OpenBSD 3.9 Released

An anonymous reader writes "OpenBSD 3.9 was released this morning and is now available for download from the OpenBSD mirror sites. Among the new features is integrated framework for monitoring hardware sensors, a BSD licensed driver for nvidia nforce ethernet, and loads of new drivers and bug fixes. Of course you can still purchase the CD-ROM set which includes support for five platforms: i386, amd64, macppc, sparc, sparc64, and also includes the complete blob free source tree and prebuilt packages for many architectures. As always your contributions help to continue the devlopment of this great opeating system."

A new twist on the old Soviet Russia joke

[Ohreally_factor]

BSD confirms it. Netcraft is dead.

Re:A new twist on the old Soviet Russia joke

[CRCulver]

We have all come to know and love the "BSD is dying" jokes, but I'm noticing so much publishing going on in the BSD world, with O'Reilly offering a BSD security guide and Addison-Wesley releasing a guide to BSD's design. Clearly enough people are using it and continuing to get the most out of it if it is still profitable for tech publishers to offer documentation. If BSD were really sinking, we'd start noticing more BSD-to-Linux migration guides.

Re:A new twist on the old Soviet Russia joke

In the on-topic case of OpenBSD, it is going to stay in semi-widespread usage for the visible future, because it has carved out a niche that does not at this have time have matching-reputation security competitors. Plus the appeal stemming its developers devotion to detail (read quality) and the BSD-esque free-software ideals have been slowly swelling its user base -- particularly among uber-geeks (mostly broke uber-geeks it would seem)..

Theo's idolizing of Wowbagger may have held it back a bit, but you can't say the man doesn't have vision ...

Re:A new twist on the old Soviet Russia joke

[Brandybuck]

Is there even *one* BSD-to-Linux migration guide?

Re:A new twist on the old Soviet Russia joke

Developers confirm that. FreeBSD is full of binary blobs.

Contributions will help all opeating systems.

[Whiney+Mac+Fanboy]

As always your contributions help to continue the devlopment of this great opeating system."

That sentence about should read:

As always your contributions help to continue the devlopment of all opeating systems.

Apple's security relies on openSSH, Microsoft service's for Unix are openBSD tools, there's traces of it all over linux. In short openBSD has made everyone's lives better - you should contribute to openBSD if you're a computer user of any sort!

Thanks Theo - for releasing your work under a BSD license, you've allowed us all to benefit from it.

Re:Contributions will help all opeating systems.

I believe the sentencs should read,

As always, your contributions help to continue the development of all operating systems.

If you are going to fix it, you might as well fix the spelling. Good point though.

Re:Contributions will help all opeating systems.

Too true! As a port maintainer, I have have found several bugs as result of OpenBSD's rigorous memory handling. I subsequently patched those bugs and upstreamed those patches. So users of the same software on other OS's benefit from the good work going on in OpenBSD land.

Re:Contributions will help all opeating systems.

[omeg]

And don't forget the comma after "always".

Re:Contributions will help all opeating systems.

[trewornan]

As a port maintainer I wonder if you know whether OpenOffice has been added to the ports. I've managed to get it working (after a fashion) on previous releases but it's never been stable.

Dodos rejoice

[Rosco+P.+Coltrane]

which includes support for five platforms: i386, amd64, macppc, sparc, sparc64

at least you'll be able to do something with your old mac when Apple is done switching and pulls the plug on ppc support for good...

Re:Dodos rejoice

[FrostedWheat]

which includes support for five platforms: i386, amd64, macppc, sparc, sparc64

So, is this going to make OpenBSD a new target for viruses? Someone better tell Theo!

Re:Dodos rejoice

[nra1871]

at least you'll be able to do something with your old mac when Apple is done switching and pulls the plug on ppc support for good...

Why would your computer just stop working once it is no longer supported?

Re:Dodos rejoice

They said that OpenBSD 4.0 will support Intel based Macs too...

Re:Dodos rejoice

[Fulkkari]

That is hardly going to happen any time soon. There is really no reason for them to stop supporting PPC, as there will be many PPC users still after 5 years. That being said, there will be a time when your PPC won't run the newest OS X anymore. Still, I am sure that the most recent version available will still be ahead of OpenBSD, when it comes to desktop use. If you are talking about servers, then you might have a point...

Re:Dodos rejoice

[RLiegh]

It's too late. I've been told they've already had one remote hole in the default install; more are bound to pour in any day now!

Rock Solid Already

Actually the CDs have been shipped for those that preordered, I got mine a couple fo weeks ago. The best thing, it just installs like a dream. I tried setting it up inside a VMware Workstation, took all of about 5 minutes from the CD.

I also made my first donation to OpenBSD for a long time, to keep it going, since I use OpenSSH every day, infact my job depends on it.

Re:Rock Solid Already

[little+baby+Blobby]

I tried setting it up inside a VMware Workstation, took all of about 5 minutes from the CD.

Thanks for the informative post. I was wanting to put this version to the test, but didn't have a spare machine to use right now. With the free VMWare player, you always have a spare machine for testing purposes.

Re:Rock Solid Already

[pimpimpim]

I've always had the easiest installs with openbsd, on a rather exotic motherboard with via C3 processor, I got my sound, video, IBM rapid access keyboard with all extra keys, etc working directly from install. I never had this with any linux version I tried. For the things I want to do: edit files, run a (web)server, listen to music, watch videos, OpenBSD gives me more than enough.

So to me, OpenBSD is just a Good Thing (R) from a practical point of view. I don't bother to have the latest version of everything, but I'm happy when things "just work" ;) and you can trust that they are solid and safe.

Have my CDs already

[grub]

Installed on an AMD64X2-3800. zoom Had to compile -current for something but I'm in the minority.

Order the CDs and make a donation today, you cheap bastards!

It's number one on our underfunded TO DO list...

[jpellino]

"help to continue the devlopment of this great opeating system."

1. Spel checkr.
2. Full LRF support.
3. There is no third thing.
4. Universal Binary.

Bout' Time!

[kabars_edge]

.....what do we have to wait on now.

Re:Bout' Time!

I am awaiting OpenBSD-4.0, as Theo as been dropping small hints that 4.0 is going to be THE best release ever, --check mailing-list archives--

Re:Bout' Time!

[Jester6641]

vista? sorry. had to. going back to work now.

Torrents!

[Gandalf360]

Before the weight of the collective slashdot effect kills the main BSD servers, check out the bit torrents that are located here: http://openbsd.somedomain.net/

Re:Torrents!

[rbrito]

First of all, I am not a user of *BSD, although I do appreciate their goals. I am a Debian user and have been one for quite some time now.

One fact to appreciate about Debian is that it is loosing its ties to the Linux kernel and becoming more and more general, now including even BSD efforts (like the kfreebsd5 port).

So, even though I am a Debian user, I have this secret appreciation for all the work that the BSD people have done and continue to do and I am downloading the OpenBSD release from the torrent site listed in the parent post (that is http://openbsd.somedomain.net/).

We all know that these smaller projects don't have big companies supporting them financially and one thing that other people could do to help visibility (and, in the long term, more users, and, perhaps, even commercial support) is to promote OpenBSD.

This starts with being kind on their servers and helping with the serving of the release for others, keeping your torrent clients open and serving others. Please, do help others "free" their machines with Free Software.

I'm doing my small share helping others to "get their foot wet" with the support for the torrent.

Regards, Rogério Brito.

architectures?

[Gothmolly]

sparc, as well as sparc64? I know it's über to have an old Sparcstation IPX running Sendmail under your desk, but seriously, isn't it time to let sparc die? If its ANY work at all to maintain outside of the sparc64 tree, let it go. Also, I for one, welcome our ppc overlords, as my G3 running YDL (at the moment) is an excellent combination. PPC is not nearly as dead as Sparc, or as *BSD, for that matter. (joke, not a troll!)

Re:architectures?

[The+Tyrant]

OpenBSD has excelent Sparc support, and I for one am very happy about it, Sparcs make excelent firewalls and servers for small environments, mine currently has a quad fast ethernet card in the back thus meaning I dont need an extra hub in the server cupboard (just the four rooms it connects to) and combined with OpenBSD's excelent packet filter and rock solid security (which is even stronger on sparc since it can take advantage of quirks of the archetecture to defend against some attacks better) it makes an ideal server for me, runs nicely and doesn't even push the sparc that hard.

Joke or otherwise, Sparcs are awesome machines (for some roles), and OpenBSD is an awesome system.

Re:architectures?

[grub]

Keeping loads of various architectures 'live' helps the developers spot odd bugs in the common that may compile Just Fine on x86 but cause glitches on esoteric platforms. Thus weird bugs get cleaned up.

Re:architectures?

[grub]

I should Preview ;)
s/common/common code/g

Re:architectures?

[TheRaven64]

Take a look at the OpenBSD rack in Theo's basement, and you will see how popular SPARC32 kit is with the devs - I counted 5 machines in total.

Re:architectures?

rock solid security (which is even stronger on sparc since it can take advantage of quirks of the archetecture to defend against some attacks better)

With sparc64 you can use the sparc quirks and also the security mechanisms intentionally built into the sparc64's, which the sparc's lack.

sparc64 seems to be the best platform of all to employ the highest security with OpenBSD.

What a shame Sun are such a bunch of a-holes with their pseudo "open source friendly" stance. They open up the specs and design to their CPU's, but they have REFUSED FOR YEARS to provide programming info for the chipsets in their UltraSPARC III's and beyond. And even today with their new "open source friendliness", they STILL REFUSE to provide programming info for those chipsets.

Seriously, how much are OpenBSD *really* going to hurt Sun by allowing me and a few thousand people around the World from running OpenBSD on a cheap Sun Blade 1000 from eBay? It's a sad state of affairs really. Sun take OpenSSH, modify it into their SunSSH and then HARM OPENSSH DEVELOPMENT by forcing the OpenSSH devs to have to compile on some 450MHz 4MB L2 UltraSPARC II at best.

The divide between the fastest sparc64 a BSD can run and a top Opteron system is absolutely huge now. And now that Sun are shipping Opterons in the workstation class, surely they could open the chipset info now? C'mon Sun!

Re:architectures?

[sunwukong]

What about Niagara?

Unfortunately, last I heard, Sun was being their usual selves and hiding key architectural details (e.g., chipset stuff) that are holding up the porting effort.

That was about a month or so ago -- hopefully Sun have decided to open up by now ...

Re:architectures?

[Spit]

I'm glad they support Sparc, as Solaris is no longer supported and Linux has some serious problems on Sparc systems. The old Sparc hardware is very reliable and neat and OpenBSD makes a nice replacement for Solaris.

Re:architectures?

[Billly+Gates]

Wasn't Theo the maintainer of the sparc port of NetBSD before he forked it to start OpenBSD? I wonder if he likes it because he is the most familiar with it?

Re:nvidia nforce ethernet

[Saven+Marek]

> If the theological debates could be set aside

THEOlogical debates. in an open bsd story. hahahahaha. geddit?

oh ok. sorry.

Re:Opiating system

[ickoonite]

I suggest a spellchecker, it bears worth repeating.

I suggest a decent command of English. "It bears worth repeating." What is that?

iqu :|

Re:Opiating system

[DenmaFat]

humor?

Re:Not to disagree with you...

[Whiney+Mac+Fanboy]

Not to disagree ith you but I'm a longtime Ubuntu user (since Jan 2005) and I'd like to ask: what, among the things you've listed, couldn't have been done without Linux?

Go to the Ubuntu packages pages & search for openbsd Two pages of results! And that's barely scrathing the surface.

Furthermore, as someone else in this thread mentions, openBSD audits their code more thoroughly prior to inclusion in their system. Many packages used in Ubuntu (apache, x.org, etc etc etc) have bug fixes contributed back from the openBSD port.

You're thinking I'm saying that openBSD can do something linux can't - I'm not really, its more like openBSD is the cranky old uncle of the free-unix family, telling all the youngsters to lock their doors & not walk around at night :-)

Here is what's new

[h_benderson]

See http://www.onlamp.com/pub/a/bsd/2006/04/27/openbsd -3_9.html for an interview discussing what is new in OpenBSD 3.9.

The abstract:

Federico Biancuzzi interviewed OpenBSD's team of Blob-Busters and discussed new features of OpenBSD 3.9 along with freedom (and quality!) threats.

Re:nvidia nforce ethernet

[smittyoneeach]

Yeah, I thought about that pun when I was writing the original post, but if I made dumb jokes instead of a point, people would think I was merely trying to stall, man. Bdump-bump (tch).

Re:Not to disagree with you...

Hey nubi. 1 1/2 years is a _short_ time. GCC and X-Windows have been around much longer than Linux, so go read up on your UNIX history.

Re:Not to disagree with you...

"longtime...(since Jan 2005)"

LOL! This statement is just sooo linux. So you use Ubuntu, like the hordes who jumped on Gentoo when it was cool (and on Red Hat and Mandrake long before that.) The overwhelming majority of users who yell 'Linux!' at everybody are switching distros everytime a new one comes out. That's why so much effort goes in to semi-locking-in users by the package management system, a la YAST2. Keep your Ubuntu CD for another year AC, I'll bet even money you have a different distro on your machine.

Of course, this is not to disparage the Ubuntu project; it's one of the more noble to come along in a while. But so is Slackware, because for more than ten years it's been dedicated to making a distro that just gets the damn work done. That's noble too, by the way.

power management features

Check out the new apmd, it does automatic throttling of cpu power based on system load and laptop battery. Cool stuff!
Unfortunately, my laptop is ACPI-only (no APM in the BIOS) and it doesn't look like they finished the ACPI code yet. But at least obsd now supports the AMD K8 PowerNow feature, so at least I can limp along for the time being.

Re:power management features

Nikolay Sturm and Bob Beck talked about apmd and how it chooses how much and how often change the CPU frequency...

Re:Not to disagree with you...

[TheRaven64]

This article, covering the release of 3.9 includes some discussion of the ways in which users of other operating systems benefit from the continued health of the OpenBSD project, including the views of one of the OpenBSD devs.

Binary Updates Yet?

I ran an OpenBSD box for a while and I really loved it, EXCEPT for the fact that all the bug fixes were source only. Downloading, patching, and recompiling was a pain (as opposed to say... yum update or apt-get update), and it crimped my diskspace to maintain a source tree (it was an old box with a 10gb drive) so the box became another linux machine (CentOS).

I'd go back to OpenBSD in a second, if they have binary updates available. I really liked the fact that OpenBSD was minimal (not a lot of cruft and bloat), secure, and correct, but the source patching was just too much for me to keep up with.

Re:Binary Updates Yet?

Use the "upgrade" option and install a snapshot that contains the fixes you want. I keep about all my machines current this way.

Re:Binary Updates Yet?

Frankly, this is crap. 10GB drive and you can't maintain a source tree???

I have one machine running OpenBSD with a 3.2GB drive and one with a 4GB drive and both maintain a source tree on them and I do my updates from source. It's not that hard, nor does it take up huge amounts of space. /usr/src on an OpenBSD box currently takes around 600M, I usually allocate 1GB to /usr/src. /usr/obj, which is needed to build from source, I usually allocate between 300M and 700M depending on how much space the box has and what architecture I'm running. I did however recently discover that sparc64 needs 1GB of space in /usr/obj in order to build successfully.

Anyway, so worst case on i386 /usr/src and /usr/obj cost me around 1.5GB. Big deal. And on a 10GB drive, I'd have more space than I knew what to do with. In fact, when I install OpenBSD on anything with more than 8GB of space, I start having a hard time using all the space on the drive. YMMV of course, but 1.5GB dedicated to a source tree is a small price to pay as far as I'm concerned.

Re:Binary Updates Yet?

I am the original poster. My partition scheme didn't give me that much space on /usr because I had put more (perhaps too much) into /usr/local (so I could compile and install apps), /var (for logs, mail spool, and htdocs), and /home (for user space). Thinking back on it, I probably should have put more into /usr, if that is what OpenBSD is going to require. But my point is still valid, the source patching is a bit of a pain.

I don't know why they don't offer binary updates, unless it is to conserve bandwidth. I just reviewed their faq about patching, and they don't explain why.

Re:Binary Updates Yet?

[synthespian]

There's TEPATCHE for binary updates.http://www.gwolf.org/soft/tepatche/
I don't see Theo and all supporting binary updates. And this, I think, because of the security goal. But I may be wrong. For instance, remember when Debian's servers were cracked (about 1 1/2 year ago, AFAIK)? What if you installed a binary with malicious code?

But in fact, why don't they officially support binary updates? What's the "official" answer on this issue?

At least, that seems like a reasonable motivation. OTOH, system administrators probably will automate their own process of applying patches. There's the XML for vulnerabilities for non-base software (http://www.vuxml.org/openbsd/index.html, also.

Re:Binary Updates Yet?

[synthespian]

Ooops, sorry. Tepatche is not about binary updates.

Re:Binary Updates Yet?

[Just+Some+Guy]

What if you installed a binary with malicious code?

Given that none of the install packages on the main or mirror sites are signed, there's no more exposure from downloading a (possibly hacked) binary patch than from downloading a (possible hacked) installer. And if they adopted the practice of signing the installer, then they could also sign the patches.

I don't buy the idea that it's harder to securely distribute patches than it is the base system. Furthermore, I don't recall ever hearing any of the OpenBSD guys make that claim.

Re:nvidia nforce ethernet

Wow, I thought having open drivers was one of the main thrusts of OpenBSD.
Thanks, moderators!

Unofficial install ISO-s

[ens0niq]

From OSNews:

"Some unofficial (and of course unsupported by OpenBSD team) install ISOs:

http://hup.hu/node/24625"

Re:Unofficial install ISO-s

"Some unofficial (and of course unsupported by OpenBSD team) install ISOs:

I have always been totally perplexed by people who download and use OpenBSD ISO's (besides the official OpenBSD installer-only ISO's). It completely goes against what OpenBSD is about and defeats the whole reason for using OpenBSD.

You use OpenBSD because you are concerned about security and then go and run some random binary provided by some random people on the net who you know little about? People who don't have the long-term reputation which Theo and the OpenBSD team have?

I hope you really can trust md5 and you better check the sums of each of the files on those CD's. I'd rather buy an official CD as the best option or otherwise download the appropriate files from an OpenBSD ftp server, check those sums and burn your own bootable OpenBSD CD, as a WORST CASE!

Re:Not to disagree with you...

[...]its more like openBSD is the cranky old uncle of the free-unix family, telling all the youngsters to lock their doors & not walk around at night

Cranky yes, but OpenBSD is the new kid on the block as far as Linux/*BSD.

Multilib/multiarch development on OpenBSD

[GebsBeard]

Anybody know if OpenBSD 3.9 supports 32 and 64 bit development on the x64/AMD64 platform? I installed OpenBSD 3.8 and it only seemed to support 32 bit development on the i386 distro and 64 bit development on the x64 distro... but not both on the x64 distro. Any ideas?

Re:Multilib/multiarch development on OpenBSD

All 64 bit platforms are native 64 bit.

Re:Multilib/multiarch development on OpenBSD

[Geekboy(Wizard)]

if you write sane code, it will work on everything. distribute source code and you don't have to worry about it.

on the other hand, the lack of support for 32-bit binaries on the amd64, is intentional. it ain't gonna happen. it requires a massive amount of technical work, for a tiny benefit. if you can call running binary-only blob a benefit (hint: its not).

Re:Multilib/multiarch development on OpenBSD

[GebsBeard]

Anybody else got an opinion? Geekboy says its impossible. Meanwhile I have Ubuntu, FC5, SuSE and FreeBSD (all AMD64) up and running in my network in 32/64 bit multiarch form. I actually like testing my code before releasing it (in whatever form). If anyone knows how to do it in OpenBSD please let me know. Thanks.

Re:Multilib/multiarch development on OpenBSD

[Geekboy(Wizard)]

I'm not saying its impossible. I'm saying the code isn't written, and WON'T be accepted. There's a difference.

Re:Multilib/multiarch development on OpenBSD

[GebsBeard]

That's too bad. It dooms anyone who wants to support and test on both 32- and 64- bit to multiboot which is a half-baked solution and total PITA.

Re:Multilib/multiarch development on OpenBSD

[Nimrangul]

Better a pain in the ass for idiots who can't just code portably than the people who matter.

Re:Multilib/multiarch development on OpenBSD

[GebsBeard]

My code runs on 10 OSes, identically on all of them. The reason is because it is tested. There are numerous small differences between the various Unices that make careful testing a must. Anyone who has done any sort of portable coding will tell you the same thing. You need to quit talking out of your ass.

Re:Opiating system

[Alterion]

... well if you are going to be like that what's an opiating system?.. does it get you high while you read your e-mail or something?

Re:nvidia nforce ethernet

Jonathan Gray said some interesting things about their contacts with nVIDIA...

Mod parent up!!

I need an answer for this question too.. :)

Re:nvidia nforce ethernet

A more detailed version is in the kerneltrap interview.

Only OpenBSD supported my wireless card

[dildo]

After two weeks of attempting to get the various crappy beta-quality drivers to work on linux, I switched to OpenBSD to find that it supported my wireless card perfectly. (I have a PPC machine, so ndiswrapper was not an option.)

Installing was also easy. If you have a little patience and are not afraid of a text-only install, starting OpenBSD was very easy.

I like this operating system. The man files are comprehensive and well written, and even a person with limited technical experience (me) was able to get everything working fairly quickly.

Re:Only OpenBSD supported my wireless card

[ickoonite]

Hear hear.

I've had numerous similar experiences with it over the years, and its elegant simplicity is always what wins me over in the end. Linux casts a wide net, and tries to be all things to all people, with the consequence that with things like driver support, it so frequently ends up being an ugly hack. Whereas with OpenBSD, if the hardware is supported, it works beautifully - wireless is a particularly good example of this.

I know that elsewhere on these pages I have likened OpenBSD (as a UNIX) to Mac OS X (as a desktop operating system) - both have an air of refinement and polish (even in text mode) that other OSes just lack. OpenBSD's install is a particularly good case in point - it is not particularly user-friendly in the conventional sense, but used in conjunction with the - as you say - excellent documentation, it makes light work of the task.

Long may it continue.

iqu :)

Re:Only OpenBSD supported my wireless card

[tokul]

> The man files are comprehensive and well written

I guess we are reading different manual files. I do have trouble understanding
'man 3 setlocale' and info about blowfish crypt format. Blowfish crypt differs
and setlocale does not work as documented.

Re:Only OpenBSD supported my wireless card

[peacefinder]

See this article:

In OpenBSD, the UNIX manual pages are considered authoritative. If a program or function call does not behave exactly as the manual describes, this is considered a bug. This is reflected in the development process, which does not allow any code that result in a user-visible change to be committed to the tree without an accompanying update to the documentation.

So if something in the base install does not work as documented, report it. Bug reporting instructions are here.

Re:Only OpenBSD supported my wireless card

[evilviper]

IMHO, the best idea OpenBSD brings to the table is that drivers for ALL supported hardware are included, and will be automatically enabled on boot-up. That means you can take a hard drive with OpenBSD on it, from one system to another, and not need to do any reconfiguration at all. It will automatically use the highest ATA mode possible, probing the new USB2 card for devices, etc.

The exceptions being X11 (if you're using it), and your IP addresses (if you aren't using DHCP, PPP, PPPoE, etc).

Swap soundcards, and the new one will be working on boot-up, just like nothing ever happened. It doesn't need crazy and buggy hacks like many Linux distros use. It's all in the kernel. FreeBSD is close, but it still requires you to manually choose your soundcard.

Installing was also easy. If you have a little patience and are not afraid of a text-only install, starting OpenBSD was very easy.

It's easy, so long as you don't want to dual-boot. Then it gets complicated.

Re:Only OpenBSD supported my wireless card

[fialar]

I wish it supported my D-Link DWL-G650. For some reason it's stuck in 802.11b mode and won't use 802.11g! Damned Atheros!

Re:Only OpenBSD supported my wireless card

[Slashcrap]

Swap soundcards, and the new one will be working on boot-up, just like nothing ever happened. It doesn't need crazy and buggy hacks like many Linux distros use.

Oh man, that's awesome! I've always wanted an OS that loaded drivers for every single peripheral ever made just in case I ever plugged one of them in.

It must be great for security as well - imagine if someone found a really nasty security hole in an obscure and seldom used driver. On Linux that wouldn't get fixed because nobody would have it loaded and so nobody would be vulnerable. But on OpenBSD it would get fixed a lot more quicky because everyone would potentially be vulnerable. You can't get much more pro-active than that.

And thank God they have avoided crazy and buggy hacks like loadable modules and only loading drivers you actually need.

I'm switching to BSD immediately because I am always moving my HDD from one machine to another and having my soundcard work automatically when I do that is a major plus.

Re:Only OpenBSD supported my wireless card

[evilviper]

I've always wanted an OS that loaded drivers for every single peripheral ever made just in case I ever plugged one of them in.

Although they are part of the kernel, they really aren't loaded, in the Linux sense of the term.

That's one of the main reasons why compiling your own kernel in Linux is a day-to-day thing, while it's almost never done in the BSD world, despite it being quicker, simpler, etc.

But on OpenBSD it would get fixed a lot more quicky because everyone would potentially be vulnerable.

No, that's just crap, and you have no idea what you're talking about.

And thank God they have avoided crazy and buggy hacks like loadable modules and only loading drivers you actually need.

Although you're trying to flame, you're absolutely right. Loadable modules are a massive security hole, as well as being buggy, a huge hassle, etc.

I'm switching to BSD immediately because I am always moving my HDD from one machine to another and having my soundcard work automatically when I do that is a major plus.

Removable hard drives are wonderful. IDE, Firewire, USB2, etc. I move harddrives around constantly, and having to manually reconfigure everything is a really massive hassle, and seriously buggy with the unstable and bloated Linux tools that try to fake the real PnP support the BSDs have had from the beginning.

But hey, I don't expect you to understand. I know brain-cells don't grow on trees, and some have far more than others...

Very cool feature (new)

[Atlantic+Wall]

3.9 adds Zaurus remote control (zrc) support.
info: http://www.openbsd.org/cgi-bin/man.cgi?query=zrc&s ektion=4&arch=zaurus

Re:do it via a snapshot

The short answer: run a snapshot after patches are announced. If your system is not that important, and you are just testing it, upgrading to the latest snapshot gets you the latest patched version of the OS. I have done this over and over, so for me, it is blazing fast. If you don't want to learn how to update to the latest snapshot (and it doesn't take any more room than what your install took), maybe you won't be happy with OpenBSD.

Of course, now I don't worry about announced vulnerabilities, because I have to spend so much time running IE to do the MS upsdates on all of the Windows boxes. I fear a MS vulnerability much more than an OBSD vulnerability.

OpenBSD

[papason]

Seems it's time for dumping # Sendmail 8.13.4, with libmilter
and Bind 9.3.1 (+ patches) for qmail and djbdns :-)

-Dee

Re:OpenBSD

[udippel]

RTFM, and tell DJB to offer a non-braindead licence.
And then you might see what you want.
Or, even better, ask DJB why he doesn't put his code to Free && Open.

Re:OpenBSD

[Geekboy(Wizard)]

1) qmail and djbdns don't have licenses, they have rants
2) the license rants are not free for openbsd to use
3) there is nothing wrong with sendmail and bind
4) nothing prevents you from downloading and installing qmail and djbdns

Re:VMWare screen resolution

And How do you change the screen resolution in VMWare Workstation to anything else? After I insalled 3.9 Shift+Ctl+Plus didn't change anything or cycle through the different resolutions.

OpenBSD and OpenOffice...

[arthas]

I think you have to run Ooo in Linux emulation mode (add kern.emul.linux=1 to /etc/sysctl.conf and pkg_add relevant packages (see OpenBSD FAQ)). This is absolutely the best (and only) way to run Ooo in OBSD for now...

One problem is that Ooo contains lots of bugs, especially those related to memory handling. These bugs cause problems with e.g. OpenBSD's new malloc(3) call. Some porting and bugfixing work has actually been done by some OpenBSD developers but as far as I know that particular port is nowhere near production quality. Apparently more developers/coders/testing guinea pigs (with proper bug reporting skills) are needed. Some information about the OpenBSD port of Ooo is available in this presentation.

off topic

[LurkerXXX]

Why are you wasting time in IE doing MS updates? That's what WSUS is for.

Most of my OpenBSD boxes are IP-less firewalls, so usually I don't really worry about patching them until the next release comes out.

Source updates on a minimal system?

[Just+Some+Guy]

Frankly, this is crap. 10GB drive and you can't maintain a source tree???

I could maintain a lot of stuff in 10GB, but given the sensitive nature of most OpenBSD installations (such as firewalls, etc.), GCC is not among the things I want to have around.

According to the FAQ, three file sets are required for installation:

• bsd
• baseXX.tgz
• etcXX.tgz

Although that gets you a complete running system, it doesn't leave you with one that can self-host source updates. Given that I run exactly one OpenBSD machine at the office, I don't want to have a separate build server sitting around just to keep it updated. So, even though I have the hardware to support the process, and the technical skills to do so, it's still a major pain in the neck.

Oh, and to those saying I should just install snapshots, the FAQ says:

Between formal releases of OpenBSD, snapshots are made available through the FTP sites. As the name implies, these are builds of whatever code is in the tree at the instant the builder grabbed a copy of the code for that particular platform. Remember, on some platforms, it may be DAYS before the snapshot build is completed and put out for distribution. There is no promise that the snapshots are completely functional, or even install.

Elsewhere on the site are other discouraging words:

• /pub/OpenBSD/snapshots/
  For our major architectures, we tend to build mini releases of unknown stability and quality about every month or so. This is where we place those test releases.

Ain't no way I'm going to tell my boss that my security update process involves "mini releases of unknown stability and quality". That is why I'd like to see "baseXX-r1.tgz" at ftp.openbsd.bsd (and it's mirrors) that holds nothing but the 3 or 4 binaries I'd need to upgrade on a stock system to bring it up to date. I'm not stupid or broke - just very time-challenged. I'd be happy to pay for a subscription to such a service were one available.

Re:Source updates on a minimal system?

[compass46]

Anyone recomending you install a snapshot on a production machine is an idiot.

There is binpatch out there but it requires you to have a build machine and roll the patches yourself. I'm not aware of anyone one rolling updates and making them available publicly. Be a nice contribution for someone with a little time to do it.

Re:Source updates on a minimal system?

[pkplex]

What a load of bollocks?

Ive got a number of systems with just 6gb or less of hdd space, and I have plenty of room to build the tree. You only need around 1500Mb spare on /usr.

And even if you use some sort of ancient hardware with really minimal hdd space, you can still build patches on another machine and install them. Perhaps have a look at http://openbsdbinpatch.sourceforge.net/

Re:Source updates on a minimal system?

[Just+Some+Guy]

Ive got a number of systems with just 6gb or less of hdd space, and I have plenty of room to build the tree. You only need around 1500Mb spare on /usr.

So you missed the entire point of my post, that I don't want GCC on my firewall, and that I don't want to maintain a build machine for the sole purpose of keeping that firewall server up to date? Re-read what I said.

Re:Source updates on a minimal system?

[pkplex]

Yeah I noticed the 'I dont want to maintain a build machine part' after I posted. But why not GCC? What is so wrong with that?

Re:Source updates on a minimal system?

[smithtodda]

Providing a compiler on your firewall greatly lessens the security.

Re:Source updates on a minimal system?

[pkplex]

Care to explain how, exactly?

Re:Source updates on a minimal system?

[smithtodda]

Jacek Artymiak explicitly states (no less than three times) in his book, Building Firewalls with OpenBSD and PF, Second Edition, that you shouldn't install source code and a compiler on your pf box (firewall). To quote him from page 71, "There is just too much possible risk" in doing so. While he doesn't go into the minutiae of the consequences, one can guess that if the pf box were compromised, you are giving the attacker everything he/she needs to own your box. I recommend you read his book and refer to pages 71, 72, and 101 for his statements on this scenario.

Re:Source updates on a minimal system?

[pkplex]

So the openbsd developers dont seem to mind the compilers and src in their OS, but a guy in a book thinks its bad without explaining why?

If a box is compromised, then its comprimsed. That a compiler is not installed on the system is not going to help that, is it?

Re:Source updates on a minimal system?

[evilviper]

I could maintain a lot of stuff in 10GB, but given the sensitive nature of most OpenBSD installations (such as firewalls, etc.), GCC is not among the things I want to have around.

Kill this goddammed myth already...

Removing programs from your hard drive can't POSSIBLY make your machine any more secure. Taking the SUID/SGID bit off can, but that's a bit different, and programs like GCC aren't SUID, anyhow.

It's absolutely ridiculous to assume an intruder NEEDS you to install GCC for him. He can quite easily install OpenBSD on his own hardware and compile the code there, transfering the binary to your box. Or he can install whatever dev tools he wants, once he has root on your box.

Please, point out a single POSSIBLE way that having GCC on your machine COULD make your machine SLIGHLY less secure. JUST ONE!

Re:Source updates on a minimal system?

[Brandybuck]

Putting a compiler on a secured system is like hanging a crowbar next to your door. Nothing is stopping a criminal from bringing his own crowbar, but it's still stupid to hang one outside your door. Don't make things easy for the bad guy.

Re:Source updates on a minimal system?

[Pienjo]

Need I remind you that the pf machine has been compromised already before the availability of a compiler even makes a difference? It's not about not putting a crowbar outside the door, it's about not having one in the garage either.

The original statement doesn't make sense. Removing a compiler from a firewall offers no protection. A compiler in itself cannot be used to escape privilege, and while it can be used to build a tool which can, it's not the only way to upload a program to a to-be-further-compromised host. A shellscript can generate a binary - would you suggest removing /bin/sh too?

Re:Source updates on a minimal system?

[Just+Some+Guy]

It's absolutely ridiculous to assume an intruder NEEDS you to install GCC for him. He can quite easily install OpenBSD on his own hardware and compile the code there, transfering the binary to your box. Or he can install whatever dev tools he wants, once he has root on your box.

I'm first going on the assumption that the attacker only has regular user access. If he has root, then all is lost (well, not completely, but still...). Regular users, though, might find it a bit annoying to not have any includes available when trying to compile 1337_rootkit.c. They'd have to install their own tarball, link against those headers, etc.

Would that stop a determined cracker? No! But it's an extra layer of hassle that you're making them jump through, and if it takes them an extra five minutes to figure out, then maybe that's enough. Again, it's not a solution, but a layer. It's like filtering MAC addresses: you don't use that as your sole line of defense, but it's a nice idea in addition to your other methods.

And philosophically, an ideal system is one that does not one whit more than it was designed to do. You could install X and ircd on a firewall, too, but if those don't help it fulfill its deployment goals then why do it?

Re:Source updates on a minimal system?

[Brandybuck]

It's about inconveniencing the bad guy. Look at it this way, a deadbolt on my door won't stop a determined intruder from entering my home. But it WILL cause the casual burglar to seek easier prey.

I don't see why this is causing you such anguish and pain. What I install or don't install on my system is none of your business.

Re:Source updates on a minimal system?

[evilviper]

Would that stop a determined cracker? No! But it's an extra layer of hassle that you're making them jump through, and if it takes them an extra five minutes to figure out, then maybe that's enough.

If you're talking about some script kiddie, that's exploiting a large number of machines, they've already compiled all the code they need, and just transfer the binaries to the individual machines.

If you're talking about a one-off attack by someone determined to get root on your box, as you said, you're equally screwed.

It's like filtering MAC addresses: you don't use that as your sole line of defense, but it's a nice idea in addition to your other methods.

MAC address filtering can be a significant line of defense, if you're also monitoring the network for anomolies, such as duplicate MACs. Removing GCC doesn't come anywhere close. It would hardly slow anyone down.

And philosophically, an ideal system is one that does not one whit more than it was designed to do. You could install X and ircd on a firewall, too, but if those don't help it fulfill its deployment goals then why do it?

I can understand if there are space considerations (I have OpenBSD 3.8 running on a 32MB Flash card myself), but otherwise, throw any programs on there which might come in handy.

Daemons and X11 do not qualify, as they both require additional privlidges. Although X11 may be acceptable if only used over network connection, and nothing needs to be SUID or have direct, user, hardware access.

Re:Not to disagree with you...

[Vyvyan+Basterd]

Not really. OpenBSD is a straight descendent of 4.4BSD which was way before Linux.

in other related BSD news

The noob and desktop friendly PC-BSD hit 1.0 release recently.

Re:in other related BSD news

NO YOU!!

Rackmount firewall hardware recommendations?

[Just+Some+Guy]

This article (and release) are excellent timing for me. My latest project is building a firewall to replace our SonicWALL with an OpenBSD system. I need to make a hardware recommendation for something that can:

• Support at least four NICs (WAN, LAN, DMZ, wireless), with gig-eth between the LAN and DMZ.
• Terminate three or four OpenVPN tunnels over a 3 Mbit connection.
• Run Snort (not strictly necessary, but would be a nice bonus).
• Ideally fit in 1U of rack.

I'm having a hard time with this. This will be my first rack-mount server, and I really don't know much about what's available in this space. I've seen threads from a couple of years ago about this exact subject, but hardware recommendations from '04 aren't very helpful today.

Cost is a factor to some extent, but extreme reliability isn't a strong requirement (since we can always throw in a big-box temporary replacement on short notice). In other words, we're not looking for something that fell off the truck, but quad-redundant power supplies aren't a selling point for us.

How 'bout it, Slashdotters? Seen any sweet packet-pushing hardware that a small office can afford?

Re:Rackmount firewall hardware recommendations?

And for the wireless-ly paranoid, 3.9 includes freeradius-1.1.1 in their ports tree! I'll probably purchase a wireless Squeezebox soon and it has built-in support for WPA/WPA2. With freeradius in the ports tree now, installation (and probably maintenance) of a WPA/WPA2 server should be a breeze!

I also hope to purchase a notebook soon. I'll be able to wander around inside (and outside) my apartment with a "secure" wireless connection thanks to OpenBSD. It's "secure" because it's better than a WEP or PSK WPA solution, but still not perfect (there's no such thing as "perfect").

I suppose I should make a donation. I use Gentoo on the desktop (both GNU/Linux and OpenBSD? Blasphemy!). I should probably make a donation to them also...

Re:Rackmount firewall hardware recommendations?

[darkuncle]

eRacks and Hawk are two of the commonly-suggested vendors that sell machines with hardware specifically chosen for OpenBSD compat (and will even pre-install, if that's your thing). I'd suggest any 1U generic box built in the last 5 years with 512-1024MB of RAM. Good NICs are going to be more important than CPU (fxp(4) is a good choice; see the misc@openbsd.org archives, since this question comes up regularly). Either of the above vendors (or others; check Google for "openbsd rackmount server") should be able to get you a 1U box with a good quad-port card in it (use the built-in port(s) for the management channel). Get a pair of identical machines and set up carp(4) so they can do failover and you should be set. You can terminate VPNs using isakmpd(8) or you can just use OpenSSH (supports tunneling any arbitrary traffic, including layer 2 stuff, as of v4.3).

Re:Rackmount firewall hardware recommendations?

[darkuncle]

oh, and you may also wish to check out Soekris gear - highly secure (run the OS from a RAM filesystem, set your CF media to read-only), very small, 12W power requirements, the net4801 (for example) ships with 3 fxp(4) interfaces and a miniPCI slot that can take either a wireless card or a hardware crypto accelerator (200Mbps AES-256 at line speed with near zero CPU overhead). Search the archives for Soekris and you'll get quite a few results.

Re:Rackmount firewall hardware recommendations?

[darkuncle]

for a really secure wireless connection, you may want to take a look at authpf(8), and use ssh to tunnel all your traffic (at least between your laptop and the gateway).

BSD licensed nve driver?

[toadlife]

"a BSD licensed driver for nvidia nforce ethernet"

PLEASE, for love of Beastie, port this over to FreeBSD. The existing nve driver in FreeBSD is a POS.

Re:BSD licensed nve driver?

The existing FreeBSD driver is wrapper around a binary blob from nVidea is it not? Not really worth compromising opensource principles for eh?

Re:BSD licensed nve driver?

I don't give a shit about open source principals. I just want a driver that doesn't suck.

Re:BSD licensed nve driver?

[LizardKing]

There's a proper (binary blobless) driver for FreeBSD as well as the wrapper, but it isn't as capable or reliable as the OpenBSD one.

worth donating

if you want to support the project, you should considering donating via a Recurring PayPal Donation (http://www.openbsd.org/donations.html) to help the project in a consistent basis. Donating 10$ a month can't be that much considering what you get from it...

Question for the OpenBSD gurus:

[someonehasmyname]

Can I finally use carp on a transparent bridge?

The carp man page says something about not needing an IP anymore if you specify carpdev, but I haven't found any relevant examples. I'm in the middle of setting up two 3.9 boxes to try making it work.

Re:Question for the OpenBSD gurus:

Hmmm, I'd like to know more about this too!

Re:Question for the OpenBSD gurus:

[smithtodda]

Does the first question on this page (a recent OnLamp OpenBSD interview) touch on your question?

http://www.onlamp.com/pub/a/bsd/2006/04/27/openbsd -3_9.html?page=3

Linux compiler?

[Santana]

How is 'since Jan 2005' a long time :) This must be a joke, but just in case...

There's no such thing as 'the Linux compiler' (hint: GCC is a GNU tool, Linux is a kernel and NOT a GNU project). Neither GNOME nor the X Window System are 'Linux contributions'. GNOME is a GNU project born for giving an alternative to KDE (because Qt was not free at the time) and XFree86 predates Linux.

binpatch

[Santana]

If you can afford another OpenBSD box for building patches you can use binpatch.

Re:Not to disagree with you...

4.4BSD was released in 1993 (lite in 94). Linux was released in 1991.

Of course, 4.4BSD descended from earlier BSDs, which predate Linux. But 4.4 certainly was not "way before Linux."

Re:nvidia nforce ethernet

[azmaveth]

Ever see the address for Theo's personal website?

http://www.theos.com/

Was supposedly contrived from "Theo's dot com", but I'm sure he realized that "Theos" is greek for "God."

hooray for OpenBSD

[Cymeth]

damn I love this little os..

or as:

[KwKSilver]

The OS