OpenBSD 3.2 Available

fredrikv writes "Right on time, the files defining OpenBSD 3.2 have moved away from "snapshots" to the 3.2 directory of the OpenBSD mirrors. It is well known as the world's most secure operating system and now sports chroot'd Apache, fewer suid binaries, cool pictures for xdm-logins, a brilliant "antispoof" packet filtering rule and as usual includes lots of small updates and fixes. The files are there. What are you waiting for?"

FreeBSD

[drxenos]

I've always been a fan of FreeBSD. How does OpenBSD compare?

Re:FreeBSD

[c13v3rm0nk3y]

I've always been a fan of FreeBSD. How does OpenBSD compare?

Try this link. There are a bunch of FAQs, some of them directly compare *BSD, Linux &etc.

Re:FreeBSD

[CoolVibe]

Depends on what you want to do. FreeBSD is better suited as a workstation or a high-performance server. OpenBSD does great for bastion-hosts and firewalls.

Re:FreeBSD

[Ryvar]

Short Answer:
OpenBSD has less 'nice' functionality, slightly less performance tuning, and no SMP support.

On the other hand it has an extremely well-audited source tree (by largely the same developers as OpenSSH), SoftUpdates, the new systrace work, an excellent brand new packetfilter that has yet to fail to impress from either a security or speed standpoint . . .

OpenBSD isn't really so much the most secure OS in the world as it is in many situations the most secure OS on the x86. For most of us around here, that's probably close enough as makes no odds.

The last release (in a bug that affected the prior release as well) had an OpenSSH issue in the default installation that became the first remote compromise for the default installation in nearly 5 years of the operating system. Admittedly, most things are turned off by default (although I wish a few more - portmap, inetd). Because of this and a few other errata, 3.2 has been looked forward to for a long time.

To sum, you have a stripped-down no-nonsense OS with all of the unnecessary crap tossed out of the default installation and available as ports and packages to those that want it. The perfect OS for those who want a secure router, and/or single/few-function server. This isn't an appropriate choice if you need more than a commandline, really, and there's a fair amount of pride amongst the user community over that.

Re:FreeBSD

On the other hand it has an extremely well-audited source tree (by largely the same developers as OpenSSH), SoftUpdates,
FreeBSD has softupdates too.

Admittedly, most things are turned off by default (although I wish a few more - portmap, inetd)
portmap is turned off by default in OpenBSD 3.2.

The perfect OS for those who want a secure router, and/or single/few-function server.
my OpenBSD workstation runs the same apps i need to work as my linux workstation does, and that is quite a few apps, yes i do real work.

This isn't an appropriate choice if you need more than a commandline, really,
X works fine in OpenBSD and i bet most users who use OpenBSD use X on OpenBSD desktops and commandline on *all* their Unix servers, regardless of flavour (why should a dedicated webserver/firewall/database need X running?).

Re:FreeBSD

[Telent]

To sum, you have a stripped down no-nonsense OS with all of the unnecessary crap tossed out of the default installation and available as ports and packages to those who want it. The perfect OS for those who want a secure router, and/or single/few-function server. This isn't an appropriate choice if you need more than a commandline, really, and there's a fair amount of pride amongst the user community over that.

Uhhhh... I hate to be rude, but what crack are you smoking?

"Few-function"? Right now, off the top of my head, I use OpenBSD for:

• POP3/IMAP4/SMTP mail
• FTP
• Samba backups for Windows clients at my place of employment
• Apache web server with PHP, Perl, CGI, FrontPage includes, and all those other nifty modules
• IRC server
• Firewall (NAT'ing)
• Router

This is all on my servers, both at my work and at my home. These do not even have a GUI installed... but if you want more than a command line, that has it, too. I mean, it's *really* difficult to install the x* .tgz bundles when you're installing, then configure your X server and install your favorite window manager from ports. Took me all of five minutes, last time I did it.

That brings me to my desktop. I use my computer for a lot of stuff. Mail, web surfing, 3D modelling, test compiles, image editing, HTML editing, writings (technical and otherwise), media playing (Flash, DVD's, mp3's, CD's), and much, much more. This computer, a PIII 850 laptop, runs single-boot OpenBSD 3.1-stable, soon to be 3.2 (after I write this post.) I use Enlightenment, and damn, but it *flies*.

No, if you need your hand held on every single little thing, or you're scared off by a text installer (which, by the way, is easier than any GUI installer I've ever used), then PLEASE stay away. But if you can handle changing a few of the ways you think, give OpenBSD a try as a desktop. You may just like it.

(And just as a data point, I started out with OpenBSD. My first *nix experience, except for a tiny bit of Red Hat several months before, which I *hated* - not flaming, just saying it wasn't for me. I managed to get to the point where I am with it without getting flamed on the lists once, and it's because when I have a problem, I RTFM and STFW. If you're capable of doing the same, it's a refreshing change from the other user communities.)

Re:FreeBSD

[CoolVibe]

If you don't like FreeBSD, but love OpenBSD, yet are miffed by some things of OpenBSD, why not got for NetBSD?

In my experience, NetBSD is very usable for desktop purposes. Also I use it for my routers/firewalls, partially because the NetBSD base install is so damn small.

Re:FreeBSD

[Bishop]

OpenBSD is missing a stable Mozilla. For many workstations users this is a problem.

Re:FreeBSD

[Tet]

why should a dedicated webserver/firewall/database need X running?

Because Oracle, in their infinite wisdom, no longer support a text-mode install. Yes, you can use a response file, but it's a pain in the ass, and I don't think you can do the same for patches. Thus, none of my servers have X installed with the exception of the database machines (no, moving away from Oracle isn't a viable option at this point -- too many PL/SQL stored procedures, and not enough development resources to port them to anything else). I despise Oracle for this. It's a server for $deity's sake. It doesn't need X.

Re:FreeBSD

[Bishop]

This is what I *love* about OpenBSD: One OpenBSD user blasting another user for supporting OpenBSD, but mentioning some of the rough spots.

For the record: I am a big fan of OpenBSD.

Re:FreeBSD

[Shanep]

I've always been a fan of FreeBSD. How does OpenBSD compare?

The install is a very straight forward, no nonsense bare bones affair. My installs typically take on the order of 3 (THREE) minutes.

The file system, config files and man pages are very clean. The resulting install is very tidy and pretty small. From there you add packages to taste.

Re:FreeBSD

[evilviper]

FreeBSD is better suited as a workstation or a high-performance server.

Never understood why people say this... OpenBSD may not be madly porting every desktop app on earth, but it has most anything you could want.

For multimedia, Ogle & MPlayer are in the ports.
For a desktop, just about any Window Manager will compile out of the box.
The latest version of X is always available, and it compiles cleanly without any special steps. (Something that can't be said about FreeBSD)

The single thing I can think of is that FreeBSD supports more sound cards... Big Whoop. With OpenBSD, you don't need to load any modules, or anything like that. If your hardware is supported, it will be detected by the kernel and support loaded. If not, it will say it's not supported, and you can try another one. Far easier setup than ANY other OS.

Re:FreeBSD

[CoolVibe]

Does OpenBSD have a working DRI/DRM/GLX working? Guess not. FreeBSD's works a treat. Also, performance on FreeBSD is snappier, there's SMP support, ELF binary format, sane dynamic linking. All stuff OpenBSD does not (yet) have.

Nah, stick to FreeBSD for your desktop. OpenBSD might be secure and great for firewalls, bastion-hosts, but for a large multiple CPU server box, I rather use FreeBSD, Linux or Solaris.

Re:FreeBSD

[Bishop]

Mozilla may be there, but "stable Mozilla v1.1" is not.

Re:FreeBSD

[evilviper]

Does OpenBSD have a working DRI/DRM/GLX working? Guess not.

Guess again. I know FOR A FACT that GLX works just fine (glxinfo says so!). I didn't take the time to check the rest, but I'd certianly assume they are supported... Your insistance otherwise really doesn't mean anything to me at this point.

Also, performance on FreeBSD is snappier

What makes you say that? Don't know how to enable soft updates? Haven't used it in the past 2 years? OpenBSD's performance is great... I can't even guess what would make you believe otherwise.

ELF binary format

Since when does OpenBSD not support ELF? Maybe on Sparc up until recently, or another more obsecure platform...

All stuff OpenBSD does not (yet) have.

Your "facts" are blatantly wrong. Are you very sure you're not a troll?

Re:FreeBSD

[hdw]

OpenBSD is secure, stable and easy to maintain.
I use it for a lot of stuff:

at home, as firewalls, Wlan gateway, fileserver, software development, videograbbing and asorted stuff.

at my friends' and siblings' homes, as firewalls and gateways.

at small business, as firewalls, fileservers, proxies, apacheservers.

at the large telco that pays my salary, as firewalls, security gateways, proxies, MS-VPN servers, radius servers.
In short, I'm a dedicated OpenBSD fanatic, and I'm quite convinced that Theo can walk on water without getting his feet wet, or at least cross shallow ponds with only damp socks.

But this doesn't change the fact that there's several things stopping me from trying to replace the OS on every box I can find.

There's alot software that doesn't install and run clean on OpenBSD.

There's a lot of software that has to be cuddled with a bit before it works.

And from a maintain/support view there's a lot more people trained on various (GNU)/Linuxes, making it much easier (and cheaper) to hire support and contractors.

There's also the lack of stable SMP support, and the lack of support for less common hardware.
Will OpenBSD rule the world? No, I still se it a "targeted" product.
It doesn't promise world domination like Linux.
It doesn't promise maximum portability and support for obscure hardware like NetBSD.
It doesn't aim for maximum software support like FreeBSD.

It promises security and stability, and it delivers.

Re:FreeBSD

[CoolVibe]

[glx doesn't work snip]

Guess again. I know FOR A FACT that GLX works just fine (glxinfo says so!). I didn't take the time to check the rest, but I'd certianly assume they are supported... Your insistance otherwise really doesn't mean anything to me at this point.

On all ports? Linux has GLX working fine on my mac, for instance. I've also had success with NetBSD. OpenBSD wouldn't even run most of the desktop apps I usually run. Also, is direct rendering supported? Sure, you can have glx, but hardware accelerrated? For that you need DRM. Did you know that GLX falls back to software opengl when there's no hardware support?

Performance on FreeBSD is snappier simply because it just is. OpenBSD was never engineered or optimized for speed, only for anat-retentive security. FreeBSD has different design goals that will result in a speedier operating system. SUre, there might be a security advisory or two, but these are solved quickly. Oh, and there's the SMP issue of course, which you avoided. Workstations with multiple CPU's are getting more commonplace all the time. Heck, even I got one.

Also, ELF is something that is in OpenBSD current. Do you expect a end user to run a CVS version of OpenBSD?

You also neglected to interpret one of my answers correctly:

All stuff OpenBSD does not (yet) have

See that word between parentheses? You read over that, did you? Who's trolling who here?

I'm not saying that OpenBSD is absolute crap. It's just not as suitable as a workstation compared to the other BSD's out there.

What Am I Waiting For?

[Zech+Harvey]

Common Criteria certification so it can be just as secure as my Windows 2000 boxen!

Re:What Am I Waiting For?

[liquidsin]

Well, it's only at version 3.2. I'm guessing version 3.3 would be like the third service pack of version 3, and it seems you can't get certified until SP3. I'm sure they'll get there soon enough.

Well ..

[Mr_Silver]

The the files are there. What are you waiting for?

5:30pm, 8 pints of lager, one dodgy kebab and a chance to yet again make a piss poor attempt to chat the attractive barmaid up.

Well you did ask!

Re:Well ..

[SirSlud]

> to yet again make a piss poor attempt to chat the attractive barmaid up

barmaids get slashdotted by drunk guys every night. i recommend you search your neighbourhood for a mirror so you can have all the bandwidth to yourself.

Re:Well ..

[$rtbl_this]

...i recommend you search your neighbourhood for a mirror...

Surely this would only work if you were a hopeless narcissist.

Re:Well ..

[warpSpeed]

and don't forget your Palm!

I'm waiting

[swillden]

What are you waiting for?

Ummm... a Linux port?

Re:I'm waiting

[questionlp]

Maybe not quite what you are looking for, but there is the infamous Linux Compatibility mode for OpenBSD (as well as FreeBSD and NetBSD) that will allow you to run many Linux applications. OpenBSD also supports the Ext2 file system (again, same with FreeBSD and most likely NetBSD).

Re:Well, I'm waiting for a downloadable iso

[LordHunter317]

Download the sources. Burn on a CD. There you go.

IF oyu want it bootable, that's also fairly easy to pull off as well. Just have it boot to the floppy image.

Otherwise, buy a CD.. we need the money.

Re:OpenBSD questions

[Karamchand]

ad 1.) In this interview with pf developer Daniel Hartmeier he talks a bit about performance.

Re:Well, I'm waiting for a downloadable iso

you could probably find one that someone hand-rolled and put up for download, but you'd be a moron to trust it.

Where are the background pictures?

[Otter]

cool pictures for xdm-logins...What are you waiting for?

Someone to provide a direct link to the xdm backgrounds so I can use them on my Linux systems.

Actually, I didn't wait and started trawling through their FTP archive looking for them before deciding that was a) selfish and b) stupid. At least I had enough sense not to download XFree hoping they were in there and not in a separate artwork package...

Re:Where are the background pictures?

[Geekboy(Wizard)]

Nope, they are embedded in the source for XF4. You have to run OpenBSD to see them. (Hint: they are #ifdef'ed)

Re:Where are the background pictures?

[dohcvtec]

IIRC, the custom xdm stuff is in xshare.tgz, so you could download xshare.tgz, extract that, and the custom files are somewhere under /etc/X11 (/etc/X11/xdm, maybe? I'm going off of memory) The OpenBSD .tgzs extract to a relative path, so you could extract the tgz in your home directory, find the files you need, and copy them to wherever your Linux distribution wants them.

It's good, but not that good

[ryanvm]

It is well known as the world's most secure operating system

Whoa, partner. Sure OpenBSD is designed with security in mind, and as far as the BSDs go (which are generally pretty secure in their own right), it's probably the tightest. But it's quite a leap to say that OpenBSD is the most secure operating system in the entire world.

I don't know which OS would get that "award". But I'd have to believe that it'd be something obscure like a tiny, embedded, OS the NSA uses in their crypto equipment or some such.

Re:It's good, but not that good

[glenmark]

I don't know which OS would get that "award". But I'd have to believe that it'd be something obscure like a tiny, embedded, OS the NSA uses in their crypto equipment or some such.

An embedded OS, especially if it has no networking, sure. For general purpose operating system that actually communicate with the outside world, my vote would have to be OpenVMS. So secure it makes even OpenBSD look as leaky as cheesecloth... (Buffer overflow exploits? No such thing in VMS.)

Re:It's good, but not that good

[c13v3rm0nk3y]

Actually, chunks of OpenBSD have made it into embedded security devices. I don't have the link handy, but the details are on OpenBSD.org.

Re:It's good, but not that good

[LordHunter317]

Bullcrap. We just had to put in a patch to cover a buffer overflow/memory leak issue in UCX For OpenVMS. We know it caused buffer overflow issues becuase we could bomb Sybase sending it large amounts of data. Now there may be no OS-level overflows, but your statment is just ludicris. Our code is one walking buffer-overflow. Kernel != System, and just because the kernel is secure doesn't mean the system is.

Otherwise, I tend to agree, but OpenVMS is bi*ch to configure.

Re:It's good, but not that good

[glenmark]

Sure, app level buffer overflows can occur (if for example, the programmer uses null-terminated strings instead of descriptors, a necessary evil for implementing most Internet protocols), but the overflowing data does not get executed, nor does it get written to an area for which the application has no privs.

Re:It's good, but not that good

[glenmark]

VMS is architected such that overflowing data cannot be executed (i.e. doesn't get passed along to the shell). As far as the kernel level code itself is concerned, overflows don't occur in the first place due to the universal use of descriptors to pass data to system-level calls.

The complete OpenVMS doc set is available on the web from a link at http://www.openvms.compaq.com. There are also several good books on OpenVMS internals, with links to info on them available at the same place.

Re:It's good, but not that good

[glenmark]

Reference please? I remember mention a few weeks ago of a flaw related to the pop3 executable being installed with too many privs, giving anyone who executes it from the command line the option to willy-nilly overwrite any file with its log file. Config issue. Not a buffer overflow exploit.

Re:It's good, but not that good

[octogen]

(Buffer overflow exploits? No such thing in VMS.)

Ok, so you believe, programs are absolutely immune against buffer overflow exploits on OpenVMS?

Then I'll show you a simple example of a buffer overflow exploit on OpenVMS/Alpha.

---

The victim program compares a user-supplied password with a password stored inside a file.

I wasn't able to include the source code, because I always get errors like "Your comment has too few characters per line (currently 24.5)." if I do.
Email me, if you'd like to get the complete source code, and I'll send it back to you.

$ cc vmshackme.c;1

strcpy(l_input, input); .^
%CC-I-IMPLICITFUNC, In this statement, the identifier "strcpy" is implicitly declared as a function.
at line number 66 in file $DKA100:[USERS.OCTOGEN]VMSHACKME.C;1

if (strncmp(l_input, l_pass, _max_pwd_len) == 0) .....^
%CC-I-IMPLICITFUNC, In this statement, the identifier "strncmp" is implicitly declared as a function.
at line number 68 in file $DKA100:[USERS.OCTOGEN]VMSHACKME.C;1
$ link vmshackme.obj;1
$ type pass.pwd;1
openvms
$ run vmshackme
openvms
Password correct
$ run vmshackme
os400
Wrong password, try again.
$

-----

The program works, as you can see.

Now I'll type in a bit too much:

$ run vmshackme
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
Pass word correct
$

-----

What I'm exploiting here is nothing else than a simple example of a buffer overflow.

Even if you can't execute arbitrary code (and I'm quite sure you can do that, too!), you can still damage data structures, data pointers, numeric values like buffer offsets and many other things - so there are a lot of possibilities left for exploiting a buffer overflow vulnerability.
AS/400s have hardware protection for system pointers, so they are even more secure than OpenVMS. But even on AS/400s you can still damage space pointers, and I'm quite sure, this example program would even work on an AS/400.
It might not be possible to execute arbitrary code on an AS/400, but you can still damage many things by exploiting buffer overflows.

---

regards,
octogen

Re:It's good, but not that good

[glenmark]

I didn't say that buffer overflows can't happen (except with system calls), but that buffer overflow exploits don't happen. The example you showed will not permit unauthorized code access (unless you plan on using it as a poorly written telnet deamon or such and completely bypassing SYSUAF for authentication), nor does it allow arbitrary execution of overflowing code.

Re:It's good, but not that good

[PapaZit]

NetBSD is (as far as I know) the ONLY one of the BSDs that ships with NO open services in the default install.

Y'know how OpenBSD used to brag about "X years without a remote root exploit in the default install"? These days, it's NetBSD that carries the "longest since remote root in default" banner, and they'll continue to have it (though they're a bit to understated to brag about it) until OpenBSD turns off incoming SSH and RPC.

Think that's a silly argument? Check your nearest OpenBSD box. Is it running RPC? Does it need to be? Isn't "turn off unnecessary services" one of the fundamentals of securing a box?

Re:It's good, but not that good

[octogen]

VMS is architected such that overflowing data cannot be executed

The same is true for Solaris/SPARC, if you configure it correctly.

You don't need to execute overflowing data, it can even be enough only to change a function pointer, and the program would run some code which was already there before the overflow occurred.

This code would be executable, because it's simply a part of the running program or of a library used by the running program.

Just changing some piece of data which gets passed to a system call can also be enough to break security.

From a technical point of view, applications on OpenVMS are just as vulnerable to buffer overflow exploits as applications on Solaris/SPARC (with noexec_user_stack set to 1).

On both OSs you can't execute overflowing data.

But on both OSs you can (sometimes) circumvent this sort of protection.

Re:It's good, but not that good

[oh]

I'm not a VMX expert, but UCX is basically TCP/IP for VMS. I don't know if it uncludes the IP stack, but the FTP and TELNET deamons are part of the UCX package.

You might not be able to overwire kernel space, but as the application has access to multiple user accounts, you hardly need to. Why hack the kernel to get what you want, when you can trick ftpd to downloading it for you when some one with the appropriate privs log in.

security

[MoceanWorker]

It is well known as the world's most secure operating system

That is true.. if you do a default installation and make absolutely no change to any of the services that come installed with it.. that's why it was secure for 4 something years.. but they didn't mention that if you had an old BIND version at the time it would still be "secure" :-)

Re:security

[c13v3rm0nk3y]

It's pretty common to run a few releases back on important and complex daemons like BIND, or Sendmail.

There is little value in going to BIND 8 or 9 if it has not been audited by the OBSD team first. BIND 4 is well understood and the faults, warts and bugs are well-known. BIND 8 is still new enough that it is considered an unknown.

This is one of the downsides (if you consider it a downsid) of trying to be "secure by design".

Of course, OBSD is free, as in beer and as in speech. This means you can run a parallel box with BIND 8 or 9 (or whatever) yourelf until you deem it safe. The responsibility is now yours to maintain security on that chunk of the OS, but everything is a trade-off, especially in host security.

BIND 8/9 will eventually make it into a future release. 99% of us do not need it, however, and so having a well-known and secure BIND 4 implementation has more value for the rest of us.

Re:security

[c13v3rm0nk3y]

a few of us don't care what version of BIND ships with the operating system, because we immediatly chuck it and use djbdns [cr.yp.to] instead

Amen to that. Between that and choosing postfix instead of sendmail, my new mantra is "simplifiy, simplify, simplify".

Re:security

[__past__]

And a few of us don't care what version of BIND ships with the operating system, because we immediatly chuck it and use djbdns instead,

Yes, but there are others who insist on using only free software for critical services.

I don't think so....

[Dr_DTHP]

>[OpenBSD is] the world's most secure operating system

Hear that sound? It's the VMS users (all 8 of them, currently, unless Fred's VAX killed his mains power again and he switched to OSX) choking on their lunches in laughter.

Re:I don't think so....

[c13v3rm0nk3y]

Hear that sound? It's the VMS users ... choking on their lunches in laughter

I thought "security by obscurity" didn't count ;)

Re:I don't think so....

[MAXOMENOS]

What you don't hear is the thousands of OS/400 users quietly chuckling to themselves. "Kids..."

Re:I don't think so....

[R.Caley]

[OpenBSD is] the world's most secure operating system

It's well known that MSDOS is the world's most secure operating system.

No network access and so completely secure from remote break in, and if anyone breaks in from the console there is bugger all they can break and no one cases what they do anyway.

Security by obsolescence.

Re:I don't think so....

[glenmark]

Obscurity? Funny, I have the OS listings around here somewhere....

Re:I don't think so....

[R.Caley]

[if anyone breaks in from the console there is bugger all they can break]

what about:
C:\>format c:

That would be an upgrade.

Re:*BSD

[c13v3rm0nk3y]

...is OpenBSD recommended as an internet server over all of the other distros?

Depends who you talk to ;)

A good place to start is here, to find out what the intentions of the OBSD project are. Then check out the OpenBSD Journal to see what people do with it.

My two cents: OBSD really shines as a secure inet server. Things like httpd, sshd, firewalling, bridging, routing. People do use it as a desktop, but IMHO it is not as desktop-friendly as FreeBSD. *shrug* I run it basically headless, as does everyone I know.

Then again, a cutting-edge desktop system is not a primary concern of the OBSD project.

Re:Threading issues resolved?

[CoolVibe]

Tha last time I worked on any BSD code they were still having some low level race conditions...

How long was that ago? I have never noticed any behaviour like that on the FreeBSD servers I put up. Oh, and one FreeBSD server I had set up once had around 50,000 simultaneous connections going to it, and it didn't flinch.

If it still has problems of the nature you describe, instead of fretting about it, you could send a PR, so the developers can fix it.

*ahem*, not quite

[naasking]

It is well known as the world's most secure operating system

Let's rephrase that as, "It is well known as the world's most secure UNIX operating system." Otherwise it's not true.

Re:*BSD

[c13v3rm0nk3y]

Java 1.3 is not "production" ready on any BSD, AFAIK. I've looked into this quite a bit, and even ported an app to FreeBSD.

They have recently been blessed by Sun to provide a native version of the JDK (the previous versions ran in linux_compat mode), but it is not considered production-ready by the developers.

Our customer threw caution to the wind, and has been running our app for a year or so now on FreeBSD. So far, so good. We _did_ QA it. Sheesh.

OpenBSD Java support is still (again, AFAIK)) a tweakers domain. If you need official J2EE, go with Linux (or one of those "others").

OpenBSD 3.2 release

[possible]

Here's a mirror of the official release announcement. Lots of cool new stuff in this release...among them:

• ELF for Sparc
• Non executable stack on many architectures (including x86), non executable heap on many architectures
• More support for hardware crypto accelerators
• Apache runs chrooted by default (if you want)
• systrace

Re:OpenBSD 3.2 release

[cant_get_a_good_nick]

Non executable stack on many architectures (including x86), non executable heap on many architectures

Not to troll (well, not much anyway) but interesting to see this here when Linus was adamant about not getting this into Linux, the whole false sense of security thing. Has this changed in Linux? I've heard of stack smashes, never a head attack. I wonder how common these are.

Re:OpenBSD 3.2 release

[Bishop]

I thought that the openSSH vulnerability was heap based. Maybe I am wrong. Heap attacks are more rare then stack smashing thouhg.

Good to see

[greygent]

Good to see, there are several facets of it that I absolutely love.

Now only if they could speed up the network and disk I/O to the levels of FreeBSD. Oh, and SMP would be great, too, but according to the OpenBSD developers, that's not a hot project of theirs.

So until then, I still keep a watchful eye, and a PC in the closet where it belongs with the latest version installed as a toy to play around with.

Re:what happened?

[grub]

..when the holes in OpenSSH and -SSL were found.


The OpenBSD folks do make OpenSSH but not OpenSSL.

Re:what happened?

[Geekboy(Wizard)]

For a while there I wasn't sure they'd ever get another release out

Every 6 months, right on schedual. There was a release last May, one last December, the June before that, December before that, etc, etc, etc.

What are you waiting for?

> What are you waiting for?

SMP Support.

Re:What are you waiting for?

[__past__]

>> What are you waiting for? >SMP Support. Native Java.

New songs too...

[millert]

The 3.2 song is available via ftp from:
ftp://ftp.openbsd.org/pub/OpenBSD/songs/
ftp://ftp.usa.openbsd.org/pub/OpenBSD/songs/

(other mirrors have not caught up yet)

The lyrics are available from:
http://www.openbsd.org/lyrics.html#32

Most Secure OS

[SirGeek]

According to this article the most secure OS were SCO Unix, Mac OS and Tru 64.

Re:Most Secure OS

[aridhol]

I looked at that article, and couldn't find any real numbers in it. They grouped the *BSDs together, so you can't tell where OpenBSD fit, but probably a small fraction of the 9% for BSD in general.

Re:Most Secure OS

[jfedor]

According to this article [mi2g.com] the most secure OS were SCO Unix, Mac OS and Tru 64.

That depends on what you mean by most secure. For me it's very important how fast they fix the bugs. And remote holes are much more important than local ones (I don't have local users I don't trust).

-jfedor

Re:Most Secure OS

[TheOneEyedMan]

But they don't weight the percentages by number of users.
"Most of the known software vulnerabilities announced in 2002 affected Microsoft Windows (44%) followed by Linux (19%), BSD (9%) and Sun Solaris (7%). By comparison only 0.5% of the vulnerabilities announced in 2002 affected SCO Unix, and 1.9% affected Mac OS and Compaq Tru64 systems respectively."

It might be that no one is noticing mac or BSD flaws beacuse many fewer people care. A straight line weighting doesn't make sense either. We should expect a diminishing marginal return on eyeballs. The point is that this overstates Linux and Windows bugs and understates the others(actually I don't know usage rates on Linux but I assume it is the third most used OS.)

Re:Most Secure OS

I don't have local users I don't trust

you have users you can trust? god, do i want your job.

my users can't be trusted to follow the simplest directions. EVERYTHING better be automatic and iron-clad or they will find a way to break it.

Re:Most Secure OS

[Daleks]

This pattern is mirrored by the overt digital attack data collected for 2002, which demonstrates this has been the worst year on record with 57,977 attacks having already taken place. The most attacked operating system in 2002 has been Microsoft Windows with 31,431 attacks (54%) followed by Linux with 17,218 attacks (30%), BSD (6%) and Solaris (5%). Apple Mac's OS suffered only 31 overt digital attacks, ie, 0.05% of all attacks in 2002 although Apple Mac has roughly 3% of the world's computer market share. SCO Unix suffered 165 digital attacks (0.2%) and Compaq Tru64 suffered 10 attacks (0.02%).

The above uses attacks per overall attacks as the rating for the OS. What should be done is OS specific attacks per installed machines running the particular OS.

MA -- machine attacks
TA -- total attacks
MI -- machines installed
TI -- total installed

The article gives MA/TA, but we want MA/MI. MA/MI gives the vulnerability of a particular OS seperated from the quantity of attacks. I don't know the total number of installed computers, but say it's 10,000,000. Then the MA/MI for Mac's is:

10,000,000 * 0.03 = 300,000
31/300,000 = 0.000103

So about 0.0103%. By contract look at the Windows numbers. Suppose Windows has 75% market share.

10,000,000 * 0.75 = 7,500,000
31,431/7,500,000 = 0.0041908

So about 0.41908%. These numbers show what percentage of installed machines will be affected instead of what portion of all attacks they represent. Another way to think about it is say you have 1 machine running CrappyOS and that machine is attacked. It will only represent 1/57,978 hacks performed in 2002. By contrast MA/MI will be 100%, meaning that every single machine running CrappyOS was hacked.

Numbers don't lie, people do.

Re:Most Secure OS

[styrotech]

According to this article the most secure OS were SCO Unix, Mac OS and Tru 64

I would've thought that based on the number of reported vulnerabilities in the last year (ie the flawed evaluation in the article), Windows 3.1 could also be regarded as one of the most secure OSes.

MacOS (pre X) didn't have any services that listened on TCP/IP, and the other two don't have anybody trying to crack them anymore (or fix them for that matter).

Re:what happened?

[LordHunter317]

The OpenSSL holes have nothing to do with OpenBSD, they are built by a seperate team. 3rd party auditing of the source (which is what OpenBSD does for stuff it doesn't directly develop) won't find everything.

The OpenSSH hole was to be expected, and was long past due. No software is perfect, this just proves it. Face the facs, it'll happening sooner or later.

I don't see what you mean what gee-whiz hardware. Hardware support is still pretty far down on the list, and even my new system is about 80%% supported at best. Security is still the critical issues, but the development teams is humans, and humans miss things.

Flashy features? Again the same thing. The reason I use OpenBSD is because it isn't so darn flashy. That and it just runs.

Path to shame? I think the 3.0 series has been the best yet, and the most innovative. I think it will continue to be too.

Re:what happened?

[c13v3rm0nk3y]

For a while there I wasn't sure they'd ever get another release out...

This puzzled me. I've been running an OBSD router since 2.6 (and we've been running it at work since 2.8). The releases have been coming out pretty much every 6 months, haven't they?

I upgrade about once a year, so I often skip releases, but I think they've only missed the release dates a few times, and only by a week or so.

Bugs will be found, which (of course) is the point of the OBSD project. I just don't see any shame in that. Lot's of organizations get compromised. The real test is how the organization reacts and recovers.

*shrug* From my POV, the releases have been getting better and better. I can't imagine running anything else as an edge box.

Of course, I may be wrong. Even openbsd.org runs Solaris!

And there's a new song, too

[jfedor]

ftp://ftp.openbsd.org/pub/OpenBSD/songs/song32.ogg (please use a mirror)

This time it's a Bond-movie theme, which matches the new logo.

-jfedor

Official 3.2 CD and Poster available too

As for the OpenBSD project, there are some nice 3.2 goodies you can order them now

Support the OpenBSD developers by getting a
3.2 CD $40 or for Europe EUR 45

The new new 3.2 poster is very nice too, get it for
$10 US or EUR 14 in Europe The European size is 70x100 cm

Platforms

[hearingaid]

Other comments have mentioned the security/performance tradeoff, so I won't go into that.

Part of the difference with OpenBSD is that it runs on way more platforms than FreeBSD does. It's not as many as NetBSD (its parent) but it's a lot closer to NetBSD than FreeBSD.

Still won't boot above 8 Gig

[LM741N]

I've been wanting to install OpenBSD on my laptop but it seems like its the only OS that can't have its boot loader above 8Gig on the HD. This is a major shortcoming as far as I am concerned.

Re:Still won't boot above 8 Gig

[c13v3rm0nk3y]

Well, this is a hardship only because you want to dual-boot, I'm guessing. Otherwise, you just partition and mount so that / is on the first 8Gb slice.

There are third-party boot managers that do magic to allow booting to happen from almost anywhere, for almost any OS. I don't know if it works with OBSD or not.

I've only run OBSD stand-alone on headless edge boxes, so I've never worried my pretty little head about the 8Gb limit. I'm assuming most folks who pay for the CDs every 6 months or so feel the same way. Well, that and the stickers. The stickers rule.

Re:Still won't boot above 8 Gig

[LM741N]

Hi,

No, OpenBSD is unique. You have to plan for OpenBSD before you ever install a multiboot machine. The only way to get it to work is to put a small boot partitiion near the beginning of the disk. Unfortunately, thats not how most people end up installing OS's. First Windows, then Linux or something, then another OS, sequentially installed over time. I'd like to try OpenBSD, but I've put so much time into getting my -stable and -current FreeBSD partitions right, that I just can't redo the whole computer.

Re:what happened?

[aridhol]

Of course, I may be wrong. Even openbsd.org runs Solaris!

If you read their FAQ, you'll see that the reason they run Solaris is bandwidth. OpenBSD.org gets their bandwidth by running on SunSite at the University of Alberta. They don't control their own server.

Re:what happened?

[Jeppe+Salvesen]

They are pretty vocal about all their code audits, but the buffer overflow in OpenSSL should have been detected using grep.

Re:Minimum hardware requirements?

[fmbraga]

You'll need at least 32MB if you will install OpenBSD. Could be 16MB, but you'll have to turn swap on during install, as the Installation Guide will tell you.

Just be careful to read it, and you'll be running OpenBSD in less than 20 minutes.

Re:Too bad

[glenstar]

I've ran Obsd 3.1 on it, and even with 320 meg of ram, its still quite slow...

??????

What in the name of all that is holy are you running to make OpenBSD run "slowly" on a Sparc (even an old Sparc2 or even IPC) with 320MB? Although I prefer NetBSD over OpenBSD, they tend to both be *very* fast and lean.

Can you fill us in... I am very curious.

New PF syntax info

[sedawkgrep]

Does anybody have a link to the description and uses of the improvements made to pf?

The complete 3.2 errata has numerous mentions of improvements, including antispoof and better handling of inappropriate/nonsensical statements. A more thorough explanation is what I'm hoping to find.

Thanks!
sedawkgrep

Re:New PF syntax info

[cant_get_a_good_nick]

From the openbsd man pages:
pf.conf(5)
pfctl(8)
pf(4)

6 months

[azimir]

6 Months,

Every 6 months there is an OpenBSD release.
Every time they add .1 to the release number.
It is a simple as that.

Re:Say wha?

[jmu1]

I'm not quite sure, but i do know that sprint's connection to uunet in atlanta was starting to get banged on pretty hard. Here's a link i use daily to check connections: link

If you're in the SE US you might have had a bit if difficulty getting through. Then again... they did just move.

yes, we need SMP

[mainmain]

BSD is great, but it's just not going to make inroads into the server market without SMP. It's fine for us amateurs with racks at home and 384k upload at best, but for business that really need to crank it up, OpenBSD falls short.

What's great about Open over Free (and most Linux distros) is simply that one can go from zero to installed, up and running in no time flat. The need to secure the OS is minimal (though as another said, why portmap and why inetd?), which also greatly reduces time to production. And no worries about all of those "extra" packages that one doesn't want installed that get installed whether you like it or not, and then having to find a way to yank them out.

That said, yes, I pre-ordered my CDs.

Jud.

Re:yes, we need SMP

[bmajik]

There's little reason for SMP in openbsd

1) It makes security that much harder. Think /tmp race conditions are bad ? How about race conditions in the kernel ? How about the fact that not even Intel is consistent in their docs on how two x86 chips re-order operations and maintain cache coherence in some situations.

2) 99% of the software on openBSD is fork/exec anyway. You might as well use assymmetric multi-processing, or, better yet, buy 3 uni-proc boxes for the price of a dual proc box, and partition your load accordingly.

Re:yes, we need SMP

[bmajik]

it gets modded up because its right

point 1 came straight from theo's email a couple years ago

re: point 2:
apache is fork/exec only until you get the hybrid MPM for apache 2.0 (which doesn't work)

I'm a huge advocate of pthreads - and i suspect i've written more high performance MT apps than you have. But SMP+a solid user space threads implementation on top of SMP is hard to do, and will complicate openBSD needlessly, given the sort of work its usually employed in..

Re:yes, we need SMP

[bmajik]

Well, im not saying openbsd will make inroads into the server market, but regardless, i dont feel that lack of SMP is confining openBSD.

I beleive the largest commercial deployment of *bsd boxes is Yahoo, using freebsd, and i seem to recall most of those are uni-proc machines (but i could be wrong on that)

In any case, like i said, for the type of apps that exist on openbsd _today_, its cheaper to just get multiple uniproc boxes and distribute the load (either manually with a junior admin babysitting, or automagically with some clever automation).

it is highly unlikely that pf, for instance, would get faster with SMP, as that would be an extensive re-gutting of the bsd kernel to make it highly re-entrant (i.e. interrupts being serviced by all cpus, and so on)

look how long its taken linux to try and not be a joke in the smp world. look at the system call latency that solaris and NT take on because of their highly SMP-friendly architectures..

you're right, i shouldn't presume who's done what. I was merely pointing out that i _like_ SMP and i _like_ MT programming, but in the case of OpenBSD, i feel it adds nothing but complicates much. I'd prefer to have a mature SMP implementation (solaris) running whatever MT apps i have behing a mature security product (openbsd)

OpenBSD based floppy firewall?

[minipunk]

Anyone know if one exists? Please send URL!

Re:OpenBSD based floppy firewall?

[Transcendent]

microbsd.net

not quite OpenBSD, but it's a BSD that fits on a coupla floppys.

Re:OpenBSD based floppy firewall?

[Electrum]

Try ClosedBSD, a FreeBSD based firewall. It rocks.

Re:Waiting for..

[nurb432]

How about just non-offical images? Then send in a couple of bucks to Theo.

Yes i realize you can isntall over the wire and then create an image, but not when you are on a slow link.

Re:SMP support

[a+(+h+3+r+0+n]

That's great! I'm sure they'll be happy to accept your code to further the SMP cause. That is, unless you code like you spell.

The real Release notes:

[fries]

... couldn't make it through the 'Lameness filter'.

Please go to http://deadly.org where they did make it through.

OpenBSD use.

[azimir]

Warning: OpenBSD camp follower talking!

It has been over two years (since 2.7, actually) since OpenBSD sucked me in with its simplicity, security and *good* documentation.

In that time I have never started Xwindows on an OpenBSD machine. There is no need.

OpenBSD has been a solid firewall, router, bridge, MX, DNS server, NIS, NFS, Web, SSH/SCP/SFTP machine with nary a GUI to be seen.

With 3.2 they have finally done superb work with locking down services. This is even extended to services that are not on by default, such as apache. They have also gotten right of that annoying /etc/nat.conf file! Time for a round of upgrades.

Re:OpenBSD use.

[rplacd]

OpenBSD has been a solid firewall, router, bridge, MX, DNS server, NIS, NFS, Web, SSH/SCP/SFTP machine with nary a GUI to be seen.

(emphasis mine)

Some would count the lack of a GUI as a downside. Don't knock GUIs -- even web-based ones. They can really help out with the easy stuff. And since it's a Unix, you can always pop up a shell window to do the more complicated stuff.

Check out Mac OS X for an example of this.

Re:what happened?

[alsta]

"The OpenSSL holes have nothing to do with OpenBSD, they are built by a seperate team."

Really? I thought the OpenBSD team built OpenSSL for use with OpenBSD and OpenSSH. Or do you mean that the OpenSSL team writes OpenSSL and Theo & Co. build it?

"3rd party auditing of the source (which is what OpenBSD does for stuff it doesn't directly develop) won't find everything."

I thought the whole point that is touted with the code audits is that they don't let any bugs in. And to further develop on this statement, you're suggesting that having source code doesn't help any with finding bugs? I didn't know that Ballmer was right all this time.

"Face the facs, it'll happening sooner or later."

Latin factum, from neuter of factus, past participle of facere. A fact is something that has happened, not something that will or may happen. Anything that will or may happen coincides with assumptions and probabilities.

"I think the 3.0 series has been the best yet, and the most innovative. I think it will continue to be too."

Are you for real? Are you telling me hat software becomes better and/or more functional with time?

Please provide .iso's

[dazdaz]

People always get annoyed with this, however we would like .iso's of OpenBSD. I believe the philosophy is flawed in that .iso's are not made available so people have to purchase the cd's which helpds fund the project. However this limits the distribution of OpenBSD. If anyone could download an .iso, become familiar with OpenBSD, the userbase would be larger and therefore more people would purchase the official CD's.

What do others think?

Re:Please provide .iso's

[c13v3rm0nk3y]

In my experience, if you provide an ISO, nobody buys a CD, and they just burn the ISO. With OBSD, at least one person buys a CD, and all his/her friends copy that.

This helps OBSD make exactly one sale, instead of none.

Seriously, I don't know. There isn't much incentive to buy OpenBSD CD sets (or any free OS, for that matter) in the first place. Giving the CDs away is just not going to help that, if you ask me.

Then again, I've bought few CD sets myself; I usually just get a few t-shirts and install via FTP and/or create my own ISO.

Re:Please provide .iso's

[ostiguy]

ISOs are wasteful for OpenBSD. With the boot floppies images, and 3-5 .tgz's totaling 40ish megs, you can have a fully functional firewall box. Even if you were installing X, and other desktop oriented niceties, there are 10ish .tgz in total, probably not eclipsing 200megs altogether. If they hosted ISOs, that is a 600 meg download.

OpenBSD has a CLI, but clean install routine. If you read the install directions, anyone can successfully install it via ftp, with only 50-200megs of net traffic.

Finally, they put in a ton of effort to have great man pages. Thus, the support base expects you to read before asking questions. Therefore, if you aren't willing to read the install guide to do a ftp based install, you aren't going to have much luck with the OS and its support community.

ostiguy

Re:Please provide .iso's

[Roadmaster]

Maybe Theo meant it as a filter; if a user can't install without ISOs then he's not worthy of using OpenBSD. :)

Seriously, making your own OpenBSD CD is not that hard; you just download the files, the boot floppy images, then boot with that floppy, check the path in which it looks for the installation files, and then make a CD with files in that path and using the boot floppy image as your El Torito boot image. I've been doing it since 2.9 and it works like a charm. I put all the files on CD anyway, to save HD space on our server, and making it so that the CD was bootable and could be installed from was obvious and simple.

Re:Please provide .iso's

[Cadre]

What do others think?

The installation is easy. People who beg for ISO's are too lazy (or stupid) to do a simple: dd if=floppy32.fs of=/dev/rfd0c bs=32k (or fdimage -q floppy32.fs a:) to make a bootable floppy.

Seriously, that fact that ISOs aren't available really helps to cut down on all the newbies posting to OpenBSD forums who need their hand held through everything.

Re:Please provide .iso's

[aschlemm]

Seems like all those users that whine about there not being ISO images can't even bother to go visit the OpenBSD website and read any of the online documentation that is available there. I've done several FTP based installs myself and it only required me to make a boot floppy. Once you have a running system you can download all of the source via AnonCVS and compile your own OpenBSD release and burn your own CDROMs of it if you want.

One thing that is different about OpenBSD is that the patches are released in source code form and so you have to compile the system yourself to keep it up to date. I keep an up to date source code tree of the latest OpenBSD stable release and with a couple of shell scripts that automate the process I've been building my own OpenBSD releases for a while now. I even put together a old PPro 200 system that I use as a dedicated build system. I download the created tarballs from my build system and use them to update my live BSD systems when I need to.

Re:Please provide .iso's

[be-fan]

Not necessarily laziness. In my laptop, for example, I don't HAVE a floppy drive. Haven't used one in years. Of course, I could use the floppy image to boot from a hard drive (yes, it does work, thanks to grub) but that's probably asking just a bit too much...

Re:Please provide .iso's

[Bishop]

Debian installs require a few too many floppies for my likeing. Where "too many" is more then one. Hence I make bootable CDs with drivers.tgz and basedebs.tgz. I would prefer if Debian.org supplied a minimal boot cd so that it would be tested with the rest of the installer. (However I am not willing to become the maintainer so I can't complain.)

Re:Please provide .iso's

[grub]

..we have a community that is so elitist that they come down like the mighty hammer of God on anyone who isn't already an expert. Something could be more user friendly? That's because it's for experts only.

Nonsense. Years back when I went from Linux->FreeBSD I searched a lot, read a lot and experimented a lot. Ditto when I went from FreeBSD->OpenBSD. There is a boatload of information out there, unfortunately people run onto the mailing lists immediately after an install with questions answered in the FAQs, the manpages (which are superb) and via any search engine. Many then have the balls to say "Oh, I'm not subscribed to the list, mail me privately." Does this sound like someone wanting to truly learn a new OS? No, they want a free OS with 1-800 24x7 support.

The bottom line as I see it is this: Developers are not there to hold anybody's hand, the mail lists are not there to do one's homework, nor are there to act as one's "google proxy"

Re:Well, I'm waiting for a downloadable iso

[Richard_at_work]

Already have 10 copies on order :)

Re:Well, I'm waiting for a downloadable iso

[Richard_at_work]

So i can pass on the cds. If i just buy one copy and donate money, then i cant spread the cds around can i? (what with the cd layout being copyrighted, rightly so)

Same horrible fdisk and disklable process?

[LM741N]

I've installed OpenBSD about 10 times now, and I've always been amazed that they've kept the just terrible disk partitioning and labeling scheme for the install. Does the new release have any new features in that area? If not, please just steal some code from FreeBSD or somewhere! Then I won't have to use a calculator to do an install :) :)

Re:Same horrible fdisk and disklable process?

[dazdaz]

I often wonder if it's kept in order to keep an element of elitism attached with OpenBSD. Afterall look what happened to Linux.

Re:Same horrible fdisk and disklable process?

[psxndc]

No offense man, but by the 10th time you should have figured out you can use "M" and specify megs for partition size. Accept the default locations on the disk and guestimate in MB on what you need for /, swap, /tmp, /var, /home, and use the rest for /usr. Each time you add a partition, it will place the start of it after the end of the last one. Easy as pie.

Yes, the disk partitioning is the least intuitive part of the install, but it only took a complete newbie like myself a few times (3, maybe 4) to feel comfortable with it so I think you might have missed something in the documentation. I was using "Building Linux and OpenBSD Firewalls" at the time as well, but it's all there on the screen for you.

psxndc

Re:Same horrible fdisk and disklable process?

[be-fan]

It's also been overrun be newbie users who are trying to turn it into Windows. I'm not saying that new users are bad, and I think it's good that Linux has become succesful, but I just wish that new Linux users would take some time to understand the culture attached OS before trying to change it. It's like they say, when in Rome, do as the Roman's do. Instead, many people are just acting like so-called ugly-Americans.

Re:Same horrible fdisk and disklable process?

[be-fan]

Don't get me wrong. I don't think that Linux has changed yet. And personally, I love KDE. It's not even that a lot of "unenlightened" users are switching to it. It's just that a lot of people come into Linux expecting it to be exactly like Windows, and then complain when its not. They don't respect the culture attached to the OS, and that's what peeves me.

Re:Threading issues resolved?

[cheezedawg]

Without MP, his claim that the kernel was "hitting two processes at the same time" doesn't make any sense.

if you have the bandwidth for isos you have it for

[waspleg]

1.44 floppy net-based installs, which is what i usually use and i've been using openbsd since 2.5

just because there are no "Official" iso's does not mean that they are not available from "Unofficial" sources just look around but you really should support hte project if you can

(the t-shirts/posters/stickers are all cool and the later can only be found w/ the official cdrom distribution)

my personal server (which is used primarily for NAT and personal ftp) has been running OpenBSD for years and it's certainly hte most elegant and simply designed UNIX based system that I've ever used and is far more intuitive and secure than Linux (which i have also dealt with since '95 and presently have a debian desktop machine running under my desk so no flames please) by default.. anyway my $.02

here is a link to the floppy internet based install instructions: http://www.openbsd.org/faq/faq4.html#Media

Re:Still won't boot above 8 Gig - Clueless AC

[c13v3rm0nk3y]

...and yet we still get idiots whining about completely useless crap like this monk3yboyCRAP...

1. I posted a reply about the 8Gb limit for the OpenBSD boot partition in, not the original posting. You might want to re-read the thread. This time, take a moment to read the words contained therein. They contain ideas. Some ideas require you to think.
2. I already pointed out that most folks use OBSD as an edge server, and that the 8Gb limit is not so important for the intended audience. See point #1.
3. You are an idiot. Yet another clueless AC.

I hate it when I get all testy. I get modded down.

Re:Well, I'm waiting for a downloadable iso

[Richard_at_work]

Yes this is true, tho as i do quite a few installs in buisnesses, i tend to feel a lot more secure in having a fairly up to date physical install media to hand jsut in case i dont have a high bandwidth connection. Plus with 3.1 you got decent stickers, which i know i enjoyed :)

The other reason i purchase a cd rather than download a iso made by someone is it seems to me to be rather a wierd thing to do. Go for a secure distro, then download a iso from someone you have never met, dont know how they are connected with teh team and therefor can be adding god knows what to the install. So peeps, either do a net install, or buy the cds. Please :)

Re:Waiting for..

[Pinball+Wizard]

How does buying OpenBSD support Windows 2000?

Well for one thing, the packet filter has a feature that turns away Code Red(and similar malformed data/buffer overflow attacks) before they can harm your precious Windows machine.

In all likelyhood, an OpenBSD firewall will protect Windows machines from vulnerabilites that have yet to be exploited.

Re:*BSD

[c13v3rm0nk3y]

Write once, test everywhere...

You better believe it. The development work to make yet another port is pretty easy (except for the OS/390 -- that was especially fun) but the QA is crazy.

Well, we do have a chunk of native code that the Java hangs off of, but that is very POSIX, so we usually don't run into problems there.

Re:OpenBSD questions

[BitHive]

Quoth Daniel Hartmeier, the author of pf:

To prevent attackers from tearing down connections, for instance with spoofed RSTs, the packet filter checks the sequence numbers in each TCP packet. Only the two peers involved in the connection (and the hops in between them) know the right sequence numbers, as initial sequence numbers are generated randomly (or should be, rather, but pf can also randomize sequence numbers for hosts that have predictable ISN generators).

The goal in sequence number comparison is to allow only a minimal window of values through. This is not as easy as it may appear from studying perfect examples of TCP connections. In reality, packets can get lost and are retransmitted, packets take different routes and may arrive in different order than they were sent, etc.

Guido's work shows how to keep lower and upper bounds on the sequence numbers given only the (incomplete) information the packet filter has, with a precision and beauty similar to the one you can find in a mathematic proof.

Re:Waiting for..

[Shanep]

Yes i realize you can isntall over the wire and then create an image, but not when you are on a slow link.

Actually, I just finished downloading OpenBSD 3.2 for i386. It stopped while I was sleeping so it could have come faster if my 56k ISP didn't have a time limit for dial-up connections.

Just grab the i386 directory with "wget -cr ftp-or-http...", burn it to /3.2/i386/ as a bootable CD using cdrom32.fs as the boot image.

You now have an i386 bootable OpenBSD 3.2 CD with just a 121MB download. If you don't want a GUI, you could omit the downloading of anything that starts with x to make it an even smaller download (67MB).

You could download the system and kernel sources, ports and packages if you want too...

I just did it over 56k no problem. I still like to buy OpenBSD CD's though. Now I'm off to get macppc and mac68k (my CD will also be macppc bootable)...

Re:Waiting for..

[Shanep]

Forgot to mention. My favorite method is to copy my OpenBSD downloads to my iBook, served as http with Apache when required I do local network installs where ever I need to take it.

Network installs are really nice, and doing it with just a floppy over a fast internet connection is excellent too.

I love OpenBSD. It's so clean it's clinical. The only time my OpenBSD machines have down time is when I'm upgrading them to the latest releases or patches.

Re:I DO think so....

[evilviper]

Well, keep laughing... Ever heard of chroot, privlidge seperation, and systrace?

OpenBSD is what you make of it... If you set everything SUID it's certainly not going to be very secure, but you can secure an OpenBSD system extremely well if you want to do so.

Stick that in your VMS pipe and smoke it!

Re:Still won't boot above 8 Gig- IDIOt

[grub]

OpenBSD is a SERVER operating system. 99.99999% of the people using OpenBSD use OpenBSD as a SERVER

Rubbish.

The OpenBSD ports tree, while not as brimming with goodies as FreeBSDs, has loads of software for use on the desktop.

My desktop *NIX boxes at home and work are both OpenBSD with lots of decent software installed via ports. I hardly think that developers would bother making a port of only .00001% of the users would use it. In fact a number that low would be a partial user. Perhaps a finger or two.

Signed files? MD5s?

[piranha(jpl)]

I appreciate OpenBSD a lot; I use it on one system at home, and plan to do two more OpenBSD installations. There are some really cool things, like systrace, that aren't available for Linux yet.

That said, how can I trust that my copy of the "world's most secure operating system" hasn't been tampered with? OpenBSD does not sign their files with PGP, GnuPG, or OpenSSL (yes, the latter has been suggested on lists). OpenSSH does. Why can't OpenBSD?

The ports tree, the kernel source, and the rest of the base source (ports.tar.gz, srcsys.tar.gz, and src.tar.gz) don't even have published MD5 hashes (but the archetecture-specific binaries do). The source matters, because (aside from using potentially unstable snapshots binaries) you need the source to apply security patches as security issues are discovered.

For an OS with such a focus on cryptography "because we can", I don't see it being used where it counts. (I've written to the misc list, and only received one response. I've filed a bug report and have received none.)