OpenBSD 3.9 Released

An anonymous reader writes "OpenBSD 3.9 was released this morning and is now available for download from the OpenBSD mirror sites. Among the new features is integrated framework for monitoring hardware sensors, a BSD licensed driver for nvidia nforce ethernet, and loads of new drivers and bug fixes. Of course you can still purchase the CD-ROM set which includes support for five platforms: i386, amd64, macppc, sparc, sparc64, and also includes the complete blob free source tree and prebuilt packages for many architectures. As always your contributions help to continue the devlopment of this great opeating system."

A new twist on the old Soviet Russia joke

[Ohreally_factor]

BSD confirms it. Netcraft is dead.

Re:A new twist on the old Soviet Russia joke

[CRCulver]

We have all come to know and love the "BSD is dying" jokes, but I'm noticing so much publishing going on in the BSD world, with O'Reilly offering a BSD security guide and Addison-Wesley releasing a guide to BSD's design. Clearly enough people are using it and continuing to get the most out of it if it is still profitable for tech publishers to offer documentation. If BSD were really sinking, we'd start noticing more BSD-to-Linux migration guides.

Contributions will help all opeating systems.

[Whiney+Mac+Fanboy]

As always your contributions help to continue the devlopment of this great opeating system."

That sentence about should read:

As always your contributions help to continue the devlopment of all opeating systems.

Apple's security relies on openSSH, Microsoft service's for Unix are openBSD tools, there's traces of it all over linux. In short openBSD has made everyone's lives better - you should contribute to openBSD if you're a computer user of any sort!

Thanks Theo - for releasing your work under a BSD license, you've allowed us all to benefit from it.

Dodos rejoice

[Rosco+P.+Coltrane]

which includes support for five platforms: i386, amd64, macppc, sparc, sparc64

at least you'll be able to do something with your old mac when Apple is done switching and pulls the plug on ppc support for good...

Rock Solid Already

Actually the CDs have been shipped for those that preordered, I got mine a couple fo weeks ago. The best thing, it just installs like a dream. I tried setting it up inside a VMware Workstation, took all of about 5 minutes from the CD.

I also made my first donation to OpenBSD for a long time, to keep it going, since I use OpenSSH every day, infact my job depends on it.

Re:Rock Solid Already

[pimpimpim]

I've always had the easiest installs with openbsd, on a rather exotic motherboard with via C3 processor, I got my sound, video, IBM rapid access keyboard with all extra keys, etc working directly from install. I never had this with any linux version I tried. For the things I want to do: edit files, run a (web)server, listen to music, watch videos, OpenBSD gives me more than enough.

So to me, OpenBSD is just a Good Thing (R) from a practical point of view. I don't bother to have the latest version of everything, but I'm happy when things "just work" ;) and you can trust that they are solid and safe.

Have my CDs already

[grub]

Installed on an AMD64X2-3800. zoom Had to compile -current for something but I'm in the minority.

Order the CDs and make a donation today, you cheap bastards!

It's number one on our underfunded TO DO list...

[jpellino]

"help to continue the devlopment of this great opeating system."

1. Spel checkr.
2. Full LRF support.
3. There is no third thing.
4. Universal Binary.

Torrents!

[Gandalf360]

Before the weight of the collective slashdot effect kills the main BSD servers, check out the bit torrents that are located here: http://openbsd.somedomain.net/

Re:Torrents!

[rbrito]

First of all, I am not a user of *BSD, although I do appreciate their goals. I am a Debian user and have been one for quite some time now.

One fact to appreciate about Debian is that it is loosing its ties to the Linux kernel and becoming more and more general, now including even BSD efforts (like the kfreebsd5 port).

So, even though I am a Debian user, I have this secret appreciation for all the work that the BSD people have done and continue to do and I am downloading the OpenBSD release from the torrent site listed in the parent post (that is http://openbsd.somedomain.net/).

We all know that these smaller projects don't have big companies supporting them financially and one thing that other people could do to help visibility (and, in the long term, more users, and, perhaps, even commercial support) is to promote OpenBSD.

This starts with being kind on their servers and helping with the serving of the release for others, keeping your torrent clients open and serving others. Please, do help others "free" their machines with Free Software.

I'm doing my small share helping others to "get their foot wet" with the support for the torrent.

Regards, Rogério Brito.

Re:nvidia nforce ethernet

[Saven+Marek]

> If the theological debates could be set aside

THEOlogical debates. in an open bsd story. hahahahaha. geddit?

oh ok. sorry.

Re:architectures?

[The+Tyrant]

OpenBSD has excelent Sparc support, and I for one am very happy about it, Sparcs make excelent firewalls and servers for small environments, mine currently has a quad fast ethernet card in the back thus meaning I dont need an extra hub in the server cupboard (just the four rooms it connects to) and combined with OpenBSD's excelent packet filter and rock solid security (which is even stronger on sparc since it can take advantage of quirks of the archetecture to defend against some attacks better) it makes an ideal server for me, runs nicely and doesn't even push the sparc that hard.

Joke or otherwise, Sparcs are awesome machines (for some roles), and OpenBSD is an awesome system.

Re:Not to disagree with you...

[Whiney+Mac+Fanboy]

Not to disagree ith you but I'm a longtime Ubuntu user (since Jan 2005) and I'd like to ask: what, among the things you've listed, couldn't have been done without Linux?

Go to the Ubuntu packages pages & search for openbsd Two pages of results! And that's barely scrathing the surface.

Furthermore, as someone else in this thread mentions, openBSD audits their code more thoroughly prior to inclusion in their system. Many packages used in Ubuntu (apache, x.org, etc etc etc) have bug fixes contributed back from the openBSD port.

You're thinking I'm saying that openBSD can do something linux can't - I'm not really, its more like openBSD is the cranky old uncle of the free-unix family, telling all the youngsters to lock their doors & not walk around at night :-)

Re:Not to disagree with you...

"longtime...(since Jan 2005)"

LOL! This statement is just sooo linux. So you use Ubuntu, like the hordes who jumped on Gentoo when it was cool (and on Red Hat and Mandrake long before that.) The overwhelming majority of users who yell 'Linux!' at everybody are switching distros everytime a new one comes out. That's why so much effort goes in to semi-locking-in users by the package management system, a la YAST2. Keep your Ubuntu CD for another year AC, I'll bet even money you have a different distro on your machine.

Of course, this is not to disparage the Ubuntu project; it's one of the more noble to come along in a while. But so is Slackware, because for more than ten years it's been dedicated to making a distro that just gets the damn work done. That's noble too, by the way.

Re:Not to disagree with you...

[TheRaven64]

This article, covering the release of 3.9 includes some discussion of the ways in which users of other operating systems benefit from the continued health of the OpenBSD project, including the views of one of the OpenBSD devs.

Re:architectures?

[TheRaven64]

Take a look at the OpenBSD rack in Theo's basement, and you will see how popular SPARC32 kit is with the devs - I counted 5 machines in total.

Only OpenBSD supported my wireless card

[dildo]

After two weeks of attempting to get the various crappy beta-quality drivers to work on linux, I switched to OpenBSD to find that it supported my wireless card perfectly. (I have a PPC machine, so ndiswrapper was not an option.)

Installing was also easy. If you have a little patience and are not afraid of a text-only install, starting OpenBSD was very easy.

I like this operating system. The man files are comprehensive and well written, and even a person with limited technical experience (me) was able to get everything working fairly quickly.

Re:architectures?

rock solid security (which is even stronger on sparc since it can take advantage of quirks of the archetecture to defend against some attacks better)

With sparc64 you can use the sparc quirks and also the security mechanisms intentionally built into the sparc64's, which the sparc's lack.

sparc64 seems to be the best platform of all to employ the highest security with OpenBSD.

What a shame Sun are such a bunch of a-holes with their pseudo "open source friendly" stance. They open up the specs and design to their CPU's, but they have REFUSED FOR YEARS to provide programming info for the chipsets in their UltraSPARC III's and beyond. And even today with their new "open source friendliness", they STILL REFUSE to provide programming info for those chipsets.

Seriously, how much are OpenBSD *really* going to hurt Sun by allowing me and a few thousand people around the World from running OpenBSD on a cheap Sun Blade 1000 from eBay? It's a sad state of affairs really. Sun take OpenSSH, modify it into their SunSSH and then HARM OPENSSH DEVELOPMENT by forcing the OpenSSH devs to have to compile on some 450MHz 4MB L2 UltraSPARC II at best.

The divide between the fastest sparc64 a BSD can run and a top Opteron system is absolutely huge now. And now that Sun are shipping Opterons in the workstation class, surely they could open the chipset info now? C'mon Sun!

Very cool feature (new)

[Atlantic+Wall]

3.9 adds Zaurus remote control (zrc) support.
info: http://www.openbsd.org/cgi-bin/man.cgi?query=zrc&s ektion=4&arch=zaurus

Re:architectures?

[sunwukong]

What about Niagara?

Unfortunately, last I heard, Sun was being their usual selves and hiding key architectural details (e.g., chipset stuff) that are holding up the porting effort.

That was about a month or so ago -- hopefully Sun have decided to open up by now ...

Source updates on a minimal system?

[Just+Some+Guy]

Frankly, this is crap. 10GB drive and you can't maintain a source tree???

I could maintain a lot of stuff in 10GB, but given the sensitive nature of most OpenBSD installations (such as firewalls, etc.), GCC is not among the things I want to have around.

According to the FAQ, three file sets are required for installation:

• bsd
• baseXX.tgz
• etcXX.tgz

Although that gets you a complete running system, it doesn't leave you with one that can self-host source updates. Given that I run exactly one OpenBSD machine at the office, I don't want to have a separate build server sitting around just to keep it updated. So, even though I have the hardware to support the process, and the technical skills to do so, it's still a major pain in the neck.

Oh, and to those saying I should just install snapshots, the FAQ says:

Between formal releases of OpenBSD, snapshots are made available through the FTP sites. As the name implies, these are builds of whatever code is in the tree at the instant the builder grabbed a copy of the code for that particular platform. Remember, on some platforms, it may be DAYS before the snapshot build is completed and put out for distribution. There is no promise that the snapshots are completely functional, or even install.

Elsewhere on the site are other discouraging words:

• /pub/OpenBSD/snapshots/
  For our major architectures, we tend to build mini releases of unknown stability and quality about every month or so. This is where we place those test releases.

Ain't no way I'm going to tell my boss that my security update process involves "mini releases of unknown stability and quality". That is why I'd like to see "baseXX-r1.tgz" at ftp.openbsd.bsd (and it's mirrors) that holds nothing but the 3 or 4 binaries I'd need to upgrade on a stock system to bring it up to date. I'm not stupid or broke - just very time-challenged. I'd be happy to pay for a subscription to such a service were one available.

Re:Source updates on a minimal system?

[smithtodda]

Jacek Artymiak explicitly states (no less than three times) in his book, Building Firewalls with OpenBSD and PF, Second Edition, that you shouldn't install source code and a compiler on your pf box (firewall). To quote him from page 71, "There is just too much possible risk" in doing so. While he doesn't go into the minutiae of the consequences, one can guess that if the pf box were compromised, you are giving the attacker everything he/she needs to own your box. I recommend you read his book and refer to pages 71, 72, and 101 for his statements on this scenario.

Re:Source updates on a minimal system?

[evilviper]

I could maintain a lot of stuff in 10GB, but given the sensitive nature of most OpenBSD installations (such as firewalls, etc.), GCC is not among the things I want to have around.

Kill this goddammed myth already...

Removing programs from your hard drive can't POSSIBLY make your machine any more secure. Taking the SUID/SGID bit off can, but that's a bit different, and programs like GCC aren't SUID, anyhow.

It's absolutely ridiculous to assume an intruder NEEDS you to install GCC for him. He can quite easily install OpenBSD on his own hardware and compile the code there, transfering the binary to your box. Or he can install whatever dev tools he wants, once he has root on your box.

Please, point out a single POSSIBLE way that having GCC on your machine COULD make your machine SLIGHLY less secure. JUST ONE!

Re:Source updates on a minimal system?

[Just+Some+Guy]

It's absolutely ridiculous to assume an intruder NEEDS you to install GCC for him. He can quite easily install OpenBSD on his own hardware and compile the code there, transfering the binary to your box. Or he can install whatever dev tools he wants, once he has root on your box.

I'm first going on the assumption that the attacker only has regular user access. If he has root, then all is lost (well, not completely, but still...). Regular users, though, might find it a bit annoying to not have any includes available when trying to compile 1337_rootkit.c. They'd have to install their own tarball, link against those headers, etc.

Would that stop a determined cracker? No! But it's an extra layer of hassle that you're making them jump through, and if it takes them an extra five minutes to figure out, then maybe that's enough. Again, it's not a solution, but a layer. It's like filtering MAC addresses: you don't use that as your sole line of defense, but it's a nice idea in addition to your other methods.

And philosophically, an ideal system is one that does not one whit more than it was designed to do. You could install X and ircd on a firewall, too, but if those don't help it fulfill its deployment goals then why do it?

BSD licensed nve driver?

[toadlife]

"a BSD licensed driver for nvidia nforce ethernet"

PLEASE, for love of Beastie, port this over to FreeBSD. The existing nve driver in FreeBSD is a POS.

Re:Rackmount firewall hardware recommendations?

[darkuncle]

eRacks and Hawk are two of the commonly-suggested vendors that sell machines with hardware specifically chosen for OpenBSD compat (and will even pre-install, if that's your thing). I'd suggest any 1U generic box built in the last 5 years with 512-1024MB of RAM. Good NICs are going to be more important than CPU (fxp(4) is a good choice; see the misc@openbsd.org archives, since this question comes up regularly). Either of the above vendors (or others; check Google for "openbsd rackmount server") should be able to get you a 1U box with a good quad-port card in it (use the built-in port(s) for the management channel). Get a pair of identical machines and set up carp(4) so they can do failover and you should be set. You can terminate VPNs using isakmpd(8) or you can just use OpenSSH (supports tunneling any arbitrary traffic, including layer 2 stuff, as of v4.3).

Re:Rackmount firewall hardware recommendations?

[darkuncle]

for a really secure wireless connection, you may want to take a look at authpf(8), and use ssh to tunnel all your traffic (at least between your laptop and the gateway).

Re:architectures?

[Spit]

I'm glad they support Sparc, as Solaris is no longer supported and Linux has some serious problems on Sparc systems. The old Sparc hardware is very reliable and neat and OpenBSD makes a nice replacement for Solaris.