Slashdot Mirror


OpenBSD 3.4 Released

tedu writes "We just couldn't wait another 2 days, so now you can enjoy OpenBSD 3.4 a little early and protect yourself from ghosts and goblins. More details at the OpenBSD website and official announcement. Remember to please use a mirror."

275 comments

  1. What he/she really meant is... by Anonymous Coward · · Score: 5, Informative


    "Remember to please use a mirror."

    1. Re:What he/she really meant is... by Anonymous Coward · · Score: 0

      I tried it, but I still see no reflection.

      Vlad.

    2. Re:What he/she really meant is... by marcovje · · Score: 1


      That list doesn't list the mirrors of the ISO image, since OpenBSD only sells CDs, and does not provide an ISO.

      I found a home grown one using Google:

      http://news.jump.net.uk/openbsd-i386-3.4.iso

    3. Re:What he/she really meant is... by LordHunter317 · · Score: 4, Insightful

      DO NOT USE OpenBSD ISOs you randomly find on the Internet. During the 3.3 release, many people downloaded ISOs, only to find out that they were trojaned. This is not a safe, nor supported way, of installing OpenBSD.

      If you want the CDs so bad, buy them. They're only $40.

    4. Re:What he/she really meant is... by Anonymous Coward · · Score: 0

      OBSD doesn't need us using mirrors, It's the most secure, stable OS in th.......

      [Error Connection Timed Out :180seconds]

    5. Re:What he/she really meant is... by roka · · Score: 3, Informative
    6. Re:What he/she really meant is... by marcovje · · Score: 1


      They are $40, while I spend my time to get apps to work with OpenBSD. And tomorrow every other open source team starts to do the same trick. I think _not_.

      Exit OpenBSD

      The trojan problem can be solved very easily. Let OpenBSD provide ISO's and md5sum them.

    7. Re:What he/she really meant is... by IM6100 · · Score: 2, Funny

      Funny how Microsoft says the same thing about Windows XP isos....

      --
      A Good Intro to NetBS
    8. Re:What he/she really meant is... by rosie_bhjp · · Score: 1

      OpenBSD is an operating system designed with code correctness and security as its primary goals. Downloading the ISO off kazaa or any other untrusted source pretty much negates the whole security aspect. Then misc@ gets filled with posts of OMG OBSD SUXORZZZ!!!1!! I GOT HAXORED!!! Well yeah ya dipshit what did you think was gonna happen?

      The same is true for XP. If you don't feel like plunking down the $150 for a proper copy of XP then don't run it, or at least don't bitch when you get trojaned.

      --
      A radio maverick jumps to internet only. The Future of Rock n Roll
    9. Re:What he/she really meant is... by molnarcs · · Score: 1

      This mirror (OFFICIAL, check mirror list on openbsd site) has the ISOs. GOOD ADVICE btw!

    10. Re:What he/she really meant is... by Anonymous Coward · · Score: 0

      I just want to be remembered as a person who loved God, who served others more than he served himself, who was trying to grow in maturity and stability. I want to have more victories than defeats, yet here I am, almost 35, and I fail on a regular basis. My involvement with BSD has been no different. It seems that I'm a magnet for failed enterprises like BSD. Some investment advice for you -- look at my portfolio, then you'll know what stock not to buy. Spend your $40 if that floats your boat, otherwise most nerds would be better off downloading OpenBSD from the net.

    11. Re:What he/she really meant is... by Anonymous Coward · · Score: 0

      DO NOT USE OpenBSD ISOs you randomly find on the Internet. During the 3.3 release, many people downloaded ISOs, only to find out that they were trojaned.

      Good advice, but do you have evidence of this? With the heavy trolling in the BSD section, it's good to "show your homework" so to speak.

    12. Re:What he/she really meant is... by mirabilos · · Score: 1

      On the other hand,
      * their website does not support SSL (https)
      * their FTP servers, where you can get the
      CTM base {,split} files and deltas, does not
      support SSL (sftp)
      * their SSH servers' fingerprints aren't published,
      or even (better) a skeleton known_hosts file
      included on the CD
      * they don't provide signed RMD160 sums of the
      files on the CD (signed with pgp 2.6.3i{a,n},
      so even people like me that don't trust newer
      pgp/gpg versions can verify these)

      The MirOS project does most of these. Plus, we
      do provide a bootloader which is capable of
      handling hard discs larger than 8 GB in size.

      --
      My Karma isn't excellent, damn it! (And /. still does not get UTF-8 right in 2012. Wow.)
    13. Re:What he/she really meant is... by Anonymous Coward · · Score: 0
      Are these official ISOs or are they some unofficial hack cooked up by only God knows who???

      I would be very suspicious of ANY software originating from an ".hu" domain. Do a Google search and you will quickly see why. The ".hu" domains are presently the number one source for trojans and viruses. Don't take my word for it, check Yahoo news or Google.

    14. Re:What he/she really meant is... by IM6100 · · Score: 1, Informative

      There are easy ways of 'signing' the ISO and keeping the 'signature', i.e. an MD5 sum, on a secured website and/or just widely distributing it.

      OpenBSD is selling a product, it's that simple, and it's acceptable for them to do so. However, the way that they do so detracts and even diminishes the security a little (widely distributing a way to 'validate' a downloaded version would enhance security)

      --
      A Good Intro to NetBS
    15. Re:What he/she really meant is... by mirabilos · · Score: 1

      I must say I will prove you wrong. Actually, it
      happens to be truth that MirOS cannot die:

      MirOS BSD and MirPorts is nothing else than MirBSD,
      which is defined as ``the contents of _my_ /usr/src
      and /usr/ports and thus cannot die by definitionem.

      MirOS Linux isn't even a pure BSD, so it's not
      dead either.

      Actually I think I proved you wrong. Jane.

      --
      My Karma isn't excellent, damn it! (And /. still does not get UTF-8 right in 2012. Wow.)
    16. Re:What he/she really meant is... by Anonymous Coward · · Score: 0

      There is no such thing as "official" ISO's from OpenBSD - I would simply make one myself, ftp install or better yet, buy an "official" cd, support the project and get cool stickers at the same time.

    17. Re:What he/she really meant is... by ItaloSuave · · Score: 0

      Well, I am 49 and have nothing to show for it, so "count your blessings", Mister, and get on with your life. Plenty to look forward to in the next ten years, I can assure you!

      --
      MDelCamp1 on YouTube - check out my PlayLists there.
    18. Re:What he/she really meant is... by Anonymous Coward · · Score: 0

      Tulsa Oklahoma? Only two things come out of Oklahoma. Steers and Queers. Well I don't see no horns on you boy so you got to be queer.

    19. Re:What he/she really meant is... by mirabilos · · Score: 1

      In case you mean me, I'm no stinking US American.

      --
      My Karma isn't excellent, damn it! (And /. still does not get UTF-8 right in 2012. Wow.)
    20. Re:What he/she really meant is... by Anonymous Coward · · Score: 0

      no, you're just a stinking idiot.

    21. Re:What he/she really meant is... by Anonymous Coward · · Score: 0

      I bought 3.0 a long time ago and after the transaction my credit card was compromised. Only time that's ever happened. Go figure.

    22. Re:What he/she really meant is... by Anonymous Coward · · Score: 0

      That's too much work for a fumble fingers like me.

    23. Re:What he/she really meant is... by Syberghost · · Score: 1

      The OpenBSD hackers' credo:

      Information wants to be $40.

  2. shocking concern by t0ny · · Score: 5, Funny
    Remember to please use a mirror

    Since when does Slashdot care about overloading webservers?

    --

    Manipulate the moderator system! Mod someone as "overrated" today.

    1. Re:shocking concern by Anonymous Coward · · Score: 4, Funny

      And here I thought it was a comment about personal grooming...

    2. Re:shocking concern by loraksus · · Score: 2, Funny

      Please. We "care" every single time a new link gets posted. It takes work to pick out the master link and set opera to refresh every second - especially when the editors post mirrors.

      That said, I thought freebsd was dying ;)

      --
      1q2w3e4r5t6y7u8i9o0pqawsedrftgthyjukilo;p'azsxdcfv gbhnjmk,l.;/
    3. Re:shocking concern by chadm1967 · · Score: 1, Insightful

      Okay, actually, this is OpenBSD......

      It's not funny when it's done right. It's extremely not funny when you do it wrong.

    4. Re:shocking concern by Anonymous Coward · · Score: 0

      Bones: It's dead, Jim.

  3. OpenBSD performance facts by Anonymous Coward · · Score: 0, Flamebait

    OpenBSD 3.4 was a real stinker in these tests. The installation routine sucks, the disk performance sucks, the kernel was unstable, and in the network scalability department it was even outperformed by its father, NetBSD. OpenBSD also gets points deducted for the sabotage they did to their IPv6 stack. If you are using OpenBSD, you should move away now.

    1. Re:OpenBSD performance facts by Krunch · · Score: 1

      Read more about it here.

      --
      No GNU has been Hurd during the making of this comment.
    2. Re:OpenBSD performance facts by quigonn · · Score: 4, Funny

      And you think the discussion on the OpenBSD side was less biased? Well, I'll just show you some of the comments from misc@openbsd.org about the article:

      "Because as Lars pointed out before, benchmarks are seldom little more than a great way to use numbers to prove your point. Especially coming from this overtly pro-linux, anti-openbsd in the flesh little devil Felix. The benchmarks he provides serve little more than to feed his pro-linux ego and no real interest in improving OpenBSD, and neither do your (collectively) rantings as to this being proof that OpenBSD is broken. [...] The intuitive way to meet this attitude is to benchmark now the security advantages of OpenBSD where it outperforms Linux."

      "Leitner is a linux bigot, he's very anti-openbsd (obvious to anyone who's ever read his rantings), the tests shows OpenBSD in a bad light, draw your own conclusions."

      "I have better things to do than testing networking performance of operating systems. I'm very busy already. I've chosen OpenBSD as my server OS, because security is my main concern. I like it a lot. So far, nothing I've read has convinced me to install something else. I took time however to discredit (rightfully I think) this guy's test, because it struck me as being very unjust."

      "Theo could easily rewrite OpenBSD to thrash these other OSes, real things like multiprocessor support are a real drag for them, so OpenBSD could be heaps faster. But who cares how many binds/second can be done, this isn't real "work", so what does it prove?"

      I especially like the last one. :-) It shows the real attitude of most OpenBSD fanboys. Later, in the newsgroup de.alt.sysadmin.recovery, Felix summarized what kind of emails he got from the different projects. Some of the Linux people found it interesting, FreeBSD seems to have been quite friendly too (a few asked about benchmarking 4.8), the NetBSD people immediately explained why the mmap benchmark measured a worst case situation in NetBSD, and immediately started improving NetBSD performance-wise. But about OpenBSD he wrote that he got only two emails that were not insulting. Some people even explained to him that the 1024 cylinder limit he mentioned in the article doesn't exist (it does! I know one person that tried to fix it, but his patches were not taken because he used intel syntax instead of AT&T syntax in some assembler files), and some people said that OpenBSD doesn't crash as he described. So far, the crash could be reproduced and is in the OpenBSD bugtracking system.

      --
      A monkey is doing the real work for me.
    3. Re:OpenBSD performance facts by Anonymous Coward · · Score: 1, Insightful

      And of course you are completely unbiased. I note you did not give a sampling of the many posts that acknowledge OpenBSD is never going to be the best performing OS out there. And it is pretty obvious the developers trade off performance for security (in both their effort and their designs). Are Linux and FreeBSD better performers? Do they scale better than OpenBSD? Yes. Of course they do. Is it a big deal? Well, that depends on what you want to do doesn't it?

    4. Re:OpenBSD performance facts by Krunch · · Score: 1
      <hoponpopa> the difference between netbsd, freebsd, and openbsd, as an insider is freebsd is interested in getting things done, and doesn't mind hurting people who get in their way.
      <hoponpop> netbsd is interested in making sure nothing gets done, and doesn't mind hurting people who try to accomplish things.
      <hoponpop> openbsd is interested in looking good, and doesn't hurt anyone in their own little community, but look out everybody else!
      I don't know if this quote reflects the reality but the only *BSD I ever used is OpenBSD for my firewall/gateway. It runs fine for some months now and I can't see any reason why I should change to Linux or another *BSD (I love pf).
      --
      No GNU has been Hurd during the making of this comment.
    5. Re:OpenBSD performance facts by Caligari · · Score: 4, Informative
      Instead of judging the entire OpenBSD community by a couple of random emails on misc@ (which is the mailing list specifically for stupid questions and answers), why don't you report what the tech@ people were saying?

      If you did, you would see how the ACTUAL OpenBSD developers responded to fefe's benchmarks.

      For example, here is what Ted Unangst (a very major committer to OpenBSD) replied to requests for help improving performance:

      "apply the patch below to your mmap benchmark. a real application is unlikely to use pread and mmap. openbsd uses a separate cache for read and mmap calls. while it seems you are attempting to time only a page fault with cached data, that is not happening on openbsd.

      the results for all other OS should remain the same, but OpenBSD improves dramatically. the adjusted benchmark is a much closer match to application behavior in reality."
      Which was followed by above-mentioned patch.

      I don't think it's fair for you to judge an entire operating system community based on the contents of a few selected emails. By doing so, you are being just as biased as you say the others are.

      --
      The moving cursor writes, and having written, blinks on.
    6. Re:OpenBSD performance facts by Anonymous Coward · · Score: 0

      Switch to Linux if you want to get hacked.

      I, for one, would never expose a Linux box to the Internet any more than I would a Windows box.

    7. Re:OpenBSD performance facts by mirabilos · · Score: 1

      Hey, I know you :)

      You're actually reading comments on /.
      You must be bored then :)

      --
      My Karma isn't excellent, damn it! (And /. still does not get UTF-8 right in 2012. Wow.)
    8. Re:OpenBSD performance facts by mcroot · · Score: 2, Insightful

      Perhaps I'm being a little too demanding. But if you can't properly operate the disk partitioning tools for an OS, maybe you aren't really qualified to be doing benchmarks on it.

      Most of the comments about Felix being an idiot have good reason for doing so. He went out of his way to trash talk OpenBSD, and most of the problems he encountered were as a direct result of his inability to RTFM. Why should the OpenBSD community have any patience for someone who benchmarks first and asks questions later?

    9. Re:OpenBSD performance facts by Anonymous Coward · · Score: 0

      The big deal is that Linux and FreeBSD are real operating systems.
      OpenBSD is merely a toy in Theo's playpen.

    10. Re:OpenBSD performance facts by Anonymous Coward · · Score: 0

      "a toy in Theo's playpen."

      I guess you can only be expected to understand the larger world from the context of your own experience.

    11. Re:OpenBSD performance facts by ajr_trm · · Score: 1

      It runs fine for some months now and I can't see any reason why I should change to Linux or another *BSD (I love pf).

      You can use pf with FreeBSD pf_freebsd-1.0_7 as well as ipf and ipfw. For me the reason for using OpenBSD for firewalls in the past was that it had altq integrated in kernel and that time if you wanted to use altq with FreeBSD you had to apply patches for "release" kernel version. Now altq is in FreeBSD kernel too.

  4. Rubbish by imtheguru · · Score: 1

    Server is working just fine.

    --
    Yet Socrates himself is particularly missed.
    A lovely little thinker but a bugger when he's pissed.
  5. Re:Uhoh by Pingular · · Score: 1

    It appears I was wrong! From Netcraft:
    OS: Solaris Server: Apache/1.3.27 (Unix) PHP/4.3.1 mod_perl/1.27

    --

    When anger rises, think of the consequences.
    Confucius (551 BC - 479 BC)
  6. no, no, you don't understand... by jusdisgi · · Score: 5, Funny

    ...perfect code is irrelevant to security! Didn't you hear me?!

    -Bill

    --
    Given a choice between free speech and free beer, most people will take the beer.
    1. Re:no, no, you don't understand... by Anonymous Coward · · Score: 1, Interesting

      The truth is, perfect code *should* be irrelevant to security.
      I've been working with IT-security for 6 years, and the thing is, it doesn't matter how good of a programmer you are, eventually, you will fuck up; that's why security should be in the design, not the code, mostly in the design of the OS.
      VMS is a good example of this, there was a lot of shoddy code in VMS, but it's really secure -- by design!

      First design, then language, least important is, or if done properly at least, the code itself.

    2. Re:no, no, you don't understand... by Anonymous Coward · · Score: 0

      hahahaha!

      I wish i had modpoints.

    3. Re:no, no, you don't understand... by segment · · Score: 1

      Man oh man would I hate to have you in my shop. Hopefully you have no intentions of pursuing your CISSP or something similar. Code should be the utmost since it is the foundation. Let's go into a different subject for analogy shall we... You build a 4 story house made of the toughest concrete money can buy. You use the strongest nails, wood through the walls, and to bind it all together. Foundation oh no don't worry let's use rubber bands, hell all that 'security' we used on the walls and ultra 31337 concrete will support the house forget the foundation...

      Yea, I'm with you, if a hurricane comes crawling it won't do nothing because I used superconcrete 5.0... Don't you think that house can just be lifted as one piece and thrown.

    4. Re:no, no, you don't understand... by Anonymous Coward · · Score: 0

      I don't really care to be in your shop, if you can't understand such simple things.
      Basically, come back and talk when you have worked for many years with VMS and OS/400.

    5. Re:no, no, you don't understand... by Anonymous Coward · · Score: 0

      Gee, another arrogant, short-sighted asshole in the industry! Big surprise!

      Yeah, buddy.. I'm sure you NEVER fuck up code anywhere.

      Let's look at the two situations:

      You have an underlying system that is secure by design. You miss a check in your code, but everything's ok because the system caught the overflow and prevented it.

      Now in YOUR situation: The underlying system isn't secure by design (because all the coders programming on top of it are perfect and don't need that, right?). Someone fucks up (it WILL happen eventually) and you don't notice till the system gets rooted or crashes hard. Nice.. Boy, I'd Loooove to work in YOUR shop. Not.

    6. Re:no, no, you don't understand... by platipusrc · · Score: 1

      I think a better analogy for you would be something like this:

      design of project : design of house

      programming language : materials of house

      coding : putting together the house

      the coding wouldn't be the foundation, it would be the putting together of the materials of the entire house. If you have a good design and materials, a slight mistake somewhere shouldn't bring down the whole house.

      --
      And the muscular cyborg German dudes dance with sexy French Canadians
    7. Re:no, no, you don't understand... by Anonymous Coward · · Score: 0

      Damn, you did do it. Double mad props!

      -B

    8. Re:no, no, you don't understand... by jusdisgi · · Score: 1

      Hey, jackass...that was a JOKE! Didn't you read the story 4 hours before this one quoting Bill Gates as saying exactly what I just said? I mean, my name is not Bill. ...hence the +5 Funny.

      --
      Given a choice between free speech and free beer, most people will take the beer.
    9. Re:no, no, you don't understand... by Anonymous Coward · · Score: 0
      FreeBSD is *not* free guys! It never was! At least not in the true sense of the word. It is rather an attempt by some programmers to whore themselves out so that their code can be as popular as possible and as widely used as possible, with only an afterthought given to the ideals of truly free software.

      I love BSD. It's so easy for any Evil Corporation to take it, modify it, redistribute it under a draconian closed-source license, charge an arm-and-a-leg for it, and REAP THE REWARDS! Even if 99% of the code is untouched. Muahahaha!

      Guys, wake up. BSD is not free software. It never was. Well it is free, but it's not designed to stay free due to its overly permissive license. Any true supporter of free software would shun it and stick with GNU/Linux these days.

      BSD comes with a lot of GNU utils. Heck, BSD wouldn't exist without GNU gcc. They *owe* the GNU project, and would do well to switch their license to the FSF's GPL.

      (Let me make a piece of software. Call it RedWM, the Red Window Manager, and within it offer only shades of burgundy and not any real Red. That's an analogy for how misnamed FreeBSD truly is!)

    10. Re:no, no, you don't understand... by Anonymous Coward · · Score: 0

      Hey lighten up, fella. That dude is a Negro. They don't have the same brain power that you or I have. Negroes are not fully human. They are a distant relative to be sure, but they are less evolved than humans. Have you ever noticed how similar Negroes are to the apes in a zoo. It's no coincidence.

    11. Re:no, no, you don't understand... by jusdisgi · · Score: 1

      Wait...how is that not free? I don't get it...I mean, sure, the license doesn't force other people to keep *derivative works* free, but so what? Does that somehow restrict you? Does the fact that Microsoft can use BSD code in Windows (and does) somehow infringe upon the freedom of the BSD I run? No. The software has still been made available on extremely permissive terms...it's still free software.

      In fact, it's more free than GPL software....the GPL places lots of restrictions on distribution, impairing the user or developer's freedoms.

      In other words, just because bsd-style licensors let people relicense the software doesn't mean the original software, while bsd-licensed, isn't free. It's the fact that *it* (and not necessarily anything added to it by other parties) was available at least once under that license...that's what makes it free.

      BTW, yeah, I have an openbsd firewall, and two freebsd servers. And a bunch of linux desktops, including the one I work on all day. As it happens, I personally like the GPL approach better, mostly because of ideological issues with the software industry. But I can see both sides...lots of folks don't see any reason to keep people from commercializing their work. It's their work; I say let 'em.

      --
      Given a choice between free speech and free beer, most people will take the beer.
    12. Re:no, no, you don't understand... by Anonymous Coward · · Score: 0
      Let's get real for a minute.

      Outside of a few socially backward dweebs, no one, but no one, uses BSD.

      Yes it's dead. The BSD zealots need to wake up and smell the coffee.
      They also need to shower, brush their teeth, lose 100 lbs, and get a life.

    13. Re:no, no, you don't understand... by jusdisgi · · Score: 2

      Ordinarily I would just let this go. But this guy is such a total cocksucker, I think I'll feel just a bit less disgusted if I dismantle his post.

      "They don't have the same brain power that you or I have."

      --Right. Like the brain power to detect dripping sarcasm in the parent post, as neither of you did? Or to notice its obvious relation to the story 4 down from this one? Or like the brain power required to see the fact that Blacks/Whites/Asians/etc. are actually *different species*? Man, that one even has the entirety of the scientific community fooled; you must be fucking brilliant!

      "They are a distant relative to be sure, but they are less evolved than humans."

      --What about my friend, a white man, his wife, who is black, and their daughter? Is she black, or white? And if she's black, does that make her a "distant relative" to her father? And while we're at it, doesn't the child by definition have to be "more evolved" than the parent? I mean, the child receives the full evolution inherent in the parent's genes, plus one more random resequencing.

      "Have you ever noticed how similar Negroes are to the apes in a zoo."

      --Have you ever noticed how questions tend to end with question marks? However, if you want to find out who's the more apeish, let's compare:

      1)They say that, given infinite time, a thousand monkeys with typewriters would write A Song Flung Up to Heaven by Maya Angelou.

      2)By contrast, one braindead monkey could come up with your post while eating bugs out of your mother's hair.

      "by Anonymous Coward"

      --Got that right. Could have said "by Anonymous white-trash bitch who's daddy should have pulled out and left him as a cumstain on the backseat of his pinto."

      --
      Given a choice between free speech and free beer, most people will take the beer.
    14. Re:no, no, you don't understand... by duffbeer703 · · Score: 1

      Holy cow! Where have you been all of these years! Has anyone ever told you that you are a true-blue absolutely amazing genius!

      Code is the implementation of design, fucktard. No matter what your UML diagram says, one or more bugs in critical parts of a design can lead to a security breach...

      --
      Conformity is the jailer of freedom and enemy of growth. -JFK
    15. Re:no, no, you don't understand... by Anonymous Coward · · Score: 0

      Hey, dumbass, as you don't understand one bit about security, don't argue with those who do.

      Your so called understanding of design is frightening, hope you never work on system level stuff.

  7. Re:Uhoh by stefanjo · · Score: 1

    Nothing strange about that.

    http://www.openbsd.org/faq/faq8.html#wwwsolaris

  8. Will they make a tablet PC? by Anonymous Coward · · Score: 0

    I for one, would like security on my Tablet, so will they make a Tablet version of OpenBSD?

  9. Re:A message from Theo by Anonymous Coward · · Score: 0
    It's our new motto for OpenBSD.

    That should be "Only 3 remote root exploits in the default install, IN SEVEN YEARS!!" I think they forgot to update their website though to acknowledge the fact that OpenSSH had a nice big gaping remote exploit a couple months ago.

  10. OpenBSD is INSECURE, try Cryptech RAP BSD by Anonymous Coward · · Score: 3, Funny

    How can anyone trust an operating system like OpenBSD when its insecure, come on it still has a root account, You obvoously haven't used Cryptech Radicacally Advanced PowerBSD. This operating system uses the "swallow the key" principle. Once installed, you are pernemently in a sandbox, with NO WAY to get root access becasue THERE IS NONE, For extra security the Installation CDROM has a built in Self destruct mechanism. Once It installs it scans a special diode embedded into the disk and destroys the CDROM. No one has managed to hack a Cryptech RAP BSD box, and I have ran one connected to the Internet on a high volume site (10,000,000 hits a month) which publishes controversail material. Noone out of the THOUSANDS of kiddies have manged to get in so far, and good riddance.

    1. Re:OpenBSD is INSECURE, try Cryptech RAP BSD by bo0ork · · Score: 0, Redundant

      Oh my, how can someone moderate a joke "informative"? Cryptech Radicacally Advanced PowerBSD -- C.R.A.P. And misspelt crap, as well.

      --
      Does everything include nothing?
    2. Re:OpenBSD is INSECURE, try Cryptech RAP BSD by udippel · · Score: 0, Flamebait

      How could someone *ever* mod this to 'informative', with a score of *one* ?

      Tastes *are* different; but maximum here might be a 5 for *funny*. And this is what it's supposed to be, 65 years after the Invasion From Mars.
      Cryptech RAP BAD (in short CRAP BAD) is a possible contender. The best part is the diode for self-destruction and the controversail material.

      Seems, CRAP BSD comes without spell-checker !?

    3. Re:OpenBSD is INSECURE, try Cryptech RAP BSD by Anonymous Coward · · Score: 0

      Mac OS X doesn't come with a root account by default. You actually have to create one after the OS installs if you want one. :-P

  11. OpenBSD song by Malcolm+Scott · · Score: 5, Informative

    And make sure you listen to the release song too. It's great :-)

    1. Re:OpenBSD song by Anonymous Coward · · Score: 0

      men the music is fuking great, the way it deals with the novel about the Darpa funding

      He says "Give me your freedom,
      I'll grasp it and pass it to brass
      who can hash it for weapons of massive distraction.
      And hand me the bastards that brashly amassed from the cash
      happy faction of oily and gassy co-action".
      No! Don't hand em dick, grab a stick, keep attacking for freedom
      and hack till the King cometh back and leave em'


      heeh

      The Sheriff came a callin' for the spikey one
      And took back all the booty
      Puff intended for the poor
      The Arch-a-thon went on despite the mighty roar


      the chorus its amazing, that tune will be in my head for a long long time, makes anyone cry with the purity of the words.

      And the rap is so cool too. I wonder how they got eminem to perform for them!?

      "they call it BBBBeeee SSSSeeeee Deeeeeee......"

    2. Re:OpenBSD song by Anonymous Coward · · Score: 0

      Sort of proves what we knew all along: OpenBSD is Ghey

  12. Re:A message from Theo by Krunch · · Score: 2, Interesting
    From http://openbsd.org/errata33.html
    All versions of OpenSSH's sshd prior to 3.7 contain a buffer management error. It is unclear whether or not this bug is exploitable.
    No exploit was publicly available before it has been fixed (AFAIK).
    --
    No GNU has been Hurd during the making of this comment.
  13. Thoughts on security by arvindn · · Score: 5, Interesting
    From the release notes:
    Thousands of occurrences of unsafe library calls such as strcpy(), strcat() and sprintf() have been changed to the safer alternatives strlcpy(), strlcat(), and snprintf() or asprintf() in one of the most intensive audits yet performed by the OpenBSD project. The kernel is now completely free of these functions, as is most of the userland source tree.
    That's certainly a good thing, but it raises the question of why they were there in the first place. I mean, everyone's known for ages that these are insecure, and the manpage lists it as a bug etc. Of course it's a pain to keep track of the length of each string (making them fixed size is not always feasible), but I would have expected that in kernel-level code convenience would take the back seat.

    Note: this is purely an academic question; it is not my intention to criticize anyone, but just to learn why these things happen, not being a very experienced programmer myself.

    1. Re:Thoughts on security by Anonymous Coward · · Score: 0
      Hmm. That bit about "library calls" parses like bull sh*t,
      "The kernel is now completely free of these functions . . ."
      Whoever wrote that "library calls" are used by the kernel is severely mixed up.
    2. Re:Thoughts on security by OttoM · · Score: 4, Informative

      The kernel has its own set of library functions, aptly named "the kernel library". This kernel library included strcpy() and strcat(), but not anymore.

    3. Re:Thoughts on security by __past__ · · Score: 5, Insightful
      That's certainly a good thing, but it raises the question of why they were there in the first place. I mean, everyone's known for ages that these are insecure, and the manpage lists it as a bug etc.
      You realize that OpenBSD is not a clean-room reimplementation of Unix? Most of the code is probably simply ages old, probably older than strlcpy and friends, or the OpenBSD project itself. Obviously, there was a time where programmers thought gets would be a useful function...
    4. Re:Thoughts on security by donhav · · Score: 2, Informative

      An OpenBSD release contains far, far more than just the kernel; it's all the userland as well, i.e. things like grep and diff and csh. There are hundreds of these programs. The OpenBSD team puts a lot of effort into making the whole release secure, not just the kernel.

    5. Re:Thoughts on security by dmiller · · Score: 4, Informative

      Note that strcpy() and friends _can_ be used safely, and the usage of the ones in the tree before the removal had been audited at least once. For example, the following construct is safe (assuming you check the malloc return):

      len = strlen(foo) + 1;
      bar = malloc(len);
      strcpy(bar, foo);

      But it was easier to just banish them from the tree entirely, so that it is easier to grep for potentially unsafe ones when new code is imported.

    6. Re:Thoughts on security by Pierre · · Score: 2, Funny

      what we're not supposed to use strcpy?

    7. Re:Thoughts on security by hey · · Score: 2, Informative

      I can't think of any way to use gets() safely.

      s = malloc(INFINITY);
      gets(s);

    8. Re:Thoughts on security by sphealey · · Score: 1
      That's certainly a good thing, but it raises the question of why they were there in the first place. I mean, everyone's known for ages that these are insecure, and the manpage lists it as a bug etc.
      Two factors. First, there is a difference between "dangerous" and "unsafe". Explosives are dangerous but they are used safely on construction sites every day.

      Second, there is also danger in changing code that is known to work. I read a quote once from the IBM guy responsible for the core of IBM's MVS mainframe OS: "old code is good code". If it is known to be working, even if it uses dangerous tools, it is better to leave it be while you study the situation carefully and replace the dangerous (but not necessarily unsafe) tools in a controlled manner.

      sPh

    9. Re:Thoughts on security by zangdesign · · Score: 1

      Considering the times we live in now, where every little asshat is trying to get into your computer by any means possible, sometimes for no better reason than because they can, it is probably best to remove the old code that may be exploited.

      At least until they make hacking punishable by instant death.

      --
      To celebrate the occasion of my 1000th post, I will post no more forever on Slashdot. Goodbye.
    10. Re:Thoughts on security by damballah · · Score: 1

      Does the Linux kernel still have those occurrences of strcpy(), etc?

    11. Re:Thoughts on security by ^BR · · Score: 0, Flamebait

      Too lazy (or too dumb) to use grep(1)?

      Yes, there are (a lot of them). It does not mean that there are security holes because of it; it's just that it's way easier to make a safety error using strcpy() than using strlcpy(). And in fact a systematic effort to eliminate those is the occasion to revisit some code long forgotten and to fix other things on the way...

      % grep -r -l strcpy linux-2.6.0-test9
      linux-2.6.0-test9/drivers/i2c/busses/i2c-ibm_iic.c
      linux-2.6.0-test9/drivers/net/8139too.c
      linux-2.6.0-test9/drivers/net/sk98lin/skproc.c
      linux-2.6.0-test9/drivers/net/sk98lin/skge.c
      linux-2.6.0-test9/drivers/net/sk98lin/skvpd.c
      linux-2.6.0-test9/drivers/net/tulip/de4x5.c
      linux-2.6.0-test9/drivers/net/tulip/xircom_tulip_cb.c
      linux-2.6.0-test9/drivers/net/tulip/winbond-840.c
      linux-2.6.0-test9/drivers/net/tulip/tulip_core.c
      linux-2.6.0-test9/drivers/net/tulip/xircom_cb.c
      linux-2.6.0-test9/drivers/net/tulip/de2104x.c
      linux-2.6.0-test9/drivers/net/tulip/dmfe.c
      linux-2.6.0-test9/drivers/net/wireless/wl3501_cs.c
      linux-2.6.0-test9/drivers/net/wireless/airo.c
      linux-2.6.0-test9/drivers/net/wireless/atmel.c
      linux-2.6.0-test9/drivers/net/wireless/ray_cs.c
      linux-2.6.0-test9/drivers/net/wireless/atmel_cs.c
      linux-2.6.0-test9/drivers/net/wireless/wavelan_cs.c
      [ ... plenty more ... ]

    12. Re:Thoughts on security by Anonymous Coward · · Score: 2, Insightful

      "Too lazy (or too dumb) to use grep(1)?"

      Figures that someone would be an asshole about this. Perhaps the guy doesn't use Linux and it's a pain in the ass to go download all the source, uncompress it, and then grep it out when there's someone that already knows the answer to this simple question?

      Sheesh, grow up.

    13. Re:Thoughts on security by Anonymous Coward · · Score: 0

      yeah dude, you might want to check the return value of malloc there.

      #define YOU bar
      #define DONKEY NULL

      like this:

      YOU == DONKEY

    14. Re:Thoughts on security by Anonymous Coward · · Score: 0

      You realize that OpenBSD is not a clean-room reimplementation of Unix?

      SCO will probably claim they own it as well :)

    15. Re:Thoughts on security by Anonymous Coward · · Score: 0

      Too bad gets() wasn't in the list from the release notes.

      Still, it's very difficult to use sprintf safely except in trivial cases.

    16. Re:Thoughts on security by Anonymous Coward · · Score: 0

      Please do tell us why a kernel couldn't call up into a user space library?

      You're not nearly as clever as you think you are.

    17. Re:Thoughts on security by Anonymous Coward · · Score: 0

      yeah dude, you might want to actually read the post there.

    18. Re:Thoughts on security by Anonymous Coward · · Score: 0

      For example, the following construct is safe (assuming you check the malloc return):
      len = strlen(foo) + 1;
      bar = malloc(len);
      strcpy(bar, foo);


      It's unsafe if foo is not null-terminated. You'd have to track that string back to wherever it was initialized/input, and make sure it got null-terminated (be sure to check for off-by-one errors).

    19. Re:Thoughts on security by Anonymous Coward · · Score: 0

      A toxin released by the bacteria that cause traveller's diarrhea and chronic diarrhea in developing countries may also slow the growth of colorectal cancer, researchers said Monday. The protective effect of the toxin from the E. coli bacterium responsible for traveller's diarrhea may explain why rates of colorectal cancer are lowest in countries with the highest rates of infection with the bacteria.

    20. Re:Thoughts on security by Anonymous Coward · · Score: 0

      It's unsafe if foo is not null-terminated. You'd have to track that string back to wherever it was initialized/input, and make sure it got null-terminated (be sure to check for off-by-one errors).

      If it's not null terminated, it's not a string (by C's definition). Anyway, strlcpy() is the same way. From the FreeBSD manpage: "Also note that strlcpy() and strlcat() only operate on true ``C'' strings. This means that for strlcpy() src must be NUL-terminated".

      At some point, you have to put constraints on what you do. free() could be considered unsafe if you do silly things like char *x; free(x); Just the same, strlcpy() (and strcpy() as used in the grandparent post) could be considered unsafe if you don't pass a string. So we say, "you must pass a valid pointer that was acquired from malloc()/calloc()/realloc() to free()", and we say "you must pass a string to strcpy()/strlcpy()".

    21. Re:Thoughts on security by dmiller · · Score: 1

      You are right, but you can use width specifiers, e.g. sprintf(bar, "(%.10s)\n", foo);
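The points argued in comments 5, 18, 20 and 21 above, gathered into one C program. This is an added example, not any poster's code and not OpenBSD source: `bounded_copy()` is a local stand-in written to follow the strlcpy() contract (so it builds where libc lacks strlcpy), and every function name, buffer size and sample string is an assumption made for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Local stand-in for the strlcpy() contract (hypothetical name): copy at
 * most size-1 bytes, always NUL-terminate when size > 0, and return
 * strlen(src) so the caller can detect truncation. As the man page quoted
 * in comment 20 says, src MUST be a NUL-terminated string. */
static size_t bounded_copy(char *dst, const char *src, size_t size)
{
    size_t srclen = strlen(src);
    if (size > 0) {
        size_t n = srclen < size - 1 ? srclen : size - 1;
        memcpy(dst, src, n);
        dst[n] = '\0';
    }
    return srclen;
}

/* Comment 5's construct: strcpy() is safe here because the destination
 * was sized from the source and the malloc() result is checked. */
static char *dup_string(const char *foo)
{
    size_t len = strlen(foo) + 1;
    char *bar = malloc(len);
    if (bar == NULL)
        return NULL;
    strcpy(bar, foo);
    return bar;
}

/* Fixed-size destination: the bounded copy cannot overflow, but silent
 * truncation is its own bug class, so report it. 0 = ok, -1 = truncated. */
static int set_name(char *dst, size_t dstsize, const char *name)
{
    return bounded_copy(dst, name, dstsize) >= dstsize ? -1 : 0;
}

/* Comment 21's sprintf(): the precision caps the %s expansion at 10 bytes,
 * so the worst-case output is computable: '(' + 10 + ')' + '\n' + NUL. */
enum { WRAP_MAX = 1 + 10 + 1 + 1 + 1 };
static int wrap_prefix(char out[WRAP_MAX], const char *foo)
{
    return sprintf(out, "(%.10s)\n", foo);
}

/* Comment 18's worry, a source with no terminator: with a precision no
 * larger than the array, printf-family functions read at most that many
 * bytes, so a fixed-width field can be converted without a NUL in it. */
enum { FIELD_LEN = 8 };
static int field_to_string(char out[FIELD_LEN + 1], const char *field)
{
    return sprintf(out, "%.*s", FIELD_LEN, field);
}

/* snprintf() returns the length the full output would have had; a value
 * >= dstsize means the result in dst was cut short. */
static int format_label(char *dst, size_t dstsize, const char *user, int uid)
{
    int n = snprintf(dst, dstsize, "%s(%d)", user, uid);
    return (n < 0 || (size_t)n >= dstsize) ? -1 : 0;
}

int main(void)
{
    char name[8], out[WRAP_MAX], fld[FIELD_LEN + 1], label[8];
    const char raw[FIELD_LEN] = {'O','p','e','n','B','S','D','!'}; /* no NUL */
    char *copy = dup_string("constructed sample");

    printf("dup_string      -> %s\n", copy ? copy : "(alloc failed)");
    free(copy);
    printf("set_name short  -> %d [%s]\n",
           set_name(name, sizeof name, "puffy"), name);
    printf("set_name long   -> %d [%s]\n",
           set_name(name, sizeof name, "a-much-longer-name"), name);
    printf("wrap_prefix     -> %d bytes: %s",
           wrap_prefix(out, "0123456789ABCDEF"), out);
    printf("field_to_string -> %d [%s]\n", field_to_string(fld, raw), fld);
    printf("format_label    -> %d [%s]\n",
           format_label(label, sizeof label, "operator", 5), label);
    return 0;
}
```
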

    22. Re:Thoughts on security by multi+io · · Score: 1
      I can't think of any way to use gets() safely.

      You just have to ensure externally that stdin fulfils specific constraints (EOF or '\0' among the next N characters, for some known N). This may well be possible, for example if you've redirected stdin to a trusted file with known contents, or your program is at the receiving end of an internal pipe in a larger system of trusted interoperating programs you've all written yourself, so you know exactly how stdin looks.

    23. Re:Thoughts on security by tmp_user · · Score: 1

      > Most of the code is probably simply ages old, probably older than strlcpy and friends, or the OpenBSD project itself.

      Considering that Todd Miller and Theo de Raadt implemented strl* in 1996 ( http://www.courtesan.com/todd/papers/strlcpy.html ) and OpenBSD was forked from NetBSD in '95 (which is quite old itself ( http://netbsd.org/Misc/history.html )) I'd say that that's an understatement...

    24. Re:Thoughts on security by Anonymous Coward · · Score: 0
      Theo ain't shit, walking, flying, or crawling.

      He ain't shit.

    25. Re:Thoughts on security by Anonymous Coward · · Score: 0

      When it come to insight, Bones said it best: It's dead, Jim

    26. Re:Thoughts on security by Anonymous Coward · · Score: 0
      Outside of a few socially backward dweebs, no one, but no one, uses BSD.

      Yes it's dead. The BSD zealots need to wake up and smell the coffee.
      They also need to shower, brush their teeth, lose 100 lbs, and get a life.

    27. Re:Thoughts on security by Anonymous Coward · · Score: 0

      A tourist bus skidded off a mountain road and fell into a gorge in western India, killing 22 people and injuring 30 others, Press Trust of India news agency said Sunday. The accident occurred just before midnight Saturday on a mountain road near Mahabaleshwar, a hill resort 95 miles southeast of Bombay, said PTI quoting police. The driver of the bus was negotiating a bend in the road when he lost control of the vehicle which skidded and crashed into a gorge, nearly 200 feet below. Residents of nearby villages and authorities found 22 bodies. BSD was among the dead.

  14. mod parent down by Krunch · · Score: 0, Flamebait

    All it says is "BSD is dying".

    --
    No GNU has been Hurd during the making of this comment.
  15. Re:A message from Theo by Anonymous Coward · · Score: 0

    No, it is:

    RTFMA.

  16. Warning! by Anonymous Coward · · Score: 0, Funny

    This is a troll honeypot. I'd like to warn my fellow trolls: This article is just a simulation to get your IP address, MAC addresses and your trolling license number. Congress just passed a law that gives ISPs the right to surgically remove the testicles of newsgroup posters when it is obvious that an allergic reaction to a mix of certain hormones is causing them to write annoying messages against their will. I sent this info to Slashdot three days ago, but they're holding back the article to catch as many trolls as they can. Please trust me and stay away for at least 6 months. I will post again when it is safe, and I will then lead the devastating counterstrike against the Slashdot facilities. At this time just wait and reform our troops.

    The Brainbug.

    1. Re:Warning! by Anonymous Coward · · Score: 0

      OK, the plan didn't work. When I tried to scare away the trolls from the site, I was shot by friendly fire. Nice job, mods.

  17. Why the delay? by stu_coates · · Score: 1

    Looks like the announcement has been delayed a little as I've had the OpenBSD3.4 CDs for over a week now, ordered from the OpenBSD online store!

    1. Re:Why the delay? by Anonymous Coward · · Score: 0

      aren't you just special.

      i hope you choke.

    2. Re:Why the delay? by Krunch · · Score: 2, Informative

      I think people who order the CD get it before it is available from FTP. The FTP release was set for November 1 but it was changed to October 30. http://deadly.org/article.php3?sid=20031030183459&mode=flat

      --
      No GNU has been Hurd during the making of this comment.
    3. Re:Why the delay? by ryanr · · Score: 2

      Me too. I had pre-ordered 3.4 a month or so ago when the idiots were crowing about the OpenSSH patches, as a way to support the OpenBSD project. I think they showed up last weekend.

      Buy the CDs people, and support the project. Plus, you get the OpenBSD songs in full Redbook glory, and stickers!

    4. Re:Why the delay? by Anonymous Coward · · Score: 0
      Larry Wall is not a computer scientist so he designed an ugly mish-mash of a language that is write-only. It is almost impossible to decipher a Perl script 6 months after it has been written.

      What is even more ironic is that Larry fancies himself some sort of "linguist" or "English" major. He went to college and read a couple books on Shakespeare so now he thinks he is some kind of language expert. Well it doesn't work that way.

      Take a look at Perl. Does it look like it was designed by anyone who knew anything about the English language? No, it doesn't. It honest-to-God looks like it was designed by someone who was an Egyptian hieroglyphics major who spent all his free time watching Star Trek -- in other words, someone completely disconnected with reality.

    5. Re:Why the delay? by puff+the+barbarian · · Score: 1, Informative
      and stickers!

      Sadly, my OBSD3.4 CD set included no stickers. Did anyone else get deprived of their stickers?
  18. Er... by Anonymous Coward · · Score: 0

    ... how did this get voted "informative"?

  19. From the changelog by debilo · · Score: 5, Funny

    Remove unlicensed MATH_EMULATE code (written by some guy named Torvalds) from the kernel, leaving only the GNU emulation code for the moment.

    Gotta love that.

    1. Re:From the changelog by Anonymous Coward · · Score: 0

      So is it zealotry, or do they really have a superior replacement?

      Zealotry would mean they didn't bother to ask that "guy named Torvalds" if he'd be willing to put a compatible license on it. They just went "oo! Linux bad! Kill! Kill!"

      Now, if they had a superior replacement, that would be a different story, but the way their changelog is worded, it doesn't look like it to me.

    2. Re:From the changelog by Anonymous Coward · · Score: 1, Informative

      You don't understand the *bsd license.

      It is 100% incompatible with the GPL.

      Code can not be released under both.

      It doesn't matter how good or bad Torvalds' code is. That has nothing to do with it.

      Shortcut description: bsd code is truly free as in free-for-any-use-just-put-our-notice-on-it but gpl code is only free as in free-but-only-if-you-give-us-any-changes-and-any-other-code-that-interacts-too-closely-with-ours.

  20. Re:OpenBSD is crap, heres why - vermillion by Anonymous Coward · · Score: 0

    Feeling better now?

  21. Re:Hey euro-peons by Anonymous Coward · · Score: 0

    here in "europe", we've already been through fascism. we'll see you if you ever get out the other side.

  22. Unfortunately by Ryvar · · Score: 5, Informative

    Unlike 3.3, which made it months before a single security-related patch was issued, 3.4 LAUNCHES with 3 such patches.

    That said, it's such a huge release in terms of changes made (x86 Write or eXecute memory pages, for one) that it's more than worth the upgrade.

    As with most such fundamental updates to OBSD, though, I expect this release to be significantly patchier than the last couple.

    --Ryv

    1. Re:Unfortunately by braddeicide · · Score: 2, Informative

      It's been released with patches because it's already a month old before it's released onto ftp

    2. Re:Unfortunately by KrispyKringle · · Score: 1

      I only see one security patch and two reliability patches. And all of these patches are for vulnerabilities affecting 3.3, which are so recent they simply had not been fixed in the 3.4 release. I don't see that as a very big deal. When you first install RedHat from CD, even if you just downloaded the ISO, you better well patch from the Internet.

  23. Re:How RedHat's Linux Can Defeat Micr$oft's Windoz by DaEMoN128 · · Score: 0, Offtopic

    I am pretty sure that TCP/IP was developed by the military. They needed a better protocol. What you said is true though, BSD and Microsoft did develop the implementations that they use in their OSes at the same time. I think both TCP and IP have been around since the 70's though (just in use at DoD and not majorly on ARPANET, but I could be wrong). Am I correct, or am I making myself look terribly stupid here? PS. Don't Feed The Trolls! :)

    --
    Stop signs are only Suggestions
  24. Europe is living through fascism it now by Anonymous Coward · · Score: 0, Flamebait

    "here in "europe", we've already been through fascism. we'll see you if you ever get out the other side"

    Europe is living through it now, while America is fighting against fascism.

    Anti-semitism is alive and well in today's Vichy France and Nazi Germany. The governments in much of Europe control and run too much of private matters, such as health care and media.

    1. Re:Europe is living through fascism it now by Anonymous Coward · · Score: 0

      what's the link with the Motorola Linux phones?

    2. Re:Europe is living through fascism it now by Anonymous Coward · · Score: 0

      offtopic, someone mod this down.

    3. Re:Europe is living through fascism it now by Anonymous Coward · · Score: 0

      World Peace could reasonably be capitalized. The sentence you quoted uses it like an ideal. Your version of it treats it like an actual thing, and would better be said as "the biggest threat to the world's peace."

    4. Re:Europe is living through fascism it now by Theatetus · · Score: 1

      Because in English abstract nouns usually do not receive the definite article [see Mosse -- accent aigu on the "e" but I'm too lazy to look up the escape code -- for a good history of that]. Hence "Man" referring to humanity in general (compare "l'homme" or "ho anthropos"), or in this case "World Peace" referring to the idea of peace in the world.

      --
      All's true that is mistrusted
    5. Re:Europe is living through fascism it now by Anonymous Coward · · Score: 0

      Hey, what's wrong with state-controlled health care? As a Central European I can tell you I really like it...

    6. Re:Europe is living through fascism it now by Anonymous Coward · · Score: 0

      As a European I believe the study should actually be entitled "Europeans believe organised fundamentalist religions pose the biggest threat to world peace". Which includes your current monkey in charge, George W. Bush.

    7. Re:Europe is living through fascism it now by Anonymous Coward · · Score: 0

      You think George Bush is a fundie? Wow, you people really are living under a rock.

    8. Re:Europe is living through fascism it now by Anonymous Coward · · Score: 0

      Eurotrash, your "civilization" is sinking into the swamps. The Muslims own you motherfuckers. Bow down and worship Allah, you teabagging poof. Put the scarf on your head and bow down to Allah.

  25. Binary format changed to ELF by snake_dad · · Score: 5, Insightful
    Be careful when upgrading from older versions of OpenBSD, the upgrade procedure for i386 is a little bit more complicated than usual. As noted here and here. There's a document describing a possible upgrade path available from 3.3 to 3.4.

    As I was lucky enough to run into this on a relatively new install I could just do a complete reinstall, but not reading the upgrade instructions can get you in a lot of trouble this time... :)

    --
    karma capped .sig seeking available Slashdot poster for long-term relationship.
    1. Re:Binary format changed to ELF by Anonymous Coward · · Score: 0

      I'm a bit stunned that they were using a.out until now. What could possibly keep them from using ELF in the past? Was it because of security concerns?

    2. Re:Binary format changed to ELF by stefanjo · · Score: 1

      If I remember correctly it was because prior to the adding of W^X there was no need to switch to ELF. I could be wrong though.

    3. Re:Binary format changed to ELF by ^BR · · Score: 1

      Well, unlike under Linux, OpenBSD had shared libs in a.out already so there were no ELF features that were really needed. The main reason for going to ELF was that binutils are only well maintained for ELF and the cost of the change was inferior to the cost of maintaining a.out in binutils. And ELF binaries made W^X way easier.

    4. Re:Binary format changed to ELF by Anonymous Coward · · Score: 0
      The GNU project indirectly dictates what binary format OpenBSD must use. Since OpenBSD depends on GNU gcc and g++, and since a.out is no longer supported by GNU, OpenBSD had only one choice: follow GNU or be left behind.

      Anyone who has tried to do up-to-date C++ development on OpenBSD will welcome this change. C++ on OpenBSD has always been kludgy because of the way constructors/destructors and exceptions had to be dealt with. And the state of debuggers on OpenBSD was woefully inadequate for dealing with modern programming languages like C++. Thankfully OpenBSD is unable to support SMP or things would have been much more hairy from a debugging perspective.

      This move to ELF is the first step in getting OpenBSD into the 21st Century, development wise.

    5. Re:Binary format changed to ELF by Anonymous Coward · · Score: 0

      This move to ELF is the first step in getting OpenBSD into the 21st Century, development wise

      I would say it's more like the first step in getting OpenBSD into the 20th Century, really.

    6. Re:Binary format changed to ELF by Anonymous Coward · · Score: 0

      Linux had an a.out dynamic loader for years before they switched to ELF.

      Not sure where you're getting your 'info.'

  26. Re:How RedHat's Linux Can Defeat Micr$oft's Windoz by Anonymous Coward · · Score: 0

    YHBT
    YHL
    HAND

  27. Re:How RedHat's Linux Can Defeat Micr$oft's Windoz by Anonymous Coward · · Score: 1, Informative

    You're wrong. TCP/IP was developed by Berkeley and later included in AT&T Unix. Microsoft's TCP/IP is derived from the Berkeley (BSD) version.

  28. Mirror Operators, Report! by Anonymous Coward · · Score: 2, Interesting

    Does anyone who runs a mirror care to describe the traffic hit that comes with the rush to download 3.4? I remember seeing the stats for the FreeBSD Walnut Creek server handling tons of traffic whenever the next version of something it was serving was released. Generally it was RedHat, ironically.

    While I order CDs to support the project, I run snapshots for many things, and being close to a mirror (OC-3 linking our sites), it takes minutes to install via ftp.

    1. Re:Mirror Operators, Report! by marcovje · · Score: 1


      There is no spike. OpenBSD as only OSS OS doesn't provide ISO's, you need to do your own final release building step, this to keep CD sales up

      Everybody downloads homegrown ISOs from non-official mirrors.

    2. Re:Mirror Operators, Report! by Homology · · Score: 1
      There is no spike. OpenBSD as only OSS OS doesn't provide ISO's, you need to do your own final release building step, this to keep CD sales up

      SuSE does the same, actually.

    3. Re:Mirror Operators, Report! by marcovje · · Score: 1


      Which is why I don't use SUSE either.

    4. Re:Mirror Operators, Report! by Anonymous Coward · · Score: 0

      OpenBSD as only OSS OS doesn't provide ISO's, you need to do your own final release building step, this to keep CD sales up

      Which is wrong. I just downloaded a floppy disk image, made a floppy, and installed 3.4 over the net using the _single_ floppy. done. Now if I want to _patch_ my new system, I can get the source, and apply the patches, compile and install the changes. No ISOs needed anywhere.

      OpenBSD is the only _single_ floppy based install of the *BSD crowd, and maybe Linux for all I know. You need a network connection, and that's it. They use CD sales as the way to fund continued development.

    5. Re:Mirror Operators, Report! by Anonymous Coward · · Score: 0

      fund development? wtf?

      What keeps those Linux kernel hackers going? I don't see kernel.org charging $$ for a "full" kernel distribution.

    6. Re:Mirror Operators, Report! by Anonymous Coward · · Score: 0

      I don't see kernel.org charging $$ for a "full" kernel distribution.

      This site is operated by the Kernel.Org Organization, Inc., a nonprofit corporation, with support from the following sponsors.

      So if OpenBSD had HP, ISC, and others providing support, it might be run a different way. As it is, you can already download a "full kernel distribution" from any of the mirrors for free.

  29. Yes, by Anonymous Coward · · Score: 1, Funny

    it will be called the "Tombstone".

    1. Re:Yes, by Anonymous Coward · · Score: 0

      I thought for things to be modded funny, they'd at least have to be SLIGHTLY original, guess not.
      Let me try... In Soviet Russia, Linux is dying!
      Hahaha that's sure to get me a +5 rating

  30. I've had the CD for over a week by Anonymous Coward · · Score: 0

    Ummm...this is really old news...I've purchased the CD at my local computer book store over a week ago.

    TDz.

    1. Re:I've had the CD for over a week by Anonymous Coward · · Score: 0

      Of course, the 3.4 branch existed in cvs over a month ago. The news is the "official" release date of 11/1.

  31. Re:OpenBSD is crap, heres why - vermillion by Anonymous Coward · · Score: 0
    Theo, you are a jerk

    And a Canadian, too.

  32. Hearts of Iron and alternate history by Anonymous Coward · · Score: 0
    I've been playing Hearts of Iron all day. It's a WWII strategy game on a grand strategical level. Interestingly, I managed to get Italy to ally with me (I'm playing UK) in 1937 instead of Germany.

    Let's see how it turns out. That way I could relocate the UK Mediterranean Navy to the Atlantic and when the Germany attacks France, they'll end up fighting on the Italian front as well.

  33. Re:Pot, meet kettle. Kettle, pot. by Anonymous Coward · · Score: 0
    Go on and look at Bush as the leader of the US. I think the joke's on you...

    Some representatives from the national security services will arrive shortly to discuss this with you. Don't move, the drones are overhead already.

  34. I think his question by mindstrm · · Score: 2, Insightful

    was more like
    "Given the ferocity with which the OpenBSD nazis fix things like this in their code wouldn't this sort of thing, in the kernel, be one of the first things they did?"

    Indeed, I thought this was done quite a while ago...

    1. Re:I think his question by __past__ · · Score: 2, Funny

      Maybe they were busy with their "security by repeated assertion" strategy before.

  35. Don't worry about the ghosts and goblins... by awarnack · · Score: 4, Funny

    It's the DAEMONS you have to worry about... (it had to be said, right? RIGHT???)

  36. Re:A message from Theo by Anonymous Coward · · Score: 0


    Elegy For *BSD


    I am a *BSD user
    and I try hard to be brave
    That is a tall order
    *BSD's foot is in the grave.

    I tap at my toy keyboard
    and whistle a happy tune
    but keeping happy's so hard,
    *BSD died so soon.

    Each day I wake and softly sob
    Nightfall finds me crying
    Not only am I a zit faced slob
    but *BSD is dying.


  37. Re:How RedHat's Linux Can Defeat Micr$oft's Windoz by marcovje · · Score: 1


    TCP/IP was developed for 4.3 BSD NET/2 release funded by a governmental DARPA grant.

    All other OSes borrowed from it, and Microsoft didn't steal it, since Microsoft pays taxes too.

  38. Has OpenBSD fixed its terrible network performance by Anonymous Coward · · Score: 0

    as a story on Slashdot recently highlighted.

  39. Re:How RedHat's Linux Can Defeat Micr$oft's Windoz by Anonymous Coward · · Score: 0

    TCP/IP was developed by Berkeley under contract with DARPA (Defense Advanced Research Projects Agency), as an upgrade to DARPAnet to improve on our ability to have the computer network survive a disaster (aka, Nuclear War). DARPA, of course, has now been renamed just "ARPA" to bring it out of the strictly military realm.

    Microsoft was working on MSDOS upgrades and maybe Windows 286 at the time. So, don't even *include* Microsoft in the history of TCP/IP.

  40. TCP/IP by ndavidg · · Score: 4, Interesting

    From a University of Texas CS instructor's web site:

    The Transmission Control Protocol was first formally specified in December of 1974 by Vint Cerf, Yogen Dalal and Carl Sunshine.

    The link can be found here:

    http://www.cs.utexas.edu/users/chris/think/Early_Days_Of_TCP/index.shtml

    And supporting documentation will be found here:

    http://www.cs.utexas.edu/users/chris/think/Early_Days_Of_TCP/Annotated_Bibliography/index.shtml

    1. Re:TCP/IP by Vint+Cerf · · Score: 1

      You know, I think you're right.

    2. Re:TCP/IP by ndavidg · · Score: 1

      It's nice to have an unbiased opinion agree.

    3. Re:TCP/IP by Anonymous Coward · · Score: 0

      Very funny. Are you related to Bennett Cerf?

  41. Just a thought ... by Scholasticus · · Score: 1

    Since everyone else is doing it now, why isn't there a *.torrent file for this release of OpenBSD?

  42. Hmm a troll? by Tagren · · Score: 0

    It was a joke if ya didn't get that...

    1. Re:Hmm a troll? by Anonymous Coward · · Score: 0

      yeah the BSD moderators can't tolerate a good laugh or two..

  43. Um .... by Anonymous Coward · · Score: 0

    This is 2 days old ....

  44. Re:FreeBSD isn't dead by Anonymous Coward · · Score: 0

    Please go use some Linux and clean up so you stop smelling your own funk, M-kay

  45. WRONG by Anonymous Coward · · Score: 2, Informative

    You can relicense the code. Look at the numerous projects out there that are available under multiple licenses.

    1. Re:WRONG by Anonymous Coward · · Score: 1, Insightful

      But then what's the point of releasing it under the GPL? One could always take the BSDL instead and bypass the restrictions.

    2. Re:WRONG by Anonymous Coward · · Score: 1, Informative

      The point is, if you were nice enough, you might be able to convince Linus to re-release a sliver of his code (in this case the math emulation code in question) under the BSD license.

  46. Via C3 support by Gothmolly · · Score: 3, Interesting

    1.6 Gbit/sec of AES-128? Damn, I gotta get me one of these!

    --
    I want to delete my account but Slashdot doesn't allow it.
    1. Re:Via C3 support by Homology · · Score: 5, Informative

      1.6 Gbit/sec of AES-128? Damn, I gotta get me one of these!


      This is before optimization is done, and according to Theo, this is what they are doing right now. The chip is capable of 12.5 Gbit.

  47. Re:To: OpenBSD team From: Security Exploits by ryanr · · Score: 1


    1 point for sarcasm, -2 points for not knowing that the p designation refers to the portable version of OpenSSH, not patch release.

  48. what I really want to know.. by Anonymous Coward · · Score: 0

    is how you got past the all-caps lameness filter. Way to go!

  49. Guess what... by ^BR · · Score: 0, Flamebait

    I don't use Linux, I use OpenBSD. And I took the pain of downloading the Linux kernel just to give an accurate answer to this guy...

    Like he could have done, unless he doesn't have broadband...

    1. Re:Guess what... by damballah · · Score: 2

      Thanks for being so understanding, I don't have broadband. I figure that it would be common knowledge whether linux used safe calls to these functions or not...I didn't ask you to go through the sources, btw. You put yourself through that.

  50. Re:A message from Theo by ryanr · · Score: 1

    At most 2, if the first one found is shown to be exploitable at some point. The other one was in the portable (i.e. non-OpenBSD) version of OpenSSH only.

  51. Re:Just a thought ... Go buy the official CD's by Anonymous Coward · · Score: 4, Insightful

    Because OpenBSD does not offer any iso images for download. The official iso images are copyrighted by Theo and can only be gotten by buying the CD's or by pirating them. Of course you could make your own homebrew iso images, that's perfectly legal, and then distribute them as torrent files. But the OpenBSD project depends on CD sales to fund the continued development of the OS. Go buy the official CD's.

  52. Re:OpenBSD has worst reputation... by Anonymous Coward · · Score: 0
    ...and you have the worst reputation for not knowing anything about benchmarking.

    OpenBSD is heavily optimised for security; and added security has the con of having an adverse effect on performance. Now, I'm certainly not saying OpenBSD is slow in any way... all I'm saying is, it will never have the performance potential of FreeBSD. Add to that, Fefe's "benchmarks" are about scalability, and are suspect at best.

  53. Re:OpenBSD has worst reputation... by Anonymous Coward · · Score: 0
    OpenBSD is heavily optimised for security
    That's what they are saying... But can that be a good reason for breaking existing code (e.g. IPv6)?
  54. Ports, Not Kernel by KrispyKringle · · Score: 1
    The quote was that "running it over the source and ports trees revealed over a hundred" uses. Now, you may be right to criticize the source tree occurrences--after all, what about that long, long time spent reviewing and auditing all the existing code (three years, if I remember right)--but the ports tree is specifically described as often unaudited and out of date. The ports tree is entirely third-party applications, and the OpenBSD project takes no responsibility for them. Things are hit or miss, and this is just a case of them hitting the mark and fixing a problem that wasn't really theirs anyway.

    OpenBSD makes a distinction between ports and packages; packages are recommended because they are maintained actively and more thoroughly audited; ports are sort of `use at your own risk'.

  55. Re:To: OpenBSD team From: Security Exploits by SuperBanana · · Score: 1
    1 point for sarcasm, -2 points for not knowing that the p designation refers to the portable version of OpenSSH, not patch release.

    Zero points for not being able to pull your head out of your ass and laugh, and for chrissakes, it was NOT a troll, it was a JOKE. Jesus you OpenBSD people are touchy.

  56. Re:How RedHat's Linux Can Defeat Micr$oft's Windoz by Anonymous Coward · · Score: 0

    Actually thanks to great loopholes Microsoft doesn't actually pay taxes...

  57. Re:Just a thought ... Go buy the official CD's by Anonymous Coward · · Score: 0

    I'll go download the FreeBSD ISO's instead.

  58. Re:Just a thought ... Go buy the official CD's by Anonymous Coward · · Score: 0

    and the same BSD zealots claim the BSD license is "more free" than the GPL

  59. Re:To: OpenBSD team From: Security Exploits by Anonymous Coward · · Score: 0

    Jesus you OpenBSD people are touchy.

    How true.. Just hang out on the mailing lists and see the sort of crap replies and overreactions those guys have to everything.

  60. Re:How RedHat's Linux Can Defeat Micr$oft's Windoz by Anonymous Coward · · Score: 0

    ..as an upgrade to DARPAnet to improve on our ability to have the computer network survive a disaster (aka, Nuclear War).

    NO

    Please stop spreading this urban myth. DARPANet was not created to survive a nuclear war. Packet switching was not invented to solve the problem of survivable networks. Stop it.

    TCP/IP was simply developed because the original NCP was poorly designed and limited the growth of the DARPANet quite badly. The NCP to TCP/IP switch over is analogous to the IPv4 to IPv6 switch over.

  61. go hack those SELinux boxes then... by Anonymous Coward · · Score: 0

    The ones that have the root passwd posted on port 80. And yes, the sshd is open and root can login. Still nobody has hacked those machines. And hey, they're actually running services, unlike the obsd "secure by default" but only because all the ports are closed up in the default install...
    Switch to obsd if you want to deal with big developers egos. Switch to Linux if you want to actually get shit done.

  62. C'mon OBSD!! by devphaeton · · Score: 3, Interesting

    Can't you hurry up? Look at the front page of bsd.slashdot.org....

    Freebsd released 4.9 before your 3.4!!!

    (j/k)

    On a side note, reading the 2nd or 3rd post about trojaned obsd ISOs floating around the web is really sad and upsetting. I love the open sharing of software and source code around the internet, but i always fear that someday it will be to a point that *everything* has been tampered with, essentially creating a need to look through more source code than anyone has time for. Sure we can solve this with technology (such as with MD5 Checksums) but as we create smarter verification, the internet will create smarter shitheads. I'd hate to think that it will eventually degrade into a win-some/lose-some cat-and-mouse game.

    I actually lost some sleep a few months back when the GNU folks announced that their main ftp site got compromised. I realise that servers get cracked every day, but when it's gnu/linux/bsd/oss folks it feels personal.

    I'm not well acquainted with any $krYp+ KyddI3z, cr4x0rz or know what they use, but i'll be willing to bet that their OS and many of their tools are based on software from those they are attacking.

    Assholes.

    --


    do() || do_not(); // try();
    1. Re:C'mon OBSD!! by Anonymous Coward · · Score: 0

      Agree, but in this case the solution is easy... don't install OpenBSD ISOs as they were certainly NOT released officially. Buy the CDs or install via ftp or http from an official OpenBSD mirror.

  63. And in case you think I'm bullshitting... by Anonymous Coward · · Score: 0

    Here's the page with login info:
    http://selinux.dev.gentoo.org/
    Good luck there Mr. "Linux is about as secure as Windows".

  64. Re:OpenBSD song tsarkon reports on openbsd by Anonymous Coward · · Score: 0

    This isn't a boy band, or a high school rock group! It is supposed to be a rendition of UNIX. This garage band mentality as applied to UNIX is not fun to watch, nor is it funny.

    On several occasions OpenBSD has proven to be unusable due to its horrific performance.

    I don't particularly care for the incoherent mess that is Linux, but there is no compelling reason I see to not deal with Linux over this when considering performance.

    OpenBSD is amateurish because security without performance is purely academic and has no value, commercial or otherwise.

    I'll be sticking with FreeBSD. I tend to like the coders and the project to have serious goals and real commercial value.

    For all you fanboys out there, get a job doing something else. Sipping on a latte in a net cafe on your laptop running OpenBSD furiously sucking down the battery isn't cool. Working for a place without an air conditioner unit is also just as lame, because using deprecated PC equipment running an attempt at BSD isn't cool either. And of course, the last possibility is that you neither have a job making latte, nor work at a garage ISP, you are probably unemployed. I'd like to suggest you stay that way so the rest of us can make progress without another fumbling retard in the mix.

    You. Your pathetic OpenBSD. Low low/no paid existence. Hahahahahaha.

  65. Re:OpenBSD song tsarkon reports - reviled by Anonymous Coward · · Score: 0

    you are a pathetic loon tune fat sexless greasy fucking DORK.

    you also suck, you suck at your job, and you wouldn't know if you sucked in the sack unless a blowup doll could do a tell all.

    and i know you order yoda buttplugs, you fucking queer.

  66. Spoken like a true Linux user/MS Hater by Anonymous Coward · · Score: 0

    I really hope this was a joke post, cause I am pissing myself laughing over here...

  67. Re:A message from Theo by mirabilos · · Score: 4, Informative

    The two bugs you mention, weren't actually bugs
    in OpenBSD.

    * one was a bug in PAM and most GNU vendors
    * one is a bug, but can't be exploited due to
    W^X, propolice, NXSTACK, NXHEAP and friends.

    Heck, I've tried the gobbles exploit again
    against OpenBSD-2.9-OpenSSH where it worked
    back then. It failed to run due to these four.

    --
    My Karma isn't excellent, damn it! (And /. still does not get UTF-8 right in 2012. Wow.)
  68. OpenBSD benchmarked by Anonymous Coward · · Score: 0
    Recently there have been some benchmarks comparing OpenBSD to other software. Unfortunately OpenBSD had its hair mussed by the operating systems performance test suite. On the bright side, if you don't know your shortcomings, you can't fix 'em. In the long term this stumble will be a plus because at least now we know what needs fixing.

    Fefe has written a very interesting article about the current state of art in system performance and how OpenBSD stacks up. Plenty of good insights there for the technically savvy reader. Sad to say, this latest release of OpenBSD 3.4 has not yet addressed the problems, but future releases will hopefully be in a better position to deal with these shortcomings.

  69. Re:Has OpenBSD fixed its terrible network performa by Anonymous Coward · · Score: 0

    Theo has said that he is not interested in network performance or even competing with other systems performance-wise. He went on to say that his main concern is buffer overruns. That is where the bulk of the OpenBSD development work is being directed.

  70. Re:Just a thought ... Go buy the official CD's by Anonymous Coward · · Score: 0
    Free as in beer has nothing to do with freedom...


    Theo is trying to make *a living* here. It's called being realistic!


    And yes, the BSD license is more free than the GPL


    And no, I am not a zealot, you are just a troll.

  71. Re:To: OpenBSD team From: Security Exploits by ryanr · · Score: 1

    Heh, rather amusing since you're guilty of exactly the thing you accuse me of. :)

  72. Re:A message from Theo by Anonymous Coward · · Score: 0

    Bones said it best: It's dead, Jim.

  73. Re:Just a thought ... Go buy the official CD's by Anonymous Coward · · Score: 0

    :cough: hypocrisy :cough:

    you just proved my point exactly

  74. Re:A message from Theo by Anonymous Coward · · Score: 0
    You know, outside of a few socially backward dweebs, no one, but no one, uses BSD.

    Yes it's dead. The BSD zealots need to wake up and smell the coffee.
    They also need to shower, brush their teeth, lose 100 lbs, and get a life.

  75. Re:To: OpenBSD team From: Security Exploits by Anonymous Coward · · Score: 0

    I fail to see how what you said in reply to him could possibly even remotely even be interpreted as a joke.

    Just admit that you missed the joke and move on.

  76. Re:How RedHat's Linux Can Defeat Micr$oft's Windoz by Anonymous Coward · · Score: 0
    Everything reminds me of you so much. When we pass by Chilis I remember you sitting across from me eating your favorite salad. You always told the waiter to take off the little white crunchy things ... because you hated them. And when we drive by billboards that say An Army of One, it makes me remember you in your military uniform. How you always made a crunching sound when you walked, and how you shined your big boots every night before you went to bed. I miss seeing that all the time. Little things that I took for granted when you were here seem priceless now.

    One thing that I regret is when you wanted to open my car door for me, but I always got it myself. I wish I would have let you do it. And when you wanted to hold my hand, I sometimes would pull away because I didn't want people to see me holding my daddy's hand ... I feel so ashamed that I cared what people thought of me walking down the parking lot holding your hand. But now I would give anything just to feel the warmth of your hand holding mine.

  77. Re:A message from Theo by Anonymous Coward · · Score: 0

    Do bugs really matter when it's dead anyway? I don't think so.

  78. Re:OpenBSD song tsarkon reports on openbsd by Anonymous Coward · · Score: 0

    retard fuck off

    i see you have freetime on your callcenter day job to answer slashdot

    fuck the rest! they call it BSD!

  79. Re:Just a thought ... Go buy the official CD's by Anonymous Coward · · Score: 0

    The license IS more free. Your comment has nothing to do with the license.

    Getting the distribution is of course completely free. You are apparently just too lazy to get and install anything other than an ISO.

  80. Re:OpenBSD song tsarkon reports on openbsd by Anonymous Coward · · Score: 0

    Hi.

    When backward people don't understand something, they lash out at that something, often blaming its behavior on demons or other supernatural things.

    When looking at my wisdom with your primitive mind you may feel anger, hate and fear. But it's ok. Pull up a chair and learn something, my little stupid subject. You have a lot to learn about using computers as tools, clearly. Now you might be having fun being Theo's bitch, but you are a bad employee, an idiot, and fairly useless and most likely not employed at the moment. You are a sad person, Mr. Small Penis man.

    Now go grab your antonio banderas blow up doll and fill your mind with some serotonin after that orgasmic release. You'll need it after reading this and realizing you are below me, at the bottom of the food chain, and a poor fat sexless greasy nerd idiot that can't even function at any level physically, with your frail girly body with little T-rex barney arms.