Slashdot Mirror
Bug Busters! OpenBSD 5.1 Released
An anonymous reader writes "Today the 5.1 release of OpenBSD has surfaced. As usual, it includes improved hardware support, but also OpenSSH 6.0 and over 7000 ports, with major performance and stability improvements in the package build process (and some really cool stickers). Here's the changelog, the download page, and the CD-ordering page. "
Netcaft is dead....
by TheSpoom (715771) Uncaring Linux user here. I have nothing to add to this but please continue. *munches popcorn*
OpenBSD ports are a set of makefiles that will build packages, not OS 'ports' like you are thinking.
Sent from my PDP-11
Given that OpenSSH alone is the most used FOSS program, and there is virtually no corporate contributions, I think Theo just has lost patience for people who come on the lists and complain.
There was a brief time, four or five years ago, when something (expat maybe?) was mistakenly placed in xbase, so you had to install the xbase set for a whole bunch of ports/packages. That situation didn't last. And even then, you didn't have to run X.
What has changed since the beginning that made OpenBSD less relevant?
c++;
This is true, but the base install is pretty limited, so it's hard to compare, really.
(I think it's been three holes since the dawn of OpenBSD, by the way).
That said I still use it on some of my outward-facing stuff. PF is great. The pre-chrooted httpd is nice. Some other parts, not so much, though... can't think of a good example right now, but once in a while I run into things that amaze me with backwards-ness compared to my linux boxes.
Oh, and the documentation is a work of art compared to linux. That's a really nice feature.
Sent from my PDP-11
This is true, but the base install is pretty limited, so it's hard to compare, really.
That's not a bug: it's a feature. I know you already know that, but I mention it for the benefit of people not already familiar with OpenBSD. OpenBSD installs almost nothing by default, to the point that many systems don't even have man pages or a compiler. Fewer things installed = few things to break = fewer attack vectors = fewer things to maintain.
That also means that it's trivially easy to deploy a task-specific server that runs almost nothing not directly related to performing that task. For example, here are all the processes running after booting a particular mail gateway:
So we have init (boots the system; makes sure things are running that are supposed to be); the system event logger; the firewall event logger; an NTP daemon to keep the time set correctly; the SSH daemon I used to connect into it; Sendmail (the OpenBSD-hardened version); the scheduled task manager; my shell process; and the program that listens for console logins. There's just not a lot you can strip away from that.
Here's the list of open sockets that an external user can connect to:
So SMTP (25 and 587) and SSH are listening. Again, that's as minimal as you can feasibly get. Well, I suppose you could axe everything firewall related, since the only open ports are to services that are deliberately exposed to the Internet already, but security comes in layers.
It's obviously possible to build secure systems with other OSes, but OpenBSD goes a long way toward making it easy. "Secure by default" is a wonderful starting point!
Oh, and pf has the most beautiful firewall rule syntax of any system I've ever used.
Dewey, what part of this looks like authorities should be involved?
The OS I'm using has 65536 ports.
And if you're running Windows, there's a good chance they're all in use.
Dewey, what part of this looks like authorities should be involved?
...the base install is pretty limited...
The base install is painstakingly audited. They look for all bugs, even ones that have no apparent means of exploitation. This has often resulted in OpenBSD being unaffected by holes discovered in other systems. The same degree of assurance cannot be extended to thousands of ports, however, so a line is drawn around the base install.
That being said, I've heard that Theo expects that one should be able to 'cd /usr/ports' and 'make install' - to build and install every port in the tree - without error. What other OS has the balls to pull that off?
OpenBSD installs almost nothing by default, to the point that many systems don't even have man pages or a compiler.
The standard install includes everything required by the Single UNIX Specification, including man pages and a compiler. You can choose not to install them, but that typically only happens on small embedded systems with 16-64MB of Flash.
Fewer things installed = few things to break = fewer attack vectors = fewer things to maintain
It also means you don't get the situation like Ubuntu where every time I turn on the system I have running Ubuntu it wants to install 200+MB of updates for stuff I never use and don't want installed.
I am TheRaven on Soylent News
Theo just has lost patience for people
That's simply not true. Theo has lost patience with whiners who want someone else to do their thinking for him.
I've got polite, helpful responses personally from Theo. I was trying to build a module (despite all the dire warnings how not to do this or ask questions and how unsupported it is) so I could hack on the drivers for a moderately exotic piece of hardware. I posted questions. He was one of the people with a response.
It turns out that if you know that the mailing list doesn't suffer fools, you work that little bit harder to write a sensible mail.
You double check everything and make sure you read the docs. This catches many of the bugs initially and then you don't need to post in the first place. If it doesn't fix the problem, it gives the mailing list inhabitants a good indication of what the problem is.
To me it seems unbelievible rude to ask some of the world experts for a bit of their time to help without bothering to check the things that you need help on. I just don't understand how most other people don't also see this as rude.
SJW n. One who posts facts.