Bug Busters! OpenBSD 5.1 Released
An anonymous reader writes "Today the 5.1 release of OpenBSD has surfaced. As usual, it includes improved hardware support, but also OpenSSH 6.0 and over 7000 ports, with major performance and stability improvements in the package build process (and some really cool stickers). Here's the changelog, the download page, and the CD-ordering page."
7000 Ports? (Score:1)
Will one of those 7000 ports run on my dishwasher?
Re: (Score:2)
They might if you chose NetBSD instead.
Re:7000 Ports? (Score:5, Informative)
OpenBSD ports are a set of makefiles that will build packages, not OS 'ports' like you are thinking.
Re: (Score:2)
Since he said "run" I would think he knew that. One doesn't "run" a network socket.
Re: (Score:2)
I know what a port in BSD is, thanks. So does the original poster. Mirix didn't think so, and I pointed out why it should be obvious to one who knows the difference.
Re: (Score:2)
No, GP was implying that his dishwasher was a rare architecture that most if not all of the 7000 available ports would not run on.
Re: (Score:1)
Then this is the site for you [slashdot.org]
Open BSD confirms it (Score:5, Funny)
Netcraft is dead....
Re: (Score:2)
That must be in Soviet Russia...
YAY! (Score:1, Flamebait)
I think..
Honestly is OBSD relevant any more in the grand scheme of things, mainly due to its 'director' and its limited scope?
Re: (Score:1, Flamebait)
Honestly is OBSD relevant any more
No.
Re: (Score:2, Insightful)
OpenBSD is relevant to those of us to whom it's relevant. There is no "grand scheme". It's a secure, well-maintained, and well-documented OS. Oh, and it's free, in every sense of the word.
Re: (Score:2)
You misunderstood the use of the term 'grand scheme'. It was not that OBSD had one, but that the rest of the world has one, and I wasn't sure if OBSD fits in there anymore.
It was relevant in the beginning but now, it doesn't seem like it so much.
Re: (Score:1)
Can you name another OS that's as secure as OpenBSD is? They did finally after a decade find a security hole in the base install. But, how many other OSes can claim that, even if you just limit it to more than a year?
It's still very much relevant to anybody that really cares about security. Other systems can be hardened, but they don't have a similar track record.
Re:YAY! (Score:5, Informative)
This is true, but the base install is pretty limited, so it's hard to compare, really.
(I think it's been three holes since the dawn of OpenBSD, by the way).
That said I still use it on some of my outward-facing stuff. PF is great. The pre-chrooted httpd is nice. Some other parts, not so much, though... can't think of a good example right now, but once in a while I run into things that amaze me with backwards-ness compared to my linux boxes.
Oh, and the documentation is a work of art compared to linux. That's a really nice feature.
Re: (Score:3, Informative)
Yeah, totally agree that OpenBSD is relevant today. I would even say OpenBSD is becoming more relevant today than it has been in the past, as we will receive more backdoors in open source projects that rely on binary distribution methods. I really hope OpenBSD sticks around, since it is the only truly stable open source distribution. I have used it since 2.6 and have always enjoyed the no-bullshit approach to having reliability and security together. The OpenBSD doesn't make the poor decisions that are
Re:YAY! (Score:5, Insightful)
This is true, but the base install is pretty limited, so it's hard to compare, really.
That's not a bug: it's a feature. I know you already know that, but I mention it for the benefit of people not already familiar with OpenBSD. OpenBSD installs almost nothing by default, to the point that many systems don't even have man pages or a compiler. Fewer things installed = fewer things to break = fewer attack vectors = fewer things to maintain.
That also means that it's trivially easy to deploy a task-specific server that runs almost nothing not directly related to performing that task. For example, here are all the processes running after booting a particular mail gateway:
So we have init (boots the system; makes sure things are running that are supposed to be); the system event logger; the firewall event logger; an NTP daemon to keep the time set correctly; the SSH daemon I used to connect into it; Sendmail (the OpenBSD-hardened version); the scheduled task manager; my shell process; and the program that listens for console logins. There's just not a lot you can strip away from that.
Here's the list of open sockets that an external user can connect to:
So SMTP (25 and 587) and SSH are listening. Again, that's as minimal as you can feasibly get. Well, I suppose you could axe everything firewall related, since the only open ports are to services that are deliberately exposed to the Internet already, but security comes in layers.
It's obviously possible to build secure systems with other OSes, but OpenBSD goes a long way toward making it easy. "Secure by default" is a wonderful starting point!
Oh, and pf has the most beautiful firewall rule syntax of any system I've ever used.
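The "open sockets an external user can connect to" check above is the one worth automating on a task-specific server. The following is an added example, not code from the thread: it parses the output layout of OpenBSD's `netstat -an -f inet` (assumption: the classic BSD layout with `host.port` local addresses and a trailing state column) and reports any listener that is not on the allow-list of deliberately exposed services (SSH, SMTP and submission, as on the mail gateway described). The netstat text is constructed, not captured from a real host; on a live system replace it with the command's actual output.

```python
"""Audit listening sockets of a task-specific server against an allow-list.

Added example (not from the thread). Parses OpenBSD-style `netstat -an -f inet`
output (assumption: "host.port" local addresses, state in the last column)
and reports listeners not on the allow-list of deliberately exposed services.
"""
import re

# Services the mail gateway in the thread deliberately exposes:
# SSH (22), SMTP (25) and submission (587).
ALLOWED_PORTS = {22, 25, 587}

# Constructed sample in OpenBSD netstat layout; not captured from a real host.
SAMPLE_NETSTAT = """\
Active Internet connections (including servers)
Proto   Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp          0      0  192.0.2.10.22          198.51.100.7.51234     ESTABLISHED
tcp          0      0  *.25                   *.*                    LISTEN
tcp          0      0  *.587                  *.*                    LISTEN
tcp          0      0  *.22                   *.*                    LISTEN
tcp          0      0  127.0.0.1.3306         *.*                    LISTEN
tcp          0      0  *.8080                 *.*                    LISTEN
udp          0      0  *.123                  *.*
"""

# proto, recv-q, send-q, local, foreign, optional state
LINE_RE = re.compile(r"^(tcp|udp)\S*\s+\d+\s+\d+\s+(\S+)\s+(\S+)(?:\s+(\S+))?$")


def parse_listeners(netstat_output):
    """Return (proto, bind_host, port) for every socket accepting traffic.

    TCP sockets count when in LISTEN state. UDP sockets carry no state column,
    so a bound UDP socket with the wildcard foreign address '*.*' is treated
    as a listener.
    """
    listeners = []
    for line in netstat_output.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # header lines and anything in an unexpected layout
        proto, local, foreign, state = m.groups()
        host, _, port = local.rpartition(".")  # the last dot separates the port
        if not port.isdigit():
            continue
        if (proto == "tcp" and state == "LISTEN") or (proto == "udp" and foreign == "*.*"):
            listeners.append((proto, host, int(port)))
    return listeners


def unexpected_listeners(netstat_output, allowed=ALLOWED_PORTS):
    """Listeners reachable from other hosts that are not on the allow-list.

    Sockets bound to 127.0.0.1 are skipped: they cannot be reached from another
    host, which is the exposure the thread's open-socket check is about.
    """
    return [
        (proto, host, port)
        for proto, host, port in parse_listeners(netstat_output)
        if host != "127.0.0.1" and port not in allowed
    ]


if __name__ == "__main__":
    for proto, host, port in unexpected_listeners(SAMPLE_NETSTAT):
        print(f"unexpected {proto} listener on {host}:{port}")
```

Run against the sample, the script flags the TCP listener on 8080 and the UDP socket on 123, and stays quiet about the loopback-only 3306 and the three allowed ports; run it from cron and diff the output against a known-good baseline to catch a port that a newly installed package opened.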
Re:YAY! (Score:5, Insightful)
OpenBSD installs almost nothing by default, to the point that many systems don't even have man pages or a compiler.
The standard install includes everything required by the Single UNIX Specification, including man pages and a compiler. You can choose not to install them, but that typically only happens on small embedded systems with 16-64MB of Flash.
Fewer things installed = fewer things to break = fewer attack vectors = fewer things to maintain
It also means you don't get the situation like Ubuntu where every time I turn on the system I have running Ubuntu it wants to install 200+MB of updates for stuff I never use and don't want installed.
Quality Control with Balls! (Score:4, Informative)
...the base install is pretty limited...
The base install is painstakingly audited. They look for all bugs, even ones that have no apparent means of exploitation. This has often resulted in OpenBSD being unaffected by holes discovered in other systems. The same degree of assurance cannot be extended to thousands of ports, however, so a line is drawn around the base install.
That being said, I've heard that Theo expects that one should be able to 'cd /usr/ports' and 'make install' - to build and install every port in the tree - without error. What other OS has the balls to pull that off?
Re: (Score:2)
The base install is limited, and they did a great job auditing the code. But the moment you install something from ports, if that software contains a bug, then OpenBSD is no more secure than Linux running that software. Or even worse, as OpenBSD refuses to have some kind of MAC implemented: Linux has SELinux/AppArmor/Tomoyo while FreeBSD has TrustedBSD. While those aren't silver bullets for every problem, they help in limiting the damage caused when your potentially insecure software gets compromised.
Re: (Score:2)
I care about the base install. It's all you need to make a highly secure firewall. I want as little as possible running on my firewalls.
PF is actually easier to set up and maintain complex sets of rules with than iptables is. I know there isn't much you can't do with iptables, but pf makes most of it way easier. Plus the iptables concept of a forward chain really is a bad thing.
You claim *BSD lacks all kinds of things but most of these look like big company process things that could be applied to the BSD's in just
Re: (Score:2)
You are claiming that either there are no updates for OpenBSD or they are too hard to apply? Read the OpenBSD website, they have errata for each release.
You think the iptables forward chain makes more sense than having incoming and outgoing rules for each interface!? You don't get how firewalls work.
You use GUIs to configure a firewall!? You really don't get how firewalls work and should not be allowed anywhere near them.
IPSec with telnet? If you are trying to say that's better than OpenSSH?
Your sentence str
Re: (Score:3, Interesting)
I replaced our Sonicwall with OpenBSD+PF nearly 8 years ago. The only user-visible difference is that we stopped having unplanned network outages.
Re: (Score:2)
I replaced our Sonicwall with OpenBSD+PF nearly 8 years ago. The only user-visible difference is that we stopped having unplanned network outages.
s/sonicwall/pfsense/ and I did the same. It worked great.
I don't get why anyone wants stuff like pfsense. If people can't understand pf's easy syntax they can't really understand the network traffic it's manipulating.
How well does it run on VMs? (Score:2)
Sure, I realize that some people would rather have OpenBSD running on bare metal, without having untrustworthy layers underneath, but since in the grand scheme of things we're running just about everything on top of VMware these days (except stuff that needs hardware acceleration), how well does OpenBSD work on top of VMware? Is installing it straightforward, or does the disk partitioning get weird? Can I just hand VMware the ISO and tell it to install itself? Will the vmware tools install cleanly? I'm
Re: (Score:2)
It should work. Do remember that it's not paravirtualized. While not VMWare, I've run it in VirtualBox sessions. If VirtualBox can do it, so should VMWare.
Partitioning scheme: Not more complicated than on the bare metal.
ISO: You can do that, but you'll have to create the ISO yourself (which isn't hard - they might even provide downloadables these day... I wouldn't know, you'll see why), or you just buy the official CD (recommended version). Me? I don't bother with CD's anymore. Just use the PXE-boot (
Re: (Score:2)
Those VM tools allow the management system to do things like tell the guest operating system to reboot or shutdown cleanly, and provide an interface for the host to read back what the guest believes is free memory etc.
While not mandatory, they can be damn useful.
Re: (Score:2)
Last I had to play with it ('cause something moved and broke stuff in... i think 2.6.32?) there was a lot of kernel-specific stuff in those open-vm-tools. Porting that away from Linux would be quite a chore!
No idea if someone's done it. If so, kudos to them!
Re: (Score:2)
OpenBSD work on top of VMware?
In my experience (not very recently) it wouldn't run at all. I think it hung somewhere around disk probing, and I tried all the options that made sense to try to fix it. However for the same old version of VMware, and corresponding old OS versions, I had no issues with FreeBSD or NetBSD.
So maybe OBSD will run virtualized, but if not _some_ version of BSD will probably work. I think the reality is the OBSD developers probably don't really give a damn if it does run virtualized. I've also run into problem
Re: (Score:2)
It works fine however if you run this stuff under vmware you are destroying the security advantage that OpenBSD gives you.
I'm not running everything under vmware anyway. I have a few production servers under KVM but most of it is on bare metal.
Re: (Score:2)
You must be thinking of the 'desktop' vmware offerings.
Re: (Score:3)
It works fine on vmware, but it seems some other virtualization software doesn't work as well. It puts much strain on the virtualization.
You can install the full base OS in under 4 minutes like I did here https://www.youtube.com/watch?v=28ujY4vlz4c [youtube.com]
Re: (Score:3)
>Theo just has lost patience for people
fixed.
Re:YAY! (Score:5, Insightful)
Theo just has lost patience for people
That's simply not true. Theo has lost patience with whiners who want someone else to do their thinking for them.
I've got polite, helpful responses personally from Theo. I was trying to build a module (despite all the dire warnings how not to do this or ask questions and how unsupported it is) so I could hack on the drivers for a moderately exotic piece of hardware. I posted questions. He was one of the people with a response.
It turns out that if you know that the mailing list doesn't suffer fools, you work that little bit harder to write a sensible mail.
You double check everything and make sure you read the docs. This catches many of the bugs initially and then you don't need to post in the first place. If it doesn't fix the problem, it gives the mailing list inhabitants a good indication of what the problem is.
To me it seems unbelievably rude to ask some of the world experts for a bit of their time to help without bothering to check the things that you need help on. I just don't understand how most other people don't also see this as rude.
Re: (Score:2)
It turns out that if you know that the mailing list doesn't suffer fools, you work that little bit harder to write a sensible mail.
You double check everything and make sure you read the docs. This catches many of the bugs initially and then you don't need to post in the first place. If it doesn't fix the problem, it gives the mailing list inhabitants a good indication of what the problem is.
To me it seems unbelievably rude to ask some of the world experts for a bit of their time to help without bothering to check the things that you need help on. I just don't understand how most other people don't also see this as rude.
This is my experience as well. When I ask a question online, I always try as many solutions as I can think of before asking. And I mention those attempts as well, so people see that I'm serious and take the time for it. Doing this I have solved many problems myself before it came to an online post...
Re: (Score:2)
And I mention those attempts as well, so people see that I'm serious and take the time for it.
That can't be over-emphasized: if you're stuck, tell what you've already tried. Not only does it save everyone else the time of suggesting something you've ruled out, but it demonstrates intent. It says, "I'm coming to you as a last resort after trying the self-help options, not as my first step because I don't value your time."
Re:YAY! (Score:4, Insightful)
In the Grand Scheme of Things? No.
But, for a grand enough definition of "grand scheme of things", your entire life is irrelevant. The history books will forget you, no matter how important, after enough millennia. And I'm pretty sure the rotation of the galaxy cares not one whit for the combined accomplishments (to date) of the entire human race.
So, in the end, who cares for the grand scheme of things? As long as it's relevant to you, it's relevant enough.
Personally, I have an OpenBSD box (normally my experimental-server-slash-tertiary-backup-desktop, currently my experimental-server-slash-secondary-backup-desktop, as my primary-desktop is currently my primary-doorstop). And I haven't updated it since... 4.6? 4.8? Can't be assed to ssh in and check. So 5.1 isn't important to me, but OpenBSD itself somewhat is.
Re: (Score:1)
Makes a better router than linux or windows....
Re: (Score:1)
most of the new shit in the Linux Kernel came from OpenBSD....
That requires documentation.
Re: (Score:2)
That's a linux epidemic...
Re: (Score:2)
Yeah, I mean what good do they do except for all that silly security stuff, like providing us with SSH and stuff.
Re: (Score:2)
Its limited scope is precisely why it's relevant.
Ferraris have a more limited scope than OpenBSD but nobody counts them out. OpenBSD is very good at what it does and very useful to those who use it.
Over 7000 ports (Score:1)
... unless you don't feel like putting X on a server, in which case building from ports is unsupported and sometimes obviously broken.
over 7000 ports (Score:1)
What if someone needs to use port 8000?
Re: (Score:3)
just use port 4000 twice. It's all binary.
Re: (Score:1)
just use port 4000 twice. It's all binary.
4000 ain't binary. It's at least base 5.
Re: (Score:1)
what's binary for "whooosh"?
Re: (Score:2)
1110111 1101000 1101111 1101111 1110011 1101000,
or 011101110110100001101111011011110111001101101000, depending on how you take your coffee. Mine's with milk.
Re: (Score:2)
No, the ports are chmod 7000. They're setuid, setgid, and sticky.
Who ya gonna call? (Score:2)
Bug busters [openbsd.org]!
Human-readable changelog (Score:1)
Anyone got a human-readable changelog with highlights? The linked one is a dump of everything that's changed.
Re: (Score:2)
The first link in the story is the human-readable changelog.
Re: (Score:2)
You are right.
I can only say that this is /. and one does not simply RTFA.
Security... (Score:2)
An awesome periphery and utility server OS.
relevance is overrated (Score:2)
Why does no one ask about the relevance of the porn industry? OpenSSH was the biggest thing since Debbie does Dallas. Few have more than that to their credit.
Bearded fellow: Let he who is without sin throw the first stone.
Crazed villager [inspecting charismatic sinner]: Theo, is that you?
Crazed villager's wife: Who does this bearded guy think he is?
Here's the thing about security. If you have to ask about relevance, you can't handle the truth.
Choices of s/w & IPv6 support (Score:3)
I had a look at it, and found some things interesting.
Under highlights, it mentions that it supports GNOME 3.2.1 (fallback mode), but for KDE, it supports 3.5.10. For GNOME, this is the first time I have seen any BSD support GNOME3 - in fact, there was some discussion in the past about how GNOME3 wouldn't run on BSDs due to systemd being a requirement. The other interesting aspect of this is that it goes for the latest, much publicly disparaged version of GNOME, but for KDE, which is much improved, it's @ 3.5. They could have either gone for KDE4.8, or if they didn't like that, they could have ditched KDE altogether and gone w/ Trinity.
The other thing I noticed throughout the notes was improvements in support for IPv6, such as fragment handling, but what I haven't figured out is how mature is OpenBSD's IPv6 support compared to FreeBSD? FBSD is currently second to none when it comes to IPv6 support (I'm not sure how it compares to Windows 7, which has been innovative for IPv6 on its own, w/o relying on the BSD layer 3 stack as it did for IPv4), but I was curious about OBSD. If someone wanted to create an IPv6 firewall cum router w/ OBSD as the management OS, does the OS have whatever it needs for this purpose?
On a separate note, I did find it interesting that they include software that's now GPL3 - such as Emacs, GCC, Libre Office, among others. In the case of the compiler, they didn't offer LLVM/Clang, and nor do they seem to prefer BSD software to others - for instance, Apache is the web server that they offer, and not Nginx. In short, I found their choices of default software pretty interesting, given all the recent discussions regarding GPL3 vs BSDL and so on.
Re: (Score:1, Informative)
Nothing you say makes sense. FreeBSD's IPv6 support is second to none only if you exclude OpenBSD.
They still have Apache because OpenBSD is extremely conservative. They forked Apache 1.3 over a decade ago and, notwithstanding Apache's rough edges, it has been rock solid (many of the recent Apache 1.3.x security issues were fixed or mitigated in OpenBSD's fork long ago). Nginx is in trunk already but OpenBSD is reticent to switch over until they're convinced it's worth the risk.
Likewise with Sendmail. They have
Re: (Score:1)
I do not think the word 'reticent' means what you think it means.
IPv6 support (Score:2)
How is OBSD's IPv6 support superior to FBSD, which is what your first statement above seems to suggest? I've checked their site - for instance, their Networking FAQ [openbsd.org], and there is nothing there that suggests that OBSD has embraced IPv6 and supports it in a big way. There is no mention of any DHCP6 support, even though they have a major section on DHCP support, and in all the examples that they provide, they use only IPv4 examples, implying that equivalent IPv6 support either doesn't exist, or at best, is n
Re: (Score:2)
I have run OpenBSD as my firewall since forever, and have since set up a tunnel to give my LAN IPv6 connectivity. There has been absolutely no problem with IPv6 at all in OpenBSD[*]. Every application I've messed with, from packet filter to tunneling to DHCP to nameserver supports it. Granted my usage is probably very limited still, but my impression is that IPv6 is supported pretty much everywhere that IPv4 is. I can't say how this compares with FreeBSD though, because my experience with it is restricted t
Re: (Score:2)
Tunnelling IPv6 over IPv4, if that's what you meant, doesn't imply IPv6 support, which was my basic question. Here, one would simply be encapsulating IPv6 packets in IPv4 and running them over the network. That's pretty much the status quo, and could be done anyway - an OS doesn't need to have any IPv6 support to enable that.
I was asking whether one could set up an IPv6 network using an OBSD gateway acting as a router and firewall. Imagine that the external network (think Comcast or HE) was IPv6 as wel
Re: (Score:2)
I pretty much cited what seemed to be a shortcoming of OBSD as far as IPv6 support goes - you really need to read the provided links, which are right from their home site FAQ. IPv6 itself hasn't been around for 10 years - the protocol has been constantly undergoing modifications, so if I'm on crack, you're on meth. FBSD support for IPv6 started w/ the KAME project, and in FBSD9, IPv6-only options have been added for the first time. Nor is IPv6 there on all BSDs - check out pFsense, which is an FBSD based
Re: (Score:2)
OpenBSD does include a DHCP6 package (or maybe it's in ports, I honestly don't remember, but anyway, it works). PF does support IPv6 filters, exactly the same as IPv4 as far as I can discern. As for routing protocols, I have no experience with them, but OpenBGPD does appear to support IPv6.
Re: (Score:2)
Packages are not part of the base system, so it's not so strange that the documentation doesn't refer to the wide-dhcpv6. I have checked now and it was indeed wide I was using. But I have actually disabled it now and using ipv6 autoconf instead.
That brings to mind another question. In the BSDs - particularly FreeBSD - a particular autoconfiguration mode, called EUI-64 is used, which uses the MAC address of the ethernet card as a part of the IPv6 address. Does OBSD do this as well? For an OS so focussed on security, it would seem odd if it did, since normally, one's MAC address does not go outside the network and gets translated at the switch, but here, it would go as a part of an EUI-64 created address and be subject to any scanning that could
Re: (Score:2)
Either way, IPv6 is really meant to have many IP address per machine. Use DHCP/static for servers as you need to know their IP address anyway for DNS reasons.
Re: (Score:2)
IIRC, EUI-64 is used to assign the interface ID to global unicast addresses - I'm not sure whether they're also used for either link-local or site-unique addresses. For the latter 2, there wouldn't be a problem, but for the first, any rogue scanners out there would simply have to look for certain patterns within an address to figure out the MAC address.
I agree that DHCP6 is the way to go for IPv6 address assignment. For IPv4, since there were only a handful of addresses depending on the subnetting done,
Re: (Score:2)
Note: NetBSD is completely different, and not what my question was about in the first place. It says squat about the current state of IPv6 support in OBSD.
OpenBSD was originally a fork of NetBSD. However, possibly too long ago to be directly relevant to the topic here.
Re: (Score:2)
Kame was well supported on OpenBSD. That Japanese guy was the only guy with write permissions into the kernel source code for a large number of OSes from linux to darwin to all the *BSDs.
Re: (Score:3)
Edit: Specifically, "IPv6 code was merged into NetBSD in June 1999, and is part of NetBSD."
http://www.netbsd.org/docs/network/ipv6/
So there.
Okay, checked out that page. Seems to be more of a history lesson on IPv6 support in NetBSD. One key thing I noticed - all the BSDs, be it FreeBSD or NetBSD seem to prefer the autoconfiguration as far as IP addresses go, and typically don't support DHCP6. So anyone who has issues w/ EUI-64 is SOL. They mention that routers can't be autoconfigured, and that nodes should not be manually configured. But this is one of the reasons that DHCP6 is more important in IPv6 than DHCP4 was in IPv4.
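The EUI-64 concern raised a few posts up (a MAC address embedded in a SLAAC address leaves the local network) and the autoconf-versus-DHCP6 question in this post come down to one check: does an address on the host reveal the interface's MAC? The following is an added example, not code from the thread or from any BSD project. It implements the modified EUI-64 construction from RFC 4291 Appendix A (insert 0xfffe between the two halves of the 48-bit MAC and invert the universal/local bit), and the reverse: given a list of a host's addresses, report which ones are EUI-64 derived and what MAC they expose. The MAC, prefix and address list are constructed.

```python
"""Derive, detect and audit EUI-64 interface identifiers (RFC 4291, App. A).

Added example, not code from the thread. Use audit_addresses() on the output
of `ifconfig` to see whether a host's SLAAC addresses embed its MAC; if they
do, the fixes are privacy extensions (RFC 4941), DHCPv6 or static addresses.
"""
import ipaddress


def mac_to_eui64_iid(mac):
    """Return the 8-byte modified EUI-64 interface ID for a 48-bit MAC."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    iid = bytearray(octets[:3] + b"\xff\xfe" + octets[3:])
    iid[0] ^= 0x02  # invert the universal/local bit of the first octet
    return bytes(iid)


def slaac_address(prefix, mac):
    """Address a SLAAC host without privacy extensions forms for a /64 prefix."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("SLAAC needs a /64 prefix")
    packed = net.network_address.packed[:8] + mac_to_eui64_iid(mac)
    return ipaddress.IPv6Address(packed)


def embedded_mac(address):
    """Return the MAC embedded in an EUI-64 address, or None if not EUI-64 derived.

    The tell-tale is the 0xfffe filler in octets 3-4 of the interface ID; the
    same test applies to link-local (fe80::/64) addresses, which SLAAC builds
    from the same interface ID.
    """
    iid = ipaddress.IPv6Address(address).packed[8:]
    if iid[3:5] != b"\xff\xfe":
        return None
    first = iid[0] ^ 0x02  # undo the universal/local bit inversion
    octets = bytes([first]) + iid[1:3] + iid[5:]
    return ":".join(f"{b:02x}" for b in octets)


def audit_addresses(addresses):
    """Map each address that leaks a MAC to the MAC it leaks."""
    leaks = {}
    for addr in addresses:
        mac = embedded_mac(addr)
        if mac is not None:
            leaks[addr] = mac
    return leaks


if __name__ == "__main__":
    # Constructed values: documentation prefix and a made-up MAC.
    mac = "00:1c:42:12:34:56"
    derived = slaac_address("2001:db8:1:2::/64", mac)
    print(f"{mac} -> {derived}")
    sample = [str(derived), "fe80::21c:42ff:fe12:3456", "2001:db8:1:2:b4f3:9c12:77a0:1d5e"]
    for addr, leaked in audit_addresses(sample).items():
        print(f"{addr} exposes MAC {leaked}")
```

The third sample address has a random-looking interface ID with no 0xfffe filler, so it is reported clean; the global and link-local EUI-64 addresses both map back to the constructed MAC. Whether a given OpenBSD release uses EUI-64 or random interface IDs by default is something to verify on the host with this check rather than assume.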
Re: (Score:1)
The truth about KDE: http://www.mail-archive.com/misc@openbsd.org/msg88679.html [mail-archive.com]
I also remember them coming to misc and informing the community and porters that KDE won't run on openbsd due to the use of a cool linux daemon to manage stuff.
They don't include Emacs (instead mg is in base, rewritten from scratch with a funny easter egg inside), nor do they include Libre Office. It's just a Makefile and some patches that are distributed. Packages are a convenience for the users, and available only if the license
DEs and software (Score:2)
The truth about KDE: http://www.mail-archive.com/misc@openbsd.org/msg88679.html [mail-archive.com] I also remember them coming to misc and inform the community and porters that KDE won't run on openbsd due to the use of a cool linux daemon to manage stuff.
This was said to be true about GNOME3, where it was rumored that one linux daemon, systemd, was required - but OBSD seems to support GNOME3 in fallback mode. The fallback mode support for GNOME3 seems to be due to the requirement that in GNOME3, the GNOME shell requires 3D acceleration to work, as it requires graphics composition. That brings into focus the fact that most graphics cards don't include open source drivers, and while that's not a roadblock for FBSD, it does seem to be more of one for OBSD. O
Re: (Score:2)
Umm, there was a recent report that compared ipv6 stacks of a bunch of OSes, and OpenBSD (5.0) came out #1 in terms of compliance to standards. Stands to reason, since these guys are sticklers for doing things right.
Re: (Score:2)
depends on the font
Re:This one goes to 65535... (Score:5, Funny)
The OS I'm using has 65536 ports.
And if you're running Windows, there's a good chance they're all in use.
Re: (Score:2)
NetBSD? Is that you?