OpenBSD 5.5 Released

ConstantineM (965345) writes "Just as per the schedule, OpenBSD 5.5 was released today, May 1, 2014. The theme of the 5.5 release is Wrap in Time, which represents a significant achievement of changing time_t to int64_t on all platforms, as well as ensuring that all of the 8k+ OpenBSD ports still continue to build and work properly, thus doing all the heavy lifting and paving the way for all other operating systems to make the transition to 64-bit time an easier task down the line. Signed releases and packages and the new signify utility are another big selling point of 5.5, as well as OpenSSH 6.6, which includes lots of DJB crypto like chacha20-poly1305, plus lots of other goodies."

YAY for BSD

[CheshireDragon]

Even though I've never used it...

Re:YAY for BSD

Fire up a VM and try it out, OpenBSD is a really nice OS to work with IMO.

Re:YAY for BSD

[i+kan+reed]

Yep, that's pretty much what 99.7% of people can contribute to this discussion(maybe 95% of slashdotters specifically, but still).

You can kinda go "Yay open source operating system that creates a bit of systemic competitive pressure to keep updating other open source operating systems through some really bizarre application of economics towards a system built around entirely free exchange"

It gets real abstract.

Re: YAY for BSD

[the_humeister]

If not for the lack of ZFS, I would use OpenBSD. Instead my fileserver is running FreeBSD 10.

Re:YAY for BSD

[QuietLagoon]

And there you go with the problem with it. OpenBSD has no holes in the install...

Regardless of how you use an operating system, if the OS foundation is not secure, then anything you put on top of it cannot be secure.

At least OpenBSD provides the secure foundation upon which you can build what you'd like. The security of what you build on top of OpenBSD is your responsibility.

Re:YAY for BSD

[Kremmy]

There's a little bit of header, a little bit of license, BSD...

It's the silent protagonist in the technological world - they build and refine the technology that seeps into all other operating systems.
The code is licensed so liberally that Stallman's arguments literally boil down to "everyone can use it so it's not free".
If you dig into the credits portion of almost any software, it's there.
We all use BSD.

Re:YAY for BSD

[wonkey_monkey]

It gets real abstract.

Well, which is it?

Re:YAY for BSD

Stallman has never called the BSD license non-free. You're either delusional or a liar.
All free software licenses are wonderful for us users. Copyleft ones are also wonderful for free software as a whole.

Re: YAY for BSD

How to update Open BSD: insert CD, boot CD, select update. Wait a few minutes. Upgrade ports. Wait a few minutes. You are done.

No CD? Copy base files to machine through SSH. Install files. Reboot. Upgrade ports. Wait a few minutes. You are done.

Any other questions?

Re: YAY for BSD

[unixisc]

Which file system do they use?

Re: YAY for BSD

You got it. I've updated remote (read: "in other countries") OpenBSD machines for over a decade. There is still the anxiety of waiting for the system to boot, but I don't recall ever having it blow up on me.

Re:YAY for BSD

[CODiNE]

The former latter.

Re:YAY for BSD

[metrix007]

Yeah, no. Heartbleed showed how meaningless theire claims of a secure default install are in this day and age.

It used to mean something against Windows Servers and Linux Distros that had everything enabled by default, but not so much these days.

All these years, and they hadn't even audited openssl, a key core component of the default install.

Re: YAY for BSD

[rubycodez]

openbsd has the Unix FFS (up to about 1TB volume size) and FFS2 (up to 8 zettabytes volume size)

Re:YAY for BSD

The code is licensed so liberally that Stallman's arguments literally boil down to "everyone can use it so it's not free".

Given that Stallman's main organisation, the Free Software Foundation, almost actively supports the BSD license, declaring it a Free Software License compatible with the GPL, I wonder what it is that drives you to say such a thing. A feeling that since the truth normally supports Richard, it's worth spreading almost any lie in the hope of discrediting him?

Re:YAY for BSD

[rubycodez]

it is a joke, you're funny

you could have made a backup copy of fstab before dicking with it. or followed the excellent OpenBSD documentation and made backup root partition.

Re:YAY for BSD

[rubycodez]

you sure? your printer doesn't have have controller running BSD? or network appliance?

Re:YAY for BSD

[Arker]

"The code is licensed so liberally that Stallman's arguments literally boil down to "everyone can use it so it's not free"."

Stallman has always acknowledged it as Free and continues to do so.

Dont be a troll.

Re:YAY for BSD

[Dan+Ost]

I was under the impression that OpenBSD did not enable heartbeats by default and, as such, was not vulnerable to Heartbleed by default.

Am I wrong?

Re:YAY for BSD

[Kremmy]

That is EXACTLY what he is saying given his comments regarding LLVM.
Referring to this post in particular.
His stance is a demonization of liberally licensed code, to a very unfortunate degree.
I am absolutely not trolling when I say that man has given up freedom for ideology.

Re: YAY for BSD

[unixisc]

So FFS2 - how does it compare w/ ZFS, aside from license (which I'm assuming here is ISC, right?)

Re:YAY for BSD

[davester666]

OMG. Lesbians are recommending the use of OpenBSD. I have just got to install it, just to be like lesbians.

Re:YAY for BSD

OpenBSD have software in place that wouldn't allow the Heartbleed bug to work in the first place. As soon as a Heartbleed event occurred, the OpenSSL software would immediately terminate in OpenBSD.

Re: YAY for BSD

[TheRaven64]

FFS2 is basically the original Berkeley FFS (also known as UFS, but there are at least half a dozen incompatible filesystems called UFS, so that just gets confusing) with some extensions. It basically just increases the size of various fields in the inode data structure so that various limits are much larger. I'm not familiar with the OpenBSD implementation, but on FreeBSD it also supports soft updates (where metadata and data writes are sequenced so that the filesystem is aways consistent, although fsck may be required to clean up) and journalling. Aside from that, it's a fairly conventional inode-based FS. If you want snapshots, FreeBSD provides them at the block layer via GEOM (I don't know what the OpenBSD equivalent is).

In contrast, ZFS rearranges all of the layering. At the lowest level, you have a set of physical devices that are combined into a single virtual device. On top of this is a layer that's responsible for storing objects and providing a transactional copy-on-right interface to the underlying storage. On top of this, you layer something that looks like a POSIX filesystem, or something that looks like a block device (or, in theory, something that looks like an SQL database or whatever).

For the user, this means that a load of things are easy with ZFS that are hard with UFS:

• Creating snapshots with ZFS is a O(1) operation.
• Creating new filesystems with ZFS is about has hard as creating directories.
• Filesystems all have block-level checksums, can have multiple copies of files (if they're used for important stuff) on a single volume.
• Compression and deduplication can be enabled on a per-filesystem basis. With UFS, there's no deduplication (although it would be possible to write a block-level dedup implementation for GEOM), and compression is handled at the block device layer.
• You can delegate the rights to create and modify filesystem properties into jails safely with ZFS (not relevant to OpenBSD, as it lacks jails).

Re:YAY for BSD

[TheRaven64]

Not true. It would have done if OpenSSL hadn't used a custom allocator, but the use of the custom allocator bypassed the policy in OpenBSD's malloc() that aggressively returns unused pages to the OS and causes this kind of fault. And why does OpenSSL have this custom allocator? Because without it people complain that malloc() implementations like the one in OpenBSD are too slow...

Re:YAY for BSD

[Arker]

"That is EXACTLY what he is saying given his comments regarding LLVM.
Referring to this post in particular."

I suggest you re-read his post. If your opinion has not corrected by then, you might need to seek remedial help in Reading or English. "EXACTLY" and "not at all" are not synonyms, and this is actually not at all what he is saying in that post.

Re:YAY for BSD

[metrix007]

Honestly I'm not sure. If heartbleeds are not enabled that's great.

It still lessons their claim since they missed a vulnerability from 2011 in the base install. No doubt there are others.

Re:YAY for BSD

[Arker]

Q. Where in that does he say the BSD license is not Free?

A. Nowhere.

"What is the correct interpretation of his comment that BSD devs basically avoid talking about freedom if it doesn't mean it isn't truly free?"

That despite being Free they do not share the values and goals of copyleft, do not recognise or care about the need for copyleft.

Free Software: https://www.gnu.org/philosophy/free-sw.html

Copyleft: https://www.gnu.org/copyleft/

List of Free Software Licenses: https://www.gnu.org/licenses/license-list.html

All of these licenses are recognised as Free. Yet there are still differences between them, and reasons to prefer one over another.

Free software is the superset, copyleft is the subset. Which is to say all copyleft software is Free, but not all Free software is copyleft.

The Free Software foundation exists to promote Free Software. It also promotes copyleft specifically (in most but not all circumstances) because that type of Free Software not only means Freedom for users today, but helps to ensure that future users will still have Freedom tomorrow.

LLVM is Free, but it's not copyleft. And if you care about Freedom down the line, not just your Freedom here today but the future of it in 5 or 10 or 20 years, that could be very significant. That's why he's worried.

Re: YAY for BSD

[rubycodez]

OpenBSD does have soft updates which are optionally enabled at mount time. It also has software RAID 0 or 1, and 1 allows more than two volumes to be mirrored, kind of like a hot spare that doesn't need rebuild time.

So it's not as full featured as ZFS, though compared to most linux filesystems the FFS and FFS2 are extremely robust at surviving unexpected power failure.

Re:YAY for BSD

[Kremmy]

I don't consider this a special case. As you've just said, people have been trying to replace GCC for ages. There are a lot of motivations for that, many of which coming down to a distaste for the GPL. There have been hard criticisms for a long time. I've personally run into some of the stranger code malformation issues affecting certain versions while compiling my own code. I think they may have been bit by the same hubris that affects the rest of the software organizations, which leads us to crap like Metro and Unity. I'm really pleased with LLVM shaking up this particular tree - it REALLY needed it, monopolies are bad for EVERYONE and GCC had been the free compiler monopoly for how long?

Re: YAY for BSD

[evilviper]

Creating snapshots with ZFS is a O(1) operation.

That doesn't relate to any of the (layering) changes you listed. That's a simple byproduct of ZFS being a copy-on-write (CoW) file system, unlike most other popular file systems. But there are other CoW file systems out there, which similarly have O(1) snapshots.

Re:YAY for BSD

[evilviper]

...until you put a typo in /etc/fstab when you're not used to plain old vi, and get to discover the joys of learning ed. Without a man page because that was in /usr too.

Some reason you can't just manually run "mount" from the command-line to mount the /usr partition, and get vi and man pages back?

And is there some reason you couldn't just visit the website to access the man pages?

http://www.openbsd.org/cgi-bin...

Re:YAY for BSD

[evilviper]

No, the manual is on the file system, and they're far better than the crap documentation you get from Linux or other Unixes. It just also happens to be available, in a convenient location on the web.

*Ahem*

oblig

Re:*Ahem*

[ledow]

Except we're not on 64-bit.

The full announcement tells you that a load of things had to be converted to unsigned 32-bit because that's all you could do.

And they can conceivably affect things in your children's lifetimes (if not before, with long date calculations like mortgages etc.).

Fact is, however, that system support for 64-bit time only means your taskbar clock will go up that far. It means nothing in terms of your application actually supporting and calculating things correctly once we get anywhere near 2038.

Conceivably, those places offering 30-year mortgages etc. were handling those dates several years ago. They involve a lot of money so likely they are okay.

But whether your we get everything like your phone, satnav, car, embedded devices etc. all onto full 64-bit time OS and 64-bit time applications BEFORE they're predicted-end-of-life would go through 2038 - that's a different question entirely.

Re:*Ahem*

[fnj]

Making time_t an int64_t instead of an int32_t has absolutely NOTHING to do with whether the architecture is 32 or 64 bits. An application that does time manipulations NOT using time_t is a stupid, broken application.

Missing libReSSL, as expected

Before anyone asks, no, this new version of OpenBSD (version 5.5) does not include libReSSL yet.
That's not how OpenBSD operates. Neat announcements made even a month before an OpenBSD release do not usually appear in the very next OpenBSD release. There are cutoffs/deadlines, and the OpenBSD group is far more interesting in ensuring reliability than flashy new code that is only partially ready.
If you check the libReSSL.org website, libReSSL is planning to be included in OpenBSD 5.6, which I expect will be released on November 1, 2014. The OpenBSD group has a solid track record of making their official releases publicly available by the expected date.
To see an overview on what did get included in this version (like signed packages), see the release notes (which is pointed to by the first hyperlink of this Slashdot news story).

Next release...

[msauve]

The next release is scheduled for a few years prior to Sunday, 4 December 292,277,026,596.

Re:Next release...

[unixisc]

I was gonna ask - which year would people have to look out for now?

Re:Next release...

[fnj]

[time between releases is] just really prolonged compared to other *nix distros

Horse shit. It's exactly the same timing as Ubuntu and Fedora and much qicker than Debian and Redhat Enterprise.

Re: *BSD is dying

[ConstantineM]

http://meta.unix.stackexchange...

Re:Why not try it?

[i+kan+reed]

Why do we not like scripts? Honest question.

Re:Why not try it?

How do you even change the ip address from the command line?

"ip addr add $IP_NUM dev $IP_DEV"

Or, if you like, you can use ifconfig, even though that's obsolete.

They'll collect your nerd card on the way out, troll.

Re:Why not try it?

[Jakeula]

What an odd measure of the quality of an OS. Like changing your IP from the command line is something that speaks to how well Linux has been developed. And you can change your IP from the command line. ifconfig does this just fine, even if its not the preferred method. you can also do something like this: sudo ip addr add xxx.xxx.xxx.xxx
but I guess I just fed a troll, so jokes on me.

USB Installer!

[Dimwit]

There's a USB installation image for i386 and amd64! Finally! Dear lord, it's been years. That's as big a deal as the time_t thing for me.

Re:USB Installer!

A more flexible way to create an OpenBSD flash installer:
http://blog.breeno.net/2014/02/creating-flexible-openbsd-usb-installer.html

NetBSD time_t

I use OpenBSD almost exclusively, but in all fairness NetBSD was the first to move to a 64-bit time_t on all its platforms.

Also, there's no chance that Linux would ever make such a jump. They'll invent something complex and annoying to maintain backward compatibility with all the proprietary crapware. OpenBSD and NetBSD can do it because they're not afraid to make everybody recompile their software.

(For people who don't understand the issue: on NetBSD and OpenBSD time_t is now 64-bits, even on 32-bit platforms. So the 2038 problem is non-existent going forward, even for 32-bit software.)

Re:NetBSD time_t

[unixisc]

I think you got it the other way around - it's Linux that's unafraid to break backwards compatibility, while the BSDs are pretty religious about that point

Re:NetBSD time_t

[rubycodez]

but this openbsd release is a "flag day" release, meaning it *will* break old binaries, they need to be recompiled.

Re:NetBSD time_t

[TheRaven64]

On x86, you can (now) use the x32 ABI to get the same effect. The problem comes when you need to run one or two 64-bit binaries. Now they are pulling in a different libc and so on and the extra i-cache churn from multiple copies of the same library can quickly offset the reduced d-cache churn from smaller pointers (main memory usage is largely irrelevant: it's rarely a bottleneck and the average 5-10% saving from reduced pointer size is in the noise).

Re:Why not try it?

[jones_supa]

They break easily and are slow to interpret.

Re:Damn OpenBSD

[jones_supa]

You should call yourself lucky. I just made the finishing touches to my Y2K survival basement.

Not quite

[ArchieBunker]

Wasn't that easy on my BeagleBone Black board http://derekmolloy.ie/set-ip-a...

How anyone is supposed to figure that out is beyond me. Is a script calling ifconfig too good for you people?

Re:Why not try it?

[ArchieBunker]

Its not one script anymore. Its one script hundreds of lines long that calls other scripts to finally accomplish something you could do with seconds and ifconfig. Don't get me started with the mess systemd is.

So how does it perform?

I have used OpenBSD a number of times over the years but when I have tried to use it as a high performance server it falls on its face. Has it gotten any better?

Re:So how does it perform?

OpenBSD is not meant to be the fastest or most scalable OS in the world -- just the safest. The right tool for the job. You use OpenBSD as a firewall in front of your high performance server, which can then run whatever OS you choose. I wouldn't trust anything else. More specifically, the bare bones, well documented, best practice coded, continuously audited, secure by default approach means you can deploy an OpenBSD firewall router with minimal effort and minimal worry. Save the worry and effort for the potentially less secure OS's that are running behind the firewall.

Can I relax now?

[NMBob]

Does this mean I don't have to worry about Tuesday January 19, 2038 at 03:14:07 UTC anymore? What's the new date/time when things will crash and burn?

Re:Can I relax now?

[Jurily]

Using a signed 64-bit value introduces a new wraparound date that is over twenty times greater than the estimated age of the universe: approximately 292 billion years from now, at 15:30:08 on Sunday, 4 December 292,277,026,596.

Re:Can I relax now?

[NMBob]

Yeah, but isn't it going to take like 10^500 (or is it 10^800?) years for all of the baryons to fizzle out? Rats. More code to write.

Everyone forgot the most important bit!

[ConstantineM]

5.5 base signify pubkey: RWRGy8gxk9N9314J0gh9U02lA7s8i6ITajJiNgxQOndvXvM5ZPX+nQ9h
5.5 fw signify pubkey: RWTdVOhdk5qyNktv0iGV6OpaVfogGxTYc1bbkaUhFlExmclYvpJR/opO
5.5 pkg signify pubkey: RWQQC1M9dhm/tja/ktitJs/QVI1kGTQr7W7jtUmdZ4uTp+4yZJ6RRHb5

Re:Why not try it?

[i+kan+reed]

Break easy compared to machine code in some specific way?

Re:Why not try it?

[metrix007]

You use the same tools the scripts use. Ifconfig.

Choose a better distro and things wont be so obfuscated.

Re:Why not try it?

[just_another_sean]

/sbin/ifconfig

It's not just for listing!

Re:Heartbleed not fixed in 5.5 by default

[rubycodez]

patching openbsd is usually this dance:

1. wget or whatever to download the patch
2. best practice, use "signify" to check signature
3. cd /usr/src and apply patch with patch -p0 my_patch.txt
4. make obj; make; make install

Re:Why not try it?

[jones_supa]

Not in any specific way. For example when a called subprogram returns an unexpected result, or a result in an unexpected format. Also when the script interpreter is upgraded, it might break something. Heck, sometimes the problem is caused by something silly like a space in a file name.

Re:Heartbleed not fixed in 5.5 by default

[rubycodez]

oh, slashdot filter knocked out the < sign; nice going for a supposed geek tech forum eh?

Re:Why not try it?

[i+kan+reed]

That is to say: it's software.

/. IS a geek tech forum

[ConstantineM]

patch -p0 < 005_openssl.patch.sig

Signed packages!

[aNonnyMouseCowered]

No, the biggest thing for me is the signed packages. For a security-focused distribution, the lack of signed packages seemed quite ironic.

Re:Heartbleed not fixed in 5.5 by default

[machine321]

A third party has created an auto-update app.

https://stable.mtier.org/

Wayland

[unixisc]

Does OBSD include support for Wayland in 5.5? Is it stated for a future version, or have they decided to stay w/ X11?

Re:Wayland

[iggymanz]

no it doesn't, just X

so far wayland has less features than X, but who knows about the future

Re:Why not try it?

[jones_supa]

Not really. Machine code is more robust and, as I said, faster. There might still be other good reasons to use scripts, I'm not denying that. They are easier to maintain, for example.

Re:Damn OpenBSD

[TheRaven64]

Pretty much all 64-bit systems have used 64-bit time_t forever, so the Y2038 problem is only an issue if people are still using 32-bit platforms in 24 years. Given that even ARM is now 64-bit, that seems quite unlikely (none of those old mainframes that were a problem for Y2K have this problem and most databases use 64-bit time values because people care about dates further in the past than can be expressed with a 32-bit UNIX time_t). Of course, Google has just released a new Java implementation for Android that does a load of void* to int32_t casts all over the place and is going to be almost a total rewrite to port to a 64-bit architecture, so you can't always trust big software companies not to be complete idiots...

Re:You are correct

[TheRaven64]

Especially anything that used threads. Going from a strongly ordered x86, where basically anything is sequentially consistent for free, to the extremely weakly ordered Alpha, where things are only visible between threads with explicit barriers breaks a lot of stuff where people only tested on x86. ARM has a similar problem.

Re:Why not try it?

Good thing we have systemd to bring all of that Windows goodness to Linux.

Re:Heartbleed not fixed in 5.5 by default

[iggymanz]

some caveats, that only does i386 and amd64. the package manager in openbsd automatically updates packages anyway, as for the openbsd binaries despite what that mtier.org says it's very simple and fast to update, in less than four minutes I had applied all outstanding patches to a system I brought up today.

Re:Heartbleed not fixed in 5.5 by default

[iggymanz]

by "automatic" I mean you type in pkg_add -u and it then updates all packages that have updates

Re:Why not try it?

[evilviper]

You use the same tools the scripts use. Ifconfig.

Nope, doesn't work on Linux. NetworkManager or some other daemon will come along and overwrite your manual ifconfig change in short order.