Follow Slashdot blog updates by subscribing to our blog RSS feed


Forgot your password?
BSD Operating Systems

OpenBSD 3.2 Available 331

fredrikv writes "Right on time, the files defining OpenBSD 3.2 have moved away from "snapshots" to the 3.2 directory of the OpenBSD mirrors. It is well known as the world's most secure operating system and now sports chroot'd Apache, fewer suid binaries, cool pictures for xdm-logins, a brilliant "antispoof" packet filtering rule and as usual includes lots of small updates and fixes. The files are there. What are you waiting for?"
This discussion has been archived. No new comments can be posted.

OpenBSD 3.2 Available

Comments Filter:
  • FreeBSD (Score:2, Interesting)

    by drxenos ( 573895 )
    I've always been a fan of FreeBSD. How does OpenBSD compare?
    • Re:FreeBSD (Score:5, Informative)

      by c13v3rm0nk3y ( 189767 ) on Friday November 01, 2002 @01:06PM (#4578747) Homepage
      I've always been a fan of FreeBSD. How does OpenBSD compare?
      Try this link []. There are a bunch of FAQs, some of them directly compare *BSD, Linux &etc.
    • Re:FreeBSD (Score:4, Informative)

      by CoolVibe ( 11466 ) on Friday November 01, 2002 @01:08PM (#4578763) Journal
      Depends on what you want to do. FreeBSD is better suited as a workstation or a high-performance server. OpenBSD does great for bastion-hosts and firewalls.
    • Re:FreeBSD (Score:5, Informative)

      by Ryvar ( 122400 ) on Friday November 01, 2002 @01:13PM (#4578806) Homepage
      Short Answer:
      OpenBSD has less 'nice' functionality, slightly less performance tuning, and no SMP support.

      On the other hand it has an extremely well-audited source tree (by largely the same developers as OpenSSH), SoftUpdates, the new systrace work, an excellent brand new packetfilter that has yet to fail to impress from either a security or speed standpoint . . .

      OpenBSD isn't really so much the most secure OS in the world as it is in many situations the most secure OS on the x86. For most of us around here, that's probably close enough as makes no odds.

      The last release (in a bug that affected the prior release as well) had an OpenSSH issue in the default installation that became the first remote compromise for the default installation in nearly 5 years of the operating system. Admittedly, most things are turned off by default (although I wish a few more - portmap, inetd). Because of this and a few other errata, 3.2 has been looked forward to for a long time.

      To sum, you have a stripped-down no-nonsense OS with all of the unnecessary crap tossed out of the default installation and available as ports and packages to those that want it. The perfect OS for those who want a secure router, and/or single/few-function server. This isn't an appropriate choice if you need more than a commandline, really, and there's a fair amount of pride amongst the user community over that.
      • Re:FreeBSD (Score:2, Informative)

        by Anonymous Coward
        On the other hand it has an extremely well-audited source tree (by largely the same developers as OpenSSH), SoftUpdates,
        FreeBSD has softupdates too.

        Admittedly, most things are turned off by default (although I wish a few more - portmap, inetd)
        portmap is turned off by default in OpenBSD 3.2.

        The perfect OS for those who want a secure router, and/or single/few-function server.
        my OpenBSD workstation runs the same apps i need to work as my linux workstation does, and that is quite a few apps, yes i do real work.

        This isn't an appropriate choice if you need more than a commandline, really,
        X works fine in OpenBSD and i bet most users who use OpenBSD use X on OpenBSD desktops and commandline on *all* their Unix servers, regardless of flavour (why should a dedicated webserver/firewall/database need X running?).

      • OpenBSD use. (Score:2, Informative)

        by azimir ( 316998 )
        Warning: OpenBSD camp follower talking!

        It has been over two years (since 2.7, actually) since OpenBSD sucked me in with its simplicity, security and *good* documentation.

        In that time I have never started Xwindows on an OpenBSD machine. There is no need.

        OpenBSD has been a solid firewall, router, bridge, MX, DNS server, NIS, NFS, Web, SSH/SCP/SFTP machine with nary a GUI to be seen.

        With 3.2 they have finally done superb work with locking down services. This is even extended to services that are not on by default, such as apache. They have also gotten right of that annoying /etc/nat.conf file! Time for a round of upgrades.
    • Other comments have mentioned the security/performance tradeoff, so I won't go into that.

      Part of the difference with OpenBSD is that it runs on way more platforms than FreeBSD does. It's not as many as NetBSD (its parent) but it's a lot closer to NetBSD than FreeBSD.

  • by Zech Harvey ( 604609 ) on Friday November 01, 2002 @12:59PM (#4578681)
    Common Criteria certification so it can be just as secure as my Windows 2000 boxen!
  • Well .. (Score:5, Funny)

    by Mr_Silver ( 213637 ) on Friday November 01, 2002 @12:59PM (#4578687)
    The the files are there. What are you waiting for?

    5:30pm, 8 pints of lager, one dodgy kebab and a chance to yet again make a piss poor attempt to chat the attractive barmaid up.

    Well you did ask!

  • I'm waiting (Score:2, Funny)

    by swillden ( 191260 )

    What are you waiting for?

    Ummm... a Linux port?

  • cool pictures for xdm-logins...What are you waiting for?

    Someone to provide a direct link to the xdm backgrounds so I can use them on my Linux systems.

    Actually, I didn't wait and started trawling through their FTP archive looking for them before deciding that was a) selfish and b) stupid. At least I had enough sense not to download XFree hoping they were in there and not in a separate artwork package...

    • Nope, they are embedded in the source for XF4. You have to run OpenBSD to see them. (Hint: they are #ifdef'ed)
    • IIRC, the custom xdm stuff is in xshare.tgz, so you could download xshare.tgz, extract that, and the custom files are somewhere under /etc/X11 (/etc/X11/xdm, maybe? I'm going off of memory) The OpenBSD .tgzs extract to a relative path, so you could extract the tgz in your home directory, find the files you need, and copy them to wherever your Linux distribution wants them.
  • by ryanvm ( 247662 ) on Friday November 01, 2002 @01:09PM (#4578781)
    It is well known as the world's most secure operating system

    Whoa, partner. Sure OpenBSD is designed with security in mind, and as far as the BSDs go (which are generally pretty secure in their own right), it's probably the tightest. But it's quite a leap to say that OpenBSD is the most secure operating system in the entire world.

    I don't know which OS would get that "award". But I'd have to believe that it'd be something obscure like a tiny, embedded, OS the NSA uses in their crypto equipment or some such.
    • I don't know which OS would get that "award". But I'd have to believe that it'd be something obscure like a tiny, embedded, OS the NSA uses in their crypto equipment or some such.

      An embedded OS, especially if it has no networking, sure. For general purpose operating system that actually communicate with the outside world, my vote would have to be OpenVMS. So secure it makes even OpenBSD look as leaky as cheesecloth... (Buffer overflow exploits? No such thing in VMS.)

      • by LordHunter317 ( 90225 ) <[moc.liamg] [ta] [ttuksa]> on Friday November 01, 2002 @01:24PM (#4578906)
        Bullcrap. We just had to put in a patch to cover a buffer overflow/memory leak issue in UCX For OpenVMS. We know it caused buffer overflow issues becuase we could bomb Sybase sending it large amounts of data. Now there may be no OS-level overflows, but your statment is just ludicris. Our code is one walking buffer-overflow. Kernel != System, and just because the kernel is secure doesn't mean the system is.

        Otherwise, I tend to agree, but OpenVMS is bi*ch to configure.
        • Sure, app level buffer overflows can occur (if for example, the programmer uses null-terminated strings instead of descriptors, a necessary evil for implementing most Internet protocols), but the overflowing data does not get executed, nor does it get written to an area for which the application has no privs.
      • (Buffer overflow exploits? No such thing in VMS.)

        Ok, so you believe, programs are absolutely immune against buffer overflow exploits on OpenVMS?

        Then I'll show you a simple example of a buffer overflow exploit on OpenVMS/Alpha.


        The victim program compares a user-supplied password with a password stored inside a file.

        I wasn't able to include the source code, because I always get errors like "Your comment has too few characters per line (currently 24.5)." if I do.
        Email me, if you'd like to get the complete source code, and I'll send it back to you.

        $ cc vmshackme.c;1

        strcpy(l_input, input); .^
        %CC-I-IMPLICITFUNC, In this statement, the identifier "strcpy" is implicitly declared as a function.
        at line number 66 in file $DKA100:[USERS.OCTOGEN]VMSHACKME.C;1

        if (strncmp(l_input, l_pass, _max_pwd_len) == 0) .....^
        %CC-I-IMPLICITFUNC, In this statement, the identifier "strncmp" is implicitly declared as a function.
        at line number 68 in file $DKA100:[USERS.OCTOGEN]VMSHACKME.C;1
        $ link vmshackme.obj;1
        $ type pass.pwd;1
        $ run vmshackme
        Password correct
        $ run vmshackme
        Wrong password, try again.


        The program works, as you can see.

        Now I'll type in a bit too much:

        $ run vmshackme
        Pass word correct


        What I'm exploiting here is nothing else than a simple example of a buffer overflow.

        Even if you can't execute arbitrary code (and I'm quite sure you can do that, too!), you can still damage data structures, data pointers, numeric values like buffer offsets and many other things - so there are a lot of possibilities left for exploiting a buffer overflow vulnerability.
        AS/400s have hardware protection for system pointers, so they are even more secure than OpenVMS. But even on AS/400s you can still damage space pointers, and I'm quite sure, this example program would even work on an AS/400.
        It might not be possible to execute arbitrary code on an AS/400, but you can still damage many things by exploiting buffer overflows.


        • I didn't say that buffer overflows can't happen (except with system calls), but that buffer overflow exploits don't happen. The example you showed will not permit unauthorized code access (unless you plan on using it as a poorly written telnet deamon or such and completely bypassing SYSUAF for authentication), nor does it allow arbitrary execution of overflowing code.
    • Actually, chunks of OpenBSD have made it into embedded security devices. I don't have the link handy, but the details are on
    • Most Secure OS (Score:5, Interesting)

      by SirGeek ( 120712 ) <> on Friday November 01, 2002 @01:29PM (#4578933) Homepage
      According to this article [] the most secure OS were SCO Unix, Mac OS and Tru 64.
      • I looked at that article, and couldn't find any real numbers in it. They grouped the *BSDs together, so you can't tell where OpenBSD fit, but probably a small fraction of the 9% for BSD in general.
      • According to this article [] the most secure OS were SCO Unix, Mac OS and Tru 64.

        That depends on what you mean by most secure. For me it's very important how fast they fix the bugs. And remote holes are much more important than local ones (I don't have local users I don't trust).

        • Re:Most Secure OS (Score:2, Insightful)

          by Anonymous Coward
          I don't have local users I don't trust

          you have users you can trust? god, do i want your job.

          my users can't be trusted to follow the simplest directions. EVERYTHING better be automatic and iron-clad or they will find a way to break it.
      • But they don't weight the percentages by number of users.
        "Most of the known software vulnerabilities announced in 2002 affected Microsoft Windows (44%) followed by Linux (19%), BSD (9%) and Sun Solaris (7%). By comparison only 0.5% of the vulnerabilities announced in 2002 affected SCO Unix, and 1.9% affected Mac OS and Compaq Tru64 systems respectively."

        It might be that no one is noticing mac or BSD flaws beacuse many fewer people care. A straight line weighting doesn't make sense either. We should expect a diminishing marginal return on eyeballs. The point is that this overstates Linux and Windows bugs and understates the others(actually I don't know usage rates on Linux but I assume it is the third most used OS.)

      • Re:Most Secure OS (Score:3, Interesting)

        by Daleks ( 226923 )
        This pattern is mirrored by the overt digital attack data collected for 2002, which demonstrates this has been the worst year on record with 57,977 attacks having already taken place. The most attacked operating system in 2002 has been Microsoft Windows with 31,431 attacks (54%) followed by Linux with 17,218 attacks (30%), BSD (6%) and Solaris (5%). Apple Mac's OS suffered only 31 overt digital attacks, ie, 0.05% of all attacks in 2002 although Apple Mac has roughly 3% of the world's computer market share. SCO Unix suffered 165 digital attacks (0.2%) and Compaq Tru64 suffered 10 attacks (0.02%).

        The above uses attacks per overall attacks as the rating for the OS. What should be done is OS specific attacks per installed machines running the particular OS.

        MA -- machine attacks
        TA -- total attacks
        MI -- machines installed
        TI -- total installed

        The article gives MA/TA, but we want MA/MI. MA/MI gives the vulnerability of a particular OS seperated from the quantity of attacks. I don't know the total number of installed computers, but say it's 10,000,000. Then the MA/MI for Mac's is:

        10,000,000 * 0.03 = 300,000
        31/300,000 = 0.000103

        So about 0.0103%. By contract look at the Windows numbers. Suppose Windows has 75% market share.

        10,000,000 * 0.75 = 7,500,000
        31,431/7,500,000 = 0.0041908

        So about 0.41908%. These numbers show what percentage of installed machines will be affected instead of what portion of all attacks they represent. Another way to think about it is say you have 1 machine running CrappyOS and that machine is attacked. It will only represent 1/57,978 hacks performed in 2002. By contrast MA/MI will be 100%, meaning that every single machine running CrappyOS was hacked.

        Numbers don't lie, people do.
    • by PapaZit ( 33585 ) on Friday November 01, 2002 @07:14PM (#4581569)
      NetBSD is (as far as I know) the ONLY one of the BSDs that ships with NO open services in the default install.

      Y'know how OpenBSD used to brag about "X years without a remote root exploit in the default install"? These days, it's NetBSD that carries the "longest since remote root in default" banner, and they'll continue to have it (though they're a bit to understated to brag about it) until OpenBSD turns off incoming SSH and RPC.

      Think that's a silly argument? Check your nearest OpenBSD box. Is it running RPC? Does it need to be? Isn't "turn off unnecessary services" one of the fundamentals of securing a box?
  • security (Score:2, Insightful)

    It is well known as the world's most secure operating system

    That is true.. if you do a default installation and make absolutely no change to any of the services that come installed with it.. that's why it was secure for 4 something years.. but they didn't mention that if you had an old BIND version at the time it would still be "secure" :-)
    • Re:security (Score:5, Insightful)

      by c13v3rm0nk3y ( 189767 ) on Friday November 01, 2002 @01:38PM (#4579002) Homepage

      It's pretty common to run a few releases back on important and complex daemons like BIND, or Sendmail.

      There is little value in going to BIND 8 or 9 if it has not been audited by the OBSD team first. BIND 4 is well understood and the faults, warts and bugs are well-known. BIND 8 is still new enough that it is considered an unknown.

      This is one of the downsides (if you consider it a downsid) of trying to be "secure by design".

      Of course, OBSD is free, as in beer and as in speech. This means you can run a parallel box with BIND 8 or 9 (or whatever) yourelf until you deem it safe. The responsibility is now yours to maintain security on that chunk of the OS, but everything is a trade-off, especially in host security.

      BIND 8/9 will eventually make it into a future release. 99% of us do not need it, however, and so having a well-known and secure BIND 4 implementation has more value for the rest of us.

  • by Dr_DTHP ( 132769 ) on Friday November 01, 2002 @01:12PM (#4578804)
    >[OpenBSD is] the world's most secure operating system

    Hear that sound? It's the VMS users (all 8 of them, currently, unless Fred's VAX killed his mains power again and he switched to OSX) choking on their lunches in laughter.
  • *ahem*, not quite (Score:2, Redundant)

    by naasking ( 94116 )
    It is well known as the world's most secure operating system

    Let's rephrase that as, "It is well known as the world's most secure UNIX operating system." Otherwise it's not true.
  • Here's a mirror of the official release announcement []. Lots of cool new stuff in this release...among them:
    • ELF for Sparc []
    • Non executable stack on many architectures (including x86), non executable heap on many architectures
    • More support for hardware crypto accelerators
    • Apache runs chrooted by default (if you want)
    • systrace
    • Non executable stack on many architectures (including x86), non executable heap on many architectures

      Not to troll (well, not much anyway) but interesting to see this here when Linus was adamant about not getting this into Linux, the whole false sense of security thing. Has this changed in Linux? I've heard of stack smashes, never a head attack. I wonder how common these are.
  • Good to see, there are several facets of it that I absolutely love.

    Now only if they could speed up the network and disk I/O to the levels of FreeBSD. Oh, and SMP would be great, too, but according to the OpenBSD developers, that's not a hot project of theirs.

    So until then, I still keep a watchful eye, and a PC in the closet where it belongs with the latest version installed as a toy to play around with.
  • by Anonymous Coward on Friday November 01, 2002 @01:26PM (#4578917)
    > What are you waiting for?

    SMP Support.
  • New songs too... (Score:2, Insightful)

    by millert ( 10803 )
    The 3.2 song is available via ftp from: [] []

    (other mirrors have not caught up yet)

    The lyrics are available from: []
  • by jfedor ( 27894 ) <> on Friday November 01, 2002 @01:31PM (#4578958) Homepage [] (please use a mirror)

    This time it's a Bond-movie theme, which matches the new logo [].

  • by Anonymous Coward on Friday November 01, 2002 @01:34PM (#4578980)
    As for the OpenBSD project, there are some nice 3.2 goodies you can order them now

    Support the OpenBSD developers by getting a
    3.2 CD $40 [] or for Europe EUR 45 []

    The new new 3.2 poster [] is very nice too, get it for []
    $10 US or EUR 14 in Europe [] The European size is 70x100 cm

  • I've been wanting to install OpenBSD on my laptop but it seems like its the only OS that can't have its boot loader above 8Gig on the HD. This is a major shortcoming as far as I am concerned.
    • by c13v3rm0nk3y ( 189767 ) on Friday November 01, 2002 @01:48PM (#4579093) Homepage

      Well, this is a hardship only because you want to dual-boot, I'm guessing. Otherwise, you just partition and mount so that / is on the first 8Gb slice.

      There are third-party boot managers that do magic to allow booting to happen from almost anywhere, for almost any OS. I don't know if it works with OBSD or not.

      I've only run OBSD stand-alone on headless edge boxes, so I've never worried my pretty little head about the 8Gb limit. I'm assuming most folks who pay for the CDs every 6 months or so feel the same way. Well, that and the stickers. The stickers rule.

      • Hi,

        No, OpenBSD is unique. You have to plan for OpenBSD before you ever install a multiboot machine. The only way to get it to work is to put a small boot partitiion near the beginning of the disk. Unfortunately, thats not how most people end up installing OS's. First Windows, then Linux or something, then another OS, sequentially installed over time. I'd like to try OpenBSD, but I've put so much time into getting my -stable and -current FreeBSD partitions right, that I just can't redo the whole computer.
  • Does anybody have a link to the description and uses of the improvements made to pf?

    The complete 3.2 errata has numerous mentions of improvements, including antispoof and better handling of inappropriate/nonsensical statements. A more thorough explanation is what I'm hoping to find.

  • yes, we need SMP (Score:5, Insightful)

    by mainmain ( 618360 ) on Friday November 01, 2002 @02:10PM (#4579278)
    BSD is great, but it's just not going to make inroads into the server market without SMP. It's fine for us amateurs with racks at home and 384k upload at best, but for business that really need to crank it up, OpenBSD falls short.

    What's great about Open over Free (and most Linux distros) is simply that one can go from zero to installed, up and running in no time flat. The need to secure the OS is minimal (though as another said, why portmap and why inetd?), which also greatly reduces time to production. And no worries about all of those "extra" packages that one doesn't want installed that get installed whether you like it or not, and then having to find a way to yank them out.

    That said, yes, I pre-ordered my CDs.

    • Re:yes, we need SMP (Score:5, Informative)

      by bmajik ( 96670 ) <> on Friday November 01, 2002 @03:31PM (#4579940) Homepage Journal
      There's little reason for SMP in openbsd

      1) It makes security that much harder. Think /tmp race conditions are bad ? How about race conditions in the kernel ? How about the fact that not even Intel is consistent in their docs on how two x86 chips re-order operations and maintain cache coherence in some situations.

      2) 99% of the software on openBSD is fork/exec anyway. You might as well use assymmetric multi-processing, or, better yet, buy 3 uni-proc boxes for the price of a dual proc box, and partition your load accordingly.

  • by minipunk ( 596806 ) on Friday November 01, 2002 @02:12PM (#4579298)
    Anyone know if one exists? Please send URL!
  • by fries ( 14958 ) <> on Friday November 01, 2002 @02:32PM (#4579434) Homepage Journal
    ... couldn't make it through the 'Lameness filter'.

    Please go to where they did make it through.
  • by dazdaz ( 77833 ) on Friday November 01, 2002 @02:38PM (#4579493)
    People always get annoyed with this, however we would like .iso's of OpenBSD. I believe the philosophy is flawed in that .iso's are not made available so people have to purchase the cd's which helpds fund the project. However this limits the distribution of OpenBSD. If anyone could download an .iso, become familiar with OpenBSD, the userbase would be larger and therefore more people would purchase the official CD's.

    What do others think?
    • In my experience, if you provide an ISO, nobody buys a CD, and they just burn the ISO. With OBSD, at least one person buys a CD, and all his/her friends copy that.

      This helps OBSD make exactly one sale, instead of none.

      Seriously, I don't know. There isn't much incentive to buy OpenBSD CD sets (or any free OS, for that matter) in the first place. Giving the CDs away is just not going to help that, if you ask me.

      Then again, I've bought few CD sets myself; I usually just get a few t-shirts and install via FTP and/or create my own ISO.

    • ISOs are wasteful for OpenBSD. With the boot floppies images, and 3-5 .tgz's totaling 40ish megs, you can have a fully functional firewall box. Even if you were installing X, and other desktop oriented niceties, there are 10ish .tgz in total, probably not eclipsing 200megs altogether. If they hosted ISOs, that is a 600 meg download.

      OpenBSD has a CLI, but clean install routine. If you read the install directions, anyone can successfully install it via ftp, with only 50-200megs of net traffic.

      Finally, they put in a ton of effort to have great man pages. Thus, the support base expects you to read before asking questions. Therefore, if you aren't willing to read the install guide to do a ftp based install, you aren't going to have much luck with the OS and its support community.

    • by waspleg ( 316038 ) on Friday November 01, 2002 @03:29PM (#4579922) Journal
      1.44 floppy net-based installs, which is what i usually use and i've been using openbsd since 2.5

      just because there are no "Official" iso's does not mean that they are not available from "Unofficial" sources just look around but you really should support hte project if you can

      (the t-shirts/posters/stickers are all cool and the later can only be found w/ the official cdrom distribution)

      my personal server (which is used primarily for NAT and personal ftp) has been running OpenBSD for years and it's certainly hte most elegant and simply designed UNIX based system that I've ever used and is far more intuitive and secure than Linux (which i have also dealt with since '95 and presently have a debian desktop machine running under my desk so no flames please) by default.. anyway my $.02

      here is a link to the floppy internet based install instructions:

    • Maybe Theo meant it as a filter; if a user can't install without ISOs then he's not worthy of using OpenBSD. :)

      Seriously, making your own OpenBSD CD is not that hard; you just download the files, the boot floppy images, then boot with that floppy, check the path in which it looks for the installation files, and then make a CD with files in that path and using the boot floppy image as your El Torito boot image. I've been doing it since 2.9 and it works like a charm. I put all the files on CD anyway, to save HD space on our server, and making it so that the CD was bootable and could be installed from was obvious and simple.
  • I've installed OpenBSD about 10 times now, and I've always been amazed that they've kept the just terrible disk partitioning and labeling scheme for the install. Does the new release have any new features in that area? If not, please just steal some code from FreeBSD or somewhere! Then I won't have to use a calculator to do an install :) :)
    • I often wonder if it's kept in order to keep an element of elitism attached with OpenBSD. Afterall look what happened to Linux.
    • No offense man, but by the 10th time you should have figured out you can use "M" and specify megs for partition size. Accept the default locations on the disk and guestimate in MB on what you need for /, swap, /tmp, /var, /home, and use the rest for /usr. Each time you add a partition, it will place the start of it after the end of the last one. Easy as pie.

      Yes, the disk partitioning is the least intuitive part of the install, but it only took a complete newbie like myself a few times (3, maybe 4) to feel comfortable with it so I think you might have missed something in the documentation. I was using "Building Linux and OpenBSD Firewalls" at the time as well, but it's all there on the screen for you.


  • Signed files? MD5s? (Score:4, Interesting)

    by piranha(jpl) ( 229201 ) on Saturday November 02, 2002 @03:44AM (#4582969) Homepage
    I appreciate OpenBSD a lot; I use it on one system at home, and plan to do two more OpenBSD installations. There are some really cool things, like systrace, that aren't available for Linux yet.

    That said, how can I trust that my copy of the "world's most secure operating system" hasn't been tampered with? OpenBSD does not sign their files with PGP, GnuPG, or OpenSSL (yes, the latter has been suggested on lists). OpenSSH does. Why can't OpenBSD?

    The ports tree, the kernel source, and the rest of the base source (ports.tar.gz, srcsys.tar.gz, and src.tar.gz) don't even have published MD5 hashes (but the archetecture-specific binaries do). The source matters, because (aside from using potentially unstable snapshots binaries) you need the source to apply security patches as security issues are discovered.

    For an OS with such a focus on cryptography "because we can", I don't see it being used where it counts. (I've written to the misc list, and only received one response. I've filed a bug report and have received none.)

Money is better than poverty, if only for financial reasons.