Slashdot Mirror
OpenBSD 4.8 Released
Mortimer.CA writes "The release of OpenBSD 4.8 has been announced. Highlights include ACPI suspend/resume, better hardware support, OpenBGPD/OpenOSPFD/routing daemon improvements, inclusion of OpenSSH 5.5, etc. Nothing revolutionary, just the usual steady improving of the system. A detailed ChangeLog is available, as usual. Work, of course, has already started on the next release, which should be ready in May, according to the steady six-month release cycle."
Their targeted users have no problem with the installation. If you aren't comfortable with the installation tools, you probably wouldn't be comfortable with OpenBSD. A pretty installation method is looking for a solution to a problem that doesn't exist.
You're taking some random blog article linked to by Thom Holwerda at OSNews seriously? Those are your three strikes, and you're out, my friend.
Look, the OpenBSD team knows exactly what they're doing. They're some of the brightest minds in the field. They have many years of experience with real-world security. They've been around long enough to know that there are something things that sound totally fantastic in theory, but in practice they're a complete failure.
Many advanced security approaches fall directly into this theoretically-great-but-actually-quite-shitty category. They end up being difficult to implement, and end up being full of security flaws and other holes. They end up causing the very things they're supposed to avoid! Thankfully, the OpenBSD developers know this, and smartly stick with a model that's been proven successful over the couse of 40 years.
Oh, the problem exists, I can assure you of that. The problem however lies between the keyboard and the chair.
That's not a very ergonomic position to use a computer in.
Someone forgot the infamous song release for 4.8 to be included in article details: El Puffiachi
The release song doesn't even have lyrics :-(
How good can the release be then, I ask!
NB: The message above might reflect my opinion right now, but not necessarily tomorrow or next year.
To spare this section of all the trolls (yeah right!), I have incorporated every *BSD troll into this one message. Thank you.
The *BSD Wailing Song
What's left for me to see
In my ship I sailed so far
What can the answer be
Don't know what the questions are.
And after all I've done
Still I cannot feel the sun
Tell me save me
In the end our lost souls must repent.
I must know it is for certain
Can it be the final curtain
As long as the wind will blow
I'll be searching high and low.
Who knows what's really true
They say the end is so near
Why are we all so cruel
We just fill ourselves with fear.
And heaven and hell will turn
All that we love shall burn
Hear me trust me
In the end our lost sould must repent.
I must know it is for certain
Can it be the final curtain
As long as the wind will blow
I'll be searching high and low
Final curtain
Final curtain
pressed to bsd lips
bsd drink up
I don't want to start a holy war here, but what is the deal with you BSD fanatics? I've been sitting here at my freelance gig in front of a BSD box (a PIII 800 w/512 Megs of RAM) for about 20 minutes now while it attempts to copy a 17 Meg file from one folder on the hard drive to another folder. 20 minutes. At home, on my Pentium Pro 200 running NT 4, which by all standards should be a lot slower than this BSD box, the same operation would take about 2 minutes. If that.
In addition, during this file transfer, Netscape will not work. And everything else has ground to a halt. Even Emacs Lite is straining to keep up as I type this.
I won't bore you with the laundry list of other problems that I've encountered while working on various BSD machines, but suffice it to say there have been many, not the least of which is I've never seen a BSD box that has run faster than its Windows counterpart, despite the BSD machines faster chip architecture. My 486/66 with 8 megs of ram runs faster than this 800 mhz machine at times. From a productivity standpoint, I don't get how people can claim that BSD is a "superior" machine.
BSD addicts, flame me if you'd like, but I'd rather hear some intelligent reasons why anyone would choose to use a BSD over other faster, cheaper, more stable systems.
It is common knowledge that *BSD is dying. Almost everyone knows that ever hapless *BSD is mired in an irrecoverable and mortifying tangle of fatal trouble. It is perhaps anybody's guess as to which *BSD is the worst off of an admittedly suffering *BSD community. The numbers continue to decline for *BSD but FreeBSD may be hurting the most. Look at the numbers. The erosion of user base for FreeBSD continues in a head spinning downward spiral.
OpenBSD leader Theo states that there are 7000 users of OpenBSD. How many users of BSD are there? Let's see. The number of OpenBSD versus NetBSD posts on Usenet is roughly in ratio of 5 to 1. Therefore there are about 7000/5 = 1400 NetBSD users. BSD/OS posts on Usenet are about half of the volume of NetBSD posts. Therefore there are about 700 users of BSD/OS. A recent article put FreeBSD at about 80 percent of the *BSD market. Therefore there are (7000+1400+700)*4 = 36400 FreeBSD users. This is consistent with the number of FreeBSD Usenet posts.
Due to the troubles of Walnut Creek, abysmal sales and so on, FreeBSD went out of business and was taken over by BSDI who sell another troubled OS. Now BSDI is also dead, its corpse turned over to yet another charnel house.
All major marketing surveys show that *BSD has steadily declined in market share. *BSD is very sick and its long term survival prospects are very dim. If *BSD is to survive at all it will be among hobbyist dilettante dabblers. In truth, for all practical purposes *BSD is already dead. It is a dead man walking.
Fact: *BSD is dying
It doesn't matter, no matter how many time you try to recesitate *BSD, it's just does
I've only installed OpenBSD twice, both successfully, but their fdsik version was very nice.
Different from Microsoft and Linux fdisk programs? Yes! Because you're not running/installing neither Windows nor Linux. Neither of these are identical systems.
The OpenBSD fdisk is quite possibly better, and without a doubt far better documented, and not just in the excellent up to date man pages but also in official faq's and installation procedures available on the OpenBSD webpages. Stuff one should read.
Who would read/read on Microsoft information when installing Linux?
Who would read/rely on Solaris information when installing Windows?
Who would read/rely on Linux information when installing OpenBSD?
If you're having trouble with OpenBSD fdisk or more likely OpenBSD installation peculiarities and requirements that other operating systems either don't have or gloss over then I would recommend reading the OpenBSD documentation, it's all there, yes the issues that can trap someone entirely new too, usually even emphasized.
A Windows poweruser or superuser can be and often is a total newbie on Linux.
A Linux poweruser or superuser can be and often is a total newbie on OpenBSD.
Don't assume different things to be the same.
They have suspend/resume now?
I guess this will be the Year of the OpenBSD Netbook!!
I'm curious. Having never used a BSD-based system, how are upgrades managed? I understand that instead of installing packages, one uses ports. My impression of that is that you run a file in a ports directory and it compiles the software and installs it. Correct me if I'm wrong.
Ports are meant for building packages. Users should only use packages normally. You can update your packages after you upgraded your base system with "pkg_add -ui -D update -D updatedepends"
But how does one upgrade from, say, OpenBSD 4.7 to 4.8?
OpenBSD has excellent docs and FAQ's: http://openbsd.org/faq/upgrade48.html
IIRC you can suffix a quantity with M or G to specify size in megabytes or gigabytes.
ports are just a way to build packages for 3rd party (i.e. not in the base system) software.
unlike a lot of operating systems, openbsd includes apache, bind, and other common network servers in the base install.
there's no automated upgrade procedure that works well for the openbsd base system at all; but there's a manual procedure, which is well documented, for upgrading between major versions
as someone has tried to upgrade many major linux distributions in various environments, i can tell you that manually is the ONLY way to do a proper system upgrade on a critical system; and many complex package management systems can hinder such an effort
openbsd people seem to shy away from binary packages for the most part, and most people that upgrade end up using a full source tree of the system to do so. in fact, openbsd is a bit unique in that they don't have an official binary patch mechanism. security patches to the base system are also generally intended to be done on a virgin openbsd source tree.
it's a weird way of doing things, for the average administrator, but it's a niche operating system, so if you don't like doing things the slow (but reliable) way, openbsd is not for you.
The OpenBSD installer can auto-partition your disk for you. No calculations needed if you don't want to.
I hope they didn't break something when adding the ACPI features. From my experience, it is one devil of a specification. Just half an hour ago, I couldn't browse anything on my Ubuntu Lucid because I had changed one ACPI related setting in Bios, and XP failed to boot at all. I wonder how far-reaching and bizarre effects it has on other OSs, and in other scenarios.
indeed. that's just how badass openbsd is. you guys don't even get to see the htttps protocol in action for another 5 years.
Hey buddy, can i bum a karma? ~}CinderellaManson{~
OpenBSD's claims are based on clean code, well-written documentation and sensible defaults, not a baked-in or bolt-on MAC system (which in this case stands for Mandatory Access Controls.)
Because it can be bolted-on, it's not really a criticism of the OS itself. To be fair, jails gets you 90% of the way there - MAC systems were hot stuff on multi-user systems, but most Unix installations these days are single-seat workstations or back-end servers in the new "appliance" model which don't have any human users at all apart from the admin. Applications can be effectively protected from each other with jails... so an elaborate MAC system is kind of a waste of time in most cases. Maybe in a few specialized file-server scenarios, it might come in handy... but it's pointless for a box running a LAMP stack.
Oh, wait, OpenBSD doesn't run jails, and the devs tell you to screw off and die whenever they're asked about it.
I suppose they still have clean code and sensible defaults. You just need to buy a new server every time you want to isolate applications from each other.
But this isn't actually a security issue, this is a developers-up-their-own-fundament issue.
From the article, about a "secure operating system":
> Generally, this would be taken to mean an operating system that was designed with security in mind, and provides various methods and tools to implement security polices and limits on the system.
Sadly most naive users still believe that security is about setting fine grained permissions, roles, resources and tagging system objects in general. In practice 1) security exploits simply bypass or reconfigure such validations or policies for their own purpose, and 2) getting a really good "fine grained" configuration and reconfiguration is pretty difficult, time consuming, and prone to error (i.e. to increase the vulnerability.)
i'd disagree that there's no reason why we can't have a system that's truly open, secure and easy to use because people can't even agree what those words mean.
This is a joke. I am joking. Joke joke joke.
Nice Troll. I'll bite.
Nor does an OpenBSD user excel on either Linux or Windows - they are three different worlds. You do not state, but imply, that someone that knows BSD knows those other systems. You either do so through intention (dishonesty) or through lack of thinking your argument out (ignorance), either one isn't particularly good.
I have three Linux machines (Slackware/Ubuntu) and one OpenBSD machine at home, all of them work very well. I also have two additional Windows machines at home, and I use one at work (sigh). I know all three systems pretty well. What's your point?
And, just to add an important precision: I administer Linux (Red Hat/SuSE), Solaris, AIX and HPUX machines at work. I know all of these systems pretty well.
The problem that the *BSD versions have for large acceptance is why? The big draw of it - security from the ground up - isn't really useful in most places.
Go ahead and tell that to the security engineers that audit the servers on a regular basis at work. Go ahead, I dare you. This is the best way to be out of a job pretty fscking quickly. OpenBSD is not perfect, but, when it comes to security, any serious person is going to consider it.
You need that at your firewall and router (usually one in the same for small to medium companies or a home network) and those are better handled by a hardware/software stack that is specifically designed for that.
In other words: trust us, we are from ______________ [insert big company name here]. No, thank you. I have been burned by vendors too many times.
Cisco solutions are a better combination of performance and costs. The OpenBSD box is never going to perform as well as the Cisco 28xx series and is no more secure so why go that way?
Mwa ha ha ha ha ha! Thanks, I needed the laugh.
Performance blows for general purpose hardware compared to specialized ones today.
You obviously have no idea what you are talking about. None.
Ten years ago they rocked, routers and firewalls on general purpose hardware was the the higher end of the market - today purchase a solution from Cisco if you really need it.
[More drivel follows]
A few points:
A) If you are trying to worship at the altar of Cisco, please find some other place for it. Cisco's hardware is uninteresting and overly expensive for what it does.
B) Even Cisco uses OpenSSH - which comes from OpenBSD. I really wonder why?
C) Why buy an overpriced Cisco XXXX, when a simple PC with 4 network cards and OpenBSD can do the job for half the price and three times the performance?
Crawl back under your bridge, little troll, and try to learn a bit about the real world before tooting your Cisco horn.
The right to offend is far more important than the right not to be offended. (Rowan Atkinson)
Upgrade to OpenBSD 4.7 to 4.8 is as simple as booting the machine on the CD, and selecting (U)pgrade instead of (I)nstall.
Make sure you make a backup of your /etc/ directory beforehand and you are good to go. The upgrade process should keep your configuration intact, but it never hurts to be a bit cautious.
I'll note that i have been upgrading the same machine from OpenBSD 3.9 all the way to 4.8 without major problems.
Unless you have a very good reason to, do not use ports: use (pre-compiled) packages. Upgrading packages is as simple as typing: 'pkg_add' with the correct options. See here for more details: http://openbsd.org/faq/faq15.html#PkgUpdate
That's all there is to it. OpenBSD is a very simple operating system to use, and one that is a pleasure to upgrade and maintain.
The right to offend is far more important than the right not to be offended. (Rowan Atkinson)
I think having to mess around with cylinders and whatnot is a bit silly these days, when we have "disks" which don't have anything resembling cylinders internally starting to become mainstream. It's a bit dated to say the least
You can say "the targeted users have no problem with it", and that's fine, but that pool of targeted users is bound to shrink over time (again that's fine, but many would see that as a bad thing, worth some compromises to avoid)
// MD_Update(&m,buf,j);
Make sure you make a backup of your /etc/ directory beforehand and you are good to go. The upgrade process should keep your configuration intact, but it never hurts to be a bit cautious.
For /etc upgrades, there's sysmerge.
In fact, you can run sysmerge -x xetcNN.tgz -s etcNN.tgz and answer the friendly prompts before booting into the installer for the upgrade. Then after you've done the base system upgrade, set your PKG_PATH to something sensible and run pkg_add -u to upgrade your packages. Time needed is mainly a function of how good your connectivity to the packages mirror is.
-- That grumpy BSD guy - http://bsdly.blogspot.com/
I can't believe you got modded up. MAC is not bolted on at all, it is a kernel patch. This means you end up with a different kernel, where MAC is implemented from the ground up.
Equating MAC to jails also shows you simply don't understand what MAC is.
The industry is slowly heading in implementing MAC in some form, because DAC (Discretionary Access Control, the current standard) is simply inadequate. It's not all SELinux, Microsoft have Windows Integrity Levels where low privileged processes can't write to higher level processes, Ubuntu has AppArmor etc. The industry is heading in this direction because we realize that allowing all programs to have the full set of permissions equal to the user it is running as is not ideal.
The OpenBSD team stand out in their flat our rejection of the very idea, considering it to be too complex (does not have to bee, see SMACK, Tomoko or AppArmor), or horribly understanding it to the point they equate it with an ACL. IIRC Theo has said in several interviews it is basically security theater and not useful, which is just ignorant. Given they tend to actually ignore security vulnerabilities and argue rather than admit and fix them, the project doesn't seem that security focused to me.
Sorry, but I will take a fairly secure system that grants me the granularity to protect myself in the case of an attack, as opposed to a system which claims awesome security because it comes with almost no current software and nothing running by default.
If you ignore ACs because they are anonymous - you're an idiot.
I've been using OpenBSD since 3.3, and I don't think I've ever specified anything in cylinders when setting up. The BSD disk label tool accepts arguments in size, example 20M, 20G, 20T etc.
Oolite: Elite-like game. For Mac, Linux and Windows
OpenBSD performance is not something they advertise, for good reason. If there's a trade between security and performance, they'll take security. The most noticeable example is the malloc() implementation. This is much more aggressive than any other that I've seen at returning memory to the kernel. This means that there are a lot more system calls being made by OpenBSD libc in any program that calls free() a lot and a lot more page churn (meaning more TLB misses). This hurts performance (about a 5-20% hit, depending on your benchmark), but it means that use-after-free bugs tend to crash early, rather than becoming exploitable. If you're doing HPC, OpenBSD probably isn't the system for you, but they never claimed it was.
I am TheRaven on Soylent News
And there's a very good example of this. Windows NT has had fine-grained ACLs on every single kernel object (not just files - mutexes, sockets, processes - everything that the kernel is responsible for) since its creation. Until relatively recently, UNIX systems had a very coarse-grained security system; use/group/all permissions on files, no permissions on anything that wasn't a file (although a lot of things are in UNIX), one magic user that can bypass everything. Guess which one had more vulnerabilities.
To make matters more interesting, compare the Windows NT kernel with a Linux kernel - for pretty much any time period you pick, the NT kernel will have fewer security advisories. Nothing is bypassing these fancy security mechanisms, they're just not being used. In a lot of cases, Windows users were running as the highest-privileged used and running their apps with this privilege, in spite of the fact that the kernel supports much better policies.
A door is only a security mechanism if you remember (and understand how) to close and lock it.
I am TheRaven on Soylent News
I haven't installed OpenBSD since around 3.8 (I've just done in-place updates since then), but you didn't have to specify C/H/S values for partition sizes. Values like 512M and 4.5G worked just fine.
I am TheRaven on Soylent News
OpenBSD has gone down the userspace sound daemon route, with aucat. This is much simpler than something like portaudio and provides userspace sound mixing. I generally prefer the FreeBSD approach (fully working OSS 4 compatible, with high-performance low-latency kernel sound mixing), but the OpenBSD approach (like everything else in OpenBSD) trades a little performance for a lot more security.
I am TheRaven on Soylent News
I had no problems installing Debian potato. Still, I prefer today's installer. Your point being?
The opinions of 4Front are completely irrelevant to FreeBSD - their implementation of OSS 4 is independent of 4Front. 4Front does ship an OSS 4 implementation for FreeBSD, but it lacks per-channel volume control and AC-3 pass through while playing analogue audio, both of which are supported in the FreeBSD version.
I am TheRaven on Soylent News
If your webserver is compromised in a jail, can the webpages still be defaced? Yep. Not with a proper MAC policy.
For varying definitions of compromised, you mean? If the Sysadmin has deployed a detailed MAC policy.
Running third party software that the OpenBSD team did not audit themselves which gets pwned? Far less likely with MAC. If the machine is exploited, minimal damage can be done.
This is a good argument, but it's really hard to just say "Far less likely with MAC". This is always going to be the System Administrators responsibility. In fact all aspects of system security are going to be delegated to the system's managers almost immediately. This is the point where YOU need to decide if OpenBSD will suit your needs or become to complex to manage for your particular task.
Need to restrict access from root to satisfy legal or policy requirements? Not possible with the outdated root = god model. It is possible with MAC.
This is goofy, I'm not sure I can think of a *nix system that doesn't allow you to disable root. On the other hand, I believe this is correct, with the exception that I don't believe there are any legal governance bodies in operation currently defining a proper MAC policy and implementation. Meaning that you could never prove OpenBSD was actually capable of meeting them or not, neither can you prove that SELinux meets these requirements. We only know that it did not happen while that government body was in place.
Want to restrict the permission a process has, instead of automatically granting it the same full permissions your user account has? Not possible on OpenBSD, possible with MAC. No, systrace doesn't cut it.
Setuid, of course systrace will run right over setuid, but anyone who can set policy on a MAC system is a point of priviledge elevation as well.
Hey buddy, can i bum a karma? ~}CinderellaManson{~