OpenBSD 4.6 Released 178
pgilman writes "The release of OpenBSD 4.6 was announced today. Highlights of the new release include a new privilege-separated smtpd; numerous improvements to packet filtering, software RAID, routing daemons, and the TCP stack; a new installer; and lots more. Grab a CD set or download from a mirror, and please support the project (which also brings you OpenSSH and lots of other great free software) if you can."
October 18th is also its birthday (Score:5, Informative)
OpenBSD is 14 as of today.
Today would be a great day for even a little gift. ;-)
Re: (Score:2, Insightful)
Does BSD support "Q" yet? Linux stole the "P" code ages ago and implemented "Q" but released it under a restrictive license that prevents the original authors from using the new features. Come on, get with it BSD!
Re: (Score:2, Funny)
It always has. You might want to check your keyboard layout settings. I think they're in
Re: (Score:2)
GPL's restrictions are not on feature usage.
Re: (Score:1, Insightful)
The code was already "free". In fact it was free-er before slapping a new license on it. :)
Re: (Score:2)
Stallman's already announced plans to put that in GPLv4.
Re: (Score:3, Informative)
Thanks Theo and everyone else. (Score:2)
I just want to give a huge Thanks to Theo and the rest of the OpenBSD developers. They're doing a fantastic job. I'll order my CD soon.
Re: (Score:1)
Re: (Score:1)
Now There's Some Software Engineering! (Score:2, Interesting)
Doing what others only dream... a scheduled release, early!
Torrent? (Score:1)
What is with projects not offering the option?
Re: (Score:2, Insightful)
Re: (Score:2)
Their main CD is not very large at all. If I remember correctly most of the files are downloaded during the installation.
Re: (Score:2)
Was looking at the wrong file, guess it is 200MB but they probably have their reasons for not offering a torrent by default
Re: (Score:2)
Don't ask why I'm looking at such an old story. I love OpenBSD!
They want you to buy the discs, I think.
Re: (Score:2)
ISO Policy Explained (Score:4, Insightful)
OpenBSD's FAQ explains their choices regarding ISO images [openbsd.org].
I like to install OpenBSD from a floppy image [arcticnetwork.ca] - only 1.44 MB! I then choose an FTP mirror [openbsd.org] and install whatever parts I want on the fly.
Re: (Score:2)
You can install it from your running Linux or something to a free partition if you don't want to burn a CD.
It is a good finger exercise to do without a CD.
Re: (Score:2, Informative)
In summary, buy the CDs; they come with cool stickers and they're only $50.
I got my CDs in the mail on Friday.
Already have the OpenBSD 4.6 stickers on my lappy :D
cyphercell
ps - it really is a drop in the bucket compared to my other work expenses this year.
Re: (Score:3, Informative)
So put the floppy image on a USB stick (instead of a floppy disk) and boot from that. Sheesh, do we have to hold your hand, or do you need us to type the commands for you, or what?
Re: (Score:2)
From the top story at Distrowatch.com, the link to the OpenBSD torrent site is http://openbsd.somedomain.net/index.php?version=latest+release [somedomain.net]
The ones you're most likely interested in:
http://openbsd.somedomain.net/torrents/OpenBSD_4_6_i386_install46_iso-2009-10-18-1238.torrent [somedomain.net] (i386)
http://openbsd.somedomain.net/torrents/OpenBSD_4_5_amd64_install45_iso-2009-04-30-2207.torrent [somedomain.net] (x86_64)
http://openbsd.somedomain.net/torrents/OpenBSD_4_5_macppc_install45_iso-2009-05-01-1435.torrent [somedomain.net] (PPC)
Still no torrent? (Score:1, Insightful)
Come on! FreeBSD has been releasing via bittorrent for a while now [freebsd.org]. Get with it OpenBSD!
Re: (Score:3, Insightful)
Most distros have at least one or two really good mirrors nearby. Maybe when they don't offer a 4GB file (their install.iso file is 200MB) they don't see the need.
Re: (Score:2)
Even a 200MB iso would benefit from bittorrent.
Re: (Score:2, Informative)
Re: (Score:1)
Funny that just says that the iso files available are not official. I do not see where it says that the 6MB network installer is more official than the 200 MB installer with all of the file sets on it.
Re: (Score:2, Informative)
Re: (Score:1)
Just because cd46.iso is a bootable cd does not mean that install46.iso is not.
Re: (Score:2)
Funny that just says that the iso files available are not official. I do not see where it says that the 6MB network installer is more official than the 200 MB installer with all of the file sets on it.
I am guessing that statement is just outdated since at one point in time some or all of the .iso files they release now were not available in the past and other people made and distributed unofficial ones.
Re: (Score:3, Insightful)
Maybe when they don't offer a 4GB file (their install.iso file is 200MB) they don't see the need.
Every openbsd installer I have ever downloaded has been 10MB...
Re: (Score:2)
install.iso is 200MB, the iso that has just the installer on it without packages is around 10MB.
Re: (Score:1)
Re: (Score:2)
Re: (Score:2)
NetBSD has torrents as well. About a year ago I wanted an AMD64 iso so I got the torrent but it turned into a straight download so I may as well not have bothered. I wonder if the actual demand for openbsd is enough to justify the effort.
Re: (Score:2)
http://openbsd.somedomain.net/index.php?version=latest+release [somedomain.net]
List of all their torrents, by architecture and type. Search for the text "install" to find the binary install images (rather than source code or package bundles).
Re: (Score:1)
Re: (Score:2)
The 200MB iso is meant primarily for installing on networkless or low speed connections so the packages are already available. A comparison would be a linux network install cd/floppy vs the live cd/cd with packages on it.
Where's the song? (Score:2)
Re:Where's the song? (Score:4, Informative)
Re: (Score:1)
Re: (Score:1, Insightful)
I swear the release songs are what excites me the most about each OpenBSD release song. :-)
I also find myself agreeing with most of them too. This last one is particularly poignant. I feel the same way a lot of the time, that the technology is trying to be too controlling, that there is too much (technological) power in the hands of the big monopolies, that our choices are dwindling and we must defend them.
Don't ask me to rationally defend all these positions. I just don't like one-button iPods, locked
Software RAID? (Score:2)
Re: (Score:3, Informative)
Now if mdadm only had the ease of use gmirror/geom does in freebsd, then it might be more widely adopted.
mdadm is a perfectly functional package, but its setup is quite awkward. gmirror however is a breeze to set up, and its performance kicks the crap out of most hardware controllers I've tried (admittedly few). I imagine OpenBSD implementation is also a good performer as software raid. This states a 30% speedup for certain cases. http://www.openbsd.org/plus.html [openbsd.org]
OpenBSD - not that secure... (Score:1, Insightful)
OpenBSD security is in large part overstated, and at worst, a myth.
Let us look at 3 main points, of which the last is the most important.
1. Secure by default. Yes, having services turned off by default is a good move. It also actually has nothing to do with the security of what you actually have running.
2. Auditing. Only the base system is audited. The ports are often quite far behind. Most attacks are not against "the base system".
3. Lastly...OpenBSD, by design, is not a secure system. A secure system is m
Re:OpenBSD - not that secure... (Score:4, Informative)
OpenBSD's focus is preventing the exploits in the first place with many overflow vulnerabilities in third-party software being non-exploitable on OpenBSD. After running it for 10 years, I trust OpenBSD's record. It has some of the best in the business probing it, and with the most serious flaw in years being a subtle IP6 attack, I think that trust is well founded. If you were to prove otherwise, I'm sure you would instantly be a big name in security.
Although sound design, role security is added complexity which increases scope for vulnerabilities. From coding errors to implementation errors, complexity breeds insecurity. They also create a false sense of security: having implemented RBAC on Solaris I was initially impressed until I realized one could bypass it with suid bombs.
OpenBSD's simple design and sound default permissions mean that even with a local account, it is very difficult to gain root access. The base system is comprehensive so usually there's little reason to go to ports to implement OpenBSD in its perimeter-focused role.
You would do well to back up your claim that OpenBSD is snake-oil.
Re: (Score:2)
Indeed. For example, I believe OpenBSD was the first production (non-research) OS to implement Address Space Layout Randomization [wikipedia.org]. This is the kind of forward-thinking and comprehensive defense-in-depth approach that OpenBSD takes; even if an application vulnerability is found, it's hard to make an exploit that will *do* anything.
Re: (Score:2, Interesting)
My point was that OpenBSD is not a 'secure system', despite being quality code.
It provides no ways to limit or control the system, or to limit access if an attack does occur.
It is good practice to assume that an attack may occur, and be prepared for it.
I never said OpenBSD was snake oil, simply that it is not the secure system people seem to think it is.
And, no, you can't bypass RBAC with SUID bombs if it is set up correctly.
Re: (Score:2)
You can bypass RBAC on Solaris. Convert root to a role as per doco, then as a user not associated with root role run sudo. Assuming the user has root role in sudo, that user becomes root.
Re: (Score:2)
I think you should test my observation before poo-pooing my incompetence.
Re: (Score:2)
Things like NX which OpenBSD rushed to emulate in software are now implemented in hardware on every modern computer. It's not the late 90s/early 2000 when robust security was a real sell
Re: (Score:2)
Solaris supported Ultrasparc NX in the late 90s. OpenBSD's innovation was to enforce NX pages on i386 which doesn't have any such hardware support. OpenBSD supports hardware NX of course.
Re: (Score:1)
Re: (Score:3, Informative)
Well, I beg to differ (what else ;-)
OpenBSD does help you, when something goes wrong:
like for example with immutable files, or append only files, so no one can delete your logfiles! At least you have the chance to look at what the "bad guys" did. Indeed a very fine feature for a logserver, isn't it?
Or OpenBSD secure modes?
Plus, you can put your WEB-Server in a jail, so *IF* someone breaks into your WEB-Server, well, the whole system is still NOT compromised.
Jails work very well! Maybe even better the the c
Re: (Score:1)
What problem do you have with SELinux? Perhaps you don't understand correctly how it works. It has a bad rep for being cumbersome, but it isn't terribly hard to learn if you're willing. There are several examples of it blocking exploits and 0 day attacks, because of the method I describe. You may find this article [linuxworld.com] interesting, with links to some of Dan Walsh's blog posts.
As for VMS, it is widely considered to be one of the most secure systems. Just have a quick look at its vulnerability history. It puts Op
Re: (Score:1)
Oops, sorry. OpenVMS security overview here.
http://www.blacksheepnetworks.com/security/resources/openvms/ [blacksheepnetworks.com]
The web server can finally serve large files (Score:3, Interesting)
When I looked at the release notes sent out by email, I saw this under "New functionality":
"httpd(8) can now serve files larger than 2GB in size."
I'm very surprised by this.
Re: (Score:1)
Seriously, this just reflects the conservativeness of OpenBSD, just like DOS back in the day. They move slowly, if at all. Users are expected to be grateful for improvements made years ago in other OSes.
Re: (Score:2)
When I looked at the release notes sent out by email, I saw this under "New functionality":
"httpd(8) can now serve files larger than 2GB in size."
I'm very surprised by this.
apache has been able to do that since 2.2. Of course, a web page larger than 2 gigs is a bug not a feature...
http://httpd.apache.org/docs/2.2/new_features_2_2.html [apache.org]
Large File Support
httpd is now built with support for files larger than 2GB on modern 32-bit Unix systems. Support for handling >2GB request bodies has also been added.
Re: (Score:2)
apache has been able to do that since 2.2. Of course, a web page larger than 2 gigs is a bug not a feature...
You *are* aware that HTTP is used to transfer more than just HTML, right?
Re: (Score:2)
apache has been able to do that since 2.2. Of course, a web page larger than 2 gigs is a bug not a feature...
You *are* aware that HTTP is used to transfer more than just HTML, right?
Like he said, it's a bug not a feature. Torrent and FTP are much more efficient, especially when handling interrupted transfers. HTTP doesn't. Unreliable networks can make a net-based installation process drag on and on or even freeze.
Re: (Score:2)
Torrent and FTP are much more efficient, especially when handling interrupted transfers.
Bullshit. Bittorrent isn't appropriate for all applications, and for large transfers, HTTP and FTP are basically a wash as far as efficiency goes, while HTTP handles resumes just fine (the browser needs only to send along a start offset in the request header). Meanwhile, unlike HTTP, FTP doesn't play well with firewalls or caches.
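The start offset mentioned above travels in the `Range: bytes=START-` request header. As an added example (not written by any poster here and not taken from OpenBSD's httpd), this parses that offset with overflow-checked 64-bit arithmetic and flags offsets that a signed 32-bit byte counter, which stops one byte short of 2 GiB, could not hold; the function names, return codes and the 4 GiB file size are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define RANGE_OK             0
#define RANGE_REJECTED      -1  /* not "bytes=START-", or number too large */
#define RANGE_UNSATISFIABLE -2  /* offset at or past end of file (HTTP 416) */

/* Largest value a signed 32-bit byte counter can hold: 2 GiB minus one. */
#define MAX_SIGNED32 INT64_C(2147483647)

/* Constructed sample: a 4 GiB file being served. */
#define SAMPLE_FILE_SIZE INT64_C(4294967296)

int fits_signed32(int64_t n)
{
    return n >= 0 && n <= MAX_SIGNED32;
}

/* Parse the open-ended resume form "bytes=START-" of a Range header value.
 * Other valid Range forms (suffix, closed, multiple) are outside this example
 * and are reported as RANGE_REJECTED. */
int parse_resume_offset(const char *value, int64_t file_size, int64_t *start)
{
    static const char prefix[] = "bytes=";
    const size_t plen = sizeof prefix - 1;
    const char *p;
    int64_t n = 0;

    if (strncmp(value, prefix, plen) != 0)
        return RANGE_REJECTED;
    p = value + plen;
    if (*p < '0' || *p > '9')
        return RANGE_REJECTED;          /* no digits: e.g. "bytes=-500" */

    for (; *p >= '0' && *p <= '9'; p++) {
        int d = *p - '0';
        if (n > (INT64_MAX - d) / 10)
            return RANGE_REJECTED;      /* would overflow even 64 bits */
        n = n * 10 + d;
    }
    if (p[0] != '-' || p[1] != '\0')
        return RANGE_REJECTED;
    if (n >= file_size)
        return RANGE_UNSATISFIABLE;

    *start = n;
    return RANGE_OK;
}

int main(void)
{
    /* Constructed header values, not captured traffic. */
    const char *samples[] = { "bytes=1000-", "bytes=3000000000-",
                              "bytes=4294967296-", "bytes=-500" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int64_t off = 0;
        int rc = parse_resume_offset(samples[i], SAMPLE_FILE_SIZE, &off);
        printf("%-20s rc=%d offset=%lld fits32=%d\n", samples[i], rc,
               (long long)off, rc == RANGE_OK ? fits_signed32(off) : 0);
    }
    return 0;
}
```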
Re: (Score:2)
HTTP has handled partial transfers since version 1.1. ... does OpenBSD not support HTTP 1.1 yet either?
Re: (Score:2)
Torrent and FTP are much more efficient
FTP wastes server resources and complicates interactions with firewalling and NAT by using separate control and data connections. FTP and HTTP both have resume functionality nowadays.
Torrent is designed for peer to peer distribution of pieces; this can save the server a lot of bandwidth but also adds a lot of checking overhead and is somewhat controversial.
Unreliable networks can make a net-based installation process drag on and on or even freeze.
That is more likely a c
Re: (Score:2)
Looks like a typical OpenBSD release (Score:4, Interesting)
Rock solid, thought through and very conservative.
They have their niche and do their best to serve it as good as they can. I'm very glad that this project exists even though I don't use OpenBSD but various of its offsprings (OpenSSH/SSL, etc.) only.
Theo is a very controversial person but at least he keeps the project on focus and going. Congratulations for that and best of luck for the future.
I don't see myself using OpenBSD anytime soon but I know a few people that do and they are happy with it. So keep going, the community needs you!
They're behind - way behind . . . (Score:2)
softraid (Score:2)
Apparently, softraid is also included in the GENERIC kernel. This means that, unlike with the old RAIDframe, you don't have to compile your own kernel before you can use it.
Support OpenSSH? (Score:1, Flamebait)
I want to build an AP with openbsd (Score:3, Interesting)
Can someone recommend a good platform on which to run OpenBSD which will consume the lowest possible power and let me run a Wireless-G and a Wireless-N NIC in master mode at the same time? I also need 100baseT[x]. Ideally it would run from fairly broad DC power (8-18VDC). I want to spend minimal money :) So far in the running are PC Engines, Mikrotik, and Soekris, in my current order of preference from most to least. I'm willing to have my mind changed, though. SD, USB, or CF storage, I don't care.
Re: (Score:2)
You can run OpenBSD on a PC Engine [wikipedia.org]? Awesome!
Re: (Score:2)
Re: (Score:2)
I guessed as much, which is why I asked. It's pretty easy to do with Linux if you buy the right hardware, and if I don't get any good replies I will try one or two other places and then just do it with Linux, for which I don't require any hand-holding because several companies are intelligent enough to sell me what I want.
Re: (Score:2)
It doesn't even sound like OpenBSD supports 802.11n, so I guess I will be using Linux. I appreciate OpenBSD's slower pace in most cases, but this is one of those times it's not acceptable (for me.) So far PC Engines does look like the winner.
Package management status? (Score:2)
Re:Soft RAID? (Score:5, Informative)
Re: (Score:2)
Aye, just notice the use of semicolons and commas in the sentence :-)
Becomes:
Numerous improvements to: (packet filtering, software RAID, routing daemons, and the TCP stack);
(but yes I did read it for a moment as saying that one of the new things was a TCP stack!)
Re: (Score:2)
Re: (Score:3, Informative)
Re: (Score:1)
Re: (Score:3, Interesting)
Re: (Score:1)
No, why troll... First, Yahoo is not only on BSD. Second, BSD is widely in a Cisco stuff, mostly for network appliances, routers, firewalls etc. It is very good firmware-like OS for network stuff.
For everything else you've got Solaris... :-)
Re: (Score:3, Informative)
http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/nutshell.html#INTRODUCTION-NUTSHELL-USERS [freebsd.org]
Many, many not listed, one example is php.net.
Re:openbsd kernel (Score:4, Funny)
*BSDs (all of them) still lack HA and failover clustering software.
Ironic in a story about an OS release that features improved HA networking.
Re: (Score:3, Informative)
Re: (Score:2)
CARP and pfsync can provide a virtual IP address managed by a cluster to act as a frontend to N web servers, but AFAIK (and no I haven't RTFA) they don't have anything else to help like a clustered filesystem, a web server that clusters so sessions can fail over within the cluster or anything fancy like that.
Re: (Score:2)
http://www.nabble.com/CARP-failover-behaviour-td3490125.html [nabble.com]
Re: (Score:2)
Re: (Score:2)
Do you have any clue who is responsible for developing Common Address Redundancy Protocol?
You have other options too,
http://www.freebsd.org/cgi/cvsweb.cgi/ports/sysutils/heartbeat/ [freebsd.org]
or for a DRBD equiv, try ggated + gmirror
http://serverbbs.ccw.com.cn/thread-14564-1-1.html [ccw.com.cn]
Re: (Score:3, Interesting)
The story points to plus46.html which isn't useful for a general distribution announcement like this. Here's a much better choice (which includes a link to the plus46.html page):
http://www.openbsd.org/46.html [openbsd.org]
or
http://www.sigmasoft.com/~openbsd/archives/html/openbsd-announce/2009-10/msg00001.html [sigmasoft.com]
For the record, I submitted it with different links. plus46.html was originally linked from the text "and lots more." They "improved" the links in the story before they published it.
Re: (Score:2)
"floor" is one of those functions... ugh.
Depending on what language/program/whatever you're using, it'll either round towards -inf (as apparently they've patched this one to do), or towards 0. The mathematical definition of the term "floor" is -inf, so I guess this change makes it "more correct." But God help you if you have a program that relied on the previous behavior.
Re: (Score:2, Informative)
Well, IIUC, that would just entail converting all floors on negative numbers to ceils:
#include <math.h>

/* Round toward zero: ceil() for negatives, floor() otherwise. */
double floorToZero (double n)
{
    return (n < 0) ? ceil(n) : floor(n);
}
Re: (Score:2)
Once you notice the bug... after possibly years of extremely subtle incorrect accounting errors.
I'm not saying it's hard to fix. It's hard to find.
Re: (Score:2)
Depending on what language/program/whatever you're using, it'll either round towards -inf (as apparently they've patched this one to do), or towards 0.
This cursed wrongness of many implementations of floor (returning closest integer not further from zero) has caused me no end of hassle through many different environments. The bugs can be quite subtle, but significant, and occasionally really weird. This uncertainty in floor behavior is not limited to c-libraries, but can also be encountered in some higher-level analysis packages, such as in graphical programming environments and interactive data analysis packages. After being bitten in the butt too many t
Re: (Score:2)
Yeah, it's a huge fucking pain. One of those functions you have to look up for every environment-- even though you know exactly what it's "supposed" to do, you have no idea if it's right in any given environment.
I haven't gone as far as just writing my own all the time, but if the library version is prone to changing from one implementation to another, I really should... that's a bug waiting to happen.
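The two rounding behaviours discussed in the comments above, as an added example that is not part of any poster's comment: a floor and a truncate written without the math library, so the result does not depend on the environment's own floor(), plus a helper that counts which inputs would change if one behaviour were swapped for the other. All function names and sample values are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* 2^52: from this magnitude upward every double is already an integer. */
#define ALL_INTEGRAL 4503599627370496.0

/* Round toward zero. The sign of zero is not preserved (-0.5 gives +0.0). */
double own_trunc(double x)
{
    if (x != x)                                   /* NaN passes through */
        return x;
    if (x >= ALL_INTEGRAL || x <= -ALL_INTEGRAL)  /* also covers +/-inf */
        return x;
    return (double)(int64_t)x;  /* a C cast to integer truncates toward zero */
}

/* Round toward minus infinity, the mathematical floor. */
double own_floor(double x)
{
    double t = own_trunc(x);
    return (t > x) ? t - 1.0 : t;  /* negative non-integers go one step down */
}

/* Bucket index of value v for buckets of the given width. With truncation
 * every v in (-width, width) lands in bucket 0, so that bucket is twice as
 * wide as the others; with floor all buckets have equal width. */
long bucket_floor(double v, double width) { return (long)own_floor(v / width); }
long bucket_trunc(double v, double width) { return (long)own_trunc(v / width); }

/* How many inputs give a different answer under the two behaviours: the
 * values to re-check if a library changes from one to the other. */
size_t count_divergent(const double *v, size_t n)
{
    size_t hits = 0;
    for (size_t i = 0; i < n; i++)
        if (own_floor(v[i]) != own_trunc(v[i]))
            hits++;
    return hits;
}

/* Constructed sample inputs. */
static const double SAMPLES[] = { 2.7, 2.0, 0.5, 0.0, -0.5, -2.0, -2.7,
                                  -1000000000000000.5 };
#define N_SAMPLES (sizeof SAMPLES / sizeof SAMPLES[0])

int main(void)
{
    for (size_t i = 0; i < N_SAMPLES; i++)
        printf("%22.1f  floor=%22.1f  trunc=%22.1f\n",
               SAMPLES[i], own_floor(SAMPLES[i]), own_trunc(SAMPLES[i]));
    printf("divergent inputs: %zu of %zu\n",
           count_divergent(SAMPLES, N_SAMPLES), (size_t)N_SAMPLES);
    return 0;
}
```

Only negative non-integers differ between the two, which is why a change in behaviour can go unnoticed until negative values reach the code.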
rant for the aged (Score:2)
So true. Either the person writing the library or the person writing the program has no mathematical training or little concern over disregarding conventions long associated with quality software.
The authors of APL back in 1963 worked very, very hard to define the computational equivalents of common mathematical notation to preserve and obey the maximal set of mathematical identities. Perhaps they worked harder at this than
Re: (Score:2)
The authors of APL back in 1963 worked very, very hard to define the computational equivalents of common mathematical notation to preserve and obey the maximal set of mathematical identities. Perhaps they worked harder at this than other language teams because identities are none too compelling expressed in Lisp notation.
Later, when I learned many ideas about program correctness and defensive programming from Dijkstra, his notions of program correctness were highly APL compliant. People don't understand the full gravity of Dijkstra's lament APL is a mistake, carried through to perfection. The only language consistent with his notions of programming elegance was a failed enterprise out of the starting gate. His implied converse also interests me: X, for X != APL, is a valuable step forward, borked beyond all recognition.
Old geezer reminisces: APL was my first computer language, back in the 1970s. Its notational elegance is still my favourite, and I occasionally use it as a sort of pseudocode to describe a computation. A few lines of APL can convey an unambiguous algorithm equivalent to hundreds of lines of C or C++.
FYI, Ken Iverson (inventor of the APL notation and abstract language in 1958) was also involved in the design of Mathematica, and produced an APL successor named J (before Microsoft assigned the name J++ to a
Re: (Score:3, Interesting)
Re: (Score:2)
Re: (Score:2)