OpenBSD 4.1 Released

adstro writes to quote from the BSD mailing list: "We are pleased to announce the official release of OpenBSD 4.1. This is our 21st release on CD-ROM (and 22nd via FTP). We remain proud of OpenBSD's record of ten years with only two remote holes in the default install. As in our previous releases, 4.1 provides significant improvements, including new features, in nearly all areas of the system."

Just curious...

[darnok]

My OpenBSD firewall box is several years old now (version 3.x), just keeps working and probably will until the 8yo hardware finally dies. Although I'm interested in the features in 4.1, and congratulate the developers on what'll doubtless be another good release, ultimately I'll probably stick with my existing setup. I *love* OpenBSD, for precisely one reason; it does what it's supposed to, and in my experience it *never* fails. However, I'm very unlikely to upgrade to any new version; why change something that works perfectly?

For those of you using OpenBSD, how many of you are in a similar situation?

Re:Just curious...

[TodMinuit]

I recently upgraded my firewall from a 3.x to 4.0 because the version I was running had a bug that didn't allow ALTQ rules to be unloaded from pf.

Now, the standard kernel is too big. Programs keep running out of memory. The machine is from, like, 1993. It's a 75MHz Pentium with 16MB of RAM.

Oops.

Re:Just curious...

[udippel]

The machine is from, like, 1993. It's a 75MHz Pentium with 16MB of RAM.

Just drop by, I'll have another 16MB of EDO RAM for you; and you'll be fine (the 75 MHz Pentium is very much okay, even on 4.X).

Re:Just curious...

[TheRaven64]

Have you tried building a new kernel? The default is intended to support most hardware. For a limited platform, I would recommend that you make an absolutely minimal kernel config and use that; I do for a Geode box I own, and it's a 266MHz chip with 64MB of RAM...

Re:Just curious...

[TodMinuit]

Yes, I was going to, but then I messed up the system I was building it on when I unpacked the kernel source. I haven't gotten around to trying again. (Luckily it was a virtual machine.)

Re:Just curious...

[asninn]

However, I'm very unlikely to upgrade to any new version; why change something that works perfectly?

Because holes continue to be found in every version and because old versions do not receive fixes anymore. There's only been two remote holes, of course, but there's an emphasis on both "remote" *and* "holes" here - and also an emphasis on "root", which unfortunately isn't even included in the slogan.

In other words, if you don't upgrade unless/until a new remote root exploit is found, you still have to worry about local users rooting your box (and don't forget that there typically are users like "www" etc. even when no actual person besides you has an account on the box; not a big problem for a firewall, most likely, but servers in general aren't automatically safe), and you still have to worry about remote priviledge escalation, remote denials of service and the like, too.

That's not to say that OpenBSD is not a very secure system, but the slogan is somewhat misleading (it's marketing, after all!), and not keeping a system up to date with security patches is never a good idea.

Re:Just curious...

[Noryungi]

In other words, if you don't upgrade unless/until a new remote root exploit is found, you still have to worry about local users rooting your box (and don't forget that there typically are users like "www" etc. even when no actual person besides you has an account on the box; not a big problem for a firewall, most likely, but servers in general aren't automatically safe), and you still have to worry about remote priviledge escalation, remote denials of service and the like, too.

True, but you should also read about PrivSep [umich.edu], W^X, security levels [openbsd.org], systrace [openbsd.org] and other important security mechanisms that mitigates those risks (while not entirely eliminating them). All of these (and more) make a well-configured OpenBSD machine a very tough nut to crack. So to speak.

To me, the best thing about OpenBSD is not that it is perfectly secure (that can't be achieved) but that security is taken seriously and all this mechanisms are activated by default. The excellent documentation, especially manual pages vs the GNU unreadable info pages mess, and reactive developper community are also big pluses in my book.

Re:Just curious...

[synthespian]

OpenBSD's man pages are the gold standard.

Re:Just curious...

[udippel]

And in this case, I'm not using that as a sarcastic reference to a low number, there really have only been two.

Hmm, sorry, two what ? Two remotely exploitable holes in the default install, or two users running the default install ?
(For those not in the know: the default install has - drums rolling - ssh enabled. And SMTP on 127.0.0.1. That's it. Over. No http, no ftp, no pop, nothing else.)

Don't get me wrong, I'm a great OpenBSD fan and run it on my 3 production machines. Still, personally I consider that statement about the two holes more embarassing than impressive.

Re:Just curious...

[LurkerXXX]

Embarrassing? Why? Because they don't run a bunch of unneeded services off the bat like some other OS's do/have-done-in-the-past?

Re:Just curious...

[udippel]

Mmh. I *do* like and prefer the 'you have to enable' philosophy of OpenBSD. No need to lock down any box.
But you don't want to tell me that a box running ssh and nothing more and nothing less makes any sense to run, do you ?
So what's the point of bragging with this ssh-only box to have so few vulnerabilities ? Again, I'm a fan; except of this aspect, which I still consider embarrassing. But maybe that's only me.

Re:Just curious...

[LurkerXXX]

But you don't want to tell me that a box running ssh and nothing more and nothing less makes any sense to run, do you ?

I do it all the time. I've got lots of firewalls running that only have SSH running, and no other external services.

If I do want another service going, I'll start it myself, because when I install the machine, it has no way of knowing if I want to run a web/smtp/imap/pop/ntp/ftp/samba/nfs/tomcat/dhcp/dn s/yadda/yadda/yadda server, and so cranking any or all of those up just in case I want them is rather silly.

Re:Just curious...

[udippel]

Ah, see. You change your /etc/rc.conf.local by adding pf=YES.
Lost. This is not the default install, and possible vulnerabilities in PF don't contribute to the 'two'.
So, you would not know how many vulnerabilities your install had had over the last years.
If you are worth your salary, you add time tracking.
Lost. This is not the default install, and any vulnerability in ntp/ntpd/ntpdate/rdate/openntpd does not increment the 'two'.

So let's leave the 'two' as a marketing hoax.

Re:Just curious...

[Dog-Cow]

I think the point is that having a super-secure OS w.r.t to remote vulnerabilities is very easy when there is no remote access. If (open)ssh was the only service enabled on a Windows box*, it would be just as secure from a remote-exploit point of view, would it not? That's why it's embarrassing. When you learn that there are no remote services enabled in the default install, it makes the whole idea totally pointless.

* To my knowledge, the NT kernel has never had a remote-exploit found. Only services above that level.

Re:Secure bricks

[LurkerXXX]

SSH is useless? Not to anyone I know who runs UNIX. Maybe if all you use is windows I can see it as 'useless' to you, but then, those folks wouldn't be running OpenBSD in the first place.

Re:Just curious...

[Tweekster]

Why would you want anything more than that running in a default install?

Comment removed

[account_deleted]

Comment removed based on user account deletion

Re:Just curious...

[drsmithy]

That was my experience too, until I accidentally typed `postsuper -r all|postfix reload` instead of `postsuper -r all;postfix reload` on my Open BSD 3.5/postfix box. It caused a Kernel panic.

If that's what actually happened (ie: you didn't coincidentally get hit by a cosmic ray at exactly the same time) it's a pretty serious bug. Is it repeatable ?

Comment removed

[account_deleted]

Comment removed based on user account deletion

Re:Just curious...

[Niten]

I'm upgrading to 4.1 because now the generic kernel allows my PowerMac G4 router/server to restart automatically in the event of a power failure. But frankly, I probably would have upgraded anyway: otherwise, it would be difficult for me to justify buying the CD and supporting the project, wouldn't it? :P

Re:Just curious...

[raddan]

I would do the same, but we are affected by some of OpenBSD's recent patches. While it's true that there are only 2 remote holes in the default install in 10 years, there are other bugs like denial of service, database corruption, and local privilege escalation that would have affected us. I've backported a few easy patches to some of the machines that are difficult to take down for maintenance, but in general we make the effort to upgrade every other release.

OpenBSD is great because maintenance is much easier. I don't have to worry, for example, about a broken libc after an 'emerge world' like I do on my linux boxen at home. That's an extremely painful lesson to learn.

BTW, if you love the OS as much as you say you do, shell out the 50 clams to buy a CD set. If donating doesn't give you that warm, fuzzy feeling, at least the cool stickers will. The latest set comes with a wireframe Puffy. Awesome.

Re:Just curious...

[QuantumG]

I do wonder whether not upgrading has security implications..

You wonder? You wonder? Of course it has security implications.

Sheesh.

Re:Just curious...

[Yvanhoe]

You wonder? You wonder? Of course it has security implications.

I think you are missing this :

We remain proud of OpenBSD's record of ten years with only two remote holes in the default install.

and the fact that openBSD doesn't use the linux/windows "security" paradigm of "write software quickly, find security bugs, fix them ASAP". Their strategy is instead to be secure out of the box, at the price of a slower pace of development and less features.

I am quite happy with linux right now. But I know that the day I will run a critical application/server, I will either use openBSD or maybe a stable debian but not a recent linux.

Re:Just curious...

[melstav]

Except that, as was pointed out to me by several people when I tried to dispute the (at the time) "only one remote vulnerability ..." claim, once you change a config file, you no longer have a default install.

The example I used was that the version of sendmail they had been distributing had a vulnerability that could be exploited to allow someone to allow the execution of arbitrary code with elevated privileges. The response I got was that, because they pre-configure sendmail to only accept connections from the local host, it's not a remote vulnerability -- it's a local one, and thus doesn't count.

I'm sorry, but if all I have to do to "default install" to have a remotely exploitable vulnerability is reconfigure a service that is installed and running in the default install to accept connections from remote computers, I think the claim is disingenuous.

I'm not saying that I have a problem with OpenBSD -- I use it on my firewall boxen and love it. I just have issues with some of their advertising.

Re:Just curious...

[TheRaven64]

I disagree that the grandparent is a troll. To some extent, I agree with him. I don't rush to deploy OpenBSD updates, because the system got to a state where I consider that it does everything I want from a (server) OS some time ago. Of course, new features are nice. I don't want to imply that they should stop developing them, and I do often see new things I might find a use for, but my OpenBSD installs currently work and work very well. I find updates from some other Free Software projects a lot more exciting, ironically, because they don't yet do everything I want them to.

Re:Just curious...

[smittyoneeach]

Rather limited view.
You also need to provide some positive feedback to the system that produced your rock-solid product.
Get a poster or t-shirt, if not the new version.
One need not love Theo, but he's worthy of respect and support.

Re:Just curious...

[kv9]

He's running a firewall you dolt.

I don't care what the fuck he is running. nobody is holding a gun to his head to upgrade. this stupid question *always* pops out. and you can compress this thread down to three things: 1, does it run Linux? 2, why should I upgrade? 3, did you forget about the song?

to answer your interesting questions: 1, yes it does with Xen or COMPAT_LINUX. 2, you shouldn't. 3, no we did not.

If it supports your eth cards than that's it.

4.1 comes with a shitload of NIC updates.

You don't need anything else. At all.

you need it to support the rest of the components in your computer unless you plan to run it straight off the NIC

Re:Just curious...

[kv9]

I think he was claiming that for his particular application (a firewall), he didn't need anything more than what it already provides.

how is that relevant to the discussion? 4.1 brings all kinds of goodies to the table: new nic drivers, hoststated, pf related improvements, sensors and more. just rtfrelease. these changes are all related to "his particular application".

this is the typical remark of the "nerd" with a single old box in his basement: "why should I upgrade?". you shouldn't. install it on your test systems, and if it works out deploy it on your new installs. and eventually you'll upgrade the older ones too. or more likely, you'll just apply the security patches and chug along with the old systems.

I'm not an upgrade nut. we still run 3.8 on "production" systems, but the newer ones have 4.0 (and pretty soon 4.1) installed.

Re:Just curious...

[kv9]

no.

Re:Just curious...

[ScrewMaster]

Aw, man ... I hate when that happens.

You're going to need a bigger UPS.

Yea, but...

[Heembo]

Yea, but does it run Linux? Oh wait....

Re:Yea, but...

[LizardKing]

To which the stock answer is, yes OpenBSD does run Linux - Linunx binaries at any rate (linux_compat(8) [openbsd.org]). I don't know about OpenBSD, but on NetBSD this works very well. Before a native JDK 1.4.2 was available for NetBSD I ran the Linux binaries of it under emulation.

Re:Yea, but...

[TheRaven64]

Sysjail has a nice feature, where you can run everything inside the jail via a foreign system call framework. This means you can set up a sysjail on OpenBSD containing a complete Linux-compiled userland, and users can access it without ever being aware that it's not Linux unless they try to load a kernel module (or use a system call that isn't emulated).

2 remote holes in default install

[timmarhy]

so does this mean when i install my bick OS which defaults to turning off your NIC's, i will be able to claim my security is better then anyones?

Downloads

[dleigh]

Why not a link to the .iso download page in the article?
(Yes, that was annoyed sarcasm). I'd rather donate to the project and download an image than get one shipped, I can't believe OpenBSD is still refusing to provide Official ISOs.

Re:Downloads

[geminidomino]

That's the one thing that's hindered my using it, too.

Keeping in mind who we're dealing with, though, I don't see it changing any time soon.

Re:Downloads

[astrashe]

You can download a very small minimal iso and do a net install. I did it this evening -- the core system is pretty small, and comes down quickly. It's not as inconvenient as you might think.

Re:Downloads

[TodMinuit]

You can also download the installation packages, burn those to a CD, and that along with the installation CD to do an offline install.

Or you could burn the packages to a CD and then boot bsd.rd.

Re:Downloads

[Hognoxious]

It's still making you jump through hoops for no obvious benefit. SuSe does something similar (or did last time I looked) it was enough to nudge me towards RH.

Re:Downloads

[Hognoxious]

It certainly have. It seems that since Novell took them over, the only downloads available are demo [novell.com] versions - even so-called "open server" [novell.com]. Otherwise, you have to pay for the disks. So I was wrong - it's even worse than I thought.

Re:Downloads

[dylan_-]

No, that's the Enterprise version. The free version is called opensuse [opensuse.org].

Re:Downloads

[TodMinuit]

Because OpenBSD create top-notch software and needs money to do so.

"So why don't they be a friggin' business already," you say. Well, because they want to be open source. "So why not do both?" They do.

If you don't like it, don't use it. Or create your own ISO and distribute it.

Re:Downloads

[Peaker]

If you don't like it, don't use it.

I think that's what people are saying here: "We don't like it, so we don't use it."
I guess they are saying this as they are hoping that the OpenBSD folks realize that their user base is small enough as it is to use such user-alienating tactics.

Re:Downloads

[kestasjk]

You can download a very small minimal iso and do a net install. I did it this evening -- the core system is pretty small, and comes down quickly. It's not as inconvenient as you might think.

Yeah, but if you do that you won't be able to stick your install CD into a music player any time you like and play the "Puffy Baba and the 40 Vendors" [openbsd.org] 4.1 song.

Re:Downloads

[Anonymous Coward]

Why don't people understand that the world of ISOs isn't practical
for EVERYTHING? They're not "refusing" anything, the OpenBSD people
provide an easy manner to obtain and install OpenBSD via ftp.

For beginners, and for people who don't understand try looking here:

http://www.openbsd101.com/ [openbsd101.com]

The above site is Linux user friendly.

Re:Downloads

[shish]

Why don't people understand that the world of ISOs isn't practical for EVERYTHING? They're not "refusing" anything, the OpenBSD people provide an easy manner to obtain and install OpenBSD via ftp.

Can I still do an FTP install if I can't get online?

Re:Downloads

[jcgf]

No, but if you can't get online, you can't download the iso if it were available either.

Re:Downloads

[DragonWriter]

Why don't people understand that the world of ISOs isn't practical
for EVERYTHING?

Why, precisely, would complete (rather than minimal) official ISOs not be practical for OpenBSD? Yes, clearly, there are workarounds and alternatives of various complexities, including a fairly straightforward method to roll-your-own complete install disks, none of which indicate that complete ISOs would be impractical.

The issue isn't "everything", its OpenBSD 4.1, and I certainly don't see any reason to think that complete ISOs would not be "practical".

Re:Downloads

[mindstormpt]

Not that BSD tools helps output is any useful anyway.

On the other hand their manpages actually say something.

Re:Downloads

[ThePhilips]

Man pages which are displayed by BSD's unique 'more'. Thanks you very much.

If you are really into command line, then check out Gentoo. Right after installing you would get feeling that Gentoo devels are really using command line - since it is so well made and polished.

Re:Downloads

[Dan Ost]

export PAGER=your_pager_of_choice

There, that wasn't hard.

I haven't played with it long enough to really know for usre, but I actually think I like the BSD version of less better than the Linux version. It's easier to grok.

Re:Downloads

[jcgf]

If you are really into command line, then check out Gentoo. Right after installing you would get feeling that Gentoo devels are really using command line

why leave bsd to go to wannabe bsd? Other than to gain the priveledge of an even more difficult install.

Re:Downloads

[kernelpanicked]

Ummm no. Nobody said "targeted at Linux users." Don't know where you got that BS from. Here are a few tips though.

1. --help? What the fuck is up with GNU and the ridiculous long options. Try reading the man pages which actually provide information on a BSD system as well as examples. By the way, every command, device, and config file has one on OpenBSD.

2. Korn shell is nearly a drop in replacement for bash and in some ways a damn sight nicer.

3. export PAGER=less. And you call yourself a command line user? For shame.

Re:Downloads

[LizardKing]

BSD is dead. As long as they have the antique command line tools.

Well Linux, and every other Unix like OS including Mac OS X, are dead then as they also include "antique" command line tools. In fact Windows must be dead as well, as it includes command line tools, albeit piss-poor ones.

Think whatever you want, but I cannot live w/o GNU command line. bash alone isn't sufficient - text-tools, file-tools are also important.

Last time I checked, the ksh that comes with the BSDs can do everything bash can. The BSDs include all the command line tools that the GNU file and text tool packages have, after all they're clones of the Unix ones found in BSD, plus with the BSDs the manpages are actually complete and usually include examples. With the GNU tools you are often faced with an incomplete or out of date manpage that refers you to some difficult to navigate or search "info" pages.

e.g. BSD's moronic find requires directory name - while GNU one picks current directory by default. All GNU tools support --help and --version - try to find common help displaying option in BSD variants. Not that BSD tools helps output is any useful anyway.

Wow, GNU find extends POSIX with one extra feature that I've never used in over a decade of using it. As for --help, that's what manpages are for (sorry, I forgot that your GNU manpages are incomplete), and --version, how often do you need to know what version of find you're using?!?

Also BSD's ps suck big time.

Hmm, last I checked the output of both ps on Linux and NetBSD looked remarkably similar. Note that what you probably consider "GNU ps" is actually "Linux ps", as the implementation of such a command tends to be very closely tied to the kernel it's running on.

The stupid insistence on using 'more' instead of 'less' isn't helping either.

Oh dear, never heard of the PAGER command line variable? I guess your particular brand of Linux just happens to default it to /bin/less. Funnily enough, so does /etc/skel/.profile on my BSD machines.

Also, it might surprise you, 'vi' is no more. Everybody had forgotten what it is - for good - and are using 'vim' instead. But the fact remain: BSD has no sane decent text editor preinstalled. Because POSIX 'vi' cannot be called 'sane' nor 'decent'.

nvi, the default vi on BSDs has more features than the minimum required POSIX - see the Solaris implentation for something approaching that minimalism! Personally I find vim to be a mess, and have had it crash on me a number of times. However, the approach taken with the BSDs is that a minimum is included in the base install and ports or packages can be added to create the "perfect" environment. That said, OpenBSD includes a minimal emacs workalike in the base install which may be more to your taste.

Constructive note. BSD should align themselves with Debian or Gentoo.

God no. Gentoo is grinding to a halt as it's an unstable mess, while Debian reflects the whole GNU mentality of replacing things with new, no less buggy implementations every so often, with no interface consistency and way too many esoteric features. Having fought with aptitude and had it crash far too many times, I'm more than happy with the BSD ports systems instead.

Re:Downloads

[synthespian]

You don't like the mg Emacs-like editor installed by default?
What a fucking troll...

Re:Downloads

[evilviper]

Why not a link to the .iso download page in the article?

For the same reason Linux kernels, and any other files aren't directly linked in /. articles.

Just for you: ftp://ftp5.usa.openbsd.org/pub/OpenBSD/4.1/i386/cd 41.iso [openbsd.org]

I can't believe OpenBSD is still refusing to provide Official ISOs.

Creating an ISO is positively trivial. The file system layout is exactly the same as the FTP tree. Just be sure to make it bootable with mkisofs -b, or whatever "bootable" check-box your Win32 CD burner program has...

Not to mention that there are dozens of different ways to install, and a bootable CD is rarely the most convenient. FTP install is quite handy.

It's only for non-x86 systems that creating bootable CDs is somewhat difficult. And even there, I'd much rather create my own multiple system CD than download an x86 ISO, an Alpha ISO, a Sparc ISO, and burn each to several different (mostly-empty) CDs.

Re:Downloads

[kestasjk]

Creating an ISO is positively trivial. The file system layout is exactly the same as the FTP tree. Just be sure to make it bootable with mkisofs -b, or whatever "bootable" check-box your Win32 CD burner program has...

If that's too challenging you can also burn the minimal ISO, and burn the install files to another CD. Boot up off the minimal ISO, then use the second CD as the source for the installation tarballs.

Re:Downloads

[evilviper]

Now that's a huge waste of CDs, and really no easier, since you still have to get the layout right, and the like.

Re:Downloads

[turing_m]

Or you could download everything in the ftp directory on another computer, host it locally, and install from there. Quicker and you don't waste a CDR.

Re:Downloads

[LizardKing]

Why don't you download the floppy boot images, do a net install and save having to waste a CDR?

The reason official downloadable ISO images are not available is to encourage people to buy the prepackaged CDs. The revenue from these sales is a significant reason why OpenBSD continues to flourish, as people like Theo de Raadt have an income that allows them to work full time on the project. Hopefully this will prevent a monoculture of Linux on servers, which in some respects would be as bad as the monoculture of Windows on the desktop. Personally I don't need CDs, but if I was using OpenBSD (rather than a certain other BSD) then I would be doing net installs from a server on my own network, and making a donation.

Comment removed

[account_deleted]

Comment removed based on user account deletion

Re:Downloads

[DrSkwid]

The bootable CD / .tgz packages works very well for me.
One can choose to download only the parts one needs - i.e. no ports or no X
You can install via ftp, pxe, cdrom with tgz files on it

OpenBSD is the fastest installing fully bloated OS I've tried.

If you need to run Apache 1.x that comes as standard set up to run chrooted in /var/www which saves a bit of fannying about.

Re:Downloads

[udippel]

milksucks ? Maybe. How about a coffee ? Or was the 'fully bloated' supposed to be funny ? Intentional ?

Re:Downloads

[Niten]

Well, they have FTP bandwidth bills to pay: I can't imagine that the effect of replacing the bandwidth used to get a minimal boot image and whichever installation sets you select for your specific architecture, with three full-sized CD images, would be negligible.

If it's that much of a concern for you that you can't get the official installation CD images without buying a physical copy, maybe you could just make a $50 donation to the project and then copy the CDs from a friend (the pre-orders were actually shipped about two weeks ago, so chances are that someone near you already has his or hers). Just a thought.

Re:Downloads

[turing_m]

They have no users? They are currently on #52 in the page hit rank on distrowatch. Right below linspire.

OpenBSD 4.1 Release Song

[Anonymous Coward]

You mustn't exclude the OpenBSD 4.1 Release song from this article!

http://www.openbsd.org/lyrics.html [openbsd.org]
ftp://ftp.openbsd.org/pub/OpenBSD/songs/song41.mp3 [openbsd.org]

Re:OpenBSD 4.1 Release Song

[simong]

Hmm, yes, I think I can sing that:

#Boo hoo, Linux won't share driver documentation with us, boo hoo boo hoo#

The last paragraph in the left hand column on that page is frankly nonsense. Linux has more driver support because there are more people working on driver support. I would like to see evidence of any kind that the OpenBSD community has been refused driver documentation which has been given to the Linux community.

Re:OpenBSD 4.1 Release Song

[Dan Ost]

If you were to look into it, I think you would find that one of the reasons that Linux has more driver support is because Linux is willing to accept specs under non-disclosure agreements. OBSD developers are not will to do the same since it makes maintenance impossible for anyone who hasn't signed the NDA.

I'm mostly a Linux user, but I don't buy hardware unless it's supported by OBSD for exactly this reason.

Looks like it's time for another donation to OBSD.

Re:OpenBSD 4.1 Release Song

[chriscappuccio]

They didn't show it very well in the cartoon, but the linux pengiun "stealing" the documentation is analogous to signing an NDA, as nobody else gets to see the documentation (the whole point of the NDA)

And then for signing the NDA, he gets "stabbed" by the real thieves and he "dies" (what happens to devices when there's no documentation)

3 Years and Counting

[p0]

I setup an OpenBSD box about 3 years ago. It has multiple gigE's and processes a reasonably tough load of network traffic 24 hours a day, even today. It has never ever crashed! it is not just crash proof, it simply doesn't give any other problems of any kind whatsover, heck I dont even know what to write in this darned comment!

Thanks for this. OpenBSD is rock solid!

But...

[Arielholic]

But.... does it have UAC?

Re:But...

[TheRaven64]

Kind of. It has systrace, which allows the arguments to every system call to be validated before being issued, and either allowed, denied, or allowed with elevated privilege based on a policy. Unlike UAC (or SELinux), it can be enabled on a per-process basis, so you can only use it for the processes you don't trust, or use it for everything, depending on your level of paranoia.

No ISO policy

[PhotoGuy]

While I hear great things about OpenBSD, and realize it is for a niche market where stability and security are the number one concern, it seems to me that more people would check it out and use it, if not for this policy:

"The OpenBSD project does not make the ISO images used to master the official CDs available for download. The reason is simply that we would like you to buy the CD sets to help fund ongoing OpenBSD development. The official OpenBSD CD-ROM layout is copyright Theo de Raadt. Theo does not permit people to redistribute images of the official OpenBSD CDs. As an incentive for people to buy the CD set, some extras are included in the package as well (artwork, stickers etc).

Note that only the CD layout is copyrighted, OpenBSD itself is free. Nothing precludes someone else from downloading OpenBSD and making their own CD. If for some reason you want to download a CD image, try searching the mailing list archives for possible sources. Of course, any OpenBSD ISO images available on the Internet either violate Theo de Raadt's copyright or are not official images. The source of an unofficial image may or may not be trustworthy; it is up to you to determine this for yourself."

Now, FTP installs are pretty slick in these days of prevalent high speed; still, it seems a bit silly and arbitrary to intentionally restrict ISO distribution, to try and sell a few discs. The people who are willing to pay, would buy regardless of a free ISO being available (corporations and IT departments like having the official discs, and such).

I guess more than anything, this policy stikes me as a bit of "attitude", which turns me off the distribution, more than the mild inconvenience of not having ISO's readily available.

Re:No ISO policy

[DaMattster]

I understand your frustration with the policy and the attitude that it might imply but let me show you the other side of the story. The OpenBSD team works very hard to produce these releases and get little support in the form of donations from large companies that use pieces of the operating system. Theo De Raadt asked Sun for a donation for one of his hackathons and was not even given the time of day. He was not even answered which is tantamount to a 'no.' Given that OpenBSD provided extensive assistance to Sun in the integration of OpenSSH and voluntarily reported bugs in Sun's version (as well as others), I think it really would have been no skin off of Sun's back to provide a donation. The principle form of income for the project to function comes from sales of OpenBSD CD-ROMS. You could still make your own ISO, but please keep in mind the hard work of this project. Honestly, 50.00 is a drop in the bucket and you help keep the future of a good project stable.

OpenBSD team works very hard

[nurb432]

And the FreeBSD people dont? Or NetBSD? Or K/Ubuntu? Its his work, and its his choice, but i also agree with many its a bit of an 'elitist' attitude, that really isnt necessary. Its not about the cost, its about the attitude.

Re:No ISO policy

[LittleLebowskiUrbanA]

Have you priced the official disks? Have you ever used OpenSSH? If so, have you ever given anything back to the creators and maintainers of OpenSSH (OpenBSD)?

    This attitude pisses me off. If you were actually using OpenBSD, you'd be willing to fork over a few buck to get the disks. But you're not using it. The amount of time spent to produce such a high quality OS is worth the money in my book.

    The other thing that pisses me off is that OpenBSD doesn't have a millionaire patron. But they do have Sun, Cisco, etc shipping their software (OpenSSH) withouth even bothering to contribute to the foundation. Kinda cheap, huh? Maybe that's why they charge for their install disks.

    You clearly know nothing about OpenBSD.

Re:No ISO policy

[GreyWolf3000]

The other thing that pisses me off is that OpenBSD doesn't have a millionaire patron. But they do have Sun, Cisco, etc shipping their software (OpenSSH) withouth even bothering to contribute to the foundation.

*Snicker* Maybe you guys should switch to a GPL license to prevent big companies from selling all that hard work and giving back nothing.

I joke. I'm glad that the OpenBSD team sticks to their idea of software freedom even when they appear to get taken advantage of.

Re:No ISO policy

[Raenex]

So they say their work is free for anybody to use, without payment, and then they get all bitchy when they aren't paid for their work? And they resort to gimmicks like trying to copyright an ISO image?

Re:No ISO policy

[LittleLebowskiUrbanA]

And Linux never borrowed from the BSD TCP/IP stack? Shut the fuck up.

Re:No ISO policy

[k1e0x]

There is nothing wrong with wanting to make money.. especially if you are working to do it.

a bit of "attitude"

[nurb432]

Well, it is Theo remember.. what else would you expect?

Re:No ISO policy

[PhotoGuy]

A followup on my own posting:

I decided to check out OpenBSD anyway, despite lack of an ISO. I used a Parallel's virtual machine to try an install.

The baseline netbook fired up, prompted me with a lot of text prompts and manual disk editing (wow, they still do that?), detected the network fine, prompted me for packages, and started downloading them. Great.

After getting base41.tgz (I think it was), it just sat there. For an hour. Doing nothing.

So I restarted the install. It hung at the same place.

No diagnostics. No indication of what might be wrong. A network issue? Possibly. If so, an ISO would have avoided that glitch.

As it stands, I'll never bother spending the time to figure it out, and will never end up using/recommending/buying OpenBSD at this time. For now, when I need a lean, mean, gateway machine, NetBSD seems small, ISO-available, stable, and secure, so I'll use/recommend that.

(One other thing that "bothered" me about the non-ISO thing, was that the "CD layouts" were "Copyright by Theo." Having a layout of all things, copyrighted by one person, again, seems a bit small-time and unprofessional. And the /. crowd is the type that would be up in arms about a layout being copyrightable, since arguably there's no creative design involved, just some drudgery of getting a bootloader and the packages on a disc.)

Anyhow, I do have a lot of respect for what the OpenBSD folks have done over the years. I just think that the ISO thing is hurting them more than it's helping them. Let people see what you have, as easily as possible. If they like it, and they are the type of person/corporation/role that would pay for things, they will. If they're not the type that would pay, they won't. But you're only excluding potential customers in the former category, by not making it as easy as possible for them.

(/me goes off to download the latest NetBSD to play and see what they've been up to...)

Re:who cares?

[Marcion]

Why do we care, because now people can use the code hex09f91102... oh have we moved on already?

No idea, they make a nice SSH program though.

Re:who cares?

[Anonymous Coward]

Well, if that is the case then I must be that kid in the movies because I see dead OSs on lots of my servers.

Re:who cares?

[WilliamSChips]

Bruce Willis is dead.

Re:Yea but....

[evilviper]

...does it run Linux? Oh wait...

Of course it does.

It runs Linux binaries directly, like all the BSDs.

It also has Qemu, Bochs, BasiliskII, GXEmul, etc. in ports, on which Linux will no-doubt run.

Insert "In Soviet Russia" "Beowulf Cluster" "I read that as" "??? Profit" and any other completely mindless /. cliches.

Re:Yea but....

[RLiegh]

>It also has Qemu,
But no kqemu; so I'll stick with Linux, FreeBSD or Solaris; all of which have proper kernel support for Qemu.

>Bochs,

Ewwwwww, that's disgusting! I thought with Qemu we had managed to finally put bochs out of our misery.

Re:Yea but....

[evilviper]

But no kqemu; so I'll stick with Linux, FreeBSD or Solaris;

In my experience (using Qemu on FreeBSD), kqemu doesn't provide even a noticeable performance improvement, even with the recent "-kernel-kqemu" improvements... Perhaps disk I/O is so much of a bottleneck that the virtual CPU doesn't really get maxed-out often?

Re:Yea but....

[RLiegh]

It seems to help the most under Linux, as far as I can tell; it helps somewhat under solaris and freebsd (but not as much) and doesn't help at all under windows.

I've tried using qemu (without kqemu) under netbsd, and it was (to me) noticibly slow enough that I simply wasn't able to put up with it.

Re:Sad, but predictable

[ettlz]

I have to ask, Linux users...when are you going to stop making yourselves so easy to hate?

Don't tar all Linux users with the same trollbrush. There are a very few people on both sides who like to stir the old Linux vs. BSD shit for absolutely no good reason other than to rile the "other side". A lot of us also use a BSD, like it, and see the virtues of both OS families without the need to sling mud. I use predominantly Linux on the desktop, not because I hate Windows, but because I genuinely like Fedora Core. Strange, eh?! I also use FreeBSD on my server because it's a good OS for that purpose and I dislike monoculture. Why fight?

Re:Sad, but predictable

[k1e0x]

There is nothing "wrong" with either.

Linux tends to have abit better hardware support (for stuff you really dont need) at the rick of stability. There is also more software that is ported to Linux. Did I say Linux was unstable? Well that depends, Debian is very well tested and will generally give you good preformance in the server role.

I know BSD well but, I prefer Linux and sometimes Solaris over *BSD.

Re:Sad, but predictable

[petrus4]

Where are the problems with linux that aren't in BSD? Is it lack of standardization? Or are there specific things that should work that were broken in linux? Why do hard-core admins scoff at linux?

There is a set specification [unix.org] which outlines what a UNIX system is. As far as admins complaining about Linux not being "standard" it often genuinely is the case with a number of binary Linux distributions that a number of the utilities outlined by that specification are not installed by default, but rather are viewed by the distribution makers as being optional extras. They do this in an attempt to increase user-friendliness or save disk space, but there are times when for some people anyway it can simply make life more difficult.

The BSDs are designed to include all of these utilities as part of the core system, so admins and other users who want them can rely on them being there; there is no uncertainty as there can be with Linux distros.

For basic desktop use, Ubuntu is fine, and has been praised for its' user-friendliness. If however there comes a time when you wish to learn more, (which may be of benefit if you wish, as you say, to gain Linux-related employment) I strongly recommend investigating the Linux From Scratch [linuxfromscratch.org] Project. They release an online book which will teach you how to assemble a Linux system yourself that is largely compliant with the abovementioned specification, at least as far as the installed utilities are concerned. If that sounds intimidating right now, I'd also recommend this [slashdot.org] which is a guide that I wrote for someone else a while back. That will give you the background knowledge you need before attempting to complete the Linux From Scratch book.

After you've done that and used Linux for a while, (months, years, whatever) I'd definitely recommend installing FreeBSD at some point, if only for the sake of contrasting the two and rounding out your knowledge. You will then be in a very good position to determine which system you wish to make your environment of choice, long term.

Re:Sad, but predictable

[delire]

There's a lot of comments, (including on /. - see article on Dell shipping Ubuntu Linux), about 'Linux' being less suited to the server role than BSD, (requires daily reboots, lock up without reason..)

The BSD's are a fine family of OS's. This is widely understood now. There's no need to resort to baseless exaggeration to superficially elevate BSD's position in the mind of the reader, who will probably read your comment, in turn, as "the BSD's are so threatened by Linux that I will resort to back-handed absurdities".

You're above comment is contrary to the quiet confidence I'd expect any BSD user to have..

Best you climb back under the bridge I think.. You're safer there, and so are we.

Re:Sad, but predictable

[rindeee]

Whuh?! There are lots of comments on /. about goatsecs too, but I doubt you would use that in support of your stance for/against the subject (I don't want to know). If you have a Linux server (or any server for that matter) that requires daily reboots and you can squarely blame it on the OS, why are you running that OS? I've numerous servers running BSD, Linux, OS X, Solaris and yes, even Windows, that are all quite stable and simply do not require reboots save for an occasional reboot on a Windows or OS X box after an update (do not like, but not a big deal if it's planned for). Sorry friend, but your statement is utter rubbish.

Re:Sad, but predictable

[Bearhouse]

I'll reply to the least offensive post. Why do people think that insulting others somehow makes their argument more compulsive?
The guy asked a question, I gave him a potential reason why people might think that way - look around, guys, I'm just reporting what others are saying. That does not mean that I AGREE with that.

For the record.

1. No, really not into Goatsecs.
2. The only server that I managed that needed frequent reboots was one running Windows NT that I 'inherited' - soon fixed that, (memory leak).

Yes, you can make any OS stable with enough work, you just need to get the right distro. and set it up right. But how many people know how to do that? Would you start with an Unbuntu 'desktop' ISO? Of course not.

Finally, it's well known that Linux is not yet ready to used be an 'enterprise' OS with heavy DB access...that may explain the original poster's colleagues' atitude.

Re:Sad, but predictable

[udippel]

Seems I tend to agree somewhat with one of the more offensive posters:

1. Whatever I read on /., the 'daily reboots' of Linux isn't exactly what I remember w.r.t. your 'lots of comments'.

2. If that chap asked a question, why cite what you (wrongly, as is) think that others were saying ? Instead of giving your own opinion and experience ?

3. Finally, it's well known that Linux is not yet ready to used be an 'enterprise' OS with heavy DB access.
Is there somehow anything that you know about databases, or are you back in the mere realms of assumption ? The largest databases ('enterprise') could be running DB2 or Oracle. Miraculously, both run on Linux:
http://www.oracle.com/technologies/linux/index.htm l [oracle.com]
http://www-306.ibm.com/software/data/db2/linux/ [ibm.com]

Re:Sad, but predictable

[ettlz]

Assuming the parent isn't a troll, it should be pointed out that it's much more complicated than this. BSD is not a failure and it is not dying: a considerable portion of webservers run on FreeBSD. OpenBSD is considered by many to be the de facto for routing, network services, etc. The fact is that Linux is more in the public eye now. I think this is because (1) there was all that legal wrangling over BSD in the early-mid 1990s, when Linux was starting to take off, that made the latter more attractive. (2) Linux thereby acquired a bigger "cult" following of disaffected, former Windows-using youths (like me!) who were looking for something different; they then grew to love it and the wonderful, larger world of UNIX. This, plus the much publicised Push for the Desktop amongst Linux distros (the likes of Ubuntu, Fedora and SuSE), has resulted in it getting much more mainstream media attention. There's nothing really sexy about servers.

Linux is a success, but it is very wrong to call BSD a "failure".

Re:Sad, but predictable

[synthespian]

Besides, Linux users are always in the public eye, due to the profusion of basically 3 types of articles:

1) "Look, Ma! Look at my Beryl spinning cube interface!!" articles, or The Linux Desktop Wallpaper How-To;

2) The We-Are-Fighting-Evil genre of articles (Free Java, Free Flash, Free .Net, Free Mac OS, etc.)

3) We-Are-Fighting-Each-Other genre (e.g., "Debian X Ubuntu" material).

Re:So

[ThePhilips]

C'mon, we do not want to start the old song again. You know, most first Linux drivers were ported over from BSD.

Development of both BSD & Linux isn't commercialized - so word "lifted" is unfit here. It is more about "exchange of ideas" [canonical.org] ;)

hey Redundant ..

[rs232]

And then mod down posts that say something positive.

was (Score:1, No sense of humor)