OpenBSD 3.5 Released 345
pgilman writes "The word just hit the announce@openbsd.org mailing list: "We are pleased to announce the official release of OpenBSD 3.5.
We remain proud of OpenBSD's record of eight years with only a single remote hole in the default install. As in our previous releases, 3.5 provides significant improvements, including new features, in nearly all areas of the system" including security, hardware support, software ports, and lots more. Support the project if you can by ordering the cds, or grab it from the net (use a mirror!). Thanks to Theo and the whole team!"
Excellent (Score:5, Insightful)
Re:Excellent (Score:2, Interesting)
what about www.grsecurity.net [grsecurity.net]? IMHO, I think grsecurity is much more a better solution especially if it were ever integrated into 2.6 kernels. Face it, what other patch/modification/os could potentially protect you from flaws in the kernel itself??
Re:Excellent (Score:2, Informative)
Re:Excellent (Score:5, Insightful)
I'm sure grsecurity is nice, but today it exists as a set of patches to the vanilla kernel only. The only distros that supports it is Adamantix and Gentoo (part of Hardened Gentoo). Other widely used distros like RedHat, SuSE and Mandrake does not.
As long as this state of affair exists, GRsecurity will not be a viable option for the majority of Linux users.
On OpenBSD you have similar technology integrated with the OS. No need for patches or other stuff to use it.
Re:Excellent (Score:3, Interesting)
Mandrake has been very good about using grsecurity in their secure kernels, and include it within the sets of patches in their kernel source packages. That is one of the things that has always attracted me to Mandrake. Their attention to security is often overlooked amidst all the attention they ge
Re:Excellent (Score:2)
That sure is impressive!
I did not even know a person had an IP.
Or do they mean "Intellectual Property"???
A firewall should /require/ a GUI? (Score:2)
It's called sarcasm (Score:3, Insightful)
I don't honestly believe you think I was advocating replacing an OpenBSD firewall with a Windows machine under any circumstances. Windows ISA Server is by far the worst firewall I've ever had the misfortune of deploying.
Re:Excellent (Score:5, Funny)
Another thing, if Linux's "iptables" interface to netfilter challenges you, then you have no business using computers at all.
Congratulations! You've won "The 1337ist Statement of the Day Award"!!
Re:Excellent (Score:2, Troll)
If I write a daemon that prints "Hello World" it does not need to be chrooted to be secure. So should all daemons be. If a network-accessible program is accessing files, especially user-specified files, it needs to be god damned careful about it. End of story.
Chroot is a poor kludge of an attempt to turn a non-secure program into a secure one. I would prefer if it weren't in OpenBSD at all, it gives people a false sense of security. Even a perfe
about security holes (Score:5, Interesting)
If you call chroot a poor kludge, you're obviously not a security guy. Granted, it's not perfect, but it does help a little. Ever heard of the principle of the least privilege? The idea, that programs shouldn't be allowed to do anything except what they need to do? Well, taken to the extreme, this would mean:
- Program should declare what syscalls it uses, what libraries it needs, etc, and no other syscalls/libraries would be allowed.
- Program should declare what kind of access it needs to the filesystem to function. No other parts of the "real" filesystem should be visible in the program's namespace at all.
- Same for every other resource such as sockets, etc...
This could be achieved through a manifest file of some sort, which the kernel would read and interpret. It could be part of the program image itself. This would be truly beautiful, however anything that implements any of the above is a GOOD thing.
You're saying chroot is giving a false sense of security. So, shouldn't the people be educated about what it solves and what it doesn't, then? Obviously it's a good feature, it just isn't intended to be a solution to everything. Just a solution to one problem: filesystem namespace visibility.
Re:about security holes (Score:4, Informative)
- Program should declare what kind of access it needs to the filesystem to function. No other parts of the "real" filesystem should be visible in the program's namespace at all.
- Same for every other resource such as sockets, etc...
You mean like systrace?
Re:about security holes (Score:3, Interesting)
Re:about security holes (Score:4, Informative)
- Program should declare what kind of access it needs to the filesystem to function. No other parts of the "real" filesystem should be visible in the program's namespace at all.
- Same for every other resource such as sockets, etc...
systrace(1) [openbsd.org]
Re:about security holes (Score:4, Insightful)
Not true, I'm "a security guy", and I'd say he's right (although I would phrase that differently).
From everything I've seen, it hurts more than it helps in 99% of cases.
Yes, and Chroot seems to be prevnting people from actually doing that.
The huge majority of network services do not need to be root, except to open a port <1024... If it was not for that, most programs could run as an unprivlidged user, and NEVER need root access.
Remember, with chroot, you have to trust your program to only do what it needs to do as root, and be secure about it. Then you have to trust that it is dropping privlidges as soon as possible. You have to trust it is setting up the chroot correctly, and that it is dropping privlidges correctly. There have been several instances where services have been exploitable because they did not properly drop privlidges. (IIRC, samba was one of them)
Okay, everyone, chroot solves nothing. You use it only if no other security measure are possible, such as is the case with OpenSSH.
It is not a solution to that. First off, access to any of the files on a system (except for suid/sgid files) is not a security risk AT ALL.
Second, and most importantly, it is possible to break out of a chroot, so it's not providing much security.
Re:Excellent (Score:4, Interesting)
LK
Re:Excellent (Score:3, Interesting)
Dont' think so mainstream. Think exotic:
a 3x PCI 0x AGP SMP ATX board would make the perfect Home-Server. It would offer possibility for a WLAN card, a 4ch S-ATA RAID controller and a 2nd NIC, maybe with embedded firewall. [cyberguard.com]
While o
Re:Excellent (Score:2)
I would rather the OpenBSD team concentrated on things other than SMP. For the large proportion of cost-effective routing/firewall systems, SMP isn't a priority.
What is a priority is (a) continual stripping out of GNU licensed artifacts, (b) continual code "securisation", (c) continual security features (i.e. CARP, etc).
SMP sounds like a nice bit of candy: but I'd prefer the healthy food first.
Security (Score:2, Interesting)
So if I want optimal security, how do I choose which packages to use?
Re:Security (Score:5, Insightful)
Use common sense, chose packages of software you have faith in to not suck.
Re:Security (Score:3, Insightful)
This is lowsy advice. You can have all the programs you want installed, and it won't make your system any less safe.
The only exception is suid/sgid programs.
It always drives me insane when I read another "security" tutorial on the web that suggest deleting unused programs, or your compiler, will make your system more secure, somehow.
Incidentally, ports do include patches, and most maintainers
pfsync/CARP (Score:4, Interesting)
It's now suitable for replacing a lot of the Cisco gear out there.
Re:pfsync/CARP (Score:5, Insightful)
I haven't had a router in a few years, but when I did have a couple, they were rock solid. I always assumed that a big part of it was the fact that they didn't have any moving parts.
Wouldn't the computer architecture make an OpenBSD router less stable?
Re:pfsync/CARP (Score:5, Interesting)
OpenBSD (and all the rest) don't need moving parts, except for the power supply fan. VIA Eden chips can run without a fan, and there are other chips from other architechtures with similar specs. The hard drive can be replaced by a flash IDE drive if your space requirements are small enough.
Cisco still wins on speed when all you're doing is routing, and in many other situations, but the firewall isn't that impressive.
Not necessarily, it runs on a lot of different architectures... Xeon's, Opterons, PowerPC, MIPS, etc. If you didn't have to patch, uptimes of years wouldn't be a problem.
Re:pfsync/CARP (Score:2, Interesting)
They don't even need a power supply fan; My epia system has a 12VDC -> ATX power board that plugs into an external AC/DC converter (power brick). It supplies plenty of power (60 watts; plenty for an epia at least) a
Re:pfsync/CARP (Score:2)
So, an Eden Epia + 12VDC power board + Flash Drive = no moving parts at all. And it's more flexible and cheaper than a Cisco router!
It is also the ultimate silent multipurpose computer! Doing maintenance work in a machine room full of these would be a dream!
Re:pfsync/CARP (Score:5, Insightful)
All but the high-end Cisco boxes are very short of central processor power. Look at boxes in the 1700, 2600 and 3700 lines. They need additional co-processor cards to help with tasks like encryption and compression, where a PC could perform these easily without any help.
And when you need only little bandwidth but need a nontrivial amount of interfaces, you are forced to buy quite a large box. (the 1700 series accomodates only 2 interfaces, and on the 2600 series there is the possibility of 4 interfaces but only for Voice, not for Data. so very quickly you will need a 3725, for applications where a PC could still easlily handle the load)
We don't need no steenking moving parts (Score:4, Interesting)
Re:pfsync/CARP (Score:5, Insightful)
The only really special thing about Cisco hardware as compared to a PC is that their backplane has traditionally been much faster than anything a PC has had to offer, and they have offered network cards (or blades in the Cisco parlance) with more ports (since they are larger) and with additional processors on the cards which do routing themselves. (Layer 3 switch blades, for example.) It's nothing you couldn't do on a PC, though, there just hasn't been a reason to. The most modern PCs have an extremely fast bus however, in the form of 66MHz/64 bit PCI, and now PCI-Express is coming along and the wider versions of that are even faster from what I understand.
Anyway, since when do routers not have moving parts? Every Cisco product beyond the SOHO level has at least one cooling fan. A cat5k (I pick on it a lot because it's what I have most experience with) has, like, eight plus one per power supply. Meanwhile, there are PCs without any moving parts - A cisco PIX 520 would be one of these, if it didn't have a power supply fan, because it's just a PC in a custom rack case, with an expansion card with a flash ram disk on it, and some Intel EEPro 100/B Management Adapters in it. (Someone told me once that tulips work too, as they were used in older pix 520s, but I've never seen that before.)
So the short form is "no", the computer architecture won't make an OpenBSD router less stable than a Cisco one. The only thing that might would be OpenBSD itself.
Re:pfsync/CARP (Score:5, Informative)
- Configure, maintain and secure your routing protocols and interfaces in one easy to read and edit configuration file.
- Store the configuration in solid-state flash memory.
- Upgrade the entire OS by TFTP'ing a single file.
- Provide support for many types of LAN and WAN interfaces (DSx, hardware accelerated ATM segmentation and reassembly, etc.)
- Provide support for layer 2/3 QoS packet tagging in hardware (on ALL WAN interface types i.e. ATM, Frame, DSx) to reduce CPU load on distribution routers.
- Handle IPv4 traffic routing in hardware, with the OS just maintaining flow state information.
- Provide support for the plethora of legacy protocols that are on corporate networks (DLSw, X.25, etc.)
When the only tool you have is a hammer, everything looks like a nail.-Pat
Re:pfsync/CARP (Score:4, Funny)
Re:pfsync/CARP (Score:2, Funny)
Yeah, they made us shout that in group before trust building exercises at the Borden Institute of Family Relationships.
KFG
Re:pfsync/CARP (Score:4, Informative)
This already is a Cisco killer for one simple reason, VSRP is crap.
Re:pfsync/CARP (Score:2)
Re:pfsync/CARP (Score:2)
You have to select an IOS version that includes all the features you need, fits in the memory you have, and does not have any of the bugs that are blocking to you. This is becoming increasingly difficult.
A more modular approach (a base kernel with drivers and features loaded as modules) will be required to be able to move forward without keeping all that archaic stuff forever.
Re:pfsync/CARP (Score:5, Insightful)
One file, more files, what is the difference? If the config files are well organized, which they are, there is no reason to have it all in one file.
Store the configuration in solid-state flash memory.
Get a CompactFlash card and a CF-to-IDE adapter.
Upgrade the entire OS by TFTP'ing a single file.
Could be done, you would need twice as much disk (CF) space as you need for a single installation, then download the new OS, unpack it on a free partition, swich default partition for booting, reboot. Ok, perhaps noone has done this until now. Perhaps it's because noone really needs it, not even the people who use OpenBSD on all their routers.
Provide support for many types of LAN and WAN interfaces (DSx, hardware accelerated ATM segmentation and reassembly, etc.)
Provide support for layer 2/3 QoS packet tagging in hardware (on ALL WAN interface types i.e. ATM, Frame, DSx) to reduce CPU load on distribution routers.
Handle IPv4 traffic routing in hardware, with the OS just maintaining flow state information.
Why do you need to do all this in hardware? Most of this stuff can be done in software a strong enough CPU and IO. The rest that can't be done in software is probably not used by majority of Cisco users (see below for more).
Really, you are building these requirements in such a way that OpenBSD cannot comply. It's a bit like saying that OpenOffice will replace MS Office if the third submenu in the 'File' menu is 'Open', when you click on it, go 102 pixels down and 53 pixels left, click, select the third option, and it reads 'Microsoft Word (.doc)'. What you really need is that it opens a
Provide support for the plethora of legacy protocols that are on corporate networks (DLSw, X.25, etc.)
Not everyone needs those, and the majority who do not can use OpenBSD. The rest will probably use Cisco anyway, but it may just not be enough for Cisco to survive. Thus "Cisco killer".
In fact I don't think this will happen, as the strong Cisco feature is that they sell everything in one package, unpack and plug and play
Re:pfsync/CARP (Score:4, Insightful)
This is bull. Cisco routers do not have text editors, and transfering a config file to/from a cisco router every time you need to make a change is quite cumbersome.
I used to be annoyed that different Unix config files have different syntaxes, until I used Cisco... There, each different option (hundreds, if not thousands in each config) may have it's own syntax, that you really have to memorize, or look-up to get right.
Not a problem at all. I had a router running solely on a 32MB PCMCIA card several years ago.
Now that's pretty stupid. First, I've seen many routers corrupted because TFTP is so very hit-or-miss... The fact that most Cisco routers are only able to use TFTP is a serious drawback, not an advantage.
As for the single file... OpenBSD's base system is spread across about 5 tar.gz files... If it makes you feel better, I could very quickly whip up a script that will combine them into one tgz file. Better?
QoS is supported by PF. It's not in hardware, but that's no real concern.
When you only own stock in Cisco, everything else must be inferior.
Re:pfsync/CARP (Score:2)
OpenBSD is only a cisco killer in SOHO and SME type environments. Even then, part of the problem is that it still requires expertise to setup - there are a lot of CCIE/CCNE out there, and no so many pf/carp/openbsd experts.
The thing for the OpenBSD guys to do is make OpenBSD an attractive platform to OEM's who will build more user friendly solutions onto it.
Monty Python clone??? wtf? (Score:4, Interesting)
Anyway I downloaded the 3.5 song and found it about a protest on cisco patents on rundantant firewalling and vrp in a monty python format.
Strange but somewhat ammusing to say the least. Go download it [openbsd.org].
Re:Monty Python clone??? wtf? (Score:2)
yea (Score:3, Informative)
and OpenBSD Rocks!
my favorite comment from the changelog (Score:5, Funny)
I don't know what it means, but I approve.
Re:my favorite comment from the changelog (Score:5, Informative)
Here's all you need to know (Score:3, Funny)
Happy user since 2.7 (Score:5, Insightful)
I have used OpenBSD since 2.7 as a firewall, a web server, and a file server. There are a lot of unix-like operating systems out there, but for me, nothing can beat the simplicity and security of OpenBSD in these areas.
I'm also extremely happy with the ease of applying patches on OpenBSD. It makes remote management the easiest thing in the world (well, from a unix perspective anyway).
If you haven't tried OpenBSD, and are looking for an excellent server OS, I highly recommend giving it a try. I would recommend supporting the effort by buying a CD too.
Re:Happy user since 2.7 (Score:3, Insightful)
No real help is given to new users and such an elitest attitude is suicide.
A number of the reviews and guides I looked at before deciding on OpenBSD warned me about the communities attitude to this. But, firstly - I guess it's an understandable attitude if you aren't really concerned about promoting your OS and just want to be able to run it yourself, let's face it most of us are really freeloaders (I can't hack kernel code can you?). Secondly, the only time I've ever asked for help was on bsdforums and
Mascot (Score:3, Informative)
OpenBSD (Score:4, Funny)
never-been-rooted claims getting sillier (Score:3, Funny)
Prediction for OpenBSD 6.0 announcement:
"We remain proud of OpenBSD's record of 15 years with only a single remote hole on a 986, executed from a windows system over a local network by a person under the age of 18. On tuesday. During a full moon. At low tide."
Re:never-been-rooted claims getting sillier (Score:5, Interesting)
Re:never-been-rooted claims getting sillier (Score:5, Insightful)
2. The stock install comes with apache, an ftp server, X, and routing software.
3. No, every recent DoS attack that has effected obsd has been fixed. I would hardly call, same day patches as "ignoring".
No, not silly. (Score:2, Insightful)
Uber secure? I'd grant them that.
Secure? Probably not, but they're working on that.
Secure means that I can run unpatched vulnerable software with impunity.
Security does not mean that I have to try playing catch-up with the latest security "fixes".
Fast AES (Score:5, Interesting)
I found this part of the release notes particulary interesting:
OpenSSL now directly uses the new AES instructions some VIA C3 processors provide, increasing AES to 780MBytes/second (so you get to see a fan-less cpu performing AES more than 10x faster than the fastest cpu currently sold).
I don't know if the fanless assertion is right (the AES instruction is available in the newer (step 8?) Nehemiah processors, which I don't think there is a fanless version yet on the market.) Of course someone will prove me wrong.
Now all VIA needs to do is make a network centric Nano-ITX board (drop the video, audio, firewire, usb, etc etc, and add in two more good ethernet ports), and this could be a serious IPsec/VPN platform.
Re:Fast AES (Score:4, Interesting)
Re:Fast AES (Score:4, Interesting)
Re:Fast AES (Score:4, Interesting)
BTW, your mention of "uATX-like" is way off base. Mini-ITX is sgnificantly smaller, and VIA has released it's even smaller Nano-ITX range as well.
Re:Fast AES (Score:2)
Here [silentpcreview.com] is a case which uses a heatpipe to replace the fan on a EPIA M motherboard. Honestly though, if I wasn't tracking the mini|nano-itx stuff I wouldn't have known.
Re:Fast AES (Score:3, Informative)
Re:Fast AES (Score:4, Informative)
Isn't it about time... (Score:5, Funny)
My addition (Score:4, Interesting)
I've been using OpenBSD since 2.8 and have loved it since. It was the first UNIX-like OS I used. I currently use it on one box for my firewall, but have switched to gentoo for the web & mail servers.
Thats not the best part though. I have some friends who needed a residential gateway, and I set them up with an old box running obsd 3.1, and its been running non-stop (aside from power outages) since, with no problems. I keep telling them I should upgrade them, but it really isn't required.
Anyway, thats my addition. I wonder if anybody will have the paitence to read this far down in the comments. Hmmmm...
One remote whole... (Score:4, Informative)
We remain proud of OpenBSD's record of eight years with only a single remote hole in the default install.
I love OpenBSD as much as anyone serious about security, but this quote is completely full of shit.
If you look at the release 3.4 [openbsd.org] errata list, there's at least three or four root exploits waiting to happen. And 3.3 [openbsd.org] and 3.2 [openbsd.org] aren't any better.
And YES, sendmail was in the default install. As well as many programs based off the lately bad libc-6.
OpenBSD is the most secure, and secure-oriented, but its not perfect by any means.
And yes, I run OpenBSD on a few servers, and one desktop!
Re:One remote whole... (Score:2)
I love OpenBSD as much as anyone serious about security, but this quote is completely full of shit.
Ok Ok, well I got one that's completely true and an even longer timeframe.
MS-DOS: 0 Remote Root Exploits in over 20 years
Re:One remote whole... (Score:5, Insightful)
Taken together, a large chunck of potential remote exploits become much less serious problems because the exploit isn't capable of root'ing an OpenBSD box. Sure, a DoS vulnerability is nothing to sneeze at, but it sure beats getting rooted. Same vulnerability will that will root a linux box, will often only annoy the living hell out of an Open box, and you'll still see a patch faster for OpenBSD.
Re:One remote whole... (Score:4, Informative)
Perfect Timing (Score:3, Informative)
But now that OpenBSD is only on Firewalls, no webservers, it's less pressing.
Of course it's out (Score:4, Funny)
Documentation (Score:5, Insightful)
I run Linux on my main workstation (and having been a Linux user since the 0.12 kernel days, Linux is close to my heart), but I'm increasingly impressed with OpenBSD as a firewall - the documentation is light-years ahead of Linux iptables documentation for a start, and then there's the new capabilities of pf with 3.5. It's not far off challenging the big boys like CheckPoint FireWall-1 (whose only advantage for our particular network is a pretty GUI configuration tool). With OpenBSD 3.5 with carp and pfsync, the CheckPoint box's days are numbered - I can get better reliability/redundancy with OpenBSD now. The OpenBSD documentation is better. The mailing lists for OpenBSD are more informative than the CheckPoint ones. The hardware is a lot less expensive, and you don't have to pay annual software rental like you do with FW-1.
Re:Documentation (Score:3, Informative)
What I really like about OpenBSD is that I don't have to google for a HOWTO on configuring pf and altq.
I'd also throw in that the file system layout is very consistant with OpenBSD. There's even a hier(7) [openbsd.org] man page describing the layout. When I'm working on another OS I find myself digging around, even for configuration files, way too often.
Re:Documentation (Score:3, Insightful)
Looks like an excellent release! (Score:5, Informative)
The ones that stand out for me are -
Chrooting and dropping privileges for BIND by default (kept me feeling fairly safe through a few vulnerabilities, and without the extra work of maintaining my own bind built for chroot)
Picking up ssh and releasing a good, free version
Coming up with the nicest firewall I've used, taking it from nothing to ready for release within 6 months (That still amazes me!)
spamd - After breaking 400 spam messages a day directed at my inbox, wiring Spamhaus SBL into the firewall and tarpitting a good portion of the traffic is a nice bonus. Noticing a week after setting that up that OpenBSD 3.5 has graylisting is a nice surprise.
Propolice stack protection built into the OS and integrated for the long haul
Now with CARP, I can feel comfortable getting all this in any environment - I think failover support really opens up a lot of possibilities for the future of OpenBSD.
All in all, OpenBSD has all the attributes I like in an OS -
regular 6 month releases (production quality doesn't have to mean stale),
cohesiveness (no waiting for glibc to catch up to a new kernel feature, or vice-versa),
a real commitment to free software (as demonstrated with OpenSSH, pf, and now CARP)
really delivering - as opposed to various Linux security projects that I've seen integrated with mainstream distros, then apparently forgotten about or relegated to a special option marked with a warning label, OpenBSD is a real tested system.
As a system, it can progress toward its goals through every aspect of the system (eg., the pervasive privilege separation), rather than a patchset to a mainstream distro, which has inherent lag time and may be working at cross-purposes to that distro or the numerous projects that make up the distro it's trying to secure. I've seen a few patchsets come and go over the years, too, while OpenBSD keeps adding to the foundation they've built.
Thanks, OpenBSD team, for all the great releases... (and all the fish
Now I'm off to explore my new OpenBSD 3.5 system, where make build just finished.
Re:Looks like an excellent release! (Score:3, Troll)
I have to say, I think you've got it backwards. I was using OpenBSD back in the day myself, and from the first install, it was impressive. Unlike all the other OSes, any hardware you had installed would just work, with absolutely no user intervention (assuming it was supported). You could shutdown, swap your soundcard with something completely different, reboot, and with no changes at all, your new soundcard wo
live cd (Score:3, Interesting)
Really, I only use Linux because it was the easier way to get me a KDE desktop. I couldn't give a damn about what kernel I'm running, I just want to have the best desktop environment available today.
Of course, I _could_ use better performance.
Os with *ZERO* remote holes since longer ago.... (Score:3, Funny)
... how about load balancing? CARP do that yet? (Score:3, Interesting)
However, I was wondering if there's anything whereby the firewalls themselves load balance outgoing connections?
For those of us who have more than one internet link into their home, and who currently have to manually switch between one route and the other, this kind of functionality would be an absolute godsend.
Anyway, congrats to the OpenBSD team, it's always good to see another BSD that doesn't buy into the "How many times can we bump the version to make it look good to the users" game.
Amazingly, yes (Score:4, Informative)
Re:Every Hacker's Wet Dream (Score:2, Interesting)
seriously though, just check netcraft. there are lots of sites hosted on OpenBSD.
Re:Every Hacker's Wet Dream (Score:5, Funny)
-truth
Re:heh... burlington does suck (Score:2)
Re:Every Hacker's Wet Dream (Score:3, Interesting)
The sites with the longest uptime run OpenBSD
thats who uses it
Re:Every Hacker's Wet Dream (Score:4, Interesting)
thats who uses it
That's not a valid list.
$ uname -sr
SunOS 5.7
$ uptime
12:11am up 1585 day(s), 8:41, 1 user, load average: 0.27, 0.27, 0.26
That puts us in the top 10, and we're not the only ones. The problem is the uptime solaris reports to netcraft rolls over every 495 days.
Upgrade Mini-FAQ (Score:4, Informative)
Re:"single remote hole" (Score:5, Informative)
OpenSSH.
Re:"single remote hole" (Score:4, Informative)
Re:"single remote hole" (Score:3, Interesting)
It seems to me that the design level of OpenBSD is remote administration of the box where an intervening router is owned by a competent enemy.
Re:"single remote hole" (Score:3, Funny)
Of a nice day.
Re:2 Remote Holes in 8 years (Score:2)
If it's only 8 years old then it really could be just one remote hole in it's entire lifespan.
Well I'm shure quite a few people here know how old OpenBSD is and will chime up, I'd be curious to see if my guess is right
Mycroft
Re:For the trolls, out there... (Score:3, Funny)
Re:For the trolls, out there... (Score:2)
k, troll, I'll bite.... (Score:5, Insightful)
ok....
Very recently the head of our IT department decided that we were going to switch every one of our networks over to Windows XP Professional.
Hmmm.... ok. I guess that's possible.
We had previously been running OpenBSD on all our quad processor Xeons.
*bzzzzzt* You are either lying or dumb. Why install OpenBSD, which I admittedly love and am not biased against, on a quad processor system when SMP is in like alpha stage, beta at best? Because you're trolling or have no idea what you are doing. Next!
-truth
I'll bite too... (Score:5, Informative)
1) Devry... nice..
2) A company capable of buying quad xeon hardware doesn't sound like the kind of cmopany that needs to resort to running a workstation OS--XP Professional--on a server. Plus, Windows XP will only use 2 CPUs maximum.
3) Like mentioned before, you'd never run OpenBSD on an SMP box in a production scenario
4) What kind of password? The Windows XP password has nothing to do with Dell. If you mean the BIOS password, that has nothing to do with Windows.
5) Microsoft's multi-user computing (read: NT Domains/Active Directory) is actually quite good.
6) If your server had three years of uptime, there was probably (I'm sure there wasn't but I don't want to be wrong) no OpenBSD SMP support (not even beta) 3 years ago... I wonder how your boss feels about a server having 75% of its computing power being unused.
There's more wrong with your post, but why bohter...
Re:Argh (Score:3, Informative)
Not all mirrors have 3.5 yet... (Score:4, Informative)
In case google is broken, which it's not (Score:4, Informative)
Re:Downloadable ISO? (Score:3, Informative)
$ cd OpenBSD/3.5/i386
Then get the following files from a mirror:
CKSUM
MD5
base35.tgz
bsd
bsd.rd
bsd . rd-a.out
cdrom35.fs
comp35.tgz
etc35.tgz
game3 5.tgz
man35.tgz
misc35.tgz
xbase35.tgz
xfont35
xserv35.tgz
xshare35.tgz
$ cd
And optionally also fetch these files:
ports.tar.gz
src.tar.gz
sys.tar.gz
$ cd
$ mkisofs -J -r -T -V "OpenBSD_3.5" -b 3.5/i386/cdrom35.fs -c boot.catalog -o
Re:Downloadable ISO? (Score:5, Informative)
I think the easiest way to do an installation ( I ran 3.5 up on an old p-166 this evening ) is to download the arch-specific install files ( ie everything under
For detailed info on the install, see the FAQ [openbsd.org].
The Errata [openbsd.org] page should be checked regularly too. Unlike the 3.4 release that had a number of bugfixes that needed to be applied as soon as it was officially released, 3.5 has no need for further patching at this point in time.
Re:Was anyone else pissed when... (Score:2, Funny)
Re:FreeBSD and OpenBSD (Score:3, Informative)
I use OpenBSD on my desktop at work. There's a FreeBSD and Linux (among others) binary compatibility option which work great for me. I use the Linux Citrix client binary to connect to a Citrix server across the country just fine. I don't think I've ever run a FreeBSD binary but I install from ports usually so the port-meister of that particular software takes care of issues.
OpenBSD supports a load of different architectures [openbsd.org], far more than FreeBSD. However I think you're really asking about supported hardwa
Re:Breaking backward compatibility? (Score:3, Interesting)
NetBSD has Kernel options "COMPAT_16" or "COMPAT_15" so the kernel itself will support binaries which are targetted at older releases and thus can run software from (decades?) ago without much more than installing the older libraries it was linked against.
OpenBSD, as I recall, has no such functionality to
Re:Ok., who has a free iso (Score:4, Informative)
Torrent [hewus.com], and Source torrent [hewus.com].