Forgot your password?
typodupeerror
Operating Systems Security BSD

Why OpenBSD's Release Process Works 310

Posted by timothy
from the those-slides-are-a-bit-dense dept.
An anonymous reader writes "Twelve years ago OpenBSD developers started engineering a release process that has resulted in quality software being delivered on a consistent 6 month schedule — 25 times in a row, exactly on the date promised, and with no critical bugs. This on-time delivery process is very different from how corporations manage their product releases and much more in tune with how volunteer driven communities are supposed to function. Theo de Raadt explains in this presentation how the OpenBSD release process is managed (video) and why it has been such a success."
This discussion has been archived. No new comments can be posted.

Why OpenBSD's Release Process Works

Comments Filter:
  • Is there a transcript? (Don't have time to watch a video...zzz.)
  • by Jailbrekr (73837) <jailbrekr@digitaladdiction.net> on Thursday July 16, 2009 @07:41PM (#28724563) Homepage

    but at least he is stubbornly consistent. Without it, openBSD would not exist in its current fine form.

    That video can serve as a lesson to others on how to manage a project for an extended period of time and keep things consistent and predictable.

    • by Anonymous Coward on Thursday July 16, 2009 @08:03PM (#28724745)

      No wacky and nutty GPL kooks.

      No screaming diatribes over 'purity' of ideology.

      No foaming at the mouth tantrums that someone is using your code and not kissing your fat ugly ass in reverence.

      Over the years I've learned that BSD developers are engineers while GPL developers are ideologues - ie. wackos and nutcases.

      Thank god BSD is well on their way to ridding themselves of GCC and already have the amazing LLVM compiler tech building the system. The efforts the GNU crowd has done to keep open source developers locked into their compiler is sickening from anyone who likes to believe the open source world is some sort of technological marketplace of ideas compared to the Microsoft world.

      Every BSD project I've followed or participated with has been a positive experience due to those types of licensed projects attracting engineers who just want to write good code and want their code to be available and free to everyone to make good use of it.

      • by Anonymous Coward on Thursday July 16, 2009 @08:08PM (#28724779)
        Hi Theo!
      • by Draek (916851) on Thursday July 16, 2009 @09:41PM (#28725393)

        No wacky and nutty GPL kooks.

        But in return you get wacky and nutty BSD kooks.

        No screaming diatribes over 'purity' of ideology.

        You don't know who Theo de Raadt is?

        No foaming at the mouth tantrums that someone is using your code and not kissing your fat ugly ass in reverence.

        You definitely don't know Theo de Raadt.

        The efforts the GNU crowd has done to keep open source developers locked into their compiler is sickening from anyone who likes to believe the open source world is some sort of technological marketplace of ideas compared to the Microsoft world.

        Yeah, how dare they make a superior product, couldn't they have made GCC suck a bit more so the alternatives wouldn't look so bad?

        Every BSD project I've followed or participated with has been a positive experience due to those types of licensed projects attracting engineers who just want to write good code and want their code to be available and free to everyone to make good use of it.

        Same here, and the same goes for GPL'ed projects. In all cases, its the users (and the ocassional Slashdot troll) who make them look bad. Well, except for Theo's yearly foaming-at-the-mouth, but he's such a talented engineer we're ready to let that one pass.

      • Re: (Score:3, Interesting)

        by kelnos (564113)
        This crap is marked insightful? Wow.

        No wacky and nutty GPL kooks.

        No screaming diatribes over 'purity' of ideology.

        You do realise we're discussing an article about Theo de Raadt, right? From what I've read, he's just as much of a BSD kook and idealist as RMS is. Just he gets less flak for it because he (currently, at least) is much more respected for his *engineering* contributions than RMS is.

        Over the years I've learned that BSD developers are engineers while GPL developers are ideologues - ie. wackos and nutcases.

        Wow, so I'm a wacko and a nutcase, and not real engineer? Sorry, not buying it.

        Thank god BSD is well on their way to ridding themselves of GCC and already have the amazing LLVM compiler tech building the system. The efforts the GNU crowd has done to keep open source developers locked into their compiler is sickening from anyone who likes to believe the open source world is some sort of technological marketplace of ideas compared to the Microsoft world.

        Yes, because everyone is just so completely *required* to use gcc. You can't use icc, Sun cc, MSVC, or anythin

    • by Jack9 (11421)

      That video can serve as a lesson to others on how to manage a project for an extended period of time and keep things consistent and predictable.

      I'd say to limit this "lesson" to an Open Source project, not just any project. His points are good strategic choices, which are well reasoned, even if some of them are incomplete or not fully explained in the length of the talk. He makes caveats throughout the presentation to exclude traditional choices found in commercial enterprise level development due to the he

    • IIRC (even though its not really comparable), LinuxMint moved to the 6 month scheme too and has gotten alot better from it.

  • by Anonymous Coward

    While OpenBSD does have an outstanding security record, with good design & separation of privileges, they aren't perfect.

    As they say on their website, "Only two remote holes in the default install, in a heck of a long time!" [openbsd.org]

    • by nethenson (1093205) on Thursday July 16, 2009 @07:51PM (#28724659) Journal
      They should try to do it in the Microsoft way.

      MS-DOS: zero remote holes in the default install.

    • 2 vs ? This is just the count of kernel vulnerabilities right? obviously this varies by distro but what sort of record do debian/redhat have?

      • Re: (Score:2, Informative)

        by Anonymous Coward

        This is not just the kernel, it's all remote holes in the default installation. Meaning there have only ever been two (known) vulnerabilities whereby a vanilla install of OpenBSD can be compromised. With the exception of those two holes, any version of OpenBSD is still totally secure today.

  • Its not... (Score:3, Funny)

    by Darkness404 (1287218) on Thursday July 16, 2009 @07:47PM (#28724613)
    Its not a success until Netcraft confirms it.
  • by jsewell (86485) on Thursday July 16, 2009 @07:54PM (#28724679)

    Is it possible to slashdot youtube? I tried to watch but the video had these annoying pauses...

  • It works? (Score:5, Interesting)

    by girlintraining (1395911) on Thursday July 16, 2009 @08:09PM (#28724785)

    Let's compare --

    Linux (1991--present): The code base has never forked. The release process has remained largely in the hands of Alan Cox and Linus Torvalds throughout its history, and except for some cosmetic differences, patch submission and integration has been handled the same way. Most people consider the two head developers and various major contributors to be, on the whole, pretty nice guys, though the snafu with loading binary blobs, and the driver architecture supporting 'non-free' elements in kernel-space was notable for the high level of frustration on all sides.

    OpenBSD (1994--present): Forked from NetBSD (1993--present), who forked from 386BSD (1992--1994), that originally derived its codebase from BSD4 (1977--1995). The history of BSD is a blood-bath of politics leading to forks; Most of the developers of the *BSDs are variously referred to as "difficult, abrasive, etc.," although Theo, to his credit, has had a major change in reputation over the past several years.

    Historically, the BSD variants have enjoyed a smaller uptake in the market and casual open source contributors find it difficult to get involved because of cultural/political differences. They also tend to fragment, as noted by the number of variants, which further weakens their position. Linux, on the other hand, likely enjoys a much broader userbase and more contributions due to its more relaxed community standards and the general approachability of its core team. I would say the "release process works", but by feature count, contributions, and hardware support, the process is full of fail. Does that mean it's a failed project? No--I'm just saying that the differing priorities and political/cultural values held by the core developers has had an overwhelming impact. Businesses might appreciate the consistency of the release schedule and the relatively bug-free nature of those releases, but looking at market share it's pretty clear those are not the priorities for most businesses.

    • Re:It works? (Score:4, Interesting)

      by Anonymous Coward on Thursday July 16, 2009 @08:18PM (#28724837)

      Alan Cox hasn't really been an important figure in Linux for like 10 years.

      Sometimes I think most of the people on this site got laid off after the dotcom boom and are just mindlessly repeating a view of the IT world circa 2001.

      • Re:It works? (Score:4, Informative)

        by diegocgteleline.es (653730) on Friday July 17, 2009 @09:27AM (#28728725)

        Alan Cox hasn't really been an important figure in Linux for like 10 years.

        10 years? I disagree, it hasn't been that long, it'd say 5 or 6 years, since 2.5 started and akpm became the Linus' right hand. And while he has not been as active as he used to be, he still contributes quite frequently (50 changes in 2.6.30, 1032 in the last 10 versions), and he is quite active in the mailing lists. And the kind of work he does is not exactly easy, in the last year he has been fixing the tty locking, a long overdue task that not many hackers (if any) dared to do. He has also been a quite active libata/ide contributor (including new drivers), maintains the 8250 serial driver and edac related things, an sends patches that touch many other places of the tree. He has not the reponsibility he used to have, but i wouldn't say he is not an important figure

    • Re:It works? (Score:5, Insightful)

      by Piranhaa (672441) on Thursday July 16, 2009 @08:29PM (#28724929)

      They have different philosophies. I really don't know where you're going with that post because isn't very accurate. You can't compare the "Linux Kernel" with OpenBSD's whole. A kernel is pretty much useless without a "userland." OpenBSD, FreeBSD, NetBSD are all operating systems. Linux, sorry to say, is not.

      If you want to compare BSD versions to Linux versions, then you'd have to compare with (in no particular order):
      -Gentoo
      -Debian - Ubuntu - Xubuntu - Xandros - (how many more are there?)
      -Slackware
      -RedHat
      -Ubuntu .... because I can't even keep track

      So, you have a million confusion projects going on based on the code all, called "Linux". How many versions of "OpenBSD" are there out there? Umm, ONE. Sure, someone could go and make their own userland and such, but it cannot be called OpenBSD. So, before you go on a rant about how many times BSD has been forked, please get your facts straight.

      Thanks,

      • Re:It works? (Score:4, Insightful)

        by girlintraining (1395911) on Thursday July 16, 2009 @08:51PM (#28725071)

        They have different philosophies. I really don't know where you're going with that post because isn't very accurate.

        You just said it: They have different philosophies. I'm answering the question of why, and what's come out of those approaches historically.

        OpenBSD, FreeBSD, NetBSD are all operating systems. Linux, sorry to say, is not.

        I think you're confusing the terms "operating system" and "distribution".

        So, you have a million confusion projects going on based on the code all, called "Linux".

        No, I believe they call themselves things like "Redhat" or "Gentoo", etc.

        So, before you go on a rant about how many times BSD has been forked, please get your facts straight.

        Sir, a full exploration of all of the facts and an exhaustive comparison between all the Unix variants has been the subject of many books, panel discussions, conventions, and academic discourses, and has yet to be fully explored. I think that a high-level overview is both more productive, and better suited, for a humble posting on an electronic forum.

        • Re: (Score:3, Insightful)

          by perlchild (582235)

          He's not confusing operating system and distribution. The D in BSD is for "Distribution", they practically invented the term.

          It's a new idea, though, to have a distribution that wasn't responsible for the kernel. And several terms, like platform, and operating system, were inveted to differentiate from distribution as a result. IMHO, companies(corporate clients) do not confuse platform, operating system, or distribution, they can only evaluate(assign a value to) a distribution, a set of software tested t

        • Re: (Score:3, Insightful)

          by klui (457783)

          Boot the Linux kernel and nothing else. What can you do with it? Not very much, therefore, just the kernel is not an operating system.

          Your original post states that the Linux code base has never been forked you imply that OpenBSD has. I don't think OpenBSD has been forked after its creation. Who really cares what the code's history was before it became OpenBSD? This article is about OpenBSD release engineering. If it were about BSD release engineering, you would have a point.

      • A kernel is pretty much useless without a "userland." OpenBSD, FreeBSD, NetBSD are all operating systems. Linux, sorry to say, is not.

        Stop trying to redefine the term "Operating System". The rest of what you said might have merit, but once you tried to force your (wrong) interpretation of "Operating System" onto others I lost interest. Please explain to me and others how Linux is not an operating system.

        So, before you go on a rant about how many times BSD has been forked, please get your facts straight.

        How about you following your own advice?

        • by iggymanz (596061)
          a kernel, (in the past also called a "nucleus: or "core"), is the central part of the operating system that manages resources and allows other programs to use those resources. In operating systems, say OS for the IBM mainframe or VMS for VAX, not only is there included that core but also utility programs for systems administration tasks. So Linux by itself is just a nucleus or kernel or core, while FreeBSD, DragonFly, NetBSD, and Mac OSX include not only a core but utilties to form a complete OS easy fo
      • Re: (Score:3, Insightful)

        by rbanffy (584143)

        They are all GNU/Linux. You can't compare BSD to the Linux kernel, but you can compare it to the Linux kernel plus the GNU userland.

        The fact there are different distros that share slightly off-sync versions of a common base continuously forking and merging back makes for a more interesting history than the, as the GP aptly described, BSD fork bloodbath.

        BSD is for those who want to write free software, while GPL is for those who write free software and want it to be free forever. They may be called ideologue

    • Re:It works? (Score:5, Insightful)

      by harmonise (1484057) on Thursday July 16, 2009 @08:46PM (#28725025)

      Your post is off-topic from the video and the Slashdot article. This isn't a comparison about how Linux compares versus OpenBSD. The video, if you watch it, is about how the OpenBSD team manages their releases, meets their agreed upon release dates, and makes sure that each release is a quality product.

      The points he discusses in his video revolve around conducting adequate testing of the product and having the developers use the to-be-released system rather than throwing something out as a release and moving on. His points about managing the release process are just as valid if they were applied to manufacturing and releasing cars, paper products, or skateboards as they are to operating systems.

      • The video, if you watch it, is about how the OpenBSD team manages their releases, meets their agreed upon release dates, and makes sure that each release is a quality product.

        Yes, and I'm noting that various cultural and political influences that come from the core developers have a substantial impact on all of the above, and then comparing those influences in similar projects (ie, Linux).

        His points about managing the release process are just as valid if they were applied to manufacturing and releasing cars, paper products, or skateboards as they are to operating systems.

        And I don't think anyone's going to argue there's a different corporate culture at Ford than Toyota and it translates directly to the products those respective brands produce.

    • Re:It works? (Score:5, Informative)

      by Troy (3118) on Thursday July 16, 2009 @08:49PM (#28725057)

      This is somewhat of an apples/oranges comparison. Linux proper is principally the kernel, while the development teams for most *BSD variants manage both the BSD kernel and the userland. While it may be the case (and I don't know for sure honestly) that there are no viable forks of the Linux kernel, that really doesn't provide a fair basis for comparison.

      I would suggest that a BSD variant (OpenBSD, FreeBSD, etc) is much more analogous to a Linux distribution than just the Linux kernel. When you frame it that way, I think it is safe to say that there is much more fragmentation in the Linux world than the BSD world.

    • Re:It works? (Score:5, Insightful)

      by Just Some Guy (3352) <kirk+slashdot@strauser.com> on Thursday July 16, 2009 @08:53PM (#28725087) Homepage Journal

      Most of the developers of the *BSDs are variously referred to as "difficult, abrasive, etc.," although Theo, to his credit, has had a major change in reputation over the past several years.

      I've never heard that referring to anyone in the BSDs but Theo himself. When was the last time you heard complaints about NetBSD or the FreeBSD core team?

      They also tend to fragment, as noted by the number of variants, which further weakens their position. Linux, on the other hand [...]

      ...is even more fragmented. How many Debian derivatives are there? RedHat? What about Gentoo, LFS, etc.? There's probably more similarity (and shared code) between FreeBSD and OpenBSD than between Ubuntu and Slackware.

      Cut the BSDs some love. They deserve it, and there's plenty to go around.

      • Re: (Score:3, Informative)

        I've never heard that referring to anyone in the BSDs but Theo himself. When was the last time you heard complaints about NetBSD or the FreeBSD core team?

        Matt Dillon, before the FreeBSD -> DragonflyBSD split. I liked him, there were plenty of people who felt otherwise though. I don't pay attention to NetBSD.

    • Re:It works? (Score:5, Informative)

      by Anonymous Coward on Thursday July 16, 2009 @09:00PM (#28725131)

      The original BSD code base was maintained by UC Berkeley and a bare bones system that was used as the basis for many industrial operating systems (e.g. SunOS). It was never meant to be a full fledged operating system for all usages, so different groups forked in order to target special niches. Similarly System-V would be considered forked (e.g. Solaris). Generally one considers both a base design, as neither were mature enough or managed in way to solve all of the purposes that were spawned.

      386BSD was a port of 4.3BSD to x86 and when development ceased then NetBSD and FreeBSD were created simultaniously to continue development.

      It was only the NetBSD/OpenBSD clash that was a political/cultural difference. All others were natural progressions given the maturity of the industry, communication technology, and specializations required. The primary reasons that Linux became successful was (a) the BSD lawsuit, (b) IBM. The SVLUG was one of the earliest user groups and its archives site members stating that they switched communities due to concerns at the time. Still, both were equally popular until IBM became involved in the late 90s promoting it with their illegal spray painting all over San Francisco. As IBM was a hardware company, the GPL was more attractive than the BSD license due to restricting competitors (Sun) from leveraging IBM's contributions. Before IBM's commitment and promotion of Linux, which was followed by other big vendors like SGI for similar reasons, FreeBSD was arguably more popular (e.g. it was adopted by EBay, Yahoo!, and other startups).

    • by MeNeXT (200840)

      Marketshare? What does market share have to do with this? OpenBSD is for security. Secure out of the box. Joe six pak has no need for security. So OpenBSD is not for them. FreeBSD has stability, standardization and has been consistent since almost it's inception. If you like BSD and need it to run on obscure hardware then NetBSD is for you. If you wish a stable desktop Linux or one of it's flavors. Linux is also a good server. Mac OS X is great if you want user friendly and can be customized if need be. Win

    • Re:It works? (Score:5, Insightful)

      by man_of_mr_e (217855) on Thursday July 16, 2009 @09:30PM (#28725333)

      I disagree. The "forks" from original BSD weren't really forks. They were Berkeley giving up on it and letting others take over.

      Most of the various BSD's are "forks" because they have different purposes. OpenBSD is security oriented, NetBSD is intended to run on vritually everything that has a CPU, FreeBSD was intended for more mainstram use.

      The only real "schism" I can think of is when Matt Dillon broke off and formed DragonFly BSD. Everything else was pretty much some guys saying "I'm gonna go off and do this instead".

      There may not be any real Linux "forks", but that's because Linus has tried very hard to make Linux "one size fits all", and that has resulted in its own set of problems (see the various scheduler wars, for instance.. they were bloody). There are also any number of "branches" in which different patches are applied to the mainline kernel for different purposes.

      • by Nimey (114278)

        Another schism was when de Raadt was booted from the NetBSD team and formed OpenBSD back in the mid '90s.

        • Re: (Score:2, Interesting)

          by grub (11606)

          Another schism was when de Raadt was booted from the NetBSD team and formed OpenBSD back in the mid '90s.

          In hindsight, that was probably one of the best things to have ever happened in Free-OS-Land. I sure am happy it did.

          .
      • Re:It works? (Score:4, Informative)

        by girlintraining (1395911) on Thursday July 16, 2009 @11:13PM (#28725751)

        I disagree. The "forks" from original BSD weren't really forks. They were Berkeley giving up on it and letting others take over.

        Berkeley "gave up" exactly once, in 1995. And it wasn't because they made room for others, but because of USL v. BSDi, a lawsuit that probably created the conditions for Linux to rise to power in the first place. Linus himself once said that had there been no legal ambiguity regarding the BSD code base, he probably wouldn't have started a completely new project from scratch.

        Second, since you may be unaware of what a "fork" means, it's simply a point where developers take the existing code and then begin independent development on it. With the exception of Minix and Linux, every UNIX-like operating system has its code base derived from the original Unics in some fashion. Every UNIX variant EXCEPT Minux and Linux has forks that trace back to that.

      • I disagree. The "forks" from original BSD weren't really forks. They were Berkeley giving up on it and letting others take over.

        Most of the various BSD's are "forks" because they have different purposes. OpenBSD is security oriented, NetBSD is intended to run on vritually everything that has a CPU, FreeBSD was intended for more mainstram use.

        First of all they weren't forks directly from Berkeley, they all forked from a dead OS called 386BSD that had a lot of development problems.

        Second, everything I've read on the topic indicates this was very much personality-driven and related to 386BSD politics. The "reasoning" behind each BSD was something that was developed later.

        In an ideal world, I suppose, 386BSD would have been managed better and there would be no forks.

        • faux inefficiency (Score:5, Insightful)

          by epine (68316) on Friday July 17, 2009 @01:45AM (#28726449)

          In an ideal world, I suppose, 386BSD would have been managed better and there would be no forks.

          In your "ideal world" I suspect we would all be rather less well off.

          I've never understood the appeal of one-size-fits all. Why is it the premise of so many off-the-cuff comments in every venue of discussion?

          So far as I can see, it accomplishes two things: makes it easy to criticize others for not getting along, and relieves the commentator of having to learn or understand systems theory, which is subtle and difficult. If only the whales had not split off from the carnivorous ungulates, evolution, in the ideal world, would have accomplished so much more. Put into a real context, the idea barely parses.

          Within the prokaryote kingdom, there is a great deal of horizontal gene transfer. Within the BSD clade, there is a great deal of horizontal transfer (of ideas and code) whenever the need arises.

          horizontal gene transfer [wikipedia.org]

          The most profound fork is probably the GPL from the long-standing conventions of public domain, which the BSD license more nearly mimics.

          I don't see much difference between the scope of source code and the scope of human interpersonal relationships. In an ideal world, we would all be better off if either A) all information was private, or B) all information was public. Turns out, some people have information they don't wish to share (for a list of reasons which includes every human motivation) so the GPL lacks universal appeal. Turns out, some people have information which they don't wish other people not to share, so neither does the BSD license have universal appeal.

          Having the two license camps puts a crimp on horizontal transfer, but it hasn't caused the world to stop turning. Is it fundamentally a bad thing to implement an idea twice, beginning from two different sets of premises? Only if your goal is world domination. For maximizing insight, diversity rocks.

          I could continue, but I'm sure the choir has already figured this out, and the sinners are set in their ways.

          At the end of the day, fork has become a term of social derision founded upon a monolithic Garden of Eden which never existed, and wouldn't have been a paradise even if it had.

          If the only reason to fork is that two parties can't get along (X, libc are possibilities, but I don't know enough of the story) then forking is a mite unseemly, much like a failed marriage. Do open source communities fork more often than any other walk of life? I suspect not. And no, I'm not counting whiner attrition, where one or two guys copy a code base into their own tree, make a dozen patches, and are never heard from again. Does IBM fork every time a deadbeat is fired or quits?

          Many of these projects have accomplished things through volunteer collaboration that twenty years ago few would have believed possible, yet they are mostly criticized in retrospect for the occasional loud public spat prior to a parting of ways, by people who are deeply in touch with their inner primate.

          Those of us in the results oriented camp are less inclined to praise the false nirvana of pretending to agree when you really don't.

          For an interesting comparison, consider the disputes over the years within NASA over the "smaller, faster, cheaper" engineering meme.

          Small Is Beautiful, But Big Is Necessary [nasa.gov]

          I suspect smaller, faster, cheaper might work, but it won't ever be NASA who consistently pulls this off. NASA is what you get when an agency never forks. Ideal leaves a lot to be desired.

    • by dbIII (701233)
      A couple of points. First not everyone regards the binary blobs as a truly horrible situation - we are talking about linux here and not hurd. Linux is not a gnu project and most of those frustrated "on all sides" were from the outside looking in without contributing a single line and were even at times working at cross purposes (eg. RMS demanding that gcc stop working on linux only optimisations becuase that wouldn't nelp hurd).
      In the second case I think you are trying to compare success vs exceptional s
  • ...at least, in that Matz releases a new version at Christmas each year. For example, here's his Christmas post from Dec 2004 for Ruby 1.8.2 [nagaokaut.ac.jp]. Way back when!

  • The reasons, mechanics and social workings of our process have never been detailed outside the project, but now will be, hopefully providing some insight to others who face delays and quality issues with their own product lines.

    He's clearly talking about Microsoft here, but why would he want to help them?

  • both with SSH. That's still damned impressive.

  • by timmarhy (659436) on Thursday July 16, 2009 @09:08PM (#28725185)
    the poster is making the assertion that it works, a lot of people would say their release cycle is a terrible burden on the project.

    1. code freeze happens every six months meaning you don't get to finish off features and fixes which might have been of huge benefit. it would make much more sense to base your release cycle around features and improvements, then some arbitary number of days.

    2. openBSD EOL's it's releases so quickly, that only in the very rare instance that a business is willing to pay through the nose for inhouse support will you be able to see your system patched.

    3. 6 months is way WAY too short of a time for a whole new release. 12 months (if you have to go with the retarded time based release) would be much less of a drain on resources as there is a certain amount of work that must go into a release wether it's got useful upgrades or not.

    i've used openbsd in production environment, and it doesn't cut it in hardware support or speed. it's firewall was nice, but i've got that in freebsd now which is a far better OS.

    • by Tom (822) on Friday July 17, 2009 @06:37AM (#28727553) Homepage Journal

      I call bullshit on all of that, and I do have a couple OpenBSD systems installed in a commercial setting.

      1.) if you wait for the coders to finish up the "cool", uh, sorry "desperately needed" features, you could just as well put the release date on Independence Day, 2025. Having a fixed date forces the coders to concentrate on the essential, instead of the "cool" stuff.

      2.) yes, you need to upgrade rapidly. However, your point is misleading. Upgrading OpenBSD has, in all the many upgrades I have made, been no more problematic than, say, running "apt-get update && apt-get upgrade" on Debian.

      3.) it's not a "whole new release". It's minor version numbers every six months. And six months can be a damn short time in the security world.

      i've used openbsd in production environment, and it doesn't cut it in hardware support or speed.

      So you're lamenting why, exactly? If the release cycle isn't even your main problem?

  • by Mana Mana (16072)

    but this is just plain wrong!

    `` exactly on the date promised''

    Lies! OBSD releases are regularly released a month early.

    And, the canard that de Raadt is an asshole is plain wrong. To those who follow OBSD for anything other than a short period of time will know what his, the team's refrain is: We make this OS for us, not for you! Your benefit is an unintended consequence. We don't want to be the most popular, we make this OS for us, not for you! You want Linux. We don't talk, we code. We don't suggest bs fea

  • by metrix007 (200091) on Thursday July 16, 2009 @10:51PM (#28725633)

    A secure system is more than just not having vulnerabilities.

    Secure systems, for a start, should have the ability to control and restricts information to a fine grained level. Unfortunately, Theo is stubborn that things like MAC and RBAC should not be included, as they are not necessary. Which is remarkably short-sighted. DAC has many problems, any any truly secure system should have an alternative. As much as I like OpenBSD for what it is, and as much as I respect the development team, a focus on quality is not the same as a focus on security. Secure by default is a good approach, but is somewhat meaningless, as you are limited in what you can do with it. A true metric would be to look at the vulnerabilities of software in the ports tree, of which there is still a lot.

    At the moment, SELinux or RSBAC are far more secure systems, despite those platforms having more vulnerabilities. If you gain a root shell through Apache for example, you will not be able to do a damn thing. On OpenBSD, as there is no defence in depth, the system is yours. Even NetBSD and FreeBSD seem to have more of a focus on actual security, with efforts like SEBSD, executable signatures, PAX/NX support etc.

    OpenBSD is quality, top not software. It is not however, a secure system.

    • by synthesizerpatel (1210598) on Friday July 17, 2009 @03:31AM (#28726811)

      SELinux and RSBAC don't necessarily provide any additional security. They certainly seem to suggest it, but the software you trust is just software like everything else.

      But, I think the primary 'hmm' here is that you suggest that there aren't more granular levels in BSD. Of course there are.

      * chroot
      * privilege separation (root from an apache server? sounds like a linux box to me..)
      * sysctls for kernel and other behavior (security level, immutables)
      * built-in stack protection (isn't that half of why you'd need SELinux anyway??
      * encrypted swap/fs
      * randomized malloc()

      There's a variety of standard, well documented features that anyone can use. Each element on it's own has it's own vulnerabilities, used in concert correctly they are very effective and predictable. Unlike SELinux for instance that will randomly just not let something happen emitting a cryptic error message. And, while we're at it.. why do you trust SELinux? Audited it's code?

      Given the overall security track record of the Linux distros (Debian SSH RNG anyone?) -- I trust OpenBSD a tiny bit more.

  • by guacamole (24270) on Friday July 17, 2009 @12:11AM (#28726029)

    I could be wrong, but I think the primary reason they release so fast is because the OpenBSD team does not attempt to bundle all of existing open source software with their OS like say Debian is trying to do. In *BSD distros, there is the core OS that includes essentially only the operating system and some utilities, and then there is the ports collection. I believe a serious bug in some port package will not halt the release process of a BSD distribution, at least for non-essential ports.

  • by fialar (1545) on Friday July 17, 2009 @06:29AM (#28727519)

    As someone who had used Linux quite extensively for the past 11 years, I recently started rolling out OpenBSD servers at my job. Two OpenBSD firewalls power our production network (using CARP/pfsync) and they do it flawlessly.

    In our office, an OpenBSD firewall connected to two DSL modems is able to load balance traffic out, and do proper asymmetric routing. All this thanks to the developers who make a lot of great, innovative code for pf, CARP, pfsync, etc..

    I couldn't do any of this properly with Linux, especially not the asymmetric routing.

    I've worked on OpenBSD ports to make them better. I've found the developers friendly and helpful. The code is quite solid.

Mirrors should reflect a little before throwing back images. -- Jean Cocteau

Working...