OpenBSD 3.3 Released
An anonymous reader writes "OpenBSD 3.3 was released today, with many new features, including integration of the ProPolice stack protection technology, W^X ('write xor X') on sparc, alpha and hppa, privilege separated XFree86 and an incredible number of enhancements and stability improvements to the packet filter, pf, including address pools for reverse NAT/load balancing, ALTQ integration for network conditioning, and anchors/tables/spamd for spam tar-pitting. Information on the release can be found here and download sites are listed here. (Also, here's a handy way to speed up your DSL connection - prioritizing empty TCP ACKs and ToS low-delay traffic with OpenBSD 3.3's pf.)"
Let's not forget about the OpenBSD Song
-dk
I'm continually impressed by the amount of improvements in each new release of OpenBSD, the frequency of the releases (6 months), and the sheer amount of value that each new release brings.
If anyone hasn't tried OpenBSD yet, give it a shot - you're certain to appreciate the quality that goes into it.
...from someone *besides* Apple, OpenBSD is the bank they should look at!
Aside from maybe the esoteric trusted OSes (i.e. Trusted Solaris), is there really another "mainstream" OS people can just rely on for security?
Hell, Bill G oughtta just start waving $$$ in front of Theo and company until they all say "OK, that will do" and join MS to show them Redmond boys the Right Way (TM) to lock down an OS*!!!
* of course the Office team would no doubt open right back up any holes the new security-conscious OS team closed down...
I'm not done d/l'ing it yet! And it was slow *before* it got /.'ed!
Mix the failings of Usenet with the shortcomings of the World Wide Web and the result is slashdot.
I've been using FreeBSD on my servers as of fairly recently and so far I love it. As a result, my interest in BSD in general has grown. I was looking just today at OpenBSD and NetBSD features. OpenBSD looks fantastic and I was about to give it a whirl when I realized they don't support SMP. Now this wouldn't be an overly huge issue if it were primarily a desktop OS. I applaud all the work that has obviously gone into this project. But I will be overjoyed the day I see SMP added to the new feature list. This is NOT a troll. I think the way it stands is extremely impressive. I just want to express my sincere desire to see SMP support. =)
This is great news, or would be, if OpenBSD would actually work with our hardware. We use KVM switches that have a mouse and keyboard plugged into a USB hub. OpenBSD just doesn't have good enough USB support to even install with a keyboard through a hub. And no, changing 'usb legacy support' in the BIOS does not help the problem. It is a pity. Linux kernel has the same issue, however all recent versions of Windows work fine with it.
A slashdotter who didn't build his own computer is like a Jedi who didn't build his own lightsaber.
1. The best reason is security. Even with the best planning crackers can sometimes reach the machine in question. OpenBSD has the lowest rate of bugs and security holes of any OS out there. Any serious problems that are found are usually patched within days instead of weeks.
2. Stability. Like a rock. Even running the current branch, you will most likely not have any stability problems. Install, configure, and throw away the key. This is the first OS I've run that I can truthfully say is, besides any necessary patches, maintenance free.
3. BSD systems are much easier to maintain than Linux yet just as powerful as a full Unix. The ports system is well kept up and easy to use and the filesystem is much less cluttered than in Linux.
Very much worth a try if you have never used it.
Just to clarify that, W^X is not "write xor X", but "write xor execute". It's a new policy that OpenBSD uses to specify whether memory is writable or executable, but not both.
This helps prevent buffer overflows on the architectures that support it (sparc, sparc64, alpha, hppa) in that any memory that can be written to cannot be executable, and vice versa - so even if a buffer overflow succeeds in overwriting memory, that memory cannot be executed (or, the memory cannot be overwritten in the first place if it is executable).
Also note that W^X is also available on x86 in -current.
I have no pants and I must scream
the packet filter, pf, including address pools for reverse NAT/load balancing, ALTQ integration for network conditioning, and anchors/tables/spamd for spam tar-pitting.
Oh WOW!
My prayers for the packet filter, pf, including address pools for reverse NAT/load balancing, ALTQ integration for network conditioning, and anchors/tables/spamd for spam tar-pitting have been answered!
Thanks OpenBSD! Thanks for the World!!
Who are y oo ?
Regarding various troll-slams on OpenBSD... I dunno, I'm using OpenBSD and it's great. Nowhere to go but up, as far as I'm concerned. FreeBSD and NetBSD don't have much of a value proposition in my book compared to mainstream Linux distros, but if you want a secure webserver (or network appliance) without having to patch the thing all the damn time, OpenBSD seems a heck of a lot better than any Linux variant.
That said, I'm not dogmatic about this; it's just the conclusion I've come to based on the evidence I've seen so far.
--LP
I believe Darwin is based upon FreeBSD. While they share the same name, the same roots, and a lot of the same code, the BSD's (Free|Net|Open) are very different.
Of all the BSD's, NetBSD and OpenBSD are the most similar, and share the most code, primarily because OpenBSD forked from NetBSD not so long ago. FreeBSD has taken quite a different path to be more mainstream.
Improvements to OpenBSD should not be impossible to merge into FreeBSD/Darwin, but it's not an easy or painless task either - not to mention that FreeBSD and Darwin are quite different. This isn't saying that a fair share of code isn't shared, indeed it is, but it's not a trivial task.
With the new normal FAQ upgrades also comes the new PF FAQ:
http://openbsd.org/faq/pf/index.html
spamd, a spam deferral daemon, can be used to tie up resources on a spammer's machine. spamd uses the new pf(4) table facility to redirect connections from a blacklist such as SPEWS or DIPS.
-- Probably questionable legality and ethics on that one, being a real tool in the battle against what some call 'free speech'.
try { do() || do_not(); } catch (JediException err) { yoda(err); }
I was quietly downloading the packages, and then you had to send the /. hordes after it. Now their bandwidth is shot to hell. I mean, I'm all for sharing, but I wanna get my copy before I start sharing... ;-)
ehintz
*BSD is dying to announce that it has once again improved that which was already considered perfect.
Way to go!
Saying your OS is the best because more people use it is like saying McDonald's make the best food
That was all the fun of DOS assembler programming...
10 PRINT CHR$(205.5+RND(1)); : GOTO 10
For those running Mac OS X, there is an application called Cocktail that will let you turn off delayed ACKs.
I prayed about it, and God said, "Don't do it!" But I thought, "I know better."
1. The best reason is security. Even with the best planning crackers can sometimes reach the machine in question. OpenBSD has the lowest rate of bugs and security holes of any OS out there. Any serious problems that are found are usually patched within days instead of weeks.
FreeBSD is a close second. The reason you hear so little about FreeBSD's security is that there is no concept of the 'default install', and thus, there's no easy way to tell what FreeBSD's security record would be if you did the default install. But, if you choose the absolute minimum, and configure it similarly to OpenBSD (which is quite easy to do, make sendmail start only on the loopback, set the same defaults for SSH, etc). It's not as secure by default, because there is no default.
Moreover, anyone who installs services they don't need deserves to get hacked. Need a mail server? You're gonna get hit with the sendmail holes. Need SSH access? You're gonna get hit with the (1) OpenSSH hole. If you don't need the services, they shouldn't be enabled. You can mitigate the threat with firewalling (or hopefully, detaching it from the real internet), but chances are, the holes are going to be in the services you run and not in the OS itself.
(You could argue that systrace can limit a lot of otherwise horrific vulnerabilities: fair enough. So do chroot() and jail())
2. Stability. Like a rock. Even running the current branch, you will most likely not have any stability problems. Install, configure, and throw away the key. This is the first OS I've run that I can truthfully say is, besides any necessary patches, maintenance free.
FreeBSD. More stable and FASTER.
3. BSD systems are much easier to maintain than Linux yet just as powerful as a full Unix. The ports system is well kept up and easy to use and the filesystem is much less cluttered than in Linux.
I agree. 'make buildworld; make buildkernel; make installkernel; reboot ; make installworld' is pretty nice too.
Mooniacs for iOS and Android
Also, good luck getting a JDK/JRE to run here. HAHAHAHAHAHA. Fuckers.
I must have good karma. Can I have a beer, please?
Damn, that business with the prioritizing ACKs sounds fantastic! I have the same setup as in their example (ADSL 512Kb down/128Kb up) and always have to put upload limits on filesharing programs so they only upload at maybe 11KB or 12KB per second, 'cos if I let them hit their full 16-ish KB/sec, the downloads choke and die.
I might have to salvage some crappy old box from work and see if I can't set it up as an OpenBSD gateway..
For the ones not willing to change their OS only for the traffic shaper DSL trick, here's the link for Linux: (including many other very interesting things...) Linux advanced routing and traffic control
enjoy it!
Q.
Sure: Anything that produces machine code at run time needs memory that is writable AND executable. It's not such an esoteric trick -- for example many high-performance Smalltalk and Lisp systems compile everything you type down to machine code instead of using a simple interpreter. Then there are dynamically recompiling emulators, ie. just about any high-performance emulator these days, and of course JIT-compiling Java VMs. That's quite a lot of software to disable.
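Added example, not part of any comment in this thread: the W^X policy described in the "write xor execute" comment above, applied the way a run-time code generator like those in the preceding comment can live with it, by keeping a page writable while code is emitted and flipping it to executable before use, never both at once. It assumes POSIX `mmap`/`mprotect` on Linux or a BSD; `wx_lifecycle` and `write_faults` are hypothetical names, and the "generated" bytes are a constructed stand-in that is never executed.

```c
#ifndef _DEFAULT_SOURCE
#define _DEFAULT_SOURCE 1   /* exposes MAP_ANONYMOUS under strict -std= modes */
#endif
#include <setjmp.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

static sigjmp_buf fault_jmp;
static void on_fault(int sig) { (void)sig; siglongjmp(fault_jmp, 1); }

/* Probe: returns 1 if storing to *p raises SIGSEGV/SIGBUS, 0 if it succeeds. */
static int write_faults(volatile unsigned char *p) {
    struct sigaction sa, old_segv, old_bus;
    int faulted;
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = on_fault;
    sigemptyset(&sa.sa_mask);
    sigaction(SIGSEGV, &sa, &old_segv);
    sigaction(SIGBUS, &sa, &old_bus);
    if (sigsetjmp(fault_jmp, 1) == 0) { *p = *p; faulted = 0; }
    else faulted = 1;                 /* reached via siglongjmp from handler */
    sigaction(SIGSEGV, &old_segv, NULL);
    sigaction(SIGBUS, &old_bus, NULL);
    return faulted;
}

/* Returns -1 on setup failure; otherwise bit 0 = page accepted writes while
 * mapped R+W, bit 1 = a write was trapped after the flip to R+X. */
int wx_lifecycle(void) {
    /* Constructed placeholder for emitted code; it is only copied, never run. */
    static const unsigned char generated[] = { 0x00, 0x01, 0x02, 0x03 };
    size_t len = (size_t)sysconf(_SC_PAGESIZE);
    int result = 0;
    unsigned char *page = mmap(NULL, len, PROT_READ | PROT_WRITE,
                               MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (page == MAP_FAILED) return -1;
    memcpy(page, generated, sizeof generated);   /* emit phase: W, not X */
    if (!write_faults(page)) result |= 1;
    if (mprotect(page, len, PROT_READ | PROT_EXEC) != 0) {
        munmap(page, len);
        return -1;
    }
    if (write_faults(page)) result |= 2;         /* run phase: X, not W */
    munmap(page, len);
    return result;
}

int main(void) {
    printf("wx_lifecycle() = %d\n", wx_lifecycle());
    return 0;
}
```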
Oh it isn't that bad. Pull the network plug and clean up the mess. Preserve the corrupted files for later and restore from your backup. (you DO have a backup, right?) and then use the RPM database to verify all of your binaries to make sure you weren't owned when you made the backup. Verifying the critical files against the installation media will ensure against a trojaned rpm/database.
Then once you are clean again, examine the saved files and try to figure out how they got in. Learn from your mistake and carry on.
Happened to me a couple of times, usually when I make a mistake in configuration or don't keep up with the errata. Yes I'd like to connect electrodes to the script kiddies' testicles, but it really isn't something to get bent overly out of shape over either.
Democrat delenda est
This is good news for the OpenBSD community indeed, but rather than downloading, you might consider buying the CD set from a retailer near you to fund further development. Given the recent funding issues, now couldn't be a better time to support this superb open source project.
Like tinyurl, but one letter less! http://qurl.co.uk/
No, it's still a.out. You need to get a recent snapshot of CURRENT to get ELF.
How about "FTPing Releases" right in the middle of the front page? How hard was that? I can't believe you are able to grasp the concept of OpenBSD, develop the initiative to install it, and realize that mirrors are a good idea (not to mention you are apparently a college student) yet you can't even read a simple web page.
-- Never hit a man with glasses. Hit him with a baseball bat.