options because they're not as popular.
Any sufficiently advanced civilization is indistinguishable from Gods.
OpenBSD:
Three years without a remote hole in the default install!
Two years without a localhost hole in the default install!
RedHat:
Three weeks without a remote hole in the default install!
Two weeks without a localhost hole in the default install!
That's all I'm going to say.
Chaos, Mayhem, and Destruction: Not
The reductionist philosophy of OpenBSD has rubbed off on me as well. My dual boot machine contains RedHat Linux on one drive, and OpenBSD on the other. The Linux install is stripped down by most people's standards, but includes all sorts of bells and whistles like GNOME, AbiWord, Mozilla, etc., all fastidiously kept up to date with the latest versions.
Meanwhile, my OpenBSD install has the bare minimum - Blackbox WM, NEdit, DDD, Gimp and Communicator. The KISS philosophy that permeates OpenBSD really is infectious. The sparseness of a new OpenBSD install belies the extreme care that goes into what is there. The man pages are up to date and accurate, the tools are rock solid.
I really, really recommend looking into OpenBSD for development boxes as well as its usual server niche. My productivity has increased since the switch from Linux, as I get less of an urge to spend time compiling pre-release kernels and the latest GNOME tarballs. Instead I do that at home (hmmm, maybe I need to get out more
I disagree with the interpretation of the UpsideToday article's "Like craft brewers, de Raadt and the OpenBSD development team prefer to let the software age a little, offering only two updates per year."
Two updates per year at fairly predictable times is quite fast for operating systems. Also this contrasts with the philosophy of no guarantees whatsoever about when releases will be made, a philosophy that I believe has been demonstrated to result in the longest aged software, for no good reason.
Looking at OpenBSD's current changelog, they are at least testing almost all of the important recently released software such as GCC's and Perl's.
I think UpsideToday has it 180 degrees backwards. OpenBSD's fairly regular releases means that users will get inspected and verified packages faster than if they used another operating system where there is no set schedule. I think OpenBSD simply has better management in this respect because they have a disciplined schedule. They're releasing and updating at the fastest rate possible.
I use OpenBSD not because I necessarily like or agree with everything Theo has done that may be controversial over the years. I use OpenBSD because, all things considered, it's a damn good OS. The developers work hard with a primary goal of producing the best code, not just code-that-works-and-supports-latest-doohickey.
As I said in a previous OpenBSD thread, I don't care if the project lead eats children for breakfast and pushes old people out of wheelchairs for fun; if it works and I like it, I'll damn well use it.
"That's Tron. He fights for the Users."
I've emailed the story link to my PHB, who asked me to recommend what to use for a firewall. I wrote a report that concluded OpenBSD -- it's free, and it's good. Now he keeps asking me about various little "firewall" boxes where you plug the server into one end and the internet into the other and hope for the best. Any ideas of how to explain "You would pay more money for a less good thing"?
They've already tagged me as "that weird linux girl" so every non-microsoft solution I suggest gets nodded at and then pretty much ignored. I mean, you morons hired me to handle your technology, why oh why won't you listen?
Aarrrgh
People always whine about OpenBSD not having official ISO images available online. Think about it: If you are on a slow modem connection to the Internet, would you rather download a 650MB ISO image, or a custom created 100MB image that's exactly what you need? I thought so...Here's how to do it:
If you read the mkisofs man page, it's only a matter of setting up 2 options, one to point to the floppy disk image that you are going to boot from (for OpenBSD they are labeled *.fs, use cdrom26.fs for a CD) and then specify a _location_ destination for the boot.catalog.
So just set up the mkisofs like you would for any other CD, then use -b cdrom.fs and -c boot.catalog and you'll be fine. (the *.fs file path is relative to the other files). It couldn't be simpler.
Here's an example:
mkisofs -b cdrom26.fs -c boot.catalog -L -R -o openbsd.iso /path/to/openbsd/distribution/files
and cdrom26.fs is presumed to be at /path/to/openbsd/distribution/files/cdrom26.fs. (and yes there are other options, read the man page: http://www.openbsd.org's man page of mkisofs)
If people would quit complaining, they'd realize that it's BETTER this way, as you can create customized cdroms. I make -current CDROMs for x86 and put every package and licensed file on there. It's great...
Oh and here's how you burn it:
cdrecord -v speed=4 dev=/dev/cd0c driver=mmc_cdr openbsd.iso
The cdrecord options are for either ATAPI or SCSI since we unified the driver in 2.6.
Give 2.7 a try, it's wonderful!! And DO buy the CDROMs, they help the project in so many ways...
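The poster's mkisofs and cdrecord steps, wrapped in a small POSIX sh script as an added example (not code from the post or from the OpenBSD project). It checks that the boot image really sits under the distribution tree before building the command, which is the relative-path rule the post calls out; the script name, the --burn flag and /dev/cd0c as the default burner device are assumptions.

```shell
#!/bin/sh
# mkobsdcd.sh (hypothetical name): build a custom OpenBSD install ISO from a
# distribution tree and, on request, burn it. Dry run by default.

# Compose the mkisofs command. $1 = distribution directory, $2 = El Torito
# boot floppy image (path relative to $1, e.g. cdrom26.fs), $3 = output ISO.
build_iso_cmd() {
    dir=$1; bootfs=$2; out=$3
    [ -d "$dir" ] || { echo "no such directory: $dir" >&2; return 1; }
    # mkisofs resolves -b relative to the tree, so the image must be inside it.
    case $bootfs in /*) echo "boot image must be a relative path" >&2; return 1;; esac
    [ -f "$dir/$bootfs" ] || { echo "$bootfs not found under $dir" >&2; return 1; }
    # -b boot image, -c where the boot catalog is written inside the image,
    # -L keep leading dots, -R Rock Ridge so long file names survive.
    printf 'mkisofs -b %s -c boot.catalog -L -R -o %s %s\n' "$bootfs" "$out" "$dir"
}

# Compose the cdrecord command. $1 = ISO file, $2 = device (default /dev/cd0c,
# which the post uses for both ATAPI and SCSI on 2.6 and later).
burn_cmd() {
    iso=$1; dev=${2:-/dev/cd0c}
    [ -f "$iso" ] || { echo "no such ISO: $iso" >&2; return 1; }
    printf 'cdrecord -v speed=4 dev=%s driver=mmc_cdr %s\n' "$dev" "$iso"
}

# Usage: sh mkobsdcd.sh /path/to/distribution/files cdrom26.fs openbsd.iso [--burn]
if [ "$#" -ge 3 ]; then
    iso_cmd=$(build_iso_cmd "$1" "$2" "$3") || exit 1
    echo "$iso_cmd"
    if [ "$4" = "--burn" ]; then
        sh -c "$iso_cmd" && sh -c "$(burn_cmd "$3")"
    fi
fi
```

Without --burn the script only prints the two commands, so you can review the file list mkisofs will get before writing anything.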
Linux AFAIK only has one version, RedHat (although other versions known as "distros" exist, they are not 100% Official, like RedHat is).
The confusion about which BSD is the true "100% Official" BSD must be losing them users.
RedHat's 100% official RedHat site is at RedHat