OpenBSD 4.1 Released

adstro writes to quote from the BSD mailing list: "We are pleased to announce the official release of OpenBSD 4.1. This is our 21st release on CD-ROM (and 22nd via FTP). We remain proud of OpenBSD's record of ten years with only two remote holes in the default install. As in our previous releases, 4.1 provides significant improvements, including new features, in nearly all areas of the system."

Just curious...

[darnok]

My OpenBSD firewall box is several years old now (version 3.x), just keeps working and probably will until the 8yo hardware finally dies. Although I'm interested in the features in 4.1, and congratulate the developers on what'll doubtless be another good release, ultimately I'll probably stick with my existing setup. I *love* OpenBSD, for precisely one reason; it does what it's supposed to, and in my experience it *never* fails. However, I'm very unlikely to upgrade to any new version; why change something that works perfectly?

For those of you using OpenBSD, how many of you are in a similar situation?

Downloads

[dleigh]

Why not a link to the .iso download page in the article?
(Yes, that was annoyed sarcasm). I'd rather donate to the project and download an image than get one shipped, I can't believe OpenBSD is still refusing to provide Official ISOs.

OpenBSD 4.1 Release Song

[Anonymous Coward]

You mustn't exclude the OpenBSD 4.1 Release song from this article!

http://www.openbsd.org/lyrics.html [openbsd.org]
ftp://ftp.openbsd.org/pub/OpenBSD/songs/song41.mp3 [openbsd.org]

Re:Downloads

[turing_m]

They have no users? They are currently on #52 in the page hit rank on distrowatch. Right below linspire.

Re:Just curious...

[Anonymous Coward]

running 4.0 on a p166 w/32 of EDO

generally, I just keep a copy of all the files I change in /home/update/{etc,var,...}

and simply back this up prior to the uprade,
reinstall 'new' (not upgrade), make sure my ethernet if's didn't change somehow,
and just diff & cp until I'm up to date.

usually takes about 1-2 hours each release, since I've really only touched
pf.conf, rc.conf, hostname.if, and a few others.

for the guy with the 16MB: just rebuild the kernel with less drivers, etc..
might take 6 hours, but hey, it will still compile, right?

Re:Yea, but...

[TheRaven64]

Sysjail has a nice feature, where you can run everything inside the jail via a foreign system call framework. This means you can set up a sysjail on OpenBSD containing a complete Linux-compiled userland, and users can access it without ever being aware that it's not Linux unless they try to load a kernel module (or use a system call that isn't emulated).

Re:Just curious...

[melstav]

Except that, as was pointed out to me by several people when I tried to dispute the (at the time) "only one remote vulnerability ..." claim, once you change a config file, you no longer have a default install.

The example I used was that the version of sendmail they had been distributing had a vulnerability that could be exploited to allow someone to allow the execution of arbitrary code with elevated privileges. The response I got was that, because they pre-configure sendmail to only accept connections from the local host, it's not a remote vulnerability -- it's a local one, and thus doesn't count.

I'm sorry, but if all I have to do to "default install" to have a remotely exploitable vulnerability is reconfigure a service that is installed and running in the default install to accept connections from remote computers, I think the claim is disingenuous.

I'm not saying that I have a problem with OpenBSD -- I use it on my firewall boxen and love it. I just have issues with some of their advertising.

Re:Just curious...

[raddan]

I would do the same, but we are affected by some of OpenBSD's recent patches. While it's true that there are only 2 remote holes in the default install in 10 years, there are other bugs like denial of service, database corruption, and local privilege escalation that would have affected us. I've backported a few easy patches to some of the machines that are difficult to take down for maintenance, but in general we make the effort to upgrade every other release.

OpenBSD is great because maintenance is much easier. I don't have to worry, for example, about a broken libc after an 'emerge world' like I do on my linux boxen at home. That's an extremely painful lesson to learn.

BTW, if you love the OS as much as you say you do, shell out the 50 clams to buy a CD set. If donating doesn't give you that warm, fuzzy feeling, at least the cool stickers will. The latest set comes with a wireframe Puffy. Awesome.

Re:Just curious...

[Noryungi]

In other words, if you don't upgrade unless/until a new remote root exploit is found, you still have to worry about local users rooting your box (and don't forget that there typically are users like "www" etc. even when no actual person besides you has an account on the box; not a big problem for a firewall, most likely, but servers in general aren't automatically safe), and you still have to worry about remote priviledge escalation, remote denials of service and the like, too.

True, but you should also read about PrivSep [umich.edu], W^X, security levels [openbsd.org], systrace [openbsd.org] and other important security mechanisms that mitigates those risks (while not entirely eliminating them). All of these (and more) make a well-configured OpenBSD machine a very tough nut to crack. So to speak.

To me, the best thing about OpenBSD is not that it is perfectly secure (that can't be achieved) but that security is taken seriously and all this mechanisms are activated by default. The excellent documentation, especially manual pages vs the GNU unreadable info pages mess, and reactive developper community are also big pluses in my book.

Re:Downloads

[LizardKing]

BSD is dead. As long as they have the antique command line tools.

Well Linux, and every other Unix like OS including Mac OS X, are dead then as they also include "antique" command line tools. In fact Windows must be dead as well, as it includes command line tools, albeit piss-poor ones.

Think whatever you want, but I cannot live w/o GNU command line. bash alone isn't sufficient - text-tools, file-tools are also important.

Last time I checked, the ksh that comes with the BSDs can do everything bash can. The BSDs include all the command line tools that the GNU file and text tool packages have, after all they're clones of the Unix ones found in BSD, plus with the BSDs the manpages are actually complete and usually include examples. With the GNU tools you are often faced with an incomplete or out of date manpage that refers you to some difficult to navigate or search "info" pages.

e.g. BSD's moronic find requires directory name - while GNU one picks current directory by default. All GNU tools support --help and --version - try to find common help displaying option in BSD variants. Not that BSD tools helps output is any useful anyway.

Wow, GNU find extends POSIX with one extra feature that I've never used in over a decade of using it. As for --help, that's what manpages are for (sorry, I forgot that your GNU manpages are incomplete), and --version, how often do you need to know what version of find you're using?!?

Also BSD's ps suck big time.

Hmm, last I checked the output of both ps on Linux and NetBSD looked remarkably similar. Note that what you probably consider "GNU ps" is actually "Linux ps", as the implementation of such a command tends to be very closely tied to the kernel it's running on.

The stupid insistence on using 'more' instead of 'less' isn't helping either.

Oh dear, never heard of the PAGER command line variable? I guess your particular brand of Linux just happens to default it to /bin/less. Funnily enough, so does /etc/skel/.profile on my BSD machines.

Also, it might surprise you, 'vi' is no more. Everybody had forgotten what it is - for good - and are using 'vim' instead. But the fact remain: BSD has no sane decent text editor preinstalled. Because POSIX 'vi' cannot be called 'sane' nor 'decent'.

nvi, the default vi on BSDs has more features than the minimum required POSIX - see the Solaris implentation for something approaching that minimalism! Personally I find vim to be a mess, and have had it crash on me a number of times. However, the approach taken with the BSDs is that a minimum is included in the base install and ports or packages can be added to create the "perfect" environment. That said, OpenBSD includes a minimal emacs workalike in the base install which may be more to your taste.

Constructive note. BSD should align themselves with Debian or Gentoo.

God no. Gentoo is grinding to a halt as it's an unstable mess, while Debian reflects the whole GNU mentality of replacing things with new, no less buggy implementations every so often, with no interface consistency and way too many esoteric features. Having fought with aptitude and had it crash far too many times, I'm more than happy with the BSD ports systems instead.