OpenBSD 4.7 Preorders Are Up

badger.foo writes "The OpenBSD 4.7 pre-orders are up. That means the release is done, sent off to CD production, and snapshots will turn -current again. Order now and you more likely than not will have your CD set, T-shirt or other cool stuff before the official release date. You get the chance to support the most important free software project on the planet, and get your hands on some cool playables and wearables early. The release page is still being filled in, but the changelog has detailed information about the goodies in this release."

Most important free software project?

[Tiger4]

Just begging for it aren't you?

Prepare for incoming!!

Re:

[Jose]

pffft! don't you read the Financial Post? it has been screaming about Rely on the BSDs [financialpost.com] for a while...

Re:

[Rogerborg]

True dat, but you know who knows that? Me, thee, and Steve Jobs.

Re:Most important free software project?

[TheRaven64]

Please stop repeating nonsense.

Darwin is a member of the BSD family. The XNU kernel originally was a single server Mach microkenel running a 4BSD kernel. The Mach components are now reduced and most of the kernel code is either from FreeBSD or from Apple, but it's as much of a BSD descendent as OpenBSD. The Mach part of the kernel manages threads and memory, nothing else. The UNIX process model, all UNIX system calls, SysV and POSIX IPC, the networking stack, and so on all run in the BSD server. On OS X, unlike some earlier Mach systems, the BSD server lives in the kernel's address space and accounts for most of the ring-0 code that an OS X system is running.

On top of the XNU kernel, Darwin has a userland that gets a lot from FreeBSD, but some things from other sources. The init system is Launchd, which is a home-grown Apple system (now open sourced). The libc is from FreeBSD, but quite modified. The libstdc++, standard shell, and a couple of other things are from the GNU project.

OS X is Darwin with a lot of proprietary stuff on top (the audio stack and windowing system, for example).

Re:

[Sancho]

It's the BSD userland.

People in the Linux mindset probably don't understand how BSD is structured. FreeBSD is a kernel and userland, whereas in GNU/Linux, Linux is the kernel and GNU is the userland.

Whether this makes it a BSD is up for discussion, just as is any denotation. More accurately, it is "built from BSD."

Re:Most important free software project?

[tzanger]

Just because they created OpenSSH doesn't mean the OS is the most important open source project on the planet.

It is the most important open source project.

[Anonymous Coward]

OpenSSH is just a small part of why OpenBSD is so important.

They're basically the only major operating system project that gives a damn about security. Sure, Linux, for instance, is better than Windows when it comes to security. But that's only because Microsoft has fucked up Windows' security so badly.

The OpenBSD developers, on the other hand, are proactive about security. Their coding practices and extensive code reviews prevent bugs and security problems in the first place.

OpenBSD is what you use when yo

Re:

[DAldredge]

What exactly is wrong with Windows Server security?

Re:

[randallman]

I quit using Windows a few years ago, but does IIS still run as LocalSystem? At the time I thought it was ridiculous to run IIS for that reason alone.

Re:It is the most important open source project.

[Jaime2]

IIS doesn't really run as any specific user. The packet router, HTTP.sys, runs as LocalSystem. However the thread processing the request changes its security context very early in the request processing to a low priviledged account.

http://www.securityfocus.com/infocus/1765 [securityfocus.com]

This was all fixed seven years ago. IIS 6 and later have a pretty decent security record.

Re:

[DAldredge]

No Windows Home Server is based on Windows Server 2k3 SP2. Also modern Windows Servers and Clients come with nearly every port blocked by default.

Re:

[CAIMLAS]

That's a minor quibble of contention. Seriously. It's barely making note of, unless you can identify how Windows Server 2003 is different than XP (aside from the crippling of Terminal Services and the number of connections allowed). Otherwise, they are pretty much the exact same thing.

Re:

[timmarhy]

the fact that the user can migrate from one system to another without having to relearn the GUI and system management options isn't a fault, it's fucking technical victory linux BSD would do well to learn from.

Re:

[CAIMLAS]

Are you saying FreeBSD should look like Windows?

Because for the most part, system management options and the GUI (as well as CLI) remain fairly static. Yes, they improve, but otherwise...

Windows, on the other hand, usually preferences said bling changes to actual useful system changes. See: Aero on Vista.

Re:

[alexandre_ganso]

Any PC that is new enough to still be running its original power supply can run some incarnation of Windows 7.

You forget the fact that windows 7 screwed with drivers severely. We have seven different generations of computers in my department bought through the last thee years (it were several smaller university departments that were joined together, that's the reason of so many purchases), from 3-year hp desktops to 6-month asus notebooks.

NOT A SINGLE ONE OF THEM has all the drivers required for normal operation. You name it: 512mb radeon video cards which run with no 3d, no network, no wifi (my personal machine ha

Re:

[DAldredge]

I have for all three - no problems. That you do not tell us which actual devices you claim to have had trouble with harms your argument.

Re:

[alexandre_ganso]

Right from memory I have the Ati Radeon X1300 with 512mb ram. Windows says 3d is out - ati says it is in legacy mode and will not have drivers for win 7.

One of the wireless is a Prism/Javelin one.

I have to find out the others. I'm not in my city now.

Re:

[adolf]

I have an ATI X300 in my laptop, which is creeping up on being 5 years old. It works fine in Windows 7, with all the 3D and all the bling, using ATI's "legacy" drivers, which (incidentally) were just updated a few weeks ago.

It also worked fine with Vista drivers, before ATI had an official release supporting 7.

*shrug*

The only conclusion I can draw from all of your banter is that you're either incompetent, prejudiced, or both.

Re:

[alexandre_ganso]

X300 is not the same card as the X1300. My one does not have the "bling". It performs really bad with W7, and refused to have any 3d capability on W7.

The only conclusion I can draw is that your hardware is slightly different of mine. Anyway, I don't care anymore.

Re:

[Elshar]

He probably got one of these: Anus Laptops [anuslaptops.com]

I've heard they're a pain in the ass to configure.

Re:

[DAldredge]

Why can't anyone actually answer the question I asked?

Re:

[Pop69]

Probably because there's a limit on the amount you can put in a single post

Re:

[raddan]

OK, taking you seriously for a moment. Scroll down for the "where" and "impact" graphs.

Windows Server 2008 [secunia.com]

And, because Secunia categorizes each OpenBSD release separately...

OpenBSD 4.4 [secunia.com]
OpenBSD 4.3 [secunia.com]
OpenBSD 4.2 [secunia.com]
OpenBSD 4.1 [secunia.com]
OpenBSD 4.0 [secunia.com]

Obviously, the most important one in there is "system access", "from remote". Big difference, no?

Re:

[CAIMLAS]

but what MS does not do well is security. not at all.

I wouldn't argue against that, not even for a moment.

But despite the myriads of host, application, and server level exploits for Windows, the default security policies, and generally poor network server capabilities, there's one thing that sticks out in my mind: have there been any exploits for Microsoft's RDP implementation yet?

I realize that older versions of Microsoft products aren't able to upgrade to the newer versions, but I've never seen a "Terminal Services Root Exploit" as I have with OpenSSH. Mayb

Re:

[Sancho]

http://www.milw0rm.com/exploits/7309 [milw0rm.com]

Here you go, found with a pretty simple Google search.

Also, incidentally, older versions of RDP were susceptible to man-in-the-middle attacks to grab passwords and inject commands. I think newer versions do some certificate checking to verify the server to which they're connected.

Re:It is the most important open source project.

[slimjim8094]

http://www.microsoft.com/technet/security/Bulletin/MS10-006.mspx [microsoft.com]

That's a month ago. Took about two minutes of searching - like I said, it was a month ago so I didn't have to look backwards very far.

Remote code execution on Server 2k3 (all versions), Windows 7, and Server 2k8. Of course, this presupposes that Windows has SMB (hint: yes)

Or do you not consider remote code execution a security issue?

Look. I don't despise Microsoft like most people around here - just a lukewarm pain-in-my-assness. But let's not go pretending that they don't have more holes than Swiss cheese. If you do, you're either too ignorant to comment, or being delibrately obtuse.

Re:

[hey!]

But we aren't talking about Linux. We're talking about OpenBSD, arguably the most security conscious operating system in common use today.

While it wouldn't be accurate to say OpenBSD never has any security holes, it is fair to say that remote exploits are exceedingly rare. Since 1996 there have only been two remote exploits in the default install of OpenBSD. While that is as much due to the fact the default install is more locked down than you're realistically going keep your system, that in itself is a

Re:

[SgtAaron]

I'll not write as causticly as the AC who also replied, but I'll agree in principal.

One thing that is obvious and well-known is that it doesn't matter that you don't visit "shady" web sites to end up being subject to potential malware infection. Ad companies are letting nasty ads get through whatever controls they have in place. Serious vetting and the talent to implement it costs money, no doubt. I just found this, http://news.cnet.com/8301-27080_3-20000353-245.html [cnet.com]

My 7 year old nephew's computer was ch

They focused on Security to distinguish themselves

[doodlebumm]

I have great respect for the OpenBSD folks. Their focus on security was a result of needing to distinguish themselves in the free marketplace. Back in the late 90's it was necessary to focus on something to keep from being lost in the fray. I don't believe it was their altruism that pushed them to that focus as much as they had some good expertise and made the most of it for marketing. Like I said, I have great respect for them, but let's not put them up on a pedestal that is too high. They have made some

Re:

[Plunky]

Heh, flamebait it is not.. seems that some openbsd fanboy has modpoints today :)

Re:

[RichiH]

True, and I applaud them for their efforts, some of which make it back to Linux, etc.

But are they, and I quote, "the most important free software project on the planet"? No.

You are right in what you were saying, but you missed the point of what was being discussed.

Re:It is the most important open source project.

[e9th]

OpenBSD, while is very secure, does owe some, if not a lot, of it's security to security through obscurity.

Security through obscurity? What are you talking about? Name a better documented OS or distro.

New (and not so new) users are well-advised to keep the FAQs [openbsd.org] bookmarked, but the man pages shipped with the distribution are the most comprehensive I've ever seen. Terse, maybe, but complete, and the developers treat errors/omissions seriously.

Maybe you meant security due to small market share? Don't you think that every wannabe cracker out there wants to make a name for himself by rooting a properly configured OpenBSD box?

Re:

[Anne Thwacks]

Thinking that somehow it's magically safer because nobody uses it is just plain backwards.

Thinking nobody uses it is pretty ignorant too. If you were doing online money transfer or telecomms billing, you would probably use it (I use it for these things).

If you use Windows servers for financial transactions, you may have had a dose too many of "KGB" brand brain-wash (available from spamemrs everywhere).

Re:Most important free software project?

[evilviper]

Just because they created OpenSSH doesn't mean the OS is the most important open source project on the planet.

OpenSSH was a huge improvement in the security of networks the world over, but it's not at all the only thing OpenBSD has contributed to the world.

Certainly, OpenBSD's development of W^X security led to Microsoft doing the same, and Intel/AMD including instructions to make this easier...

OpenBSD's focus on code correctness and licensing has caused them to lead, and have Linux and other BSDs follow... They announced their dropping of Xfree86 in favor of Xorg before anyone else, and very soon after Xfree86 was no longer found on any OSes. Their objections over the performance, code complexity, and licensing of GCC4 led to them pushing alternative compilers forward, and other projects (like FreeBSD) followed suit, pushing hard to move their favored alternative compilers forward.

There's many more, but you'll have to wait for someone else to come up with a list...

Re:

[jgrahn]

Just because they created OpenSSH doesn't mean the OS is the most important open source project on the planet.

OpenSSH was a huge improvement in the security of networks the world over

Well, we already *had* the original ssh, but it was being weakened by the original author's effort to build a company around it. OpenSSH saved it,

Re:

[evilviper]

Well, we already *had* the original ssh, but it was being weakened by the original author's effort to build a company around it. OpenSSH saved it,

SSH1 was cryptographically weak, wasn't remotely as exploit-free, and much more than that, it wasn't being widely adopted... No SSH in Solaris, Cisco routers, etc., until OpenSSH matured, and showed everyone where the future undeniably was.

Perhaps the biggest thing OpenSSH had going for it, was that it was adopted into the OpenBSD base system immediately, and RSH

Re:

[buchner.johannes]

The OpenBSD also contribute back rewrites and fixes of insecure/buggy open software projects. For example in X.

Re:

[RichiH]

While true, this argument misses the point that they are not "the most important free software project on the planet".

You are basically arguing about a different thing than the rest of us.

Re:

[evilviper]

While true, this argument misses the point that they are not "the most important free software project on the planet".

It doesn't miss the point at all, it's merely more facts to support the claim. Certainly far from undeniable proof, but the fact that you don't care about the relevant facts just indicates you believe the answer to be a foregone conclusion.

You are basically arguing about a different thing than the rest of us.

No, you're simply reading "a different thing than the rest of us."

Re:

[RichiH]

It doesn't miss the point at all, it's merely more facts to support the claim. Certainly far from undeniable proof, but the fact that you don't care about the relevant facts just indicates you believe the answer to be a foregone conclusion.

Which, in turn, means you think the answer is a foregone conclusion, as well.
Debating the point is moot, but if we assume that we both could err, the statistical chance of "out of n samples, x is the most y" is a lot less than of "out of n samples, x is not the most y".
If we assume you can not err, you must be God [slashdot.org] or an OpenBSD person ;)

Jokes aside, I am not sure which the most important single piece of FLOSS is or even what scope is the right one and how to weigth the various facts. If someone claims they

Re:

[evilviper]

Which, in turn, means you think the answer is a foregone conclusion, as well.

False logic. Listening to an argument (or even offering some evidence supporting one) does not presuppose a decision, one way or the other (though one MIGHT infer some bias from it). Dismissing arguments, with no attempt to judge their veracity, immediately indicates prejudice (by definition).

Debating the point is moot, but if we assume that we both could err, the statistical chance of "out of n samples, x is the most y" is a lot

Re:

[RichiH]

False logic. Listening to an argument (or even offering some evidence supporting one) does not presuppose a decision, one way or the other (though one MIGHT infer some bias from it). Dismissing arguments, with no attempt to judge their veracity, immediately indicates prejudice (by definition).

So, basically, you get to pull the "I did not say that card" while I am stuck with being the evil, headless guy who did not even try to value your arguments? Cool.
Just for the record, I read, understood and even made part of the points you made in another subthread. Still, my basic point remains: OpenBSD is, in my opinion, not the single most important FLOSS project. And that's even when you throw in their admirable stance on closed-source firmware.

Yes, you have a statistically better chance of betting against someone, but this is not a bet. We are not operating in lieu of evidence, which substantially improves those odds.

Only if you assume that the initial statement is true. Feel

Re:

[evilviper]

After several replies, the only thing I've learned is that your reading comprehension is, apparently, quite poor. Are you a non-native English speaker by chance?

Only if you assume that the initial statement is true.

I was talking about statistics, and judging claims. Not only does it not require "assuming" anything, it is meaningless if you are going to just assume something...

So, basically, you get to pull the "I did not say that card" while I am stuck with being the evil, headless guy who did not even tr

Re:

[TheRaven64]

Really? Clang 1.1 can compile pretty much all of the code that I use. I could ditch GCC tomorrow without any problems, but ditching OpenSSH would be a lot harder.

But I want it now

[MichaelSmith]

Thats how people think these days. They don't care about having the three CDs in their soft shell case. The T shirt probably won't fit (I have a NetBSD shirt which would fit two of me).

So charge for an ISO download. Get'em out the door. Save money on CD burning, etc.

Re:

[icebraining]

You can choose the TShirt size from S to XXXL. I really hope that some of those sizes fits you :)

Re:

[deniable]

What definition are they using? I'm a large 'Made in India,' but an XL/XXL 'Made in China.'

Re:But I want it now

[Anonymous Coward]

is this still about t-shirts?

Re:

[contrapunctus]

I think if you stopped with the first sentence it would have been funny. Adding the second sentence made it mean and trolly.

Re:

[techno-vampire]

I'm not fat, but I am involved in SF fandom. Believe me, some of them are very, very fat. And, I must say, they joke about it instead of getting offended if you mention it.

Re:

[aztektum]

(I have a NetBSD shirt which would fit two of me).

Obviously you are not the target audience. I suggest an immediate increase in the consumption of Mtn Dew, Cheetos and pizza, followed by a rigorous session of WoW

Re:

[Rhaban]

Does WoW even run on openbsd?

I'd suggest nethack instead. Just bringing back the amulet of Yendor once should be enough for his shirt to fit him.

Re:

[evilviper]

You'll get the CDs BEFORE you can download the ISO. That should be sufficient incentive for those who can't wait to pony up some cash.

Re:

[the_B0fh]

then go do it. You can even run openbsd 4.8 (they just call it -current).

Re:

[the_B0fh]

when you come up with a working model for charging for ISO downloads for an *OPEN SOURCE* project, come back and tell us.

Is ugrading OpenBSD still kind of a mess?

[flydpnkrtn]

See the upgrade guide for upgrading 4.5 to 4.6... it's a 280 line upgrade guide:
http://www.openbsd.org/faq/upgrade46.html [openbsd.org]
 
...on RedHat and CentOS, to go from RHEL 5.3 to RHEL 5.4 I did "yum -y update". That's it.

Can we get there with OpenBSD? At my current place of employment we were using OpenBSD, but the upgrade process was an argument that was made (by other members of my team) to move to RHEL...

Re:

[MichaelSmith]

The BSD projects have a great packaging system but it is only used for layered applications. It could certainly be used for the whole system but I think that defeats the "as simple as possible" approach they try to use.

You can install from source and update with cvs if you want.

Re:

[CAIMLAS]

Much of how the BSD systems do things is very "clean" in principle, but in practice sucks the tits right off a cow.

It's so goddamn simple and straigh-forward that it requires an administrator to do one (or more, in combination) of the following:

a) devise an atypical, custom build process for dealing with simple systems administration tasks, upgrades, installs (partially due to the 'simple' approaches not working consistently or being all too finessed).
b) writing custom package/kernel/whatever administration

Re:Is ugrading OpenBSD still kind of a mess?

[flydpnkrtn]

To follow up on my own post, they have a draft upgrade guide up it looks like (they recommend that it not be used yet though):
http://www.openbsd.org/faq/upgrade47.html [openbsd.org]

Looks like they include a utility to make life easier when upgrading... looks similar to what Gentoo Linux does when config files are upgraded... new configs are diff'd, and can be interactively merged, etc:
"OpenBSD now includes the sysmerge(8) utility, which helps administrators update configuration files after upgrading their system. Sysmerge(8) compares the current files on your system with the files that would have been installed with a new install, and gives you the option of keeping the old file, installing the new file, or assisting you in the manual merging of the old and new files, using sdiff. For past upgrades, we've presented a list of files that are usually copied over "as-is", and a list of files which should be changed, and a patch file that applies those changes to what might be in those files on your system. You may opt to use sysmerge to make the changes, or you may wish to use the patch file first, and then follow up with a sysmerge session to clean up any loose ends."

So it looks like they're at least making an effort to make it less painful

Re:

[bertok]

To follow up on my own post, they have a draft upgrade guide up it looks like (they recommend that it not be used yet though):
http://www.openbsd.org/faq/upgrade47.html [openbsd.org]

Looks like they include a utility to make life easier when upgrading... looks similar to what Gentoo Linux does when config files are upgraded... new configs are diff'd, and can be interactively merged, etc:
"OpenBSD now includes the sysmerge(8) utility, which helps administrators update configuration files after upgrading their system. Sysmerge(8) compares the current files on your system with the files that would have been installed with a new install, and gives you the option of keeping the old file, installing the new file, or assisting you in the manual merging of the old and new files, using sdiff. For past upgrades, we've presented a list of files that are usually copied over "as-is", and a list of files which should be changed, and a patch file that applies those changes to what might be in those files on your system. You may opt to use sysmerge to make the changes, or you may wish to use the patch file first, and then follow up with a sysmerge session to clean up any loose ends."

So it looks like they're at least making an effort to make it less painful

Are you kidding me? The upgrade process is for the administrator to manually merge the configuration files!?!?

And this is the improved version? Wow. Just... wow.

I can't believe people here whine about how the Windows 'registry' is somehow the root of all evil, even though the vast majority of Windows apps (and Windows itself) handle version upgrades automatically.

It's like I've time travelled back to the 70s.

Re:

[BeardedChimp]

This is very disingenuous. The upgrade guide contains all possible contigency plans incase you have altered system files, or have chosen not to upgrade the kernel etc.

For example look at the debian lenny [debian.org] upgrade notes. They are way longer but generally debian based distros are considered some of the best for upgrades.

Re:

[flydpnkrtn]

I applaud OpenBSD for having good documentation, but again with Debian I remember just doing "apt-get dist-upgrade" and apt "figuring everything out"

Upgrading OpenBSD still looks to be a very manual process, to me anynway....

Re:

[crazybit]

You never found such OS? You should try CentOS, the whole upgrade guide is just 'yum -y update'. It rarely fails, specially if you never did something dumb like installing libraries from sources or such.

Re:Is ugrading OpenBSD still kind of a mess?

[Just Some Guy]

The funny thing (to me) is that the upgrade process looks a lot harder than it actually turns out to be. On our servers, it usually amounts to running the installer, running patch to update files in /etc, running a single command to upgrade all the installed 3rd-party software, and rebooting a last time to make sure it comes back up cleanly.

In practice, the things that OpenBSD doesn't automatically upgrade with the above steps are the kinds of things you wouldn't want a script to attempt, such as upgrading the firewall configuration to use new features. The process certainly isn't slick or pretty, but it does the job well and safely.

Re:

[flydpnkrtn]

Hmm... it's entirely possible you're right. I'm not someone who's been using OpenBSD for years, so I was basing my opinion mostly on what I'd seen in the docs.

The way you put it, the upgrade process doesn't sound that bad

Re:

[Niten]

I agree. The thing generally missed by people who criticize the OpenBSD upgrade process without having actually tried it themselves, is that OpenBSD is so cleanly designed and well documented that it's actually possible to hold a thorough understanding of the operating system in one's head, so to speak. It's like the Arch Linux philosophy [phraktured.net]:

Relying on complex tools to manage and build your system is going to hurt the end users. [...] "If you try to hide the complexity of the system, you'll end up with a mor

Re:

[awyeah]

FreeBSD in-place upgrades are also very smooth. They have been for as long as I've been using it (since 2.2.5-RELEASE, if I recall correctly). Occasionally, the mergemaster gets a little confusing (there are a lot of config files)... and once in a while I've accidentally replaced a config file I didn't want to... but other than that. :)

Re:Is ugrading OpenBSD still kind of a mess?

[evilviper]

See the upgrade guide for upgrading 4.5 to 4.6... it's a 280 line upgrade guide:
http://www.openbsd.org/faq/upgrade46.html [openbsd.org] ...on RedHat and CentOS, to go from RHEL 5.3 to RHEL 5.4 I did "yum -y update". That's it.

You can just do the OpenBSD upgrade without reading those instructions... as you did with RHEL.

If you'd actually started to read those instructions, you'd have seen they outline basically all feature changes between the previous and current release. See:

scrub in all no-df max-mss 1440

can be replaced with a rule using the new "match" action:

        match in all scrub (no-df max-mss 1440)

Did the yum upgrade automatically make all necessary syntax changes in all corner cases in your config files to adapt them for the newest versions of the software? Obviously not... You're left to figure those out yourself. If the new version of iptables uses different options for some obscure option, you're screwed. Oh well, guess you should have read the RHEL 5.4 errata, which happens to be SEVERAL THOUSAND LINES http://www.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/5.4/html/Release_Notes/index.html [redhat.com]

Re:

[TheRaven64]

Read the bits in bold teletype font. Those are the commands that you need to run. The rest of it is an explanation of what has changed since the last release and how it may affect you. Note also that those are the instructions for remote upgrading. If you have physical access to the machine, just boot from the install kernel + initrd and follow the on-screen instructions.

That said, I'd love it if they'd port the freebsd-update tool. Updating an OpenBSD machine remotely does take a few minutes of int

Re:

[Noryungi]

Yeah, right.
Here is MY OpenBSD upgrade guide:
1) insert CD, select (U)pgrade.
2) once upgrade is finished, enter, as root: "pkg_add -vvv -u -F upgrade"
That's it. I have used this for at least the past 5 upgrades.
You obviously have no idea what you are talking about.

Re:

[account_deleted]

Comment removed based on user account deletion

Re:

[Noryungi]

If you like Gentoo better than OpenBSD, all the more power to you.

But don't come and tell me that upgrading OpenBSD is a mess, because it is clearly not. It may be different from Gentoo, but it's not a mess.

And I strongly suspect it is much faster than upgrading Gentoo, but I haven't used Gentoo in a very long time, so I may be mistaken.

pf rulesets might need rewriting

[nuckfuts]

I wouldn't characterize it as a "mess", but I do notice there are some changes [openbsd.org] to to pf rules syntax, so some rewriting of your firewall rules might be required.

I've been using OpenBSD since around 2.7. I've come to really trust the judgment of the developers in general, and the pf developers in particular. I've yet to see them break backwards compatibility without good reason.

Um...who buys CDs anymore?

[hackel]

Seriously! Even for commercial products don't people purchase them electronically? Maybe I'm just so far-removed from the commercial software world that I can't even comprehend this in this day and age... I did order a free Ubuntu CD once, but never even ended up using it because Ubuntu releases so often that there's almost always a newer version the next time you want to install it, and downloading via bittorrent is so fast. Of course I understand for those unlucky folk who are living in the middle of

Re:

[Beelzebud]

To me it just sounds like someone enthused about something they enjoy being a part of...

Re:Subjective summary is subjective

[bsDaemon]

OpenBSD is also responsible for, among other things, OpenSSH, OpenBGPD, and OpenNTPD -- all three of which are widely adopted and used far, far beyond the sphere of influence of even OpenBSD itself. OpenSSH accounts for some 90% of all SSH deployments world-wide. Whether you know it or not, OpenBSD-related software enables quit a bit of the internet infrastructure.

Re:

[Hurricane78]

Two words: Linux kernel!

Re:

[onefriedrice]

As good as the Linux kernel is, there are viable replacements with arguably better licensing terms. On the other hand, the likes of OpenSSH are so good (and so widely used) that most people couldn't name a single ssh alternative.

Re:

[MrNaz]

11 words.
The Linux kernel would not be securely accessible remotely without OpenSSH.

Oh, really?

[RichiH]

You could write an alternative to OpenSSH faster than you could write an alternative to the Linux kernel.

Of course, I gloss over pretty much every detail, but so do you.

Re:

[deniable]

How does OpenSSH do without GCC?

Re:

[onefriedrice]

How does OpenSSH do without GCC?

Err... fine. Do you think OpenSSH only compiles on the gnu compiler?

Re:

[TheRaven64]

It, along with the rest of the OpenBSD base system, now compiles with PCC. It also compiles with clang and, last benchmarks I saw, performed better when compiled with clang than with GCC. So, I guess the answer to your question is 'better'.

Re:

[ftobin]

After looking into a replacement for NTPD, OpenNTPD was a terrible option. If I recall correctly, all it did was a very simplistic setting of the time from what the server says. No slewing, no safety mechanisms, etc. I remember reading that it was simply designed for simplicity, not features, but it went way overboard.

Re:Subjective summary is subjective

[OttoM]

Not true. It is simple, but it does slewing and rules out bad servers etc.

Re:

[ftobin]

My mistake on the use of the term slew; what I meant to get across is that it doesn't do any of the clock-slowing stuff that NTP or chrony does. All it did was get a packet and set the time. I'm pretty sure it didn't do any backing off or the like. I can't find any good references at the moment, but it was jaw-dropping inappropriate, especially for a situation where we have to keep all of our servers within a dozen microseconds or so.

Re:

[OttoM]

Wrong again. It does do clock slowing or speeding up. Both to get the clock right and to compute a persistent clock frequency adjustment. It does NOT just set the clock. I don't know which version on what platform you were testing. Maybe your port was terribly done. But on OpenBSD it works like a charm for almost any purpose.

Re:

[ftobin]

OpenNTPD does not account for hardware drift, which is what I attempted to describe in my second post. Multiple hits on google for "openntpd hardware drift" support this. Unfortunately the OpenNTPD docs do not say what they don't do with regards to NTPD or chrony, so you don't know what you are missing. Without clock disciplining, all it's really doing is setting the time.

From http://www.advogato.org/person/dtucker/diary.html?start=52 [advogato.org]

The comment about clock disciplining (compensation for systematic skew

Re:

[OttoM]

The advogato [post is outdated. Since them quite a few things changed. Look at the code and the manual page:
ntpd uses the adjtime(2) system call to correct the local system time without causing time jumps. Adjustments of 32ms and greater are logged using syslog(3). The threshold value is chosen to avoid having local clock drift thrash the log files. Should ntpd be started with the -d or -v option, all calls to adjtime(2) will be logged. After the local clock is synchroni

Re:

[ftobin]

Fair enough that the situation has improved. Do you know if portable OpenNTP has this functionality? I've read in multiple places that only non-portable version has this functionality; only 4.x and above has disciplining, and portable has been at at 3.9 for since 2006.

I still find it disingenuous that OpenNTP uses the NTP name but does not go to any lengths to indicate what they don't support.

Any way one goes about it, I find little reason to look at openntp in contrast to chrony, which is just as simple

Re:

[ftobin]

After doing some research and looking at the manpage for openntpd 3.9, the latest portable release, the manpage does not have the documentation you're referring to, leading me to believe that disciplining is only in later versions that only are applicable to OpenBSD. If having any discussion about the benefits of OpenNTPD it should be made clear that disciplining (a feature I consider crucial) is only available on OpenBSD.

Re:

[account_deleted]

Comment removed based on user account deletion

Re:

[bsDaemon]

TCP/IP, as implemented, is brought to you by BSD. Same with Vi and very many other things. The TCP/IP implementation which won the final DARPA approval was implemented by Bill Joy, mostly by himself (same with the original vi). However, I do agree with you that open standards and specifications are the key.

Re:

[account_deleted]

Comment removed based on user account deletion

Re:

[bsDaemon]

I'm not saying OpenBSD is "the most important" f/oss project, I'm just saying that OpenBSD in terms of the OpenBSD Foundation and all the projects it oversees really deserves a lot more credit than people usually give it. I don't use OpenBSD itself, but I make my living via FreeBSD as I have via Linux in the past. I still value OpenSSH more than pretty much any other free software project besides maybe gcc, and then there are other compilers like clang and pcc that i'm more intrigued by.

Re:

[timmarhy]

spend some time on the mailing list, you'll see why it's a marginalised project.

the funny thing is i really really wanted to like openbsd, i tried it on some production systems. lack of hardware support, problems with upgrading combined with the 6 month release cycle forcing you into the upgrade senario just made the whole thing too hard.

Re:

[mwvdlee]

How does a 6 month release cycle force you into an upgrading scenario any more than the release/patch cycle of any other OS does?

Re:Subjective summary is subjective

[timmarhy]

because after 2 releases they stop making security updates. other OS's go a hell of a lot longer before they EOL their releases.

i've had this arguement with openbsd people before. what it comes down to is openbsd is their toy and they like constantly updating rather then doing mundaine shit like patching old versions.

all well and good, it's their project they can do as they please, but don't pretend that it's a superior server OS, because it simply doesn't cut it if you don't have patch support after just 12 months. there's plenty of secure systems with more features and longer EOL's that make openbsd more trouble then it's worth.

Re:

[Anne Thwacks]

You can get it, install it and have it - and all the applications you are likely to need - running in 40 minutes, for nothing! (on a 450MHz processor), and quite possibly need only another 40 minutes maintenance, with no reboots, in the next two years. Any scripts you write will probably run on future versions for the next 10 years without modification. It is by far the lowest maintenqance infrastructure you can get in the long term

Obviously for a commercial webserrver, not a domestic workstation.

Disclai

Re:

[account_deleted]

Comment removed based on user account deletion