OpenBSD 4.1 Released

adstro writes to quote from the BSD mailing list: "We are pleased to announce the official release of OpenBSD 4.1. This is our 21st release on CD-ROM (and 22nd via FTP). We remain proud of OpenBSD's record of ten years with only two remote holes in the default install. As in our previous releases, 4.1 provides significant improvements, including new features, in nearly all areas of the system."

Just curious...

My OpenBSD firewall box is several years old now (version 3.x), just keeps working and probably will until the 8yo hardware finally dies. Although I'm interested in the features in 4.1, and congratulate the developers on what'll doubtless be another good release, ultimately I'll probably stick with my existing setup. I *love* OpenBSD, for precisely one reason; it does what it's supposed to, and in my experience it *never* fails. However, I'm very unlikely to upgrade to any new version; why change something that works perfectly?

For those of you using OpenBSD, how many of you are in a similar situation?

Re:Just curious...

You wonder? You wonder? Of course it has security implications.

I think you are missing this :

We remain proud of OpenBSD's record of ten years with only two remote holes in the default install.

and the fact that openBSD doesn't use the linux/windows "security" paradigm of "write software quickly, find security bugs, fix them ASAP". Their strategy is instead to be secure out of the box, at the price of a slower pace of development and less features.

I am quite happy with linux right now. But I know that the day I will run a critical application/server, I will either use openBSD or maybe a stable debian but not a recent linux.

Re:Just curious...

And in this case, I'm not using that as a sarcastic reference to a low number, there really have only been two.

Hmm, sorry, two what ? Two remotely exploitable holes in the default install, or two users running the default install ?
(For those not in the know: the default install has - drums rolling - ssh enabled. And SMTP on 127.0.0.1. That's it. Over. No http, no ftp, no pop, nothing else.)

Don't get me wrong, I'm a great OpenBSD fan and run it on my 3 production machines. Still, personally I consider that statement about the two holes more embarassing than impressive.

Re:Just curious...

In other words, if you don't upgrade unless/until a new remote root exploit is found, you still have to worry about local users rooting your box (and don't forget that there typically are users like "www" etc. even when no actual person besides you has an account on the box; not a big problem for a firewall, most likely, but servers in general aren't automatically safe), and you still have to worry about remote priviledge escalation, remote denials of service and the like, too.

True, but you should also read about PrivSep [umich.edu], W^X, security levels [openbsd.org], systrace [openbsd.org] and other important security mechanisms that mitigates those risks (while not entirely eliminating them). All of these (and more) make a well-configured OpenBSD machine a very tough nut to crack. So to speak.

To me, the best thing about OpenBSD is not that it is perfectly secure (that can't be achieved) but that security is taken seriously and all this mechanisms are activated by default. The excellent documentation, especially manual pages vs the GNU unreadable info pages mess, and reactive developper community are also big pluses in my book.

Yea, but...

Yea, but does it run Linux? Oh wait....

Re:Yea, but...

Sysjail has a nice feature, where you can run everything inside the jail via a foreign system call framework. This means you can set up a sysjail on OpenBSD containing a complete Linux-compiled userland, and users can access it without ever being aware that it's not Linux unless they try to load a kernel module (or use a system call that isn't emulated).

2 remote holes in default install

so does this mean when i install my bick OS which defaults to turning off your NIC's, i will be able to claim my security is better then anyones?

Downloads

Why not a link to the .iso download page in the article?
(Yes, that was annoyed sarcasm). I'd rather donate to the project and download an image than get one shipped, I can't believe OpenBSD is still refusing to provide Official ISOs.

Re:Downloads

You can download a very small minimal iso and do a net install. I did it this evening -- the core system is pretty small, and comes down quickly. It's not as inconvenient as you might think.

Re:Downloads

Why don't people understand that the world of ISOs isn't practical
for EVERYTHING? They're not "refusing" anything, the OpenBSD people
provide an easy manner to obtain and install OpenBSD via ftp.

For beginners, and for people who don't understand try looking here:

http://www.openbsd101.com/ [openbsd101.com]

The above site is Linux user friendly.

Re:Downloads

Why not a link to the .iso download page in the article?

For the same reason Linux kernels, and any other files aren't directly linked in /. articles.

Just for you: ftp://ftp5.usa.openbsd.org/pub/OpenBSD/4.1/i386/cd 41.iso [openbsd.org]

I can't believe OpenBSD is still refusing to provide Official ISOs.

Creating an ISO is positively trivial. The file system layout is exactly the same as the FTP tree. Just be sure to make it bootable with mkisofs -b, or whatever "bootable" check-box your Win32 CD burner program has...

Not to mention that there are dozens of different ways to install, and a bootable CD is rarely the most convenient. FTP install is quite handy.

It's only for non-x86 systems that creating bootable CDs is somewhat difficult. And even there, I'd much rather create my own multiple system CD than download an x86 ISO, an Alpha ISO, a Sparc ISO, and burn each to several different (mostly-empty) CDs.

OpenBSD 4.1 Release Song

You mustn't exclude the OpenBSD 4.1 Release song from this article!

http://www.openbsd.org/lyrics.html [openbsd.org]
ftp://ftp.openbsd.org/pub/OpenBSD/songs/song41.mp3 [openbsd.org]

OpenBSD 4.1 Release Song

The OpenBSD 4.1 Release Song can be found at the OpenBSD Multimedia Resources List [mavetju.org].

The list is using the same sources as the other *BSDs Multimedia Resources Lists [mavetju.org] :-)

3 Years and Counting

I setup an OpenBSD box about 3 years ago. It has multiple gigE's and processes a reasonably tough load of network traffic 24 hours a day, even today. It has never ever crashed! it is not just crash proof, it simply doesn't give any other problems of any kind whatsover, heck I dont even know what to write in this darned comment!

Thanks for this. OpenBSD is rock solid!

But...

But.... does it have UAC?

No ISO policy

While I hear great things about OpenBSD, and realize it is for a niche market where stability and security are the number one concern, it seems to me that more people would check it out and use it, if not for this policy:

"The OpenBSD project does not make the ISO images used to master the official CDs available for download. The reason is simply that we would like you to buy the CD sets to help fund ongoing OpenBSD development. The official OpenBSD CD-ROM layout is copyright Theo de Raadt. Theo does not permit people to redistribute images of the official OpenBSD CDs. As an incentive for people to buy the CD set, some extras are included in the package as well (artwork, stickers etc).

Note that only the CD layout is copyrighted, OpenBSD itself is free. Nothing precludes someone else from downloading OpenBSD and making their own CD. If for some reason you want to download a CD image, try searching the mailing list archives for possible sources. Of course, any OpenBSD ISO images available on the Internet either violate Theo de Raadt's copyright or are not official images. The source of an unofficial image may or may not be trustworthy; it is up to you to determine this for yourself."

Now, FTP installs are pretty slick in these days of prevalent high speed; still, it seems a bit silly and arbitrary to intentionally restrict ISO distribution, to try and sell a few discs. The people who are willing to pay, would buy regardless of a free ISO being available (corporations and IT departments like having the official discs, and such).

I guess more than anything, this policy stikes me as a bit of "attitude", which turns me off the distribution, more than the mild inconvenience of not having ISO's readily available.

Re:No ISO policy

I understand your frustration with the policy and the attitude that it might imply but let me show you the other side of the story. The OpenBSD team works very hard to produce these releases and get little support in the form of donations from large companies that use pieces of the operating system. Theo De Raadt asked Sun for a donation for one of his hackathons and was not even given the time of day. He was not even answered which is tantamount to a 'no.' Given that OpenBSD provided extensive assistance to Sun in the integration of OpenSSH and voluntarily reported bugs in Sun's version (as well as others), I think it really would have been no skin off of Sun's back to provide a donation. The principle form of income for the project to function comes from sales of OpenBSD CD-ROMS. You could still make your own ISO, but please keep in mind the hard work of this project. Honestly, 50.00 is a drop in the bucket and you help keep the future of a good project stable.

Re:No ISO policy

Have you priced the official disks? Have you ever used OpenSSH? If so, have you ever given anything back to the creators and maintainers of OpenSSH (OpenBSD)?

    This attitude pisses me off. If you were actually using OpenBSD, you'd be willing to fork over a few buck to get the disks. But you're not using it. The amount of time spent to produce such a high quality OS is worth the money in my book.

    The other thing that pisses me off is that OpenBSD doesn't have a millionaire patron. But they do have Sun, Cisco, etc shipping their software (OpenSSH) withouth even bothering to contribute to the foundation. Kinda cheap, huh? Maybe that's why they charge for their install disks.

    You clearly know nothing about OpenBSD.

quick say something negative about OpenBSD ..

I really like OpenBSD except for, they don't make their own ISO images, they disown you if you install Edgy and er .. they don't make their own ISO images .. :)

OpenBSD wishlist

I've had a look at OpenBSD and while it is indeed very encouraging to have an OS that is secure without tweaking, as opposed to one where you have to know about, and disable, everything that could be a risk, there are still a few things that trouble me. a)If you want to follow the stable branch you need to compile from source. The OpenBSD developers correctly discourage you from compiling from source as it is more likely to break things, yet it is required for teh stable branch, which is annoying. b)The install is a bit complicated, especially if you are going to compile from source ( which you have to if you want to follow the stable branch ). There is quite a lot of work required here to get a system that is "secure by default". c)The price of the CD images. Yes, I know this is in order to fund the project, but it only really affects new users since those who have been using OpenBSD for some time are probably fine with the net-install or will donate money anyway. This policy hits new users, and if you don't really want to spend a lot of money on a system just to try it, this leaves you with an even more complicated install procedure. Maybe it could be an idea to have a "minimal" install CD for the very basics of the system, and then charge for the rest of the stuff. Most of these problems seem to be down to limited resources rather than the capabilities of the OpenBSD team. I don't really care much about the license policy, because quite frankly its their project and they are free to license it as they like. Personally I prefer the GPL for things I would write myself, but as a user having less restrictions is never a bad thing. All in all it's a nice project and I will probably try it out once I get some more experience with *NIX systems. For now I will stick with my Debian install however.

Elegy for *BSD

Elegy For *BSD

I am a *BSD user
and I try hard to be brave
That is a tall order
*BSD's foot is in the grave.

I tap at my toy keyboard
and whistle a happy tune
but keeping happy's so hard,
*BSD died so soon.

Each day I wake and softly sob
Nightfall finds me crying
Not only am I a zit faced slob
but *BSD is dying.

Xen?

Does anyone know the status of OpenBSD as a guest OS under Xen? Are we likely to see this any time soon?

Re:who cares?

Why do we care, because now people can use the code hex09f91102... oh have we moved on already?

No idea, they make a nice SSH program though.

Re:Yea but....

...does it run Linux? Oh wait...

Of course it does.

It runs Linux binaries directly, like all the BSDs.

It also has Qemu, Bochs, BasiliskII, GXEmul, etc. in ports, on which Linux will no-doubt run.

Insert "In Soviet Russia" "Beowulf Cluster" "I read that as" "??? Profit" and any other completely mindless /. cliches.

Re:Yea but....

It is not rainning in Sea... Oh never mind.

Re:who cares?

Well, if that is the case then I must be that kid in the movies because I see dead OSs on lots of my servers.

Re:Sad, but predictable

petrus4, I need your help. My BSD mentor has pretty much disowned me because a few weeks ago I installed Edgy on some old box I had lying around. (At the university I work for, outside of the user space, there is Windows, Solaris, and Linux servers. Linux is by far the most prevalent, and I figured it was time I stopped excluding myself from possible income sources.) What's the big deal? The penguinistas have become a lot less annoying in the last couple years about their cause, and Linux is progressing towards a stately adolescence. I guess what I'm asking is... where are the problems with linux that aren't in BSD? Is it lack of standardization? Or are there specific things that should work that were broken in linux? Why do hard-core admins scoff at linux?

Re:Sad, but predictable

I have to ask, Linux users...when are you going to stop making yourselves so easy to hate?

Don't tar all Linux users with the same trollbrush. There are a very few people on both sides who like to stir the old Linux vs. BSD shit for absolutely no good reason other than to rile the "other side". A lot of us also use a BSD, like it, and see the virtues of both OS families without the need to sling mud. I use predominantly Linux on the desktop, not because I hate Windows, but because I genuinely like Fedora Core. Strange, eh?! I also use FreeBSD on my server because it's a good OS for that purpose and I dislike monoculture. Why fight?

Re:So

C'mon, we do not want to start the old song again. You know, most first Linux drivers were ported over from BSD.

Development of both BSD & Linux isn't commercialized - so word "lifted" is unfit here. It is more about "exchange of ideas" [canonical.org] ;)