OpenBSD 3.1 Released

Telent writes "OpenBSD 3.1 is out. I've been using a -current snapshot from April as my desktop, and this is truly an amazing release with lots of new PF tricks, improved driver support, and many other cool things. Get it from the master site at ftp.openbsd.org, or use a mirror when possible. Even the release art kicks butt. Enjoy!"

Thanks...

[L.J. Hanson (936)]

Congratulations OpenBSD team. Thanks for another great release.

MicroBSD

[chrysalis (50680)]

Has anyone looked at the MicroBSD [microbsd.net] project yet?

It's based upon an OpenBSD-current kernel (so you get PF and all the great OpenBSD stuff), with FreeBSD tools, an hardened installation, custom additions and ports, a stripped-down base, etc.

Re:MicroBSD

[Reziac (43301)]

I'd be happy to look (I like BSD and think a micro install sounds like a Good Idea), but their site has a crapload of improperly terminated tags, so it displays blank in Netscape. (IE of course doesn't care about bad tags and will render it anyway. No doubt part of why IE has those nifty frame and CSS hijack holes.)

PF for bridging.

[saintlupus (227599)]

truly an amazing release with lots of new PF tricks

I've been toying with the idea of using OpenBSD on a P75 as a wired-to-wireless network bridge. Essentially, I want to be able to have data go from my desktop machine, to this bridging computer, to a wireless AP, to the machines on the wired network that the AP is hooked up to.

Unfortunately, I've got no experience with IPF or PF, since all of my NAT needs are taken care of by a cheap-o Linksys router.

Anyone have a link for good introductory material on doing something like this?

--saint

Re:PF for bridging.

[Troodon (213660)]

Theres a good guide to setting up openbsd IPF firewalls here [openlysecure.org]

Re:PF for bridging.

[Troodon (213660)]

These might be also helpful:

OpenBSD Packet Filter [benzedrine.cx]

Re: pf and statesfull filtering on a bridge [theaimsgroup.com]

The OpenBSD Packet Filter HOWTO [deadly.org]

Re:PF for bridging.

[Publicus (415536)]

Maybe not exactly what you're looking for, but this [phpwebhosting.com] is what got me introduced to OpenBSD and ipf.

Beyond that I'd check out the documentation for IPFilter [obfuscation.org] and PF [demon.nl]. Both are very good.

Well...not quite

[TrumpetPower! (190615)]

3.1 still hasn't been officially announced:

To: Ben Goren <ben@trumpetpower.com>
Cc: misc@openbsd.org
Subject: Re: Are we there yet?
Date: Sun, 19 May 2002 11:26:07 -0600
From: "Todd C. Miller" <Todd.Miller@courtesan.com>

In message
<20020519101502.O11398@trumpetpower.com>
so spake Ben Goren (ben):

> So, are we there yet? Are we there yet? Huh? Huh? Are we there
> yet?

The files have been transferring to the main ftp mirror since last
night. Once that is done they will move to the secondary mirrors
and the email announcement will be sent out.

- todd

So, check back soon.

b&

*Now* (was: Re:Well...not quite)

[TrumpetPower! (190615)]

Okay, now it's official. Here's the announcement:

To: announce@openbsd.org
Subject: OpenBSD 3.1 Released!
Date: Sun, 19 May 2002 15:03:44 -0600
From: "Todd C. Miller" <Todd.Miller@courtesan.com>

- OpenBSD 3.1 RELEASED -

May 19, 2002.

It is our pleasure to officially announce the release of OpenBSD
3.1. This year OpenBSD turns 7 years old. In celebration of this
milestone, we invite you to enjoy our 11th release on CD-ROM (and
12th via FTP). We continue to celebrate OpenBSD's record of four
years without a remote hole in the default install. Just like all
of our previous releases, 3.1 provides significant improvements,
including new features, in nearly all areas of the system:

- Improved hardware support (http://www.OpenBSD.org/plat.html)

o Much improved support for UltraSPARC hardware. More models are
supported and X11 works on all supported models.

o Improved 802.11b support, including a host-based access point
mode for Prism chipsets (i.e. wireless bridging). It is now
possible to completely configure a wireless interface using ifconfig.

o The hardware crypto drivers now work on all PCI platforms.

o Major macppc improvements including a brand new pmap module
that cut 'make build' time by over an hour.

o Tekram TRM-S1040 based PCI SCSI controllers are now supported.

o Creative SB Live! cards are now supported.

o HiFn 7811 is now supported by the hifn driver. A long-standing
bug causing PCI aborts has also been fixed in the hifn driver.

o Kernel support for Altivec on the macppc platform.

- Major improvements in the pf packet filter:

o Significant performance improvements due to additional optimizations
based on detailed benchmarks. Filter rule evaluation cost
(which occurs for every packet that isn't passed statefully)
is reduced by about 70%.

o Stateful filtering (including address translation and redirection)
for arbitrary IP protocols other than TCP, UDP and ICMP, for
instance GRE (used for IPsec/PPTP).

o Configurable memory limits (preventing memory exhaustion).
'pfctl -m' can set an upper bound on the number of simultaneous
states or fragments.

o authpf(8), an authenticating gateway user shell, modifies filter
rules when a user logs in, controlling network access at the user
level.

o New 'fastroute', 'route-to' and 'dup-to' options allow pf to
route packets independently of the system routing table. This
can be used to e.g., implement source-based routing or to
duplicate packets to an IDS or logging host.

o Parser improvements allow further reduction of rule set complexity
('no nat', rdr port ranges, and more).

o Rule labels simplify usage of counters for accounting ('pass in
from any to any port www label http_requests').

o The 'no-route' keyword in filter rules matches packets with non-
routable addresses. E.g., 'block in quick from no-route to any'
blocks packets from non-routable source addresses.

o tcpdump(8) expressions can filter pf logs on pf-specific fields.
E.g. 'tcpdump -i pflog0 action block' prints only blocked packets.

o Additional ioctls for adding and removing state entries (used by
proxies, authpf(8) and pfctl(8)).

- Ever-improving security (http://www.OpenBSD.org/security.html)

o More fixes for potential signal handler races. Work is ongoing in
this area to fix the signal handlers in all programs, not just
privileged ones.

o sshd now supports a privilege separation mode where all incoming
network traffic takes place in an unprivileged process.

o A number of memory leaks that could lead to denial of service
attacks have been plugged.

o Several other security issues fixed throughout the system, many
of which were identified by members of the OpenBSD team themselves.
Please see http://www.OpenBSD.org/errata30.html for more details
on what was fixed.

- New subsystems included with 3.1

o A version of the venerable spell program is now included.

o Generic macros for manipulating splay trees and red-black trees.

o Support for extended attributes in the filesystem.

- Many other bugs fixed (http://www.OpenBSD.org/plus30.html)

- The "ports" tree is greatly improved (http://www.OpenBSD.org/ports.html)

o The 3.1 CD-ROMs ship with many more pre-built packages for the
common architectures. The FTP site contains hundreds more
packages (for the important architectures) which we could not
fit onto the CD-ROMs.

- Many subsystems improved and updated since the last release:

o A long-standing bug in the i386 MBR that caused a hang on boot
with some machines has been fixed.

o Better sizing of kernel buffers, based on amount physical memory.

o Other memory-related limits are tunable without recompiling a
lernel via config -e.

o Improved behavior of the virtual memory system in low-memory
situations.

o ALTQ is supported by more ethernet drivers and now works on
bridged interfaces.

o Loadable kernel modules are now supported on ELF platforms.

o The 2 gigabyte file size limit has been removed from mmap(2),
vnd(4), savecore(8), dump(8), restore(8), and rcp(1).

o XFree86 updated to 4.2.0.

o sendmail updated to 8.12.2.

o Latest KAME IPv6

o KTH Heimdal-0.4e

o OpenSSH 3.2

If you'd like to see a list of what has changed between OpenBSD 3.0
and 3.1, look at

http://www.OpenBSD.org/plus31.html

Even though the list is a summary of the most important changes
made to OpenBSD, it still is a very very long list.

This is our twelfth OpenBSD release, and the eleventh release which
is available on CD-ROM. Our releases have been spaced six months
apart, and we plan to continue this timing.

- SECURITY AND ERRATA

We provide patches for known security threats and other important
issues discovered after each CD release. As usual, between the
creation of the OpenBSD 3.1 FTP/CD-ROM binaries and the actual 3.1
release date, our team found and fixed some new reliability problems
(note: most are minor, and in subsystems that are not enabled by
default). Our continued research into security means we will find
new security problems and we always provide patches as soon as
possible. Therefore, we advise regular visits to

http://www.OpenBSD.org/security.html
and
http://www.OpenBSD.org/errata.html

Security patch announcements are sent to the security-announce@OpenBSD.org
mailing list. For information on OpenBSD mailing lists, please see:

http://www.OpenBSD.org/mail.html

- CD-ROM SALES

OpenBSD 3.1 is also available on CD-ROM. The 3-CD set costs $40USD
(EUR 45) and is available via mail order and from a number of
contacts around the world. The set includes a colorful booklet
which carefully explains the installation of OpenBSD. A new set
of cute little stickers are also included (sorry, but our FTP mirror
sites do not support STP, the Sticker Transfer Protocol). As an
added bonus, the second CD contains an exclusive audio track by Ty
Semaka, http://www.thedevils.com/.

Profits from CD sales are the primary income source for the OpenBSD
project in essence selling these CD-ROM units ensures that OpenBSD
will continue to make another release six months from now.

The OpenBSD 3.1 CD-ROMs are bootable on the following six platforms:
o i386
o alpha
o sparc
o sparc64 (UltraSPARC)
o macppc
o hp300*

* The m68k-based platforms, including hp300, are located on a fourth
CD that is not included in the official CD-ROM package. You can
download the ISO image for the fourth CD as described below.

(Other platforms must boot from floppy, network, or other method).

For more information on ordering CD-ROMs, see:

http://www.OpenBSD.org/orders.html

The above web page lists a number of places where OpenBSD CD-ROMs
can be purchased from. For our default mail order, go directly to:

https://https.OpenBSD.org/cgi-bin/order

or, for European orders:

https://https.OpenBSD.org/cgi-bin/order.eu

All of our developers strongly urge you to buy a CD-ROM and support
our future efforts. As well, donations to the project are highly
appreciated, as described in more detail at:

http://www.OpenBSD.org/goals.html#funding

Due to space restrictions and our desire not to raise the cost of
the CD-ROM, the Motorola 68k-based platforms are located on a
fourth CD that is not included in the official CD-ROM package.
An ISO image for this CD may be downloaded from:

ftp://ftp.openbsd.org/pub/OpenBSD-ISO/3.1-CD4.iso

This CD contains the amiga, hp300, mac68k and mvme68k install sets
as well as the m68k packages. The CD is bootable on the hp300.
Note that not all ftp mirrors will carry the CD image.

- T-SHIRT SALES

The project continues to expand its funding base by selling t-shirts
and polo shirts. And our users like them too. We have a variety
of shirts available, with the new and old designs, from our web
ordering system at:

https://https.OpenBSD.org/cgi-bin/order

The new 3.1 t-shirt is not available at this time but will be
available shortly.

- FTP INSTALLS -

If you choose not to buy an OpenBSD CD-ROM, OpenBSD can be easily
installed via FTP. Typically you need a single small piece of boot
media (e.g., a boot floppy) and then the rest of the files can be
installed from a number of locations, including directly off the
Internet. Follow this simple set of instructions to ensure that
you find all of the documentation you will need while performing
an install via FTP. With the CD-ROMs, the necessary documentation
is easier to find.

1) Read either of the following two files for a list of ftp
mirrors which provide OpenBSD, then choose one near you:

http://www.OpenBSD.org/ftp.html
ftp://ftp.OpenBSD.org/pub/OpenBSD/3.1/ftplist

2) Connect to that ftp mirror site and go into the directory
pub/OpenBSD/3.1/ which contains these files and directories.
This is a list of what you will see:

Changelogs/ alpha/ macppc/ sparc64/
HARDWARE amiga/ mvme68k/ src.tar.gz
PACKAGES ftplist packages/ srcsys.tar.gz
PORTS hp300/ ports.tar.gz tools/
README i386/ root.mail vax/
XF4.tar.gz mac68k/ sparc/

It is quite likely that you will want at LEAST the following
files which apply to all the architectures OpenBSD supports.

README - generic README
HARDWARE - list of hardware we support
PORTS - description of our "ports" tree
PACKAGES - description of pre-compiled packages
root.mail - a copy of root's mail at initial login.
(This is really worthwhile reading).

3) Read the README file. It is short, and a quick read will make
sure you understand what else you need to fetch.

4) Next, go into the directory that applies to your architecture,
for example, i386. This is a list of what you will see:

CKSUM INSTALL.os2br comp31.tgz man31.tgz
INSTALL.ata INSTALL.pt etc31.tgz misc31.tgz
INSTALL.chs MD5 floppy31.fs xbase31.tgz
INSTALL.dbr base31.tgz floppyB31.fs xfont31.tgz
INSTALL.i386 bsd floppyC31.fs xserv31.tgz
INSTALL.linux bsd.rd game31.tgz xshare31.tgz
INSTALL.mbr cdrom31.fs index.txt

If you are new to OpenBSD, fetch _at least_ the file INSTALL.i386
and the appropriate floppy*.fs file. Consult the INSTALL.i386
file if you don't know which of the floppy images you need (or
simply fetch all of them).

5) If you are an expert, follow the instructions in the file called
README; otherwise, use the more complete instructions in the
file called INSTALL.i386. INSTALL.i386 may tell you that you
need to fetch other files.

6) Just in case, take a peek at:

http://www.OpenBSD.org/errata.html

This is the page where we talk about the mistakes we made while
creating the 3.1 release, or the significant bugs we fixed
post-release which we think our users should have fixes for.
Patches and workarounds are clearly described there.

Note: If you end up needing to write a raw floppy using Windows,
you can use "fdimage.exe" located in the pub/OpenBSD/3.1/tools
directory to do so.

- XFree86 FOR MOST ARCHITECTURES -

XFree86 has been integrated more closely into the system. This
release contains XFree86 4.2.0. Most of our architectures ship
with XFree86, including sparc, sparc64 and macppc. During installation,
you can install XFree86 quite easily. Be sure to try out xdm(1)
and see how we have customized it for OpenBSD.

On the i386 platform a few older X servers are included from XFree86
3.3.6. These can be used for cards that are not supported by XFree86
4.2.0 or where XFree86 4.2.0 support is buggy. Please read the
/usr/X11R6/README file for post-installation information.

- PORTS TREE -

The OpenBSD ports tree contains automated instructions for building
third party software. The software has been verified to build and
run on the various OpenBSD architectures. The 3.1 ports collection,
including many of the distribution files, is included on the 3-CD
set. Please see PORTS file for more information.

Note: some of the most popular ports, e.g., the Apache web server
and several X applications, come standard with OpenBSD. Also, many
popular ports have been pre-compiled for those who do not desire
to build their own binaries (see PACKAGES, below).

- BINARY PACKAGES WE PROVIDE -

A large number of binary packages are provided. Please see PACKAGES
file (ftp://ftp.OpenBSD.org/pub/OpenBSD/PACKAGES) for more details.

- SYSTEM SOURCE CODE -

The CD-ROMs contain source code for all the subsystems explained
above, and the README (ftp://ftp.OpenBSD.org/pub/OpenBSD/README)
file explains how to deal with these source files. For those who
are doing an FTP install, the source code for all four subsystems
can be found in the pub/OpenBSD/3.1/ directory:

XF4.tar.gz ports.tar.gz src.tar.gz srcsys.tar.gz

- THANKS -

OpenBSD 3.1 includes artwork and CD artistic layout by Ty Semaka,
who also is featured in an audio track on the OpenBSD 3.1 CD set.
Ports tree and package building by Christian Weisgerber, David Lebel,
Marc Espie, Peter Valchev and Miod Vallat.
System builds by Theo de Raadt, Niklas Hallqvist, Todd Fries and Bob Beck.
ISO-9660 filesystem layout by Theo de Raadt.

We would like to thank all of the people who sent in bug reports, bug
fixes, donation cheques, and hardware that we use. We would also like
to thank those who pre-ordered the 3.1 CD-ROM or bought our previous
CD-ROMs. Those who did not support us financially have still helped
us with our goal of improving the quality of the software.

Our developers are:

Aaron Campbell, Angelos D. Keromytis, Anil Madhavapeddy, Artur Grabowski,
Ben Lindstrom, Bob Beck, Brad Smith, Brandon Creighton, Brian Caswell,
Brian Somers, Bruno Rohee, Camiel Dobbelaar, Chris Cappuccio,
Christian Weisgerber, Constantine Sapuntzakis, Dale Rahn, Damien Miller,
Dan Harnett, Daniel Hartmeier, David B Terrell, David Lebel,
David Leonard, Dug Song, Eric Jackson, Federico G. Schwindt,
Grigoriy Orlov, Hakan Olsson, Hans Insulander, Heikki Korpela,
Horacio Menezo Ganau, Hugh Graham, Ian Darwin, Jakob Schlyter,
Jan-Uwe Finck, Jason Ish, Jason Peel, Jason Wright, Jean-Baptiste Marchand,
Jean-Jacques Bernard-Gundol, Jim Rees, Joshua Stein,
Jun-ichiro itojun Hagino, Kenjiro Cho, Kenneth R Westerback,
Kevin Lo, Kevin Steves, Kjell Wooding, Louis Bertrand, Marc Espie,
Marco S Hyman, Mark Grimes, Markus Friedl, Mats O Jansson, Matt Behrens,
Matt Smart, Matthew Jacob, Matthieu Herrb, Michael Shalayeff,
Michael T. Stolarchuk, Mike Frantzen, Mike Pechkin, Miod Vallat
Nathan Binkert, Nick Holland, Niels Provos, Niklas Hallqvist,
Oleg Safiullin, Paul Janzen, Peter Galbavy, Peter Stromberg,
Peter Valchev, Reinhard J. Sammer, Shell Hin-lik Hung, Steve Murphree,
Thierry Deval, Theo de Raadt, Thorsten Lockert, Tobias Weingartner,
Todd C. Miller, Todd T. Fries, Wim Vandeputte.

If you want to order this new 3CDset:

[Anonymous Coward]

Just go to https://https.openbsd.org/cgi-bin/order [openbsd.org] for international orders or for European orders https://https.openbsd.org/cgi-bin/order.eu [openbsd.org]

The new artwork really ROCKS! [openbsd.org]

Don't forget...

[Daniel Wood (531906)]

the lyrics! [openbsd.org] No OpenBSD 3.x release would be complete without release art and lyrics!

Can't fight the Systemagic, Über tragic, Can't fight the Systemagic....

Already have mine

[Martin Foster (4949)]

I got the released CD through the mail a few days ago. Could be because I live near where the main distributor is based.

This allowed me to spend the weekend upgrading the servers over to 3.1. The process was painless, the pre-compiled packages from ports allowed me to speed a few things up and within seconds I had everything patched against the errata and ready to go.

I would like to point out that this is the first release where ports.tar.gz works without a problem. Normally I am forced to download ports or even src.tar.gz because they refuse to be decompressed.

However, I am not looking forward my 2.9 firewall to 3.1. Since OpenBSD 3.x releases no longer support IPF, I need to have the new FP ruleset in place before I do anything serious on that machine.

minus sendmail

[LiquidPC (306414)]

It would be nice if an OS would take sendmail out of their default install and try something else more secure and with better config files, such as postfix. For an OS all about "security," you'd think they'd get rid of sendmail. Maybe we can look forward to this in 3.2?

Re:minus sendmail

[sporty (27564)]

Sendmail has had a bad history. Granted. Sendmail is not so insecure anymore. And configuration of sendmail defaults will please most people.

Re:minus sendmail

[coene (554338)]

Although not a question that should be modded to +5 as its been answered before -- again and again, in this case its good so that people can learn why Sendmail is in OpenBSD.

First, Sendmail is a GREAT MTA when used properly. The way it is installed, and the way it interoperates with the system is very secure. You dont see OpenBSD machines being used as spam gateways or getting hacked due to sendmail. Its almost secure plug-and-play.

Why people think that sendmail is automatically insecure is beyond me. OpenBSD is NOT MEANT to be an "OS for dummies" (like many Linux distrobutions are trying to be). OpenBSD is meant for users who know what they are doing, and are experienced enough not to make the stupid mistakes that will get them hacked/exploited. As long as you dont do something incredibly stupid, 99% of the time the architecture OpenBSD will take care of the rest. This includes getting sendmail up and running.

Re:minus sendmail

[__past__ (542467)]

First, Sendmail is a GREAT MTA when used properly. The way it is installed, and the way it interoperates with the system is very secure.

However, wouldn't it be more sane to report any patches upstream, and make a nice port of it, whith all patches and sane configuration? The benefit is even more obvious in the case of BIND - while one might argue that a Unix system without an MTA isn't complete, it is hardly true that every Unix box needs BIND, so why not make it optional?

Re:minus sendmail

[slamb (119285)]

Why people think that sendmail is automatically insecure is beyond me.

Sendmail is fundamentally insecure. It is a single, monolithic process running as root - not necessary for most of its operations. A single buffer overflow would completely compromise the machine running sendmail. It was originally written with little regard to security and has a long lifespan, accumulating cruft. It should be no surprise that it has had several [securityfocus.com] vulnerabilities over the years. (That seems to be just 2001 ones. I'm sure there have been problems between 1988 and 2001; I just don't care enough to find them right now.)

In contrast, Postfix is broken apart into several different processes. Each executes at the minimum privelege necessary to do its job. A process running as an unprivileged user inside a chroot() jail containing no setuid binaries is a minimum risk to the system. The entire system was constructed with a focus on security - both eliminating vulnerabilities like buffer overflows and minimizing their impact should they occur. It has, by comparison, an unblemished security record [securityfocus.com].

For more information on why Postfix's security is completely superior to sendmail's, please see this page [postfix.org].

Re:minus sendmail

[slamb (119285)]

That seems to be just 2001 ones. I'm sure there have been problems between 1988 and 2001; I just don't care enough to find them right now.

Okay, I'm bored today. here [securityfocus.com] are some more. These two lists together may still not be exhaustive, but they are definitely long enough to prove my point that sendmail's security track record is very bad.

Re:minus sendmail

[bpalmer (568917)]

Sendmail in OpenBSD hasn't run as root since 2.9 [openbsd.org].

Theo and team seem confident in Sendmail's security. They've spent upwards of 30 hours going through the source and reporting bugs. That's why it's included in the default install. Keep in mind that you can easily disable sendmail and go to postfix or another mail transfer agent through the ports tree if you don't trust Theo's judgement. An email regarding the why's of using Sendmail versus another MTA are here. [geocrawler.com]

I implement sendmail all the time, and I work in an IT security shop. Set up properly, it's rock solid. My pen-tester co-workers have the same knee-jerk reaction to sendmail that you have. They heard somewhere that sendmail is insecure... Funny though, not one of them has been able to penetrate any of my OpenBSD boxes, through sendmail or any other avenue. These are guys that walk through firewalls and IIS webservers in moments. They're so good at this, that we give a money back guarantee, we don't get in, it's free. If OpenBSD gets popular, we might start losing money.

Re:minus sendmail

[slamb (119285)]

Sendmail in OpenBSD hasn't run as root since 2.9 [openbsd.org].

That's a very good change that I wasn't aware of. However, I'll keep running Postfix: user-level access is a stepping stone to full root, especially outside of a chroot() jail, since setuid executables are available to be exploited.

Theo and team seem confident in Sendmail's security. They've spent upwards of 30 hours going through the source and reporting bugs.

When did this happen? It would be interesting to know if any of the security bugs I linked to were reported after this audit was completed. That would be proof that their confidence was misplaced. (However, even if not, I still would not trust sendmail - the real question is of course what bugs remain, not what bugs have been discovered.)

Keep in mind that you can easily disable sendmail and go to postfix or another mail transfer agent through the ports tree if you don't trust Theo's judgement.

Yes, this is exactly what I used to do when I ran OpenBSD. It would be preferable if all outside packages were in ports rather than the main tree, to make completely removing sendmail more convenient.

My pen-tester co-workers have the same knee-jerk reaction to sendmail that you have.

It's not a knee-jerk reaction. Did you look at the links I posted? Postfix is secure by design. Sendmail is not.

Funny though, not one of them has been able to penetrate any of my OpenBSD boxes, through sendmail or any other avenue.

I have never exploited a new sendmail vulnerability, either. However, I am not convinced that no vulnerabilities remain to be exploited. I prefer to use something like Postfix - proper compartimentalization, much less code to be audited, so I have more faith in its correctness.

(Still not complete faith. My ideal system would have all network services implemented in a high-level language like Java. It is good to completely eliminate entire classes of vulnerabilities (buffer overflows, format strings) that occur over and over and over in software everyone uses. But comparable software does not yet exist in these languages, or I am unaware of it.)

Re:minus sendmail

[Just Some Guy (3352)]

Sendmail is fundamentally insecure. It is a single, monolithic process running as root - not necessary for most of its operations.

Where on Earth did you get that silly - and wrong - idea? My FreeBSD box has the remote and local MTAs separated into totally distinct processes, and the system users several UIDs for the different components.

It's great that you like Postfix, but try to find some real advantages before you evangelize it, OK?

Sparc64

[BrookHarty (9119)]

I see it says "Sparc64" anyone test this on a SunBlade yet?

Mozilla

[lyberth (319170)]

As soon as Mozilla runs natively under OpenBSD, it will be the best OS around

Twofish? AES? Serpent?

[karlm (158591)]

Do any of you know if the OpenBSD people have plans to replace blowfish with twofish in the kernel? What about Serpent and AES? Of all the people, I'm surprised that the OpenBSD people would be satisfied with "eh.. blowfish is good enough, why upgrade?".

Encrypted filesystem ?

[Oestergaard (3005)]

Does anyone know if an encrypted filesystem is availble for OpenBSD ? Seems like it still isn't. Except for the hacks like CFS... Is there an encrypted filesystem which is ready for *real* use out there ?

OpenBSD

[jbarnett (127033)]

Anyone know who does the music for the OpenBSD releases?

Re:How fast a computer needed?

[JohanV (536228)]

Yes

I run OpenBSD on a 486 with 16 MB RAM, so I would qualify your system as "overkill".

Re:How fast a computer needed?

[TrumpetPower! (190615)]

Quoth baywuulf:

I have an old Pentium 166 w/ 64MB and S3 virge video card lying around which I might use to play around with this stuff. Assuming no X Windows, will this be adequate to run OpenBSD without swapping to the harddrive much?

OpenBSD will run just fine on this computer. monk.trumpetpower.com [trumpetpower.com] is running on basically that same platform, and it's never given me a hint of trouble. Not that it or my DSL would likely survive a slashdotting, but....

My laptop is a Pentium 120 with 72 Mbytes RAM. I run Konqueror and Netscape under Windowmaker on it all the time. Sure, it's not a blazing speed daemon, but it's quite useable. And it's great to take onsite--I've got Apache, a DHCP server, lots more running on a machine I can tuck under my arm. I can max out a 100 Mbit Ethernet link with Apache, which actually makes the laptop a bit more convenient in some cases than a CD for transfering files.

b&

Re:How fast a computer needed?

[StandardDeviant (122674)]

more than adequate. I ran my home gateway on a p166/48mb ram machine for something like a year and a half (only downtime was due to things like me tripping over the power cable in a drunken stupor ;-)), no problems at all. I don't think the load ever went above 0.3 the whole time. (This was with 2.7, I don't see how 3.1 could be much different.) Heck, you could probably use a 486 if it had enough ram... Honestly, if all you're doing is firewall/gateway duty anything north of 8megs would probably be ok. I got openbsd to run on a 486/33 with (iirc) 6 megs at one point (a fancy struck me to put an irc server in my bathroom)... that was sort of painful, but the machine did run. I ended up reinstalling win98 on the p166 machine and using my old linksys router in it's place (becuase some friends of mine lost their computer in hurricane Allison last year, i figured they needed _a_ machine more than I needed _another_ machine, heh), if not for that then I imagine the little box would still be cheerfully tossing packets around for me. Now, obviously, if you have a bigger network behind the obsd machine than, say, 10 workstations, you're going to need more hw (faster proc, more ram to hold state tables, etc.)... Given that amd k6-2 cpus and super-7 motherboards are practically free these days, a machine to stand in front of a good sized office network probably wouldn't cost more than a hundred bucks if you were willing to scrounge (you only need a couple hundred meg hd unless you want to log things).

Re:How fast a computer needed?

[xtremex (130532)]

Absolutely....I run a webserver off of an old Cyrix 133 using OpenBSD. I'm going to add Jakarta to it soon and run servlets off of it. I don't know how well Java runs on the BSDs, but I'm hoping to find out.

Re:How fast a computer needed?

[__past__ (542467)]

I don't know how well Java runs on the BSDs, but I'm hoping to find out.

Depends on the BSD you're using. On FreeBSD, you can build a native version of Sun's JDK, on the others, you'll need Linux compatibility (you need this on FreeBSD also, but only to build the JDK, you can remove it afterwards).

So basically it runs quite well on OpenBSD, but you have to install the whole Linux base system (bad, bad thing if you have a small disk), as well as to enable Linux-compat in the kernel.

Re:How fast a computer needed?

[iabervon (1971)]

OpenBSD is older than your old Pentium, and it can still do everything it used to be able to do. It probably won't run Gnome or KDE, but it's more than enough to be a multi-user login server, mail server, web server, and run X. If you want to do anything involving really large data at the same time, though, you might want to have swap.

Re:Depends on what you want to use it for

[TrumpetPower! (190615)]

Quoth Sits:

Only problem is that to upgrade the current uptime of 49 days is going to have to go...

If you like your uptime, have a look here [trumpetpower.com].

b&

Re:ISO Images

[Troodon (213660)]

ISO images are copywrite to Theo de Raadt and are not distributed beyond actual cds. OpenBSD has a different support/developement model, funded through cd sales and donations.

The non US distribution points seem to be solely in Europe and can be found here [openbsd.org]

Re:ISO Images

[someonehasmyname (465543)]

Yes, but they give you instructions for making your own iso.. I just made my 3.1 iso. Very simple.

Re:ISO Images

[TrumpetPower! (190615)]

Quoth SpikyTux:

I wonder why there isn't any ISO images to download. I mean for someone who doesn't have credit card and live far away from North America, ISO images seems like the best alternative.

CD sales are a prime source of income for OpenBSD; you'll never see an official OpenBSD ISO image legally available for download.

Having said that, an ISO image really isn't necessary. You can download a floppy image and use that to do an install directly via FTP. Rather than ~600 Mbytes to transfer for an ISO, you'll only have to grab about 120 Mbytes for a full install.

More details can be found here [trumpetpower.com].

Re:ISO Images

[BrookHarty (9119)]

Thats the BAD part about BSD releases, alot of people dont have high speed Internet access, and an update ISO is needed. The ports tree alone should be on a seperate cd set, and updated monthly. The ports need audited badly, alot of stuff that wont compile, leaving a bad taste on people new to BSD.

The non-offical OpenBSD ISOs are trustworthy. Cheapbytes [cheapbytes.com] offers an ISO for 4.99.

Re:ISO Images

[__past__ (542467)]

Why would an "update ISO" be any better than upgrading via CVSup and friends? (For upgrading several boxen, either set up a local CVSup server, or man release) Most people who buy more than one OpenBSD CD set in their lifes do so to support the project, not to actually use them for an upgrade.

Re:ISO Images

[BrookHarty (9119)]

I was talking about the average user, if you have serval boxes, youre most likely to have high speed Internet.

foolish

[asv108 (141455)]

I think OpenBSD would be much better off providing ISO images for download. A realize OSS isn't a popularity contest but they could probably get a lot more funding with increased popularity so they wouldn't have to depend on CD sales. FTP download is nice, but most people are accustomed to using ISO images plus there are many occasions where installs are taking place on a system without net access. The major Linux distros wouldn't be nearly as popular if they didn't provide ISO images.

Re:ISO Images - make your own from snapshot

[RoundSparrow (341175)]

I used to think the same thing, but then I did a little searching on Groups.Google.Com and foud out that it is very easy to make your own ISO. You can get the latest snapshot... All you have to do is download the latest binary files from the OpenBSD FTP snapshot directory... Then use freeware cdrecord to do the change. I use a command like this on my Windows 2000 and Windows XP systems: Download the i386 to c:\OpenBSD\snapshot-05192002\i386\ and run mkisofs. c:\cdrecord\mkisofs -v -r -T -J -V "OpenBSD-i386-31" -b 3.1/i386/cdrom31.fs -c boot.catalog -o c:/OpenBSD/OpenBSD-i386-31-snap.iso -x c:/OpenBSD/OpenBSD-i3 86-31-snap.iso c:/OpenBSD/snapshot-05192002/ Obviously you have to mess with the paths a bit for your syste, but it isn't that hard. Creates a 130MB ISO, burn it with Nero (or something else) and boot. With Nero, make sure you do "full disc" and "finalize" options when burning the options. Again, check groups.google.com and search "openbsd mkisofs".

Re:ISO Images

[waspleg (316038)]

everyone else has pointed out why they are not available but they have no offered you any alternatives, personally i have found the ftp install from a floppy disk to be painless and there are many third parties who offer openbsd iso's.. just because they're not distributed by openbsd.org doesn't mean they don't work and theo's copyright is unenforced afiak (i've never heard of anyone getting sued or otherwise for using an iso)

i have bought several cd distributions and several t-shirts however, so don't blindly leech, i have been running an openbsd server for a couple years and i have to say it's almost *too* stable.. by the it breaks or needs upgrading i've usually forgotten how to go about doing that because it's so good you don' thave to fix shit all the time... its an excellent server, simple and elegant design, i highly reccomend trying it.

as for your isos ask on irc or look around, they probably won't be out immediately, but then if you have th ebandwidth to download the iso's you should be fine w/ an ftp install.. you don't really need the media for anything anyway, ports provides everything and the ftp install is actually faster since once you download the shit it's readily available rather than having to burn a cd and then install it..

you get cool stickers w/ the cd sets however, this alone has provided enough motivation for me in the past, the stickers are invaluable =)

Re:ISO Images

[Glytch (4881)]

It's just easier to get an ISO if you've got several machines, or if you just want to keep a backup cd around. I've got DSL, but I always get ISOs of Slackware (my unix of choice) rather than mess around with FTP installations.

Re:*BSD IS DYING

[Daniel Wood (531906)]

One more thing, don't forget that MS has threatened to build a reference implementation of .NET for FreeBSD. (slam away!)

This actually doesn't supprise me. Since MS is making an .NET implementation for MacOSX. Going from OSX (FreeBSD derrivative on Mach) to FreeBSD would be fairly trivial.

From OSOpinion [osopinion.com]: Reaffirming its support for the Macintosh platform and opening a bevy of new options for Apple's corporate direction, Microsoft this week is expected to announce its plans for implementing the .NET platform on the Mac OS.

Re:*BSD IS DYING

[__past__ (542467)]

MS has threatened to build a reference implementation of .NET for FreeBSD.

Um, "threatened"? Ever had a look at your ports tree recently, namely lang/cli?

Re:*BSD IS DYING

[nagora (177841)]

because the BSD people (the ones who actually *wrote* it) don't give a flying fuck... why should you?

Because, as a working programmer, they are activley supporting a company which is committed to putting me out of work by pushing various legal and illegal tactics to make it hard for non-MS companies to survive. I do give a flying fuck about that, even if BSD programmers don't.

The GPL makes it difficult for programmers to make money from their code but BSD makes it impossible, in the long run, for any programmer to make money unless they have the gracious permission of people like Gates who have plenty of cash to buy government policy and national markets.

TWW

Re:*BSD IS DYING

[nagora (177841)]

They could just as easily 'borrow' code from GNU projects, without anybody knowing.

At least they'd have to live in fear of a disgruntled employee blowing the whistle. It's not much but it is something.

TWW

Re:FUD?

[friscolr (124774)]

Independent of whether or not you're trolling, this article needs someone to link to Advocating OpenBSD [monkey.org], and especially to a link off of that page, The Sound And The Fury [byte.com].

Re:What? a Daemon?

[cperciva (102828)]

Originally, OpenBSD used a daemon; the fish came from BlowFish.

It happened, however, that people were starting to assume that daemon meant FreeBSD at around the same time as BlowFish became popular, so the openbsd crew decided to use the fish as mascot.

Re:Remote Install Question

[xtremex (130532)]

I think you need at least the boot floppy...there may be a way to launch the install disk using an image on the HDD....