Slashdot Mirror


User: chriscappuccio

chriscappuccio's activity in the archive.

Stories: 0 · Comments: 194

Comments · 194

  1. Re:Quality vs OpenBSD? on FreeBSD 10.0 Released · · Score: 1

    OpenBSD has usability as a very high goal. I'd say it's more usable out of the box than FreeBSD, but that depends on what makes it usable for you...

  2. Re:Quality vs OpenBSD? on FreeBSD 10.0 Released · · Score: 1

    OpenBSD turns on a number of security features by default that FreeBSD avoids for really early backward binary compatibility (or just plain laziness). The newest feature in OpenBSD 5.5 is PIE-by-default executables on major platforms. Even Microsoft Windows implements more than FreeBSD! See Theo de Raadt's talk slides http://tech.yandex.com/events/ruBSD/2013/talks/103 for some more examples.

  3. Re:Quality vs OpenBSD? on FreeBSD 10.0 Released · · Score: 1

    Capsicum, POSIX and NFS4 ACLs are all about adding complexity to allow for greater administrative policy enforcement. To put the OpenBSD point of view into perspective with a modern example, this is exactly the kind of policy that makes NSA admins rest easy at night and exactly the kind of security that allows Edward Snowden to secretly make out with 200,000 top secret documents. Real security means the software *does*what*it*promises* which a large and complex administrative policy enforcement system can almost never do.

    In OpenBSD, security means that you eliminate bugs so that the most basic promise is held true. Adding complexity almost always does the opposite. We are talking about two completely different ideas of "security" here. This is not to say that ACL systems have no place, but rather, the systems that are smaller, easier to audit and easier to implement are going to find a place in OpenBSD long before the large and unwieldy systems could ever be incorporated.

    That being said, FreeBSD 10 was the first FreeBSD system to distribute signed packages. OpenBSD 5.5 will be the first version of OpenBSD that distributes a signed base, signed firmware and signed packages. The code is small, the benefit is clear, and the implementation (at least in OpenBSD) is obvious.

  4. Re:Very surprised that it took this long on OpenBSD Moving Towards Signed Packages — Based On D. J. Bernstein Crypto · · Score: 1

    It's already part of the -current snapshots. It will be a feature in 5.5 for base, packages and firmware.

  5. Re:Theo Theo Theo on OpenBSD Moving Towards Signed Packages — Based On D. J. Bernstein Crypto · · Score: 1

    Slow and secure are not necessarily related. There are cases where OpenBSD is 1-2% slower because of some specific security feature, such as 100% PIE executables, but the real slowdowns are from old BSD code which is slowly being reworked to be fast and efficient. There are only so many people and so many minutes in a day to make these improvements.

    The general idea on Slashdot that OpenBSD is slow because it's secure is just plain WRONG. It's slow (less and less so, I might add) because it takes time to speed it up and that is a priority for some, not all, developers.

  6. Re:Overly paranoid on OpenBSD Moving Towards Signed Packages — Based On D. J. Bernstein Crypto · · Score: 1

    Amen brother.

  7. Re:Very surprised that it took this long on OpenBSD Moving Towards Signed Packages — Based On D. J. Bernstein Crypto · · Score: 1

    I suspect you'll be very happy with the pre-release for OpenBSD 5.5. For amd64,

    ftp://ftp.openbsd.org/pub/OpenBSD/snapshots/amd64/

    and signed packages:

    ftp://ftp.openbsd.org/pub/OpenBSd/snapshots/packages/amd64/

    It's also quite nice on the desktop, with Intel and Radeon KMS from the Linux 3.8 series.

  8. Re:Very surprised that it took this long on OpenBSD Moving Towards Signed Packages — Based On D. J. Bernstein Crypto · · Score: 1

    You do have to download the source...

  9. Re:Very surprised that it took this long on OpenBSD Moving Towards Signed Packages — Based On D. J. Bernstein Crypto · · Score: 1

    Or Windows 8.1 which requires, well, a LOT of floppies.

    http://blog.dk.sg/2013/10/25/upgrading-to-windows-8-1-using-3-5-floppy-disks/

  10. Re:Too expensive on OpenBSD Moving Towards Signed Packages — Based On D. J. Bernstein Crypto · · Score: 1

    Signing with pkg_add+signify was designed to add negligible time to the package building process. It was carefully incorporated to this end. And it works quite nicely.

  11. Re:arc4random on OpenBSD Moving Towards Signed Packages — Based On D. J. Bernstein Crypto · · Score: 1

    Indeed, arc4random is ChaCha20-based in OpenBSD 5.5.

  12. You're thinking about FreeBSD.

  13. Re:Overly paranoid on OpenBSD Moving Towards Signed Packages — Based On D. J. Bernstein Crypto · · Score: 1

    You don't have a fucking clue what you're talking about.

    You are wrong on all counts, from making life "too difficult for end users" (OpenBSD is one of the easiest systems to set up routing/firewalling on) to "never embraced the most recent release of anything" (the ports tree is much quicker than most Linux distros) to the idea that OpenBSD's signing tool was designed to be small solely to fit on a floppy. That's not true. It's designed to be small because THERE'S NO REASON FOR IT TO BE LARGE AND HARD TO UNDERSTAND. That's a recipe for disaster.

  14. Re:Floppy disks? on OpenBSD Moving Towards Signed Packages — Based On D. J. Bernstein Crypto · · Score: 1

    The "general usability of the system" is actually one of the top priorities. Sane defaults, few knobs, easy installer. Of course, if "usable" means "GUI that my grandmother could use" then maybe it doesn't fit your definition. But, "usable" for anyone who has any CLI experience whatsoever means that OpenBSD is going to be quicker to install, and easier to get up and running for a particular purpose than almost any other system available.

  15. Re:Floppy disks? on OpenBSD Moving Towards Signed Packages — Based On D. J. Bernstein Crypto · · Score: 1

    It's about discipline more than supporting old hardware. Maybe you've heard of it?

  16. Re:Very surprised that it took this long on OpenBSD Moving Towards Signed Packages — Based On D. J. Bernstein Crypto · · Score: 1

    Nobody uses OpenBSD outright? Wow. I could have sworn that over 80 computers in my immediate vicinity at home and work run... hmm... What is that called? OpenBSD?? Yeah, I think that's what they run.

  17. Re:Very surprised that it took this long on OpenBSD Moving Towards Signed Packages — Based On D. J. Bernstein Crypto · · Score: -1, Flamebait

    This is as much a form of discipline as it is to support older hardware. Discipline, something you may not be familiar with.

  18. Re:Very surprised that it took this long on OpenBSD Moving Towards Signed Packages — Based On D. J. Bernstein Crypto · · Score: 1

    Please explain how floppy support is degrading security. I'd like to see this one.

  19. Re:Very surprised that it took this long on OpenBSD Moving Towards Signed Packages — Based On D. J. Bernstein Crypto · · Score: 1

    You're wrong. Using binary packages IS the recommended way to go in OpenBSD land.

  20. Re:Very surprised that it took this long on OpenBSD Moving Towards Signed Packages — Based On D. J. Bernstein Crypto · · Score: 1

    If you get packages from an official FTP/HTTP site or CD, then chances are, your biggest adversary is 1. someone who can perform DNS poisoning or 2. the NSA. Guess which one helped spur this into action, at least in some small way?

    FreeBSD 10 is the first to offer signed packages, and it is just coming out now. OpenBSD 5.5 isn't that far away.

    https://lists.freebsd.org/pipermail/freebsd-pkg/2013-October/000107.html

  21. Re:Very surprised that it took this long on OpenBSD Moving Towards Signed Packages — Based On D. J. Bernstein Crypto · · Score: 1

    Yeah, because using a large and unwieldy package would have made it so much more useful, trustworthy, right?

  22. Charter schools in Oregon on How Good Are Charter Schools For the Public School System? · · Score: 2

    I've had experience with charter schools in Coos Bay and Redmond, Oregon. Both have been a sort of alternative place for kids who don't fit into the social mainstream. Both have been accepting of kids regardless of performance. Both have used alternative teaching styles, both have been free from district funding and district control for the most part. And it comes down to the desires of teachers and parents, and the kind of environment they want to create and participate in. They aren't particularly better or worse than the mainstream schools, and they take away less funding from the local district because they receive federal dollars. That can't go on forever, the whole experiment seems fragile. But it has been better for our family to have more options, because hey I'm sitting here posting on Slashdot at 7 AM, and frankly, our family doesn't fit in with the social mainstream (if you want to summarize it that way).

    I have no idea if the quality of education is better, but at least in my experience, there is no elitism, if anything the 'alternative' charter schools are generally looked down upon. But so are the regular schools anymore. All I can say for sure is that some of our kids like attending the charter schools more because of the curriculum, the teachers and the attitudes, while others don't. And that is what it comes down to, is the kids getting the best experience, which I certainly didn't in school.

    The charters are renting old school district properties in Redmond (as well as many other services from them), the net effect being that the local school district gets more money per non-charter student, at least while federal funding is in place.

  23. Re:Good or Bad on How Good Are Charter Schools For the Public School System? · · Score: 1

    I haven't seen low-performing students turned away, rather, parents who sign up too late are on a waiting list. That's about it.

  24. Re:Turning away student on How Good Are Charter Schools For the Public School System? · · Score: 3, Insightful

    In my experience, charter schools in Oregon have only one prequalification: you have to get in early enough before the classes are full. Otherwise, the main difference is that the schools are not closely managed by their local school district, because they receive federal funding and not state/district funding. And in our situations, this has been a generally positive experience.

  25. Re:All of it to be spent hiring the cheapest talen on IBM VP Talks About Another $1 Billion for Linux Development (Video) · · Score: 1

    I'm not sure if I'm grasping the full significance of this post. But, I like it.