Slashdot Mirror


OpenBSD 4.1 Released

adstro writes to quote from the BSD mailing list: "We are pleased to announce the official release of OpenBSD 4.1. This is our 21st release on CD-ROM (and 22nd via FTP). We remain proud of OpenBSD's record of ten years with only two remote holes in the default install. As in our previous releases, 4.1 provides significant improvements, including new features, in nearly all areas of the system."


  1. Just curious... by darnok · · Score: 5, Interesting

    My OpenBSD firewall box is several years old now (version 3.x), just keeps working and probably will until the 8yo hardware finally dies. Although I'm interested in the features in 4.1, and congratulate the developers on what'll doubtless be another good release, ultimately I'll probably stick with my existing setup. I *love* OpenBSD, for precisely one reason; it does what it's supposed to, and in my experience it *never* fails. However, I'm very unlikely to upgrade to any new version; why change something that works perfectly?

    For those of you using OpenBSD, how many of you are in a similar situation?

    1. Re:Just curious... by Yvanhoe · · Score: 4, Insightful

      You wonder? You wonder? Of course it has security implications. I think you are missing this:

      "We remain proud of OpenBSD's record of ten years with only two remote holes in the default install." and the fact that OpenBSD doesn't use the Linux/Windows "security" paradigm of "write software quickly, find security bugs, fix them ASAP". Their strategy is instead to be secure out of the box, at the price of a slower pace of development and fewer features.

      I am quite happy with Linux right now. But I know that the day I will run a critical application/server, I will either use OpenBSD or maybe a stable Debian but not a recent Linux.
      --
      The Wise adapts himself to the world. The Fool adapts the world to himself. Therefore, all progress depends on the Fool.
    2. Re:Just curious... by asninn · · Score: 2, Insightful

      However, I'm very unlikely to upgrade to any new version; why change something that works perfectly?

      Because holes continue to be found in every version and because old versions do not receive fixes anymore. There's only been two remote holes, of course, but there's an emphasis on both "remote" *and* "holes" here - and also an emphasis on "root", which unfortunately isn't even included in the slogan.

      In other words, if you don't upgrade unless/until a new remote root exploit is found, you still have to worry about local users rooting your box (and don't forget that there typically are users like "www" etc. even when no actual person besides you has an account on the box; not a big problem for a firewall, most likely, but servers in general aren't automatically safe), and you still have to worry about remote privilege escalation, remote denials of service and the like, too.

      That's not to say that OpenBSD is not a very secure system, but the slogan is somewhat misleading (it's marketing, after all!), and not keeping a system up to date with security patches is never a good idea.

      --
      butter the donkey
    3. Re:Just curious... by udippel · · Score: 4, Insightful

      And in this case, I'm not using that as a sarcastic reference to a low number, there really have only been two.

      Hmm, sorry, two what? Two remotely exploitable holes in the default install, or two users running the default install?
      (For those not in the know: the default install has - drums rolling - ssh enabled. And SMTP on 127.0.0.1. That's it. Over. No http, no ftp, no pop, nothing else.)

      Don't get me wrong, I'm a great OpenBSD fan and run it on my 3 production machines. Still, personally I consider that statement about the two holes more embarrassing than impressive.

    4. Re:Just curious... by melstav · · Score: 2, Interesting

      Except that, as was pointed out to me by several people when I tried to dispute the (at the time) "only one remote vulnerability ..." claim, once you change a config file, you no longer have a default install.

      The example I used was that the version of sendmail they had been distributing had a vulnerability that could be exploited to allow the execution of arbitrary code with elevated privileges. The response I got was that, because they pre-configure sendmail to only accept connections from the local host, it's not a remote vulnerability -- it's a local one, and thus doesn't count.

      I'm sorry, but if all I have to do to a "default install" to have a remotely exploitable vulnerability is reconfigure a service that is installed and running in the default install to accept connections from remote computers, I think the claim is disingenuous.

      I'm not saying that I have a problem with OpenBSD -- I use it on my firewall boxen and love it. I just have issues with some of their advertising.

    5. Re:Just curious... by raddan · · Score: 2, Interesting

      I would do the same, but we are affected by some of OpenBSD's recent patches. While it's true that there are only 2 remote holes in the default install in 10 years, there are other bugs like denial of service, database corruption, and local privilege escalation that would have affected us. I've backported a few easy patches to some of the machines that are difficult to take down for maintenance, but in general we make the effort to upgrade every other release.

      OpenBSD is great because maintenance is much easier. I don't have to worry, for example, about a broken libc after an 'emerge world' like I do on my linux boxen at home. That's an extremely painful lesson to learn.

      BTW, if you love the OS as much as you say you do, shell out the 50 clams to buy a CD set. If donating doesn't give you that warm, fuzzy feeling, at least the cool stickers will. The latest set comes with a wireframe Puffy. Awesome.

    6. Re:Just curious... by Noryungi · · Score: 3, Interesting

      In other words, if you don't upgrade unless/until a new remote root exploit is found, you still have to worry about local users rooting your box (and don't forget that there typically are users like "www" etc. even when no actual person besides you has an account on the box; not a big problem for a firewall, most likely, but servers in general aren't automatically safe), and you still have to worry about remote privilege escalation, remote denials of service and the like, too.

      True, but you should also read about PrivSep, W^X, security levels, systrace and other important security mechanisms that mitigate those risks (while not entirely eliminating them). All of these (and more) make a well-configured OpenBSD machine a very tough nut to crack. So to speak.


      To me, the best thing about OpenBSD is not that it is perfectly secure (that can't be achieved) but that security is taken seriously and all these mechanisms are activated by default. The excellent documentation, especially manual pages vs the GNU unreadable info pages mess, and reactive developer community are also big pluses in my book.


      --
      The right to offend is far more important than the right not to be offended. (Rowan Atkinson)
  2. Yea, but... by Heembo · · Score: 4, Funny

    Yea, but does it run Linux? Oh wait....

    --
    Horns are really just a broken halo.
    1. Re:Yea, but... by LizardKing · · Score: 2, Informative

      To which the stock answer is, yes OpenBSD does run Linux - Linux binaries at any rate (linux_compat(8)). I don't know about OpenBSD, but on NetBSD this works very well. Before a native JDK 1.4.2 was available for NetBSD I ran the Linux binaries of it under emulation.

    2. Re:Yea, but... by TheRaven64 · · Score: 4, Interesting

      Sysjail has a nice feature, where you can run everything inside the jail via a foreign system call framework. This means you can set up a sysjail on OpenBSD containing a complete Linux-compiled userland, and users can access it without ever being aware that it's not Linux unless they try to load a kernel module (or use a system call that isn't emulated).

      --
      I am TheRaven on Soylent News
  3. 2 remote holes in default install by timmarhy · · Score: 2, Funny

    so does this mean when i install my bick OS which defaults to turning off your NIC's, i will be able to claim my security is better than anyone's?

    --
    If you mod me down, I will become more powerful than you can imagine....
  4. Downloads by dleigh · · Score: 4, Interesting

    Why not a link to the .iso download page in the article?
    (Yes, that was annoyed sarcasm). I'd rather donate to the project and download an image than get one shipped, I can't believe OpenBSD is still refusing to provide Official ISOs.

    1. Re:Downloads by geminidomino · · Score: 2, Insightful

      That's the one thing that's hindered my using it, too.

      Keeping in mind who we're dealing with, though, I don't see it changing any time soon.

    2. Re:Downloads by astrashe · · Score: 4, Informative

      You can download a very small minimal iso and do a net install. I did it this evening -- the core system is pretty small, and comes down quickly. It's not as inconvenient as you might think.

    3. Re:Downloads by Anonymous Coward · · Score: 5, Informative

      Why don't people understand that the world of ISOs isn't practical for EVERYTHING? They're not "refusing" anything, the OpenBSD people provide an easy manner to obtain and install OpenBSD via ftp.

      For beginners, and for people who don't understand try looking here:

      http://www.openbsd101.com/

      The above site is Linux user friendly.

    4. Re:Downloads by evilviper · · Score: 4, Informative

      Why not a link to the .iso download page in the article?

      For the same reason Linux kernels, and any other files aren't directly linked in /. articles.

      Just for you: ftp://ftp5.usa.openbsd.org/pub/OpenBSD/4.1/i386/cd41.iso

      I can't believe OpenBSD is still refusing to provide Official ISOs.

      Creating an ISO is positively trivial. The file system layout is exactly the same as the FTP tree. Just be sure to make it bootable with mkisofs -b, or whatever "bootable" check-box your Win32 CD burner program has...

      Not to mention that there are dozens of different ways to install, and a bootable CD is rarely the most convenient. FTP install is quite handy.

      It's only for non-x86 systems that creating bootable CDs is somewhat difficult. And even there, I'd much rather create my own multiple system CD than download an x86 ISO, an Alpha ISO, a Sparc ISO, and burn each to several different (mostly-empty) CDs.
      --
      Slashdot gets worse every day... Pipedot: News for nerds, without the corporate slant
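As an added example (not part of the original thread, and not the OpenBSD project's own tooling): before feeding a downloaded FTP tree to mkisofs as described in the comment above, check the downloaded sets against the checksum list that ships in the same release directory, and only build the CD when every file matches. The script below is POSIX sh. It assumes a BSD-style checksum file with lines of the form `MD5 (base41.tgz) = <hex>` or `SHA256 (base41.tgz) = <hex>`, GNU `md5sum`/`sha256sum` or BSD `md5`/`sha256` on the host, and that the El Torito boot image name is passed in as a parameter (the name is release- and architecture-specific and is an assumption here, not something the page states). The caveat a practitioner should keep in mind: a checksum file fetched from the same mirror as the sets only catches truncated or corrupted downloads; it says nothing about whether the mirror itself is trustworthy, which is exactly the point the thread raises later about unofficial images.

```shell
#!/bin/sh
# Added example, not from the original thread or the OpenBSD project.
# Verifies a downloaded release tree against a BSD-style checksum list,
# then builds a bootable CD image from it with mkisofs -b.

# digest ALGO FILE -> prints the hex digest, using GNU or BSD tools
digest() {
    case $1 in
        MD5)
            if command -v md5sum >/dev/null 2>&1; then md5sum < "$2" | cut -d' ' -f1
            else md5 -q "$2"; fi ;;
        SHA256)
            if command -v sha256sum >/dev/null 2>&1; then sha256sum < "$2" | cut -d' ' -f1
            else sha256 -q "$2"; fi ;;
        *) return 1 ;;
    esac
}

# verify_sets DIR MANIFEST
#   DIR      directory holding the downloaded files (base41.tgz, bsd.rd, ...)
#   MANIFEST checksum list with lines like "MD5 (base41.tgz) = <hex>"
# Prints OK/FAIL/MISSING per listed file; returns 0 only if every file matches.
# Lines in any other format are skipped so a stray comment does not abort the run.
verify_sets() {
    dir=$1; manifest=$2; bad=0
    while IFS= read -r line; do
        case $line in
            "MD5 ("*|"SHA256 ("*) ;;          # BSD-style "ALGO (name) = hex"
            *) continue ;;
        esac
        set -- $line                          # -> ALGO "(name)" "=" hex
        [ "$#" -eq 4 ] && [ "$3" = "=" ] || continue
        algo=$1; name=$2; expected=$4
        name=${name#\(}; name=${name%\)}     # strip the parentheses
        if [ ! -f "$dir/$name" ]; then
            echo "MISSING $name"; bad=1; continue
        fi
        actual=$(digest "$algo" "$dir/$name")
        if [ "$actual" = "$expected" ]; then
            echo "OK      $name"
        else
            echo "FAIL    $name"; bad=1
        fi
    done < "$manifest"
    return $bad
}

# build_iso DIR MANIFEST BOOTIMG OUT
#   BOOTIMG: El Torito boot image, relative to DIR (release/arch specific; an
#   assumption of this example, not taken from the page). Refuses to build
#   unless verify_sets passes on the whole tree.
build_iso() {
    dir=$1; manifest=$2; bootimg=$3; out=$4
    verify_sets "$dir" "$manifest" || { echo "checksum check failed; not building $out" >&2; return 1; }
    tool=mkisofs
    command -v "$tool" >/dev/null 2>&1 || tool=genisoimage   # Debian's name for the same program
    "$tool" -r -J -V "OpenBSD 4.1" -b "$bootimg" -no-emul-boot -o "$out" "$dir"
}

# Usage: sh mkcd.sh verify DIR MANIFEST
#        sh mkcd.sh build  DIR MANIFEST BOOTIMG OUT
case ${1-} in
    verify) verify_sets "$2" "$3" ;;
    build)  build_iso "$2" "$3" "$4" "$5" ;;
esac
```

Run `verify` first against the directory you mirrored with ftp; a single FAIL or MISSING line is enough for `build` to refuse, which is the behaviour you want when a download was interrupted halfway through a set. If you want assurance against a hostile mirror rather than a flaky one, the checksum list has to come from somewhere you trust independently of that mirror; the script cannot provide that on its own.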
    5. Re:Downloads by LizardKing · · Score: 2, Insightful

      Why don't you download the floppy boot images, do a net install and save having to waste a CDR?

      The reason official downloadable ISO images are not available is to encourage people to buy the prepackaged CDs. The revenue from these sales is a significant reason why OpenBSD continues to flourish, as people like Theo de Raadt have an income that allows them to work full time on the project. Hopefully this will prevent a monoculture of Linux on servers, which in some respects would be as bad as the monoculture of Windows on the desktop. Personally I don't need CDs, but if I was using OpenBSD (rather than a certain other BSD) then I would be doing net installs from a server on my own network, and making a donation.

    6. Re:Downloads by kestasjk · · Score: 2, Informative

      Creating an ISO is positively trivial. The file system layout is exactly the same as the FTP tree. Just be sure to make it bootable with mkisofs -b, or whatever "bootable" check-box your Win32 CD burner program has... If that's too challenging you can also burn the minimal ISO, and burn the install files to another CD. Boot up off the minimal ISO, then use the second CD as the source for the installation tarballs.
      --
      // MD_Update(&m,buf,j);
    7. Re:Downloads by turing_m · · Score: 2, Informative

      Or you could download everything in the ftp directory on another computer, host it locally, and install from there. Quicker and you don't waste a CDR.

      --
      If I have seen further it is by stealing the Intellectual Property of giants.
    8. Re:Downloads by turing_m · · Score: 2, Interesting

      They have no users? They are currently on #52 in the page hit rank on distrowatch. Right below linspire.

      --
      If I have seen further it is by stealing the Intellectual Property of giants.
    9. Re:Downloads by mindstormpt · · Score: 2, Informative

      Not that BSD tools helps output is any useful anyway.


      On the other hand their manpages actually say something.
    10. Re:Downloads by kernelpanicked · · Score: 3, Insightful

      Ummm no. Nobody said "targeted at Linux users." Don't know where you got that BS from. Here are a few tips though.

      1. --help? What the fuck is up with GNU and the ridiculous long options. Try reading the man pages which actually provide information on a BSD system as well as examples. By the way, every command, device, and config file has one on OpenBSD.

      2. Korn shell is nearly a drop in replacement for bash and in some ways a damn sight nicer.

      3. export PAGER=less. And you call yourself a command line user? For shame.

      --
      Ubuntu: If at first you don't succeed, blindly slap a sudo in front of it
    11. Re:Downloads by LizardKing · · Score: 2, Interesting

      BSD is dead. As long as they have the antique command line tools.

      Well Linux, and every other Unix like OS including Mac OS X, are dead then as they also include "antique" command line tools. In fact Windows must be dead as well, as it includes command line tools, albeit piss-poor ones.

      Think whatever you want, but I cannot live w/o GNU command line. bash alone isn't sufficient - text-tools, file-tools are also important.

      Last time I checked, the ksh that comes with the BSDs can do everything bash can. The BSDs include all the command line tools that the GNU file and text tool packages have, after all they're clones of the Unix ones found in BSD, plus with the BSDs the manpages are actually complete and usually include examples. With the GNU tools you are often faced with an incomplete or out of date manpage that refers you to some difficult to navigate or search "info" pages.

      e.g. BSD's moronic find requires directory name - while GNU one picks current directory by default. All GNU tools support --help and --version - try to find common help displaying option in BSD variants. Not that BSD tools helps output is any useful anyway.

      Wow, GNU find extends POSIX with one extra feature that I've never used in over a decade of using it. As for --help, that's what manpages are for (sorry, I forgot that your GNU manpages are incomplete), and --version, how often do you need to know what version of find you're using?!?

      Also BSD's ps suck big time.

      Hmm, last I checked the output of both ps on Linux and NetBSD looked remarkably similar. Note that what you probably consider "GNU ps" is actually "Linux ps", as the implementation of such a command tends to be very closely tied to the kernel it's running on.

      The stupid insistence on using 'more' instead of 'less' isn't helping either.

      Oh dear, never heard of the PAGER command line variable? I guess your particular brand of Linux just happens to default it to /bin/less. Funnily enough, so does /etc/skel/.profile on my BSD machines.

      Also, it might surprise you, 'vi' is no more. Everybody had forgotten what it is - for good - and are using 'vim' instead. But the fact remain: BSD has no sane decent text editor preinstalled. Because POSIX 'vi' cannot be called 'sane' nor 'decent'.

      nvi, the default vi on BSDs has more features than the minimum required POSIX - see the Solaris implementation for something approaching that minimalism! Personally I find vim to be a mess, and have had it crash on me a number of times. However, the approach taken with the BSDs is that a minimum is included in the base install and ports or packages can be added to create the "perfect" environment. That said, OpenBSD includes a minimal emacs workalike in the base install which may be more to your taste.

      Constructive note. BSD should align themselves with Debian or Gentoo.

      God no. Gentoo is grinding to a halt as it's an unstable mess, while Debian reflects the whole GNU mentality of replacing things with new, no less buggy implementations every so often, with no interface consistency and way too many esoteric features. Having fought with aptitude and had it crash far too many times, I'm more than happy with the BSD ports systems instead.

  5. OpenBSD 4.1 Release Song by Anonymous Coward · · Score: 5, Interesting

    You mustn't exclude the OpenBSD 4.1 Release song from this article!

    http://www.openbsd.org/lyrics.html
    ftp://ftp.openbsd.org/pub/OpenBSD/songs/song41.mp3

    1. Re:OpenBSD 4.1 Release Song by chriscappuccio · · Score: 2, Informative

      They didn't show it very well in the cartoon, but the Linux penguin "stealing" the documentation is analogous to signing an NDA, as nobody else gets to see the documentation (the whole point of the NDA)

      And then for signing the NDA, he gets "stabbed" by the real thieves and he "dies" (what happens to devices when there's no documentation)

  6. Re:who cares? by Anonymous Coward · · Score: 2, Funny

    Well, if that is the case then I must be that kid in the movies because I see dead OSs on lots of my servers.

  7. 3 Years and Counting by p0 · · Score: 2, Informative

    I set up an OpenBSD box about 3 years ago. It has multiple gigE's and processes a reasonably tough load of network traffic 24 hours a day, even today. It has never ever crashed! It is not just crash proof, it simply doesn't give any other problems of any kind whatsoever, heck I don't even know what to write in this darned comment!

    Thanks for this. OpenBSD is rock solid!

    --
    This is my sig. There are thousands more, but this one is mine.
  8. But... by Arielholic · · Score: 5, Funny

    But.... does it have UAC?

  9. No ISO policy by PhotoGuy · · Score: 3, Informative

    While I hear great things about OpenBSD, and realize it is for a niche market where stability and security are the number one concern, it seems to me that more people would check it out and use it, if not for this policy:

    "The OpenBSD project does not make the ISO images used to master the official CDs available for download. The reason is simply that we would like you to buy the CD sets to help fund ongoing OpenBSD development. The official OpenBSD CD-ROM layout is copyright Theo de Raadt. Theo does not permit people to redistribute images of the official OpenBSD CDs. As an incentive for people to buy the CD set, some extras are included in the package as well (artwork, stickers etc).

    Note that only the CD layout is copyrighted, OpenBSD itself is free. Nothing precludes someone else from downloading OpenBSD and making their own CD. If for some reason you want to download a CD image, try searching the mailing list archives for possible sources. Of course, any OpenBSD ISO images available on the Internet either violate Theo de Raadt's copyright or are not official images. The source of an unofficial image may or may not be trustworthy; it is up to you to determine this for yourself."


    Now, FTP installs are pretty slick in these days of prevalent high speed; still, it seems a bit silly and arbitrary to intentionally restrict ISO distribution, to try and sell a few discs. The people who are willing to pay, would buy regardless of a free ISO being available (corporations and IT departments like having the official discs, and such).

    I guess more than anything, this policy strikes me as a bit of "attitude", which turns me off the distribution, more than the mild inconvenience of not having ISO's readily available.

    --
    Love many, trust a few, do harm to none.
    1. Re:No ISO policy by DaMattster · · Score: 4, Informative

      I understand your frustration with the policy and the attitude that it might imply but let me show you the other side of the story. The OpenBSD team works very hard to produce these releases and get little support in the form of donations from large companies that use pieces of the operating system. Theo de Raadt asked Sun for a donation for one of his hackathons and was not even given the time of day. He was not even answered which is tantamount to a 'no.' Given that OpenBSD provided extensive assistance to Sun in the integration of OpenSSH and voluntarily reported bugs in Sun's version (as well as others), I think it really would have been no skin off of Sun's back to provide a donation. The principal form of income for the project to function comes from sales of OpenBSD CD-ROMS. You could still make your own ISO, but please keep in mind the hard work of this project. Honestly, 50.00 is a drop in the bucket and you help keep the future of a good project stable.

    2. Re:No ISO policy by LittleLebowskiUrbanA · · Score: 4, Insightful

      Have you priced the official disks? Have you ever used OpenSSH? If so, have you ever given anything back to the creators and maintainers of OpenSSH (OpenBSD)?

      This attitude pisses me off. If you were actually using OpenBSD, you'd be willing to fork over a few bucks to get the disks. But you're not using it. The amount of time spent to produce such a high quality OS is worth the money in my book.

      The other thing that pisses me off is that OpenBSD doesn't have a millionaire patron. But they do have Sun, Cisco, etc shipping their software (OpenSSH) without even bothering to contribute to the foundation. Kinda cheap, huh? Maybe that's why they charge for their install disks.

      You clearly know nothing about OpenBSD.