Catch up on stories from the past week (and beyond) at the Slashdot story archive


Forgot your password?
Open Source Operating Systems Security Upgrades BSD News

OpenBSD 4.7 Preorders Are Up 191 writes "The OpenBSD 4.7 pre-orders are up. That means the release is done, sent off to CD production, and snapshots will turn -current again. Order now and you more likely than not will have your CD set, T-shirt or other cool stuff before the official release date. You get the chance to support the most important free software project on the planet, and get your hands on some cool playables and wearables early. The release page is still being filled in, but the changelog has detailed information about the goodies in this release."
This discussion has been archived. No new comments can be posted.

OpenBSD 4.7 Preorders Are Up

Comments Filter:
  • by bsDaemon ( 87307 ) on Saturday March 13, 2010 @10:01PM (#31468892)
    OpenBSD is also responsible for, among other things, OpenSSH, OpenBGPD, and OpenNTPD -- all three of which are widely adopted and used far, far beyond the sphere of influence of even OpenBSD itself. OpenSSH accounts for some 90% of all SSH deployments world-wide. Whether you know it or not, OpenBSD-related software enables quit a bit of the internet infrastructure.
  • by flydpnkrtn ( 114575 ) on Saturday March 13, 2010 @10:31PM (#31469092)

    To follow up on my own post, they have a draft upgrade guide up it looks like (they recommend that it not be used yet though): []

    Looks like they include a utility to make life easier when upgrading... looks similar to what Gentoo Linux does when config files are upgraded... new configs are diff'd, and can be interactively merged, etc:
    "OpenBSD now includes the sysmerge(8) utility, which helps administrators update configuration files after upgrading their system. Sysmerge(8) compares the current files on your system with the files that would have been installed with a new install, and gives you the option of keeping the old file, installing the new file, or assisting you in the manual merging of the old and new files, using sdiff. For past upgrades, we've presented a list of files that are usually copied over "as-is", and a list of files which should be changed, and a patch file that applies those changes to what might be in those files on your system. You may opt to use sysmerge to make the changes, or you may wish to use the patch file first, and then follow up with a sysmerge session to clean up any loose ends."

    So it looks like they're at least making an effort to make it less painful

  • by BeardedChimp ( 1416531 ) on Saturday March 13, 2010 @10:32PM (#31469096)
    This is very disingenuous. The upgrade guide contains all possible contigency plans incase you have altered system files, or have chosen not to upgrade the kernel etc.

    For example look at the debian lenny [] upgrade notes. They are way longer but generally debian based distros are considered some of the best for upgrades.
  • The funny thing (to me) is that the upgrade process looks a lot harder than it actually turns out to be. On our servers, it usually amounts to running the installer, running patch to update files in /etc, running a single command to upgrade all the installed 3rd-party software, and rebooting a last time to make sure it comes back up cleanly.

    In practice, the things that OpenBSD doesn't automatically upgrade with the above steps are the kinds of things you wouldn't want a script to attempt, such as upgrading the firewall configuration to use new features. The process certainly isn't slick or pretty, but it does the job well and safely.

  • by Anonymous Coward on Sunday March 14, 2010 @12:51AM (#31469852)

    What exactly is wrong with Windows Server security?

    Only a fool who has never used OpenBSD would ask such a question.

  • by Anonymous Coward on Sunday March 14, 2010 @12:55AM (#31469870)

    do you know what you're talking about? I'll take a gander and tell you: you're a fucking idiot.

    the ability to have an admin in windows without a password is the reason for the security risk *by itself*. It's bad enough that malware and the likes can escalate their own privileges, but now they don't even have to guess the admin password to do so?

    In case you're wondering you can do the same things in windows as admin as you can in linux, generally speaking. This means: screw the computer in an instant, rootkit it, etc.

    I haven't gotten a virus yet.

    is a misnomer. You could (and very likely do) have one, and have no idea, specifically because you have an admin account with no password.

  • by Anonymous Coward on Sunday March 14, 2010 @01:36AM (#31470048)

    If you want one thing, how about this one: Long time between disclosures and fixes.

    SSL renegotiation is still vulnerable in all Windows versions, something OpenBSD fixed in November last year.

  • by evilviper ( 135110 ) on Sunday March 14, 2010 @01:36AM (#31470050) Journal

    See the upgrade guide for upgrading 4.5 to 4.6... it's a 280 line upgrade guide: [] ...on RedHat and CentOS, to go from RHEL 5.3 to RHEL 5.4 I did "yum -y update". That's it.

    You can just do the OpenBSD upgrade without reading those instructions... as you did with RHEL.

    If you'd actually started to read those instructions, you'd have seen they outline basically all feature changes between the previous and current release. See:

    scrub in all no-df max-mss 1440

    can be replaced with a rule using the new "match" action:

            match in all scrub (no-df max-mss 1440)

    Did the yum upgrade automatically make all necessary syntax changes in all corner cases in your config files to adapt them for the newest versions of the software? Obviously not... You're left to figure those out yourself. If the new version of iptables uses different options for some obscure option, you're screwed. Oh well, guess you should have read the RHEL 5.4 errata, which happens to be SEVERAL THOUSAND LINES []

  • by evilviper ( 135110 ) on Sunday March 14, 2010 @02:15AM (#31470228) Journal

    Just because they created OpenSSH doesn't mean the OS is the most important open source project on the planet.

    OpenSSH was a huge improvement in the security of networks the world over, but it's not at all the only thing OpenBSD has contributed to the world.

    Certainly, OpenBSD's development of W^X security led to Microsoft doing the same, and Intel/AMD including instructions to make this easier...

    OpenBSD's focus on code correctness and licensing has caused them to lead, and have Linux and other BSDs follow... They announced their dropping of Xfree86 in favor of Xorg before anyone else, and very soon after Xfree86 was no longer found on any OSes. Their objections over the performance, code complexity, and licensing of GCC4 led to them pushing alternative compilers forward, and other projects (like FreeBSD) followed suit, pushing hard to move their favored alternative compilers forward.

    There's many more, but you'll have to wait for someone else to come up with a list...

  • by OttoM ( 467655 ) on Sunday March 14, 2010 @03:23AM (#31470484)
    Not true. It is simple, but it does slewing and rules out bad servers etc.
  • by timmarhy ( 659436 ) on Sunday March 14, 2010 @05:14AM (#31470828)
    because after 2 releases they stop making security updates. other OS's go a hell of a lot longer before they EOL their releases.

    i've had this arguement with openbsd people before. what it comes down to is openbsd is their toy and they like constantly updating rather then doing mundaine shit like patching old versions.

    all well and good, it's their project they can do as they please, but don't pretend that it's a superior server OS, because it simply doesn't cut it if you don't have patch support after just 12 months. there's plenty of secure systems with more features and longer EOL's that make openbsd more trouble then it's worth.

  • by Jaime2 ( 824950 ) on Sunday March 14, 2010 @06:33AM (#31471108)
    IIS doesn't really run as any specific user. The packet router, HTTP.sys, runs as LocalSystem. However the thread processing the request changes its security context very early in the request processing to a low priviledged account. []

    This was all fixed seven years ago. IIS 6 and later have a pretty decent security record.
  • by TheRaven64 ( 641858 ) on Sunday March 14, 2010 @10:27AM (#31471982) Journal

    Please stop repeating nonsense.

    Darwin is a member of the BSD family. The XNU kernel originally was a single server Mach microkenel running a 4BSD kernel. The Mach components are now reduced and most of the kernel code is either from FreeBSD or from Apple, but it's as much of a BSD descendent as OpenBSD. The Mach part of the kernel manages threads and memory, nothing else. The UNIX process model, all UNIX system calls, SysV and POSIX IPC, the networking stack, and so on all run in the BSD server. On OS X, unlike some earlier Mach systems, the BSD server lives in the kernel's address space and accounts for most of the ring-0 code that an OS X system is running.

    On top of the XNU kernel, Darwin has a userland that gets a lot from FreeBSD, but some things from other sources. The init system is Launchd, which is a home-grown Apple system (now open sourced). The libc is from FreeBSD, but quite modified. The libstdc++, standard shell, and a couple of other things are from the GNU project.

    OS X is Darwin with a lot of proprietary stuff on top (the audio stack and windowing system, for example).

Man is an animal that makes bargains: no other animal does this-- no dog exchanges bones with another. -- Adam Smith