OpenBSD 3.2 Available

fredrikv writes "Right on time, the files defining OpenBSD 3.2 have moved away from "snapshots" to the 3.2 directory of the OpenBSD mirrors. It is well known as the world's most secure operating system and now sports chroot'd Apache, fewer suid binaries, cool pictures for xdm-logins, a brilliant "antispoof" packet filtering rule and as usual includes lots of small updates and fixes. The files are there. What are you waiting for?"

What Am I Waiting For?

[Zech+Harvey]

Common Criteria certification so it can be just as secure as my Windows 2000 boxen!

Re:What Am I Waiting For?

[liquidsin]

Well, it's only at version 3.2. I'm guessing version 3.3 would be like the third service pack of version 3, and it seems you can't get certified until SP3. I'm sure they'll get there soon enough.

Well ..

[Mr_Silver]

The the files are there. What are you waiting for?

5:30pm, 8 pints of lager, one dodgy kebab and a chance to yet again make a piss poor attempt to chat the attractive barmaid up.

Well you did ask!

Re:Well ..

[SirSlud]

> to yet again make a piss poor attempt to chat the attractive barmaid up

barmaids get slashdotted by drunk guys every night. i recommend you search your neighbourhood for a mirror so you can have all the bandwidth to yourself.

Re:Well ..

[$rtbl_this]

...i recommend you search your neighbourhood for a mirror...

Surely this would only work if you were a hopeless narcissist.

Re:Well, I'm waiting for a downloadable iso

[LordHunter317]

Download the sources. Burn on a CD. There you go.

IF oyu want it bootable, that's also fairly easy to pull off as well. Just have it boot to the floppy image.

Otherwise, buy a CD.. we need the money.

Re:FreeBSD

[c13v3rm0nk3y]

I've always been a fan of FreeBSD. How does OpenBSD compare?

Try this link. There are a bunch of FAQs, some of them directly compare *BSD, Linux &etc.

Re:FreeBSD

[CoolVibe]

Depends on what you want to do. FreeBSD is better suited as a workstation or a high-performance server. OpenBSD does great for bastion-hosts and firewalls.

It's good, but not that good

[ryanvm]

It is well known as the world's most secure operating system

Whoa, partner. Sure OpenBSD is designed with security in mind, and as far as the BSDs go (which are generally pretty secure in their own right), it's probably the tightest. But it's quite a leap to say that OpenBSD is the most secure operating system in the entire world.

I don't know which OS would get that "award". But I'd have to believe that it'd be something obscure like a tiny, embedded, OS the NSA uses in their crypto equipment or some such.

Re:It's good, but not that good

[LordHunter317]

Bullcrap. We just had to put in a patch to cover a buffer overflow/memory leak issue in UCX For OpenVMS. We know it caused buffer overflow issues becuase we could bomb Sybase sending it large amounts of data. Now there may be no OS-level overflows, but your statment is just ludicris. Our code is one walking buffer-overflow. Kernel != System, and just because the kernel is secure doesn't mean the system is.

Otherwise, I tend to agree, but OpenVMS is bi*ch to configure.

Re:It's good, but not that good

[PapaZit]

NetBSD is (as far as I know) the ONLY one of the BSDs that ships with NO open services in the default install.

Y'know how OpenBSD used to brag about "X years without a remote root exploit in the default install"? These days, it's NetBSD that carries the "longest since remote root in default" banner, and they'll continue to have it (though they're a bit to understated to brag about it) until OpenBSD turns off incoming SSH and RPC.

Think that's a silly argument? Check your nearest OpenBSD box. Is it running RPC? Does it need to be? Isn't "turn off unnecessary services" one of the fundamentals of securing a box?

I don't think so....

[Dr_DTHP]

>[OpenBSD is] the world's most secure operating system

Hear that sound? It's the VMS users (all 8 of them, currently, unless Fred's VAX killed his mains power again and he switched to OSX) choking on their lunches in laughter.

Re:I don't think so....

[MAXOMENOS]

What you don't hear is the thousands of OS/400 users quietly chuckling to themselves. "Kids..."

Re:I don't think so....

[R.Caley]

[OpenBSD is] the world's most secure operating system

It's well known that MSDOS is the world's most secure operating system.

No network access and so completely secure from remote break in, and if anyone breaks in from the console there is bugger all they can break and no one cases what they do anyway.

Security by obsolescence.

Re:FreeBSD

[Ryvar]

Short Answer:
OpenBSD has less 'nice' functionality, slightly less performance tuning, and no SMP support.

On the other hand it has an extremely well-audited source tree (by largely the same developers as OpenSSH), SoftUpdates, the new systrace work, an excellent brand new packetfilter that has yet to fail to impress from either a security or speed standpoint . . .

OpenBSD isn't really so much the most secure OS in the world as it is in many situations the most secure OS on the x86. For most of us around here, that's probably close enough as makes no odds.

The last release (in a bug that affected the prior release as well) had an OpenSSH issue in the default installation that became the first remote compromise for the default installation in nearly 5 years of the operating system. Admittedly, most things are turned off by default (although I wish a few more - portmap, inetd). Because of this and a few other errata, 3.2 has been looked forward to for a long time.

To sum, you have a stripped-down no-nonsense OS with all of the unnecessary crap tossed out of the default installation and available as ports and packages to those that want it. The perfect OS for those who want a secure router, and/or single/few-function server. This isn't an appropriate choice if you need more than a commandline, really, and there's a fair amount of pride amongst the user community over that.

Re:*BSD

[c13v3rm0nk3y]

...is OpenBSD recommended as an internet server over all of the other distros?

Depends who you talk to ;)

A good place to start is here, to find out what the intentions of the OBSD project are. Then check out the OpenBSD Journal to see what people do with it.

My two cents: OBSD really shines as a secure inet server. Things like httpd, sshd, firewalling, bridging, routing. People do use it as a desktop, but IMHO it is not as desktop-friendly as FreeBSD. *shrug* I run it basically headless, as does everyone I know.

Then again, a cutting-edge desktop system is not a primary concern of the OBSD project.

Re:I'm waiting

[questionlp]

Maybe not quite what you are looking for, but there is the infamous Linux Compatibility mode for OpenBSD (as well as FreeBSD and NetBSD) that will allow you to run many Linux applications. OpenBSD also supports the Ext2 file system (again, same with FreeBSD and most likely NetBSD).

Re:*BSD

[c13v3rm0nk3y]

Java 1.3 is not "production" ready on any BSD, AFAIK. I've looked into this quite a bit, and even ported an app to FreeBSD.

They have recently been blessed by Sun to provide a native version of the JDK (the previous versions ran in linux_compat mode), but it is not considered production-ready by the developers.

Our customer threw caution to the wind, and has been running our app for a year or so now on FreeBSD. So far, so good. We _did_ QA it. Sheesh.

OpenBSD Java support is still (again, AFAIK)) a tweakers domain. If you need official J2EE, go with Linux (or one of those "others").

Re:what happened?

[grub]

..when the holes in OpenSSH and -SSL were found.


The OpenBSD folks do make OpenSSH but not OpenSSL.

Most Secure OS

[SirGeek]

According to this article the most secure OS were SCO Unix, Mac OS and Tru 64.

Re:what happened?

[LordHunter317]

The OpenSSL holes have nothing to do with OpenBSD, they are built by a seperate team. 3rd party auditing of the source (which is what OpenBSD does for stuff it doesn't directly develop) won't find everything.

The OpenSSH hole was to be expected, and was long past due. No software is perfect, this just proves it. Face the facs, it'll happening sooner or later.

I don't see what you mean what gee-whiz hardware. Hardware support is still pretty far down on the list, and even my new system is about 80%% supported at best. Security is still the critical issues, but the development teams is humans, and humans miss things.

Flashy features? Again the same thing. The reason I use OpenBSD is because it isn't so darn flashy. That and it just runs.

Path to shame? I think the 3.0 series has been the best yet, and the most innovative. I think it will continue to be too.

Re:what happened?

[c13v3rm0nk3y]

For a while there I wasn't sure they'd ever get another release out...

This puzzled me. I've been running an OBSD router since 2.6 (and we've been running it at work since 2.8). The releases have been coming out pretty much every 6 months, haven't they?

I upgrade about once a year, so I often skip releases, but I think they've only missed the release dates a few times, and only by a week or so.

Bugs will be found, which (of course) is the point of the OBSD project. I just don't see any shame in that. Lot's of organizations get compromised. The real test is how the organization reacts and recovers.

*shrug* From my POV, the releases have been getting better and better. I can't imagine running anything else as an edge box.

Of course, I may be wrong. Even openbsd.org runs Solaris!

Re:security

[c13v3rm0nk3y]

It's pretty common to run a few releases back on important and complex daemons like BIND, or Sendmail.

There is little value in going to BIND 8 or 9 if it has not been audited by the OBSD team first. BIND 4 is well understood and the faults, warts and bugs are well-known. BIND 8 is still new enough that it is considered an unknown.

This is one of the downsides (if you consider it a downsid) of trying to be "secure by design".

Of course, OBSD is free, as in beer and as in speech. This means you can run a parallel box with BIND 8 or 9 (or whatever) yourelf until you deem it safe. The responsibility is now yours to maintain security on that chunk of the OS, but everything is a trade-off, especially in host security.

BIND 8/9 will eventually make it into a future release. 99% of us do not need it, however, and so having a well-known and secure BIND 4 implementation has more value for the rest of us.

Re:Still won't boot above 8 Gig

[c13v3rm0nk3y]

Well, this is a hardship only because you want to dual-boot, I'm guessing. Otherwise, you just partition and mount so that / is on the first 8Gb slice.

There are third-party boot managers that do magic to allow booting to happen from almost anywhere, for almost any OS. I don't know if it works with OBSD or not.

I've only run OBSD stand-alone on headless edge boxes, so I've never worried my pretty little head about the 8Gb limit. I'm assuming most folks who pay for the CDs every 6 months or so feel the same way. Well, that and the stickers. The stickers rule.

yes, we need SMP

[mainmain]

BSD is great, but it's just not going to make inroads into the server market without SMP. It's fine for us amateurs with racks at home and 384k upload at best, but for business that really need to crank it up, OpenBSD falls short.

What's great about Open over Free (and most Linux distros) is simply that one can go from zero to installed, up and running in no time flat. The need to secure the OS is minimal (though as another said, why portmap and why inetd?), which also greatly reduces time to production. And no worries about all of those "extra" packages that one doesn't want installed that get installed whether you like it or not, and then having to find a way to yank them out.

That said, yes, I pre-ordered my CDs.

Jud.

Re:yes, we need SMP

[bmajik]

There's little reason for SMP in openbsd

1) It makes security that much harder. Think /tmp race conditions are bad ? How about race conditions in the kernel ? How about the fact that not even Intel is consistent in their docs on how two x86 chips re-order operations and maintain cache coherence in some situations.

2) 99% of the software on openBSD is fork/exec anyway. You might as well use assymmetric multi-processing, or, better yet, buy 3 uni-proc boxes for the price of a dual proc box, and partition your load accordingly.

The real Release notes:

[fries]

... couldn't make it through the 'Lameness filter'.

Please go to http://deadly.org where they did make it through.

if you have the bandwidth for isos you have it for

[waspleg]

1.44 floppy net-based installs, which is what i usually use and i've been using openbsd since 2.5

just because there are no "Official" iso's does not mean that they are not available from "Unofficial" sources just look around but you really should support hte project if you can

(the t-shirts/posters/stickers are all cool and the later can only be found w/ the official cdrom distribution)

my personal server (which is used primarily for NAT and personal ftp) has been running OpenBSD for years and it's certainly hte most elegant and simply designed UNIX based system that I've ever used and is far more intuitive and secure than Linux (which i have also dealt with since '95 and presently have a debian desktop machine running under my desk so no flames please) by default.. anyway my $.02

here is a link to the floppy internet based install instructions: http://www.openbsd.org/faq/faq4.html#Media

Signed files? MD5s?

[piranha(jpl)]

I appreciate OpenBSD a lot; I use it on one system at home, and plan to do two more OpenBSD installations. There are some really cool things, like systrace, that aren't available for Linux yet.

That said, how can I trust that my copy of the "world's most secure operating system" hasn't been tampered with? OpenBSD does not sign their files with PGP, GnuPG, or OpenSSL (yes, the latter has been suggested on lists). OpenSSH does. Why can't OpenBSD?

The ports tree, the kernel source, and the rest of the base source (ports.tar.gz, srcsys.tar.gz, and src.tar.gz) don't even have published MD5 hashes (but the archetecture-specific binaries do). The source matters, because (aside from using potentially unstable snapshots binaries) you need the source to apply security patches as security issues are discovered.

For an OS with such a focus on cryptography "because we can", I don't see it being used where it counts. (I've written to the misc list, and only received one response. I've filed a bug report and have received none.)