OpenBSD 4.8 Released

Mortimer.CA writes "The release of OpenBSD 4.8 has been announced. Highlights include ACPI suspend/resume, better hardware support, OpenBGPD/OpenOSPFD/routing daemon improvements, inclusion of OpenSSH 5.5, etc. Nothing revolutionary, just the usual steady improving of the system. A detailed ChangeLog is available, as usual. Work, of course, has already started on the next release, which should be ready in May, according to the steady six-month release cycle."

Don't forget the Release Song!

[Anonymous Coward]

Someone forgot the infamous song release for 4.8 to be included in article details: El Puffiachi [openbsd.org]

song

[buchner.johannes]

The release song [openbsd.org] doesn't even have lyrics :-(
How good can the release be then, I ask!

Re:How are upgrades handled?

[the_brobdingnagian]

I'm curious. Having never used a BSD-based system, how are upgrades managed? I understand that instead of installing packages, one uses ports. My impression of that is that you run a file in a ports directory and it compiles the software and installs it. Correct me if I'm wrong.

Ports are meant for building packages. Users should only use packages normally. You can update your packages after you upgraded your base system with "pkg_add -ui -D update -D updatedepends"

But how does one upgrade from, say, OpenBSD 4.7 to 4.8?

OpenBSD has excellent docs and FAQ's: http://openbsd.org/faq/upgrade48.html [openbsd.org]

Re:fdisk

[Ex Machina]

IIRC you can suffix a quantity with M or G to specify size in megabytes or gigabytes.

Re:How are upgrades handled?

[resfilter]

ports are just a way to build packages for 3rd party (i.e. not in the base system) software.

unlike a lot of operating systems, openbsd includes apache, bind, and other common network servers in the base install.

there's no automated upgrade procedure that works well for the openbsd base system at all; but there's a manual procedure, which is well documented, for upgrading between major versions

as someone has tried to upgrade many major linux distributions in various environments, i can tell you that manually is the ONLY way to do a proper system upgrade on a critical system; and many complex package management systems can hinder such an effort

openbsd people seem to shy away from binary packages for the most part, and most people that upgrade end up using a full source tree of the system to do so. in fact, openbsd is a bit unique in that they don't have an official binary patch mechanism. security patches to the base system are also generally intended to be done on a virgin openbsd source tree.

it's a weird way of doing things, for the average administrator, but it's a niche operating system, so if you don't like doing things the slow (but reliable) way, openbsd is not for you.

Re:Suspend/Resume?

[the_brobdingnagian]

Suspend/resume support has been improved enormously. I have been using it without problems on my Asus Eee PC 1000H for a while now.

Re:fdisk

[the_brobdingnagian]

The OpenBSD installer can auto-partition your disk for you. No calculations needed if you don't want to.

Re:fdisk

[101percent]

You don't. I've had my 4.8 CD set for a week now. It auto-partitioned everything fully utilizing my entire disk space, / /home /tmp /var /usr and various /usr/*

Re:OSNews? Thom Holwerda? Seriously?

[Menkhaf]

Sorry man, that's not a highlight. It's a link.
I, uhm.. think you may have missed out a bit on the Internet. Here, I'll give you a link to start with: http://www.bing.com/ [bing.com] -- happy binge!

Besides, the mentioned "bullshit" was half way into his post. If you just read the first few words, I think he's happy.

Re:fdisk

[Noryungi]

Nice Troll. I'll bite.

Nor does an OpenBSD user excel on either Linux or Windows - they are three different worlds. You do not state, but imply, that someone that knows BSD knows those other systems. You either do so through intention (dishonesty) or through lack of thinking your argument out (ignorance), either one isn't particularly good.

I have three Linux machines (Slackware/Ubuntu) and one OpenBSD machine at home, all of them work very well. I also have two additional Windows machines at home, and I use one at work (sigh). I know all three systems pretty well. What's your point?

And, just to add an important precision: I administer Linux (Red Hat/SuSE), Solaris, AIX and HPUX machines at work. I know all of these systems pretty well.

The problem that the *BSD versions have for large acceptance is why? The big draw of it - security from the ground up - isn't really useful in most places.

Go ahead and tell that to the security engineers that audit the servers on a regular basis at work. Go ahead, I dare you. This is the best way to be out of a job pretty fscking quickly. OpenBSD is not perfect, but, when it comes to security, any serious person is going to consider it.

You need that at your firewall and router (usually one in the same for small to medium companies or a home network) and those are better handled by a hardware/software stack that is specifically designed for that.

In other words: trust us, we are from ______________ [insert big company name here]. No, thank you. I have been burned by vendors too many times.

Cisco solutions are a better combination of performance and costs. The OpenBSD box is never going to perform as well as the Cisco 28xx series and is no more secure so why go that way?

Mwa ha ha ha ha ha! Thanks, I needed the laugh.

Performance blows for general purpose hardware compared to specialized ones today.

You obviously have no idea what you are talking about. None.

Ten years ago they rocked, routers and firewalls on general purpose hardware was the the higher end of the market - today purchase a solution from Cisco if you really need it.

[More drivel follows]

A few points:
A) If you are trying to worship at the altar of Cisco, please find some other place for it. Cisco's hardware is uninteresting and overly expensive for what it does.
B) Even Cisco uses OpenSSH - which comes from OpenBSD. I really wonder why?
C) Why buy an overpriced Cisco XXXX, when a simple PC with 4 network cards and OpenBSD can do the job for half the price and three times the performance?

Crawl back under your bridge, little troll, and try to learn a bit about the real world before tooting your Cisco horn.

Re:How are upgrades handled?

[Noryungi]

Upgrade to OpenBSD 4.7 to 4.8 is as simple as booting the machine on the CD, and selecting (U)pgrade instead of (I)nstall.

Make sure you make a backup of your /etc/ directory beforehand and you are good to go. The upgrade process should keep your configuration intact, but it never hurts to be a bit cautious.

I'll note that i have been upgrading the same machine from OpenBSD 3.9 all the way to 4.8 without major problems.

Unless you have a very good reason to, do not use ports: use (pre-compiled) packages. Upgrading packages is as simple as typing: 'pkg_add' with the correct options. See here for more details: http://openbsd.org/faq/faq15.html#PkgUpdate [openbsd.org]

That's all there is to it. OpenBSD is a very simple operating system to use, and one that is a pleasure to upgrade and maintain.

Re:How are upgrades handled?

[badger.foo]

Make sure you make a backup of your /etc/ directory beforehand and you are good to go. The upgrade process should keep your configuration intact, but it never hurts to be a bit cautious.

For /etc upgrades, there's sysmerge.

In fact, you can run sysmerge -x xetcNN.tgz -s etcNN.tgz and answer the friendly prompts before booting into the installer for the upgrade. Then after you've done the base system upgrade, set your PKG_PATH to something sensible and run pkg_add -u to upgrade your packages. Time needed is mainly a function of how good your connectivity to the packages mirror is.

Re:fdisk

[Alioth]

I've been using OpenBSD since 3.3, and I don't think I've ever specified anything in cylinders when setting up. The BSD disk label tool accepts arguments in size, example 20M, 20G, 20T etc.

Re:OSNews? Thom Holwerda? Seriously?

[TheRaven64]

For example, if you need to build a web server, you might pick OpenBSD because of its "secure-by-default" mantra. But what does that really buy you? You still need to run web server software, which is going to be the vector for any attack.

The OpenBSD base system includes a version of Apache that has been heavily audited (fixing a lot of bugs that didn't seem to get fixed in the main branch until years later - look for 'does not affect OpenBSD' in security advisory notes) and runs in chroot by default.

Is lighttpd any more secure on OpenBSD than on Linux? No

As I recall, lighttpd runs in a chroot by default on OpenBSD, but I could be wrong. On top of this, it has (probably not a full list, just the things I remember):

• Address space randomisation, making return-to-libc attacks harder. Linux now includes a weaker version of this.
• OpenBSD's malloc() has an aggressive policy about returning memory to the kernel, which trades some performance for making it much harder to exploit use-after-free bugs.
• The OpenBSD system compiler enables stack canaries by default and they are enabled for all OpenBSD packages, making stack-smashing attacks basically impossible.
• W^X policy means that you can't map a page as both writable and executable at the same time. This is implemented even on x86, where it requires some convoluted stuff with segmentation because there is no native support in the page tables. This makes anything with a JIT compiler marginally harder to write and makes arbitrary code execution holes much harder. Linux can enforce something like this only on newer systems that have support for the NX bit in page tables.
• The network stack uses strong random numbers for a lot of TCP/IP header fields, making things like connection hijacking or SYN flood attacks harder (you said you were running a networked app, right?).

And the best thing? You don't need to configure or even understand any of these for them to work. That's what 'secure by default' means - no faffing with SELinux configuration, no optional security measures that people turn off because they're too hard to get right.

I would argue that OpenBSD may be secure by design, but SELinux is, in practice, more secure.

In practice, SELinux is usually disabled. In the few places it is enabled, it makes the attack surface larger and has led to exploitable bugs that are not present in Linux-without-SELinux.

Re:Have they decided to implement security yet?

[TheRaven64]

OpenBSD performance is not something they advertise, for good reason. If there's a trade between security and performance, they'll take security. The most noticeable example is the malloc() implementation. This is much more aggressive than any other that I've seen at returning memory to the kernel. This means that there are a lot more system calls being made by OpenBSD libc in any program that calls free() a lot and a lot more page churn (meaning more TLB misses). This hurts performance (about a 5-20% hit, depending on your benchmark), but it means that use-after-free bugs tend to crash early, rather than becoming exploitable. If you're doing HPC, OpenBSD probably isn't the system for you, but they never claimed it was.

Re:fdisk

[TheRaven64]

I haven't installed OpenBSD since around 3.8 (I've just done in-place updates since then), but you didn't have to specify C/H/S values for partition sizes. Values like 512M and 4.5G worked just fine.

Re:Audio on BSD?

[TheRaven64]

The opinions of 4Front are completely irrelevant to FreeBSD - their implementation of OSS 4 is independent of 4Front. 4Front does ship an OSS 4 implementation for FreeBSD, but it lacks per-channel volume control and AC-3 pass through while playing analogue audio, both of which are supported in the FreeBSD version.