BSD Operating Systems

OpenBSD 3.2 Available 331

fredrikv writes "Right on time, the files defining OpenBSD 3.2 have moved away from "snapshots" to the 3.2 directory of the OpenBSD mirrors. It is well known as the world's most secure operating system and now sports chroot'd Apache, fewer suid binaries, cool pictures for xdm-logins, a brilliant "antispoof" packet filtering rule and as usual includes lots of small updates and fixes. The files are there. What are you waiting for?"
This discussion has been archived. No new comments can be posted.

  • by LordHunter317 ( 90225 ) <askutt@NOsPaM.gmail.com> on Friday November 01, 2002 @01:02PM (#4578713)
    Download the sources. Burn on a CD. There you go.

    If you want it bootable, that's also fairly easy to pull off as well. Just have it boot to the floppy image.

    Otherwise, buy a CD.. we need the money.
  • Re:OpenBSD questions (Score:3, Informative)

    by Karamchand ( 607798 ) on Friday November 01, 2002 @01:05PM (#4578733)
    ad 1.) In this interview [kerneltrap.org] with pf developer Daniel Hartmeier he talks a bit about performance.
  • Re:FreeBSD (Score:5, Informative)

    by c13v3rm0nk3y ( 189767 ) on Friday November 01, 2002 @01:06PM (#4578747) Homepage
    I've always been a fan of FreeBSD. How does OpenBSD compare?
    Try this link [bsdtoday.com]. There are a bunch of FAQs, some of them directly compare *BSD, Linux &etc.
  • Re:FreeBSD (Score:4, Informative)

    by CoolVibe ( 11466 ) on Friday November 01, 2002 @01:08PM (#4578763) Journal
    Depends on what you want to do. FreeBSD is better suited as a workstation or a high-performance server. OpenBSD does great for bastion-hosts and firewalls.
  • Re:FreeBSD (Score:5, Informative)

    by Ryvar ( 122400 ) on Friday November 01, 2002 @01:13PM (#4578806) Homepage
    Short Answer:
    OpenBSD has less 'nice' functionality, slightly less performance tuning, and no SMP support.

    On the other hand it has an extremely well-audited source tree (by largely the same developers as OpenSSH), SoftUpdates, the new systrace work, an excellent brand new packetfilter that has yet to fail to impress from either a security or speed standpoint . . .

    OpenBSD isn't really so much the most secure OS in the world as it is in many situations the most secure OS on the x86. For most of us around here, that's probably close enough as makes no odds.

    The last release (in a bug that affected the prior release as well) had an OpenSSH issue in the default installation that became the first remote compromise for the default installation in nearly 5 years of the operating system. Admittedly, most things are turned off by default (although I wish a few more - portmap, inetd). Because of this and a few other errata, 3.2 has been looked forward to for a long time.

    To sum, you have a stripped-down no-nonsense OS with all of the unnecessary crap tossed out of the default installation and available as ports and packages to those that want it. The perfect OS for those who want a secure router, and/or single/few-function server. This isn't an appropriate choice if you need more than a commandline, really, and there's a fair amount of pride amongst the user community over that.
  • Re:*BSD (Score:5, Informative)

    by c13v3rm0nk3y ( 189767 ) on Friday November 01, 2002 @01:13PM (#4578810) Homepage
    ...is OpenBSD recommended as an internet server over all of the other distros?

    Depends who you talk to ;)

    A good place to start is here [openbsd.org], to find out what the intentions of the OBSD project are. Then check out the OpenBSD Journal [deadly.org] to see what people do with it.

    My two cents: OBSD really shines as a secure inet server. Things like httpd, sshd, firewalling, bridging, routing. People do use it as a desktop, but IMHO it is not as desktop-friendly as FreeBSD. *shrug* I run it basically headless, as does everyone I know.

    Then again, a cutting-edge desktop system is not a primary concern of the OBSD project.

  • Re:I'm waiting (Score:4, Informative)

    by questionlp ( 58365 ) on Friday November 01, 2002 @01:15PM (#4578837) Homepage
    Maybe not quite what you are looking for, but there is the infamous Linux Compatibility mode [openbsd.org] for OpenBSD (as well as FreeBSD and NetBSD) that will allow you to run many Linux applications. OpenBSD also supports the Ext2 file system (again, same with FreeBSD and most likely NetBSD).
  • Re:*BSD (Score:4, Informative)

    by c13v3rm0nk3y ( 189767 ) on Friday November 01, 2002 @01:17PM (#4578858) Homepage

    Java 1.3 is not "production" ready on any BSD, AFAIK. I've looked into this quite a bit, and even ported an app to FreeBSD.

    They have recently been blessed by Sun to provide a native version of the JDK (the previous versions ran in linux_compat mode), but it is not considered production-ready by the developers.

    Our customer threw caution to the wind, and has been running our app for a year or so now on FreeBSD. So far, so good. We _did_ QA it. Sheesh.

    OpenBSD Java support is still (again, AFAIK) a tweaker's domain. If you need official J2EE, go with Linux (or one of those "others").

  • by Anonymous Coward on Friday November 01, 2002 @01:26PM (#4578917)
    > What are you waiting for?

    SMP Support.
  • by jfedor ( 27894 ) <jfedor@jfedor.org> on Friday November 01, 2002 @01:31PM (#4578958) Homepage
    ftp://ftp.openbsd.org/pub/OpenBSD/songs/song32.ogg [openbsd.org] (please use a mirror)

    This time it's a Bond-movie theme, which matches the new logo [openbsd.org].

    -jfedor
  • by Anonymous Coward on Friday November 01, 2002 @01:34PM (#4578980)
    As for the OpenBSD project, there are some nice 3.2 goodies; you can order them now


    Support the OpenBSD developers by getting a
    3.2 CD $40 [openbsd.org] or for Europe EUR 45 [openbsd.org]


    The new 3.2 poster [openbsd.org] is very nice too, get it for [openbsd.org]
    $10 US or EUR 14 in Europe [openbsd.org] The European size is 70x100 cm

  • by fmbraga ( 51582 ) on Friday November 01, 2002 @01:46PM (#4579075)

    You'll need at least 32MB if you will install OpenBSD. Could be 16MB, but you'll have to turn swap on during install, as the Installation Guide will tell you.

    Just be careful to read it, and you'll be running OpenBSD in less than 20 minutes.

  • by c13v3rm0nk3y ( 189767 ) on Friday November 01, 2002 @01:48PM (#4579093) Homepage

    Well, this is a hardship only because you want to dual-boot, I'm guessing. Otherwise, you just partition and mount so that / is on the first 8Gb slice.

    There are third-party boot managers that do magic to allow booting to happen from almost anywhere, for almost any OS. I don't know if it works with OBSD or not.

    I've only run OBSD stand-alone on headless edge boxes, so I've never worried my pretty little head about the 8Gb limit. I'm assuming most folks who pay for the CDs every 6 months or so feel the same way. Well, that and the stickers. The stickers rule.

  • 6 months (Score:2, Informative)

    by azimir ( 316998 ) on Friday November 01, 2002 @01:56PM (#4579172) Homepage
    6 Months,

    Every 6 months there is an OpenBSD release.
    Every time they add .1 to the release number.
    It is as simple as that.
  • by cant_get_a_good_nick ( 172131 ) on Friday November 01, 2002 @02:03PM (#4579232)
    From the openbsd man pages:
    pf.conf(5) [openbsd.org]
    pfctl(8) [openbsd.org]
    pf(4) [openbsd.org]
  • Re:FreeBSD (Score:2, Informative)

    by Anonymous Coward on Friday November 01, 2002 @02:15PM (#4579319)
    On the other hand it has an extremely well-audited source tree (by largely the same developers as OpenSSH), SoftUpdates,
    FreeBSD has softupdates too.

    Admittedly, most things are turned off by default (although I wish a few more - portmap, inetd)
    portmap is turned off by default in OpenBSD 3.2.

    The perfect OS for those who want a secure router, and/or single/few-function server.
    my OpenBSD workstation runs the same apps i need to work as my linux workstation does, and that is quite a few apps, yes i do real work.

    This isn't an appropriate choice if you need more than a commandline, really,
    X works fine in OpenBSD and i bet most users who use OpenBSD use X on OpenBSD desktops and commandline on *all* their Unix servers, regardless of flavour (why should a dedicated webserver/firewall/database need X running?).

  • by fries ( 14958 ) <todd@fries.net> on Friday November 01, 2002 @02:32PM (#4579434) Homepage Journal
    ... couldn't make it through the 'Lameness filter'.

    Please go to http://deadly.org where they did make it through.
  • OpenBSD use. (Score:2, Informative)

    by azimir ( 316998 ) on Friday November 01, 2002 @02:32PM (#4579438) Homepage
    Warning: OpenBSD camp follower talking!

    It has been over two years (since 2.7, actually) since OpenBSD sucked me in with its simplicity, security and *good* documentation.

    In that time I have never started Xwindows on an OpenBSD machine. There is no need.

    OpenBSD has been a solid firewall, router, bridge, MX, DNS server, NIS, NFS, Web, SSH/SCP/SFTP machine with nary a GUI to be seen.

    With 3.2 they have finally done superb work with locking down services. This is even extended to services that are not on by default, such as apache. They have also gotten rid of that annoying /etc/nat.conf file! Time for a round of upgrades.
  • Re:Most Secure OS (Score:2, Informative)

    by TheOneEyedMan ( 151703 ) on Friday November 01, 2002 @02:44PM (#4579548)
    But they don't weight the percentages by number of users.
    "Most of the known software vulnerabilities announced in 2002 affected Microsoft Windows (44%) followed by Linux (19%), BSD (9%) and Sun Solaris (7%). By comparison only 0.5% of the vulnerabilities announced in 2002 affected SCO Unix, and 1.9% affected Mac OS and Compaq Tru64 systems respectively."

    It might be that no one is noticing mac or BSD flaws because many fewer people care. A straight line weighting doesn't make sense either. We should expect a diminishing marginal return on eyeballs. The point is that this overstates Linux and Windows bugs and understates the others (actually I don't know usage rates on Linux but I assume it is the third most used OS.)

  • by glenmark ( 446320 ) on Friday November 01, 2002 @03:03PM (#4579720) Homepage

    VMS is architected such that overflowing data cannot be executed (i.e. doesn't get passed along to the shell). As far as the kernel level code itself is concerned, overflows don't occur in the first place due to the universal use of descriptors to pass data to system-level calls.

    The complete OpenVMS doc set is available on the web from a link at http://www.openvms.compaq.com [compaq.com]. There are also several good books on OpenVMS internals, with links to info on them available at the same place.

  • Re:yes, we need SMP (Score:5, Informative)

    by bmajik ( 96670 ) <matt@mattevans.org> on Friday November 01, 2002 @03:31PM (#4579940) Homepage Journal
    There's little reason for SMP in openbsd

    1) It makes security that much harder. Think /tmp race conditions are bad? How about race conditions in the kernel? How about the fact that not even Intel is consistent in their docs on how two x86 chips re-order operations and maintain cache coherence in some situations.

    2) 99% of the software on openBSD is fork/exec anyway. You might as well use asymmetric multi-processing, or, better yet, buy 3 uni-proc boxes for the price of a dual proc box, and partition your load accordingly.

  • by Anonymous Coward on Friday November 01, 2002 @04:39PM (#4580358)
    Well, I added printing (and data entry)
    for arbitrary units (ie - m, g, k, b, c (cylinders)) to fdisk a while back, so
    a calculator should not be necessary anymore.

    just do a "p m" in fdisk like you used to do in disklabel.
  • Re:OpenBSD questions (Score:2, Informative)

    by BitHive ( 578094 ) on Friday November 01, 2002 @05:53PM (#4581071) Homepage
    Quoth Daniel Hartmeier, the author of pf:
    To prevent attackers from tearing down connections, for instance with spoofed RSTs, the packet filter checks the sequence numbers in each TCP packet. Only the two peers involved in the connection (and the hops in between them) know the right sequence numbers, as initial sequence numbers are generated randomly (or should be, rather, but pf can also randomize sequence numbers for hosts that have predictable ISN generators).

    The goal in sequence number comparison is to allow only a minimal window of values through. This is not as easy as it may appear from studying perfect examples of TCP connections. In reality, packets can get lost and are retransmitted, packets take different routes and may arrive in different order than they were sent, etc.

    Guido's work shows how to keep lower and upper bounds on the sequence numbers given only the (incomplete) information the packet filter has, with a precision and beauty similar to the one you can find in a mathematic proof.
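
The sequence-number bounds check described in the comment above, as an added example that is not part of the thread and is not pf's own code: a simplified per-connection model that keeps a lower and an upper bound for each peer and rejects segments outside them. The struct and function names, the `MAX_ACK_SKEW` tolerance and the connection numbers in `demo` are assumptions constructed for illustration; window scaling is not modelled.

```c
#include <stdbool.h>
#include <stdint.h>

#define MAX_ACK_SKEW 65535     /* assumed tolerance for stale or early ACKs */

struct peer {                  /* what the filter remembers about one endpoint */
    uint32_t seqlo;            /* next sequence number this peer should send */
    uint32_t seqhi;            /* highest sequence the other side permits (ack + win) */
    uint16_t max_win;          /* largest window this peer has advertised */
};

struct seg { uint32_t seq, ack; uint16_t len, win; };

/* a >= b in 32-bit sequence space, correct across wraparound */
static bool seq_geq(uint32_t a, uint32_t b) { return (int32_t)(a - b) >= 0; }

/* Accept a segment sent from src to dst only if it fits both bounds,
 * then tighten the tracked state with what the segment revealed. */
bool seg_in_window(struct peer *src, struct peer *dst, const struct seg *s)
{
    uint32_t end = s->seq + s->len;
    int32_t ackskew = (int32_t)(dst->seqlo - s->ack);

    if (!seq_geq(src->seqhi, end))
        return false;          /* data beyond what dst's window allows */
    if (!seq_geq(s->seq, src->seqlo - dst->max_win))
        return false;          /* older than any plausible retransmission */
    if (ackskew < -MAX_ACK_SKEW || ackskew > MAX_ACK_SKEW)
        return false;          /* ACK far from what dst has actually sent */

    if (seq_geq(end, src->seqlo))
        src->seqlo = end;
    if (s->win > src->max_win)
        src->max_win = s->win;
    if (seq_geq(s->ack + s->win, dst->seqhi))
        dst->seqhi = s->ack + s->win;
    return true;
}

/* Constructed state: client will send seq 1000 next, server seq 5000;
 * client advertised a 4096-byte window, server 8192. Returns 1 if a
 * client-to-server segment with the given fields would be passed. */
int demo(uint32_t seq, uint32_t ack, uint16_t len)
{
    struct peer client = { 1000, 1000 + 8192, 4096 };
    struct peer server = { 5000, 5000 + 4096, 8192 };
    struct seg s = { seq, ack, len, 4096 };
    return seg_in_window(&client, &server, &s);
}
```

A segment such as a forged RST passes only if its sequence and acknowledgment numbers land inside these bounds, which an off-path sender has to guess; in-order data and a recent retransmission both pass.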
  • by PapaZit ( 33585 ) on Friday November 01, 2002 @07:14PM (#4581569)
    NetBSD is (as far as I know) the ONLY one of the BSDs that ships with NO open services in the default install.

    Y'know how OpenBSD used to brag about "X years without a remote root exploit in the default install"? These days, it's NetBSD that carries the "longest since remote root in default" banner, and they'll continue to have it (though they're a bit too understated to brag about it) until OpenBSD turns off incoming SSH and RPC.

    Think that's a silly argument? Check your nearest OpenBSD box. Is it running RPC? Does it need to be? Isn't "turn off unnecessary services" one of the fundamentals of securing a box?
  • by Transcendent ( 204992 ) on Saturday November 02, 2002 @01:11AM (#4582630)
    microbsd.net

    not quite OpenBSD, but it's a BSD that fits on a coupla floppys.
  • by Electrum ( 94638 ) <david@acz.org> on Saturday November 02, 2002 @05:20AM (#4583135) Homepage
    Try ClosedBSD [closedbsd.org], a FreeBSD based firewall. It rocks.
