Bug Busters! OpenBSD 5.1 Released

An anonymous reader writes "Today the 5.1 release of OpenBSD has surfaced. As usual, it includes improved hardware support, but also OpenSSH 6.0 and over 7000 ports, with major performance and stability improvements in the package build process (and some really cool stickers). Here's the changelog, the download page, and the CD-ordering page. "

Re:YAY!

[Anonymous Coward]

OpenBSD is relevant to those of us to whom it's relevant. There is no "grand scheme". It's a secure, well-maintained, and well-documented OS. Oh, and it's free, in every sense of the word.

Re:YAY!

[101percent]

Given that OpenSSH alone is the most used FOSS program, and there is virtually no corporate contributions, I think Theo just has lost patience for people who come on the lists and complain.

Re:YAY!

[gman003]

In the Grand Scheme of Things? No.

But, for a grand enough definition of "grand scheme of things", your entire life is irrelevant. The history books will forget you, no matter how important, after enough millennia. And I'm pretty sure the rotation of the galaxy cares not one whit for the combined accomplishments (to date) of the entire human race.

So, in the end, who cares for the grand scheme of things? As long as it's relevant to you, it's relevant enough.

Personally, I have an OpenBSD box (normally my experimental-server-slash-tertiary-backup-desktop, currently my experimental-server-slash-secondary-backup-desktop, as my primary-desktop is currently my primary-doorstop). And I haven't updated it since... 4.6? 4.8? Can't be assed to ssh in and check. So 5.1 isn't important to me, but OpenBSD itself somewhat is.

Re:YAY!

[Just Some Guy]

This is true, but the base install is pretty limited, so it's hard to compare, really.

That's not a bug: it's a feature. I know you already know that, but I mention it for the benefit of people not already familiar with OpenBSD. OpenBSD installs almost nothing by default, to the point that many systems don't even have man pages or a compiler. Fewer things installed = few things to break = fewer attack vectors = fewer things to maintain.

That also means that it's trivially easy to deploy a task-specific server that runs almost nothing not directly related to performing that task. For example, here are all the processes running after booting a particular mail gateway:

$ ps ax
PID TT STAT TIME COMMAND
1 ?? Ss 0:00.01 /sbin/init
21888 ?? Is 0:00.00 syslogd: [priv] (syslogd)
11594 ?? I 0:00.01 /usr/sbin/syslogd -a /var/www/dev/log -a /var/empty/dev/log
18652 ?? Is 0:00.00 pflogd: [priv] (pflogd)
16925 ?? S 0:00.01 pflogd: [running] -s 160 -i pflog0 -f /var/log/pflog (pflogd)
4551 ?? Is 0:00.00 ntpd: [priv] (ntpd)
12960 ?? S 0:00.01 ntpd: ntp engine (ntpd)
15118 ?? I 0:00.00 ntpd: dns engine (ntpd)
8253 ?? Is 0:00.00 /usr/sbin/sshd
32235 ?? Ss 0:00.01 sendmail: accepting connections (sendmail)
1749 ?? Ss 0:00.00 /usr/sbin/cron
23675 ?? Is 0:00.05 sshd: kirk [priv] (sshd)
25682 ?? S 0:00.04 sshd: kirk@ttyp0 (sshd)
17102 p0 Ss 0:00.19 -zsh (zsh)
17713 p0 R+ 0:00.00 ps -ax
8581 C0 Is+ 0:00.00 /usr/libexec/getty std.9600 ttyC0
4910 C1 Is+ 0:00.00 /usr/libexec/getty std.9600 ttyC1
25709 C2 Is+ 0:00.00 /usr/libexec/getty std.9600 ttyC2
12308 C3 Is+ 0:00.00 /usr/libexec/getty std.9600 ttyC3
19809 C5 Is+ 0:00.00 /usr/libexec/getty std.9600 ttyC5

So we have init (boots the system; makes sure things are running that are supposed to be); the system event logger; the firewall event logger; an NTP daemon to keep the time set correctly; the SSH daemon I used to connect into it; Sendmail (the OpenBSD-hardened version); the scheduled task manager; my shell process; and the program that listens for console logins. There's just not a lot you can strip away from that.

Here's the list of open sockets that an external user can connect to:

tcp 0 0 127.0.0.1.587 star.star LISTEN
tcp 0 0 127.0.0.1.25 star.star LISTEN
tcp 0 0 *.22 star.star LISTEN

So SMTP (25 and 587) and SSH are listening. Again, that's as minimal as you can feasibly get. Well, I suppose you could axe everything firewall related, since the only open ports are to services that are deliberately exposed to the Internet already, but security comes in layers.

It's obviously possible to build secure systems with other OSes, but OpenBSD goes a long way toward making it easy. "Secure by default" is a wonderful starting point!

Oh, and pf has the most beautiful firewall rule syntax of any system I've ever used.

Re:YAY!

[TheRaven64]

OpenBSD installs almost nothing by default, to the point that many systems don't even have man pages or a compiler.

The standard install includes everything required by the Single UNIX Specification, including man pages and a compiler. You can choose not to install them, but that typically only happens on small embedded systems with 16-64MB of Flash.

Fewer things installed = few things to break = fewer attack vectors = fewer things to maintain

It also means you don't get the situation like Ubuntu where every time I turn on the system I have running Ubuntu it wants to install 200+MB of updates for stuff I never use and don't want installed.

Re:YAY!

[serviscope_minor]

Theo just has lost patience for people

That's simply not true. Theo has lost patience with whiners who want someone else to do their thinking for him.

I've got polite, helpful responses personally from Theo. I was trying to build a module (despite all the dire warnings how not to do this or ask questions and how unsupported it is) so I could hack on the drivers for a moderately exotic piece of hardware. I posted questions. He was one of the people with a response.

It turns out that if you know that the mailing list doesn't suffer fools, you work that little bit harder to write a sensible mail.

You double check everything and make sure you read the docs. This catches many of the bugs initially and then you don't need to post in the first place. If it doesn't fix the problem, it gives the mailing list inhabitants a good indication of what the problem is.

To me it seems unbelievible rude to ask some of the world experts for a bit of their time to help without bothering to check the things that you need help on. I just don't understand how most other people don't also see this as rude.