OpenBSD 3.6 Live

An anonymous reader writes "There is a mounting excitement for the upcoming OpenBSD 3.6 release, as it is the first release that supports multiprocessor systems. To celebrate the event, ONLamp.com published an interview with several developers to discuss new features, tools, and future plans."
This discussion has been archived. No new comments can be posted.

  • by NekkidBob ( 807988 ) <[jason] [at] [purebsd.net]> on Friday October 29, 2004 @11:28AM (#10663953) Homepage
    There has been so much development in all the BSDs, and a new BSD system (DragonFlyBSD) coming out, how can anyone say *BSD is dead? The OpenBSD community has even pushed some vendors to release firmware for various hardware in a more open source way [theaimsgroup.com]. If a "dead" community can convince hardware vendors to do that, then why isn't the Linux community doing more to make vendors release more firmware/docs in an open way?

    • If a "dead" community can convince hardware vendors to [release firmware for various hardware in a more open source way], then why isn't the Linux community doing more to make vendors release more firmware/docs in an open way.

      You're assuming vendors are releasing firmware because they care about the *BSD community, but most BSDs were stable (and by far more complete) systems back when Linus was asking for help in the mailing lists, yet in all these years most vendors couldn't have cared less about them. Only
  • Damn (Score:2, Insightful)

    by armypuke ( 172430 )
    SMP support on OpenBSD/i386 and OpenBSD/amd64 platforms.
    I was getting my hopes up that I could finally run OpenBSD on a couple of multiprocessor Sun boxes that I have.

    Damn

    • Re:Damn (Score:5, Informative)

      by NekkidBob ( 807988 ) <[jason] [at] [purebsd.net]> on Friday October 29, 2004 @11:37AM (#10664096) Homepage
      Well if you have enough to spare one, I'm sure a developer could use a multiproc sun box, check their wanted hardware list [openbsd.org] about donating one to further smp for sun.
  • Apache on OpenBSD (Score:5, Informative)

    by jpkunst ( 612360 ) on Friday October 29, 2004 @11:52AM (#10664308)

    Apache on OpenBSD always had a lot of security-related patches compared to the regular Apache (chroot for example), but it seems that Apache on OpenBSD can now be considered a real fork:

    After the 1.3.29 they decided to muck with their license, introducing stupid patent terms without understanding what they turned their license (that used to be a BSD-derived one) into with that, so we cannot import new versions unless they fix their license. It is not a big loss tho'. The Apache people have mostly given up on 1.3 anyway, and all that happened over the last years was bug fixes, documentation work (actually, mainly translation), and some stupid code shuffling, that only made diffs bigger without improving anything. Now that it is certain that we don't have to worry about syncing to them any more, we can start making the mess of code readable tho'.

    JP

    • Re:Apache on OpenBSD (Score:3, Informative)

      by jtharpla ( 531787 )
      Indeed, they should rename it and continue to fork away, ala IPF->PF. Personally, though I know the roots were political, I have enjoyed the results. I prefer the OpenBSD-flavored Apache because of its out-of-the-box chroot config. Some things that would be nice to add in would be RedHat's default of having a directory of config files (easy enough to configure after the fact) and having a decent log rotation scheme. I ended up using VLogger, which is a nice Perl script that I found. Works well for h
  • At least he's honest (Score:2, Interesting)

    by cmad_x ( 723313 )

    FB: How does this compare with FreeBSD 4, FreeBSD 5, and DragonFlyBSD? Niklas Hallqvist: Actually I don't know. I'd expect we'd do worse in anything that is interrupt-intensive. We probably do worse even for the common case where several runnable processes exist simultaneously as well. But ... we do not aim to compete at the edge here. We want to make scalability happen without disrupting our security and robustness track record. We just have other priorities.

    Well at least he's being honest, unlike *coug

  • by Anonymous Coward on Friday October 29, 2004 @12:59PM (#10665222)
    I have never seen so much credible info from so many of the OpenBSD developers! I understand now a little more how they approach things. I wish I could read a similar article on the others, to see how FreeBSD and NetBSD and DragonflyBSD compare. Hopefully O'Reilly will see the uptick in web hits and keep it up, with some more interview type articles.

    There is a storm brewing over at the OpenBSD Journal web site at http://undeadly.org over including binary blob files in the kernel for the various wireless cards. I have to agree with the premise: You vendors put your binary firmware files on all the CDs you sell with your wireless cards, so if anyone wanted to reverse engineer your stuff, they just have to buy the card and they get the binary file. OpenBSD just wants to put the same file in their distribution so if you plug your wireless card into an OpenBSD system it will get recognized and used. Sounds simple enough to me. The other approach is to somehow download the file (freely available on sourceforge or from the vendor, or the CD that came with your little card..) That makes it so much more involved for installing.

    The short version: Some companies see the light and are cooperating, others, notably Texas Instruments http://www.ti.com have been strangely silent. Fasten your seat belts, fellow puffys.
    • Yeah. Unfortunately a lot of vendors are replacing wonderful Prism* chips with TI chips that are less reliable (two such chips in the house, both flake out once every few hours, if indeed they work at all), almost completely unsupported in nixes, and just generally aren't as cool. TI should stick to making calculators, or at the very least document the PC hardware they do taint the world with, so we nixers can make use of them.
  • On this note (Score:3, Insightful)

    by Anonymous Coward on Friday October 29, 2004 @01:53PM (#10666002)
    I never really understood why many commercial vendors are developing software for linux and not BSD.

    An example would be Oracle. I was comparing Linux to OpenBSD and I can't really figure out why so many people choose Linux over OpenBSD. Both have package management, good software support, and standard *nix features. OpenBSD on the other hand has features no other unix has such as secure levels and it is secure out of the box.

    Why would anyone select an OS (especially for network infrastructure) that is not secure by default?
    • Re:On this note (Score:4, Informative)

      by setagllib ( 753300 ) on Friday October 29, 2004 @08:37PM (#10669385)
      The other BSDs have security levels. OpenBSD has a lot of things they don't, still, a large part of which is that it randomizes practically everything, making it very difficult for even a local attacker to know what the kernel is going to do next. They also yank out any external software that isn't getting properly treated against exploits, so their base package is still as firm as possible, and even ports are treated with great care.

      In practice, FreeBSD and NetBSD are about as hard to exploit remotely, but they don't take care of every possible exploit, so in theory there are still some holes. NetBSD is still a lot faster than OpenBSD (unless some miracle happened and I missed it) so a 'real world' server might benefit more, but for a stronghold of impenetrable security that doesn't need every last drop of performance, OpenBSD is the choice.

      Linux is nowhere near any of this. The code is sloppy and dirty (no, nobody can argue this, don't even try, just go read some yourself) and few distributions actually take security seriously. It does happen to perform better in many synthetic tests, and definitely on SMP, but the difference for most cases is so minimal that it's hard to understand why anyone would run Linux on a server and not a BSD.

      I put it down to hype. Businesses love to advertise their adoption of Linux and their entrance into open-source, because that's what customers want to hear, especially Linux zealots. The businesses (hell, even governments now) certainly aren't scientific about it, using an "operating system" (I still call Linux a kernel, up to you) mashed together from seemingly infinite and inconsistent projects and parents'-basement-developed hacks. The source shows this, hell even configuration shows this, but they seem to be okay with this so long as it sounds good. Or, and I wouldn't be surprised, they've never heard of BSD.
    • by Anonymous Coward
      I never really understood why many commercial vendors are developing software for linux and not BSD.


      Why are so many commercial vendors developing software for Windows and not RSX-11???!?!???!?!??!!!?!? Someone answer meeeeeee!
  • OpenBSD 3.6 released (Score:5, Informative)

    by dhartmei ( 664843 ) * <daniel@benzedrine.cx> on Friday October 29, 2004 @03:10PM (#10666892) Homepage Journal
    The official release has just happened. Here are the official announcement [theaimsgroup.com], the undeadly.org thread [undeadly.org] and a torrent for the i386 binaries [benzedrine.cx] (149MB, matching MD5 [openbsd.org] which might beat some of the mirrors). Cheers ;)
    • Thanks Daniel. For some reason, the /. minions rejected my submission of a frontpage story to that effect, including plugs for the torrent (via IRC) and ordering CDs to support the project. I can only assume that the anti-BSD Linux Zealots are responsible... /me shakes his fist

      Thanks to you and the rest of the crew for making sure I have something geekish to do this weekend.

    • (149MB, matching MD5 which might beat some of the mirrors). Cheers ;)

      Thanks Daniel.

      Just wondering, is it still safe to trust MD5? Is it not now easier to create a bogus file with the same hash? I thought SHA1 would now be in use for this.

      Thank you very much for pf and all your OpenBSD work btw! I've been using since 2.5 and pf is probably the most impressive part of OpenBSD as it currently stands (for me).

      • by tedu ( 647286 )
        it would still have to pass the zlib crc in order to decompress. and then the attacker has to hope whatever esoteric changes they made are actually useful to them.

        anyway, where are you getting the md5 from? the same ftp server where you're getting the release?

        • anyway, where are you getting the md5 from? the same ftp server where you're getting the release?

          Good point. Funnily enough, I've brought that up a few times myself in the past. ; )
        • anyway, where are you getting the md5 from? the same ftp server where you're getting the release?

          Well, an MD5 is very small, and could easily be checked. If I was running the OpenBSD project, I'd have a machine with all the correct hashes, downloading the hash files from each server every hour, and raising hell if they're different. That would take care of the problem, if only the people running the project even cared.
      • by OttoM ( 467655 ) on Saturday October 30, 2004 @12:36AM (#10670488)
        MD5 is still safe for the purpose of file digests. The methods published do not allow the attacker to find a collision for a given digest value. Check this FAQ [cryptography.com] for some details.
      • I believe even though it is feasible to create a file that has the same hash as the other file it's not a feasible compromise. So MD5 is safe for now but given the paranoia when using openbsd they probably would or should provide an SHA1 hash.
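
The mirror check proposed in this sub-thread (keep known-good digests on a separate machine and compare each mirror's hash file against them) can be sketched as below. This is an added example, not part of the original discussion or of any OpenBSD tooling: the mirror names and digest values are constructed, the file names are the set names quoted elsewhere in the thread, and fetching the hash files is left out so the block runs offline.

```python
import re

# BSD-style digest line as printed by md5(1): "MD5 (file) = <hex>"
LINE_RE = re.compile(r"^(MD5|SHA1) \((?P<name>[^)]+)\) = (?P<hex>[0-9a-f]+)$")
HEX_LEN = {"MD5": 32, "SHA1": 40}

def parse_manifest(text):
    """Return {(algo, filename): digest}; raise ValueError on a bad line."""
    entries = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m or len(m["hex"]) != HEX_LEN[m[1]]:
            raise ValueError(f"line {lineno}: not a digest line: {raw!r}")
        key = (m[1], m["name"])
        if entries.get(key, m["hex"]) != m["hex"]:
            raise ValueError(f"line {lineno}: conflicting digests for {key}")
        entries[key] = m["hex"]
    return entries

def audit_mirror(baseline, mirror_text):
    """Compare one mirror's hash file with the baseline kept off the mirrors."""
    try:
        served = parse_manifest(mirror_text)
    except ValueError as exc:
        return [("malformed", str(exc))]
    findings = []
    for key, want in sorted(baseline.items()):
        got = served.get(key)
        if got is None:
            findings.append(("missing", key[1]))
        elif got != want:
            findings.append(("mismatch", key[1]))
    # Entries the baseline does not know about are reported, not trusted.
    findings += [("unexpected", k[1]) for k in sorted(set(served) - set(baseline))]
    return findings

def audit_all(baseline_text, mirrors):
    baseline = parse_manifest(baseline_text)
    return {host: audit_mirror(baseline, text) for host, text in mirrors.items()}

# Constructed sample data: digests are placeholders, not real release hashes.
GOOD_BASE, GOOD_ETC, BAD = "ab" * 16, "cd" * 16, "ef" * 16
BASELINE_TEXT = f"MD5 (base35.tgz) = {GOOD_BASE}\nMD5 (etc35.tgz) = {GOOD_ETC}\n"
MIRRORS = {
    "mirror-a.example": BASELINE_TEXT,
    "mirror-b.example": f"MD5 (base35.tgz) = {BAD}\nMD5 (etc35.tgz) = {GOOD_ETC}\n",
    "mirror-c.example": f"MD5 (base35.tgz) = {GOOD_BASE}\n",
}

if __name__ == "__main__":
    for host, findings in audit_all(BASELINE_TEXT, MIRRORS).items():
        print(host, findings or "ok")
```

The comparison only tells you that a mirror is serving a different hash file from the baseline; how the baseline itself was obtained is the trust question raised in the thread.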
  • Upgrade Pain (Score:2, Insightful)

    by Anonymous Coward
    Is there an easier way to upgrade to 3.6 from 3.5 without removing all the packages?
    I have a fair amount of packages, but I would also want minimum downtime for the upgrade. Maybe a make world make install mergemaster (reboot) would work better. Any ideas?

    How stable is the SMP stuff?
    • How stable is the SMP stuff?

      Quite a generic question, so let's split that up:

      • Is it stable enough to be part of the release? Yes, and according to OpenBSD standards that actually means something.
      • Will there be bugs? Probably.
      • Will these bugs affect you? That's for you to try and decide.
  • Props (Score:5, Insightful)

    by jazman_777 ( 44742 ) on Friday October 29, 2004 @05:03PM (#10668013) Homepage
    OpenBSD showed me, security-wise, how crufty and cobbled Linux is. IPtables? Are you kidding? pf rolls it up and smokes it.
    • Re:Props (Score:3, Interesting)

      by Ricin ( 236107 )
      And pf was of course modeled after Darren Reed's ipfilter which was OBSD's package filter software in the past (until there was some disagreement), and NetBSD's (still now) and optionally FreeBSD's (one of two, now three).

      In fact I think iptables was somewhat modeled after ipfilter. There has been an ipfilter port for RedHat around RH5 IIRC but it got abandoned.

      • Re:Props (Score:5, Insightful)

        by setagllib ( 753300 ) on Friday October 29, 2004 @08:43PM (#10669412)
        iptables modelled after ipfilter? I had always been under the impression it was modelled out of clay.

        No user->kernel facility interface should ever be that dirty, much less a packet filter. Sure, the way it handles NAT and everything in one relatively uniform way is kinda handy, but the syntax and rigidness is disgusting. You can have a range of ports, or a list of ports, but not a list of ranges of ports. Don't even think about logging and acting on a packet in the same rule. Just pathetic.

        ipfw, pf, ipfilter, they're all so much cleaner and so much more useful. With OpenBSD's new rule optimizer this is even more awesome. I still think natd/ipnat/ would be better off merging their functionality into the filter itself, even if only to make dynamic NAT rules by shell script easier.
  • by Anonymous Coward
    Here [osviews.com]'s the original link... but now the page says:
    "This article has been removed because many points made within it have been deemed unfactual." :-)
    That was a lousy article indeed. The *BSDs deserve much better reviews.
  • I know I sound like a broken record but I like to dream about the day when the BSD OSs will have binary updates. Just imagine reading your security alert emails and noticing

    "Eilko Bos reported that radius authentication, as implemented by login_radius(8), was not checking the shared secret used for replies sent by the radius server. This could allow an attacker to spoof a reply granting access to the attacker."

    Uh oh, OK I better grab and install the update.

    # pkg_add ftp://ftp.openbsd.org/pub/OpenBSD/

    • Don't all the BSDs offer binary snapshots anyway? NetBSD churns them out every 3 days for people/machines that can't build from source easily enough.

      Binary updates would be handy, or better still, a mechanism that fetches security patches automatically, merges them into the source tree, recompiles only the bits that are needed, and installs them, then prompts you (/var/log/security would be fine even) to restart the server (or optionally does it on its own, if it's no showstopper to lose the server for a
    • Re:binary updates (Score:4, Informative)

      by evilviper ( 135110 ) on Saturday October 30, 2004 @06:18AM (#10671473) Journal
      Now do this on every OpenBSD,

      Not the case. You only need to do the compile on one, and distribute the binaries to the rest of your machines.

      Don't even get me started on release upgrades; ie. from 3.5 -> 3.6

      Why not? It's trivially easy. Merging old config files with new ones is the only thing you need to do manually. Config files don't change often, so it can be skipped, with little chance anything you run will have a problem.

      Not like any other OS has the upgrade path perfected. You sure as hell don't dare upgrade your Windows machines. I don't know anybody that upgrades their Linux machines, at least no more than installing a few RPMs of newer programs. It's generally best to start clean with Linux.

      • Re:binary updates (Score:3, Informative)

        by rsax ( 603351 )
        Not the case. You only need to do the compile on one, and distribute the binaries to the rest of your machines.

        I'm assuming you're referring to the release(8) [openbsd.org] procedure which will generate base35.tgz, etc35.tgz, comp35.tgz, misc35.tgz, man35.tgz etc.

        Now how large is base35.tgz? Approximately 30 megs? It doesn't make sense to transfer 30 meg updates to numerous machines to apply an update for just a couple of files that could have been 1 or 2 megs if smaller binary updates were available. Well at least it

        • no, i think he's referring to the [s]cp command.

          foreach host (`cat ~/myhosts`)
              scp login_radius ${host}:/usr/libexec/auth
          end

        • I'm assuming you're referring to the release(8) [openbsd.org] procedure which will generate base35.tgz, etc35.tgz, comp35.tgz, misc35.tgz, man35.tgz etc.

          No, not at all. You can quite easily transfer only the changed binaries.

          Make release is not necessary, although it's certainly a good way to make new patched install CDs in-between releases if you like.
    • Never having really gone beyond the surface with any *BSD so forgive me if I sound trollish while being only naive... but: if it's that simple why not just write a script for it? I mean I agree that should be somehow built-in but it doesn't seem that troublesome. Looks like it could be scripted nicely with Perl which OpenBSD comes with by default IIRC.
      • if it's that simple why not just write a script for it?

        I think his point is that re-compiling from source, takes longer than just patching or even replacing a binary.
  • >> Nearly 2.5 Million Active Sites running FreeBSD
    > Holy crap, wow, just amazing! Man, wow!
    > Lets see, that's an amazing 6.7% of the web sites out there. Oh... hmmmm, OK.

    More properly, that should be modded "Silly" - or "Clueless GNU/Linux zealot". Time for new categories.. :) - because

    - Considering the lack of media hype, it *is* indeed an amazing result.

    - That link was posted in response to people cluelessly asserting that BSD's dying, and that's indeed a pretty convincing answer, I thin

  • Just checked the manual pages again, but I'm still missing the ifconfig functionality of changing the MAC address of a nic. I need this for the connection to my cablemodem, otherwise no dhcp address for me.
    I know about the sea.c patch for it, but I don't want to compile it for every upgrade. This is the only reason why I'm using FreeBSD for my firewall.
