OpenBSD 4.7 Released
An anonymous reader writes "The release of OpenBSD 4.7 was announced today. Included in this release are support for more wireless cards, the loongson platform, pf improvements, many midlayer filesystem improvements including a new dynamic buffer cache, dynamic VFS name cache rewrite and NFS client stability fixes, routing daemon improvements including the new MPLS label distribution protocol daemon (ldpd) and over 5,800 packages. Please help support the project by ordering your copy today!"
The Insecurity of OpenBSD (Score:1, Interesting)
The insecurity of OpenBSD [osnews.com]
A criticism of the OpenBSD security philosophy is performed, along with an examination of the claims made regarding the project. In particular their rejection of any advanced access control framework is examined. A well researched and well written article, followed by over 200 comments that are also worth reading.
Got my CD in the mail a few days ago (Score:5, Interesting)
Yeah, I use OpenBSD. My firewall's named linksys and the SSID is default, both for sheer entertainment value. OpenBSD, like anything else, has its flaws: namely an insular and hostile user community and theocratic leader with a vision. On the other hand it's people like that who get things done.
It would be nice to do more with OpenBSD than I can now, but last I checked ports didn't have the latest asterisk, getting the latest Java running is a pita, the latest Apache has an incompatible license or something, ZFS will never be supported, etc, etc, etc. But staying up with the latest software isn't really a design goal for Theo & crew. It's sort of the PVP UNIX - no care bears welcome. Their targeted approach to security over features makes it the best OS out there for targeted uses, but who knows if they'll make it to 5.7 - decreasing relevance and due to narrowing mainstream software support definitely also narrows interest.
Regardless, congrats on another great release.
Re:Got my CD in the mail a few days ago (Score:3, Interesting)
Yeah, I use OpenBSD. My firewall's named linksys and the SSID is default, both for sheer entertainment value.
I guess you could describe that as "What's the sound of one-hand clapping?" or "An inside joke of the nth degree". ;-) Entertainment aside, pf users and fans should note the pf syntax changes [marc.info].
Re:The Insecurity of OpenBSD (Score:2, Interesting)
He is talking about what prevents OpenBSD from being a secure system for the points you mention.
I found the discussion on the blog quite interesting aside from the insults, which are a minority.
Re:Got my CD in the mail a few days ago (Score:3, Interesting)
I'm not sure that it has decreasing relevance. For something like a firewall or other networked appliance (where you don't actually have users logging on and interactively using it), OpenBSD is way ahead of the game. Auditing the kernel and securing that is actually a good strategy for such devices, whereas mandatory access controls would be more of a cycle-hog. For reasons I don't entirely understand - or agree with - the world is slowly moving away from desktops and towards appliance-based computing. Look at the rate Droid is accumulating apps, compared to the rate new stuff is being written for Linux.
I do not know what the ideal security strategy is - I feel that it must involve components that are transparent to any part of the kernel the user or superuser can substantially interact with, because although you can prove a Security Kernel correct mathematically (it is one of the few OS components simple enough), this is useless if there is any means of either accessing the functions protected or re-implementing them, yet nobody likes re-designing implementations and call points are bound to be missed if code changes are required. This means that the security kernel has to act in a manner akin to dynamic probes and inject itself into modules without needing static insertion points. Security then just becomes a form of debug in step mode (continue until next probe, then pause the kernel thread) in which the debug data is analyzed automatically rather than by an engineer.
Re:Got my CD in the mail a few days ago (Score:3, Interesting)
"I'm planning on making this one into some sort of automatics control for the house (turn the lights on, report temperature, I don't know, a bunch of lame stuff like this)."
OBSD has support for the 20-pin GPIO header on a Soekris net4801 board out-of-the-box. With that you can easily make either digital or transistor switches to control things. The shell command is gpioctl, which you may want to grab the source and mod it so it's not reading command line arguments and can be put in your code without an OS system call, depending how frequently you are reading/writing the pin states.
What happened to the music? (Score:3, Interesting)
Used to be that the Plaid Tongued Devils provided a new song for every release - this is the first song I've seen by someone else.
Re:The Insecurity of OpenBSD (Score:2, Interesting)
Maybe if the article had any real merit, instead of making stupid statements that aren't true.
It's a shame the author's love affair with MAC can't help him write a decent article.
I wonder how many installations of Linux have SELinux disabled because it broke something.
"not invented here" syndrome (Score:2, Interesting)
The things that are pioneered by OpenBSD often make their way to everywhere else.
So, ahem, it IS invented in OpenBSD.
Re:The Insecurity of OpenBSD (Score:3, Interesting)
Most of us have been reading slashdot long enough that "several times a year" qualifies as sufficiently regular.
And yet going back even farther to more than 6 months I've yet to see a single one of those supposed articles that criticize Linux security. Care to actually link to even a single article that isn't more than a year old?
Re:The Insecurity of OpenBSD (Score:3, Interesting)
I wonder how many installations of Linux have SELinux disabled because it broke something.
The overwhelming majority, in my experience.