What's New in OpenBSD 4.2?

blackbearnh writes "OpenBSD 4.2 was released today, and has a host of new features. O'Reilly's ONLamp site has a pretty thorough overview of the release. 'Even though security is still there, this release comes with some amazing performance improvements: basic benchmarks showed PF being twice as fast, a rewrite of the TLB shootdown code for i386 and amd64 cut the time to do a full package build by 20 percent (mostly because all the forks in configure scripts have become much cheaper), and the improved frequency scaling on MP systems can help save nearly 20 percent of battery power. And then the new features: FFS2, support for the Advanced Host Controller Interface, IP balancing in CARP, layer 7 manipulation with hoststated, Xenocara, and more!'"

Where to get it...

[KingSkippus]

Since the submitter didn't bother linking to their site (!!?), if you want to try out some of these amazing new features and improvements instead of just reading about them, you should head over to the OpenBSD 4.2 page and snag a copy!

Re:Where to get it...

[notamisfit]

I didn't see anything about it in the interview, but it looks like they've made install ISO's available for the various platforms (install42.iso in each directory). Might give it a spin if I can find a machine for it -- I gave 4.1 a try (and even bought a CD set) and was mostly impressed.

Re:Where to get it...

It should also be mentioned that buying a CD set helps fund the project. The price is low and the value high. You can get it here (many local resellers too).
---
AC using OpenBSD 4.2/i386 and GNOME 2.18 (*hides*) ;-)

Re:Where to get it...

I think I'll wait until those evil linux developers rip the BSD copyright from the headers and relicense the lot under GPLv3. /ducks

Re:Where to get it...

[eneville]

oh darn. now i'll have to find something else to post on my blog, rather than "this is how to make a openbsd iso"... drat. i guess they realise that the cd sales happen with or without the iso download.

Re:Where to get it...

[sootman]

Woah, woah, woah, wait... there's links on the Internet now?!??!

Re:Where to get it...

[DrSkwid]

The isos have been around for a long time. They are just stubs, you have to download the tgz package files separately.

OpenBSD installs quicker than the other OSes I've installed this past few years (FreeBSD, Windows, Various Linux distros, Plan9 from Bell Labs)

Re:Where to get it...

[Juggler+cant+juggle]

These are new ISOs with base sets in.

Re:Where to get it...

[DrSkwid]

so they are, my mistake, I'd remembered cdboot.iso

Jun-ichiro "itojun" Hagino

[eldavojohn]

It should probably be noted (as one of the articles states) that this release is dedicated to a man who passed away a few days ago. From another article on KernelTrap:

"Jun-ichiro 'itojun' Itoh Hagino passed away on October 29, 2007 at the age of 37. "To those in the BSD communities he was simply Itojun, best known in his role as IPv6 KAME project core researcher. Itojun did the vast majority of the work to get IPv6 into the BSD network stacks. He was also instrumental in moving IPv6 forward in all aspects through his participation in IETF protocol design meetings. Itojun was helpful to everyone around him, and dedicated to his work. He believed and worked toward making technology available to everyone. He will be missed, and always remembered." Truly unfortunate for the open source community, the networking community & all of Itojun's family. It's a shame to see someone so promising go at a young age.

Re:Jun-ichiro "itojun" Hagino

It says a lot about the kinds of people who post here when things like this happen, a man dies, and some random jackass makes a crack about it. Fuck you, you little shit, itojun was a good man. He put a huge amount of his life's work into the KAME project, and through it provided the world with IPv6, that's a significant accomplishment. What have you done? Made a jab about a dead man.

Re:Jun-ichiro "itojun" Hagino

He died almost instantly in a car accident. Stupid driver wasn't looking where he was going and plowed straight into him. It could happen to any one of us.

He was a damn fine fellow and it's a real shame to see him gone. RIP.

Re:Jun-ichiro "itojun" Hagino

[nacturation]

And if you want to learn about IPv6 he has a good series of videos.

I need to try BSD

[Stamen]

I use OS X on my workstations, because I think it's the best *nix workstation at the moment, but I use Linux, exclusively on the server. I really need to try BSD. I really enjoy ports on OS X, so I'm sure I'd like it in BSD.

The only problem I run into on OS X is some of the GNU tools aren't there, and the BSD version of stuff like ls and such are different. But you can port install that stuff, so really that issue is mute. I think I'll fire up a virtual server and try out BSD

Re:I need to try BSD

[ByOhTek]

One of the first things I do on FreeBSD after installing bash and portupgrade...

portupgrade -Nf sysutils/gnutools
echo "
alias ls='gls --color=always'
alias cp='gcp'
alias mv='gmv'
" >> ~/.bashrc

Something similar will probably work on OpenBSD

(oh, and for those who need their [modified] meems... OpenBSD is Undead, netcraft confirms it!)

Re:I need to try BSD

[notamisfit]

Hmmm, I just learned to get used to no color, no longopts, and readable man pages. Crazy, innit? (Although, IMNSHO, zsh kicks the shit out of bash for usability).

Re:I need to try BSD

[Stamen]

colorls is in ports for gnubies, Can't you just turn on color with ls -G like in OS X? No need for gnu ls. The only reason I'd want gnu stuff is to be consistent with the Linux servers, so I could have 1 set of scripts. Personally, I don't install gnu tools in OS X, I use ls - G, and curl instead of wget, etc.

Re:I need to try BSD

[Just+Some+Guy]

With 'ls', at least, you can skip a step. Replace:

alias ls='gls --color=always'

with:

alias ls='ls -G'

What GNU extensions to you use to 'cp' and 'mv' so often to alias them? In a decade of using Linux and FreeBSD interchangeably, I've never noticed a significant difference in those very basic tools.

Re:I need to try BSD

[cromar]

Out of curiosity, which commands in GNU tools are different/missing from OS X? (I guess I am showing a bit of ignorance of GNU/Linux... on Slashdot no less! Ouch :)

Re:I need to try BSD

[Stamen]

Hey, wait a second... But you're dead... I saw the car go off the cliff myself... It can't be, it just can't... Dad, is that you?

Re:I need to try BSD

[inode_buddha]

Hey now, I'm a grammar/english type myself. True, the mis-usage hurts the eyes, but still I would maintain that the question is not one of being a useless heap of shit. Rather, I say that the question is "Does the otherwise useless heap of shit have a kernel of corn in it?"

Re:I need to try BSD

[ByOhTek]

actually, I'm quite aware of the -G option.

I got the gnu tools, because I have a habit of thinking about how I want to view the director[y|ies] after type out the directories...

the BSD ls won't do what I want with
ls ~/ -lh

but the GNU tools will.

Re:I need to try BSD

[ByOhTek]

or I could just use -G rather than run a port just to get colors. I get the gnu tools because they act quite different, and work better for the way I think and process what I want to do.

As for bash, I prefer it to CSH/KSH, just a personal preference. None of them are scary - some people just work better with some tools than others.

Re:I need to try BSD

[ByOhTek]

Actually, the GNU tools are nice if you have the habit of typing out the [OPTIONS] after the files/directories.

i.e.
ls ~/ -lh

(I think of the dir first, then what I want to do with it.) I just specified the --color=always because it can be taken away easy enough, and -G doesn't do the same thing in GNU ls that it does in BSD.

Re:I need to try BSD

[QuoteMstr]

The only thing I miss in OpenBSD 4.1's ksh (versus bash) is bang-expansion. !$ is particularly useful.

That said, I don't see why bash or bloated or scary. It's got quite a few nice features, but nothing that's not necessary, and it runs plenty fast. And scary? It's just a shell.

Re:I need to try BSD

[archen]

Yeah, it's sort of strange but I always install gnuls myself (and bash) myself. The main reason being that gnuls compacts directory listings while bsd ls tends to use more white spacing. That ended up being annoying in some directories because it meant the difference between a page full of text or more so you end up scrolling.

That is one of the nice things about bsd though. I mean if you don't like something like 'ls' then you're free to use another one.

Re:I need to try BSD

[LuSiDe]

I got the gnu tools, because I have a habit of thinking about how I want to view the director[y|ies] after type out the directories...

Bad habit. Think about it: would you do the same with rm, mv, cp? No. So, get rid of your habit.

Re:I need to try BSD

[gblfxt]

you dont need to try BSD, your already using it, OS X = BSD

Re:I need to try BSD

[DrSkwid]

> some of the GNU tools aren't there

That's called a feature

Re:I need to try BSD

[ralph.corderoy]

--color=always is a really bad idea. You're shoving terminal escape codes to set the colours down any pipe to which you connect ls's stdout, e.g. `ls | awk 'length >= 3 && length = 5''. This is why --color=auto exists.

Re:I need to try BSD

[ByOhTek]

actually, I do

cp a/ b -rfv

all the time

Re:I need to try BSD

[grub]

Bahaha! Damn my mod points expired. Good one!

Re:I need to try BSD

[Guido+del+Confuso]

I personally put my options before my arguments (e.g. "ls -l ~/public_html" ), but I can see one very good argument for putting the options after the arguments. Specifically, if you type, for example,

rm -rf /tmp/*

you run the risk (however remote) of accidentally hitting enter after typing the first / and causing some serious damage to your system. Or you might be trying to remove something in /etc and end up wiping out the whole directory with one misstroke.

By putting the -rf at the end, you practically eliminate that risk.

Re:I need to try BSD

[setagllib]

Or by using the 'interactive' option, -i. DragonFly goes so far as to improve it (-I) and make it a default alias for login shells.

Love!

[antifoidulus]

Remember, Theo de Raadt loves each and every one of you, he includes love in each copy of OpenBSD! Well, love or an incredible hatred of the x86 platform and everything not OpenBSD.

Re:Love!

[Spit]

I don't much care what he thinks of me, but it's obvious that OpenBSD is a labour of love. It shows.

Huh?

[LotsOfPhil]

What's BSD?

Re:Huh?

[king-manic]

What's BSD? A LSD precursor.

Re:Huh?

[ByOhTek]

The first thing I thought of when you said that was the FreeBSD 5 installer.

My next thought was "It's so true..."

Re:Huh?

[marcello_dl]

I'd ask "what's google" next.

Re:Huh?

[4D6963]

What's BSD?

It stands for Bisexual Satanic Daemon. That's a service for Linux that filters packets from the internet and replaces the text from web pages with random extracts from the Satanic Bible and random occurences of '666', and replaces images with obscene pornographic depictions.

You can just ask Google if you don't believe me.

Re:Huh?

[UnknownSoldier]

Ah Berkeley,
known for LSD and BSD.
Coincidence? You decide :)

Re:Huh?

[that+this+is+not+und]

I think of Berkeley as being known for Donald Knuth and BSD.

Re:Huh?

[gblfxt]

BSD is what makes OS X a real operating system

Re:Huh?

[Daffy+Duck]

Hmmm. Do you also think of Italy as being known for Jerry Lewis and bullfighting?

Knuth's at Stanford.

4.2BSD

[m2943]

Ah, that brings back memories of 4.2BSD, the first BSD with real Internet support.

(OpenBSD 4.2 seems somewhat less exciting to me.)

How dissapointing- they didn't include Xen

[LukeCrawford]

Christoph Egger did a OpenBSD Xen port (based on the NetBSD xen stuff) see: http://hg.recoil.org/openbsd-xen-sys.hg It looked pretty promising. It's too bad they aren't going to support that platform. I've got lots of customers who'd really like a OpenBSD option.

Re:How dissapointing- they didn't include Xen

[e9th]

Theo has strong feelings about virtualization.

Re:How dissapointing- they didn't include Xen

[Antique+Geekmeister]

Getting Theo to accept a tool, or set of tools, that are not built to the OpenBSD standard of incredible efficiency and cleanness of code is extremely unlikely: I don't think Xen is there yet.

Mind you, that cleanness of code and incredible efficiency comes at the cost of having a usable interface and key features that push people away from OpenBSD into something that will actually do the job they need done, and will do it now.

Re:How dissapointing- they didn't include Xen

[LukeCrawford]

Xen is an improvement over the chroot jail; a rather large one. Theo does have a point in that virtualization is much less secure than just giving every user/app their own box, but often giving everyone their own box is not financially feasable.

OpenBSD has some good features for making it more secure to share one box amongst many users, but that model is difficult if your users want to run services on ports below 1024 without your help, among other things.

Re:How dissapointing- they didn't include Xen

[hdparm]

chroot was not written to enhance security. It became a 'security' tool in the hands of inapt sysadmins.

Re:How dissapointing- they didn't include Xen

[__aaxwdb6741]

I'm a unix admin at a company with about 50/50 Windows/BSD servers. I just had a discussion today with one of our Windows admins about FreeBSD and "usability", after I told him about how to restart a service and when to look in /etc/rc.d and /usr/local/etc/rc.d.
He couldn't understand why we didn't make it "easy" for people to administer FreeBSD boxes, why there wasn't a gui for this stuff, and why you couldn't just write "service apache restart", like you can do on some Linux distributions.
After a long, heated discussion I told him "It's so that stupid people don't try to administer our boxes. We don't want stupid users". Not the best answer, but he rejected the explanation that administrating a FreeBSD box is much easier than a windows one, exactly because you're _never_ just guessing what you have to do to get a job done.

Re:How dissapointing- they didn't include Xen

[cstdenis]

FreeBSD (And I think the other BSDs) have the jail command which gives you something between a chroot and virtualization -- almost virtualization from the process' point of view.

Re:How dissapointing- they didn't include Xen

[TheOrquithVagrant]

You know, from a standpoint of security-conscious virtualization, having the OpenBSD team go through the Xen hypervisor code and making OpenBSD work as Dom0 would be a Really Good Thing.

Request for information

[cdn-programmer]

I've filed a bug report on this but at this point I'm not even sure its a bug... could be a hardware issue..

If anyone is running Adaptec SCSI 2940 controllers with more than one SCSI hard drive and it works then I'd like to know... if anyone is having problems I'd like to know.

The issue is that I have one 2940 fast narrow card and it won't boot... says there is no O/S. In the same machine... swap that card out to a 2940 fast wide and it boots just fine. Perhaps this is a firmware card issue. I have so far only tested these two cards... I plan to go get a handfull more.

Next issue. With the fast wide all seems 100%. Then I start an rsync from another machine and within seconds I get a kernel panic. There is a bug report here: http://paste.lisp.org/display/49908#1

Is OpenBSD bug report # 5616

I'm not at this point asking anyone to debug this. I want to know if others have a similar setup and it works.

This machine is a Pentium I, with two fast narrow SCSI disks and in this case an AHA 2940 FW card. There is nothing else on the bus.

O/S version was 4.1 and now I can try the new version. Since OpenBSD is such a great O/S I sure would like to get to the bottom of this without wasting people's time. If we have a problem we need to know about it and potentially fix it. If its an isolated issue then I need to know this so I can shelve the hardware if in fact it is flakey hardware.

Note: With that fast wide controller... dd if=/dev/sd1 of=/dev/sd1 bs=2048 will run 100% and never glitch at all. But try that rsync on the system.. kernel panics 100% of the time within seconds.

Re:Request for information

[kv9]

The issue is that I have one 2940 fast narrow card and it won't boot... says there is no O/S. In the same machine... swap that card out to a 2940 fast wide and it boots just fine. Perhaps this is a firmware card issue. I have so far only tested these two cards... I plan to go get a handfull more. I use a couple of 2940 narrow and wide "in production" under NetBSD (without problems) and sadly I cannot test this issue under Open. however, I do have anecdotal evidence of the situation you are describing being true (friends with same config as yours tried and failed to boot OpenBSD on the thing -- install works fine and so do other operating systems).

Re:Request for information

[Secret+Rabbit]

Maybe, just maybe, it'd be better to send a mail to one of the OpenBSD mailing lists. Perhaps then, you'll actually get some help.

Just a thought.

Re:Request for information

[cdn-programmer]

I have the adaptec hardware manuals for the 2940 and other cards. Yes I have heard about bugginess.

I'm not a kernel guru and I've not written or even looked at drivers. It takes so much time to even get into this that for me I'd have to be granted another lifetime before I can get seriously involved.

One question that comes to mind is that I've personally never run into an issue with linux on similar h/w and with the same cards. Linux drivers are OSS so it would seem that any issues the linux and other *nix people might need to address are going to yield solutions for all operating systems.

If so, then for these pesky thankless driver issues perhaps a closer working relationship is in order. Perhaps driver writers could define a common group of functions which could be linked into all drivers regardless of the OS that hosts the driver. Again, since I don't write drivers I simply don't know. But why re-invent the wheel if it can be avoided. I would think an openBSD style license would be appropriate for such an undertaking.

Re:Request for information

[Antique+Geekmeister]

Welcome to the (lack of) driver support for OpenBSD.

Re:Request for information

[kv9]

Welcome to the (lack of) driver support for OpenBSD. driver support exists as long as the OS installs. it's just a boot problem. bugs exist everywhere, yes?

Re:Request for information

[Antique+Geekmeister]

No. There are stacks of hardware that are in use in the open source world that do not work well under OpenBSD, if at all. 3d graphics cards, anyone? USB->serial adapters? Wacom graphics tablets? External USB DVD burners? I've seen reports of all of them failing with OpenBSD, where they work well under Linux, even with live Linux CD's.

Unless there's been a huge influx of driver support, which seems unlikely with Theo in charge and insulting polite GPL developers, I see it stuck in supporting network security applicances, not desktop use.

Re:Request for information

[kv9]

3d graphics cards, anyone? USB->serial adapters? Wacom graphics tablets? External USB DVD burners? I've seen reports of all of them failing with OpenBSD, where they work well under Linux, even with live Linux CD's. all these have no purpose in a server orientated OS. OpenBSD supports lots of hardware and people that check if their hardware is supported before whining are known to be running it as a workstation (not a "desktop"). OBSD is exciting because of its PF goodness, various other network magics and security, not because it supports the latest tablets.

Unless there's been a huge influx of driver support, which seems unlikely with Theo in charge and insulting polite GPL developers judge a man by his deeds, not his attitude.

I see it stuck in supporting network security applicances, not desktop use. I don't see that as "stuck". not everyone is trying to make the next point-click-drool Noobuntu, you know?

Re:Request for information

[Antique+Geekmeister]

Unfortunately, that "purity of essence" approach prevents it from operating on laptops for network probing applications, or on relatively new hardware platforms. So you get fascinating network purity, that runs twice as fast, on hardware that's 3-5 years old and therefore half the speed. Getting the "packetfilter" tools improved is great, but when you can't use it with the latest Broadcom drivers because key parts of the drivers were GPL licensed and Theo threw a hissy fit when the actual author noticed and tried to work it out, all that speed is wasted. And without good GUI's, or at least more usable interfaces, for systems people who are not quite so experienced, those tools will not be broadly used.

That's not a good investment of engineering time.

Re:Request for information

[kv9]

So you get fascinating network purity, that runs twice as fast, on hardware that's 3-5 years old and therefore half the speed. Getting the "packetfilter" tools improved is great, but when you can't use it with the latest Broadcom drivers because key parts of the drivers were GPL licensed and Theo threw a hissy fit when the actual author noticed and tried to work it out, all that speed is wasted. it runs twice as fast on new hardware too. Broadcom does not make all of the network adapters in existence. I'm sure they will fix that in the next hackathon as usual. how hard is it to use hardware that is supported by your operating system?

And without good GUI's, or at least more usable interfaces, for systems people who are not quite so experienced, those tools will not be broadly used. That's not a good investment of engineering time. let me try an analogy (and forget about my sig for a minute) because this is slashdot anyway: not many people can figure out rocket engines; are they not a good investment of engineering time?

Re:Request for information

[Antique+Geekmeister]

No, it runs twice as fast on the limited amount of hardware that it runs on. Broadcom is hardly the only GigE or high-end network component manufacturer, but they're extremely common. And hardware manufacturers go out of business or discard product lines on a regular basis, so you can't necessarily rely on those old, known good device manufacturers to still be available in a few years time.

To extend your analogy, a rocket engine that is beautiful and fuel efficient but has to be aimed by getting out and rebolting the fins is not a good use of engineering time, no. The configuration tools I've seen for OpenBSD were limited. Is there a better management tool for packetfilter in the last few years? Because a filtering tool that is 20% faster doesn't matter if I can't hand off configuring it to reasonably competent engineer and go do more useful work.

Re:Request for information

[kv9]

Is there a better management tool for packetfilter in the last few years? yes, it's called vi.

Because a filtering tool that is 20% faster doesn't matter if I can't hand off configuring it to reasonably competent engineer and go do more useful work. an engineer which can't edit some simple rules in a text file is not remotely competent. do your network jocks configure Cisco equipment thru a GUI?

Re:Request for information

[Antique+Geekmeister]

Ahh. Ogg have better tool for making bearskins. Is called flatter rock. Ogg need to upgrade tool for bearskins? Use bigger rock! Makes flatter bearskin!

There are reasons people learned to use knives and other tools to skin bears, for the same reason we use good good GUI's or tools for editing sensitive configuration files. It leaves us time to stop chipping rocks into the shape we want and get on with our lives.

Re:Request for information

[kv9]

Ahh. Ogg have better tool for making bearskins. Is called flatter rock. Ogg need to upgrade tool for bearskins? Use bigger rock! Makes flatter bearskin!

if we are to properly use your analogy, a GUI is a plastic knife and vi is the swiss army knife.

you still did not answer my question. do you configure Cisco equipment with a GUI? wrangle Oracle with a GUI or sqlplus? manage your servers with VNC or good old ssh?

you have one fucked up view of progress. sure a GUI is suited for video editing, 3D modeling or browsing the WWW and such but not modifying simple configuration plain text files. the right tool for the right job, you know?

so if it doesn't have a GUI and you can't use it because it's "arcane" or too hard to figure out, then leave it to people that actually know what they are doing. that's the way $DEITY intended.

eternal november will never end.

Re:Request for information

[Antique+Geekmeister]

I've done deep Cisco work directly in IOS, and loath the Oracle work I've done for its painful interfaces. I throw them out as fast as possible for interfaces that let me get on with my work.

VNC is unnecessary, and its password handling and user authentication is a security issue. SSH with X capability provides a superior interface. However, when you need console access to a remote server, look at how many of the remote KVM devices are actually VNC wrapped into a web access utility, so I don't discard it completely.

I've done quite a lot of work with the command line, thank you very much. When life was too restricted to use vi, I've worked directly with ed and other more primitive tools, so I'd suggest you not compare your stone rock skill with *me*, thank you very much. Ogg know how to use rock, Ogg know how to chip rock, Ogg know how to chip rocks into arrowheads and shoot tiger from tree where is safe.

Re:Request for information

[kv9]

I've done deep Cisco work directly in IOS, and loath the Oracle work I've done for its painful interfaces. I throw them out as fast as possible for interfaces that let me get on with my work. I too have tried to throw out IOS for an interface that lets me get on with my work but was never able to figure out where I plug the mouse.

Re:Request for information

[scottv67]

do your network jocks configure Cisco equipment thru a GUI?

1. Well, ASDM is not a bad tool to have around when working with the ASA's

http://www.cisco.com/en/US/docs/security/asa/asa80/asdm60/user/guide/usrguide.html

2. The Altiga VPN concentrator is 100% GUI - there is no CLI.

3. I manage a wireless network that has close to 400 APs. The WLSE (with its GUI) is much easier to use that telnet'ing to each AP. As soon as we upgrade to LWAPP, GUI administration for our wireless network will be SOP.

Re:Request for information

[scottv67]

I've done deep Cisco work directly in IOS

What does that mean? Did you telnet to a switch, login, enter 'enable' and then 'config t'?
Everybody does that.

Re:Request for information

[Antique+Geekmeister]

Not everybody does that. But no, I've gone quite a bit further than that. Unfortunately, I'd get into NDA material pretty fast if I went into details.

Good Desktop OS

[LM741N]

I know OpenBSD is renowned as a secure system, but it also is a good desktop OS. In fact, I bet it recognizes more devices than my Windoze Vista. I was pleasantly surprised the last time I tried out OpenBSD on my laptop. My only complaint is that the ports are not as comprehensive as FreeBSD. But then, maybe I should be a maintainer for one and stop complaining, lol.

Re:Good Desktop OS

[bigstrat2003]

In fact, I bet it recognizes more devices than my Windoze Vista. I'll take that bet. Vista's device recognition is pretty damn solid, and is, in all likelihood, going to move from "solid" to "really good" with SP1. Now, I don't know OpenBSD's device recognition rate, but, I know that Linux still isn't as good as Windows, and it would stand to reason that OpenBSD, being less popular than Linux, will have even worse support in that department.

Now to be able to afford a zillion hardware configurations to test both OSes on... ;)

Re:Good Desktop OS

[deftcoder]

It's unfortunate how so many people hear "BSD" they jump immediately to firewalls and servers.

I'm sure having video drivers would change that.

I would use OpenBSD on my dual core laptop w/ nvidia 7900 gs instead of Debian Linux if there was a way to use the (non-free) official nvidia drivers.

For now, it is only used by me as a server OS though. PF rules!

Stable branch, still from source only?

[BlueParrot]

One of the things that has put me of OpenBSD is the need to compile from source if you want to use the stable branch. I realise this is partially due to limited resources and priorities, but I would argue that this is probably one area where there is room for improvement.

In any case they have done a lot of good work. Copyleft vs OSS ideology disputes aside. ; )

Re:Stable branch, still from source only?

[Dan+Ost]

How long does it take to build the world now days?

I haven't played with OBSD for a couple of years, but I remember starting a build at night and having it done when I got up the next morning (on hardware that was, even then, considered old). I can't imagine that things haven't improved since then.

Re:Stable branch, still from source only?

[e9th]

I do all my builds on a 4 yr old box (1.7 GHz Celeron, 256MB, ATA disks). The kernel takes about 20 mins, userland about 2.5 hours. In my case, the CPU is the bottleneck.

Re:Stable branch, still from source only?

[kv9]

One of the things that has put me of OpenBSD is the need to compile from source if you want to use the stable branch. I realise this is partially due to limited resources and priorities, but I would argue that this is probably one area where there is room for improvement. no you do not. stop spreading FUD. there are binary sets for multiple archs in every release. this also goes for the ports. it is clearly stated in the FAQ that if you want stable you should use binary packages. the only time when you have to compile is when you make changes to the kernel (or are tracking -current system or ports).

Re:Stable branch, still from source only?

[kv9]

How long does it take to build the world now days? ~10 mins for the kernel and about an hour for the userland (2xP3/933, 512M, 2x10K). and considerably more on weaker hardware (as expected).

Re:Stable branch, still from source only?

[kestasjk]

In the BSDs there are 3 kinds of CVS branches: RELEASE, STABLE, and CURRENT. CURRENT is the latest developers release with tried&untested patches, at the bleeding edge. STABLE is also a developers release, but it is supposed to contain new stuff that has been tested in CURRENT and doesn't seem to break anything. RELEASE are the milestones like 4.2, where everything is tried&tested and only security patches are added to it, to create a stable platform.

It's annoying that STABLE is actually less stable than RELEASE, it's the source of a lot of confusion; but if you're not interested in compiling from source it's unlikely you have any reason to be running the STABLE branch.

Re:Stable branch, still from source only?

[Antique+Geekmeister]

You're building X windows, various window managers, and the more useful X GU's like Firefox in less than an hour? Or is that a relatively small "userland" you're using there?

Re:Stable branch, still from source only?

[kv9]

You're building X windows, various window managers, and the more useful X GU's like Firefox in less than an hour? userland without X (I don't use OpenBSD as a workstation). Firefox and such is not in the base source sets and you don't have to build it because it's available thru ports as a binary package.

Re:Stable branch, still from source only?

[notamisfit]

That's FreeBSD's release engineering, not "BSD"'s. OpenBSD's -CURRENT works about the same, but their "-STABLE" is an errata branch, getting bugfixes and security updates. New releases are always cut from -CURRENT, so an extra branch for minor releases isn't needed.

pf

One of the things I love about OpenBSD is pf. It blows away iptables. Not only in functionality, but in the syntax language as well. You don't have to have a cheat sheet for pf like iptables, which lessens the chances for mistakes IMHO. Iptables syntax is extremely painful to work with in comparison.

Re:pf

[Sancho]

I love pf quite a bit--it's one of the reasons I prefer FreeBSD to Linux. That said, it's simply not true to state that it has more functionality than Netfilter (what most Linux users call iptables.) Netfilter has lots of modules that let you do a ton of really absurd and esoteric networking. pf can do a lot of stuff, and it's blazingly fast and simple, but it's not nearly as extensible or functional (when you consider the Netfilter mods.)

Package auditing?

[saleenS281]

So have they included any sort of package auditing yet? Something along the lines of portaudit in freebsd? For those of us who don't enjoy upgrading just to upgrade, and don't want to have to monitor mailing lists to see everytime a package has an issue, is there any automated package auditing?

Re:Package auditing?

[Noryungi]

Do you even know what you are talking about?

OpenBSD indicates all changes to its Ports/Packages on the following page.

If you have configured your OpenBSD machine properly, all that is needed to upgrade an installed package is to enter sudo pkg_add -vv -i -u package_name. No fuss, no muss, and it only takes a few minutes to upgrade all the installed programs to the latest version. No need to read mailing lists or web pages.

Finally, if you can't be bothered to read mailing lists and/or web pages to make sure your system is secure, I don't think you should be using OpenBSD in the first place. Stay with Windows, it's probably where you belong.

Re:Package auditing?

[saleenS281]

Ok Theo. Making administration easier is definitely a *BAD THING*. Who could POSSIBLY want easy to use utilities that can be scripted to scan the system, and then the requisite repo to see if there's any vulnerable packages installed. I should definitely memorize every package on all 250 of the systems I admin to make sure that they're properly patched.

Maybe when you grow up and get a real job you'll understand that manually checking systems is not an acceptable solution. Hard to understand why openbsd doesn't get donations or widespread adoption with attitudes like that!

Never got the hang of patching it

[Just+Some+Guy]

One thing I never really figured out with OpenBSD is why errata patches are handled the way they are. Why doesn't OpenBSD offer binary updates? For example, here are the instructions to fix errata entry 009 ("Fix possible heap overflow in file(1), aka CVE-2007-1536."):

Apply by doing:
cd /usr/src
patch -p0 < 009_file.patch

And then rebuild and install file:
cd usr.bin/file
make obj
make cleandir
make depend
make
make install

Given that I installed from binary packages as do most users, and I might not even have a compiler installed, the startup cost of following those steps is fairly substantial. It seems like it would be easier for someone at OpenBSD to run those commands, see which files changed, wrap them up into a tarball, and distribute those - at least for the most popular architecture or two.

Now, I'm not saying they should do this or that they owe it to us end users to do it. I just mean that it'd be amazingly convenient with a seemingly minimal amount of extra work. Am I wrong about what would be involved?

Re:Never got the hang of patching it

It would be a pain to devote one of each arch's build machines to -stable instead of -current. It is also generally considered a stock response that an administrator should be doing the patches, so that they understand what's happening in their machine. http://blog.bsdjournal.net/ is the site of a guy who maintains some stable builds, perhaps you could try and get him to work more closely with the OpenBSD project and get those to become official binaries updates, but it seems unlikely.

Re:Never got the hang of patching it

[rsax]

I completely agree. FreeBSD started offering official binary security updates. Maybe one day OpenBSD will do the same. Until then give Radmind a shot. It works beautifully for any BSD OS.

Re:Never got the hang of patching it

[Dan+Ost]

It's my understanding that the OBSD developer community is small enough that they can't tackle everything that they'd like to do between releases. This means that any new work to be done has to displace something else on the TODO list.

I actually think this is a good thing. This keeps development focus on improvements that benefit the whole OBSD community rather than on developer's pet projects.

Re:Never got the hang of patching it

[Just+Some+Guy]

It would be a pain to devote one of each arch's build machines to -stable instead of -current.

Assuming FreeBSD's tools with a few options over OpenBSD's for simplicity:

1. On release day, do a clean install onto a donated Pentium set aside for such a purpose.
2. When a patch comes out, follow its instructions.
3. Run:

   # cd /
   # find . -newermt '10 minutes ago' | tar -cvzT - -f /tmp/binarypatch009.tar.gz

4. Copy that tarball to the website for mass downloading.

It is also generally considered a stock response that an administrator should be doing the patches, so that they understand what's happening in their machine.

I don't know what's on the machine in the first place beyond what the OpenBSD folks said is there; I certainly haven't audited it myself. At any rate, the output of

# cd /; tar xvzf /tmp/binarypatch009.tar.gz

on the machine being patched is a lot more grokable for most people than the output of a long patch/compile/install session.

I'm not saying that my way is "right", but it just seems like an easy step that would be greatly appreciated by a huge amount of people who otherwise just ignore patches until the next release comes along.

Re:Never got the hang of patching it

[Just+Some+Guy]

But the problem is you don't really know if Theo is the one who made the binary.

I don't really know if Theo is the one who compiled the ISO I just downloaded and installed, either. At some point there's a leap of trust.

Re:Never got the hang of patching it

[funky+womble]

a donated Pentium

hah. You're seriously underestimating the work involved. An OpenBSD release covers around a dozen machine architectures: one donated Pentium won't cut it. And besides the machines, also needed would be additional power, cooling, another rack, *space to put all of this*, before you even start on the non-trivial amounts of time (necessarily that of a trusted developer) to prepare and test things out.

Re:Never got the hang of patching it

[Just+Some+Guy]

You're seriously underestimating the work involved. An OpenBSD release covers around a dozen machine architectures: one donated Pentium won't cut it.

I mentioned earlier that it'd be for the most popular couple of architectures. We already do this at my company for our OpenBSD machines: maintain an old beater that does nothing but track changes to -stable and package them for other local machines. It'd just be nice if there were an official parallel.

before you even start on the non-trivial amounts of time (necessarily that of a trusted developer) to prepare and test things out.

Seriously, though, why would it take more testing than rolling out just the patches? If I have foo.c and its resulting foo, and you give me foo.patch, both of us should end up with bit-identical new copies of foo afterward. Why not just give me foo so that it only has to be built on one machine instead of a million?

Re:Never got the hang of patching it

[Tweekster]

If i recall correctly, didnt the openbsd team make replacement for GNUPGP? Honestly i cant remember, but i thought they did. they would be able to sign then using that

but even if they didnt. Signed binaries, just like the signed source packages. The downfall of openbsd. People trust the source, because a team audited.

Re:*BSD is dying

[zeromorph]

trolling is a stupid sport. copy&past trolling is even more boring.

let me be the first to say: "old post!"

I can run it on ALL of my hardware

[thomasdz]

PPC Mac, random Intel boxes, and most importantly, my collection of VAX systems can all be running the same code.
That's why I like it and use it.

what is new? the answer is...

[lordholm]

There is a new song, as far as I am concerned, that is one of the more exciting features in OpenBSD 4.2. :)

Oh boy!

[rabel]

basic benchmarks showed PF being twice as fast, a rewrite of the TLB shootdown code for i386 and amd64 cut the time to do a full package build by 20 percent (mostly because all the forks in configure scripts have become much cheaper)

And the bifflespaf WTF has more pargodoogen XRR! But what about the Garblerackin' snarkenlugey 533p?

Yeah, yeah, I know, it's /. so this is to be expected, but this is getting ridiculous.

Re:Oh boy!

[yukk]

basic benchmarks showed PF being twice as fast, a rewrite of the TLB shootdown code for i386 and amd64 cut the time to do a full package build by 20 percent (mostly because all the forks in configure scripts have become much cheaper) And the bifflespaf WTF has more pargodoogen XRR! But what about the Garblerackin' snarkenlugey 533p?
I think you mean : "The badabadabingabanger button on the raidorama cuttin' on the systematicalifornication and a license application is a fishybomination and a random allocation got a copywritten melanoma sasafrazzin' wireless device".

Re:Oh boy!

[strikethree]

PF == Packet Filter, akin to iptables in Linux.

TLB == Translation Lookaside Buffer, this is a special table of values that a cpu creates to manage memory in such a way as to cause all processes to think they are the only process that exist..

So, PF being twice as fast means that OpenBSD can do intelligent things with network packets twice as fast as before.

TLB stuff being faster means that each time a process is switched out, it takes less time to do so. Do recall that fork() creates a new process, so the TLB needs to be flushed and rebuilt.

I hope this clears up any lack of understanding that you may have had... this was going to be a, "holy cow, you don't know this stuff, you don't belong here post", but I changed my mind after I hit reply.

strike

Because...

[emil]

...the OpenBSD philosophy is security through openness. When you receive a security patch as source code, you can see exactly what is being done. If the patch were to include a binary image, verification would be slightly more difficult.

There have been binary patch projects (I used to use one at openbsd.org.mx), but since I have resigned myself to installing a compiler and the whole of the OS source code into /usr/src, I find the binary patches to be superfluous.

OpenBSD does cling to some of the other BSD behaviors in lieu of POSIX. Default use of the long-deprecated C-Shell and old-style "ps" behavior ("ps aux" rather than "ps -ef") come to mind.

Having everything in /usr/src is really the UNIX way from the days of old. It's a shame that we moved away from this practice.

Re:Because...

[Just+Some+Guy]

Therefore, if you have to trust someone to provide you with binaries for the initial software load, are they suddenly not trustworthy enough to provide you with binaries for security updates?

My point exactly. Thank you for saying it so clearly.

sp1?

[farkus888]

I am thinking some of the optimizations to pf and the network stack are pretty cool but I think I will be waiting for sp1 when they have worked out all the bugs and security holes before I upgrade my machine.

Re:sp1?

[bigmouth_strikes]

Somewhere in Calgary, Theo de Raadts head just exploded...

But what is the cute code name?

[frank_adrian314159]

All the popular distros have them! How about "Demonic Deadyet"?

I'm just strollin'

[FoolsGold]

The only reason I clicked on this article is 'cos I really dig the red stylesheet for BSD news here. Reminds me of strawberries.

I assume BSD has other, more useful features though.

Common device driver layer Re:Good Desktop OS

[cdn-programmer]

I posted this on another thread... I was thinking of a less ambition approach... just common driver bug handling layer.

I wonder if it is possible for all OSS software driver writers to coordinate their efforts and develop a common driver model for all OSS operating systems.

Personally I have written hardware drivers... many years ago I wrote in assembler video drivers for ega/vga cards. After months of digging and gobs of work my conclusion is this is a thankless job... but it is a critically important job and one that those who are involved with should take a great deal of pride in their contributions.

So I ask... is it feasible to create a common device driver layer so that problems solved for one OS can be solved for all?

Re:Common device driver layer Re:Good Desktop OS

[Antique+Geekmeister]

I'm afraid not for practical as well as political reasons:

1) Theo de Raadt, historically, does not play nice with others in the free software community. That shoots down OpenBSD right there.
2) The license issues are very serious: the BSD licenses allow developers to build on other's work and proprietize it, the GPL insists that it remain available to all customers. That's a big, big deal with the proprietary information and NDA's on new hardware.

Re:Common device driver layer Re:Good Desktop OS

[cdn-programmer]

I respect the licensing issues. I probably do not appreciate all of these issues. It would seem to me that a _portion_ of the device driver layer could be released under say a BSD style license. This would allow certain portions to be available to all including the GPL people. A BSD driver is available to GPL users. Its just that anyone can take the BSD portion and incorporate it into their own proprietary products. So what if they do? This would not preclude the GPL people from using it.

The only issue is that if proprietary modifications are made they will not necessarily be available to the GPL people. SO.. a few bits and pieces get lost. If a GPL developer wants to add something then whatever he adds cannot be subtracted from the what is available to the GPL community and this is what we want to accomplish anyways. By making it available to the BSD community, nothing is subtracted from the GPL community.

What I think happens is that GPL people gain the services of the BSD community because then BSD people can use it.

At issue is the bigger problem of hiding behind politics and re-inventing the wheel when it isn't necessary. All I'm talking about is a portion of the device driver layer anyways. Anyone wanting to contribute under GPL terms still can at the next higher level.

Furthermore... if you analyse it... any proprietary additions were never going to make it into the OSS community anyways. So at a driver level, I suppose a GPL developer can say you can't use it... but this doesn't stop anyone from reading it. After reading it they can follow in the footsteps anyways.

In this sense all the GPL does in my view is create a minor hurdle for a proprietary developer to overcome. Meanwhile OpenBSD is an excellent product and has a very dedicated group of developers and all I'm asking is if there is a way to pool some of the talents.

Re:Common device driver layer Re:Good Desktop OS

[Antique+Geekmeister]

Oh, my goodness. You need to go look at the Broadcom driver issue, where GPL code was apparently included directly in a BSD driver.

    http://threadgmane.org/gmane.linux.kernel.wireless.general/1558

Theo ranted at the actual copyright owner, who'd been extremely open and polite and had offered up-front to consider dual-licensing:

> No, your message offered that he can come begging, because that is the best that thieves may do.
>
> Come little dog, come beg for forgiveness.

You can't expect people to work well with that: this is why Theo lost his write access to the NetBSD CVS repositories, and it's a big reason people don't develop for OpenBSD. The direct result is a lack of, or loss of, drivers for OpenBSD.

Re:Common device driver layer Re:Good Desktop OS

[Noryungi]

2) The license issues are very serious: the BSD licenses allow developers to build on other's work and proprietize it, the GPL insists that it remain available to all customers. That's a big, big deal with the proprietary information and NDA's on new hardware.

Except, of course, that OpenBSD is against binary blobs and NDAs, while some (not all) Linux programmers don't mind. This has been very well documented in the past.

I am always amazed when people who know nothing about OpenBSD or licenses talk about them, and simply propagate the received idea: 'BSD Bad, GPL Good'. But, hey, this is Slashdot, right?

Besides, Linux programmers haven't been exactly shy about appropriating OpenBSD BSD-licensed code and re-licensing it under the GPL. Which is OK under the BSD license, except those morons have removed all mention of the OpenBSD project in the copyright notice, which is considered as very rude, indeed.

Re:Common device driver layer Re:Good Desktop OS

[Antique+Geekmeister]

The binary blobs are a problem: they're a nasty compromise. Even the cites you provide, however, do not say the Linux developers don't mind! Where do you get this?

And that doesn't refute the difference between the BSD and GPL licenses where BSD permits those software programs to be proprietized and closed. So it's OK if a BSD developer does it, but not OK if an upstream hardware vendor does it? That's.... unfortunately common among the BSD fans I've worked with.

Re:Common device driver layer Re:Good Desktop OS

[cdn-programmer]

your link is borken.

Very good point. I'm getting good discussion on my main post as well and I'm surprised it got mod'ed up.

So it appears the goose can fly but some of its legs are missing. Somehow we need to overcome the politics. I don't know what the solution is.

Would the issues be overcome with a different license orientated just to the driver layer? Writing drivers is thankless work. There are some who enjoy doing this of course and the work is vital. Its a pity their work can't be used because of politics. Surely a solution can be found or created.

BSD License

[Danathar]

And since this is all BSD licensed code you are free to take the code, put it in your proprietary "net security appliance" making any improvements of course without giving one single improvement back.

There are SO many 1U security "black boxes" that obviously rip off OpenBSD for 95% of their product it's just pathetic. I don't recall many of them touting that they used OpenBSD or ever hearing some of the "cool" features they SAY they have ever being contributed back to the main code repository for OpenBSD.

Re:BSD License

And the world is better for it.

Re:BSD License

[Slashcrap]

And since this is all BSD licensed code you are free to take the code, put it in your proprietary "net security appliance" making any improvements of course without giving one single improvement back.

There are SO many 1U security "black boxes" that obviously rip off OpenBSD for 95% of their product it's just pathetic. I don't recall many of them touting that they used OpenBSD or ever hearing some of the "cool" features they SAY they have ever being contributed back to the main code repository for OpenBSD. Yes, I used to work for a company that did exactly this. They had a range of VPN gateways which were basically OpenBSD with a user interface. And while I'm not saying that they never contributed anything back, it definitely wasn't a priority.

On the other hand, they also have a great deal of Linux based products. And whenever they need to fix any Linux bugs or add features, they always contribute them back. Doing otherwise would be a breach of the license and expose them to legal liabilities.

The point is that as a rule, large corporations aren't going to do anything that they aren't legally obliged to do. You would probably call RMS a political zealot and an unrealistic idealist. But at the end of the day he's not the one that expects commercial enterprises to change their nature and act altruistically just because it would be nice. If they give those "cool" features back, they're also giving them to their competitors. Which is probably not a career extending move for the person responsible.

If these realities offend you so much, I would suggest that you avoid releasing any software under the BSD license.

Re:BSD License

[RanCossack]

I thought Theo de Raadt said that BSD-licensed code couldn't be relicensed, as doing so breaks copyright law. Even if that's not what the license says (I always thought BSD was the non-viral one?), given that OpenBSD's founder claims it is, I'd be careful before trying any of that were I in your shoes.

Re:BSD License

[chriscappuccio]

A firewall company who uses openbsd doesn't have to relicense it to use it in their own product. They only need to offer attribution to the original authors of the code. All these companies do is offer a more user-friendly interface, and while it is certainly poor taste not to contribute back to the project, they aren't really doing anything fascinating or worthy of integration back into openbsd. The few that do work worth of integration back into the system often do contribute at least money to the project but rarely code. The code submissions are generally not easy to integrate because they are tailored towards the companies needs and not the openbsd design or style goals. Yes more companies that use openbsd should contribute more money back to the project. Other than money to keep the project going and help it move faster, most have nothing else of interest. It would be easy to put them out of business just by offering more user-friendly packages of openbsd with more easy to use front ends and more VPN clients and such. The ones who really add value and actually do something wouldn't have much to worry about but the rest could easily get replaced if a free project was well known and well marketed enough to reach the consultants and the IT workers who are buying these other products.

If all these companies serve to do is to put OpenBSD into the hands of people to use it more easily, and the people know it's OpenBSD underneath, that's just slightly better than nothing.

Re:BSD License

[Teckla]

There are SO many 1U security "black boxes" that obviously rip off OpenBSD for 95% of their product it's just pathetic.

They are not ripping off OpenBSD. They are using BSD licensed code within the letter and spirit of the license. Sheesh.

Re:BSD License

[Danathar]

So is taking the BSD licensing code and adding GPL restrictions (or adding freedoms..depending on your perspective) to them, but Theo seems to think that's more evil than than a company taking the code proprietary.

Re:BSD License

[Tweekster]

You mean they use it exactly as the license allows?

it isnt ripping off if you are not only allowed, but encourage to do just that.

Re:BSD License

[Tweekster]

So basically the BSD license is more free, as long as someone doesnt use all the benefits of the license (using it in a close sourced product, one of the benefits touted of the BSD license mind you)

Re:BSD License

[Tweekster]

Sounds like he is pretty evil himself, using a license he doesn't even believe in.

Re:BSD License

[Danathar]

Yes, they are using it as the license allows. I'm just dumping on the fact that the same people who take a crap on the GPL get all tied up and angry when somebody takes their BSD code and puts GPL restrictions on it (Which the BSD license allows) but don't say a freaking single word when somebody takes their code and adds proprietary restrictions and closes the source.

Re:Different can be better.

[QuoteMstr]

cite on the security hole in man? A little bit of googling couldn't turn it up. man has no special privileges and it doesn't listen on the network. How can it have a security problem?

As for GNU stuff bloatware -- You remind of "ed is the standard editor". Sheesh. bash uses a heck of a lot less memory than xterm, coming in at around 400k unshared.

OpenBSD rustiness

[Average]

The only problem I have ever had with OpenBSD was rustiness. I tend to have Linux on things that are close at hand and and I'm playing with regularly. I've used OpenBSD on boxes that are install-and-forget. I had a primary box for me at a colo running OpenBSD 2.9 until just this summer (a few days short of 6 years). I had to panic on the day of the OpenSSH vulnerability... and that was it. Just kept working. So, when I decided to replace it, I had to brush of on some of OpenBSDs uniquenesses from Linux.

Not that they're bad uniquenesses. Good ones mostly. And, I think the old saw still holds true. Linux is for people who don't like Windows. BSD is for people who actually love UNIX. I use both.

They deserve a bigger check than they gotten from me so far.

Re:An Added bonus

[Sneakernets]

Where's the BEEF
Where's the BEEF
Where's the BEEF
IN YOUR HEAD

This is nice and all, but -does it run

[RLiegh]

...kqemu?

Re:provide a decent bug report, you moron

[cdn-programmer]

The purpose of the bug report is to see if its a problem with flakey hardware.

In order to track something like this down I'd have to set the machine up with a serial I/F to another machine and set it up on the net so that it can be properly debugged. I offered to do this. Theo declined. He simply said "no thanks".

I searched the OpenBSD archive of bug reports and found nothing related to the problem. Clearly there are problems however. Those cards work properly in other operating systems. The short of it is that if OpenBSD lacks driver support then I can't use it.

Re:Yes, I am going to hell

[grub]

Hahaha, purely fucking tasteless joke but I laughed out loud. :)