OpenBSD 3.2 Available

fredrikv writes "Right on time, the files defining OpenBSD 3.2 have moved away from "snapshots" to the 3.2 directory of the OpenBSD mirrors. It is well known as the world's most secure operating system and now sports chroot'd Apache, fewer suid binaries, cool pictures for xdm-logins, a brilliant "antispoof" packet filtering rule and as usual includes lots of small updates and fixes. The files are there. What are you waiting for?"

Waiting for..

[Karamchand]

..legal official ISO images ;-)

Naah, just kidding. Everyone ought to order & buy her/his official OpenBSD CDs to support our favourite OS!

Re:Waiting for..

[penguin_punk]

"Naah, just kidding. Everyone ought to order & buy her/his official OpenBSD CDs to support our favourite OS!"

Yup. I've never used OpenBSD before, but I pre-ordered my cd when ./ last posted that this release was coming out of beta.

If all else fails, I'l lgo back to Win2K Advanced Server and I'll have some fancy blowfish stickers.

Wish me luck.

Re:Waiting for..

[nurb432]

How about just non-offical images? Then send in a couple of bucks to Theo.

Yes i realize you can isntall over the wire and then create an image, but not when you are on a slow link.

Re:Waiting for..

[Pinball+Wizard]

How does buying OpenBSD support Windows 2000?

Well for one thing, the packet filter has a feature that turns away Code Red(and similar malformed data/buffer overflow attacks) before they can harm your precious Windows machine.

In all likelyhood, an OpenBSD firewall will protect Windows machines from vulnerabilites that have yet to be exploited.

Re:Waiting for..

[BitHive]

Why do you need ISO images? I bought the CD for 2.5, but never used it. The boot floppy is all you need--I've installed OpenBSD in just a few minutes off the net over broadband.

Re:Waiting for..

[Shanep]

Yes i realize you can isntall over the wire and then create an image, but not when you are on a slow link.

Actually, I just finished downloading OpenBSD 3.2 for i386. It stopped while I was sleeping so it could have come faster if my 56k ISP didn't have a time limit for dial-up connections.

Just grab the i386 directory with "wget -cr ftp-or-http...", burn it to /3.2/i386/ as a bootable CD using cdrom32.fs as the boot image.

You now have an i386 bootable OpenBSD 3.2 CD with just a 121MB download. If you don't want a GUI, you could omit the downloading of anything that starts with x to make it an even smaller download (67MB).

You could download the system and kernel sources, ports and packages if you want too...

I just did it over 56k no problem. I still like to buy OpenBSD CD's though. Now I'm off to get macppc and mac68k (my CD will also be macppc bootable)...

Re:Waiting for..

[Shanep]

Forgot to mention. My favorite method is to copy my OpenBSD downloads to my iBook, served as http with Apache when required I do local network installs where ever I need to take it.

Network installs are really nice, and doing it with just a floppy over a fast internet connection is excellent too.

I love OpenBSD. It's so clean it's clinical. The only time my OpenBSD machines have down time is when I'm upgrading them to the latest releases or patches.

FreeBSD

[drxenos]

I've always been a fan of FreeBSD. How does OpenBSD compare?

Re:FreeBSD

[c13v3rm0nk3y]

I've always been a fan of FreeBSD. How does OpenBSD compare?

Try this link. There are a bunch of FAQs, some of them directly compare *BSD, Linux &etc.

Re:FreeBSD

[Karamchand]

According to the release notes there are "Over 1800 pre-built and tested packages".
Just FYI :-)

Re:FreeBSD

[CoolVibe]

Depends on what you want to do. FreeBSD is better suited as a workstation or a high-performance server. OpenBSD does great for bastion-hosts and firewalls.

Re:FreeBSD

[Ryvar]

Short Answer:
OpenBSD has less 'nice' functionality, slightly less performance tuning, and no SMP support.

On the other hand it has an extremely well-audited source tree (by largely the same developers as OpenSSH), SoftUpdates, the new systrace work, an excellent brand new packetfilter that has yet to fail to impress from either a security or speed standpoint . . .

OpenBSD isn't really so much the most secure OS in the world as it is in many situations the most secure OS on the x86. For most of us around here, that's probably close enough as makes no odds.

The last release (in a bug that affected the prior release as well) had an OpenSSH issue in the default installation that became the first remote compromise for the default installation in nearly 5 years of the operating system. Admittedly, most things are turned off by default (although I wish a few more - portmap, inetd). Because of this and a few other errata, 3.2 has been looked forward to for a long time.

To sum, you have a stripped-down no-nonsense OS with all of the unnecessary crap tossed out of the default installation and available as ports and packages to those that want it. The perfect OS for those who want a secure router, and/or single/few-function server. This isn't an appropriate choice if you need more than a commandline, really, and there's a fair amount of pride amongst the user community over that.

Re:FreeBSD

On the other hand it has an extremely well-audited source tree (by largely the same developers as OpenSSH), SoftUpdates,
FreeBSD has softupdates too.

Admittedly, most things are turned off by default (although I wish a few more - portmap, inetd)
portmap is turned off by default in OpenBSD 3.2.

The perfect OS for those who want a secure router, and/or single/few-function server.
my OpenBSD workstation runs the same apps i need to work as my linux workstation does, and that is quite a few apps, yes i do real work.

This isn't an appropriate choice if you need more than a commandline, really,
X works fine in OpenBSD and i bet most users who use OpenBSD use X on OpenBSD desktops and commandline on *all* their Unix servers, regardless of flavour (why should a dedicated webserver/firewall/database need X running?).

Re:FreeBSD

[Ryvar]

FreeBSD has softupdates too.
Ah, thanks. Wasn't aware of that.

portmap is turned off by default in OpenBSD 3.2.
Yeah, the previous poster mentioned. That's really cool.

X works fine in OpenBSD and i bet most users who use OpenBSD use X on OpenBSD desktops and commandline on *all* their Unix servers, regardless of flavour (why should a dedicated webserver/firewall/database need X running?).
I guess that was my point right there - FreeBSD, when I used it a while back, seemed more useful for a workstation. OpenBSD for an edge-of-network machine. But there's no saying each can't be the other, just that there are certain roles the developers seemed to focus on, that's all. Sorry if I ruffled any features.

Re:FreeBSD

[5foot2]

OpenBSD has always installed better for me as a desktop system than freebsd. Sound and apm on laptops has always worked out of the box, where as freebsd has given me some headaches. The lack of Mozilla on OpenBSD pisses me off, and the lack of SMP rules it out as a server choice on most of my production boxes. I also really hate the need for a local source tree and compilers to do errata updates. Sure I could build on another box and move stuff over, but what a pain in the ass. I'd love to see a secure binary updates system from Theo/OpenBSD.

Re:FreeBSD

[Telent]

To sum, you have a stripped down no-nonsense OS with all of the unnecessary crap tossed out of the default installation and available as ports and packages to those who want it. The perfect OS for those who want a secure router, and/or single/few-function server. This isn't an appropriate choice if you need more than a commandline, really, and there's a fair amount of pride amongst the user community over that.

Uhhhh... I hate to be rude, but what crack are you smoking?

"Few-function"? Right now, off the top of my head, I use OpenBSD for:

• POP3/IMAP4/SMTP mail
• FTP
• Samba backups for Windows clients at my place of employment
• Apache web server with PHP, Perl, CGI, FrontPage includes, and all those other nifty modules
• IRC server
• Firewall (NAT'ing)
• Router

This is all on my servers, both at my work and at my home. These do not even have a GUI installed... but if you want more than a command line, that has it, too. I mean, it's *really* difficult to install the x* .tgz bundles when you're installing, then configure your X server and install your favorite window manager from ports. Took me all of five minutes, last time I did it.

That brings me to my desktop. I use my computer for a lot of stuff. Mail, web surfing, 3D modelling, test compiles, image editing, HTML editing, writings (technical and otherwise), media playing (Flash, DVD's, mp3's, CD's), and much, much more. This computer, a PIII 850 laptop, runs single-boot OpenBSD 3.1-stable, soon to be 3.2 (after I write this post.) I use Enlightenment, and damn, but it *flies*.

No, if you need your hand held on every single little thing, or you're scared off by a text installer (which, by the way, is easier than any GUI installer I've ever used), then PLEASE stay away. But if you can handle changing a few of the ways you think, give OpenBSD a try as a desktop. You may just like it.

(And just as a data point, I started out with OpenBSD. My first *nix experience, except for a tiny bit of Red Hat several months before, which I *hated* - not flaming, just saying it wasn't for me. I managed to get to the point where I am with it without getting flamed on the lists once, and it's because when I have a problem, I RTFM and STFW. If you're capable of doing the same, it's a refreshing change from the other user communities.)

Re:FreeBSD

[CoolVibe]

If you don't like FreeBSD, but love OpenBSD, yet are miffed by some things of OpenBSD, why not got for NetBSD?

In my experience, NetBSD is very usable for desktop purposes. Also I use it for my routers/firewalls, partially because the NetBSD base install is so damn small.

Re:FreeBSD

[mindstrm]

OpenBSD has no policy routing, and it's firewalling code is not the greatest on earth.
Yes, for a while ipf was a bit ahead of the game.

Most use it because of the perception that it is secure. Well.. if you turn off all the services, which you should do anyway, linux is just as secure.

Re:FreeBSD

[Bishop]

OpenBSD is missing a stable Mozilla. For many workstations users this is a problem.

Re:FreeBSD

[Tet]

why should a dedicated webserver/firewall/database need X running?

Because Oracle, in their infinite wisdom, no longer support a text-mode install. Yes, you can use a response file, but it's a pain in the ass, and I don't think you can do the same for patches. Thus, none of my servers have X installed with the exception of the database machines (no, moving away from Oracle isn't a viable option at this point -- too many PL/SQL stored procedures, and not enough development resources to port them to anything else). I despise Oracle for this. It's a server for $deity's sake. It doesn't need X.

Re:FreeBSD

[Bishop]

This is what I *love* about OpenBSD: One OpenBSD user blasting another user for supporting OpenBSD, but mentioning some of the rough spots.

For the record: I am a big fan of OpenBSD.

Re:FreeBSD

[Shanep]

I've always been a fan of FreeBSD. How does OpenBSD compare?

The install is a very straight forward, no nonsense bare bones affair. My installs typically take on the order of 3 (THREE) minutes.

The file system, config files and man pages are very clean. The resulting install is very tidy and pretty small. From there you add packages to taste.

Re:FreeBSD

[evilviper]

FreeBSD is better suited as a workstation or a high-performance server.

Never understood why people say this... OpenBSD may not be madly porting every desktop app on earth, but it has most anything you could want.

For multimedia, Ogle & MPlayer are in the ports.
For a desktop, just about any Window Manager will compile out of the box.
The latest version of X is always available, and it compiles cleanly without any special steps. (Something that can't be said about FreeBSD)

The single thing I can think of is that FreeBSD supports more sound cards... Big Whoop. With OpenBSD, you don't need to load any modules, or anything like that. If your hardware is supported, it will be detected by the kernel and support loaded. If not, it will say it's not supported, and you can try another one. Far easier setup than ANY other OS.

Re:FreeBSD

[CoolVibe]

Does OpenBSD have a working DRI/DRM/GLX working? Guess not. FreeBSD's works a treat. Also, performance on FreeBSD is snappier, there's SMP support, ELF binary format, sane dynamic linking. All stuff OpenBSD does not (yet) have.

Nah, stick to FreeBSD for your desktop. OpenBSD might be secure and great for firewalls, bastion-hosts, but for a large multiple CPU server box, I rather use FreeBSD, Linux or Solaris.

Re:FreeBSD

[Bishop]

Mozilla may be there, but "stable Mozilla v1.1" is not.

Re:FreeBSD

Cool...when oh when will sendmail be turned off by default? I do not care if it is only listening to localhost, I want it turned off by default and I do not want to rely on a real mail server for logs to to be mailed to root.

Re:FreeBSD

[evilviper]

Does OpenBSD have a working DRI/DRM/GLX working? Guess not.

Guess again. I know FOR A FACT that GLX works just fine (glxinfo says so!). I didn't take the time to check the rest, but I'd certianly assume they are supported... Your insistance otherwise really doesn't mean anything to me at this point.

Also, performance on FreeBSD is snappier

What makes you say that? Don't know how to enable soft updates? Haven't used it in the past 2 years? OpenBSD's performance is great... I can't even guess what would make you believe otherwise.

ELF binary format

Since when does OpenBSD not support ELF? Maybe on Sparc up until recently, or another more obsecure platform...

All stuff OpenBSD does not (yet) have.

Your "facts" are blatantly wrong. Are you very sure you're not a troll?

Re:FreeBSD

[hdw]

OpenBSD is secure, stable and easy to maintain.
I use it for a lot of stuff:

at home, as firewalls, Wlan gateway, fileserver, software development, videograbbing and asorted stuff.

at my friends' and siblings' homes, as firewalls and gateways.

at small business, as firewalls, fileservers, proxies, apacheservers.

at the large telco that pays my salary, as firewalls, security gateways, proxies, MS-VPN servers, radius servers.
In short, I'm a dedicated OpenBSD fanatic, and I'm quite convinced that Theo can walk on water without getting his feet wet, or at least cross shallow ponds with only damp socks.

But this doesn't change the fact that there's several things stopping me from trying to replace the OS on every box I can find.

There's alot software that doesn't install and run clean on OpenBSD.

There's a lot of software that has to be cuddled with a bit before it works.

And from a maintain/support view there's a lot more people trained on various (GNU)/Linuxes, making it much easier (and cheaper) to hire support and contractors.

There's also the lack of stable SMP support, and the lack of support for less common hardware.
Will OpenBSD rule the world? No, I still se it a "targeted" product.
It doesn't promise world domination like Linux.
It doesn't promise maximum portability and support for obscure hardware like NetBSD.
It doesn't aim for maximum software support like FreeBSD.

It promises security and stability, and it delivers.

Re:FreeBSD

[CoolVibe]

[glx doesn't work snip]

Guess again. I know FOR A FACT that GLX works just fine (glxinfo says so!). I didn't take the time to check the rest, but I'd certianly assume they are supported... Your insistance otherwise really doesn't mean anything to me at this point.

On all ports? Linux has GLX working fine on my mac, for instance. I've also had success with NetBSD. OpenBSD wouldn't even run most of the desktop apps I usually run. Also, is direct rendering supported? Sure, you can have glx, but hardware accelerrated? For that you need DRM. Did you know that GLX falls back to software opengl when there's no hardware support?

Performance on FreeBSD is snappier simply because it just is. OpenBSD was never engineered or optimized for speed, only for anat-retentive security. FreeBSD has different design goals that will result in a speedier operating system. SUre, there might be a security advisory or two, but these are solved quickly. Oh, and there's the SMP issue of course, which you avoided. Workstations with multiple CPU's are getting more commonplace all the time. Heck, even I got one.

Also, ELF is something that is in OpenBSD current. Do you expect a end user to run a CVS version of OpenBSD?

You also neglected to interpret one of my answers correctly:

All stuff OpenBSD does not (yet) have

See that word between parentheses? You read over that, did you? Who's trolling who here?

I'm not saying that OpenBSD is absolute crap. It's just not as suitable as a workstation compared to the other BSD's out there.

What Am I Waiting For?

[Zech+Harvey]

Common Criteria certification so it can be just as secure as my Windows 2000 boxen!

Re: What Am I Waiting For?

[dex22]

I was sure he was joking, until I got to "Zech Harvey, MCSE", and now I'm filled with a dreadful uncertainty!

Re: What Am I Waiting For?

[Zech+Harvey]

I had added a to the end of the post, but forgot to set the message type to "Extrans." D'oh!

Re:What Am I Waiting For?

[liquidsin]

Well, it's only at version 3.2. I'm guessing version 3.3 would be like the third service pack of version 3, and it seems you can't get certified until SP3. I'm sure they'll get there soon enough.

Re:What Am I Waiting For?

[Zech+Harvey]

Master Gates, Don't hate me! I really like Windows! I do! I really believe in the power of the MCSE! I didn't just shell out a bunch of money for them to get my foot in the door to the businesses in my area! I promise I'll be good! Honest! It's not true! I don't run Linux at home! Don't find my lack of humor disturbing!!! (Sorry, slow day at work, I'm getting slap-happy)

Re:What Am I Waiting For?

[dazdaz]

That's not even funny, I don't know many industry leaders buy into the certification bull.

OpenBSD questions

1. What advantage does pf have over netfilter? Any links to performance comparisons between the two?
2. Are the fsn.hu isos kosher?

Re:OpenBSD questions

[Karamchand]

ad 1.) In this interview with pf developer Daniel Hartmeier he talks a bit about performance.

Re:OpenBSD questions

[BitHive]

Quoth Daniel Hartmeier, the author of pf:

To prevent attackers from tearing down connections, for instance with spoofed RSTs, the packet filter checks the sequence numbers in each TCP packet. Only the two peers involved in the connection (and the hops in between them) know the right sequence numbers, as initial sequence numbers are generated randomly (or should be, rather, but pf can also randomize sequence numbers for hosts that have predictable ISN generators).

The goal in sequence number comparison is to allow only a minimal window of values through. This is not as easy as it may appear from studying perfect examples of TCP connections. In reality, packets can get lost and are retransmitted, packets take different routes and may arrive in different order than they were sent, etc.

Guido's work shows how to keep lower and upper bounds on the sequence numbers given only the (incomplete) information the packet filter has, with a precision and beauty similar to the one you can find in a mathematic proof.

Well ..

[Mr_Silver]

The the files are there. What are you waiting for?

5:30pm, 8 pints of lager, one dodgy kebab and a chance to yet again make a piss poor attempt to chat the attractive barmaid up.

Well you did ask!

Re:Well ..

[SirSlud]

> to yet again make a piss poor attempt to chat the attractive barmaid up

barmaids get slashdotted by drunk guys every night. i recommend you search your neighbourhood for a mirror so you can have all the bandwidth to yourself.

Re:Well ..

[$rtbl_this]

...i recommend you search your neighbourhood for a mirror...

Surely this would only work if you were a hopeless narcissist.

Re:Well ..

[Snowdog668]

Oh, you've met the drummer for my band... :)

Re:Well ..

[Dr.+Smeegee]

Oh Bytor668 me!
</rush humour>

Re:Well ..

[warpSpeed]

and don't forget your Palm!

Re:Well ..

[Goldberg's+Pants]

Or maybe a masochist?

Nice Chris Morris sig BTW.

Re:Well ..

[$rtbl_this]

Many bonus points for being the first person to spot the reference. I thought I was being willfully obscure. :)

Re:Well ..

[Goldberg's+Pants]

VERY obscure. (I'm a Brit, living in Canada for the last 6 years, but courtesy of MP3 I have every episode of BJ.) Took a couple of seconds to come to mind how I knew it. Great line.

Well, I'm waiting for a downloadable iso

[Hairy_Potter]

and I think I'm going to be waiting a long time.

Re:Well, I'm waiting for a downloadable iso

[LordHunter317]

Download the sources. Burn on a CD. There you go.

IF oyu want it bootable, that's also fairly easy to pull off as well. Just have it boot to the floppy image.

Otherwise, buy a CD.. we need the money.

Re:Well, I'm waiting for a downloadable iso

you could probably find one that someone hand-rolled and put up for download, but you'd be a moron to trust it.

Re:Well, I'm waiting for a downloadable iso

[Richard_at_work]

Already have 10 copies on order :)

Re:Well, I'm waiting for a downloadable iso

[Corporate+Troll]

Why 10 copies? I have one in order, and donated some money instead (I just rounded up to 100Euro). That's better for the project, because they don't have the costs of pressing CD's. Well that's what I think..

Re:Well, I'm waiting for a downloadable iso

[Richard_at_work]

So i can pass on the cds. If i just buy one copy and donate money, then i cant spread the cds around can i? (what with the cd layout being copyrighted, rightly so)

Re:Well, I'm waiting for a downloadable iso

[Corporate+Troll]

Sorry, I didn't expect you to give them away. That of course makes sense, since you cannot copy the CD because of copyright. Since I only have two machines running OpenBSD and know nobody around here who runs and BSD except me I was just assuming that you bought them for yourself.
My fault sorry... Well, donating has a nice sideeffect for vanity because you get mentioned on the Donations Page. Whooohooo!
That said, I recently installed OpenBSD on a machine I had lying around and wanted 3.2, so I did a network install. Works great too, provided you have the bandwidth. So, no need for ISO's if you want to learn OpenBSD (as I saw people complaining about in other posts).

Re:Well, I'm waiting for a downloadable iso

[Richard_at_work]

Yes this is true, tho as i do quite a few installs in buisnesses, i tend to feel a lot more secure in having a fairly up to date physical install media to hand jsut in case i dont have a high bandwidth connection. Plus with 3.1 you got decent stickers, which i know i enjoyed :)

The other reason i purchase a cd rather than download a iso made by someone is it seems to me to be rather a wierd thing to do. Go for a secure distro, then download a iso from someone you have never met, dont know how they are connected with teh team and therefor can be adding god knows what to the install. So peeps, either do a net install, or buy the cds. Please :)

Re:Well, I'm waiting for a downloadable iso

[kyrre]

>since you cannot copy the CD because of copyright.

Please excuse my ignorance. What is this all about? Copyright? Since when was OpenBSD not free?

Re:Well, I'm waiting for a downloadable iso

[Eirik+Seim]

The CD layout is copyrighted by Theo, in order to make some money. Nothing that prevents anyone from creating their own cd, and distribute freely, of cause.

It's a bit weird, the only software I've ever paid for is free :)

Re:Well, I'm waiting for a downloadable iso

[Corporate+Troll]

It's a bit weird, the only software I've ever paid for is free :)
Me too...and honestly, I like it... It gives this warm fuzzy feeling of contributing to something without having to be a guru-coder.
And thanx for explaining the copyright issue to that other poster. :-)

Re:Well, I'm waiting for a downloadable iso

[LooseChanj]

I'd tell you how to make one, but then I'd have to kill you.

I'm waiting

[swillden]

What are you waiting for?

Ummm... a Linux port?

Re:I'm waiting

[questionlp]

Maybe not quite what you are looking for, but there is the infamous Linux Compatibility mode for OpenBSD (as well as FreeBSD and NetBSD) that will allow you to run many Linux applications. OpenBSD also supports the Ext2 file system (again, same with FreeBSD and most likely NetBSD).

Say wha?

[PhysicsScholar]

The the files are there.

I guess the Slashdot outage over the past 10 minutes or so was due to the installation of Apache mod_stutter.

Re:Say wha?

[jmu1]

I'm not quite sure, but i do know that sprint's connection to uunet in atlanta was starting to get banged on pretty hard. Here's a link i use daily to check connections: link

If you're in the SE US you might have had a bit if difficulty getting through. Then again... they did just move.

Where are the background pictures?

[Otter]

cool pictures for xdm-logins...What are you waiting for?

Someone to provide a direct link to the xdm backgrounds so I can use them on my Linux systems.

Actually, I didn't wait and started trawling through their FTP archive looking for them before deciding that was a) selfish and b) stupid. At least I had enough sense not to download XFree hoping they were in there and not in a separate artwork package...

Re:Where are the background pictures?

[Geekboy(Wizard)]

Nope, they are embedded in the source for XF4. You have to run OpenBSD to see them. (Hint: they are #ifdef'ed)

Re:Where are the background pictures?

[dohcvtec]

IIRC, the custom xdm stuff is in xshare.tgz, so you could download xshare.tgz, extract that, and the custom files are somewhere under /etc/X11 (/etc/X11/xdm, maybe? I'm going off of memory) The OpenBSD .tgzs extract to a relative path, so you could extract the tgz in your home directory, find the files you need, and copy them to wherever your Linux distribution wants them.

Re:Where are the background pictures?

[Otter]

Damn, I'd thought he was joking about them being in the source.

Re:Where are the background pictures?

[nemo]

If they're not using XDM themes, then I want to know why not.

That XDM themes seems to have stalled just before 2.0 release is irrelevant!

(Yes, it's a .cx domain. No, it's not what you think it is. Judge all .com by microsoft.com do you?)

Threading issues resolved?

[Jack+Wagner]

Does anyone know if they have the threading issues resolved with the kernel scheduler yet?

Tha last time I worked on any BSD code they were still having some low level race conditions occuring where the kernel scheduler would actually hit two proccesses at the same time which made it look like the program had some mutex corruption when it was actually a problem with the kernel and the semaphores they use to map memory for threads.

Granted if you're only using it as a workstation you'll never see it happen as it only happened under load but I found my clients were forced to move to a commercial Unix (I still recommend Sun) as they were the only products on the market able to handle enterprise type server loads with non-trivial applications. (okay, wer're talking n-tier Olog(n) cluster nodes which is very demanding but still...)

Warmest regards,
--Jack

Re:Threading issues resolved?

I'm not sure I understood all of your complaint. What do you mean about two processes being hit at the same time? Is it possible to observe this on uniprocessor machines?

In any case, I seriously doubt that Solaris is any less vulnerable to such a problem than BSD. The people at Sun may work hard on their scheduling algorithm, but the BSD scheduler was written by Steve Woston himself, and is probably the best in the world.

Re:Threading issues resolved?

[CoolVibe]

Tha last time I worked on any BSD code they were still having some low level race conditions...

How long was that ago? I have never noticed any behaviour like that on the FreeBSD servers I put up. Oh, and one FreeBSD server I had set up once had around 50,000 simultaneous connections going to it, and it didn't flinch.

If it still has problems of the nature you describe, instead of fretting about it, you could send a PR, so the developers can fix it.

Re:Threading issues resolved?

[frantzen]

ummm.. OpenBSD doesn't support MP.

Re:Threading issues resolved?

[kriston]

Umm, threading != MP.

Kris

Re:Threading issues resolved?

[NighthawkFoo]

Are you planning on fixing the link to your consulting web site? It doesn't seem to exist.

Re:Threading issues resolved?

[cheezedawg]

Without MP, his claim that the kernel was "hitting two processes at the same time" doesn't make any sense.

Re:Threading issues resolved?

[Goldberg's+Pants]

I'm sure he's deeply upset.

You just made my friends list.

Re:Too bad

[DrQu+xum]

Gee, too bad OS X doesn't run on my old Sparc Classic X.

And to answer the question "If you run a Sparc, why not NetBSD or Linux?":

1. I like the Ports Collection.
2. The last semi-up-to-date and half-decent Linux I've seen for Sparc32 was SuSE 7.3.

It's good, but not that good

[ryanvm]

It is well known as the world's most secure operating system

Whoa, partner. Sure OpenBSD is designed with security in mind, and as far as the BSDs go (which are generally pretty secure in their own right), it's probably the tightest. But it's quite a leap to say that OpenBSD is the most secure operating system in the entire world.

I don't know which OS would get that "award". But I'd have to believe that it'd be something obscure like a tiny, embedded, OS the NSA uses in their crypto equipment or some such.

Re:It's good, but not that good

[glenmark]

I don't know which OS would get that "award". But I'd have to believe that it'd be something obscure like a tiny, embedded, OS the NSA uses in their crypto equipment or some such.

An embedded OS, especially if it has no networking, sure. For general purpose operating system that actually communicate with the outside world, my vote would have to be OpenVMS. So secure it makes even OpenBSD look as leaky as cheesecloth... (Buffer overflow exploits? No such thing in VMS.)

Re:It's good, but not that good

[c13v3rm0nk3y]

Actually, chunks of OpenBSD have made it into embedded security devices. I don't have the link handy, but the details are on OpenBSD.org.

Re:It's good, but not that good

[kobaz]

Just curious, where can I find info on how OpenVMS is designed to prevent buffer overflow exploits.

Re:It's good, but not that good

[LordHunter317]

Bullcrap. We just had to put in a patch to cover a buffer overflow/memory leak issue in UCX For OpenVMS. We know it caused buffer overflow issues becuase we could bomb Sybase sending it large amounts of data. Now there may be no OS-level overflows, but your statment is just ludicris. Our code is one walking buffer-overflow. Kernel != System, and just because the kernel is secure doesn't mean the system is.

Otherwise, I tend to agree, but OpenVMS is bi*ch to configure.

Re:It's good, but not that good

[glenmark]

Sure, app level buffer overflows can occur (if for example, the programmer uses null-terminated strings instead of descriptors, a necessary evil for implementing most Internet protocols), but the overflowing data does not get executed, nor does it get written to an area for which the application has no privs.

Re:It's good, but not that good

[glenmark]

VMS is architected such that overflowing data cannot be executed (i.e. doesn't get passed along to the shell). As far as the kernel level code itself is concerned, overflows don't occur in the first place due to the universal use of descriptors to pass data to system-level calls.

The complete OpenVMS doc set is available on the web from a link at http://www.openvms.compaq.com. There are also several good books on OpenVMS internals, with links to info on them available at the same place.

Re:It's good, but not that good

[glenmark]

Reference please? I remember mention a few weeks ago of a flaw related to the pop3 executable being installed with too many privs, giving anyone who executes it from the command line the option to willy-nilly overwrite any file with its log file. Config issue. Not a buffer overflow exploit.

Re:It's good, but not that good

[octogen]

(Buffer overflow exploits? No such thing in VMS.)

Ok, so you believe, programs are absolutely immune against buffer overflow exploits on OpenVMS?

Then I'll show you a simple example of a buffer overflow exploit on OpenVMS/Alpha.

---

The victim program compares a user-supplied password with a password stored inside a file.

I wasn't able to include the source code, because I always get errors like "Your comment has too few characters per line (currently 24.5)." if I do.
Email me, if you'd like to get the complete source code, and I'll send it back to you.

$ cc vmshackme.c;1

strcpy(l_input, input); .^
%CC-I-IMPLICITFUNC, In this statement, the identifier "strcpy" is implicitly declared as a function.
at line number 66 in file $DKA100:[USERS.OCTOGEN]VMSHACKME.C;1

if (strncmp(l_input, l_pass, _max_pwd_len) == 0) .....^
%CC-I-IMPLICITFUNC, In this statement, the identifier "strncmp" is implicitly declared as a function.
at line number 68 in file $DKA100:[USERS.OCTOGEN]VMSHACKME.C;1
$ link vmshackme.obj;1
$ type pass.pwd;1
openvms
$ run vmshackme
openvms
Password correct
$ run vmshackme
os400
Wrong password, try again.
$

-----

The program works, as you can see.

Now I'll type in a bit too much:

$ run vmshackme
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
Pass word correct
$

-----

What I'm exploiting here is nothing else than a simple example of a buffer overflow.

Even if you can't execute arbitrary code (and I'm quite sure you can do that, too!), you can still damage data structures, data pointers, numeric values like buffer offsets and many other things - so there are a lot of possibilities left for exploiting a buffer overflow vulnerability.
AS/400s have hardware protection for system pointers, so they are even more secure than OpenVMS. But even on AS/400s you can still damage space pointers, and I'm quite sure, this example program would even work on an AS/400.
It might not be possible to execute arbitrary code on an AS/400, but you can still damage many things by exploiting buffer overflows.

---

regards,
octogen

Re:It's good, but not that good

[glenmark]

I didn't say that buffer overflows can't happen (except with system calls), but that buffer overflow exploits don't happen. The example you showed will not permit unauthorized code access (unless you plan on using it as a poorly written telnet deamon or such and completely bypassing SYSUAF for authentication), nor does it allow arbitrary execution of overflowing code.

Re:It's good, but not that good

[PapaZit]

NetBSD is (as far as I know) the ONLY one of the BSDs that ships with NO open services in the default install.

Y'know how OpenBSD used to brag about "X years without a remote root exploit in the default install"? These days, it's NetBSD that carries the "longest since remote root in default" banner, and they'll continue to have it (though they're a bit to understated to brag about it) until OpenBSD turns off incoming SSH and RPC.

Think that's a silly argument? Check your nearest OpenBSD box. Is it running RPC? Does it need to be? Isn't "turn off unnecessary services" one of the fundamentals of securing a box?

Re:It's good, but not that good

[mindstrm]

Not to mention that OpenBSd allows remote root login via ssh... something that has traditionally been verbotten.

Re:It's good, but not that good

[octogen]

VMS is architected such that overflowing data cannot be executed

The same is true for Solaris/SPARC, if you configure it correctly.

You don't need to execute overflowing data, it can even be enough only to change a function pointer, and the program would run some code which was already there before the overflow occurred.

This code would be executable, because it's simply a part of the running program or of a library used by the running program.

Just changing some piece of data which gets passed to a system call can also be enough to break security.

From a technical point of view, applications on OpenVMS are just as vulnerable to buffer overflow exploits as applications on Solaris/SPARC (with noexec_user_stack set to 1).

On both OSs you can't execute overflowing data.

But on both OSs you can (sometimes) circumvent this sort of protection.

Re:It's good, but not that good

[octogen]

The example you showed will not permit unauthorized code access

On my harddisk I have got another example that shows, how an attacker can fool the program into executing a portion of its code, that would normally never be executed, by exploiting a buffer overflow vulnerability.

It is more difficult for an attacker to exploit buffer overflows on VMS than it is on OpenBSD/Intel, but it's not impossible.

VMS' protection from buffer overflow exploits has similar strenghts and weaknesses as Solaris/SPARC's protection mechanisms.
On both platforms you can't execute overflowing data, but you still can play around with existing code - and that's really enough to break the security of either an important application (like a webserver, database,...) or even the whole operating system, if the application has too much privileges.

Protection against buffer overflows does not make a difference between Solaris and VMS. Security mechanisms like least-privilege, compartmentalization are the things, that make the difference. And regarding these things, Trusted Solaris is cleary far superior to SE-VMS.

Re:It's good, but not that good

[oh]

I'm not a VMX expert, but UCX is basically TCP/IP for VMS. I don't know if it uncludes the IP stack, but the FTP and TELNET deamons are part of the UCX package.

You might not be able to overwire kernel space, but as the application has access to multiple user accounts, you hardly need to. Why hack the kernel to get what you want, when you can trick ftpd to downloading it for you when some one with the appropriate privs log in.

Re:It's good, but not that good

[TheReverend]

oops. posting to remove moderation mistake. ignore this.

Re:*BSD

[einer]

In addition to this I was wondering if anyone knew how well the different J2EE containers ran under this BSD? Long ago (18 months, or a generation in IT time) I heard stories that java was not very well supported. Since my OS needs have evolved, I am now looking for a simple, secure and fairly modern operating system that isn't Linux (not that I have a problem with it, just broadening my horizons a bit).

security

[MoceanWorker]

It is well known as the world's most secure operating system

That is true.. if you do a default installation and make absolutely no change to any of the services that come installed with it.. that's why it was secure for 4 something years.. but they didn't mention that if you had an old BIND version at the time it would still be "secure" :-)

Re:security

[c13v3rm0nk3y]

It's pretty common to run a few releases back on important and complex daemons like BIND, or Sendmail.

There is little value in going to BIND 8 or 9 if it has not been audited by the OBSD team first. BIND 4 is well understood and the faults, warts and bugs are well-known. BIND 8 is still new enough that it is considered an unknown.

This is one of the downsides (if you consider it a downsid) of trying to be "secure by design".

Of course, OBSD is free, as in beer and as in speech. This means you can run a parallel box with BIND 8 or 9 (or whatever) yourelf until you deem it safe. The responsibility is now yours to maintain security on that chunk of the OS, but everything is a trade-off, especially in host security.

BIND 8/9 will eventually make it into a future release. 99% of us do not need it, however, and so having a well-known and secure BIND 4 implementation has more value for the rest of us.

Re:security

[Brainchild]

BIND 8/9 will eventually make it into a future release. 99% of us do not need it, however, and so having a well-known and secure BIND 4 implementation has more value for the rest of us.

And a few of us don't care what version of BIND ships with the operating system, because we immediatly chuck it and use djbdns instead, which generally suffers only from D.J. Bernstein's infamous Spartanism rather than from the incredibly baroque design flaws of BIND.

Re:security

[c13v3rm0nk3y]

a few of us don't care what version of BIND ships with the operating system, because we immediatly chuck it and use djbdns [cr.yp.to] instead

Amen to that. Between that and choosing postfix instead of sendmail, my new mantra is "simplifiy, simplify, simplify".

Re:security

[__past__]

And a few of us don't care what version of BIND ships with the operating system, because we immediatly chuck it and use djbdns instead,

Yes, but there are others who insist on using only free software for critical services.

I don't think so....

[Dr_DTHP]

>[OpenBSD is] the world's most secure operating system

Hear that sound? It's the VMS users (all 8 of them, currently, unless Fred's VAX killed his mains power again and he switched to OSX) choking on their lunches in laughter.

Re:I don't think so....

[c13v3rm0nk3y]

Hear that sound? It's the VMS users ... choking on their lunches in laughter

I thought "security by obscurity" didn't count ;)

Re:I don't think so....

[MAXOMENOS]

What you don't hear is the thousands of OS/400 users quietly chuckling to themselves. "Kids..."

Re:I don't think so....

[R.Caley]

[OpenBSD is] the world's most secure operating system

It's well known that MSDOS is the world's most secure operating system.

No network access and so completely secure from remote break in, and if anyone breaks in from the console there is bugger all they can break and no one cases what they do anyway.

Security by obsolescence.

Re:I don't think so....

[glenmark]

Obscurity? Funny, I have the OS listings around here somewhere....

Re:I don't think so....

[Evil-G]

if anyone breaks in from the console there is bugger all they can break

what about:

C:\>format c:

to break it? On another note, i would be devastated if anyone broke my msdos machine, as some games just dont seem to work proerly under anything else.

Re:I don't think so....

[R.Caley]

[if anyone breaks in from the console there is bugger all they can break]

what about:
C:\>format c:

That would be an upgrade.

Re:*BSD

[c13v3rm0nk3y]

...is OpenBSD recommended as an internet server over all of the other distros?

Depends who you talk to ;)

A good place to start is here, to find out what the intentions of the OBSD project are. Then check out the OpenBSD Journal to see what people do with it.

My two cents: OBSD really shines as a secure inet server. Things like httpd, sshd, firewalling, bridging, routing. People do use it as a desktop, but IMHO it is not as desktop-friendly as FreeBSD. *shrug* I run it basically headless, as does everyone I know.

Then again, a cutting-edge desktop system is not a primary concern of the OBSD project.

*ahem*, not quite

[naasking]

It is well known as the world's most secure operating system

Let's rephrase that as, "It is well known as the world's most secure UNIX operating system." Otherwise it's not true.

Re:*BSD

[c13v3rm0nk3y]

Java 1.3 is not "production" ready on any BSD, AFAIK. I've looked into this quite a bit, and even ported an app to FreeBSD.

They have recently been blessed by Sun to provide a native version of the JDK (the previous versions ran in linux_compat mode), but it is not considered production-ready by the developers.

Our customer threw caution to the wind, and has been running our app for a year or so now on FreeBSD. So far, so good. We _did_ QA it. Sheesh.

OpenBSD Java support is still (again, AFAIK)) a tweakers domain. If you need official J2EE, go with Linux (or one of those "others").

OpenBSD 3.2 release

[possible]

Here's a mirror of the official release announcement. Lots of cool new stuff in this release...among them:

• ELF for Sparc
• Non executable stack on many architectures (including x86), non executable heap on many architectures
• More support for hardware crypto accelerators
• Apache runs chrooted by default (if you want)
• systrace

Re:OpenBSD 3.2 release

[cant_get_a_good_nick]

Non executable stack on many architectures (including x86), non executable heap on many architectures

Not to troll (well, not much anyway) but interesting to see this here when Linus was adamant about not getting this into Linux, the whole false sense of security thing. Has this changed in Linux? I've heard of stack smashes, never a head attack. I wonder how common these are.

Re:OpenBSD 3.2 release

[Bishop]

I thought that the openSSH vulnerability was heap based. Maybe I am wrong. Heap attacks are more rare then stack smashing thouhg.

Re:Too bad

[rmadmin]

Good question. I'm finding it hard to decide on an OS for my old sparc32's. Solaris 2.6 seems to run fast, but I fear the security. I've ran Obsd 3.1 on it, and even with 320 meg of ram, its still quite slow. Redhat 6.2 is out of date. Debian I'm just not fond of (sorry, I'm a slack person). Slack quit devel, and someone picked it up with Splack, which is still beta, and well, has problems. SuSE? Never ran it, don't want to, MDK? See SuSE. I haven't tried NetBSD, maybe I'll give that a shot next. Anyone got any other suggestions? (And no, I'm not going to try to compile Gentoo on my poor ole sparc.)

Good to see

[greygent]

Good to see, there are several facets of it that I absolutely love.

Now only if they could speed up the network and disk I/O to the levels of FreeBSD. Oh, and SMP would be great, too, but according to the OpenBSD developers, that's not a hot project of theirs.

So until then, I still keep a watchful eye, and a PC in the closet where it belongs with the latest version installed as a toy to play around with.

Re:what happened?

[grub]

..when the holes in OpenSSH and -SSL were found.


The OpenBSD folks do make OpenSSH but not OpenSSL.

Re:what happened?

[Geekboy(Wizard)]

For a while there I wasn't sure they'd ever get another release out

Every 6 months, right on schedual. There was a release last May, one last December, the June before that, December before that, etc, etc, etc.

What are you waiting for?

> What are you waiting for?

SMP Support.

Re:What are you waiting for?

[__past__]

>> What are you waiting for? >SMP Support. Native Java.

New songs too...

[millert]

The 3.2 song is available via ftp from:
ftp://ftp.openbsd.org/pub/OpenBSD/songs/
ftp://ftp.usa.openbsd.org/pub/OpenBSD/songs/

(other mirrors have not caught up yet)

The lyrics are available from:
http://www.openbsd.org/lyrics.html#32

Most Secure OS

[SirGeek]

According to this article the most secure OS were SCO Unix, Mac OS and Tru 64.

Re:Most Secure OS

[aridhol]

I looked at that article, and couldn't find any real numbers in it. They grouped the *BSDs together, so you can't tell where OpenBSD fit, but probably a small fraction of the 9% for BSD in general.

Re:Most Secure OS

[jfedor]

According to this article [mi2g.com] the most secure OS were SCO Unix, Mac OS and Tru 64.

That depends on what you mean by most secure. For me it's very important how fast they fix the bugs. And remote holes are much more important than local ones (I don't have local users I don't trust).

-jfedor

Re:Most Secure OS

[unFKNreal]

"According to this article [mi2g.com] the most secure OS were SCO Unix, Mac OS and Tru 64."

According to that article, "BSD" is a single OS, and you apparently ignore the fact that the recent MacOS's are based upon BSD.

Re:Most Secure OS

[TheOneEyedMan]

But they don't weight the percentages by number of users.
"Most of the known software vulnerabilities announced in 2002 affected Microsoft Windows (44%) followed by Linux (19%), BSD (9%) and Sun Solaris (7%). By comparison only 0.5% of the vulnerabilities announced in 2002 affected SCO Unix, and 1.9% affected Mac OS and Compaq Tru64 systems respectively."

It might be that no one is noticing mac or BSD flaws beacuse many fewer people care. A straight line weighting doesn't make sense either. We should expect a diminishing marginal return on eyeballs. The point is that this overstates Linux and Windows bugs and understates the others(actually I don't know usage rates on Linux but I assume it is the third most used OS.)

Re:Most Secure OS

I don't have local users I don't trust

you have users you can trust? god, do i want your job.

my users can't be trusted to follow the simplest directions. EVERYTHING better be automatic and iron-clad or they will find a way to break it.

Re:Most Secure OS

[Daleks]

This pattern is mirrored by the overt digital attack data collected for 2002, which demonstrates this has been the worst year on record with 57,977 attacks having already taken place. The most attacked operating system in 2002 has been Microsoft Windows with 31,431 attacks (54%) followed by Linux with 17,218 attacks (30%), BSD (6%) and Solaris (5%). Apple Mac's OS suffered only 31 overt digital attacks, ie, 0.05% of all attacks in 2002 although Apple Mac has roughly 3% of the world's computer market share. SCO Unix suffered 165 digital attacks (0.2%) and Compaq Tru64 suffered 10 attacks (0.02%).

The above uses attacks per overall attacks as the rating for the OS. What should be done is OS specific attacks per installed machines running the particular OS.

MA -- machine attacks
TA -- total attacks
MI -- machines installed
TI -- total installed

The article gives MA/TA, but we want MA/MI. MA/MI gives the vulnerability of a particular OS seperated from the quantity of attacks. I don't know the total number of installed computers, but say it's 10,000,000. Then the MA/MI for Mac's is:

10,000,000 * 0.03 = 300,000
31/300,000 = 0.000103

So about 0.0103%. By contract look at the Windows numbers. Suppose Windows has 75% market share.

10,000,000 * 0.75 = 7,500,000
31,431/7,500,000 = 0.0041908

So about 0.41908%. These numbers show what percentage of installed machines will be affected instead of what portion of all attacks they represent. Another way to think about it is say you have 1 machine running CrappyOS and that machine is attacked. It will only represent 1/57,978 hacks performed in 2002. By contrast MA/MI will be 100%, meaning that every single machine running CrappyOS was hacked.

Numbers don't lie, people do.

Re:Most Secure OS

[styrotech]

According to this article the most secure OS were SCO Unix, Mac OS and Tru 64

I would've thought that based on the number of reported vulnerabilities in the last year (ie the flawed evaluation in the article), Windows 3.1 could also be regarded as one of the most secure OSes.

MacOS (pre X) didn't have any services that listened on TCP/IP, and the other two don't have anybody trying to crack them anymore (or fix them for that matter).

Re:what happened?

[LordHunter317]

The OpenSSL holes have nothing to do with OpenBSD, they are built by a seperate team. 3rd party auditing of the source (which is what OpenBSD does for stuff it doesn't directly develop) won't find everything.

The OpenSSH hole was to be expected, and was long past due. No software is perfect, this just proves it. Face the facs, it'll happening sooner or later.

I don't see what you mean what gee-whiz hardware. Hardware support is still pretty far down on the list, and even my new system is about 80%% supported at best. Security is still the critical issues, but the development teams is humans, and humans miss things.

Flashy features? Again the same thing. The reason I use OpenBSD is because it isn't so darn flashy. That and it just runs.

Path to shame? I think the 3.0 series has been the best yet, and the most innovative. I think it will continue to be too.

Re:what happened?

[c13v3rm0nk3y]

For a while there I wasn't sure they'd ever get another release out...

This puzzled me. I've been running an OBSD router since 2.6 (and we've been running it at work since 2.8). The releases have been coming out pretty much every 6 months, haven't they?

I upgrade about once a year, so I often skip releases, but I think they've only missed the release dates a few times, and only by a week or so.

Bugs will be found, which (of course) is the point of the OBSD project. I just don't see any shame in that. Lot's of organizations get compromised. The real test is how the organization reacts and recovers.

*shrug* From my POV, the releases have been getting better and better. I can't imagine running anything else as an edge box.

Of course, I may be wrong. Even openbsd.org runs Solaris!

And there's a new song, too

[jfedor]

ftp://ftp.openbsd.org/pub/OpenBSD/songs/song32.ogg (please use a mirror)

This time it's a Bond-movie theme, which matches the new logo.

-jfedor

Official 3.2 CD and Poster available too

As for the OpenBSD project, there are some nice 3.2 goodies you can order them now

Support the OpenBSD developers by getting a
3.2 CD $40 or for Europe EUR 45

The new new 3.2 poster is very nice too, get it for
$10 US or EUR 14 in Europe The European size is 70x100 cm

Platforms

[hearingaid]

Other comments have mentioned the security/performance tradeoff, so I won't go into that.

Part of the difference with OpenBSD is that it runs on way more platforms than FreeBSD does. It's not as many as NetBSD (its parent) but it's a lot closer to NetBSD than FreeBSD.

Still won't boot above 8 Gig

[LM741N]

I've been wanting to install OpenBSD on my laptop but it seems like its the only OS that can't have its boot loader above 8Gig on the HD. This is a major shortcoming as far as I am concerned.

Re:Still won't boot above 8 Gig

[c13v3rm0nk3y]

Well, this is a hardship only because you want to dual-boot, I'm guessing. Otherwise, you just partition and mount so that / is on the first 8Gb slice.

There are third-party boot managers that do magic to allow booting to happen from almost anywhere, for almost any OS. I don't know if it works with OBSD or not.

I've only run OBSD stand-alone on headless edge boxes, so I've never worried my pretty little head about the 8Gb limit. I'm assuming most folks who pay for the CDs every 6 months or so feel the same way. Well, that and the stickers. The stickers rule.

Re:Still won't boot above 8 Gig

[LM741N]

Hi,

No, OpenBSD is unique. You have to plan for OpenBSD before you ever install a multiboot machine. The only way to get it to work is to put a small boot partitiion near the beginning of the disk. Unfortunately, thats not how most people end up installing OS's. First Windows, then Linux or something, then another OS, sequentially installed over time. I'd like to try OpenBSD, but I've put so much time into getting my -stable and -current FreeBSD partitions right, that I just can't redo the whole computer.

Re:Still won't boot above 8 Gig

[Geekboy(Wizard)]

3rd party tools let you boot above 8G. There is experimental code that will let you boot above 8G, but there aren't enough testers avaliable.

I'm just glad...

[Mark_Hopkins]

I'm just glad I was able to pull a copy off the usa mirror before the announcement made it to slashdot. :o}

-Mark

Re:I'm just glad...

[Mark_Hopkins]

Because my employer would fire me....

-Mark

Re:what happened?

[aridhol]

Of course, I may be wrong. Even openbsd.org runs Solaris!

If you read their FAQ, you'll see that the reason they run Solaris is bandwidth. OpenBSD.org gets their bandwidth by running on SunSite at the University of Alberta. They don't control their own server.

Re:what happened?

[Jeppe+Salvesen]

They are pretty vocal about all their code audits, but the buffer overflow in OpenSSL should have been detected using grep.

Re:Minimum hardware requirements?

[fmbraga]

You'll need at least 32MB if you will install OpenBSD. Could be 16MB, but you'll have to turn swap on during install, as the Installation Guide will tell you.

Just be careful to read it, and you'll be running OpenBSD in less than 20 minutes.

Re:Too bad

[glenstar]

I've ran Obsd 3.1 on it, and even with 320 meg of ram, its still quite slow...

??????

What in the name of all that is holy are you running to make OpenBSD run "slowly" on a Sparc (even an old Sparc2 or even IPC) with 320MB? Although I prefer NetBSD over OpenBSD, they tend to both be *very* fast and lean.

Can you fill us in... I am very curious.

New PF syntax info

[sedawkgrep]

Does anybody have a link to the description and uses of the improvements made to pf?

The complete 3.2 errata has numerous mentions of improvements, including antispoof and better handling of inappropriate/nonsensical statements. A more thorough explanation is what I'm hoping to find.

Thanks!
sedawkgrep

Re:New PF syntax info

[cant_get_a_good_nick]

From the openbsd man pages:
pf.conf(5)
pfctl(8)
pf(4)

Re:what happened?

[c13v3rm0nk3y]

It was an attempt at humour. I've read the FAQ on this.

6 months

[azimir]

6 Months,

Every 6 months there is an OpenBSD release.
Every time they add .1 to the release number.
It is a simple as that.

yes, we need SMP

[mainmain]

BSD is great, but it's just not going to make inroads into the server market without SMP. It's fine for us amateurs with racks at home and 384k upload at best, but for business that really need to crank it up, OpenBSD falls short.

What's great about Open over Free (and most Linux distros) is simply that one can go from zero to installed, up and running in no time flat. The need to secure the OS is minimal (though as another said, why portmap and why inetd?), which also greatly reduces time to production. And no worries about all of those "extra" packages that one doesn't want installed that get installed whether you like it or not, and then having to find a way to yank them out.

That said, yes, I pre-ordered my CDs.

Jud.

Re:yes, we need SMP

[bmajik]

There's little reason for SMP in openbsd

1) It makes security that much harder. Think /tmp race conditions are bad ? How about race conditions in the kernel ? How about the fact that not even Intel is consistent in their docs on how two x86 chips re-order operations and maintain cache coherence in some situations.

2) 99% of the software on openBSD is fork/exec anyway. You might as well use assymmetric multi-processing, or, better yet, buy 3 uni-proc boxes for the price of a dual proc box, and partition your load accordingly.

Re:yes, we need SMP

[rplacd]

Well, without good threading or SMP, of course most of the software on OpenBSD is fork/exec...

Re:yes, we need SMP

[tigga]

What's great about Open over Free (and most Linux distros) is simply that one can go from zero to installed, up and running in no time flat

I don't understand why you pick up FreeBSD to bash - it could be installed pretty fast too, especially if you are not installing ports collection.

Re:yes, we need SMP

[bmajik]

it gets modded up because its right

point 1 came straight from theo's email a couple years ago

re: point 2:
apache is fork/exec only until you get the hybrid MPM for apache 2.0 (which doesn't work)

I'm a huge advocate of pthreads - and i suspect i've written more high performance MT apps than you have. But SMP+a solid user space threads implementation on top of SMP is hard to do, and will complicate openBSD needlessly, given the sort of work its usually employed in..

Re:yes, we need SMP

[bmajik]

Well, im not saying openbsd will make inroads into the server market, but regardless, i dont feel that lack of SMP is confining openBSD.

I beleive the largest commercial deployment of *bsd boxes is Yahoo, using freebsd, and i seem to recall most of those are uni-proc machines (but i could be wrong on that)

In any case, like i said, for the type of apps that exist on openbsd _today_, its cheaper to just get multiple uniproc boxes and distribute the load (either manually with a junior admin babysitting, or automagically with some clever automation).

it is highly unlikely that pf, for instance, would get faster with SMP, as that would be an extensive re-gutting of the bsd kernel to make it highly re-entrant (i.e. interrupts being serviced by all cpus, and so on)

look how long its taken linux to try and not be a joke in the smp world. look at the system call latency that solaris and NT take on because of their highly SMP-friendly architectures..

you're right, i shouldn't presume who's done what. I was merely pointing out that i _like_ SMP and i _like_ MT programming, but in the case of OpenBSD, i feel it adds nothing but complicates much. I'd prefer to have a mature SMP implementation (solaris) running whatever MT apps i have behing a mature security product (openbsd)

daemon-y goodness

[lemkebeth]

Did anyone else read this:

from the daemon-goodness dept.

and think:

from the daemon-y goodness dept.

Ah well, I must be reading too much AtAT.

Re:*BSD

[Whyzzi]

I thought the most secure OS was Windows 95. With NIC support like that nobody should be able to connect to your computer.

Wrong. The most secure OS in the world is the one that you cannot load onto a computer. So I use the next best thing: OpenBSD.

OpenBSD based floppy firewall?

[minipunk]

Anyone know if one exists? Please send URL!

Re:OpenBSD based floppy firewall?

[Transcendent]

microbsd.net

not quite OpenBSD, but it's a BSD that fits on a coupla floppys.

Re:OpenBSD based floppy firewall?

[Electrum]

Try ClosedBSD, a FreeBSD based firewall. It rocks.

Re:SMP support

[a+(+h+3+r+0+n]

That's great! I'm sure they'll be happy to accept your code to further the SMP cause. That is, unless you code like you spell.

Re:Minimum hardware requirements?

[Daniel_Staal]

I'm not exactly sure, and I don't think it's been thoughoughly tested to find the minimum... It's in the 16MB range (and is the same as the default OS). You can run with less, but that needs a custom kernel. If it boots, you can install.

The real Release notes:

[fries]

... couldn't make it through the 'Lameness filter'.

Please go to http://deadly.org where they did make it through.

OpenBSD use.

[azimir]

Warning: OpenBSD camp follower talking!

It has been over two years (since 2.7, actually) since OpenBSD sucked me in with its simplicity, security and *good* documentation.

In that time I have never started Xwindows on an OpenBSD machine. There is no need.

OpenBSD has been a solid firewall, router, bridge, MX, DNS server, NIS, NFS, Web, SSH/SCP/SFTP machine with nary a GUI to be seen.

With 3.2 they have finally done superb work with locking down services. This is even extended to services that are not on by default, such as apache. They have also gotten right of that annoying /etc/nat.conf file! Time for a round of upgrades.

Re:OpenBSD use.

[b0r1s]

NIS is an ugly, ugly piece of software that needs to die, quickly. Spreading that mess on an otherwise secure system should be illegal.

Re:OpenBSD use.

[rplacd]

OpenBSD has been a solid firewall, router, bridge, MX, DNS server, NIS, NFS, Web, SSH/SCP/SFTP machine with nary a GUI to be seen.

(emphasis mine)

Some would count the lack of a GUI as a downside. Don't knock GUIs -- even web-based ones. They can really help out with the easy stuff. And since it's a Unix, you can always pop up a shell window to do the more complicated stuff.

Check out Mac OS X for an example of this.

Re:OpenBSD use.

[azimir]

Check out Mac OS X for an example of this.

I love the OSX 10.2 iBook I get to use at work.
It is a wonderful machine with everything I've needed so far.
I am seriously considering one for my next big computer purchase in the future.

Some would count the lack of a GUI as a downside.

I'm sorry if I don't like to have a GUI, especially a web based one, running on my firewall. The simpler the rules the better, and I would want to be *very* sure that code was locked down. Locking down a GUI seems to be a waste of resources when you can get along easily if you are willing to edit text files to accomplish the same thing.

I have been working with a new print server at work, and have been quite happy with the web configuration that comes with CUPS. GUIs have their place, but not on my OpenBSD machines that only have power & ethernet cables running into them.

Re:OpenBSD use.

[azimir]

I agree. Please write in the UNIX replacement that *actually* works here please: _____________________________

Re:OpenBSD use.

[mindstrm]

Okay.. it's me pet peeve.. but...
Can OpenBSD do policy routing?

I don't mean "kind of in some situations with this hack".. but actual policy routing.

Re:OpenBSD use.

[b0r1s]

Ldap over ssl can do passwords and authentication ... check out pam_ldap.

Re:what happened?

[alsta]

"The OpenSSL holes have nothing to do with OpenBSD, they are built by a seperate team."

Really? I thought the OpenBSD team built OpenSSL for use with OpenBSD and OpenSSH. Or do you mean that the OpenSSL team writes OpenSSL and Theo & Co. build it?

"3rd party auditing of the source (which is what OpenBSD does for stuff it doesn't directly develop) won't find everything."

I thought the whole point that is touted with the code audits is that they don't let any bugs in. And to further develop on this statement, you're suggesting that having source code doesn't help any with finding bugs? I didn't know that Ballmer was right all this time.

"Face the facs, it'll happening sooner or later."

Latin factum, from neuter of factus, past participle of facere. A fact is something that has happened, not something that will or may happen. Anything that will or may happen coincides with assumptions and probabilities.

"I think the 3.0 series has been the best yet, and the most innovative. I think it will continue to be too."

Are you for real? Are you telling me hat software becomes better and/or more functional with time?

Please provide .iso's

[dazdaz]

People always get annoyed with this, however we would like .iso's of OpenBSD. I believe the philosophy is flawed in that .iso's are not made available so people have to purchase the cd's which helpds fund the project. However this limits the distribution of OpenBSD. If anyone could download an .iso, become familiar with OpenBSD, the userbase would be larger and therefore more people would purchase the official CD's.

What do others think?

Re:Please provide .iso's

[c13v3rm0nk3y]

In my experience, if you provide an ISO, nobody buys a CD, and they just burn the ISO. With OBSD, at least one person buys a CD, and all his/her friends copy that.

This helps OBSD make exactly one sale, instead of none.

Seriously, I don't know. There isn't much incentive to buy OpenBSD CD sets (or any free OS, for that matter) in the first place. Giving the CDs away is just not going to help that, if you ask me.

Then again, I've bought few CD sets myself; I usually just get a few t-shirts and install via FTP and/or create my own ISO.

Re:Please provide .iso's

[ostiguy]

ISOs are wasteful for OpenBSD. With the boot floppies images, and 3-5 .tgz's totaling 40ish megs, you can have a fully functional firewall box. Even if you were installing X, and other desktop oriented niceties, there are 10ish .tgz in total, probably not eclipsing 200megs altogether. If they hosted ISOs, that is a 600 meg download.

OpenBSD has a CLI, but clean install routine. If you read the install directions, anyone can successfully install it via ftp, with only 50-200megs of net traffic.

Finally, they put in a ton of effort to have great man pages. Thus, the support base expects you to read before asking questions. Therefore, if you aren't willing to read the install guide to do a ftp based install, you aren't going to have much luck with the OS and its support community.

ostiguy

Re:Please provide .iso's

[Roadmaster]

Maybe Theo meant it as a filter; if a user can't install without ISOs then he's not worthy of using OpenBSD. :)

Seriously, making your own OpenBSD CD is not that hard; you just download the files, the boot floppy images, then boot with that floppy, check the path in which it looks for the installation files, and then make a CD with files in that path and using the boot floppy image as your El Torito boot image. I've been doing it since 2.9 and it works like a charm. I put all the files on CD anyway, to save HD space on our server, and making it so that the CD was bootable and could be installed from was obvious and simple.

Re:Please provide .iso's

"What do others think?"

Well, I think you are lazy. Download the install files, download the bootdisk, run mkisofs using the bootdisk file as the bootable image for the cd, cdrecord dev=0,0,0 speed=8x -data obsd.iso and you have a bootable cd image. Hrm. Anyways, THAT is what I think. Alternatively, you could download an .iso that someone else made. Google is your friend. Empower yourself, that is the primary benefit of Free Software.

Re:Please provide .iso's

[Cadre]

What do others think?

The installation is easy. People who beg for ISO's are too lazy (or stupid) to do a simple: dd if=floppy32.fs of=/dev/rfd0c bs=32k (or fdimage -q floppy32.fs a:) to make a bootable floppy.

Seriously, that fact that ISOs aren't available really helps to cut down on all the newbies posting to OpenBSD forums who need their hand held through everything.

Re:Please provide .iso's

[aschlemm]

Seems like all those users that whine about there not being ISO images can't even bother to go visit the OpenBSD website and read any of the online documentation that is available there. I've done several FTP based installs myself and it only required me to make a boot floppy. Once you have a running system you can download all of the source via AnonCVS and compile your own OpenBSD release and burn your own CDROMs of it if you want.

One thing that is different about OpenBSD is that the patches are released in source code form and so you have to compile the system yourself to keep it up to date. I keep an up to date source code tree of the latest OpenBSD stable release and with a couple of shell scripts that automate the process I've been building my own OpenBSD releases for a while now. I even put together a old PPro 200 system that I use as a dedicated build system. I download the created tarballs from my build system and use them to update my live BSD systems when I need to.

Re:Please provide .iso's

[be-fan]

Not necessarily laziness. In my laptop, for example, I don't HAVE a floppy drive. Haven't used one in years. Of course, I could use the floppy image to boot from a hard drive (yes, it does work, thanks to grub) but that's probably asking just a bit too much...

Re:Please provide .iso's

[mindstrm]

Right.
That's the problem with OpenBSD.

One one hand, we have people professing how great it is and that anyone should use it, and on the other, we have a community that is so elitist that they come down like the mighty hammer of God on anyone who isn't already an expert.

Something could be more user friendly? That's because it's for experts only.

Some feature isn't added that everyone else has? That's because nobody REALLY needs it, and it sucks anyway.

Re:Please provide .iso's

[Bishop]

Debian installs require a few too many floppies for my likeing. Where "too many" is more then one. Hence I make bootable CDs with drivers.tgz and basedebs.tgz. I would prefer if Debian.org supplied a minimal boot cd so that it would be tested with the rest of the installer. (However I am not willing to become the maintainer so I can't complain.)

Re:Please provide .iso's

[Michael+Wardle]

Debian does provide official CD images. You can also buy a CD set from any number of vendors, obtain an unofficial network install CD image or create your own CD using Jigdo.

Re:Please provide .iso's

[grub]

..we have a community that is so elitist that they come down like the mighty hammer of God on anyone who isn't already an expert. Something could be more user friendly? That's because it's for experts only.

Nonsense. Years back when I went from Linux->FreeBSD I searched a lot, read a lot and experimented a lot. Ditto when I went from FreeBSD->OpenBSD. There is a boatload of information out there, unfortunately people run onto the mailing lists immediately after an install with questions answered in the FAQs, the manpages (which are superb) and via any search engine. Many then have the balls to say "Oh, I'm not subscribed to the list, mail me privately." Does this sound like someone wanting to truly learn a new OS? No, they want a free OS with 1-800 24x7 support.

The bottom line as I see it is this: Developers are not there to hold anybody's hand, the mail lists are not there to do one's homework, nor are there to act as one's "google proxy"

Re:Please provide .iso's

[hdw]

Come on, how hard is it to download the floppyimage, create a boot floppy and do a netinstall?
Or download the installfiles and burn a CD?

And if some feature is missing?
It's a Free OS, fix the feature yourself and submit it to the team, or dog/hire someone to do it for you.

Elitist?
Because anyone asking questions that are explained in detail in FAQ are told to go back and read the FAQ?
Because anyone asking question that are explained in detail in the manpages are told to read the manpages?

Re:Please provide .iso's

[mindstrm]

Hey look.. I fully realize that OpenBSD doesn't "OWE" me anything, including features I want.

My point was that the key players seem to come across as assholes a lot of the time. It's not that they don't want to add a new features; they can pick and choose what they develop, of course...

My point wasn't that they should add features, it was that, if you ask about a feature that was left out, they proceed to lambast you and/or tell you why that feature "Sucks". They would be better off to say "we just didn't see it as important" and be polite.

Often they would be better off simply not responding.

Re:Please provide .iso's

[hdw]

Why do you ask for a feature in a free product?

If you want a certain feature then either add it yourself or pay someone to do it.

They've given away a serious amount of time and effort to create this free product.
If they choose to be 'assholes' it's their right.
If you don't want to use their product, it's your choice.

Re:Please provide .iso's

[mindstrm]

Who asked for features? I just pointed out that they can be real assholes for no reason.

I'm only pointing out that they like to show off their product, encourage everyone to use it, and then act like assholes towards a lot of the new poeple using it. Not exactly nice neighbour behavior.

THAT is my only point.

Re:Please provide .iso's

[hdw]

Your point is valid.

My point is that I prefer good coders with bad people skills over bad coders with good people skills.

Antispoof?

[tzanger]

Isn't that like rp_filter on Linux?

Re:*BSD

Wrong. The most secure OS in the world is the one that you cannot load onto a computer.

The most effective form of birth control is abstinence!

Same horrible fdisk and disklable process?

[LM741N]

I've installed OpenBSD about 10 times now, and I've always been amazed that they've kept the just terrible disk partitioning and labeling scheme for the install. Does the new release have any new features in that area? If not, please just steal some code from FreeBSD or somewhere! Then I won't have to use a calculator to do an install :) :)

Re:Same horrible fdisk and disklable process?

[dazdaz]

I often wonder if it's kept in order to keep an element of elitism attached with OpenBSD. Afterall look what happened to Linux.

Re:Same horrible fdisk and disklable process?

Well, I added printing (and data entry)
for arbitrary units (ie - m, g, k, b, c (cylinders)) to fdisk a while back, so
a calculator should not be necessary anymore.

just do a "p m" in fisk like you used to do in disklabel.

Re:Same horrible fdisk and disklable process?

[Karn]

Afterall look what happened to Linux.


Yep. It's becoming successful and usable. We can't have that happen to OpenBSD now, can we?

Re:Same horrible fdisk and disklable process?

[psxndc]

No offense man, but by the 10th time you should have figured out you can use "M" and specify megs for partition size. Accept the default locations on the disk and guestimate in MB on what you need for /, swap, /tmp, /var, /home, and use the rest for /usr. Each time you add a partition, it will place the start of it after the end of the last one. Easy as pie.

Yes, the disk partitioning is the least intuitive part of the install, but it only took a complete newbie like myself a few times (3, maybe 4) to feel comfortable with it so I think you might have missed something in the documentation. I was using "Building Linux and OpenBSD Firewalls" at the time as well, but it's all there on the screen for you.

psxndc

Re:Same horrible fdisk and disklable process?

[be-fan]

It's also been overrun be newbie users who are trying to turn it into Windows. I'm not saying that new users are bad, and I think it's good that Linux has become succesful, but I just wish that new Linux users would take some time to understand the culture attached OS before trying to change it. It's like they say, when in Rome, do as the Roman's do. Instead, many people are just acting like so-called ugly-Americans.

Re:Same horrible fdisk and disklable process?

[be-fan]

Don't get me wrong. I don't think that Linux has changed yet. And personally, I love KDE. It's not even that a lot of "unenlightened" users are switching to it. It's just that a lot of people come into Linux expecting it to be exactly like Windows, and then complain when its not. They don't respect the culture attached to the OS, and that's what peeves me.

Re:Same horrible fdisk and disklable process?

[Karn]

It appears we both appreciate the same things, but you were backing up the post of someone who promoted elitism of an OS to prevent 'what happened to Linux', which is what I disagree with.

Sure, there are going to be people and companies using free software who don't deserve it, but this isn't a reason to claim that the system is flawed.

PF Rules

[norweigiantroll]

I'm thinking of installing this as a server / firewall / IPMasq router. Anyone know where I can get a "HOWTO" or something similar like the IPMasq howto for Linux?

Re:Too bad

[rmadmin]

75 Mhz SS20 with 320 meg ram, 4 gig baracuda scsi. Maybe it wasn't _THAT_ slow. I'm probably just too used to my production boxen. Dual PIII 900mhz boxen with gig of ram will spoil you. I am going to put 3.2 on there. Maybe I just had something seriously configured wrong, but it just felt like it was sluggish. Oh well, we shall see!

if you have the bandwidth for isos you have it for

[waspleg]

1.44 floppy net-based installs, which is what i usually use and i've been using openbsd since 2.5

just because there are no "Official" iso's does not mean that they are not available from "Unofficial" sources just look around but you really should support hte project if you can

(the t-shirts/posters/stickers are all cool and the later can only be found w/ the official cdrom distribution)

my personal server (which is used primarily for NAT and personal ftp) has been running OpenBSD for years and it's certainly hte most elegant and simply designed UNIX based system that I've ever used and is far more intuitive and secure than Linux (which i have also dealt with since '95 and presently have a debian desktop machine running under my desk so no flames please) by default.. anyway my $.02

here is a link to the floppy internet based install instructions: http://www.openbsd.org/faq/faq4.html#Media

Re:Still won't boot above 8 Gig - Clueless AC

[c13v3rm0nk3y]

...and yet we still get idiots whining about completely useless crap like this monk3yboyCRAP...

1. I posted a reply about the 8Gb limit for the OpenBSD boot partition in, not the original posting. You might want to re-read the thread. This time, take a moment to read the words contained therein. They contain ideas. Some ideas require you to think.
2. I already pointed out that most folks use OBSD as an edge server, and that the 8Gb limit is not so important for the intended audience. See point #1.
3. You are an idiot. Yet another clueless AC.

I hate it when I get all testy. I get modded down.

No need for HOWTOS !

[gruntvald]

Just sign up for the openbsd-misc mailing list and fire away! The friendly folks there are all conversant with Linux terminology, so just ask for IPMasq and they'll know what you're talking about. HTML email is preferred, so it looks better in the archives, and if you can do a diagram in flash you'll get bonus points.

Re:what happened?

[Helter]

""3rd party auditing of the source (which is what OpenBSD does for stuff it doesn't directly develop) won't find everything." I thought the whole point that is touted with the code audits is that they don't let any bugs in. And to further develop on this statement, you're suggesting that having source code doesn't help any with finding bugs? I didn't know that Ballmer was right all this time." There's a HUGE difference between not finding EVERYTHING and not finding ANYTHING. The poster was saying that even with code audits, unless they wrote the source themselves it would be very doubtful that they could find EVERY bug.

Re:*BSD

[rplacd]

As a matter of fact, Java's not that great on Linux, either. Take a look at the Freenet Java compat table.

Write once, test everywhere...

Re:*BSD

[c13v3rm0nk3y]

Write once, test everywhere...

You better believe it. The development work to make yet another port is pretty easy (except for the OS/390 -- that was especially fun) but the QA is crazy.

Well, we do have a chunk of native code that the Java hangs off of, but that is very POSIX, so we usually don't run into problems there.

Re:what happened?

[almeida]

Replying to this just to undo the accidental "redundant" moderation. I meant to mark this post as "informative." Sorry about that.

Re:what happened?

[mindstrm]

OpenSSL is a completely different project with no direct relation to OpenBSD.

OpenBSD audits & builds it's own versions of all packages it ships with, including removing libraries and/or features from those packages that go against OpenBSD's licensing policies.

The point of code audits is to TRY to find bugs; it is not a de-facto guaranteed way to ensure there are NO bugs. Code that is audited for bugs generally has less bugs than code that is not.

Why I don't use openbsd.

[mindstrm]

He means you don't use it to do tons of things on one server.

Usually because you can't run it on large hardware (lack of SMP support).

Oh, you CAN, of course, it's a solid bsd... but you smack into scaling problems on any kind of volume.

As a firewall and a router, it is NOT as functional as Linux, and there are things it simply will not do that linux will.

Re:Why I don't use openbsd.

[Telent]

He means you don't use it to do tons of things on one server.

Usually because you can't run it on large hardware (lack of SMP support).

Oh, you CAN of course, it's a solid bsd... but you smack into scaling problems on any kind of volume.

Really? Is that so? I know several large corporate users, Adobe Systems amongst them that would disagree with you.

As a firewall and a router, it is NOT as functional as Linux

Indeed. Filtering by MAC (unless you use it as a bridge, which is the only real place for MAC filtering), and filtering based on packet (unless you run a proxy, as the networking gods intended for higher-level functions such as content-based filtering.) It's been discussed before. I try to keep away from Linux/BSD comparison flamewars, but I will say that it does every function that several large companies want it to, or they wouldn't be using it.

and there are things it simply will not do that linux will.

<cheapshots>No, it won't get hacked within ten seconds (no exaggeration) of putting an unpatched install on the Net like Linux will. No, it won't crash on you because of some deadly library conflict or rpm chicken-and-egg hell. No, it won't be vulnerable to $BUFFER_EXPLOIT_OF_THE_HOUR like Linux.</cheapshots>

(Yeah, I'll get modded down to the depths of Hell for this. No, I'm not a BSD bigot. I configure Linux for people all the time. But arguing that it's worse for firewalls, a VERY security-based application, than Linux... sorry, that's just stupid.)

Re:Why I don't use openbsd.

[mindstrm]

Regarding unpatched installs.. I'm talking about real world applications here, not newbies setting up their first network. How secure it is out of hte box is not as much of a concern; I lock it down anyway. THat means OpenBSD takes me 5 minutes less to set up. Whoptie doo.

Secondly: No policy routing. If I am wrong, PLEASE let me know... but from what I can see, OpenBSD does not do policy routing. I require policy routing.

A large corporate user might use OpenBSD, but can you explain to me how I can use OpeNBSD on a 4 or 8 processor box and get any kind of speed increase out of it? No? That's my point.
Clustering works, but only to a point and only for some applications.

OpenBSD does some firewalling tasks very elegantly and uniquely.. and for that they get a cookie.. but overall it lacks.

As for your cheapshots...
1) Putting up unconfigured installs on the net is stupid anyway.
2) Everyone quotes how 'security enhanced' OpenBSD is... like some kind of blind dumb mantra. Yes, they audit the code like mad, yes, the default install is secure.
And when I put up my debian box for a firewall... it has no services running either, and you would be HARD pressed to get into it that quickly.

You can make the argument that a firewall should be as simple as possible, in which case OpenBSD is fine.. but it lacks flexibility that I need.

Received CDs today

[rinsoblue]

I received my CDs today in the mail. I haven't removed the shrink-wrap yet but I bet it's going to be good again.

Congratulations OpenBSD team.

Re:I DO think so....

[evilviper]

Well, keep laughing... Ever heard of chroot, privlidge seperation, and systrace?

OpenBSD is what you make of it... If you set everything SUID it's certainly not going to be very secure, but you can secure an OpenBSD system extremely well if you want to do so.

Stick that in your VMS pipe and smoke it!

Re:Still won't boot above 8 Gig- IDIOt

[grub]

OpenBSD is a SERVER operating system. 99.99999% of the people using OpenBSD use OpenBSD as a SERVER

Rubbish.

The OpenBSD ports tree, while not as brimming with goodies as FreeBSDs, has loads of software for use on the desktop.

My desktop *NIX boxes at home and work are both OpenBSD with lots of decent software installed via ports. I hardly think that developers would bother making a port of only .00001% of the users would use it. In fact a number that low would be a partial user. Perhaps a finger or two.

Signed files? MD5s?

[piranha(jpl)]

I appreciate OpenBSD a lot; I use it on one system at home, and plan to do two more OpenBSD installations. There are some really cool things, like systrace, that aren't available for Linux yet.

That said, how can I trust that my copy of the "world's most secure operating system" hasn't been tampered with? OpenBSD does not sign their files with PGP, GnuPG, or OpenSSL (yes, the latter has been suggested on lists). OpenSSH does. Why can't OpenBSD?

The ports tree, the kernel source, and the rest of the base source (ports.tar.gz, srcsys.tar.gz, and src.tar.gz) don't even have published MD5 hashes (but the archetecture-specific binaries do). The source matters, because (aside from using potentially unstable snapshots binaries) you need the source to apply security patches as security issues are discovered.

For an OS with such a focus on cryptography "because we can", I don't see it being used where it counts. (I've written to the misc list, and only received one response. I've filed a bug report and have received none.)

Re:what happened?

[lyberth]

1 remote hole in six years is bad compared to what?
its lazy compared to what?
We all know that Microsoft has a very good week if no holes are found. And take any linux distro or other operating system for that matter that is more than 3 years old, and tell me which one has less than two remote holes.

New BSD branch: NiceBSD

[hdw]

Given the great amount of people who seem too like the features and function of OpenBSD but are miffed by the 'rude' responses by the OpenBSD crowd in general and the OpenBSD dev team in specific I've decided to start a new *BSD code branch "NiceBSD".

The project goals for NiceBSD is skip all the coding and writing stuff and concentrate on being nice and polite to the users.

All code and documentation will be ripped from OpenBSD and updated every week.

Users asking question that can be answered by reading FAQs or man pages will get the correct quote in a nice and polite way.

Users asking questions not covered by FAQs and man pages will be informed that we don't have a clue, in a nice and polite manner.

Users asking for new features will informed that we will consider it for the next release.


I haven't decided upon which cute mascot to use for NiceBSD but I think that a Donkey or a Jackass would be perfect.

Agreed.

[mindstrm]

Their product is excellent.