OpenBSD 3.6 Live

An anonymous reader writes "There is a mounting excitement for the upcoming OpenBSD 3.6 release, as it is the first release that supports multiprocessor systems. To celebrate the event, ONLamp.com published an interview with several developers to discuss new features, tools, and future plans."

JUST EMBRACE DEATH, TIRED *BSD USER! IT'S DEAD!

tsarkon reports America! Fuck Yeah!

America...! America...!
America, Fuck Yeah!
Coming again, to save the mother fucking day yeah
America, Fuck Yeah!
Freedom is the only way yeah,
Terrorist your game is through cause now you have to answer too,
America, Fuck Yeah!
So lick my butt, and suck on my balls,
America, Fuck Yeah!
What you going to do when we come for you now,
it's the dream that we all share; it's the hope for tomorrow

Fuck Yeah!
McDonalds, Fuck Yeah! Wal-Mart, Fuck Yeah! The Gap, Fuck Yeah! Baseball, Fuck Yeah! NFL, FUCK, YEAH! Rock and roll, Fuck Yeah! The Internet, Fuck Yeah!

Fuck Yeah!

Starbucks, Fuck Yeah! Disney world, Fuck Yeah! Porno, Fuck Yeah! Valium, Fuck Yeah! Reeboks, Fuck Yeah! Fake Tits, Fuck Yeah! Taco Bell, Fuck Yeah! Rodeos, Fuck Yeah! Bed bath and beyond (Fuck Yeah, Fuck Yeah)

Liberty, Fuck Yeah! White Slips, Fuck Yeah! The Alamo, Fuck Yeah! Band-aids, Fuck Yeah! Las Vegas, Fuck Yeah! Christmas, Fuck Yeah! Popeye, Fuck Yeah! Republicans (republicans) (Fuck Yeah, Fuck Yeah)

Fuck Yeah!

Re:tsarkon reports America! Fuck Yeah!

Hey Bud, your keyboard is stuck. That or your brain, can't tell which......

Re:tsarkon reports America! Fuck Yeah!

Where's the "Slavery, Fuck yeah!" part?

Seriously, it's in the song.

Re:tsarkon reports America! Fuck Yeah!

[_the_bascule]

Reebok are actually a British founded company. Reebok's United Kingdom-based ancestor company was founded... very brief history

*BSD obviously not dead.

[NekkidBob]

There has been so much development in all the BSD's, and a new BSD system (DragonFlyBSD) coming out, how can anyone say *BSD is dead? The OpenBSD community has even pushed some vendors to release firmware for various hardware in a more open source way. If a "dead" community can convince hardware vendors to do that, then why isn't the Linux community doing more to make vendors release more firmware/docs in an open way.

Re:*BSD obviously not dead.

[xbsd]

If a "dead" community can convince hardware vendors to [release firmware for various hardware in a more open source way], then why isn't the Linux community doing more to make vendors release more firmware/docs in an open way.

You're assuming vendors are releasing firmware because they care about the *BSD community, but most BSDs were stable (and by far more complete) systems back when Linus was asking for help in the mailing lists, yet in all these years most vendors couldn't cared less about them. Only after IBM, HP, Sun and those giants joined Linux vendors took the movement seriously.

Re:*BSD obviously not dead.

BSD was also much older than Linux when Linus was asking for help. Cut the elitiest bullshit, use what you want because you want to.

Damn

[armypuke]

SMP support on OpenBSD/i386 and OpenBSD/amd64 platforms.

I was getting my hopes up that I could finally run OpenBSD on a couple of multiprocessor Sun boxes that I have.

Damn

Re:Damn

[NekkidBob]

Well if you have enough to spare one, I'm sure a developer could use a multiproc sun box, check their wanted hardware list about donating one to further smp for sun.

Re:Damn

Why should I donate raw hardware to a dying cause of an operating system? Slackware OWNS! Slackware > *BSD!

Re:Damn

You certainly can run it on a multiprocessor sun box, It will just use only one CPU

Re:Damn

[armypuke]

Duh!!!11!one!!11!oneone

Re:Damn

[setagllib]

Slackware: No decent package management. No easy way to recompile entire system, let alone update it. rc script structure that's been deprecated for decades. Installer has a 1/3 chance of breaking installation. Releases happen very rarely and no way to keep track of progress 'in between' releases.

Any BSD (include Gentoo): Source-based package management, with binary packages on the BSDs (no central packages in Gentoo though). Updating and rebuilding is always a one-line command. Entire operating system can be kept track of within the same hour as developers commit changes (BSD) or as things get released/re-masked (Gentoo). Security gets announced and resolved in-tree (BSD) or at least patched when somebody gets around to it (Gentoo, but their excuse being they don't maintain the code, just patch it). Apart from FreeBSD and DragonFly BSD, the systems can run on unspeakable amounts of different machines, archs and configurations, some better than others, but still possible.

Granted, Bob and the Church of the SubGenius are way cooler cultural icons than daemons and penguins, but that doesn't justify it. I started my Linux life with Slackware and if it hadn't been for my investigation into FreeBSD a while later I would have left it at that, never to return.

Re:Damn

You can run NetBSD on your multiproc Sun box and get working SMP with a nearly identical underlying OS.

Re:Damn

[_the_bascule]

Any BSD (include Gentoo)

errr, and where/how is that association being made??

Apache on OpenBSD

[jpkunst]

Apache on OpenBSD always had a lot of security-related patches compared to the regular Apache (chroot for example), but it seems that Apache on OpenBSD can now be considered a real fork:

After the 1.3.29 they decided to muck with their license, introducing stupid patent terms without understanding what they turned their license (that used to be a BSD-derived one) into with that, so we cannot import new versions unless they fix their license. It is not a big loss tho'. The Apache people have mostly given up on 1.3 anyway, and all that happened over the last years was bug fixes, documention work (actually, mainly translation), and some stupid code shuffling, that only made diffs bigger without improving anything. Now that it is certain that we don't have to worry about syncing to them any more, we can start making the mess of code readable tho'.

JP

Re:Apache on OpenBSD

[jtharpla]

Indeed, they should rename it and continue to fork away, ala IPF->PF. Personally, though I know the roots were political, I have enjoyed the results. I prefer the OpenBSD-flavored Apache because of it's out-of-the-box chroot config. Somethings that would be nice to add in would be RedHat's default of having a directory of config files (easy enough to configure after the fact) and having a decent log rotation scheme. I ended up using VLogger, which is a nice Perl script that I found. Works well for hosting multiple sites.

Re:Apache on OpenBSD

Indeed, they should rename it and continue to fork away, ala IPF->PF.

"Pache"

Fact: *BSDs are growing. :-)

FreeBSD, Stealth-Growth Open Source Project
Nearly 2.5 Million Active Sites running FreeBSD

Re:Fact: *BSDs are growing. :-)

Nearly 2.5 Million Active Sites running FreeBSD

Holy crap, wow, just amazing! Man, wow!

Lets see, that's an amazing 6.7% of the web sites out there. Oh... hmmmm, OK.

Meh.

Re:Fact: *BSDs are growing. :-)

You are confusing websites for webservers there smarty man.

...because *BSDs are growing. :-)

FreeBSD, Stealth-Growth Open Source Project
Nearly 2.5 Million Active Sites running FreeBSD

Mod parent -1, Offtopic

Parent comment links to FreeBSD articles, this thread is about OpenBSD.

Re:Mod parent -1, Offtopic

I posted those links just to show BSD's growing, not to promote the use of 1 variant over another: FreeBSD can't beat OpenBSD at security, for sure (nobody can, I guess).
Anyway, ok: I'll post material that's more on-topic in the future :)

At least he's honest

[cmad_x]

FB: How does this compare with FreeBSD 4, FreeBSD 5, and DragonFlyBSD? Niklas Hallqvist: Actually I don't know. I'd expect we'd do worse in anything that is interrupt-intensive. We probably do worse even for the common case where several runnable processes exist simultaneously as well. But ... we do not aim to compete at the edge here. We want to make scalability happen without disrupting our security and robustness track record. We just have other priorities.

Well at least he's being honest, unlike *cough* other people/companies. Go OpenBSD security!

What an Interview! Wireless firmware storm brewin

I have never seen so much credible info from so many of the OpenBSD developers! I understand now a little more how they approach things. I wish I could read a similar article on the others, to see how FreeBSD and NetBSD and DragonflyBSD compare. Hopefully Oreilly will see the uptick in web hits and keep it up, with some more interview type articles.

There is a storm brewing over at the OpenBSD Journal web site at http://undeadly.org over including binary blob files in the kernel for the fariuos wireless cards. I have to agree with the premise: You vendors put your binary firmware files on all the CDs you sell with your wireless cardss, so if anyone wanted to reverse engineer yoru stuff, they just have to buy the card and they get the binary file. OpenBSD just wants to put same file in their distribution so if you plug your wireless card into an OpenBSD system it will get recognized and used. Sounds simple enough to me. The other approach is to somehow download the file (freely available on sourceforge or from the vendor, or the CD that came with your little card..) That makes it so much more involved for installing.

The short version: Some companies see the light and are cooperating, others, notably Texas Instruments http://www.ti.com have been strangely silent. Fasten your seat belts, fellow puffys.

On this note

I never really understood why many commercial vendors are developing software for linux and not BSD.

An example would be Oracle. I was comparing Linux to OpenBSD and I can't really figure out why so many people choose Linux over OpenBSD. Both have package management, good software support, and standard *nix features. OpenBSD on the other hand has features no other unix has such as secure levels and it is secure out of the box.

Why would anyone select an OS (expecially for network infrastructure) that is not secure by default?

Re:On this note

Usable performance, is one thing. Support for enterprise-grade systems, is another. Commercial support from major manufacturers still another. Finally you have a much bigger user base. Its pretty much a no-brainer really.

Re:On this note

Simple, because Linux is all about 'money' not being 'free' - ie, read the GPL... translated in layman's terms: "This code is free, but not really, so here's your restrictions..." And the second thing is, Linux is 'copying' MS in many, many ways! Linux people tend to hate MS, but they mimic and try to be windows just the same. What a joke if you ask me.

Re:On this note

[setagllib]

The other BSDs have security levels. OpenBSD has a lot of things they don't, still, a large part of which is that it randomizes practically everything, making it very difficult for even a local attacker to know what the kernel is going to do next. They also yank out any external software that isn't getting properly treated against exploits, so their base package is still as firm as possible, and even ports are treated with great care.

In practice, FreeBSD and NetBSD are about as hard to exploit remotely, but they don't take care of every possible exploit, so in theory there are still some holes. NetBSD is still a lot faster than OpenBSD (unless some miracle happened and I missed it) so a 'real world' server might benefit more, but for a stronghold of impenetrable security that doesn't need every last drop of performance, OpenBSD is the choice.

Linux is nowhere near any of this. The code is sloppy and dirty (no, nobody can argue this, don't even try, just go read some yourself) and few distributions actually take security seriously. It does happen to perform better in many synthetic tests, and definitely on SMP, but the difference for most cases is so minimal that it's hard to understand why anyone would run Linux on a server and not a BSD.

I put it down to hype. Business love to advertise their adoption of Linux and their entrance into open-source, because that's what customers want to hear, especially Linux zealots. The businesses (hell, even governments now) certainly aren't scientific about it, using an "operating system" (I still call Linux a kernel, up to you) mashed together from seemingly infinite and inconsistent projects and parents'-basement-developed hacks. The source shows this, hell even configuration shows this, but they seem to be okay with this so long as it sounds good. Or, and I wouldn't be surprised, they've never heard of BSD.

Re:On this note

I never really understood why many commercial vendors are developing software for linux and not BSD.

Why are so many commercial vendors developing software for Windows and not RSX-11???!?!???!?!??!!!?!? Someone answer meeeeeee!

Re:On this note

The point of the GPL is to keep the code open and it only applies when your distribute GPL code. I don't see how the BSD keeps the code open when any company can come along and just take it, and not give back.

The GPL is why companies are moving to Linux, why bother writting code that the competitor can use and not have to show their own code. Atleast with the GPL there is an even playing field created as far as the code goes.

Re:On this note

[Triumph+The+Insult+C]

the openbsd project isn't asking for the firmware to be opened up and licensed with a bsd license. they are simply asking for the rights to redistribute the firmware with the base os. as it stands, the license on the firmware doesn't permit that

Re:On this note

"it's hard to understand why anyone would run Linux on a server and not a BSD"

How about:

1) Much, much longer supported releases (eg RHEL's 5+ years vs F/N/OBSD's 12 months) -- this is VERY important

2) Wide and mature range of commercial support

3) Ease of updating. No messing around with CVS and having to compile stuff

Outside of basements and omg-ADSL-home-servers, these things are CRUCIAL. Go into any large company and you'll see this.

So there are some very significant and rational reasons for choosing Linux on the server.

OpenBSD 3.6 released

[dhartmei]

The official release has just happened. Here are the official announcement, the undeadly.org thread and a torrent for the i386 binaries (149MB, matching MD5 which might beat some of the mirrors). Cheers ;)

Re:OpenBSD 3.6 released

[EvilAlien]

Thanks Daniel. For some reason, the /. minions rejected my submission of a frontpage story to that effect, including plugs for the torrent (via IRC) and ordering CDs to support the project. I can only assume that the anti-BSD Linux Zealots are responsible... /me shakes his fist

Thanks to you and the rest of the crew for making sure I have something geekish to do this weekend.

Re:OpenBSD 3.6 released

[OttoM]

Most common reason for a reject is a dup. We'll see....

Re:OpenBSD 3.6 released

[Shanep]

(149MB, matching MD5 which might beat some of the mirrors). Cheers ;)

Thanks Daniel.

Just wondering, is it still safe to trust MD5? It is not now easier to create a bogus file with the same hash? I thought SHA1 would now be in use for this.

Thank you very much for pf and all your OpenBSD work btw! I've been using since 2.5 and pf is probably the most impressive part of OpenBSD as it currently stands (for me).

Re:OpenBSD 3.6 released

[tedu]

it would still have to pass the zlib crc in order to decompress. and then the attacker has to hope whatever esoteric changes they made are actually useful to them.

anyway, where are you getting the md5 from? the same ftp server where you're getting the release?

Re:OpenBSD 3.6 released

[OttoM]

MD5 is still safe for the purpose of file digests. The methods published do not allow the attacker to find a collision for a given digest value. Check this FAQ for some details.

Re:OpenBSD 3.6 released

[Shanep]

anyway, where are you getting the md5 from? the same ftp server where you're getting the release?

Good point. Funnily enough, I've brought that up a few times myself in the past. ; )

Re:OpenBSD 3.6 released

[evilviper]

anyway, where are you getting the md5 from? the same ftp server where you're getting the release?

Well, an MD5 is very small, and could easily be checked. If I was running the OpenBSD project, I'd have a machine with all the correct hashes, downloading the hash files from each server ever hour, and rasing hell if they're different. That would take care of the problem, if only the people running the project even cared.

Re:OpenBSD 3.6 released

[JamesTRexx]

Still nothing to see on the frontpage. And even the comment I had posted earlier hasn't shown up in my list of comments...
Is there some auto-ignore bit set on this section or something?

Re:OpenBSD 3.6 released

[r2q2]

I believe even though it is feasible to create a file that has the same hash as the other file its not a feasible comprimise. So MD5 is safe for now but given the paranoia when using openbsd they probally would or should provide an SHA1 hash.

Upgrade Pain

Is there an easier way to upgrade to 3.6 from 3.5 without removing all the packages?
I have a fairly amount of packages, but I would also want minimum downtime for the upgrade. Maybe a make world make install mergemaster (reboot) would work better. Any ideas?

How stable is the SMP stuff?

Re:Upgrade Pain

[OttoM]

How stable is the SMP stuff?

Quite a generic question, so let's that split up:

• Is it stable enough to be part of the release? Yes, and according to OpenBSD standards that actually means something.
• Will there be bugs? Probably.
• Will these bugs affect you? That's for you to try and decide.

Re:Upgrade Pain

Been running -CURRENT on an i386 SMP box for about 4 months now. After a few panic hiccups the first few weeks (lots of code changes, some little bug) its been stable ever since.

They have just got multiprocessor support??!!!

Why they may not be dead - this OS has been travelling around in a walking frame!

I'd keep this embrassing lack of functionality a secret.. Good god.

Re:They have just got multiprocessor support??!!!

[Shanep]

I'd keep this embrassing lack of functionality a secret.. Good god.

They had specifically avoided SMP for many security related reasons.

Maybe with HT and multicore CPU's on the horizon, SMP suddenly has become a lot more important?

The State of the Demon Address

It's an exciting era in the Berkeley Software Distribution world; indeed, things started off with a litigious bang over a decade ago, but now BSD solutions are more varied than ever before and offer the user heretofore unprecedented choice and power. So many are the options today that it's time for a roll call from the various distributions. Each of the four major BSD projects are pushing forward with development and experiencing growth, diversifying the Open Source playing field's offerings Let's take a look at what each project is up to these days.

FreeBSD

FreeBSD is in a precarious state. While it's almost hit critical mass in the corporate world, their latest growing pains have left potential adopters confused. The new FreeBSD 5 branch offers some exciting technology, generally regarded as comparable with or superior to what is offered in Linux. The FreeBSD foundation is still upgrading its FreeBSD 4.x line and suggesting its use for production environments over FreeBSD 5. The reasons for this are very simple FreeBSD 5 won't be ready for prime time until FreeBSD 5.4 or 5.5 but users are left confused and timid.

FreeBSD's last major release, which now sits highly optimized at version 4.10, works just as well as always. For systems already running with FreeBSD 4.x that see no need to adopt the new technology in FreeBSD 5 or jump to Linux, this operating system is a godsend in stability and continued support. FreeBSD 4.11 is scheduled for a February '05 release, while plans for FreeBSD 4.12 are on the backburner should FreeBSD 5 not achieve -STABLE status by the fourth quarter of 2005. But what if you need the technology available in FreeBSD 5 and don't want to jump to Linux?

FreeBSD 5, currently available at FreeBSD 5.2.1 with FreeBSD 5.3 in late beta, tantalizes the BSD world with the culmination of several year's hard work and narrow escapes. Back in the late Nineties, when WindRiver bought BSD/OS (a closed-source BSD operating system owned by the now-defunct BSDI), FreeBSD users were promised a next-generation BSD made possible by crossing the ultra-robust corporate OS with its Open Source counterpart. While WindRiver let go of its plans leaving the future of FreeBSD in peril, the realization of its goal is almost here thanks to the FreeBSD community and Apple Computer, Inc.'s contribution of FreeBSD code.

That almost is a killer, though, in that it now causes potential users to look elsewhere for modern operating system features elsewhere until FreeBSD 5 is blessed as stable. Given FreeBSD's track record and the corporate sponsors now behind its operating system, however, it has a bright future ahead of it despite these stumbling blocks. Sadly, the same can't be said for its two little brothers, NetBSD and OpenBSD.

NetBSD

NetBSD's claims to fame aren't its optimization or secure code it's instead known for running on a wider variety of platforms than any other operating system out there, including Linux. NetBSD's binary releases include support for an amazing 40 platforms and an additional 12 platforms in the source code. In other words, it runs on everything but the kitchen sink. NetBSD forked from the 386BSD/4.4 BSD merger in 1993 and continued on its own in parallel to FreeBSD since then, albeit at a slower pace. It's currently at version 2.6.1, with aggressive testing on the new NetBSD 2.0 promising fruition by the first half of 2005.

Those familiar with NetBSD swear by it, though its use in serious environments is limited. It is not secure and device driver support is paltry at best. NetBSD's true usefulness comes in providing developers of other operating systems such as FreeBSD, OpenBSD, and Linux with hardware support to base their own new ports off of. For instance, much of the code for the PowerPC FreeBSD port comes from NetBSD. OpenBSD implemented support for AMD64 by means of hefty imports from the NetBSD source tree, and Linux runs on Motorola's ColdFire processor family thanks to the work previously for NetBSD

Re:The State of the Demon Address

Who the hell wrote that?

Re:The State of the Demon Address

Either the GNAA or Trollaxor.

Props

[jazman_777]

OpenBSD showed me, security-wise, how crufty and cobbled Linux is. IPtables? Are you kidding? pf rolls it up and smokes it.

Re:Props

[Ricin]

And pf was of course modeled after Darren Reed's ipfilter which was OBSD's package filter software in the past (until there was some disagreement), and NetBSD's (still now) and optionally FreeBSD's (one of two, now three).

In fact I think iptables was somewhat modeled after ipflter. There has been an ipfilter port for RedHat around RH5 IIRC but it got abandoned.

Re:Props

[setagllib]

iptables modelled after ipfilter? I had always been under the impression it was moddled out of clay.

No user->kernel facility interface should ever be that dirty, much less a packet filter. Sure, the way it handles NAT and everything in one relatively uniform way is kinda handy, but the syntax and rigidness is disgusting. You can have a range of ports, or a list of ports, but not a list of ranges of ports. Don't even think about logging and acting on a packet in the same rule. Just pathetic.

ipfw, pf, ipfilter, they're all so much cleaner and so much more useful. With OpenBSD's new rule optimizer this is even more awesome. I still think natd/ipnat/ would be better off merging their functionality into the filter itself, even if only to make dynamic NAT rules by shell script easier.

About the artiche "The State of the Demon Address"

Here's the original link... but now the page says:
"This article has been removed because many points made within it have been deemed unfactual." :-)
That was a lousy article indeed. The *BSDs deserve much better reviews.

Re:About the artiche "The State of the Demon Addre

[Triumph+The+Insult+C]

a review typically implies that the reviewer actually used the product. after reading that 'review', it was apparent that the reviewer did nothing of the sort

binary updates

[rsax]

I know I sound like a broken record but I like to dream about the day when the BSD OSs will have binary updates. Just imagine reading your security alert emails and noticing

"Eilko Bos reported that radius authentication, as implemented by login_radius(8), was not checking the shared secret used for replies sent by the radius server. This could allow an attacker to spoof a reply granting access to the attacker."

Uh oh, OK I better grab and install the update.

# pkg_add ftp://ftp.openbsd.org/pub/OpenBSD/patches/3.5/020_ radius.tgz

Instead of...................

# ftp ftp://ftp.openbsd.org/pub/OpenBSD/patches/3.5/comm on/020_radius.patch
# cd /usr/src
# patch -p0 # cd libexec/login_radius
# make clean
# make
# make install

Now do this on every OpenBSD, or whichever BSD, box you administer. Don't even get me started on release upgrades; ie. from 3.5 -> 3.6

Re:binary updates

[setagllib]

Don't all the BSDs offer binary snapshots anyway? NetBSD churns them out every 3 days for people/machines that can't build from source easily enough.

Binary updates would be handy, or better still, a mechanism that fetches security patches automatically, merges them into the source tree, recompiles only the bits that are needed, and installs them, then prompts you (/var/log/security would be fine even) to restart the server (or optionally does it on its own, if it's no showstopper to lose the server for a second).

It's never bothered me though. The very very few security patches the BSDs come up with get merged into the source tree, and I'm a "build from source once enough things change" kind of guy.

Sorry to be off-topic for a moment, but this has been killing me, has anyone compiled a netbsd-2-0 world without having it break on groff? I've tried everything but it seems that flex/whatever doesn't churn out .h's like it should.

Re:binary updates

[evilviper]

Now do this on every OpenBSD,

Not the case. You only need to do the compile on one, and distribute the binaries to the rest of your machines.

Don't even get me started on release upgrades; ie. from 3.5 -> 3.6

Why not? It's trivially easy. Merging old config files with new ones is the only thing you need to do maually. Config files don't change often, so it can be skipped, with little chance anything you run will have a problem.

Not like any other OS has the upgrade path perfected. You sure as hell don't dare upgrade your Windows machines. I don't know anybody that upgrades their Linux machines, at least no more than installing a few RPMs of newer programs. It's generally best to start clean with Linux.

Re:binary updates

[rsax]

Not the case. You only need to do the compile on one, and distribute the binaries to the rest of your machines.

I'm assuming you're referring to the release(8) procedure which will generate base35.tgz, etc35.tgz, comp35.tgz, misc35.tgz, man35.tgz etc.

Now how large is base35.tgz? Approximately 30 megs? It doesn't make sense to transfer 30 meg updates to numerous machines to apply an update for just a couple of files that could have been 1 or 2 megs if smaller binary updates were available. Well atleast it doesn't to me anyway. I guess beggars can't be choosers. Although right now I primarily use FreeBSD so it doesn't have the simple .tgz archives.

DISCLAIMER: I'm not a developer

I read this comment in a mailing list. Wouldn't it be awesome if /usr/src tree would be structured in a way that /usr/ports is right now? So you could apply that radius source patch to your /usr/src tree and then

# cd /usr/src/net/radius
# make package clean

Resulting in radius_version.tgz which could easily be installed using existing pkg_* tools.

Re:binary updates

[arussell]

Ok, try instead on your test/install/nfs server,
do the make clean, make make install,
then go to each server and install the moded binary over nfs on each system...

Re:binary updates

Install freebsd-update from /usr/ports/security. It will at least patch security holes in the base install.

Re:binary updates

The demand seems to be high enough; I am surprised that no users have begun their own project to release binary patches in sync with the release of source tree patches.

Now do this on every OpenBSD, or whichever BSD, box you administer. Don't even get me started on release upgrades; ie. from 3.5 -> 3.6

Doing source patching or upgrading is not too much of a headache if you have the source trees mounted over NFS. If you have to compile for multiple architectures, you can also mount the source from the NFS server to any location, create a local /usr/src, and use the 'lndir' command to create a symbolic link tree to the NFS sources.

Re:binary updates

[tedu]

no, i think he's referring to the [s]cp command.

foreach host (`cat ~/myhosts`) scp login_radius $host:/usr/libexec/auth end

Re:binary updates

[evilviper]

I'm assuming you're referring to the release(8) [openbsd.org] procedure which will generate base35.tgz, etc35.tgz, comp35.tgz, misc35.tgz, man35.tgz etc.

No, not at all. You can quite easily transfer only the changed binaries.

Make release is not necessary, although it's certainly a good way to make new patched install CDs in-between releases if you like.

Re:binary updates

[rsax]

No, not at all. You can quite easily transfer only the changed binaries.

How? Is there a sure fire way of tracking each and every binary that changes after applying a patch? Lets take this patch for example. How can I archive the resulting updated binaries?

Re:binary updates

[emidln]

A couple ideas on this. (Note: none of these are perfect, but they work very well for me.)

Update the system using cvsup or anoncvs and then go to the directory of the changed file. Run make clean && make and then take a quick peak into the Makefile. Note where the program is installed to, and then place it there.

Now, from the system root (/), run "tar -czvf binary-update.tgz /path/to/binary". Distribute the resulting tgz and unpack it in the root directory. This can be automated with scp, ssh, and a bit of ksh script. In fact, I bet the whole thing could be automated for programs since OpenBSD uses statically compiled binaries when at all possible.

Re:binary updates

Umm... Easy.

libz.a,libz_p.a,libz_pic.a are all copied over to /usr/lib. Just watch what the Makefile does when you make install and you can see what's updated. Read the Makefile if you need to,

If you're really unsure, just build the files on one machine then just make a tarball out of /usr/src/lib/libz and copy it over to your target machine, then type make install at the shell. No compilation necessary.

"Funny" things

[ulib]

>> Nearly 2.5 Million Active Sites running FreeBSD
> Holy crap, wow, just amazing! Man, wow!
> Lets see, that's an amazing 6.7% of the web sites out there. Oh... hmmmm, OK.

More properly, that should be modded "Silly" - or "Clueless GNU/Linux zealot". Time for new categories.. :) - because

- Considering the lack of media hype, it *is* indeed an amazing result.

- That link was posted in response to people cluelessly asserting that BSD's dying, and that's indeed a pretty convincing answer, I think, since that number is growing at the rate of half a million a year.

- No one suggests *BSD is the leader in the OS market. The leader is still Windows(TM). Reason? Well, too few competent people around. :)

P.S. Since OpenBSD's the proper topic, let's note that it's getting more and more attention from the specialized press. Here and here are a couple of very recent interviews with the project leader Theo de Raadt, talking about the history and philosophy of OpenBSD.

openbsd is so slow

openbsd is so slow, very unfortunate.
Giant lock smp, sorry ;(
Does not scale ;(
Big O(n) algorithm mostly ;(
Nice OS otherwise, but I much prefer NetBSD.

Re:openbsd is so slow

[setagllib]

That wasn't actually a reply to what I said at all, but I agree with you anyway, NetBSD is the one for miling performance out of machines and software. I find it usually leaves Linux in the dust too, but I haven't tried SMP.

Re:What an Interview! Wireless firmware storm brew

[setagllib]

Yeah. Unfortunately a lot of vendors are replacing wonderful Prism* chips with Ti chips that are less reliable (two such chips in the house, both flake out once every few hours, if indeed they work at all), almost completely unsupported in nixes, and just generally aren't as cool. Ti should stick to making calculators, or at the very least document the PC hardware they do taint the world with, so we nixers can make use of them.

script?

[CaptainPinko]

Never having really gone beyond the surface with any *BSD so forgive me if I sound trollish while being only naive... but: if it's that simple why not just write a script for it? I mean I agree that should be somehow built-in but it doesn't seem that troublesome. Looks like it could be scripted nicely with Perl which OpenBSD comes with by default IIRC.

Re:script?

[Shanep]

if it's that simple why not just write a script for it?

I think his point is that re-compiling from source, takes longer than just patching or even replacing a binary.

"Linux" IS secure by default

[xbsd]

Why would anyone select an OS (expecially for network infrastructure) that is not secure by default?

Linux can be secure by default! Keep in mind that there many Linux distros and you can't put'em in a single bag and benchmark'em with a single flavor of BSD. What about Trustix, Adamantis or EnGarde? There are "hardened" versions of Debian and Gentoo, etc.

Oracle is not cooperating with Debian or Red Hat, is cooperating with whoever makes up a linux distro (and that includes companies like IBM or Sun). There's way more freedom and more room for innovation in the Linux camp than working under the orders of Theo or the $18,000/year software programmer in the core team of the average BSD distro.

Re:"Linux" IS secure by default

[tedu]

There's way more freedom and more room for innovation in the Linux camp than working under the orders of Theo or the $18,000/year software programmer in the core team of the average BSD distro.

that statement demonstrates a complete lack of understanding about how openbsd, or any bsd, are developed, or even who is developing them.

Re:"Linux" IS secure by default

[xbsd]

that statement demonstrates a complete lack of understanding about how openbsd, or any bsd, are developed, or even who is developing them.

Well, am I missing something? Let's find out where the hype is. At this moment, behemoths like IBM, Sun and Novell are actively developing Linux systems. Not only contributing with millions of dollars in cash and code but actually creating Linux solutions. Others like NEC, Intel, HP and Oracle are also deeply involved. Even countries like Brasil and China are developing Linux systems intensively because Linux systems, not BSDs, are now part of a their national security agenda.

Now, let's take a look at the BSDs. Let's put'em ALL TOGETHER. If I combine the core teams, even the security teams of all the flavors COMBINED, we'll have a hard time finding programmers with stable jobs, let alone an advanced degree in the area or an industrial lab support. I know I sound quite rude, but I am trying to illustrate my point. Just check out the bios.

I am aware that Yahoo and at some extent Apple are helping out a bit. Nothing significant, as you don't even get to see what Yahoo is using and, just to make it worse, Apple took some FreeBSD and NetBSD bits (because they were more mature at that time and their license actually allowed it), combined them together, and released the result under the APSL as a "thank you" note, putting it totally out of their reach. Compare that to Novell or Red Hat, where you actually get to use the same distro that companies like Merrill Lynch (the top financial manager in the US) are using.

Re:"Linux" IS secure by default

[stab]

If I combine the core teams, even the security teams of all the flavors COMBINED, we'll have a hard time finding programmers with stable jobs, let alone an advanced degree in the area or an industrial lab support.

Are you serious? Here's a hint ... BSD has "Berkelely" in the name, and the university heritage lives on.

Re:"Linux" IS secure by default

If I combine the core teams, even the security teams of all the flavors COMBINED, we'll have a hard time finding programmers with stable jobs, let alone an advanced degree in the area or an industrial lab support. I know I sound quite rude, but I am trying to illustrate my point. Just check out the bios.

I'm going to be brutally honest with you, and I hope that this advice helps you in the future: people who have sex with animals shouldn't point out other's foibles. That's not to say that you put peanutbutter on your dick and have the dog lick it off; it's just something that I think you should consider before posting. Because while people who have sex with animals (and I'm not saying that you do) aren't necessarily "bad" people, they tend to have warped perceptions, perhaps without even being aware of it. So, while I'm not saying that you like taking it up the ass from your cockerspaniel "Checkers," while jerking your meat to "she-male" anthropomorphic penguin pictures, I AM saying that you should consider these things, and your current state of affairs before posting, as you may (or may not) be unaware of your warped views.

In closing, I know that this may seem harsh, or rude, or even arousing to you right now, but I'm just trying to illustrate my point.

Re:"Linux" IS secure by default

Now, let's take a look at the BSDs. Let's put'em ALL TOGETHER. If I combine the core teams, even the security teams of all the flavors COMBINED, we'll have a hard time finding programmers with stable jobs, let alone an advanced degree in the area or an industrial lab support.

That's so true.

They read two books and they think they are software engineers. Then they become "consultants". Their portfolio appears next to the picture of the cats.

Don't forget to give them a PAYPAL tip at their website.

Re:"Linux" IS secure by default

This Spade-speak should have been moderated.
It's not funny, and only informs us that its author wants to project degrading fantasies onto the adult world. Please, step away from the keyboard,
finish your Lex Luthor costume and go menace your
neighbors for candy.

Re:"Linux" IS secure by default

[xbsd]

I guess only in Slashdot this kind of stuff can be considered "funny".

Still missing something...

[JamesTRexx]

Just checked the manual pages again, but I'm still missing the ifconfig functionality of changing the macaddress of a nic. I need this for the connection to my cablemodem, otherwise no dhcp address for me.
I know about the sea.c patch for it, but I don't want to compile it for every upgrade. This is the only reason why I'm using FreeBSD for my firewall.

There is always a storm brewin in Calgary

From what I remember:
o Initial boot from NetBSD
o IPFilter gets the boot
o Sun won't give Ultra III docs
o DARPA pulls funding right before a Hackathon
o Wireless vendors slowly get a clue about blobs

Gee, did I miss any? Funny thing, the code they produce rocks. I have a dns server that has been up for 1369 days, that is 3.7 years! OpenBSD, Bind, rock solid. Of course I should upgrade it, but it never crashes. The Windows DNS guys reboot every 6 days or so.

If having a controversy brings them focus, at least I love the stuff they write.