Forgot your password?
typodupeerror
Operating Systems BSD

Bug Busters! OpenBSD 5.1 Released 135

Posted by Soulskill
from the something-free-in-your-neighborhood dept.
An anonymous reader writes "Today the 5.1 release of OpenBSD has surfaced. As usual, it includes improved hardware support, but also OpenSSH 6.0 and over 7000 ports, with major performance and stability improvements in the package build process (and some really cool stickers). Here's the changelog, the download page, and the CD-ordering page. "
This discussion has been archived. No new comments can be posted.

Bug Busters! OpenBSD 5.1 Released

Comments Filter:
  • by Anonymous Coward

    Will one of those 7000 ports run on my dishwasher?

  • by future assassin (639396) on Tuesday May 01, 2012 @07:50PM (#39863211) Homepage

    Netcaft is dead....

  • YAY! (Score:1, Flamebait)

    by nurb432 (527695)

    I think..

    Honestly is OBSD relevant any more in the grand scheme of things, mainly due to its 'director' and its limited scope?

    • Re: (Score:1, Flamebait)

      Honestly is OBSD relevant any more

      No.

    • Re: (Score:2, Insightful)

      by Anonymous Coward

      OpenBSD is relevant to those of us to whom it's relevant. There is no "grand scheme". It's a secure, well-maintained, and well-documented OS. Oh, and it's free, in every sense of the word.

      • by nurb432 (527695)

        you misunderstood the use of the term 'grand scheme'. It was not that OBSD had one, but the rest of the world has one, and wasn't sure if OBSD fits in there anymore.

        It was relevant in the beginning but now, it doesn't seem like it so much.

        • by Anonymous Coward

          Can you name another OS that's as secure as OpenBSD is? They did finally after a decade find a security hole in the base install. But, how many other OSes can claim that, even if you just limit it to more than a year?

          It's still very much relevant to anybody that really cares about security. Other systems can be hardened, but they don't have a similar track record.

          • Re:YAY! (Score:5, Informative)

            by mirix (1649853) on Tuesday May 01, 2012 @09:01PM (#39863765)

            This is true, but the base install is pretty limited, so it's hard to compare, really.

            (I think it's been three holes since the dawn of OpenBSD, by the way).

            That said I still use it on some of my outward-facing stuff. PF is great. The pre-chrooted httpd is nice. Some other parts, not so much, though... can't think of a good example right now, but once in a while I run into things that amaze me with backwards-ness compared to my linux boxes.

            Oh, and the documentation is a work of art compared to linux. That's a really nice feature.

            • Re: (Score:3, Informative)

              by Anonymous Coward

              Yeah, totally agree that OpenBSD is relevant today. I would even say OpenBSD is becoming more relevant today than it has been in the past, as we will receive more backdoors in open source projects that rely on binary distribution methods. I really hope OpenBSD sticks around, since it is the only truly stable open source distribution. I have used it since 2.6 and have always enjoyed the no-bullshit approach to having reliability and security together. The OpenBSD doesn't make the poor decisions that are

            • Re:YAY! (Score:5, Insightful)

              by Just Some Guy (3352) <kirk+slashdot@strauser.com> on Tuesday May 01, 2012 @11:11PM (#39864475) Homepage Journal

              This is true, but the base install is pretty limited, so it's hard to compare, really.

              That's not a bug: it's a feature. I know you already know that, but I mention it for the benefit of people not already familiar with OpenBSD. OpenBSD installs almost nothing by default, to the point that many systems don't even have man pages or a compiler. Fewer things installed = few things to break = fewer attack vectors = fewer things to maintain.

              That also means that it's trivially easy to deploy a task-specific server that runs almost nothing not directly related to performing that task. For example, here are all the processes running after booting a particular mail gateway:

              $ ps ax
              PID TT STAT TIME COMMAND
              1 ?? Ss 0:00.01 /sbin/init
              21888 ?? Is 0:00.00 syslogd: [priv] (syslogd)
              11594 ?? I 0:00.01 /usr/sbin/syslogd -a /var/www/dev/log -a /var/empty/dev/log
              18652 ?? Is 0:00.00 pflogd: [priv] (pflogd)
              16925 ?? S 0:00.01 pflogd: [running] -s 160 -i pflog0 -f /var/log/pflog (pflogd)
              4551 ?? Is 0:00.00 ntpd: [priv] (ntpd)
              12960 ?? S 0:00.01 ntpd: ntp engine (ntpd)
              15118 ?? I 0:00.00 ntpd: dns engine (ntpd)
              8253 ?? Is 0:00.00 /usr/sbin/sshd
              32235 ?? Ss 0:00.01 sendmail: accepting connections (sendmail)
              1749 ?? Ss 0:00.00 /usr/sbin/cron
              23675 ?? Is 0:00.05 sshd: kirk [priv] (sshd)
              25682 ?? S 0:00.04 sshd: kirk@ttyp0 (sshd)
              17102 p0 Ss 0:00.19 -zsh (zsh)
              17713 p0 R+ 0:00.00 ps -ax
              8581 C0 Is+ 0:00.00 /usr/libexec/getty std.9600 ttyC0
              4910 C1 Is+ 0:00.00 /usr/libexec/getty std.9600 ttyC1
              25709 C2 Is+ 0:00.00 /usr/libexec/getty std.9600 ttyC2
              12308 C3 Is+ 0:00.00 /usr/libexec/getty std.9600 ttyC3
              19809 C5 Is+ 0:00.00 /usr/libexec/getty std.9600 ttyC5

              So we have init (boots the system; makes sure things are running that are supposed to be); the system event logger; the firewall event logger; an NTP daemon to keep the time set correctly; the SSH daemon I used to connect into it; Sendmail (the OpenBSD-hardened version); the scheduled task manager; my shell process; and the program that listens for console logins. There's just not a lot you can strip away from that.

              Here's the list of open sockets that an external user can connect to:

              tcp 0 0 127.0.0.1.587 star.star LISTEN
              tcp 0 0 127.0.0.1.25 star.star LISTEN
              tcp 0 0 *.22 star.star LISTEN

              So SMTP (25 and 587) and SSH are listening. Again, that's as minimal as you can feasibly get. Well, I suppose you could axe everything firewall related, since the only open ports are to services that are deliberately exposed to the Internet already, but security comes in layers.

              It's obviously possible to build secure systems with other OSes, but OpenBSD goes a long way toward making it easy. "Secure by default" is a wonderful starting point!

              Oh, and pf has the most beautiful firewall rule syntax of any system I've ever used.

              • Re:YAY! (Score:5, Insightful)

                by TheRaven64 (641858) on Wednesday May 02, 2012 @03:58AM (#39865589) Journal

                OpenBSD installs almost nothing by default, to the point that many systems don't even have man pages or a compiler.

                The standard install includes everything required by the Single UNIX Specification, including man pages and a compiler. You can choose not to install them, but that typically only happens on small embedded systems with 16-64MB of Flash.

                Fewer things installed = few things to break = fewer attack vectors = fewer things to maintain

                It also means you don't get the situation like Ubuntu where every time I turn on the system I have running Ubuntu it wants to install 200+MB of updates for stuff I never use and don't want installed.

            • by Anonymous Coward on Wednesday May 02, 2012 @02:46AM (#39865369)

              ...the base install is pretty limited...

              The base install is painstakingly audited. They look for all bugs, even ones that have no apparent means of exploitation. This has often resulted in OpenBSD being unaffected by holes discovered in other systems. The same degree of assurance cannot be extended to thousands of ports, however, so a line is drawn around the base install.

              That being said, I've heard that Theo expects that one should be able to 'cd /usr/ports' and 'make install' - to build and install every port in the tree - without error. What other OS has the balls to pull that off?

          • by Clarious (1177725)

            The base install is limited, they did a great job auditing the code. But the moment you install something from the port, if that software contains bug, then OpenBSD is no more secure than Linux running that software. Or even worse, as OpenBSD refuses to have some kind of MAC implemented, Linux has SELinux/AppArmor/Tomoyo while FreeBSD has TrustedBSD. While those aren't silver bullet to every problem, they help in limiting the damage caused when your potential unsecure software gets compromised.

        • Re:YAY! (Score:5, Interesting)

          by pipatron (966506) <pipatron@gmail.com> on Tuesday May 01, 2012 @08:50PM (#39863695) Homepage
          What has changed since the beginning that made OpenBSD less relevant?
        • by tck42 (227122)
          As a network appliance type device at least I'd say it's still very relevant. I still prefer configuring / maintaining pf over iptables (or any other competitor I've tried) for any non-trivial ruleset, the documentation is IMO much better than most of the other stuff out there, it's relatively secure and relatively stable, and the performance and compatibility with older hardware has been great (in my experience). I use it for my gateway device and have never had any problems. I briefly used Linux for the s
          • Re: (Score:3, Interesting)

            by Just Some Guy (3352)

            I replaced our Sonicwall with OpenBSD+PF nearly 8 years ago. The only user-visible difference is that we stopped having unplanned network outages.

            • by 1s44c (552956)

              I replaced our Sonicwall with OpenBSD+PF nearly 8 years ago. The only user-visible difference is that we stopped having unplanned network outages.

              s/sonicwall/pfsense/ and I did the same. It worked great.

              I don't get why anyone wants stuff like pfsense. If people can't understand pf's easy syntax they can't really understand the network traffic it's manipulating.

        • Sure, I realize that some people would rather have OpenBSD running on bare metal, without having untrustworthy layers underneath, but since in the grand scheme of things we're running just about everything on top of VMware these days (except stuff that needs hardware acceleration), how well does OpenBSD work on top of VMware? Is installing it straightforward, or does the disk partitioning get weird? Can I just hand VMware the ISO and tell it to install itself? Will the vmware tools install cleanly? I'm

          • It should work. Do remember that it's not paravirtualized. While not VMWare, I've run it in VirtualBox sessions. If VirtualBox can do it, so should VMWare.

            Partitioning scheme: Not more complicated than on the bare metal.

            ISO: You can do that, but you'll have to create the ISO yourself (which isn't hard - they might even provide downloadables these day... I wouldn't know, you'll see why), or you just buy the official CD (recommended version). Me? I don't bother with CD's anymore. Just use the PXE-boot (

            • by X0563511 (793323)

              Those VM tools allow the management system to do things like tell the guest operating system to reboot or shutdown cleanly, and provide an interface for the host to read back what the guest believes is free memory etc.

              While not mandatory, they can be damn useful.

              • by smash (1351)
                there's a port for freebsd at least, open-vm-tools - that does most of the vmware tool stuff with open-source code. should be available for openbsd too i would suspect?
                • by X0563511 (793323)

                  Last I had to play with it ('cause something moved and broke stuff in... i think 2.6.32?) there was a lot of kernel-specific stuff in those open-vm-tools. Porting that away from Linux would be quite a chore!

                  No idea if someone's done it. If so, kudos to them!

          • by ifrag (984323)

            OpenBSD work on top of VMware?

            In my experience (not very recently) it wouldn't run at all. I think it hung somewhere around disk probing, and I tried all the options that made sense to try to fix it. However for the same old version of VMware, and corresponding old OS versions, I had no issues with FreeBSD or NetBSD.

            So maybe OBSD will run virtualized, but if not _some_ version of BSD will probably work. I think the reality is the OBSD developers probably don't really give a damn if it does run virtualized. I've also run into problem

          • by 1s44c (552956)

            It works fine however if you run this stuff under vmware you are destroying the security advantage that OpenBSD gives you.

            I'm not running everything under vmware anyway. I have a few production servers under KVM but most of it is on bare metal.

          • by Nikademus (631739) *

            It works fine on vmware, but it seems some other virtualization software don't work as well. It puts much strain on the virtualization.
            You can install the full base OS in under 4 minutes like I did here https://www.youtube.com/watch?v=28ujY4vlz4c [youtube.com]

    • Re:YAY! (Score:5, Insightful)

      by 101percent (589072) on Tuesday May 01, 2012 @08:15PM (#39863433)
      Given that OpenSSH alone is the most used FOSS program, and there is virtually no corporate contributions, I think Theo just has lost patience for people who come on the lists and complain.
      • by identity0 (77976)

        >Theo just has lost patience for people

        fixed.

        • Re:YAY! (Score:5, Insightful)

          by serviscope_minor (664417) on Wednesday May 02, 2012 @04:37AM (#39865719) Journal

          Theo just has lost patience for people

          That's simply not true. Theo has lost patience with whiners who want someone else to do their thinking for him.

          I've got polite, helpful responses personally from Theo. I was trying to build a module (despite all the dire warnings how not to do this or ask questions and how unsupported it is) so I could hack on the drivers for a moderately exotic piece of hardware. I posted questions. He was one of the people with a response.

          It turns out that if you know that the mailing list doesn't suffer fools, you work that little bit harder to write a sensible mail.

          You double check everything and make sure you read the docs. This catches many of the bugs initially and then you don't need to post in the first place. If it doesn't fix the problem, it gives the mailing list inhabitants a good indication of what the problem is.

          To me it seems unbelievible rude to ask some of the world experts for a bit of their time to help without bothering to check the things that you need help on. I just don't understand how most other people don't also see this as rude.

          • by rvw (755107)

            It turns out that if you know that the mailing list doesn't suffer fools, you work that little bit harder to write a sensible mail.

            You double check everything and make sure you read the docs. This catches many of the bugs initially and then you don't need to post in the first place. If it doesn't fix the problem, it gives the mailing list inhabitants a good indication of what the problem is.

            To me it seems unbelievible rude to ask some of the world experts for a bit of their time to help without bothering to check the things that you need help on. I just don't understand how most other people don't also see this as rude.

            This is my experience as well. When I ask a question online, I always try as many solutions as I can think of before asking. And I mention those attempts as well, so people see that I'm serious and take the time for it. Doing this I have solved many problems myself before it came to an online post...

            • And I mention those attempts as well, so people see that I'm serious and take the time for it.

              That can't be over-emphasized: if you're stuck, tell what you've already tried. Not only does it save everyone else the time of suggesting something you've ruled out, but it demonstrates intent. It says, "I'm coming to you as a last resort after trying the self-help options, not as my first step because I don't value your time."

    • Re:YAY! (Score:4, Insightful)

      by gman003 (1693318) on Tuesday May 01, 2012 @08:39PM (#39863589)

      In the Grand Scheme of Things? No.

      But, for a grand enough definition of "grand scheme of things", your entire life is irrelevant. The history books will forget you, no matter how important, after enough millennia. And I'm pretty sure the rotation of the galaxy cares not one whit for the combined accomplishments (to date) of the entire human race.

      So, in the end, who cares for the grand scheme of things? As long as it's relevant to you, it's relevant enough.

      Personally, I have an OpenBSD box (normally my experimental-server-slash-tertiary-backup-desktop, currently my experimental-server-slash-secondary-backup-desktop, as my primary-desktop is currently my primary-doorstop). And I haven't updated it since... 4.6? 4.8? Can't be assed to ssh in and check. So 5.1 isn't important to me, but OpenBSD itself somewhat is.

    • by Anonymous Coward

      Makes a better router than linux or windows....

    • it's probably the most relevant OSS OS project out there. How many other projects have cultivated as much new software? Hell, most of the new shit in the Linux Kernel came from OpenBSD....
      • by Nutria (679911)

        most of the new shit in the Linux Kernel came from OpenBSD....

        That requires documentation.

    • by LurkerXXX (667952)

      Yeah, I mean what good do they do except for all that silly security stuff, like providing us with SSH and stuff.

    • Its limited scope is precisely why its relevant.

      Ferraris have a more limited scope than OpenBSD but nobody counts them out. OpenBSD is very good at what it does and very useful to those who use it.

  • ... unless you don't feel like putting X on a server, in which case building from ports is unsupported and sometimes obviously broken.

    • Re:Over 7000 ports (Score:4, Informative)

      by e9th (652576) <e9th.tupodex@com> on Tuesday May 01, 2012 @08:44PM (#39863635)
      There was a brief time, four or five years ago, when something (expat maybe?) was mistakenly placed in xbase, so you had to install the xbase set for a whole bunch of ports/packages. That situation didn't last. And even then, you didn't have to run X.
      • Depends. I was playing around wth rrdtool on OpenBSD 5.0 and there was a library it required in xbase. I just extracted it and put it where needed, but it sure was a pain.
  • by Anonymous Coward

    What if someone needs to use port 8000?

  • Bug busters [openbsd.org]!

  • You know, you can write a robust, rumbunstious, attention-grabbing headline without being a deceiptful troll-weasel (cough sanzem-something), like soulskill has done here.
  • Anyone got a human-readable changelog with highlights? The linked one is a dump of everything that's changed.

  • I use OpenBSD as one of the layers that protect me from the evils that lurk on the Internet. OpenBSD works quite well as my firewall and router and ntp time server and DHCP server and DNS server and....

    .

    An awesome periphery and utility server OS.

  • Why does no one ask about the relevance of the porn industry? OpenSSH was the biggest thing since Debbie does Dallas. Few have more than that to their credit.

    Bearded fellow: Let he who is without sin throw the the first stone.
    Crazed villager [inspecting charismatic sinner]: Theo, is that you?
    Crazed villager's wife: Who does this bearded guy think he is?

    Here's the thing about security. If you have to ask about relevance, you can't handle the truth.

  • I would like to see the number of contributions from OpenBSD that are currently in other applications and/or other operating systems as compared to other *nix....
  • by unixisc (2429386) on Wednesday May 02, 2012 @12:48AM (#39864979)

    I had a look at it, and found some things interesting.

    Under highlights, it mentions that it supports GNOME 3.2.1 (fallback mode), but for KDE, it supports 3.5.10. For GNOME, this is the first time I have seen any BSD support GNOME3 - in fact, there was some discussion in the past about how GNOME3 wouldn't run on BSDs due to systemd being a requirement. The other interesting aspect of this is that it goes for the latest, much publicly disparaged version of GNOME, but for KDE, which is much improved, it's @ 3.5. They could have either gone for KDE4.8, or if they didn't like that, they could have ditched KDE altogether and gone w/ Trinity.

    The other thing I noticed throughout the notes was improvements in support for IPv6, such as fragment handling, but what I haven't figured out is how mature is OpenBSD's IPv6 support compared to FreeBSD? FBSD is currently second to none when it comes to IPv6 support (I'm not sure how it compares to Windows 7, which has been innovative for IPv6 on its own, w/o relying on the BSD layer 3 stack as it did for IPv4), but I was curious about OBSD. If someone wanted to create an IPv6 firewall cum router w/ OBSD as the management OS, does the OS have whatever it needs for this purpose?

    On a separate note, I did find it interesting that they include software that's now GPL3 - such as Emacs, GCC, Libre Office, among others. In the case of the compiler, they didn't offer LLVM/Clang, and nor do they seem to prefer BSD software to others - for instance, Apache is the web server that they offer, and not Nginx. In short, I found their choices of default software pretty interesting, given all the recent discussions regarding GPL3 vs BSDL and so on.

    • Re: (Score:1, Informative)

      by Anonymous Coward

      Nothing you say makes sense. FreeBSD's IPv6 support is second to none only if you exclude OpenBSD.

      They still have Apache because OpenBSD is extremely conservative. They forked Apache 1.3 over a decade ago and notwithstanding Apache's rough edges, has been rock solid (many of the recent Apache 1.3.x security issues were fixed or mitigated in OpenBSD's fork long ago). Nginx is in trunk already but OpenBSD is reticent to switch over until they're convinced it's worth the risk.

      Likewise with Sendmail. They have

      • by mfwitten (1906728)

        I do not think the word 'reticent' means what you think it means.

      • How is OBSD's IPv6 support superior to FBSD, which is what your first statement above seems to suggest? I've checked their site - for instance, their Networking FAQ, [openbsd.org] and there is nothing there that suggests that OBSD has embraced IPv6 and supports it in a big way. There is no mention of any DHCP6 support, even though they have a major section on DHCP support, and in all the examples that they provide, they use only IPv4 examples, implying that equivalent IPv6 support either doesn't exist, or at best, is n

        • by HonIsCool (720634)

          I have run OpenBSD as my firewall since forever, and have since set up a tunnel to give my LAN IPv6 connectivity. There has been absolutely no problem with IPv6 at all in OpenBSD[*]. Every application I've messed with, from packet filter to tunneling to DHCP to nameserver supports it. Granted my usage is probably very limited still, but my impression is that IPv6 is supported pretty much everywhere that IPv4 is. I can't say how this compares with FreeBSD though, because my experience with it is restricted t

          • by unixisc (2429386)

            Tunnelling IPv6 over IPv4, if that's what you meant, doesn't imply IPv6 support, which was my basic question. Here, one would simply be encapsulating IPv6 packets in IPv4 and running them over the network. That's pretty much the status quo, and could be done anyway - an OS doesn't need to have any IPv6 support to enable that.

            I was asking whether one could set up an IPv6 network using an OBSD gateway acting as a router and firewall. Imagine that the external network (think Comcast or HE) was IPv6 as wel

            • by HonIsCool (720634)
              What I meant was that I set up an IPv6 over IPv4 tunnel on my openbsd box which then acts as a IPv6 router for my LAN. IPv6 packets are routed to and subjected to the OpenBSD firewall just like IPv4 packets. I also have DHCPv6-server running to deal with computers on the LAN getting proper IPv6 addresses. In other words, my setup sounds pretty similar to what you are asking about. If my ISP offered native IPv6, that would actually simplify things as it would mean one less step as I wouldn't need the tunnel
              • by unixisc (2429386)
                Ok, thanks, that does make this clearer. Did the DHCP6 server come as a part of the package - reading the OBSD website, there is nothing there to suggest that it is included. Or did you get it separately from elsewhere?
          • by Bengie (1121981)
            I wonder how OBSD would compare to FBSD for firewall throughput using 10Gb interfaces and a 6 core Xeon.
            • by HonIsCool (720634)
              It appears the FreeBSD packet filter is actually a port of OpenBSD's PF. If nothing's changed, OpenBSD's PF is single-threaded, so if all the box is going to do is to filter packets, more cores won't improve things. I don't know if FreeBSD have threaded their port, or otherwise made performance improvements.
    • by spirat (2570111)

      The truth about KDE: http://www.mail-archive.com/misc@openbsd.org/msg88679.html [mail-archive.com]
      I also remember them coming to misc and inform the community and porters that KDE won't run on openbsd due to the use of a cool linux daemon to manage stuff.

      They don't include Emacs (instead mg is in base, rewritten from scratch with a funny easter egg inside) neither do they include Libre Office. It's just a Makefile and some patches that are distributed. Package are a convenience for the users, and available only if the license

      • The truth about KDE: http://www.mail-archive.com/misc@openbsd.org/msg88679.html [mail-archive.com] I also remember them coming to misc and inform the community and porters that KDE won't run on openbsd due to the use of a cool linux daemon to manage stuff.

        This was said to be true about GNOME3, where it was rumored that one linux daemon systemd was required - but OBSD seems to support GNOME3 in fallback mode. The fallback mode support for GNOME3 seems to be due to the requirement that in GNOME3, the GNOME shell requires 3D accelaration to work, as it requires graphics composition. That brings into focus the fact that most graphics cards don't include open source drivers, and while that's not a roadblock for FBSD, it does seem to be more of one for OBSD. O

    • by the_B0fh (208483)

      umm, there was a recent report that compared ipv6 stacks of a bunch of OSes, and OpenBSD (5.0) came out #1 in terms of compliance to standards. Stands to reason, since these guys sticklers for doing things right.

The clearest way into the Universe is through a forest wilderness. -- John Muir

Working...