Forgot your password?
typodupeerror
Operating Systems Software Upgrades BSD

OpenBSD 4.1 Released 218

Posted by kdawson
from the hot-bits dept.
adstro writes to quote from the BSD mailing list: "We are pleased to announce the official release of OpenBSD 4.1. This is our 21st release on CD-ROM (and 22nd via FTP). We remain proud of OpenBSD's record of ten years with only two remote holes in the default install. As in our previous releases, 4.1 provides significant improvements, including new features, in nearly all areas of the system."
This discussion has been archived. No new comments can be posted.

OpenBSD 4.1 Released

Comments Filter:
  • Just curious... (Score:5, Interesting)

    by darnok (650458) on Wednesday May 02, 2007 @03:49AM (#18953491)
    My OpenBSD firewall box is several years old now (version 3.x), just keeps working and probably will until the 8yo hardware finally dies. Although I'm interested in the features in 4.1, and congratulate the developers on what'll doubtless be another good release, ultimately I'll probably stick with my existing setup. I *love* OpenBSD, for precisely one reason; it does what it's supposed to, and in my experience it *never* fails. However, I'm very unlikely to upgrade to any new version; why change something that works perfectly?

    For those of you using OpenBSD, how many of you are in a similar situation?
    • I recently upgraded my firewall from a 3.x to 4.0 because the version I was running had a bug that didn't allow ALTQ rules to be unloaded from pf.

      Now, the standard kernel is too big. Programs keep running out of memory. The machine is from, like, 1993. It's a 75MHz Pentium with 16MB of RAM.

      Oops.
      • by udippel (562132)
        The machine is from, like, 1993. It's a 75MHz Pentium with 16MB of RAM.

        Just drop by, I'll have another 16MB of EDO RAM for you; and you'll be fine (the 75 MHz Pentium is very much okay, even on 4.X).
      • Have you tried building a new kernel? The default is intended to support most hardware. For a limited platform, I would recommend that you make an absolutely minimal kernel config and use that; I do for a Geode box I own, and it's a 266MHz chip with 64MB of RAM...
        • Yes, I was going to, but then I messed up the system I was building it on when I unpacked the kernel source. I haven't gotten around to trying again. (Luckily it was a virtual machine.)
    • Re: (Score:3, Insightful)

      by asninn (1071320)

      However, I'm very unlikely to upgrade to any new version; why change something that works perfectly?

      Because holes continue to be found in every version and because old versions do not receive fixes anymore. There's only been two remote holes, of course, but there's an emphasis on both "remote" *and* "holes" here - and also an emphasis on "root", which unfortunately isn't even included in the slogan.

      In other words, if you don't upgrade unless/until a new remote root exploit is found, you still have to

      • Re:Just curious... (Score:4, Interesting)

        by Noryungi (70322) on Wednesday May 02, 2007 @09:22AM (#18955619) Homepage Journal

        In other words, if you don't upgrade unless/until a new remote root exploit is found, you still have to worry about local users rooting your box (and don't forget that there typically are users like "www" etc. even when no actual person besides you has an account on the box; not a big problem for a firewall, most likely, but servers in general aren't automatically safe), and you still have to worry about remote priviledge escalation, remote denials of service and the like, too.

        True, but you should also read about PrivSep [umich.edu], W^X, security levels [openbsd.org], systrace [openbsd.org] and other important security mechanisms that mitigates those risks (while not entirely eliminating them). All of these (and more) make a well-configured OpenBSD machine a very tough nut to crack. So to speak.


        To me, the best thing about OpenBSD is not that it is perfectly secure (that can't be achieved) but that security is taken seriously and all this mechanisms are activated by default. The excellent documentation, especially manual pages vs the GNU unreadable info pages mess, and reactive developper community are also big pluses in my book.


    • by toadlife (301863)

      "it does what it's supposed to, and in my experience it *never* fails"

      That was my experience too, until I accidentally typed `postsuper -r all|postfix reload` instead of `postsuper -r all;postfix reload` on my Open BSD 3.5/postfix box. It caused a Kernel panic.

      Other than that, the box ran without a problem for 2.5 years straight.
      • by drsmithy (35869)

        That was my experience too, until I accidentally typed `postsuper -r all|postfix reload` instead of `postsuper -r all;postfix reload` on my Open BSD 3.5/postfix box. It caused a Kernel panic.

        If that's what actually happened (ie: you didn't coincidentally get hit by a cosmic ray at exactly the same time) it's a pretty serious bug. Is it repeatable ?

        • by toadlife (301863)
          Yes, it was repeatable. I tried it again to verify that it was not a coincidence. The box no longer even exists and at the time I didn't report it to the OpenBSD folks.

          If you want to try it it, was OpenBSD 3.5 and postfix 2.x, spamassassin and amavisd. Maybe I install it in aspare box try to repeat it and do the right thing and report it.
    • by Niten (201835)

      I'm upgrading to 4.1 because now the generic kernel allows my PowerMac G4 router/server to restart automatically in the event of a power failure. But frankly, I probably would have upgraded anyway: otherwise, it would be difficult for me to justify buying the CD and supporting the project, wouldn't it? :P

    • Re: (Score:3, Interesting)

      by raddan (519638)
      I would do the same, but we are affected by some of OpenBSD's recent patches. While it's true that there are only 2 remote holes in the default install in 10 years, there are other bugs like denial of service, database corruption, and local privilege escalation that would have affected us. I've backported a few easy patches to some of the machines that are difficult to take down for maintenance, but in general we make the effort to upgrade every other release.

      OpenBSD is great because maintenance is muc
  • Yea, but... (Score:4, Funny)

    by Heembo (916647) on Wednesday May 02, 2007 @03:53AM (#18953515) Journal
    Yea, but does it run Linux? Oh wait....
    • Re: (Score:3, Informative)

      by LizardKing (5245)

      To which the stock answer is, yes OpenBSD does run Linux - Linunx binaries at any rate (linux_compat(8) [openbsd.org]). I don't know about OpenBSD, but on NetBSD this works very well. Before a native JDK 1.4.2 was available for NetBSD I ran the Linux binaries of it under emulation.

      • Re:Yea, but... (Score:5, Interesting)

        by TheRaven64 (641858) on Wednesday May 02, 2007 @08:03AM (#18954731) Journal
        Sysjail has a nice feature, where you can run everything inside the jail via a foreign system call framework. This means you can set up a sysjail on OpenBSD containing a complete Linux-compiled userland, and users can access it without ever being aware that it's not Linux unless they try to load a kernel module (or use a system call that isn't emulated).
  • so does this mean when i install my bick OS which defaults to turning off your NIC's, i will be able to claim my security is better then anyones?
  • Downloads (Score:4, Interesting)

    by dleigh (994882) on Wednesday May 02, 2007 @04:01AM (#18953551) Homepage
    Why not a link to the .iso download page in the article?
    (Yes, that was annoyed sarcasm). I'd rather donate to the project and download an image than get one shipped, I can't believe OpenBSD is still refusing to provide Official ISOs.
    • Re: (Score:3, Insightful)

      by geminidomino (614729) *
      That's the one thing that's hindered my using it, too.

      Keeping in mind who we're dealing with, though, I don't see it changing any time soon.
    • Re:Downloads (Score:5, Informative)

      by astrashe (7452) on Wednesday May 02, 2007 @04:05AM (#18953579) Journal
      You can download a very small minimal iso and do a net install. I did it this evening -- the core system is pretty small, and comes down quickly. It's not as inconvenient as you might think.

      • You can also download the installation packages, burn those to a CD, and that along with the installation CD to do an offline install.

        Or you could burn the packages to a CD and then boot bsd.rd.
        • It's still making you jump through hoops for no obvious benefit. SuSe does something similar (or did last time I looked) it was enough to nudge me towards RH.
      • by kestasjk (933987)

        You can download a very small minimal iso and do a net install. I did it this evening -- the core system is pretty small, and comes down quickly. It's not as inconvenient as you might think.

        Yeah, but if you do that you won't be able to stick your install CD into a music player any time you like and play the "Puffy Baba and the 40 Vendors" [openbsd.org] 4.1 song.
    • Re:Downloads (Score:5, Informative)

      by Anonymous Coward on Wednesday May 02, 2007 @04:08AM (#18953591)
      Why don't people understand that the world of ISOs isn't practical
      for EVERYTHING? They're not "refusing" anything, the OpenBSD people
      provide an easy manner to obtain and install OpenBSD via ftp.

      For beginners, and for people who don't understand try looking here:

      http://www.openbsd101.com/ [openbsd101.com]

      The above site is Linux user friendly.
      • by shish (588640)

        Why don't people understand that the world of ISOs isn't practical for EVERYTHING? They're not "refusing" anything, the OpenBSD people provide an easy manner to obtain and install OpenBSD via ftp.

        Can I still do an FTP install if I can't get online?

        • by jcgf (688310)
          No, but if you can't get online, you can't download the iso if it were available either.
      • Why don't people understand that the world of ISOs isn't practical
        for EVERYTHING?

        Why, precisely, would complete (rather than minimal) official ISOs not be practical for OpenBSD? Yes, clearly, there are workarounds and alternatives of various complexities, including a fairly straightforward method to roll-your-own complete install disks, none of which indicate that complete ISOs would be impractical.

        The issue isn't "everything", its OpenBSD 4.1, and I certainly don't see any reason to think that complete IS

    • Re:Downloads (Score:5, Informative)

      by evilviper (135110) on Wednesday May 02, 2007 @04:44AM (#18953725) Journal

      Why not a link to the .iso download page in the article?

      For the same reason Linux kernels, and any other files aren't directly linked in /. articles.

      Just for you: ftp://ftp5.usa.openbsd.org/pub/OpenBSD/4.1/i386/cd 41.iso [openbsd.org]

      I can't believe OpenBSD is still refusing to provide Official ISOs.

      Creating an ISO is positively trivial. The file system layout is exactly the same as the FTP tree. Just be sure to make it bootable with mkisofs -b, or whatever "bootable" check-box your Win32 CD burner program has...

      Not to mention that there are dozens of different ways to install, and a bootable CD is rarely the most convenient. FTP install is quite handy.

      It's only for non-x86 systems that creating bootable CDs is somewhat difficult. And even there, I'd much rather create my own multiple system CD than download an x86 ISO, an Alpha ISO, a Sparc ISO, and burn each to several different (mostly-empty) CDs.
      • Re: (Score:3, Informative)

        by kestasjk (933987)

        Creating an ISO is positively trivial. The file system layout is exactly the same as the FTP tree. Just be sure to make it bootable with mkisofs -b, or whatever "bootable" check-box your Win32 CD burner program has...
        If that's too challenging you can also burn the minimal ISO, and burn the install files to another CD. Boot up off the minimal ISO, then use the second CD as the source for the installation tarballs.
        • by evilviper (135110)
          Now that's a huge waste of CDs, and really no easier, since you still have to get the layout right, and the like.
      • Re: (Score:2, Informative)

        by turing_m (1030530)
        Or you could download everything in the ftp directory on another computer, host it locally, and install from there. Quicker and you don't waste a CDR.
    • Re: (Score:3, Insightful)

      by LizardKing (5245)

      Why don't you download the floppy boot images, do a net install and save having to waste a CDR?

      The reason official downloadable ISO images are not available is to encourage people to buy the prepackaged CDs. The revenue from these sales is a significant reason why OpenBSD continues to flourish, as people like Theo de Raadt have an income that allows them to work full time on the project. Hopefully this will prevent a monoculture of Linux on servers, which in some respects would be as bad as the monoculture

    • by DrSkwid (118965)
      The bootable CD / .tgz packages works very well for me.
      One can choose to download only the parts one needs - i.e. no ports or no X
      You can install via ftp, pxe, cdrom with tgz files on it

      OpenBSD is the fastest installing fully bloated OS I've tried.

      If you need to run Apache 1.x that comes as standard set up to run chrooted in /var/www which saves a bit of fannying about.

      • by udippel (562132)
        milksucks ? Maybe. How about a coffee ? Or was the 'fully bloated' supposed to be funny ? Intentional ?
    • by Niten (201835)

      Well, they have FTP bandwidth bills to pay: I can't imagine that the effect of replacing the bandwidth used to get a minimal boot image and whichever installation sets you select for your specific architecture, with three full-sized CD images, would be negligible.

      If it's that much of a concern for you that you can't get the official installation CD images without buying a physical copy, maybe you could just make a $50 donation to the project and then copy the CDs from a friend (the pre-orders were actuall

  • by Anonymous Coward on Wednesday May 02, 2007 @04:22AM (#18953637)
    You mustn't exclude the OpenBSD 4.1 Release song from this article!

    http://www.openbsd.org/lyrics.html [openbsd.org]
    ftp://ftp.openbsd.org/pub/OpenBSD/songs/song41.mp3 [openbsd.org]

    • by simong (32944)
      Hmm, yes, I think I can sing that:

      #Boo hoo, Linux won't share driver documentation with us, boo hoo boo hoo#

      The last paragraph in the left hand column on that page is frankly nonsense. Linux has more driver support because there are more people working on driver support. I would like to see evidence of any kind that the OpenBSD community has been refused driver documentation which has been given to the Linux community.
      • by Dan Ost (415913)
        If you were to look into it, I think you would find that one of the reasons that Linux has more driver support is because Linux is willing to accept specs under non-disclosure agreements. OBSD developers are not will to do the same since it makes maintenance impossible for anyone who hasn't signed the NDA.

        I'm mostly a Linux user, but I don't buy hardware unless it's supported by OBSD for exactly this reason.

        Looks like it's time for another donation to OBSD.
  • 3 Years and Counting (Score:2, Informative)

    by p0 (740290)
    I setup an OpenBSD box about 3 years ago. It has multiple gigE's and processes a reasonably tough load of network traffic 24 hours a day, even today. It has never ever crashed! it is not just crash proof, it simply doesn't give any other problems of any kind whatsover, heck I dont even know what to write in this darned comment!

    Thanks for this. OpenBSD is rock solid!
  • But... (Score:5, Funny)

    by Arielholic (196983) on Wednesday May 02, 2007 @05:38AM (#18953945)
    But.... does it have UAC?
    • Kind of. It has systrace, which allows the arguments to every system call to be validated before being issued, and either allowed, denied, or allowed with elevated privilege based on a policy. Unlike UAC (or SELinux), it can be enabled on a per-process basis, so you can only use it for the processes you don't trust, or use it for everything, depending on your level of paranoia.
  • No ISO policy (Score:4, Informative)

    by PhotoGuy (189467) on Wednesday May 02, 2007 @07:00AM (#18954325) Homepage
    While I hear great things about OpenBSD, and realize it is for a niche market where stability and security are the number one concern, it seems to me that more people would check it out and use it, if not for this policy:

    "The OpenBSD project does not make the ISO images used to master the official CDs available for download. The reason is simply that we would like you to buy the CD sets to help fund ongoing OpenBSD development. The official OpenBSD CD-ROM layout is copyright Theo de Raadt. Theo does not permit people to redistribute images of the official OpenBSD CDs. As an incentive for people to buy the CD set, some extras are included in the package as well (artwork, stickers etc).

    Note that only the CD layout is copyrighted, OpenBSD itself is free. Nothing precludes someone else from downloading OpenBSD and making their own CD. If for some reason you want to download a CD image, try searching the mailing list archives for possible sources. Of course, any OpenBSD ISO images available on the Internet either violate Theo de Raadt's copyright or are not official images. The source of an unofficial image may or may not be trustworthy; it is up to you to determine this for yourself."


    Now, FTP installs are pretty slick in these days of prevalent high speed; still, it seems a bit silly and arbitrary to intentionally restrict ISO distribution, to try and sell a few discs. The people who are willing to pay, would buy regardless of a free ISO being available (corporations and IT departments like having the official discs, and such).

    I guess more than anything, this policy stikes me as a bit of "attitude", which turns me off the distribution, more than the mild inconvenience of not having ISO's readily available.
    • Re:No ISO policy (Score:5, Informative)

      by DaMattster (977781) on Wednesday May 02, 2007 @07:23AM (#18954457)
      I understand your frustration with the policy and the attitude that it might imply but let me show you the other side of the story. The OpenBSD team works very hard to produce these releases and get little support in the form of donations from large companies that use pieces of the operating system. Theo De Raadt asked Sun for a donation for one of his hackathons and was not even given the time of day. He was not even answered which is tantamount to a 'no.' Given that OpenBSD provided extensive assistance to Sun in the integration of OpenSSH and voluntarily reported bugs in Sun's version (as well as others), I think it really would have been no skin off of Sun's back to provide a donation. The principle form of income for the project to function comes from sales of OpenBSD CD-ROMS. You could still make your own ISO, but please keep in mind the hard work of this project. Honestly, 50.00 is a drop in the bucket and you help keep the future of a good project stable.
      • And the FreeBSD people dont? Or NetBSD? Or K/Ubuntu? Its his work, and its his choice, but i also agree with many its a bit of an 'elitist' attitude, that really isnt necessary. Its not about the cost, its about the attitude.
    • Re:No ISO policy (Score:5, Insightful)

      by LittleLebowskiUrbanA (619114) on Wednesday May 02, 2007 @08:08AM (#18954767) Homepage Journal
      Have you priced the official disks? Have you ever used OpenSSH? If so, have you ever given anything back to the creators and maintainers of OpenSSH (OpenBSD)?

          This attitude pisses me off. If you were actually using OpenBSD, you'd be willing to fork over a few buck to get the disks. But you're not using it. The amount of time spent to produce such a high quality OS is worth the money in my book.

          The other thing that pisses me off is that OpenBSD doesn't have a millionaire patron. But they do have Sun, Cisco, etc shipping their software (OpenSSH) withouth even bothering to contribute to the foundation. Kinda cheap, huh? Maybe that's why they charge for their install disks.

          You clearly know nothing about OpenBSD.
      • The other thing that pisses me off is that OpenBSD doesn't have a millionaire patron. But they do have Sun, Cisco, etc shipping their software (OpenSSH) withouth even bothering to contribute to the foundation.

        *Snicker* Maybe you guys should switch to a GPL license to prevent big companies from selling all that hard work and giving back nothing.

        I joke. I'm glad that the OpenBSD team sticks to their idea of software freedom even when they appear to get taken advantage of.

      • by Raenex (947668)
        So they say their work is free for anybody to use, without payment, and then they get all bitchy when they aren't paid for their work? And they resort to gimmicks like trying to copyright an ISO image?
    • by k1e0x (1040314)
      There is nothing wrong with wanting to make money.. especially if you are working to do it.
    • Well, it is Theo remember.. what else would you expect?
    • by PhotoGuy (189467)
      A followup on my own posting:

      I decided to check out OpenBSD anyway, despite lack of an ISO. I used a Parallel's virtual machine to try an install.

      The baseline netbook fired up, prompted me with a lot of text prompts and manual disk editing (wow, they still do that?), detected the network fine, prompted me for packages, and started downloading them. Great.

      After getting base41.tgz (I think it was), it just sat there. For an hour. Doing nothing.

      So I restarted the install. It hung at the same place.

      No diag

Some people carve careers, others chisel them.

Working...