Slashdot Mirror


OpenBSD 3.3 Released

An anonymous reader writes "OpenBSD 3.3 was released today, with many new features, including integration of the ProPolice stack protection technology, W^X ('write xor X') on sparc, alpha and hppa, privilege separated XFree86 and an incredible number of enhancements and stability improvements to the packet filter, pf, including address pools for reverse NAT/load balancing, ALTQ integration for network conditioning, and anchors/tables/spamd for spam tar-pitting. Information on the release can be found here and download sites are listed here. (Also, here's a handy way to speed up your DSL connection - prioritizing empty TCP ACKs and ToS low-delay traffic with OpenBSD 3.3's pf.)"

19 of 347 comments

  1. OpenBSD = Coordinated Innovation by coene · · Score: 5, Insightful

    I'm continually impressed by the amount of improvements in each new release of OpenBSD, the frequency of the releases (6 months), and the sheer amount of value that each new release brings.

    If anyone hasn't tried OpenBSD yet, give it a shot - you're certain to appreciate the quality that goes into it.

    1. Re:OpenBSD = Coordinated Innovation by JungleBoy · · Score: 3, Insightful

      I hope OpenBSD has gotten easier to use and install. It's not for the faint of heart. Last time I used it (2.something) post install configuration was nonexistent. It was like:

      "Here's some iron ore, build a truck"

      I can vi ascii files, but getting X running was an absolute chore, it was reminiscent of Slackware back in the 1.4 kernel days.

      --
      "You never know when some crazed rodent with cold feet might be running loose in your pants."
      -Calvin
    2. Re:OpenBSD = Coordinated Innovation by Stonent1 · · Score: 2, Insightful

      I hope OpenBSD has gotten easier to use and install. It's not for the faint of heart. Last time I used it (2.something) post install configuration was nonexistent. It was like: "Here's some iron ore, build a truck"

      I dunno, I've always found it quite easy. You've got about 5 or so tgz files that it downloads (I always do ftp installs) and decompresses them. I find it simple and clean.

    3. Re:OpenBSD = Coordinated Innovation by rifter · · Score: 2, Insightful

      They didn't have

      man afterboot

      then? (Incidentally one of the best man pages you'll ever read. Everyone should have one).

      And did they not have xf86config ?

      Seems unlikely, but then I have only ever used 2.8+ IIRC.

      The biggest hurdle for most people is getting around the idea of BSD "slices." But it makes sense and there are good reasons they did it that way. The installer and help are very good, actually. I would have to say OpenBSD has some of the best docs of any system out there, period.

    4. Re:OpenBSD = Coordinated Innovation by RLiegh · · Score: 2, Insightful

      I think that -regardless of OS- most /.'ers would agree with that sentiment.

      However, there's a difference between being able to do things the hard way, and having no option other than to do things the hard way.

    5. Re:OpenBSD = Coordinated Innovation by Arandir · · Score: 2, Insightful

      My problem is not that there's a single easily overlooked line in the FAQ that mentions an "afterboot". My problem is with the previous poster's attitude.

      "man afterboot" is hardly a common UNIX way of finding out about necessary post installation tasks. To expect everyone to know that it's there, even after reading every word of the FAQ, is assuming too much. It's all in the attitude. A simple "your answer can be found in 'man afterboot'" is much better than "I don't know what to tell you if you can't do that much without more hand-holding."

      --
      A Government Is a Body of People, Usually Notably Ungoverned
  2. Re:If Microsoft wants to steal... by Anonymous Coward · · Score: 3, Insightful

    Not really.

    Bearing in mind that security is, code flaws aside, one side of a balance between security and user features, OpenBSD, from what I can tell, more than pays the price for its security in lack of features. For example, Outlook is notorious for its security flaws. Most of these seem to stem from all sorts of abilities to run code embedded in emails. Did MS coders do this because they were stupid and forgot not to code in this feature? No, they did it because it is indeed a feature, when not abused.

    Obviously a lot of vulnerabilities just stem from coding flaws but, ultimately, a more secure OS is going to be harder to use. MS has chosen the balance they prefer and, apparently, have chosen correctly, from a business perspective.

  3. OpenBSD just makes sense... by LinuxParanoid · · Score: 5, Insightful


    Regarding various troll-slams on OpenBSD... I dunno, I'm using OpenBSD and it's great. Nowhere to go but up, as far as I'm concerned. FreeBSD and NetBSD don't have much of a value proposition in my book compared to mainstream Linux distros, but if you want a secure webserver (or network appliance) without having to patch the thing all the damn time, OpenBSD seems a heck of a lot better than any Linux variant.

    That said, I'm not dogmatic about this; it's just the conclusion I've come to based on the evidence I've seen so far.

    --LP

  4. Re:and still no SMP =( by dr4ma · · Score: 5, Insightful

    OpenBSD is built around being secure, not on high performance multiprocessor support for hosting huge database servers.

    Look at /. servers, the web server is a PIII 600MHz and the database server is a quad Xeon 550MHz system.

    Newer desktop systems are equal to the quad box minus the extra cache on the xeons.

    So, IMHO SMP support is not a huge deal and should not be for most sub 1000 user companies.

    --
    Privacy? Not in this lifetime.
  5. Re:would be nice by coene · · Score: 4, Insightful

    The primary install kernel (RAMDISK) does not have support for USB Human Interface Devices (HID). Use PS/2. I know it's a limitation, I've run up against it too. Once you get the OS installed, it will work with the USB KVM fine.

    Or, you could add USB HID support to the RAMDISK kernel on a spare box, and cd /usr/src/distrib && make, and install using the new floppy image.

  6. Re:Interesting feature - spamd by schwap · · Score: 4, Insightful
    - Probably questionable legality and ethics on that one, being a real tool in the battle against what some call 'free speech'.

    Probably 'Free Speech,' but the activity consumes the finite resources of a computer that costs the operator money in electricity, bandwidth, maintenance and access by customers and/or employees.

    There is nothing about 'free speech' that allows one entity to force another to be the carrier or receiver of the idea or message.

  7. Re:Why? by b0r1s · · Score: 4, Insightful

    1. The best reason is security. Even with the best planning crackers can sometimes reach the machine in question. OpenBSD has the lowest rate of bugs and security holes of any OS out there. Any serious problems that are found are usually patched within days instead of weeks.

    FreeBSD is a close second. The reason you hear so little about FreeBSD's security is that there is no concept of the 'default install', and thus, there's no easy way to tell what FreeBSD's security record would be if you did the default install. But, if you choose the absolute minimum, and configure it similarly to OpenBSD (which is quite easy to do, make sendmail start only on the loopback, set the same defaults for SSH, etc). It's not as secure by default, because there is no default.

    Moreover, anyone who installs services they don't need deserves to get hacked. Need a mail server? You're gonna get hit with the sendmail holes. Need SSH access? You're gonna get hit with the (1) OpenSSH hole. If you don't need the services, they shouldn't be enabled. You can mitigate the threat with firewalling (or hopefully, detaching it from the real internet), but chances are, the holes are going to be in the services you run and not in the OS itself.

    (You could argue that systrace can limit a lot of otherwise horrific vulnerabilities: fair enough. So does chroot() and jail())

    2. Stability. Like a rock. Even running the current branch, you will most likely not have any stability problems. Install, configure, and throw away the key. This is the first OS I've run that I can truthfully say is, besides any necessary patches, maintenance free.

    FreeBSD. More stable and FASTER.

    3. BSD systems are much easier to maintain than Linux yet just as powerful as a full Unix. The ports system is well kept up and easy to use and the filesystem is much less cluttered than in Linux.

    I agree. 'make buildworld; make buildkernel; make installkernel; reboot ; make installworld' is pretty nice too.

    --
    Mooniacs for iOS and Android
  8. Re:If Microsoft wants to steal... by Anonymous Coward · · Score: 1, Insightful

    The MS coders (or possibly some other people) were stupid and forgot to contemplate the security risks of their features. This is a design flaw, and not necessarily a coding flaw. However, it most certainly is a flaw. Masking it under the word feature is dismissive.

  9. Re:Interesting feature - spamd by skillet-thief · · Score: 2, Insightful
    There is nothing about 'free speech' that allows one entity to force another to be the carrier or receiver of the idea or message.

    They are free to speak, we are free to not listen or to not pass their messages on.

    --

    Congratulations! Now we are the Evil Empire

  10. Show your support! by terrencefw · · Score: 3, Insightful

    This is good news for the OpenBSD community indeed, but rather than downloading, you might consider buying the CD set from a retailer near you to fund further development. Given the recent funding issues, now couldn't be a better time to support this superb open source project.

    --
    Like tinyurl, but one letter less! http://qurl.co.uk/
  11. Re:Getting 0wn3d by runderwo · · Score: 4, Insightful
    Ironically, the skript kiddie hasn't been too careful, and he has left the PHP shell unpassworded and unprotected on his system. Running a uname -a through it shows that he's running a vulnerable kernel.
    Erm, careful. What makes you think this isn't some other innocent person's box that the kiddie owned in the first place, perhaps as a cover while building up a botnet by owning other boxes? After all, it has the same vulnerability he's trying to exploit on yours. He probably just got to it first.

    It's too easy to get on the wrong side of the law these days, and you might have a wrong target to boot. I wouldn't risk it.

  12. Re:and still no SMP =( by pmz · · Score: 4, Insightful

    OpenBSD looks fantastic and I was about to give it a whirl when I realized they don't support SMP.

    Consider what OpenBSD excels at and consider these questions:

    Does a firewall really need two 2GHz CPUs?

    How about a router, modest fileserver, or e-mail server?

    Considering the complexity that SMP would probably add to the kernel (race conditions, data integrity, etc.), it may be counter-productive towards the goal of uncompromising security.

    For bigger servers (4 or more CPUs) just run Solaris, FreeBSD, or Linux behind OpenBSD-based infrastructure. I think this is a tasty compromise.

  13. Re:Interesting feature - spamd by pmz · · Score: 2, Insightful

    They are free to speak, we are free to not listen or to not pass their messages on.

    When "speech" becomes effectively a Denial of Service attack, freedom of speech ends, IMO.

    Examples:

    SPAM -- literally reducing peoples' ability to communicate effectively. This hurts individuals and businesses. The cost to the recipient is real.

    Loud Music -- that bass pumping out of my asshole neighbor's house is not protected speech. It disrupts my family, my quality of life, my own attempts at speech, and is, like SPAM, bad for society.

    Graffiti -- it is vandalism and not art.

    There are the other classic examples like yelling "fire" when there isn't one. Burning a cross in someone's yard is, also, definitely not free speech.

    People who piss on other people's lives using Free Speech as an excuse are among the lowest examples of humanity. They deserve no sympathy.

  14. Re:Getting 0wn3d by jjackson · · Score: 2, Insightful

    You've got to be kidding me.

    Unless you spend all day chatting on IRC or playing UT2k3/NWN on your box and that is the best you can put it to use, having your system compromised can be very serious.

    Personally, I use my computers for my online banking, my business billing/invoicing system, not to mention the fact that I have quite a bit of sensitive personal and business information stored in spread sheets and oo.org documents.

    This type of thinking (getting hacked is no big deal, so I will be lazy about security) is a very good portion of why we have so damn many Internet Worms floating around and why the Internet is a playground for script kiddies in the first place.

    If you don't care about what happens to your box, do me a favor and disconnect it from the same world wide network that my boxes are connected to, please. I really don't want you contributing to the next time my company gets hit with a DoS or something similar.