Slashdot Mirror


OpenBSD 4.8 Released

Mortimer.CA writes "The release of OpenBSD 4.8 has been announced. Highlights include ACPI suspend/resume, better hardware support, OpenBGPD/OpenOSPFD/routing daemon improvements, inclusion of OpenSSH 5.5, etc. Nothing revolutionary, just the usual steady improving of the system. A detailed ChangeLog is available, as usual. Work, of course, has already started on the next release, which should be ready in May, according to the steady six-month release cycle."

176 comments

  1. Awesome. by cinderellamanson · · Score: 1

    Kickass.

    --
    Hey buddy, can i bum a karma? ~}CinderellaManson{~
  2. BSD Troll-in-One by Anonymous Coward · · Score: 0

    Can someone please repost the BSD troll-in-one? Or is it dead?

    1. Re:BSD Troll-in-One by Anonymous Coward · · Score: 5, Funny

      To spare this section of all the trolls (yeah right!), I have incorporated every *BSD troll into this one message. Thank you.

      The *BSD Wailing Song

      What's left for me to see
      In my ship I sailed so far
      What can the answer be
      Don't know what the questions are.
      And after all I've done
      Still I cannot feel the sun
      Tell me save me
      In the end our lost souls must repent.
      I must know it is for certain
      Can it be the final curtain
      As long as the wind will blow
      I'll be searching high and low.
      Who knows what's really true
      They say the end is so near
      Why are we all so cruel
      We just fill ourselves with fear.
      And heaven and hell will turn
      All that we love shall burn
      Hear me trust me
      In the end our lost souls must repent.
      I must know it is for certain
      Can it be the final curtain
      As long as the wind will blow
      I'll be searching high and low
      Final curtain
      Final curtain

      • flask of ripe urine
        pressed to bsd lips
        bsd drink up

      I don't want to start a holy war here, but what is the deal with you BSD fanatics? I've been sitting here at my freelance gig in front of a BSD box (a PIII 800 w/512 Megs of RAM) for about 20 minutes now while it attempts to copy a 17 Meg file from one folder on the hard drive to another folder. 20 minutes. At home, on my Pentium Pro 200 running NT 4, which by all standards should be a lot slower than this BSD box, the same operation would take about 2 minutes. If that.

      In addition, during this file transfer, Netscape will not work. And everything else has ground to a halt. Even Emacs Lite is straining to keep up as I type this.

      I won't bore you with the laundry list of other problems that I've encountered while working on various BSD machines, but suffice it to say there have been many, not the least of which is I've never seen a BSD box that has run faster than its Windows counterpart, despite the BSD machine's faster chip architecture. My 486/66 with 8 megs of ram runs faster than this 800 mhz machine at times. From a productivity standpoint, I don't get how people can claim that BSD is a "superior" machine.

      BSD addicts, flame me if you'd like, but I'd rather hear some intelligent reasons why anyone would choose to use a BSD over other faster, cheaper, more stable systems.

      It is common knowledge that *BSD is dying. Almost everyone knows that ever hapless *BSD is mired in an irrecoverable and mortifying tangle of fatal trouble. It is perhaps anybody's guess as to which *BSD is the worst off of an admittedly suffering *BSD community. The numbers continue to decline for *BSD but FreeBSD may be hurting the most. Look at the numbers. The erosion of user base for FreeBSD continues in a head spinning downward spiral.

      OpenBSD leader Theo states that there are 7000 users of OpenBSD. How many users of BSD are there? Let's see. The number of OpenBSD versus NetBSD posts on Usenet is roughly in ratio of 5 to 1. Therefore there are about 7000/5 = 1400 NetBSD users. BSD/OS posts on Usenet are about half of the volume of NetBSD posts. Therefore there are about 700 users of BSD/OS. A recent article put FreeBSD at about 80 percent of the *BSD market. Therefore there are (7000+1400+700)*4 = 36400 FreeBSD users. This is consistent with the number of FreeBSD Usenet posts.

      Due to the troubles of Walnut Creek, abysmal sales and so on, FreeBSD went out of business and was taken over by BSDI who sell another troubled OS. Now BSDI is also dead, its corpse turned over to yet another charnel house.

      All major marketing surveys show that *BSD has steadily declined in market share. *BSD is very sick and its long term survival prospects are very dim. If *BSD is to survive at all it will be among hobbyist dilettante dabblers. In truth, for all practical purposes *BSD is already dead. It is a dead man walking.

      Fact: *BSD is dying

      It doesn't matter, no matter how many times you try to resuscitate *BSD, it's just does

    2. Re:BSD Troll-in-One by Anonymous Coward · · Score: 0

      1 word. Troll.

    3. Re:BSD Troll-in-One by Anonymous Coward · · Score: 0

      As a FreeBSD fanboi I just wanted to say...

      3) Storing your *BSD distro install CD in formaldehyde will preserve the necrotic tissues from further rot.

      ...that made me laugh.

    4. Re:BSD Troll-in-One by DrXym · · Score: 1

      A classic rant that is largely nonsense but does have a smidgen of truth. BSD's largest failing is that Linux was better at pushing people's buttons than BSD was. Linux has always felt dynamic, pragmatic and aggressive in pursuing new functionality whereas BSD is more laid back and feels like it is trying to preserve some archetypal Unix at the expense of progress. Over time that has meant that Linux has stolen an insurmountable lead. I think it's very hard for something as large as BSD (in its most common open source forms) to "die". Instead its user base diminishes to a gnarly stump and then it carries on in this state indefinitely, barely ticking over, supporting a minimal user base but still alive. Look at GNU Hurd as an example of a project which isn't dead either but is certainly moribund. I think if supporters of BSD or Hurd wish to bring their OS to a wider audience they need to look at what made Linux a success and try to emulate it. Or continue bumping along the bottom indefinitely. One saving grace for BSD is its licence and what it means for commercial vendors. The Apples & Googles of this world see BSD as a means to develop open source code without being "infected" by the GPL. For example Android is virtually all BSD based in user land and it's not hard to envisage that even the kernel could be swapped if it came to it.

    5. Re:BSD Troll-in-One by Anonymous Coward · · Score: 0

      Yeah, but does it do Word?

    6. Re:BSD Troll-in-One by jabjoe · · Score: 1

      I think the BSD licence is why the BSD OS is where it is.

    7. Re:BSD Troll-in-One by The+Wild+Norseman · · Score: 1

      Even Emacs Lite is straining to keep up as I type this.

      The Internet was straining to keep up as you posted that.

      (but it was a funny read!)

      --
      "A government is a body of people usually -- notably -- ungoverned." -Shepherd Book
    8. Re:BSD Troll-in-One by Anonymous Coward · · Score: 0

      Please, tell us how you really feel about *BSD

  3. fdisk by tenco · · Score: 1

    Does their installation fdisk still suck?

    1. Re:fdisk by cinderellamanson · · Score: 1, Flamebait

      lol, how's that?

      --
      Hey buddy, can i bum a karma? ~}CinderellaManson{~
    2. Re:fdisk by ashkar · · Score: 4, Insightful

      Their targeted users have no problem with the installation. If you aren't comfortable with the installation tools, you probably wouldn't be comfortable with OpenBSD. A pretty installation method is looking for a solution to a problem that doesn't exist.

    3. Re:fdisk by Narcocide · · Score: 1

      Oh, the problem exists, I can assure you of that. The problem however lies between the keyboard and the chair.

    4. Re:fdisk by contra_mundi · · Score: 4, Funny

      Oh, the problem exists, I can assure you of that. The problem however lies between the keyboard and the chair.

      That's not a very ergonomic position to use a computer in.

    5. Re:fdisk by cinderellamanson · · Score: 1, Funny

      lol, how's that?

      lol, how's that?

      your a fuckhead

      lol, how's that?

      lol, how's that?

      your a fuckhead

      I thought it was funny, unny, ny.

      --
      Hey buddy, can i bum a karma? ~}CinderellaManson{~
    6. Re:fdisk by Anonymous Coward · · Score: 5, Insightful

      I've only installed OpenBSD twice, both successfully, but their fdisk version was very nice.

      Different from Microsoft and Linux fdisk programs? Yes! Because you're not running/installing either Windows or Linux. Neither of these are identical systems.

      The OpenBSD fdisk is quite possibly better, and without a doubt far better documented, and not just in the excellent up to date man pages but also in official faq's and installation procedures available on the OpenBSD webpages. Stuff one should read.

      Who would read/rely on Microsoft information when installing Linux?
      Who would read/rely on Solaris information when installing Windows?
      Who would read/rely on Linux information when installing OpenBSD?

      If you're having trouble with OpenBSD fdisk or more likely OpenBSD installation peculiarities and requirements that other operating systems either don't have or gloss over then I would recommend reading the OpenBSD documentation, it's all there, yes the issues that can trap someone entirely new too, usually even emphasized.

      A Windows poweruser or superuser can be and often is a total newbie on Linux.
      A Linux poweruser or superuser can be and often is a total newbie on OpenBSD.

      Don't assume different things to be the same.

    7. Re:fdisk by tenco · · Score: 1, Insightful

      I just think it's ridiculous that I have to compute partition/disklabel sizes in sectors myself while sitting at a computer. I own a computer because it can compute for me not because I want to compute for it.

    8. Re:fdisk by Anonymous Coward · · Score: 0

      Are you trying to say my zipper is down? Cause I checked like 10 minutes ago and It's all good.

    9. Re:fdisk by cinderellamanson · · Score: 1

      I'm not exactly sure if I'm offended by this or not.

      --
      Hey buddy, can i bum a karma? ~}CinderellaManson{~
    10. Re:fdisk by Ex+Machina · · Score: 4, Informative

      IIRC you can suffix a quantity with M or G to specify size in megabytes or gigabytes.

    11. Re:fdisk by Nimey · · Score: 1

      THIS. A thousand times this. Linux cfdisk from 1999 was friendlier than that, without holding your hand overmuch.

      --
      Hail Eris, full of mischief...

      E pluribus sanguinem
    12. Re:fdisk by cinderellamanson · · Score: 1

      In 4.6 you can autopartition the disk. I'm not sure about before that.

      Try htttp://www.openbsd101.com/

      --
      Hey buddy, can i bum a karma? ~}CinderellaManson{~
    13. Re:fdisk by contra_mundi · · Score: 1

      In 4.6 you can autopartition the disk. I'm not sure about before that.

      Try htttp://www.openbsd101.com/

      Is that the bleeding-edge Hyper Turbo Text Transfer Protocol?

    14. Re:fdisk by the_brobdingnagian · · Score: 2, Informative

      The OpenBSD installer can auto-partition your disk for you. No calculations needed if you don't want to.

    15. Re:fdisk by 101percent · · Score: 1, Informative

      You don't. I've had my 4.8 CD set for a week now. It auto-partitioned everything fully utilizing my entire disk space, / /home /tmp /var /usr and various /usr/*

    16. Re:fdisk by Anonymous Coward · · Score: 0

      Couldn't decide if I wanted to rate Funny or Insightful =/

    17. Re:fdisk by cinderellamanson · · Score: 2, Funny

      indeed. that's just how badass openbsd is. you guys don't even get to see the htttps protocol in action for another 5 years.

      --
      Hey buddy, can i bum a karma? ~}CinderellaManson{~
    18. Re:fdisk by Anonymous Coward · · Score: 1, Funny

      because it only works with IPV16

    19. Re:fdisk by Anonymous Coward · · Score: 0

      How the frak is this insightful? -5 arrogant. Having to type in exact byte offsets for every partition to fix a STUPID default partition suggestion IS a problem.

    20. Re:fdisk by Anonymous Coward · · Score: 0

      Once again, no one who uses the OS finds the installation a problem. It's not for you, that's cool.

    21. Re:fdisk by bm_luethke · · Score: 0

      Nor does an OpenBSD user excel on either Linux or Windows - they are three different worlds. You do not state, but imply, that someone that knows BSD knows those other systems. You either do so through intention (dishonesty) or through lack of thinking your argument out (ignorance), either one isn't particularly good.

      The problem that the *BSD versions have for large acceptance is why? The big draw of it - security from the ground up - isn't really useful in most places. You need that at your firewall and router (usually one in the same for small to medium companies or a home network) and those are better handled by a hardware/software stack that is specifically designed for that. I've always been somewhat surprised at how few use this over other solutions, but as long as they work and are cheaper than rolling my own - I guess I do not care. My guess is that the savings from using a truly secure OS would not be passed on but would end up with corp X getting a larger profit and that is their business, not mine.

      For larger companies - again why? Cisco solutions are a better combination of performance and costs. The OpenBSD box is never going to perform as well as the Cisco 28xx series and is no more secure so why go that way? You aren't going to be able to pull from a cheaper OpenBSD admin group and save costs there - chances are they will cost more than a Cisco Certified engineer.

      The draw is going to be towards equipment manufacturers - I've never understood why some use Linux over one of the *BSD groups - or for those few that really need the flexibility that a custom configured gateway device in a secure environment is important. Performance blows for general purpose hardware compared to specialized ones today. Ten years ago they rocked, routers and firewalls on general purpose hardware was the higher end of the market - today purchase a solution from Cisco if you really need it.

      The other end is if some OEM picks it up and runs with it as a base system - that is following the Apple Mac-OS model. I would *love* to see a truly secure kernel and basic system available on the desktop for most personal use. Indeed Apple could have been that in a general sense, but they have their own issues regarding walled gardens and control of the "user experience". Nothing wrong with those, but also not my choice as I do not like their idea of a "user experience". The market is still ripe for a truly secure and open platform that is fairly simple to use. No reason we can't have all of those, just as we currently stand pick any two.

      --
      ------- Sorry about the spelling, I suffer from two problems. Dyslexia makes it difficult to spell well, lazy makes it
    22. Re:fdisk by rastilin · · Score: 1

      Is that because people who find it a problem end up using something else?

      --
      How do you kill that which has no life?
    23. Re:fdisk by Anonymous Coward · · Score: 0

      Yes.

    24. Re:fdisk by kiddygrinder · · Score: 2, Interesting

      i'd disagree that there's no reason why we can't have a system that's truly open, secure and easy to use because people can't even agree what those words mean.

      --
      This is a joke. I am joking. Joke joke joke.
    25. Re:fdisk by Anonymous Coward · · Score: 0

      Go grab PC-BSD then. It's very simple to setup and probably just as secure if you spend the time to lock it down.

    26. Re:fdisk by Anonymous Coward · · Score: 0

      Uhh, I run a BSD box AS a firewall, router and server.

    27. Re:fdisk by ph0enix · · Score: 1

      It's very simple: when it asks you "Use (W)hole disk or (E)dit the MBR? [whole]", just hit to get the default, and you'll never have to use the fdisk tool at all.

      Disklabel layout of the various filesystems is now auto-configured by default to a generic layout suitable for the size of disk you're installing on.

      --
      <sigh>
    28. Re:fdisk by Noryungi · · Score: 2, Informative

      Nice Troll. I'll bite.

      Nor does an OpenBSD user excel on either Linux or Windows - they are three different worlds. You do not state, but imply, that someone that knows BSD knows those other systems. You either do so through intention (dishonesty) or through lack of thinking your argument out (ignorance), either one isn't particularly good.

      I have three Linux machines (Slackware/Ubuntu) and one OpenBSD machine at home, all of them work very well. I also have two additional Windows machines at home, and I use one at work (sigh). I know all three systems pretty well. What's your point?

      And, just to add an important precision: I administer Linux (Red Hat/SuSE), Solaris, AIX and HPUX machines at work. I know all of these systems pretty well.

      The problem that the *BSD versions have for large acceptance is why? The big draw of it - security from the ground up - isn't really useful in most places.

      Go ahead and tell that to the security engineers that audit the servers on a regular basis at work. Go ahead, I dare you. This is the best way to be out of a job pretty fscking quickly. OpenBSD is not perfect, but, when it comes to security, any serious person is going to consider it.

      You need that at your firewall and router (usually one in the same for small to medium companies or a home network) and those are better handled by a hardware/software stack that is specifically designed for that.

      In other words: trust us, we are from ______________ [insert big company name here]. No, thank you. I have been burned by vendors too many times.

      Cisco solutions are a better combination of performance and costs. The OpenBSD box is never going to perform as well as the Cisco 28xx series and is no more secure so why go that way?

      Mwa ha ha ha ha ha! Thanks, I needed the laugh.

      Performance blows for general purpose hardware compared to specialized ones today.

      You obviously have no idea what you are talking about. None.

      Ten years ago they rocked, routers and firewalls on general purpose hardware was the higher end of the market - today purchase a solution from Cisco if you really need it.

      [More drivel follows]

      A few points:
      A) If you are trying to worship at the altar of Cisco, please find some other place for it. Cisco's hardware is uninteresting and overly expensive for what it does.
      B) Even Cisco uses OpenSSH - which comes from OpenBSD. I really wonder why?
      C) Why buy an overpriced Cisco XXXX, when a simple PC with 4 network cards and OpenBSD can do the job for half the price and three times the performance?

      Crawl back under your bridge, little troll, and try to learn a bit about the real world before tooting your Cisco horn.

      --
      The right to offend is far more important than the right not to be offended. (Rowan Atkinson)
    29. Re:fdisk by Anonymous Coward · · Score: 0

      Yes. For very related reasons it's one of the most secure O/Ses.

      By the time your grandma has figured out how to install it, she's not going to be clicking OK on just anything.

      For one, she still might not have managed to get a GUI up yet ;).

      p.s. MSDOS has zero remote roots in the default install, most of the world has moved away from using it.

    30. Re:fdisk by kestasjk · · Score: 2, Interesting

      I think having to mess around with cylinders and whatnot is a bit silly these days, when we have "disks" which don't have anything resembling cylinders internally starting to become mainstream. It's a bit dated to say the least

      You can say "the targeted users have no problem with it", and that's fine, but that pool of targeted users is bound to shrink over time (again that's fine, but many would see that as a bad thing, worth some compromises to avoid)

      --
      // MD_Update(&m,buf,j);
    31. Re:fdisk by jimicus · · Score: 1

      Disks always did have cylinders, it's just that they don't mean cylinder in the sense of "a whole bunch of toilet roll tubes taped together".

      Having said that, it hasn't been necessary to describe disks in C/H/S parlance in years.

    32. Re:fdisk by Anonymous Coward · · Score: 0

      between the keyboard and chair?

      Chairs, you say. 'Developers, developers, developers' comes to mind. So in your view, the problem lies with the developers?

    33. Re:fdisk by badger.foo · · Score: 1

      There's a series of pictures at http://bsdly.blogspot.com/2010/01/goodness-of-men-and-machinery.html that tell you what the installer looked like in January. IIRC no huge changes have happened to it since then. But do try 4.8 or a recent snapshot (they come with installNN.iso files these days)

      --
      -- That grumpy BSD guy - http://bsdly.blogspot.com/
    34. Re:fdisk by badran · · Score: 1

      Agreed. It looks like GP was comparing a current Cisco XXXX with a PII (Pentium 2) with 64MB of RAM in a closet.

    35. Re:fdisk by Alioth · · Score: 2, Informative

      I've been using OpenBSD since 3.3, and I don't think I've ever specified anything in cylinders when setting up. The BSD disk label tool accepts arguments in size, example 20M, 20G, 20T etc.

    36. Re:fdisk by icebraining · · Score: 1

      Throwing the whole DMZ concept away. Firewalls should be protected from both the Internet as well as the servers, so they can protect your LAN even if the servers get hacked.

    37. Re:fdisk by Anonymous Coward · · Score: 0

      Why should I read the entire documentation and faq and manpages just for partitioning my disk?

      Following this argument I have to read the whole documentation for every tool/program/script I want to use.
      I can spend my time for other, more important activities just by using a software with a more describing interface.
      That's why we develop software: not everyone wants to know - and has to know - all the gory details.

    38. Re:fdisk by TheRaven64 · · Score: 1

      Users don't matter to an open source project. It's not like an off-the-shelf product where users means paying users, which means people who are contributing money. An open source project needs contributors. They don't have to be contributing code, they can be contributing money, hardware, documentation, or even (detailed) bug reports. These people are useful - they provide something of value to a project.

      People who are just users are irrelevant. They get something for free, and that's a nice side effect of the open source model, but unless you are contributing something then don't expect the project to care about you.

      I don't speak for the OpenBSD team, but I really don't care about feature requests when they come from non-contributors. There are ten times as many potential features as I have time to implement. If, on the other hand, someone is providing something of value to me, then their issues get priority.

      --
      I am TheRaven on Soylent News
    39. Re:fdisk by TheRaven64 · · Score: 2, Informative

      I haven't installed OpenBSD since around 3.8 (I've just done in-place updates since then), but you didn't have to specify C/H/S values for partition sizes. Values like 512M and 4.5G worked just fine.

      --
      I am TheRaven on Soylent News
    40. Re:fdisk by Anonymous Coward · · Score: 1, Insightful

      Are those decimal (1,000,000) or binary (1,048,576) megabytes?

    41. Re:fdisk by RichiH · · Score: 2, Interesting

      I had no problems installing Debian potato. Still, I prefer today's installer. Your point being?

    42. Re:fdisk by Anonymous Coward · · Score: 0

      Strange, there are no "cylinders" in SSDs or RAID. BSD people still living in the dark ages on toy machines then?

    43. Re:fdisk by Anonymous Coward · · Score: 1, Interesting

      Funny, but the targeted group of users I hang around with like to learn new things if they're confronted with something new. Perhaps the targeted group of users you hang around with does not.

    44. Re:fdisk by Anonymous Coward · · Score: 0

      The installer creates a partition layout automatically. You don't have to manually do it unless you want to, and even then you don't need fdisk.

    45. Re:fdisk by MikeBabcock · · Score: 1

      I am a targeted OpenBSD user. I create Linux-based firewall router boxes regularly for clients. I would love to use OpenBSD instead but the installation process is too complex to wrap up easily for a customer. I can have a customer pop in a Linux CD remotely and VNC-install it from my desk for them over a VPN link.

      Good installers are not a bad thing.

      --
      - Michael T. Babcock (Yes, I blog)
    46. Re:fdisk by Sean · · Score: 1

      Yes, fdisk still sucks if you're trying to multiboot, but in today's age of virtualization who does that anymore? OpenBSD's fdisk has a Use [W]hole Disk option during the install and a -I option from the shell to make partitioning just as easy as Linux or Windows.

      OpenBSD has the most intuitive installer of any OS.

    47. Re:fdisk by Just+Some+Guy · · Score: 1

      Are those decimal (1,000,000) or binary (1,048,576) megabytes?

      The real kind that computers use.

      --
      Dewey, what part of this looks like authorities should be involved?
    48. Re:fdisk by Ying+Hu · · Score: 1

      Thank you. That was a good answer.

    49. Re:fdisk by Anonymous Coward · · Score: 0

      lol, how's that?

      lol, how's that?

      your a fuckhead

      my a fuckhead?

    50. Re:fdisk by kestasjk · · Score: 1

      You're saying the OpenBSD team shouldn't alter fdisk because dealing in hard disk cylinders is "learning something new"?

      --
      // MD_Update(&m,buf,j);
    51. Re:fdisk by Anonymous Coward · · Score: 0

      Following this argument I have to read the whole documentation for every tool/program/script I want to use.

      In many ways the quote sums up the OpenBSD way quite nicely. If one sees strength, enjoyment, and fulfillment in doing so then OpenBSD is almost certainly a good match. If one doesn't then there's no shame in using any other operating system that one finds more to one's liking.

      In fact one shouldn't limit oneself to documentation, many OpenBSD users read the code too, some even test it (still talking about users and not developers! Admittedly the difference between the two is often smaller in OpenBSD than elsewhere).

      Remember that OpenBSD is written primarily for the benefit of the writers themselves: they create the system they want to exist for their own sake. If you like to use it then do so, if you don't there's not much of a point. OpenBSD is not supposed to be the ultimate answer to everything for everybody (although I would say it can be, but not without effort) or not necessarily even everything for anybody at all (which is why contrary to some other replies in this thread most OpenBSD users are proficient at many operating systems in general be it the mundane like Windows or the somewhat esoteric like BeOS because they tend to use all sorts of systems).

  4. OSNews? Thom Holwerda? Seriously? by Anonymous Coward · · Score: 4, Insightful

    You're taking some random blog article linked to by Thom Holwerda at OSNews seriously? Those are your three strikes, and you're out, my friend.

    Look, the OpenBSD team knows exactly what they're doing. They're some of the brightest minds in the field. They have many years of experience with real-world security. They've been around long enough to know that there are some things that sound totally fantastic in theory, but in practice they're a complete failure.

    Many advanced security approaches fall directly into this theoretically-great-but-actually-quite-shitty category. They end up being difficult to implement, and end up being full of security flaws and other holes. They end up causing the very things they're supposed to avoid! Thankfully, the OpenBSD developers know this, and smartly stick with a model that's been proven successful over the course of 40 years.

    1. Re:OSNews? Thom Holwerda? Seriously? by cinderellamanson · · Score: 1

      I think i just died laughing. hoot!

      --
      Hey buddy, can i bum a karma? ~}CinderellaManson{~
    2. Re:OSNews? Thom Holwerda? Seriously? by Sancho · · Score: 2, Interesting

      Insightful? Really?

      The point of the article is that while the base system may indeed be very secure, it is practically useless. When needing to perform real world functions, the ironclad security of the base install is not all that useful. It's true that providing a good base on which to build your platform is important, however it's not nearly as important as one might think.

      For example, if you need to build a web server, you might pick OpenBSD because of its "secure-by-default" mantra. But what does that really buy you? You still need to run web server software, which is going to be the vector for any attack. Is lighttpd any more secure on OpenBSD than on Linux? No. All you get with OpenBSD is that it's far less likely that there will be a local security exploit to chain with the lighttpd remote exploit. But with SELinux, you can get an even higher level of security. With SELinux, you need not only a local privilege escalation, but a hole in SELinux as well.

      I would argue that OpenBSD may be secure by design, but SELinux is, in practice, more secure.

      I would be absolutely ecstatic if OpenBSD implemented something more like SELinux in terms of privilege separation.

    3. Re:OSNews? Thom Holwerda? Seriously? by cinderellamanson · · Score: 1, Funny

      Nah, if hacked root on slashdot.org, SELinux isn't going to give two bits of a flea's shit if I banned your account.

      --
      Hey buddy, can i bum a karma? ~}CinderellaManson{~
    4. Re:OSNews? Thom Holwerda? Seriously? by machine321 · · Score: 5, Insightful

      The point of the article is that while the base system may indeed be very secure, it is practically useless.

      1998 called, they want their rationalization back. Besides, just about everyone turns off SELinux when they want to actually get work done.

      Is lighttpd any more secure on OpenBSD than on Linux? No.

      Good thing they have an audited, privsep, chrooted version of Apache, then.

      With SELinux, you need not only a local privilege escalation, but a hole in SELinux as well.

      Bullshit.

      I would argue that OpenBSD may be secure by design, but SELinux is, in practice, more secure.

      Adding complexity rarely increases reliability.

      I would be absolutely ecstatic if OpenBSD implemented something more like SELinux in terms of privilege separation.

      The Stephanie project worked towards doing just that, but it appears the project died several years ago.

    5. Re:OSNews? Thom Holwerda? Seriously? by yup2000 · · Score: 2, Insightful

      I agree and that's why I use it for internet facing machines I don't want to have to worry about!
      Just look at the 4.7 release. There were 7 patches for the kernel & userland, 2 of which were categorized as security. The best someone attacking the system could do is cause a daemon to crash or possibly cause a panic. During the same 6 month time frame Linux had quite a few more security issues crop up, including one that could be used to get root on a box. ouch.

    6. Re:OSNews? Thom Holwerda? Seriously? by Sancho · · Score: 0, Offtopic

      You lost me at the highlighted "bullshit." If you want to have an intelligent conversation, try not being rude.

    7. Re:OSNews? Thom Holwerda? Seriously? by Anonymous Coward · · Score: 0

      I would be absolutely ecstatic if OpenBSD implemented something more like SELinux in terms of privilege separation.

      Do you mean something so poorly documented and implemented when it was first released that most admins would rather just disable it (even today) than deal with it? That's the current state of SELinux. No thanks. I remember fighting with it endlessly when it was first foisted on us.

    8. Re:OSNews? Thom Holwerda? Seriously? by Anonymous Coward · · Score: 0

      Besides he highlighted a flaw in a policy that only shipped with RHEL, not a flaw in SELinux itself.

    9. Re:OSNews? Thom Holwerda? Seriously? by cbhacking · · Score: 2, Interesting

      You're forgetting the difficulty of a successful exploit in the first place. OpenBSD was the first OS to implement ASLR, for example (http://en.wikipedia.org/wiki/ASLR). Linux only has fairly weak ASLR built in. There are a few other differences. Yes, the value of things like SELinux or AppArmor is considerable, and it would be great if OpenBSD implemented such a sandboxing capability, but your argument that the security of the OS itself isn't also very important is incorrect.

      --
      There's no place I could be, since I've found Serenity...
    10. Re:OSNews? Thom Holwerda? Seriously? by DiegoBravo · · Score: 1, Insightful

      I'm not trying to be rude, but you lost me at your first mention of SELinux.

    11. Re:OSNews? Thom Holwerda? Seriously? by onefriedrice · · Score: 1

      But with SELinux, you can get an even higher level of security. With SELinux, you need not only a local privilege escalation, but a hole in SELinux as well.

      It's not like a hole in SELinux is uncommon, unfortunately. Linux and GNU make for a very good base operating system, but so does BSD. Right off the bat, BSD has the advantage of being a coherent system with amazing documentation. Linux seems to be compatible with more hardware, and many people are more comfortable with the GNU userland. BSD arguably has better licensing terms (depending on your perspective). So each has its advantages and disadvantages, but SELinux I would not even bother listing as a significant advantage for Linux, especially when compared against OpenBSD.

      --
      This author takes full ownership and responsibility for the unpopular opinions outlined above.
    12. Re:OSNews? Thom Holwerda? Seriously? by Anonymous Coward · · Score: 0

      Why flamebait while trying to sound reasonable? Better licensing terms your ass.

    13. Re:OSNews? Thom Holwerda? Seriously? by metrix007 · · Score: 1

      Can you find me an example of a hole in SELinux? Even one? I don't mean a flaw in policy affecting some distros, but an actual flaw in the subsystem?

      --
      If you ignore ACs because they are anonymous - you're an idiot.
    14. Re:OSNews? Thom Holwerda? Seriously? by nocomment · · Score: 1

      Can you find me an example of a hole in SELinux? Even one? I don't mean a flaw in policy affecting some distros, but an actual flaw in the subsystem?

      http://linux.slashdot.org/story/10/09/20/0217204/Linux-Kernel-Exploit-Busily-Rooting-64-Bit-Machines?from=rss

      --
      /* oops I accidentally made a comment, sorry */
      /* http://allyourbasearebelongto.us */
    15. Re:OSNews? Thom Holwerda? Seriously? by metrix007 · · Score: 1

      Yeah, that's not a flaw in SELinux. Nice try though.

      --
      If you ignore ACs because they are anonymous - you're an idiot.
    16. Re:OSNews? Thom Holwerda? Seriously? by hairyfeet · · Score: 2, Insightful

      I have to admit I was surprised reading this report and the attitude of the OpenBSD team to it, including trying to change the terms of what everyone considers a vulnerability. Since I'm not an OpenBSD guy and only know of them by their "secure by design" rep I gotta ask: Is this SOP with them? Is this their normal attitude? If so that is really not good and whether you hate OSNews or not I think their post deserves discussion. Because if it takes having a PoC attack in the wild before they'll do anything about a bug? I'm sorry but that is seriously not the attitude the team needs to have with so many devices in corporate settings running OpenBSD.

      --
      ACs don't waste your time replying, your posts are never seen by me.
    17. Re:OSNews? Thom Holwerda? Seriously? by onefriedrice · · Score: 1

      Can you find me an example of a hole in SELinux? Even one? I don't mean a flaw in policy affecting some distros, but an actual flaw in the subsystem?

      Yes, I accept your challenge. Here is some light reading for you.

      http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=selinux - Obviously not all listed here are flaws in SELinux itself, but there are some.
      http://www.zdnet.co.uk/news/security-threats/2009/07/20/linux-exploit-gets-around-security-barrier-39688318/

      So, while SELinux might be a good single layer of security (when it works), it certainly isn't impenetrable and should definitely not be viewed as the most important layer of any multi-layered security strategy. It is naive to assume that an OpenBSD system will necessarily be more or less secure without an SELinux equivalent.

      --
      This author takes full ownership and responsibility for the unpopular opinions outlined above.
    18. Re:OSNews? Thom Holwerda? Seriously? by Menkhaf · · Score: 3, Informative

      Sorry man, that's not a highlight. It's a link.
      I, uhm.. think you may have missed out a bit on the Internet. Here, I'll give you a link to start with: http://www.bing.com/ -- happy binge!

      Besides, the mentioned "bullshit" was half way into his post. If you just read the first few words, I think he's happy.

      --
      A proud member of the Onion-in-Hand alliance
    19. Re:OSNews? Thom Holwerda? Seriously? by metrix007 · · Score: 2, Insightful

      Thanks, I found the mitre one pretty useful.

      Most look like early DoS attacks, I would hope they have sorted that out now, and there doesn't seem to have been one since 2006. As for the rest, well SELinux runs in the kernel, so with the right kernel vulnerability yeah it can be bypassed. Considering most vulnerabilities are not kernel level but userspace....I'll gladly take that extra protection, of which no equivalent is offered on OpenBSD.

      --
      If you ignore ACs because they are anonymous - you're an idiot.
    20. Re:OSNews? Thom Holwerda? Seriously? by afabbro · · Score: 1

      Thankfully, the OpenBSD developers know this, and smartly stick with a model that's been proven successful over the course of 40 years.

      What model is this? Because 40 years = 1970.

      I'm sure you're not talking about Unix because Unix was never designed with security in mind and it's ridiculous to think that security was even a consideration in 1970. Arguably, security has been well retrofitted, but not until much, much later.

      --
      Advice: on VPS providers
    21. Re:OSNews? Thom Holwerda? Seriously? by Anne+Thwacks · · Score: 1
      Unix was designed with security in mind, maybe not to today's requirements, but in 1970, you knew damn well that machines were multi-user, and users' tasks had to be protected against each other. Real world experience at the time was not of people deliberately hacking others' stuff, but of a large percentage of programs being written in assembler, and having the ability to trash things at low level in the event of fairly trivial typing errors. Hardware separation of users' activities, and management thereof, were essential if any system was going to work at all.

      Not long after 1970, and certainly before 1980, Unix was being used in a college environment, where students were known to try anything. (You did not get sent to Gitmo for making bombs in those days). It was soon discovered that grades were prone to vary if computer security was not good. (Not to mention private details of lecturers).

      I first encountered Unix in 1978. Yes I do use OpenBSD for public facing internet machines handling financial transactions at this very moment (not with this IP address though). No, I do not plan to switch to SE Linux any time soon.

      This was written using Opera on Ubuntu.

      --
      Sent from my ASR33 using ASCII
    22. Re:OSNews? Thom Holwerda? Seriously? by TheLink · · Score: 1, Interesting

      I'm sure you're not talking about Unix because Unix was never designed with security in mind and it's ridiculous to think that security was even a consideration in 1970

      Yeah it's kind of funny how people keep talking about how secure unix systems are and how superior they are when they aren't.

      Unix was a watered down Multics.

      http://en.wikipedia.org/wiki/Multics

      Security was a major consideration in Multics in 1970 and even earlier. Unix on the other hand had different objectives.

      --
    23. Re:OSNews? Thom Holwerda? Seriously? by Anonymous Coward · · Score: 0

      You were the one spouting nonsense, someone calls you on that, and now you get all ad-hominemmy? Right...

    24. Re:OSNews? Thom Holwerda? Seriously? by jimicus · · Score: 2, Insightful

      If you take a wider view, what you're describing is typical of the worst of F/OSS development attitudes across all platforms - OpenBSD is by no means unique. Many projects have taken active steps to curb such responses (such as introducing codes of conduct on mailing lists), but many haven't.

      What generally happens is:

      • Someone mentions on a developers' mailing list a perceived weakness of the product. They may word it perfectly politely, they may ask if there's a reason for this perceived weakness they may have missed - but ATEOTD they're still drawing that weakness to the developers' attention.
      • That person gets enough flaming to toast a small buffalo - regardless of how politely the thread started. If questioned, those doing the flaming justify it by saying things like "We believe in communicating in the quickest, most direct way possible. That means we have to tell the poster he's an ignorant f*ckwit who obviously doesn't realise that what he's asking for is totally unrealistic/unnecessary/both". (The fact that every other product already has this "unrealistic" feature is ignored)
      • The original poster gets the hint, and uses an alternative product. Who wants to deal with people like that if it should prove necessary further down the line? The thread eventually dies naturally and everyone forgets about it. This process may repeat itself a few times.
      • Some time later - maybe months or even years a new patch is introduced. This patch adds support for the feature which was originally discussed and led to the flamewar, and the feature will be trumpeted loudly from the rooftops in the next set of release notes.
    25. Re:OSNews? Thom Holwerda? Seriously? by Anonymous Coward · · Score: 0

      "bullshit" is rude? Really? Maybe you should avoid the internet, or indeed any grown up environment.

    26. Re:OSNews? Thom Holwerda? Seriously? by TheRaven64 · · Score: 1

      Too lazy to look it up, but there have been two widely publicised flaws in the null pointer checking part of SELinux in the past year. Both led to privilege-elevation-to-kernel-mode exploits that only worked if you had SELinux.

      That's rather the point of OpenBSD's rejection of SELinux. It is a huge chunk of complex code and it runs in ring 0. It increases the attack surface considerably, and unless you spend a lot of time configuring it, provides little actual benefit.

      If you want to take issue with OpenBSD security, you should bring up the fact that they managed to offend the mult developer and push him to NetBSD.

      --
      I am TheRaven on Soylent News
    27. Re:OSNews? Thom Holwerda? Seriously? by TheRaven64 · · Score: 5, Informative

      For example, if you need to build a web server, you might pick OpenBSD because of its "secure-by-default" mantra. But what does that really buy you? You still need to run web server software, which is going to be the vector for any attack.

      The OpenBSD base system includes a version of Apache that has been heavily audited (fixing a lot of bugs that didn't seem to get fixed in the main branch until years later - look for 'does not affect OpenBSD' in security advisory notes) and runs in chroot by default.

      Is lighttpd any more secure on OpenBSD than on Linux? No

      As I recall, lighttpd runs in a chroot by default on OpenBSD, but I could be wrong. On top of this, it has (probably not a full list, just the things I remember):

      • Address space randomisation, making return-to-libc attacks harder. Linux now includes a weaker version of this.
      • OpenBSD's malloc() has an aggressive policy about returning memory to the kernel, which trades some performance for making it much harder to exploit use-after-free bugs.
      • The OpenBSD system compiler enables stack canaries by default and they are enabled for all OpenBSD packages, making stack-smashing attacks basically impossible.
      • W^X policy means that you can't map a page as both writable and executable at the same time. This is implemented even on x86, where it requires some convoluted stuff with segmentation because there is no native support in the page tables. This makes anything with a JIT compiler marginally harder to write and makes arbitrary code execution holes much harder. Linux can enforce something like this only on newer systems that have support for the NX bit in page tables.
      • The network stack uses strong random numbers for a lot of TCP/IP header fields, making things like connection hijacking or SYN flood attacks harder (you said you were running a networked app, right?).

      And the best thing? You don't need to configure or even understand any of these for them to work. That's what 'secure by default' means - no faffing with SELinux configuration, no optional security measures that people turn off because they're too hard to get right.

      I would argue that OpenBSD may be secure by design, but SELinux is, in practice, more secure.

      In practice, SELinux is usually disabled. In the few places it is enabled, it makes the attack surface larger and has led to exploitable bugs that are not present in Linux-without-SELinux.

      --
      I am TheRaven on Soylent News
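The W^X item in the comment above, seen from the side of a program that generates code at run time: the bytes are staged in a writable, non-executable page and only afterwards flipped to read+execute, so the page is never writable and executable at the same moment. This C program is an added example, not part of the thread and not OpenBSD code; the function names are hypothetical, the staged bytes are constructed and never executed, and POSIX `mmap`/`mprotect` are assumed.

```c
#ifndef _DEFAULT_SOURCE
#define _DEFAULT_SOURCE          /* exposes MAP_ANON on glibc */
#endif
#include <setjmp.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

#ifndef MAP_ANON
#define MAP_ANON MAP_ANONYMOUS
#endif

static sigjmp_buf fault_env;

static void on_fault(int sig)
{
    (void)sig;
    siglongjmp(fault_env, 1);    /* unwind out of the faulting store */
}

/* Returns 1 if a store to *p faults, 0 if it succeeds (value is written back unchanged). */
int write_faults(volatile unsigned char *p)
{
    struct sigaction sa, old_segv, old_bus;
    int faulted;

    memset(&sa, 0, sizeof sa);
    sa.sa_handler = on_fault;
    sigemptyset(&sa.sa_mask);
    sigaction(SIGSEGV, &sa, &old_segv);
    sigaction(SIGBUS, &sa, &old_bus);   /* some systems report SIGBUS instead */

    if (sigsetjmp(fault_env, 1) == 0) {
        unsigned char v = *p;    /* read is allowed in both states */
        *p = v;                  /* store faults once the page is sealed */
        faulted = 0;
    } else {
        faulted = 1;
    }
    sigaction(SIGSEGV, &old_segv, NULL);
    sigaction(SIGBUS, &old_bus, NULL);
    return faulted;
}

/* Returns 1 if the kernel grants a page that is writable AND executable, 0 if it refuses. */
int probe_wx_mapping(void)
{
    size_t len = (size_t)sysconf(_SC_PAGESIZE);
    void *p = mmap(NULL, len, PROT_READ | PROT_WRITE | PROT_EXEC,
                   MAP_PRIVATE | MAP_ANON, -1, 0);
    if (p == MAP_FAILED)
        return 0;
    munmap(p, len);
    return 1;
}

/* Step 1: copy generated bytes into a fresh read+write (not executable) mapping. */
unsigned char *wx_stage(const unsigned char *code, size_t n, size_t *maplen)
{
    size_t page = (size_t)sysconf(_SC_PAGESIZE);
    size_t len = (n + page - 1) / page * page;
    unsigned char *p;

    if (n == 0)
        return NULL;
    p = mmap(NULL, len, PROT_READ | PROT_WRITE, MAP_PRIVATE | MAP_ANON, -1, 0);
    if (p == MAP_FAILED)
        return NULL;
    memcpy(p, code, n);
    *maplen = len;
    return p;
}

/* Step 2: drop write permission while adding execute permission. */
int wx_seal(unsigned char *p, size_t maplen)
{
    return mprotect(p, maplen, PROT_READ | PROT_EXEC);
}

/* Returns 0 when the page was writable while staged, rejects stores once
 * sealed, and still holds the staged bytes; -1 on mapping errors. */
int wx_selfcheck(void)
{
    /* Constructed stand-in bytes; they are never executed. */
    static const unsigned char blob[] = { 0xde, 0xad, 0xbe, 0xef };
    size_t len = 0;
    int rc = 0;
    unsigned char *p = wx_stage(blob, sizeof blob, &len);

    if (p == NULL)
        return -1;
    if (write_faults(p))
        rc |= 1;                 /* staging page should accept stores */
    if (wx_seal(p, len) != 0) {
        munmap(p, len);
        return -1;
    }
    if (!write_faults(p))
        rc |= 2;                 /* sealed page should reject stores */
    if (memcmp(p, blob, sizeof blob) != 0)
        rc |= 4;                 /* contents must survive the flip */
    munmap(p, len);
    return rc;
}

int main(void)
{
    printf("kernel grants W+X mapping: %s\n", probe_wx_mapping() ? "yes" : "no");
    printf("stage-then-seal self-check: %d (0 = ok)\n", wx_selfcheck());
    return 0;
}
```

The first line of output differs between kernels and configurations; the self-check result should be 0 wherever the stage-then-seal sequence is permitted.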
    28. Re:OSNews? Thom Holwerda? Seriously? by TheRaven64 · · Score: 1

      Why is this a troll? UNIX was designed for minicomputers, with few users, all trusted. It was not designed to be networked (that came later, with BSD and the ARPA grant). It was not designed to be run on mainframes with large numbers of users, that was the domain of things like OS/360 and Multics.

      It was designed for precisely one purpose: to run a game. It was then extended to be shipped on things that were little more than typesetting appliances. If you uttered the phrase 'UNIX security' in the '80s, you'd have been met with the same kind of response as if you talked about 'Windows Security' in the late '90s.

      UNIX became popular for one reason: that AT&T didn't try to commercialise it, so it was very cheap. There were dozens of better operating systems around, but UNIX was cheap and ran on cheap computers.

      --
      I am TheRaven on Soylent News
    29. Re:OSNews? Thom Holwerda? Seriously? by Anonymous Coward · · Score: 0

      1998 called, they want their rationalization back.

      I'm just curious, do you have an actual retort there? The GP's point appears to make sense to me: the security of the base system does not say anything about the security about the production system where there's actually other packages running.

      Maybe there IS something wrong with it, but I don't see it. Since you appear to think it's wrong, can you explain to me why, rather than resorting to pithy but ultimately meaningless statements?

    30. Re:OSNews? Thom Holwerda? Seriously? by Anonymous Coward · · Score: 0

      The point of the article is that while the base system may indeed be very secure, it is practically useless.

      1998 called, they want their rationalization back. Besides, just about everyone turns off SELinux when they want to actually get work done.

      Is lighttpd any more secure on OpenBSD than on Linux? No.

      Good thing they have an audited, privsep, chrooted version of Apache, then.

      With SELinux, you need not only a local privilege escalation, but a hole in SELinux as well.

      Bullshit.

      I would argue that OpenBSD may be secure by design, but SELinux is, in practice, more secure.

      Adding complexity rarely increases reliability.

      I would be absolutely ecstatic if OpenBSD implemented something more like SELinux in terms of privilege separation.

      The Stephanie project worked towards doing just that, but it appears the project died several years ago.

      Well there's a research project over at FreeBSD that may be useful:

      http://www.cl.cam.ac.uk/research/security/capsicum/

      Perhaps it will be ported to other operating systems. From the USENIX video, it looks quite promising:

      http://www.youtube.com/watch?v=raNx9L4VH2k

      If the GP wants SELinux, he could always use TrustedBSD:

      http://www.trustedbsd.org/sebsd.html

    31. Re:OSNews? Thom Holwerda? Seriously? by Jeppe+Salvesen · · Score: 1

      Disclaimer: I've never used OpenBSD.

      However, there are two angles to securing the system, and that is:

      1. Fixing the code so that it does only what it is supposed to do. This includes security fixes.
      2. Designing the code so that you can restrict access to resources (data etc) in a reliable way.

      Both must be addressed for a system to be both secure and usable.

      As far as I understand from the links and the discussion, OpenBSD is best-in-class at point nr 1, and pretty terrible at point nr 2. A system is no more secure than point 1 dictates (what use is there in access restrictions and services if they are full of holes?!), but the system is only as useful as point 2 allows without compromising security. It's a hard problem. And it sorta seems like OpenBSD is avoiding touching point nr 2? Am I wrong here?

      --

      Stop the brainwash

    32. Re:OSNews? Thom Holwerda? Seriously? by Cyberax · · Score: 2, Insightful

      "1998 called, they want their rationalization back. Besides, just about everyone turns off SELinux when they want to actually get work done."

      Fortunately, we have alternatives to SELinux. Personally, I use AppArmor.

    33. Re:OSNews? Thom Holwerda? Seriously? by Anonymous Coward · · Score: 0

      What's he supposed to do with the link you've given him if he doesn't know what a link is?

    34. Re:OSNews? Thom Holwerda? Seriously? by Anonymous Coward · · Score: 0

      Yeah it's kind of funny how people keep talking about how secure unix systems are

      Note my emphasis on the word "are", in the quote, douchebag. He came out of the gate flaming Unix security in the present tense then tried to use how Unix was written 40 years ago as some kind of corroboration. If you're going to defend your fuck buddy, at least read what he wrote.

    35. Re:OSNews? Thom Holwerda? Seriously? by tehcyder · · Score: 1, Troll

      "bullshit" is rude? Really? Maybe you should avoid the internet, or indeed any grown up environment.

      No, "bullshit" is rude.

      It's not as rude as "shut your fucking mouth before I rip out your throat and shit over your tonsils, you moronic cunt" but then again it's not exactly "I'm really sorry, but I'm afraid I beg to differ, and can provide reasoned backup for my argument."

      I doubt you'd say "bullshit" to your boss or granny if you disagreed with them.

      --
      To have a right to do a thing is not at all the same as to be right in doing it
    36. Re:OSNews? Thom Holwerda? Seriously? by Anonymous Coward · · Score: 0

      If you want to take issue with OpenBSD security, you should bring up the fact that they managed to offend the mult developer and push him to NetBSD.

      Who's that "mult" developer?

    37. Re:OSNews? Thom Holwerda? Seriously? by TheRaven64 · · Score: 1

      I can't remember his name. Mult is a system like FreeBSD jails, but with full support for recursion and resource limits from the start. It's a very clean system for sandboxing, which would have been a good fit for OpenBSD, but flames from some of the core developers on the mailing list pushed the author away.

      --
      I am TheRaven on Soylent News
    38. Re:OSNews? Thom Holwerda? Seriously? by Anonymous Coward · · Score: 0

      What's the matter? Unix is your religion?

      Most popular unix systems are still not very secure from a design POV. There's no big difference between their security models and those of windows XP/7.

      If I run a program as userX in openbsd, that program has the full privileges and access of userX.

      Yes there's stuff like SELinux and AppArmor, so there's a bit of progress, but:
      1) It's been 40-50 years already...
      2) they involve a lot more work for the users
      3) have you seen the default apparmor sandbox for firefox provided by say ubuntu? It was not very secure when I last checked it.

      What would be better is if the OS creators set up a finite manageable bunch of sandbox templates, and a standard for desktop/normal apps. Then when a user attempts to run an unknown program, the program will have to either:

      a) ask for permission to be run using a particular template from one of the presets.
      b) ask for permission to be run using a custom template.

      Depending on how locked down the OS is configured, the user or the OS (as configured by the admin) has to approve this.

      In a locked down system, if the custom template for that particular program is not signed by a trusted party the program won't run.
      Similarly if the preset template requested is not allowed by the admin, the program won't run.

      In a not so locked down system, the hopefully savvy user would make the choice, but the OS would have a better clue of what the program's intentions are and so can warn the user accordingly, since the program has to declare _upfront_ what permissions it wants.

      Programs that declare a requirement for specific custom sandboxes can be more easily verified by 3rd parties.

      Analogy:
      The outdated security model is you have a room and it has no partitions or locks, once you invite a guest into your room he has full access to whatever you have access to. Sure the guest can't get into the admin user's room, but YOUR PRECIOUS STUFF IS IN YOUR ROOM not the admin's room!
      The proposed security model is, the room consists of many sub rooms that are locked, guest declares up front what sub rooms the guest would require access to (either a custom declaration or a "I want template A"). If the request seems reasonable to you, you unlock the relevant sub rooms, leaving the rest locked. So while damage can still be caused the damage is limited, and you have some idea of the potential damage BEFORE you run the program.

      I think some mobile devices already use something similar to this.

    39. Re:OSNews? Thom Holwerda? Seriously? by cinderellamanson · · Score: 1

      “There is no other way of guarding oneself against flattery than by letting men understand that they will not offend you by speaking the truth; but when everyone can tell you the truth, you lose their respect.” Niccolo Machiavelli

      Bullshit is bullshit is bullshit.

      The question is whether the link was bullshit or whether the parent post was bullshit.

      --
      Hey buddy, can i bum a karma? ~}CinderellaManson{~
    40. Re:OSNews? Thom Holwerda? Seriously? by shking · · Score: 1

      For example, if you need to build a web server, you might pick OpenBSD because of its "secure-by-default" mantra. But what does that really buy you? You still need to run web server software, which is going to be the vector for any attack.

      A security audited version of Apache, inside a chroot jail, is part of the standard install.

      Please check your facts before posting. You'll avoid sounding like a trolling fanboi.

      --
      -- "At Microsoft, quality is job 1.1" -- PC Magazine, Nov. 1994
    41. Re:OSNews? Thom Holwerda? Seriously? by Sancho · · Score: 1

      Yeah, and then I mentioned a different web server. Maybe I don't want to run ancient software.

      And to avoid that internet-age-old ad-hominem 'troll' attack, I realize that Apache 1.3 was only recently EOL'd by Apache, but development on it effectively ceased long ago. Which is why I referenced a more modern web server, though you conveniently declined to quote that portion of my post.

    42. Re:OSNews? Thom Holwerda? Seriously? by Sancho · · Score: 1

      In most browsers, with most configurations, the link shows bright blue. I saw the post, saw the bright blue "Bullshit", and decided it wasn't worth reading the rest unless he decided to be more civil.

  5. Don't forget the Release Song! by Anonymous Coward · · Score: 2, Informative

    Someone forgot the infamous song release for 4.8 to be included in article details: El Puffiachi

    1. Re:Don't forget the Release Song! by Anonymous Coward · · Score: 0

      Good tune

  6. song by buchner.johannes · · Score: 3, Informative

    The release song doesn't even have lyrics :-(
    How good can the release be then, I ask!

    --
    NB: The message above might reflect my opinion right now, but not necessarily tomorrow or next year.
    1. Re:song by the_humeister · · Score: 1

      The release song doesn't even have lyrics :-(
      How good can the release be then, I ask!

      Better than Kenny G, but a little worse than anti-lock brakes.

    2. Re:song by Anonymous Coward · · Score: 0

      Yes it does, that was probably replaced by some lame haxor. The chorus goes something like "Only 2 remote 0day root vulnerabilities you won't know about for another 5 months!"

  7. How are upgrades handled? by Anonymous Coward · · Score: 1, Interesting

    I'm curious. Having never used a BSD-based system, how are upgrades managed? I understand that instead of installing packages, one uses ports. My impression of that is that you run a file in a ports directory and it compiles the software and installs it. Correct me if I'm wrong.

    But how does one upgrade from, say, OpenBSD 4.7 to 4.8? Is there a script that is run that downloads and installs the appropriate files, or do you have to backup and install the new version on your system?

    1. Re:How are upgrades handled? by the_brobdingnagian · · Score: 3, Informative

      I'm curious. Having never used a BSD-based system, how are upgrades managed? I understand that instead of installing packages, one uses ports. My impression of that is that you run a file in a ports directory and it compiles the software and installs it. Correct me if I'm wrong.

      Ports are meant for building packages. Users should only use packages normally. You can update your packages after you upgraded your base system with "pkg_add -ui -D update -D updatedepends"

      But how does one upgrade from, say, OpenBSD 4.7 to 4.8?

      OpenBSD has excellent docs and FAQ's: http://openbsd.org/faq/upgrade48.html

    2. Re:How are upgrades handled? by resfilter · · Score: 2, Informative

      ports are just a way to build packages for 3rd party (i.e. not in the base system) software.

      unlike a lot of operating systems, openbsd includes apache, bind, and other common network servers in the base install.

      there's no automated upgrade procedure that works well for the openbsd base system at all; but there's a manual procedure, which is well documented, for upgrading between major versions

      as someone who has tried to upgrade many major linux distributions in various environments, i can tell you that manually is the ONLY way to do a proper system upgrade on a critical system; and many complex package management systems can hinder such an effort

      openbsd people seem to shy away from binary packages for the most part, and most people that upgrade end up using a full source tree of the system to do so. in fact, openbsd is a bit unique in that they don't have an official binary patch mechanism. security patches to the base system are also generally intended to be done on a virgin openbsd source tree.

      it's a weird way of doing things, for the average administrator, but it's a niche operating system, so if you don't like doing things the slow (but reliable) way, openbsd is not for you.

    3. Re:How are upgrades handled? by Anonymous Coward · · Score: 0

      It's a pain in the ass is what it is. Actually for all BSD systems it is. Recompiling everything that is upgraded etc, uses lots of unnecessary disk space and CPU. Makes it all but impossible to do on low-end systems (basically you have to compile on another machine and then transfer crap over, PITA).

    4. Re:How are upgrades handled? by dhickman · · Score: 1

      It's a pain in the ass is what it is. Actually for all BSD systems it is. Recompiling everything that is upgraded etc, uses lots of unnecessary disk space and CPU. Makes it all but impossible to do on low-end systems (basically you have to compile on another machine and then transfer crap over, PITA).

      Yes, it is a pain, but honestly, unless you are one of my friends ( one of the openbsd guys,) who maintains a working example of every machine that can run openbsd, why would you install the new version, instead of just keeping your working version patched?

      I run openbsd on firewalls/vpns/etc. The only time I ever put a new os on them is when I am replacing them.

      One of the best things about openbsd is that it is simple to install, simple to configure, and simple to maintain a production level system that is unsecured by your own stupidity.

    5. Re:How are upgrades handled? by Anonymous Coward · · Score: 0, Troll

      You know how I upgraded BSD? I installed Windows.

    6. Re:How are upgrades handled? by Noryungi · · Score: 2, Informative

      Upgrading OpenBSD 4.7 to 4.8 is as simple as booting the machine on the CD, and selecting (U)pgrade instead of (I)nstall.

      Make sure you make a backup of your /etc/ directory beforehand and you are good to go. The upgrade process should keep your configuration intact, but it never hurts to be a bit cautious.

      I'll note that I have been upgrading the same machine from OpenBSD 3.9 all the way to 4.8 without major problems.

      Unless you have a very good reason to, do not use ports: use (pre-compiled) packages. Upgrading packages is as simple as typing: 'pkg_add' with the correct options. See here for more details: http://openbsd.org/faq/faq15.html#PkgUpdate

      That's all there is to it. OpenBSD is a very simple operating system to use, and one that is a pleasure to upgrade and maintain.

      --
      The right to offend is far more important than the right not to be offended. (Rowan Atkinson)
    7. Re:How are upgrades handled? by badger.foo · · Score: 2, Informative

      Make sure you make a backup of your /etc/ directory beforehand and you are good to go. The upgrade process should keep your configuration intact, but it never hurts to be a bit cautious.

      For /etc upgrades, there's sysmerge.

      In fact, you can run sysmerge -x xetcNN.tgz -s etcNN.tgz and answer the friendly prompts before booting into the installer for the upgrade. Then after you've done the base system upgrade, set your PKG_PATH to something sensible and run pkg_add -u to upgrade your packages. Time needed is mainly a function of how good your connectivity to the packages mirror is.

      --
      -- That grumpy BSD guy - http://bsdly.blogspot.com/
    8. Re:How are upgrades handled? by orient · · Score: 1

      I've upgraded the OS while running production, with only one reboot required. I also moved the (production) OS install to another hard drive, also while running production - with only one reboot (the community on the misc mailing list was a great help).

      --
      Their praises would surely sadden me beyond measure.
    9. Re:How are upgrades handled? by Just+Some+Guy · · Score: 1

      why would you install the new version, instead of just keeping your working version patched?

      I have two main reasons:

      1. The new versions do new, cool stuff. That's why they released a new version, after all. For example, pf.conf is more pleasant to work with each time, to the point that it's been worth the 10 minutes of downtime to upgrade just for that one improvement.
      2. I had to upgrade a firewall so that I could install a sufficiently recent version of the Amanda backup client on it. The version that came with that OpenBSD release didn't actually work and it wouldn't build cleanly from ports. Given the option of sitting on an old OpenBSD with a non-working backup and putting in a huge effort to backport Amanda or just upgrading the whole thing to a newer, fixed version, I took the easy way out.
      --
      Dewey, what part of this looks like authorities should be involved?
  8. Suspend/Resume? by angus77 · · Score: 4, Funny

    They have suspend/resume now?

    I guess this will be the Year of the OpenBSD Netbook!!

    1. Re:Suspend/Resume? by the_brobdingnagian · · Score: 4, Informative

      Suspend/resume support has been improved enormously. I have been using it without problems on my Asus Eee PC 1000H for a while now.

    2. Re:Suspend/Resume? by 101percent · · Score: 1, Funny

      A super secure OS running on the most easily stolen machine.

    3. Re:Suspend/Resume? by Anonymous Coward · · Score: 0

      Nobody will steal your OpenBSD Netbook. What could they do with it???

    4. Re:Suspend/Resume? by Just+Some+Guy · · Score: 2, Interesting

      That's actually a great reason to use it on laptops (even if the pull of Ubuntu was too strong for me). A laptop without the password to the encrypted boot system and without any way to get it out of sleeping without knowing the login password might as well have a formatted drive for all the use it is to a thief.

      Yes, you can get most of that with a properly set up Linux system. That's what I'm banking on with my own laptop here. Still, should it get stolen, I'd feel a lot better if my personal data was locked up in OpenBSD.

      --
      Dewey, what part of this looks like authorities should be involved?
  9. tl;dr by Nimey · · Score: 0, Offtopic

    too long; didn't read.

    --
    Hail Eris, full of mischief...

    E pluribus sanguinem
    1. Re:tl;dr by gratuitous_arp · · Score: 1

      It was funny =p

  10. contribute code by sparetiredesire · · Score: 1

    It is good to call attention to features that need work.

    It is better to contribute code towards the solution.

  11. ACPI features? Best of luck then by sosaited · · Score: 2, Interesting

    I hope they didn't break something when adding the ACPI features. From my experience, it is one devil of a specification. Just half an hour ago, I couldn't browse anything on my Ubuntu Lucid because I had changed one ACPI related setting in Bios, and XP failed to boot at all. I wonder how far-reaching and bizarre effects it has on other OSs, and in other scenarios.

    1. Re:ACPI features? Best of luck then by Anonymous Coward · · Score: 0

      Not intended as a flame, but OpenBSD devs strive not to break functionality that already works when adding new functionality. This is not always the case on Linux, and adversely, Ubuntu. Your experience with Ubuntu does not hold water when talking specifically about ACPI on OpenBSD.

    2. Re:ACPI features? Best of luck then by TheRaven64 · · Score: 1

      This is why it's only being advertised now. They've had ACPI support for a while, but every ACPI implementation has interesting bugs. Most BIOS vendors test with Windows. A few test with Linux. None test with OpenBSD. OpenBSD therefore needs to include work-arounds for these bugs. They don't advertise the feature until they're pretty confident that it's actually working. It's not Linux, where stuff gets pushed to the tree with a token amount of testing.

      --
      I am TheRaven on Soylent News
    3. Re:ACPI features? Best of luck then by ifrag · · Score: 1

      Actually the pciide driver broke for me back in 4.7. As a result of the fact that 4.7 can no longer detect my hard drive (some VIA chipset iirc) I'm forced to use 4.6-stable instead. Maybe I'll check out 4.8 just to see if the driver is back to a working state for me.

      --
      Fear is the mind killer.
    4. Re:ACPI features? Best of luck then by tokul · · Score: 1

      I had changed one ACPI related setting in Bios, and XP failed to boot at all.

      OpenBSD is not f... Windows. It won't freak out when you switch power management from APM to ACPI.

  12. RE: BSD: OpenBSD 4.8 Released by Anonymous Coward · · Score: 0

    Splendid!

    Love is love and OpenBSD is Love.

    With kind regards.

  13. Re:Have they decided to implement security yet? by SoupIsGood+Food · · Score: 3, Interesting

    OpenBSD's claims are based on clean code, well-written documentation and sensible defaults, not a baked-in or bolt-on MAC system (which in this case stands for Mandatory Access Controls.)

    Because it can be bolted-on, it's not really a criticism of the OS itself. To be fair, jails gets you 90% of the way there - MAC systems were hot stuff on multi-user systems, but most Unix installations these days are single-seat workstations or back-end servers in the new "appliance" model which don't have any human users at all apart from the admin. Applications can be effectively protected from each other with jails... so an elaborate MAC system is kind of a waste of time in most cases. Maybe in a few specialized file-server scenarios, it might come in handy... but it's pointless for a box running a LAMP stack.

    Oh, wait, OpenBSD doesn't run jails, and the devs tell you to screw off and die whenever they're asked about it.

    I suppose they still have clean code and sensible defaults. You just need to buy a new server every time you want to isolate applications from each other.

    But this isn't actually a security issue, this is a developers-up-their-own-fundament issue.

  14. Re:Have they decided to implement security yet? by DiegoBravo · · Score: 3, Insightful

    From the article, about a "secure operating system":

    > Generally, this would be taken to mean an operating system that was designed with security in mind, and provides various methods and tools to implement security policies and limits on the system.

    Sadly most naive users still believe that security is about setting fine grained permissions, roles, resources and tagging system objects in general. In practice 1) security exploits simply bypass or reconfigure such validations or policies for their own purpose, and 2) getting a really good "fine grained" configuration and reconfiguration is pretty difficult, time consuming, and prone to error (i.e. to increase the vulnerability.)

  15. Audio on BSD? by Anonymous Coward · · Score: 0

    How is BSD for Audio, I'm looking for a stable netbook audio workstation [Eee PC 701, 2 Gig] and all the small Linux distros I've tried have issues, and the tech help communities I've requested polite help through all seem to have an "attitude" of "do-it-yourself-lazyboy", is BSD a possible alternative?

    I'd like to use it, not tinker with it all the time in an attempt to make it work, I'm looking for a Tool distro.

    I come from the windows world as a super user, but Linux gives me a difficult time due to memory issues due to a brain injury, and so I need help when I can't find my own answer, and I do my best to look first, but I get either silence or hostility because I didn't find some obscure reference somewhere.

    1. Re:Audio on BSD? by inode_buddha · · Score: 1

      If it's any indication, I met a BSD user at a 1998 LUG meeting, he had a full-on desktop with all the effects and audio going on a Dell laptop. So I imagine that if your hardware is supported (most likely) it should work fine. BSD has extensive documentation and lists of supported stuff. I'm a linux guy, so I really don't know more than that. Best bet is to just try it, IMHO.

      --
      C|N>K
    2. Re:Audio on BSD? by TheRaven64 · · Score: 5, Interesting

      OpenBSD has gone down the userspace sound daemon route, with aucat. This is much simpler than something like portaudio and provides userspace sound mixing. I generally prefer the FreeBSD approach (fully working OSS 4 compatible, with high-performance low-latency kernel sound mixing), but the OpenBSD approach (like everything else in OpenBSD) trades a little performance for a lot more security.

      --
      I am TheRaven on Soylent News
    3. Re:Audio on BSD? by domatic · · Score: 1

      Others would possibly have OSSv4 implementations if the company didn't have a nutjob take on what the GPL means. At least one of their developers thinks that if you run a closed source app that needs sound like say Doom3 then you have to buy one of their commercial licenses. Even RMS doesn't have such an expansive idea of what the GPL does and does not do:

      http://4front-tech.com/hannublog/?p=8

      The really good part is in one of the comments posted by one of the devs:

      The point is that we (4Front) are the owners of the copyrights of OSS. We have the power to define the terms for usage of OSS. The terms are that you can use OSS "for free" if you use it from GPLed applications. Otherwise it will be "for a fee".

      And this is for a sound stack that is supposedly distributed under GPL terms. Last time I heard, writing to /dev/dsp is not linking. Since what they publicly say is in direct contradiction to the GPL, I take it to mean that ONLY their commercial licenses have validity.

      Yes, they DO have the power to "define the terms of usage of OSS" but they DO NOT have the power to rewrite the GPL. Since what they want is a trialware license then they should remove the GPL boilerplate from their downloads and substitute such a license.

    4. Re:Audio on BSD? by TheRaven64 · · Score: 2, Informative

      The opinions of 4Front are completely irrelevant to FreeBSD - their implementation of OSS 4 is independent of 4Front. 4Front does ship an OSS 4 implementation for FreeBSD, but it lacks per-channel volume control and AC-3 pass through while playing analogue audio, both of which are supported in the FreeBSD version.

      --
      I am TheRaven on Soylent News
    5. Re:Audio on BSD? by Anonymous Coward · · Score: 0

      Audio... You might try Debian GNU/Linux with OSS4.

      I've been a happy Debian user for 4 years. I believe Debian is a pretty nice middle ground between "freedom or death" (Fedora), masses of clueless newbies (Ubuntu), elitist pendejos who think they know better (Arch, Gentoo), etc. It has its own issues (man, they're really patching the hell out of upstream packages, the whole system feels a little bit like one big fork), but everything else I've tried has made me want to go back to Debian in less than a day.

      The documentation is pretty nice, although in this regard I think the BSDs win single-handedly. As for the community - I rarely seek support on forums or IRC, most of the information could be pretty easily found on the web, but when I've been actually asking questions, I've almost always got satisfying answers.

      You can make Debian really slim if you want. Just do a network install and install only the base system + what you really need. I have almost no Gnome packages installed (except for icons, and gtk engines), I chose apps like wmii, Chromium, wicd, pcmanfm, claws, gpicview, mpd+Sonata, instead of their more bloaty cousins, and I try to always keep the installed package count under 1000. This makes the system pretty fast and responsive even on my old ThinkPad T60 with 1GB of memory.

      As for audio... You get LOTS of audio packages here. I'm an (amateur) musician myself and I find Debian's repositories FULL of really useful stuff. You should definitely look at stuff like JACK, QJackCtl, FluidSynth/QSynth, ZynAddSubFX, PhaseX, AMSynth, VMPK, Rakarrack, Jack Rack + all the LADSPA plugins, Hydrogen, Rosegarden... You know, a friend of mine heard me improvising with these tools, and he installed Debian just to have easy access to all this goodness.

      However there's one problem with Linux: ALSA, its default sound architecture - it simply sucks. Right now I'm trying out OSS4 (a saner standard), which is pretty easy to get running on Squeeze (a.k.a. Debian Testing, or what is about to become the next stable release "soon"):

      $ sudo apt-get install oss4-dkms oss4-gtk

      Wait for apt to finish downloading & installing, wait for DKMS to finish compiling the modules, restart the system (just to make sure), and here you go.

      I've been testing OSS4 for quite a while, and the only problem I've run into is that you need to stop all applications doing sound IO before you try suspending the machine. Otherwise they get killed without notice. You can check if any applications might cause trouble with this command:

      $ fuser /dev/{mixer,dsp,midi}*

      Note the PIDs of the processes (if any), and try to stop the audio output from these programs before suspending.

      If you have any more questions, I'll have a look at this thread later and try to help you out. Good luck in your search, there's never anything like an ideal solution - but we can help each other getting closer to it!

  16. Detailed "Changelog" is worthless... by Anonymous Coward · · Score: 0

    A couple of entries from this "detailed changelog":
    # Fixed a bug in pkg_add(1).
    # Improved acpibtn(4).

    and so on. Are entries like this worth including? They're definitely not worth my time to read.

    Is there nobody with the "release manager" hat at OpenBSD who cleans that up to remove useless entries like the two above?

  17. Hrmm by n3v · · Score: 1

    www.openbsd.org slashdotted?

    1. Re:Hrmm by courcoul · · Score: 1

      Yes, cute, we've slashdotted the OpenBSD foundation.... Well... at least they're getting the attention they so justly deserve after the unwavering effort!

  18. Re:Have they decided to implement security yet? by Anonymous Coward · · Score: 0

    I haven't noticed that the system is very clean. It seems significantly more convoluted than the NetBSD design. The last time I needed a clean and simple BSD for an old 486, I tried OpenBSD first, and the installer was ugly as sin, crashed, and when I finally got it installed, it ran like a pig. A slow pig, that is, and not a quick and athletic one. Then I tried NetBSD and installed that instead, and it was very simple and fast, just a vanilla and traditional Unix system without bells and whistles. In modern performance benchmarks as well, Linux, FreeBSD, and NetBSD are at the top, while OpenBSD really does poorly.

  19. Re:Have they decided to implement security yet? by metrix007 · · Score: 4, Interesting

    I can't believe you got modded up. MAC is not bolted on at all, it is a kernel patch. This means you end up with a different kernel, where MAC is implemented from the ground up.

    Equating MAC to jails also shows you simply don't understand what MAC is.

    • If your webserver is compromised in a jail, can the webpages still be defaced? Yep. Not with a proper MAC policy.
    • Running third party software that the OpenBSD team did not audit themselves which gets pwned? Far less likely with MAC. If the machine is exploited, minimal damage can be done.
    • Need to restrict access from root to satisfy legal or policy requirements? Not possible with the outdated root = god model. It is possible with MAC.
    • Want to restrict the permission a process has, instead of automatically granting it the same full permissions your user account has? Not possible on OpenBSD, possible with MAC. No, systrace doesn't cut it.

    The industry is slowly heading toward implementing MAC in some form, because DAC (Discretionary Access Control, the current standard) is simply inadequate. It's not all SELinux, Microsoft have Windows Integrity Levels where low privileged processes can't write to higher level processes, Ubuntu has AppArmor etc. The industry is heading in this direction because we realize that allowing all programs to have the full set of permissions equal to the user it is running as is not ideal.

    The OpenBSD team stand out in their flat-out rejection of the very idea, considering it to be too complex (does not have to be, see SMACK, TOMOYO or AppArmor), or horribly understanding it to the point they equate it with an ACL. IIRC Theo has said in several interviews it is basically security theater and not useful, which is just ignorant. Given they tend to actually ignore security vulnerabilities and argue rather than admit and fix them, the project doesn't seem that security focused to me.

    Sorry, but I will take a fairly secure system that grants me the granularity to protect myself in the case of an attack, as opposed to a system which claims awesome security because it comes with almost no current software and nothing running by default.

    --
    If you ignore ACs because they are anonymous - you're an idiot.
  20. Re:Have they decided to implement security yet? by TheRaven64 · · Score: 2, Informative

    OpenBSD performance is not something they advertise, for good reason. If there's a trade between security and performance, they'll take security. The most noticeable example is the malloc() implementation. This is much more aggressive than any other that I've seen at returning memory to the kernel. This means that there are a lot more system calls being made by OpenBSD libc in any program that calls free() a lot and a lot more page churn (meaning more TLB misses). This hurts performance (about a 5-20% hit, depending on your benchmark), but it means that use-after-free bugs tend to crash early, rather than becoming exploitable. If you're doing HPC, OpenBSD probably isn't the system for you, but they never claimed it was.

    --
    I am TheRaven on Soylent News
  21. Re:Have they decided to implement security yet? by TheRaven64 · · Score: 2, Insightful

    And there's a very good example of this. Windows NT has had fine-grained ACLs on every single kernel object (not just files - mutexes, sockets, processes - everything that the kernel is responsible for) since its creation. Until relatively recently, UNIX systems had a very coarse-grained security system; user/group/all permissions on files, no permissions on anything that wasn't a file (although a lot of things are in UNIX), one magic user that can bypass everything. Guess which one had more vulnerabilities.

    To make matters more interesting, compare the Windows NT kernel with a Linux kernel - for pretty much any time period you pick, the NT kernel will have fewer security advisories. Nothing is bypassing these fancy security mechanisms, they're just not being used. In a lot of cases, Windows users were running as the highest-privileged user and running their apps with this privilege, in spite of the fact that the kernel supports much better policies.

    A door is only a security mechanism if you remember (and understand how) to close and lock it.

    --
    I am TheRaven on Soylent News
  22. Re:Have they decided to implement security yet? by Anonymous Coward · · Score: 0

    Read again, he didn't equate MAC to jails; he said despite the ability to use MAC, it doesn't support jails, and therefore for security you'd have to implement each 'jail' as a physically separate piece of hardware.

  23. Infunny? by contra_mundi · · Score: 1

    That's alright. I'll make the suggestion that /. adds the moderation ±0 Funsightful. :P

  24. Unicode not yet supported ? by ahavatar · · Score: 1

    As a CJK user, I want to have Unicode supported on OpenBSD. Last time I checked, OpenBSD didn't have support yet. Any news for I18N on OpenBSD 4.8?

  25. Upgrading server by Anonymous Coward · · Score: 0

    Does OpenBSD have something like apt-get upgrade?

    1. Re:Upgrading server by Ash-Fox · · Score: 1

      Does OpenBSD have something like apt-get upgrade?

      No, you insert the latest OpenBSD disc and choose upgrade instead at boot up. Upgrading while the system is running (like with apt-get) is, unfortunately, a very manual process and I wouldn't recommend it due to the many mistakes one can make.

      --
      Change is certain; progress is not obligatory.
  26. Re:Have they decided to implement security yet? by Anonymous Coward · · Score: 0

    You must be the only slashdotter with a brain in the last few posts.

  27. Re:Have they decided to implement security yet? by cinderellamanson · · Score: 2, Interesting

    If your webserver is compromised in a jail, can the webpages still be defaced? Yep. Not with a proper MAC policy.

    For varying definitions of compromised, you mean? If the Sysadmin has deployed a detailed MAC policy.

    Running third party software that the OpenBSD team did not audit themselves which gets pwned? Far less likely with MAC. If the machine is exploited, minimal damage can be done.

    This is a good argument, but it's really hard to just say "Far less likely with MAC". This is always going to be the System Administrator's responsibility. In fact all aspects of system security are going to be delegated to the system's managers almost immediately. This is the point where YOU need to decide if OpenBSD will suit your needs or become too complex to manage for your particular task.

    Need to restrict access from root to satisfy legal or policy requirements? Not possible with the outdated root = god model. It is possible with MAC.

    This is goofy, I'm not sure I can think of a *nix system that doesn't allow you to disable root. On the other hand, I believe this is correct, with the exception that I don't believe there are any legal governance bodies in operation currently defining a proper MAC policy and implementation. Meaning that you could never prove OpenBSD was actually capable of meeting them or not, neither can you prove that SELinux meets these requirements. We only know that it did not happen while that government body was in place.

    Want to restrict the permission a process has, instead of automatically granting it the same full permissions your user account has? Not possible on OpenBSD, possible with MAC. No, systrace doesn't cut it.

    Setuid, of course systrace will run right over setuid, but anyone who can set policy on a MAC system is a point of privilege elevation as well.

    --
    Hey buddy, can i bum a karma? ~}CinderellaManson{~
  28. Bye Bye bce0? by christurkel · · Score: 1

    Disable bce(4) in i386 GENERIC and RAMDISK kernels.

    Why was this removed? Makes my laptop not usable with OpenBSD.

    --

    CDE open sourced! https://sourceforge.net/projects/cdesktopenv/
    1. Re:Bye Bye bce0? by ocipio · · Score: 1

      so enable it.

      It was disabled because bce(4) tends to not work with machines that have more than 1GB memory. It could be fixed if someone donated a machine with bce(4).

    2. Re:Bye Bye bce0? by IcePic · · Score: 1

      Because it sucks by having hardware that can't handle memory above 1G, which means either it goes, or your 1+ G machine becomes a 1G machine.
      (or you start doing the ISA-bus style memory bouncing for all network drivers since any device can DMA to/from the same mbufs that the bce later should handle)

      So either a massive rewrite of all other network drivers, OR, kill the driver for the broken hardware that pretends to be useful but isn't.

      --
      -- I'm as unique as everyone else.
  29. Ubuntu BSD by Anonymous Coward · · Score: 0

    Ubuntu > BSD.... yeah baby!!!!!

  30. Re:Have they decided to implement security yet? by metrix007 · · Score: 1

    For varying definitions of compromised, you mean? If the Sysadmin has deployed a detailed MAC policy.

    Nope, not at all. Regardless of if you use AppArmor, RSBAC, SELinux, TOMOYO, SMACK or GRSecurity, it is trivial to deny write access to files from a user who owns them. It doesn't have to be a detailed MAC policy, and the only time that won't hold true is if there is a remote kernel exploit. Which...is pretty rare.

    This is a good argument, but it's really hard to just say "Far less likely with MAC". This is always going to be the System Administrator's responsibility. In fact all aspects of system security are going to be delegated to the system's managers almost immediately. This is the point where YOU need to decide if OpenBSD will suit your needs or become too complex to manage for your particular task.

    I think you are getting away from my point by saying that all security is ultimately the administrator's responsibility. I agree, and OpenBSD only provides basic unix permissions to enforce this. I am aware of the other stuff such as ASLR, but it doesn't come close to MAC. It's all based on stopping exploits, and there is very little in the way of dealing with a successful exploit.

    This is goofy, I'm not sure I can think of a *nix system that doesn't allow you to disable root. On the other hand, I believe this is correct, with the exception that I don't believe there are any legal governance bodies in operation currently defining a proper MAC policy and implementation. Meaning that you could never prove OpenBSD was actually capable of meeting them or not, neither can you prove that SELinux meets these requirements. We only know that it did not happen while that government body was in place.

    Any Linux system has multiple MAC implementations in the kernel, so they allow this. As does FreeBSD via TrustedBSD. It is an important step in implementing proper separation of duty.

    Setuid, of course systrace will run right over setuid, but anyone who can set policy on a MAC system is a point of privilege elevation as well.

    Setuid is not at all the same thing, and is arguably worse as that process then inherits the full complete rights as the user it is running as. If I want to launch a process as administrator because it needs to bind to a low port, that does not mean I want it to have write access to /etc.

    Additionally, it is not true that anyone who can set policy on a MAC system is at a point of privilege elevation. Generally the user account to administer a MAC system is a standard unix account, which must be hacked in addition to the root account. The root account can do nothing to the MAC permissions and the normal user can do nothing useful except with its own files.

    --
    If you ignore ACs because they are anonymous - you're an idiot.
  31. Re:Have they decided to implement security yet? by cbhacking · · Score: 1

    This should definitely be modded higher. Fine-grained security controls don't matter if nobody uses them correctly, and they introduce increased complexity in the codebase that makes more room for bugs to creep in. By comparison, OpenBSD may be much less user-friendly in most ways, but its emphasis has been "real-world" security from the beginning, with heavy code audits and good security defaults. Even if its security model isn't as advanced as some others (Linux, NT), its implementation is far better in most cases.

    --
    There's no place I could be, since I've found Serenity...
  32. OpenBSD was my first *NIX by CondeZer0 · · Score: 1

    That was more than ten years ago, and OpenBSD is still the *nix OS that remains closest to the original Unix style and spirit.

    Being a BSD variant it means it already started to deviate from the Unix way long ago, but with the notable exception of Plan 9 (not surprising given that the original Unix team were responsible for Plan 9, and by the way now are working on Go), all other *nix-like systems are much, much worse.

    The quality of OpenBSD code is also much better than that of any other popular OS, and its developers are usually fairly good at restraining themselves from implementing popular 'features' that simply add complexity and no real value.

    In short, if you like simplicity and quality, give OpenBSD a try, I'm still very grateful it was my first exposure to *nix systems.

    --
    "When in doubt, use brute force." Ken Thompson
  33. Re:Have they decided to implement security yet? by cinderellamanson · · Score: 1

    In a sentence I will say that for example.

    Engarde Linux vs OpenBSD would compete along different methodologies, yet, will both likely enjoy a good degree of success.

    --
    Hey buddy, can i bum a karma? ~}CinderellaManson{~
  34. Re:Have they decided to implement security yet? by cinderellamanson · · Score: 1

    Engarde Linux: SELinux
    OpenBSD: Integrated Cryptography

    That is the battle you're discussing.
    SELinux vs Integrated Cryptography.

    I'm pretty sure they are both going to have trade offs.

    --
    Hey buddy, can i bum a karma? ~}CinderellaManson{~
  35. Re:Have they decided to implement security yet? by metrix007 · · Score: 1

    Hi. No, that isn't what I am arguing. I am not arguing MAC vs integrated cryptography, I am saying the OpenBSD team is falling behind by continually rejecting MAC in all its forms and needs to catch up if they still want to be known as a secure operating system.

    --
    If you ignore ACs because they are anonymous - you're an idiot.
  36. Re:Have they decided to implement security yet? by cinderellamanson · · Score: 0

    The *BSD Wailing Song

    What's left for me to see
    In my ship I sailed so far
    What can the answer be
    Don't know what the questions are.
    And after all I've done
    Still I cannot feel the sun
    Tell me save me
    In the end our lost souls must repent.
    I must know it is for certain
    Can it be the final curtain
    As long as the wind will blow
    I'll be searching high and low.
    Who knows what's really true
    They say the end is so near
    Why are we all so cruel
    We just fill ourselves with fear.
    And heaven and hell will turn
    All that we love shall burn
    Hear me trust me
    In the end our lost souls must repent.
    I must know it is for certain
    Can it be the final curtain
    As long as the wind will blow
    I'll be searching high and low
    Final curtain
    Final curtain

    flask of ripe urine
    pressed to bsd lips
    bsd drink up

    I don't want to start a holy war here, but what is the deal with you BSD fanatics? I've been sitting here at my freelance gig in front of a BSD box (a PIII 800 w/512 Megs of RAM) for about 20 minutes now while it attempts to copy a 17 Meg file from one folder on the hard drive to another folder. 20 minutes. At home, on my Pentium Pro 200 running NT 4, which by all standards should be a lot slower than this BSD box, the same operation would take about 2 minutes. If that.

    In addition, during this file transfer, Netscape will not work. And everything else has ground to a halt. Even Emacs Lite is straining to keep up as I type this.

    I won't bore you with the laundry list of other problems that I've encountered while working on various BSD machines, but suffice it to say there have been many, not the least of which is I've never seen a BSD box that has run faster than its Windows counterpart, despite the BSD machine's faster chip architecture. My 486/66 with 8 megs of ram runs faster than this 800 mhz machine at times. From a productivity standpoint, I don't get how people can claim that BSD is a "superior" machine.

    BSD addicts, flame me if you'd like, but I'd rather hear some intelligent reasons why anyone would choose to use a BSD over other faster, cheaper, more stable systems.

    It is common knowledge that *BSD is dying. Almost everyone knows that ever hapless *BSD is mired in an irrecoverable and mortifying tangle of fatal trouble. It is perhaps anybody's guess as to which *BSD is the worst off of an admittedly suffering *BSD community. The numbers continue to decline for *BSD but FreeBSD may be hurting the most. Look at the numbers. The erosion of user base for FreeBSD continues in a head spinning downward spiral.

    OpenBSD leader Theo states that there are 7000 users of OpenBSD. How many users of BSD are there? Let's see. The number of OpenBSD versus NetBSD posts on Usenet is roughly in ratio of 5 to 1. Therefore there are about 7000/5 = 1400 NetBSD users. BSD/OS posts on Usenet are about half of the volume of NetBSD posts. Therefore there are about 700 users of BSD/OS. A recent article put FreeBSD at about 80 percent of the *BSD market. Therefore there are (7000+1400+700)*4 = 36400 FreeBSD users. This is consistent with the number of FreeBSD Usenet posts.

    Due to the troubles of Walnut Creek, abysmal sales and so on, FreeBSD went out of business and was taken over by BSDI who sell another troubled OS. Now BSDI is also dead, its corpse turned over to yet another charnel house.

    All major marketing surveys show that *BSD has steadily declined in market share. *BSD is very sick and its long term survival prospects are very dim. If *BSD is to survive at all it will be among hobbyist dilettante dabblers. In truth, for all practical purposes *BSD is already dead. It is a dead man walking.

    Fact: *BSD is dying

    It doesn't matter, no matter how many times you try to resuscitate *BSD, it just doesn't matter. It's a plain and simple truth, *BSD is dying.

    Click here [planetquake.com] to see the most appropriate case mod for a *BSD system.

    If you can also print out your word processor documents on mu

    --
    Hey buddy, can i bum a karma? ~}CinderellaManson{~
  37. Re:Have they decided to implement security yet? by metrix007 · · Score: 1

    Wow kid, you've got issues.

    *PLONK*

    --
    If you ignore ACs because they are anonymous - you're an idiot.
  38. Re:Have they decided to implement security yet? by Anonymous Coward · · Score: 0

    > Given they tend to actually ignore security vulnerabilities and argue rather than admit and fix them [coresecurity.com], the project doesn't seem that security focused to me.

    Um, what? I don't know if you are intentionally lying, but you are certainly not speaking truthfully.

    I read the coresecurity.com link in its entirety, and here's what I see:
    * The bug was reported to the OpenBSD devs on Feb 20th.
    * The developers fixed the bug, and tested the fix.
    * The OpenBSD project made the fix generally available within six days (Feb 26th).

    That's pretty good turnaround time.