Bug Busters! OpenBSD 5.1 Released

Soulskill posted more than 2 years ago | from the something-free-in-your-neighborhood dept.

Operating Systems 135

An anonymous reader writes "Today the 5.1 release of OpenBSD has surfaced. As usual, it includes improved hardware support, but also OpenSSH 6.0 and over 7000 ports, with major performance and stability improvements in the package build process (and some really cool stickers). Here's the changelog, the download page, and the CD-ordering page."

7000 Ports? (1)

Anonymous Coward | more than 2 years ago | (#39863203)

Will one of those 7000 ports run on my dishwasher?

Re:7000 Ports? (1)

nurb432 (527695) | more than 2 years ago | (#39863243)

They might if you chose NetBSD instead.

Re:7000 Ports? (4, Informative)

mirix (1649853) | more than 2 years ago | (#39863297)

OpenBSD ports are a set of makefiles that will build packages, not OS 'ports' like you are thinking.

Re:7000 Ports? (-1)

Anonymous Coward | more than 2 years ago | (#39863477)

I'm waiting for it to include an anal port. I'm /bi-curious.

Re:7000 Ports? (1)

Anonymous Coward | more than 2 years ago | (#39864981)

Then this is the site for you [slashdot.org]

Open BSD confirms it (5, Funny)

future assassin (639396) | more than 2 years ago | (#39863211)

Netcraft is dead....

Re:Open BSD confirms it (2)

HyperQuantum (1032422) | more than 2 years ago | (#39866051)

That must be in Soviet Russia...

YAY! (1, Flamebait)

nurb432 (527695) | more than 2 years ago | (#39863213)

I think..

Honestly is OBSD relevant any more in the grand scheme of things, mainly due to its 'director' and its limited scope?

Re:YAY! (0, Flamebait)

Frank T. Lofaro Jr. (142215) | more than 2 years ago | (#39863369)

Honestly is OBSD relevant any more

No.

Re:YAY! (2, Insightful)

Anonymous Coward | more than 2 years ago | (#39863375)

OpenBSD is relevant to those of us to whom it's relevant. There is no "grand scheme". It's a secure, well-maintained, and well-documented OS. Oh, and it's free, in every sense of the word.

Re:YAY! (1)

nurb432 (527695) | more than 2 years ago | (#39863443)

You misunderstood the use of the term 'grand scheme'. It was not that OBSD had one, but the rest of the world has one, and wasn't sure if OBSD fits in there anymore.

It was relevant in the beginning but now, it doesn't seem like it so much.

Re:YAY! (1)

Anonymous Coward | more than 2 years ago | (#39863645)

Can you name another OS that's as secure as OpenBSD is? They did finally after a decade find a security hole in the base install. But, how many other OSes can claim that, even if you just limit it to more than a year?

It's still very much relevant to anybody that really cares about security. Other systems can be hardened, but they don't have a similar track record.

Re:YAY! (5, Informative)

mirix (1649853) | more than 2 years ago | (#39863765)

This is true, but the base install is pretty limited, so it's hard to compare, really.

(I think it's been three holes since the dawn of OpenBSD, by the way).

That said I still use it on some of my outward-facing stuff. PF is great. The pre-chrooted httpd is nice. Some other parts, not so much, though... can't think of a good example right now, but once in a while I run into things that amaze me with backwards-ness compared to my linux boxes.

Oh, and the documentation is a work of art compared to linux. That's a really nice feature.

Re:YAY! (3, Informative)

Anonymous Coward | more than 2 years ago | (#39864211)

Yeah, totally agree that OpenBSD is relevant today. I would even say OpenBSD is becoming more relevant today than it has been in the past, as we will receive more backdoors in open source projects that rely on binary distribution methods. I really hope OpenBSD sticks around, since it is the only truly stable open source distribution. I have used it since 2.6 and have always enjoyed the no-bullshit approach to having reliability and security together. The OpenBSD doesn't make the poor decisions that are so common in Linux distributions (the plymouth OS process on Ubuntu is a good example of common Linux stupidity). Also, OpenBSD doesn't have the hardware pressure of NetBSD, nor the feature pressure of FreeBSD, so they can focus on security and reliability. OpenBSD is relevant to those of us that require a quality operating system.

Re:YAY! (5, Insightful)

Just Some Guy (3352) | more than 2 years ago | (#39864475)

This is true, but the base install is pretty limited, so it's hard to compare, really.

That's not a bug: it's a feature. I know you already know that, but I mention it for the benefit of people not already familiar with OpenBSD. OpenBSD installs almost nothing by default, to the point that many systems don't even have man pages or a compiler. Fewer things installed = few things to break = fewer attack vectors = fewer things to maintain.

That also means that it's trivially easy to deploy a task-specific server that runs almost nothing not directly related to performing that task. For example, here are all the processes running after booting a particular mail gateway:

$ ps ax
PID TT STAT TIME COMMAND
1 ?? Ss 0:00.01 /sbin/init
21888 ?? Is 0:00.00 syslogd: [priv] (syslogd)
11594 ?? I 0:00.01 /usr/sbin/syslogd -a /var/www/dev/log -a /var/empty/dev/log
18652 ?? Is 0:00.00 pflogd: [priv] (pflogd)
16925 ?? S 0:00.01 pflogd: [running] -s 160 -i pflog0 -f /var/log/pflog (pflogd)
4551 ?? Is 0:00.00 ntpd: [priv] (ntpd)
12960 ?? S 0:00.01 ntpd: ntp engine (ntpd)
15118 ?? I 0:00.00 ntpd: dns engine (ntpd)
8253 ?? Is 0:00.00 /usr/sbin/sshd
32235 ?? Ss 0:00.01 sendmail: accepting connections (sendmail)
1749 ?? Ss 0:00.00 /usr/sbin/cron
23675 ?? Is 0:00.05 sshd: kirk [priv] (sshd)
25682 ?? S 0:00.04 sshd: kirk@ttyp0 (sshd)
17102 p0 Ss 0:00.19 -zsh (zsh)
17713 p0 R+ 0:00.00 ps -ax
8581 C0 Is+ 0:00.00 /usr/libexec/getty std.9600 ttyC0
4910 C1 Is+ 0:00.00 /usr/libexec/getty std.9600 ttyC1
25709 C2 Is+ 0:00.00 /usr/libexec/getty std.9600 ttyC2
12308 C3 Is+ 0:00.00 /usr/libexec/getty std.9600 ttyC3
19809 C5 Is+ 0:00.00 /usr/libexec/getty std.9600 ttyC5

So we have init (boots the system; makes sure things are running that are supposed to be); the system event logger; the firewall event logger; an NTP daemon to keep the time set correctly; the SSH daemon I used to connect into it; Sendmail (the OpenBSD-hardened version); the scheduled task manager; my shell process; and the program that listens for console logins. There's just not a lot you can strip away from that.

Here's the list of open sockets that an external user can connect to:

tcp 0 0 127.0.0.1.587 star.star LISTEN
tcp 0 0 127.0.0.1.25 star.star LISTEN
tcp 0 0 *.22 star.star LISTEN

So SMTP (25 and 587) and SSH are listening. Again, that's as minimal as you can feasibly get. Well, I suppose you could axe everything firewall related, since the only open ports are to services that are deliberately exposed to the Internet already, but security comes in layers.

It's obviously possible to build secure systems with other OSes, but OpenBSD goes a long way toward making it easy. "Secure by default" is a wonderful starting point!

Oh, and pf has the most beautiful firewall rule syntax of any system I've ever used.
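
An added example (not part of the comment above, and not OpenBSD's own tooling): a small Python audit that parses socket-listing lines in the BSD `netstat` layout quoted in the comment, separates loopback-bound listeners from those reachable over the network, and flags any reachable port missing from an allowlist. The sample input, the allowlist and every function name here are assumptions made for the example.

```python
import ipaddress
from collections import namedtuple

Listener = namedtuple("Listener", "proto addr port")

# Constructed sample input: the three LISTEN lines quoted in the comment above
# (copied as they appear on the page), plus two constructed lines that exercise
# an IPv6 loopback bind and a bind to one specific non-loopback address.
SAMPLE = """\
tcp 0 0 127.0.0.1.587 star.star LISTEN
tcp 0 0 127.0.0.1.25 star.star LISTEN
tcp 0 0 *.22 star.star LISTEN
tcp6 0 0 ::1.25 *.* LISTEN
tcp 0 0 192.0.2.10.8080 *.* LISTEN
"""


def parse_listeners(text):
    """Return a Listener for every TCP line whose state column is LISTEN."""
    found = []
    for line in text.splitlines():
        cols = line.split()
        # Expected columns: Proto Recv-Q Send-Q Local Foreign State
        if len(cols) != 6 or not cols[0].startswith("tcp") or cols[5] != "LISTEN":
            continue
        # The BSD layout joins address and port with a dot, so the port is
        # whatever follows the last dot ("127.0.0.1.25", "*.22", "::1.25").
        addr, _, port = cols[3].rpartition(".")
        if not port.isdigit():
            continue  # service names (output without -n) are out of scope here
        found.append(Listener(cols[0], addr, int(port)))
    return found


def reachable_from_network(addr):
    """False only when the socket is bound to a loopback address."""
    if addr == "*":
        return True  # wildcard bind: listening on every interface
    try:
        ip = ipaddress.ip_address(addr.split("%", 1)[0])  # drop any %scope
    except ValueError:
        return True  # unparseable address: fail closed and report it
    return not ip.is_loopback


def audit(text, allowed_ports):
    """Classify listeners and list reachable ports that are not allowed."""
    exposed, local_only = set(), set()
    for lst in parse_listeners(text):
        target = exposed if reachable_from_network(lst.addr) else local_only
        target.add(lst.port)
    return {
        "exposed": sorted(exposed),
        "local_only": sorted(local_only),
        "unexpected": sorted(exposed - set(allowed_ports)),
    }


if __name__ == "__main__":
    # Hypothetical policy: only SSH may be reachable from other hosts.
    report = audit(SAMPLE, allowed_ports={22})
    for key, ports in report.items():
        print(f"{key:11s} {ports}")
```

Run against only the three lines quoted in the comment, the audit reports port 22 as reachable from the network and ports 25 and 587 as bound to loopback.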

Re:YAY! (4, Insightful)

TheRaven64 (641858) | more than 2 years ago | (#39865589)

OpenBSD installs almost nothing by default, to the point that many systems don't even have man pages or a compiler.

The standard install includes everything required by the Single UNIX Specification, including man pages and a compiler. You can choose not to install them, but that typically only happens on small embedded systems with 16-64MB of Flash.

Fewer things installed = few things to break = fewer attack vectors = fewer things to maintain

It also means you don't get the situation like Ubuntu where every time I turn on the system I have running Ubuntu it wants to install 200+MB of updates for stuff I never use and don't want installed.

Quality Control with Balls! (4, Informative)

Anonymous Coward | more than 2 years ago | (#39865369)

...the base install is pretty limited...

The base install is painstakingly audited. They look for all bugs, even ones that have no apparent means of exploitation. This has often resulted in OpenBSD being unaffected by holes discovered in other systems. The same degree of assurance cannot be extended to thousands of ports, however, so a line is drawn around the base install.

That being said, I've heard that Theo expects that one should be able to 'cd /usr/ports' and 'make install' - to build and install every port in the tree - without error. What other OS has the balls to pull that off?

Re:YAY! (1)

Clarious (1177725) | more than 2 years ago | (#39864849)

The base install is limited, they did a great job auditing the code. But the moment you install something from the port, if that software contains a bug, then OpenBSD is no more secure than Linux running that software. Or even worse, as OpenBSD refuses to have some kind of MAC implemented, Linux has SELinux/AppArmor/Tomoyo while FreeBSD has TrustedBSD. While those aren't a silver bullet to every problem, they help in limiting the damage caused when your potentially insecure software gets compromised.

Re:YAY! (0)

GioMac (862536) | more than 2 years ago | (#39865781)

Is that a joke?
Nobody cares about base install.
In this case we care about updates, immediate patches, commercial support and strong, quality community and commercial background with experience.

First, the *BSD market is too small to have this at an appropriate level.
Second, what do you call "security"? Patching holes? No no no. Security is a hard thing:
* it's about hardening too
* it's about writing policies
* it's about having consistent directory structure
* it's about easy and ensured, certified audit
* it's about ease of maintenance
* it's about consistency checking
* it's about access limiting
* it's about support from various vendors etc.
* it's about enterprise integration

*BSD lacks that. I see no future in here for production corporate environment.

I'm not yet talking about the possibilities of other operating systems and software suites; I'm just saying that BSD is even worse than Windows here.

When I hear "*BSD is secure operating system" or "*BSD is a good thing" (c), I don't hear any other arguments. Please prove.

Re:YAY! (1)

1s44c (552956) | more than 2 years ago | (#39866741)

I care about the base install. It's all you need to make a highly secure firewall. I want as little as possible running on my firewalls.

PF is actually easier to set up and maintain complex sets of rules than iptables is. I know there isn't much you can't do with iptables but pf makes most of it way easier. Plus the iptables concept of a forward chain really is a bad thing.

You claim *BSD lacks all kinds of things but most of these look like big company process things that could be applied to the BSDs in just the same way they are applied to Windows. Access limiting for example.. Well, where do you think OpenSSH came from?

OpenBSD works fine in my 'production corporate environment' thanks.

Re:YAY! (4, Interesting)

pipatron (966506) | more than 2 years ago | (#39863695)

What has changed since the beginning that made OpenBSD less relevant?

Re:YAY! (0)

Anonymous Coward | more than 2 years ago | (#39863955)

everything else.

Re:YAY! (0)

Anonymous Coward | more than 2 years ago | (#39864817)

Don't get sucked in by the trolling of the Linux folks. Most of them haven't realized there's more Kool-Aid than just Apple's.

Re:YAY! (2)

tck42 (227122) | more than 2 years ago | (#39863723)

As a network appliance type device at least I'd say it's still very relevant. I still prefer configuring / maintaining pf over iptables (or any other competitor I've tried) for any non-trivial ruleset, the documentation is IMO much better than most of the other stuff out there, it's relatively secure and relatively stable, and the performance and compatibility with older hardware has been great (in my experience). I use it for my gateway device and have never had any problems. I briefly used Linux for the same task and found myself spending more time messing with it. I could easily see it replacing all sorts of expensive commercial solutions at my workplace but managers like commercial vendors. It's just well put together and does what it's built for quite well. I think there's room for all sorts of stuff in the "grand scheme", not just shiny and popular stuff.

Re:YAY! (2, Interesting)

Just Some Guy (3352) | more than 2 years ago | (#39864493)

I replaced our Sonicwall with OpenBSD+PF nearly 8 years ago. The only user-visible difference is that we stopped having unplanned network outages.

Re:YAY! (1)

1s44c (552956) | more than 2 years ago | (#39866751)

I replaced our Sonicwall with OpenBSD+PF nearly 8 years ago. The only user-visible difference is that we stopped having unplanned network outages.

s/sonicwall/pfsense/ and I did the same. It worked great.

I don't get why anyone wants stuff like pfsense. If people can't understand pf's easy syntax they can't really understand the network traffic it's manipulating.

How well does it run on VMs? (1)

billstewart (78916) | more than 2 years ago | (#39865293)

Sure, I realize that some people would rather have OpenBSD running on bare metal, without having untrustworthy layers underneath, but since in the grand scheme of things we're running just about everything on top of VMware these days (except stuff that needs hardware acceleration), how well does OpenBSD work on top of VMware? Is installing it straightforward, or does the disk partitioning get weird? Can I just hand VMware the ISO and tell it to install itself? Will the vmware tools install cleanly? I'm mainly interested in using the firewall bits and IPSEC tunnels, and maybe also the http servers for things that need security more than they need flashy content management.

Re:How well does it run on VMs? (2)

jawtheshark (198669) | more than 2 years ago | (#39865405)

It should work. Do remember that it's not paravirtualized. While not VMWare, I've run it in VirtualBox sessions. If VirtualBox can do it, so should VMWare.

Partitioning scheme: Not more complicated than on the bare metal.

ISO: You can do that, but you'll have to create the ISO yourself (which isn't hard - they might even provide downloadables these days... I wouldn't know, you'll see why), or you just buy the official CD (recommended version). Me? I don't bother with CDs anymore. Just use the PXE-boot (netboot) method and be done with it.

VMWare tools: What VMWare tools? I'm pretty sure, there aren't any... You don't need them. You're not going to run X on it anyway, are you? Once you have ssh running, you probably never will use the console again. Besides, I'm sure VMWare can handle serial-port connections. My OpenBSD box doesn't even have a graphics card. RS232 is enough.

Re:How well does it run on VMs? (1)

ifrag (984323) | more than 2 years ago | (#39866217)

OpenBSD work on top of VMware?

In my experience (not very recently) it wouldn't run at all. I think it hung somewhere around disk probing, and I tried all the options that made sense to try to fix it. However for the same old version of VMware, and corresponding old OS versions, I had no issues with FreeBSD or NetBSD.

So maybe OBSD will run virtualized, but if not _some_ version of BSD will probably work. I think the reality is the OBSD developers probably don't really give a damn if it does run virtualized. I've also run into problems on OBSD with real physical disks / controllers as well, so it could just be they've emulated a piece of hardware that didn't work in the first place.

Re:How well does it run on VMs? (1)

1s44c (552956) | more than 2 years ago | (#39866769)

It works fine; however, if you run this stuff under vmware you are destroying the security advantage that OpenBSD gives you.

I'm not running everything under vmware anyway. I have a few production servers under KVM but most of it is on bare metal.

Re:YAY! (0)

Anonymous Coward | more than 2 years ago | (#39863801)

The news is certainly relevant to me, as I'm a FreeBSD user with a number of production servers hosting services to various corporate clients and I like to read about these bug fixes as OpenBSD bug fixes cross pollinate with FreeBSD bug fixes.

Re:YAY! (0)

Anonymous Coward | more than 2 years ago | (#39863385)

I think..

Honestly is OBSD relevant any more in the grand scheme of things, mainly due to its 'director' and its limited scope?

I could say the same thing about every other OS. You're weird man.

Re:YAY! (5, Insightful)

101percent (589072) | more than 2 years ago | (#39863433)

Given that OpenSSH alone is the most used FOSS program, and there are virtually no corporate contributions, I think Theo just has lost patience for people who come on the lists and complain.

Re:YAY! (2)

identity0 (77976) | more than 2 years ago | (#39864785)

>Theo just has lost patience for people

fixed.

Re:YAY! (0)

Anonymous Coward | more than 2 years ago | (#39865571)

> Theo just has lost patience *with* people.

Properly fixed, i.e. not in nigger speak.

Re:YAY! (5, Insightful)

serviscope_minor (664417) | more than 2 years ago | (#39865719)

Theo just has lost patience for people

That's simply not true. Theo has lost patience with whiners who want someone else to do their thinking for them.

I've got polite, helpful responses personally from Theo. I was trying to build a module (despite all the dire warnings how not to do this or ask questions and how unsupported it is) so I could hack on the drivers for a moderately exotic piece of hardware. I posted questions. He was one of the people with a response.

It turns out that if you know that the mailing list doesn't suffer fools, you work that little bit harder to write a sensible mail.

You double check everything and make sure you read the docs. This catches many of the bugs initially and then you don't need to post in the first place. If it doesn't fix the problem, it gives the mailing list inhabitants a good indication of what the problem is.

To me it seems unbelievably rude to ask some of the world experts for a bit of their time to help without bothering to check the things that you need help on. I just don't understand how most other people don't also see this as rude.

Re:YAY! (1)

rvw (755107) | more than 2 years ago | (#39866053)

It turns out that if you know that the mailing list doesn't suffer fools, you work that little bit harder to write a sensible mail.

You double check everything and make sure you read the docs. This catches many of the bugs initially and then you don't need to post in the first place. If it doesn't fix the problem, it gives the mailing list inhabitants a good indication of what the problem is.

To me it seems unbelievably rude to ask some of the world experts for a bit of their time to help without bothering to check the things that you need help on. I just don't understand how most other people don't also see this as rude.

This is my experience as well. When I ask a question online, I always try as many solutions as I can think of before asking. And I mention those attempts as well, so people see that I'm serious and take the time for it. Doing this I have solved many problems myself before it came to an online post...

Re:YAY! (3, Insightful)

gman003 (1693318) | more than 2 years ago | (#39863589)

In the Grand Scheme of Things? No.

But, for a grand enough definition of "grand scheme of things", your entire life is irrelevant. The history books will forget you, no matter how important, after enough millennia. And I'm pretty sure the rotation of the galaxy cares not one whit for the combined accomplishments (to date) of the entire human race.

So, in the end, who cares for the grand scheme of things? As long as it's relevant to you, it's relevant enough.

Personally, I have an OpenBSD box (normally my experimental-server-slash-tertiary-backup-desktop, currently my experimental-server-slash-secondary-backup-desktop, as my primary-desktop is currently my primary-doorstop). And I haven't updated it since... 4.6? 4.8? Can't be assed to ssh in and check. So 5.1 isn't important to me, but OpenBSD itself somewhat is.

Re:YAY! (1)

Anonymous Coward | more than 2 years ago | (#39863993)

Makes a better router than linux or windows....

Re:YAY! (1)

teknopurge (199509) | more than 2 years ago | (#39864011)

It's probably the most relevant OSS OS project out there. How many other projects have cultivated as much new software? Hell, most of the new shit in the Linux Kernel came from OpenBSD....

Re:YAY! (0)

Nutria (679911) | more than 2 years ago | (#39864281)

most of the new shit in the Linux Kernel came from OpenBSD....

That requires documentation.

Re:YAY! (1)

LurkerXXX (667952) | more than 2 years ago | (#39864775)

Yeah, I mean what good do they do except for all that silly security stuff, like providing us with SSH and stuff.

Re:YAY! (1)

LurkerXXX (667952) | more than 2 years ago | (#39864825)

sigh, posted as plain text and lost the </sarcasm> snark.

Over 7000 ports (0)

pathological liar (659969) | more than 2 years ago | (#39863383)

... unless you don't feel like putting X on a server, in which case building from ports is unsupported and sometimes obviously broken.

Re:Over 7000 ports (4, Informative)

e9th (652576) | more than 2 years ago | (#39863635)

There was a brief time, four or five years ago, when something (expat maybe?) was mistakenly placed in xbase, so you had to install the xbase set for a whole bunch of ports/packages. That situation didn't last. And even then, you didn't have to run X.

Re:Over 7000 ports (1)

jawtheshark (198669) | more than 2 years ago | (#39865413)

Depends. I was playing around with rrdtool on OpenBSD 5.0 and there was a library it required in xbase. I just extracted it and put it where needed, but it sure was a pain.

over 7000 ports (1)

Anonymous Coward | more than 2 years ago | (#39863447)

What if someone needs to use port 8000?

Re:over 7000 ports (2)

JustOK (667959) | more than 2 years ago | (#39863833)

just use port 4000 twice. It's all binary.

Re:over 7000 ports (1)

stderr_dk (902007) | more than 2 years ago | (#39864153)

just use port 4000 twice. It's all binary.

4000 ain't binary. It's at least base 5.

Re:over 7000 ports (1)

Anonymous Coward | more than 2 years ago | (#39864249)

what's binary for "whooosh"?

Re:over 7000 ports (1)

CrashandDie (1114135) | more than 2 years ago | (#39865019)

1110111 1101000 1101111 1101111 1110011 1101000,

or 011101110110100001101111011011110111001101101000, depending on how you take your coffee. Mine's with milk.

Re:over 7000 ports (1)

jones_supa (887896) | more than 2 years ago | (#39865461)

The parent had three of letter 'o' there, so you're missing one.

Re:over 7000 ports (1)

machine321 (458769) | more than 2 years ago | (#39863867)

No, the ports are chmod 7000. They're setuid, setgid, and sticky.

Who ya gonna call? (2)

Billly Gates (198444) | more than 2 years ago | (#39863461)

Bug busters [openbsd.org] !

Thank you, Soulskill (1)

oldhack (1037484) | more than 2 years ago | (#39863547)

You know, you can write a robust, rambunctious, attention-grabbing headline without being a deceitful troll-weasel (cough sanzem-something), like soulskill has done here.

Only 7000? (0)

Anonymous Coward | more than 2 years ago | (#39863729)

Only 7000 ports? But NetBSD has OVER NINE THOUSAAAAAAAAAAAAAND!

Re:Only 7000? (0)

Anonymous Coward | more than 2 years ago | (#39863741)

Nine is bigger than seven.

Re:Only 7000? (1)

JustOK (667959) | more than 2 years ago | (#39863839)

depends on the font

Re:Only 7000? (0)

Anonymous Coward | more than 2 years ago | (#39863811)

Only 7000 ports? But NetBSD has OVER NINE THOUSAAAAAAAAAAAAAND!

Wow, and OpenBSD has only half the number of developers.... what an achievement.

Re:Only 7000? (1)

knuthin (2255242) | more than 2 years ago | (#39865453)

7 eats 9.

LSD can help you imagine how broken OpenBSD really (0)

Anonymous Coward | more than 2 years ago | (#39863805)

http://wideopenbsd.org/

Human-readable changelog (0)

Nimey (114278) | more than 2 years ago | (#39864145)

Anyone got a human-readable changelog with highlights? The linked one is a dump of everything that's changed.

Re:Human-readable changelog (1)

dolmant_php (461584) | more than 2 years ago | (#39864309)

The first link in the story is the human-readable changelog.

Re:Human-readable changelog (1)

Nimey (114278) | more than 2 years ago | (#39864381)

You are right.

I can only say that this is /. and one does not simply RTFA.

This one goes to 65535... (0)

Anonymous Coward | more than 2 years ago | (#39864173)

Pfffttt... Only 7000 ports?

The OS I'm using has 65536 ports.

Re:This one goes to 65535... (5, Funny)

Just Some Guy (3352) | more than 2 years ago | (#39864479)

The OS I'm using has 65536 ports.

And if you're running Windows, there's a good chance they're all in use.

Re:This one goes to 65535... (1)

Hillgiant (916436) | more than 2 years ago | (#39866793)

NetBSD? Is that you?

Where is the P2P distribution? (0)

Anonymous Coward | more than 2 years ago | (#39864177)

So many people (apologists?) use downloading different distributions of *nix operating systems as justification for P2P applications.

How come OpenBSD isn't using P2P (BitTorrent specifically) to help spread the wealth? I understand they're affiliated with many Universities and hence "free bandwidth", but honestly it's 2012 now.

Why no torrent?..

Re:Where is the P2P distribution? (0)

Anonymous Coward | more than 2 years ago | (#39864361)

The full install CD is only 240MB, which is probably related.

Security... (1)

QuietLagoon (813062) | more than 2 years ago | (#39864519)

I use OpenBSD as one of the layers that protect me from the evils that lurk on the Internet. OpenBSD works quite well as my firewall and router and ntp time server and DHCP server and DNS server and....

.

An awesome periphery and utility server OS.

relevance is overrated (1)

epine (68316) | more than 2 years ago | (#39864705)

Why does no one ask about the relevance of the porn industry? OpenSSH was the biggest thing since Debbie does Dallas. Few have more than that to their credit.

Bearded fellow: Let he who is without sin throw the first stone.
Crazed villager [inspecting charismatic sinner]: Theo, is that you?
Crazed villager's wife: Who does this bearded guy think he is?

Here's the thing about security. If you have to ask about relevance, you can't handle the truth.

contributions to other apps and OS (1)

br0ked (2629951) | more than 2 years ago | (#39864969)

I would like to see the number of contributions from OpenBSD that are currently in other applications and/or other operating systems as compared to other *nix....

Choices of s/w & IPv6 support (2)

unixisc (2429386) | more than 2 years ago | (#39864979)

I had a look at it, and found some things interesting.

Under highlights, it mentions that it supports GNOME 3.2.1 (fallback mode), but for KDE, it supports 3.5.10. For GNOME, this is the first time I have seen any BSD support GNOME3 - in fact, there was some discussion in the past about how GNOME3 wouldn't run on BSDs due to systemd being a requirement. The other interesting aspect of this is that it goes for the latest, much publicly disparaged version of GNOME, but for KDE, which is much improved, it's @ 3.5. They could have either gone for KDE4.8, or if they didn't like that, they could have ditched KDE altogether and gone w/ Trinity.

The other thing I noticed throughout the notes was improvements in support for IPv6, such as fragment handling, but what I haven't figured out is how mature is OpenBSD's IPv6 support compared to FreeBSD? FBSD is currently second to none when it comes to IPv6 support (I'm not sure how it compares to Windows 7, which has been innovative for IPv6 on its own, w/o relying on the BSD layer 3 stack as it did for IPv4), but I was curious about OBSD. If someone wanted to create an IPv6 firewall cum router w/ OBSD as the management OS, does the OS have whatever it needs for this purpose?

On a separate note, I did find it interesting that they include software that's now GPL3 - such as Emacs, GCC, Libre Office, among others. In the case of the compiler, they didn't offer LLVM/Clang, and nor do they seem to prefer BSD software to others - for instance, Apache is the web server that they offer, and not Nginx. In short, I found their choices of default software pretty interesting, given all the recent discussions regarding GPL3 vs BSDL and so on.

Re:Choices of s/w & IPv6 support (0)

Anonymous Coward | more than 2 years ago | (#39865041)

They don't include the GPL3 versions of the software you mentioned. Also, the IPv6 support is great.

Re:Choices of s/w & IPv6 support (1, Informative)

Anonymous Coward | more than 2 years ago | (#39865079)

Nothing you say makes sense. FreeBSD's IPv6 support is second to none only if you exclude OpenBSD.

They still have Apache because OpenBSD is extremely conservative. They forked Apache 1.3 over a decade ago and notwithstanding Apache's rough edges, has been rock solid (many of the recent Apache 1.3.x security issues were fixed or mitigated in OpenBSD's fork long ago). Nginx is in trunk already but OpenBSD is reticent to switch over until they're convinced it's worth the risk.

Likewise with Sendmail. They have their own MTA in the pipeline but are extremely conservative about switching over. They forked sendmail long ago.

This conservatism means two things: security vulnerabilities are exceedingly rare (newer code is always riskier), and system administration is a breeze. Very little changes from one release to the next. Administering OpenBSD is almost exactly the same today as it was 10 years ago, the biggest change being the addition of /etc/rc.d a couple of cycles ago. The easier administration means the more likely one can keep a tight ship.

One thing OpenBSD is not conservative about is documentation, standards support, and the networking stack. All of these things are under constant development, but OpenBSD's philosophy is incremental improvement, which means you rarely see announcements about huge features. Features are completed gradually and more-or-less silently rolled out as a finished product.

Re:Choices of s/w & IPv6 support (1)

mfwitten (1906728) | more than 2 years ago | (#39865211)

I do not think the word 'reticent' means what you think it means.

IPv6 support (1)

unixisc (2429386) | more than 2 years ago | (#39865213)

How is OBSD's IPv6 support superior to FBSD, which is what your first statement above seems to suggest? I've checked their site - for instance, their Networking FAQ, [openbsd.org] and there is nothing there that suggests that OBSD has embraced IPv6 and supports it in a big way. There is no mention of any DHCP6 support, even though they have a major section on DHCP support, and in all the examples that they provide, they use only IPv4 examples, implying that equivalent IPv6 support either doesn't exist, or at best, is nowhere near as ready. Except in the section that describes ifconfig, there is nothing that suggests that IPv6 is even supported, if one goes by just this section of the FAQ.

I agree that their improvements would be incremental, but for your claim that it exceeds that of FBSD, I'd need to see that 5.1 supports everything about IPv6 that FBSD9 supports - and more. At least going through their above documentation, nothing seems to suggest that this support is there. Only thing about FBSD - some of its derivatives, like pFsense, which is purely an FBSD firewall and router, does not support IPv6, despite FBSD supporting it. Which is a real disappointment.

Re:IPv6 support (1)

HonIsCool (720634) | more than 2 years ago | (#39865409)

I have run OpenBSD as my firewall since forever, and have since set up a tunnel to give my LAN IPv6 connectivity. There has been absolutely no problem with IPv6 at all in OpenBSD[*]. Every application I've messed with, from packet filter to tunneling to DHCP to nameserver supports it. Granted my usage is probably very limited still, but my impression is that IPv6 is supported pretty much everywhere that IPv4 is. I can't say how this compares with FreeBSD though, because my experience with it is restricted to a brief laptop install circa 1998 (although, I was briefly considering installing it on a desktop machine this weekend actually!)

[*] Well, actually, one of the remote holes in the default install actually was in the IPv6 implementation, but that was before I set up my tunnel fortunately!

Re:IPv6 support (1)

unixisc (2429386) | more than 2 years ago | (#39865733)

Tunnelling IPv6 over IPv4, if that's what you meant, doesn't imply IPv6 support, which was my basic question. Here, one would simply be encapsulating IPv6 packets in IPv4 and running them over the network. That's pretty much the status quo, and could be done anyway - an OS doesn't need to have any IPv6 support to enable that.

I was asking whether one could set up an IPv6 network using an OBSD gateway acting as a router and firewall. Imagine that the external network (think Comcast or HE) was IPv6 as well, and imagine that this network, for the sake of this discussion, was using only IPv6 addresses, and various scopes of addresses, be it global unicast, local-link, site-unique and so on.

I read up a bit on pF, and seems like it can process filtering rules for IPv6, unless I'm mistaken. My question, which I posted to the AC below, was whether OBSD has a DHCP6 client the same way it has a DHCP client, whether it supports IPv6 versions of the supported IPv4 routing protocols, and so on. In other words, if somebody was setting up an IPv6 based network and wanted to use OBSD, w/ its famed security, as the gateway, does OBSD have all the IPv6 support to do that w/o any fallback to IPv4?

Re:IPv6 support (1)

HonIsCool (720634) | more than 2 years ago | (#39865775)

What I meant was that I set up an IPv6 over IPv4 tunnel on my openbsd box which then acts as an IPv6 router for my LAN. IPv6 packets are routed to and subjected to the OpenBSD firewall just like IPv4 packets. I also have DHCPv6-server running to deal with computers on the LAN getting proper IPv6 addresses. In other words, my setup sounds pretty similar to what you are asking about. If my ISP offered native IPv6, that would actually simplify things as it would mean one less step as I wouldn't need the tunnel anymore.

Re:IPv6 support (1)

unixisc (2429386) | more than 2 years ago | (#39866009)

Ok, thanks, that does make this clearer. Did the DHCP6 server come as a part of the package - reading the OBSD website, there is nothing there to suggest that it is included. Or did you get it separately from elsewhere?

Re:IPv6 support (1)

Bengie (1121981) | more than 2 years ago | (#39866717)

I wonder how OBSD would compare to FBSD for firewall throughput using 10Gb interfaces and a 6 core Xeon.

Re:IPv6 support (0)

Anonymous Coward | more than 2 years ago | (#39865459)

Are you on crack? The BSDs have been supporting IPv6 for over 10 years and were the first to support it. This might be hard to understand for Linux weenies. It's not advertised as much because it's a given.

Re:IPv6 support (0)

Anonymous Coward | more than 2 years ago | (#39865465)

Edit: Specifically, "IPv6 code was merged into NetBSD in June 1999, and is part of NetBSD."

http://www.netbsd.org/docs/network/ipv6/

So there.

Re:IPv6 support (1)

unixisc (2429386) | more than 2 years ago | (#39865705)

I pretty much cited what seemed to be a shortcoming of OBSD as far as IPv6 support goes - you really need to read the provided links, which are right from their home site FAQ. IPv6 itself hasn't been around for 10 years - the protocol has been constantly undergoing modifications, so if I'm on crack, you're on meth. FBSD support for IPv6 started w/ the KAME project, and in FBSD9, IPv6-only options have been added for the first time. Nor is IPv6 there on all BSDs - check out pFsense, which is an FBSD based firewall cum router, and it supports only IPv4, not IPv6. That's despite FBSD supporting IPv6 for a while now! Oh, and another point - nowhere did I say a thing about Linux - that was not even there in this conversation.

So be more specific, instead of just a handwaving exercise. Does OBSD include a DHCP6 package, the same way they include DHCP4? Note that DHCP and DHCP6 are completely different, so just b'cos OBSD has a built-in DHCP4 client and server does not imply that it supports DHCP6 the same way. Same question regarding the firewalls - does pF include IPv6 filters? Do IPv6 versions of IPv4 routing protocols, such as RIPng, or OSPF6, or EIGRP6, get supported here? Or is all that currently a work in progress, targeted for some future release of OBSD?

Note: NetBSD is completely different, and not what my question was about in the first place. It says squat about the current state of IPv6 support in OBSD.

Re:IPv6 support (1)

HonIsCool (720634) | more than 2 years ago | (#39865755)

OpenBSD does include a DHCP6 package (or maybe it's in ports, I honestly don't remember, but anyway, it works). PF does support IPv6 filters, exactly the same as IPv4 as far as I can discern. As for routing protocols, I have no experience with them, but OpenBGPD does appear to support IPv6.

Re:IPv6 support (1)

unixisc (2429386) | more than 2 years ago | (#39865909)

Sorry, I did a search throughout the site, and found nothing to suggest that there is any DHCP6 client or server included the way there is for DHCP4. But you're right about pF - the packet filters do seem to be supported.

Re:IPv6 support (0)

Anonymous Coward | more than 2 years ago | (#39865961)

WTF is pF? Is this some I'm-a-unique-snowflake bullshit where you invent some spelling that has no relation to reality?

It's called PF, moron.

Re:IPv6 support (1)

unixisc (2429386) | more than 2 years ago | (#39865995)

You're right hon, I somehow had the pFsense spelling in my mind, and wrote it as pF. It's nice that you could catch that, since you could not answer any of my other questions about IPv6 support, which doesn't seem to be evident from reading the site itself.

Re:IPv6 support (1)

HonIsCool (720634) | more than 2 years ago | (#39866033)

I think a DHCP6 client/server might not be included on the same level as DHCP4, but there absolutely is an option to install a working one, since I'm indeed using it. A quick scan shows the "wide-dhcp6" in packages, but I'm not quite sure if this is the one. I can check later when I get home if you want?

Re:IPv6 support (1)

ifrag (984323) | more than 2 years ago | (#39866297)

Note: NetBSD is completely different, and not what my question was about in the first place. It says squat about the current state of IPv6 support in OBSD.

OpenBSD was originally a fork of NetBSD. However, possibly too long ago to be directly relevant to the topic here.

Re:IPv6 support (2)

unixisc (2429386) | more than 2 years ago | (#39865935)

Edit: Specifically, "IPv6 code was merged into NetBSD in June 1999, and is part of NetBSD."

http://www.netbsd.org/docs/network/ipv6/

So there.

Okay, checked out that page. Seems to be more of a history lesson on IPv6 support in NetBSD. One key thing I noticed - all the BSDs, be it FreeBSD or NetBSD seem to prefer the autoconfiguration as far as IP addresses go, and typically don't support DHCP6. So anyone who has issues w/ EUI-64 is SOL. They mention that routers can't be autoconfigured, and that nodes should not be manually configured. But this is one of the reasons that DHCP6 is more important in IPv6 than DHCP4 was in IPv4.

Re:Choices of s/w & IPv6 support (1)

spirat (2570111) | more than 2 years ago | (#39865679)

The truth about KDE: http://www.mail-archive.com/misc@openbsd.org/msg88679.html [mail-archive.com]
I also remember them coming to misc and informing the community and porters that KDE won't run on openbsd due to the use of a cool linux daemon to manage stuff.

They don't include Emacs (instead mg is in base, rewritten from scratch with a funny easter egg inside) neither do they include Libre Office. It's just a Makefile and some patches that are distributed. Packages are a convenience for the users, and available only if the license is 'free' enough (i.e legally possible). They want to switch to pcc instead of gcc, I've heard that Theo does that.

OpenBSD's IPv6 stack is one of the most mature stacks. I bet its code is already somewhere else (free license => not wasting engineering efforts). You might want to read about Packet Filter if you're especially interested in tuning/handling IPv6 traffic.

Apache is actually an old version of apache, before the license sucked, and it underwent a lot of changes. Don't compare it to nginx. You can get it in the ports/package system if you're not happy with the shipped apache.

As a side note, OpenBSD uses the ISC license when i can now. Might be worth looking ;).

DEs and software (1)

unixisc (2429386) | more than 2 years ago | (#39865893)

The truth about KDE: http://www.mail-archive.com/misc@openbsd.org/msg88679.html [mail-archive.com] I also remember them coming to misc and informing the community and porters that KDE won't run on openbsd due to the use of a cool linux daemon to manage stuff.

This was said to be true about GNOME3, where it was rumored that one linux daemon systemd was required - but OBSD seems to support GNOME3 in fallback mode. The fallback mode support for GNOME3 seems to be due to the requirement that in GNOME3, the GNOME shell requires 3D acceleration to work, as it requires graphics composition. That brings into focus the fact that most graphics cards don't include open source drivers, and while that's not a roadblock for FBSD, it does seem to be more of one for OBSD. On the FSF side of things, some of the FSF endorsed Linux distros, like Trisquel, had the same issue, and they too defaulted w/ this fallback mode GNOME option.

Was this ever a problem in KDE4? While KDE4 had initial problems due to Qt4 being unready at the time, KDE4.8, as it stands today, is reasonably mature. KDE5 and beyond will support Wayland in addition to X, but OBSD needn't go that route if it doesn't want to. At any rate, does KDE4.8, like GNOME3, require 3D acceleration to get going? I've never heard of KDE having such a requirement.

They don't include Emacs (instead mg is in base, rewritten from scratch with a funny easter egg inside) neither do they include Libre Office. It's just a Makefile and some patches that are distributed. Packages are a convenience for the users, and available only if the license is 'free' enough (i.e legally possible). They want to switch to pcc instead of gcc, I've heard that Theo does that.

Okay, why does this page [openbsd.org] seem to suggest that Emacs and Libre Office are included? Very strange!

OpenBSD's IPv6 stack is one of the most mature stacks. I bet its code is already somewhere else (free license => not wasting engineering efforts). You might want to read about Packet Filter if you're especially interested in tuning/handling IPv6 traffic.

Apache is actually an old version of apache, before the license sucked, and it underwent a lot of changes. Don't compare it to nginx. You can get it in the ports/package system if you're not happy with the shipped apache.

I listed my questions about IPv6 support above, under the discussion I renamed 'IPv6 support'.

As a side note, OpenBSD uses the ISC license when i can now. Might be worth looking ;).

It doesn't use the normal BSD license like other BSDs?

Re:DEs and software (0)

Anonymous Coward | more than 2 years ago | (#39866165)

They don't include Emacs (instead mg is in base, rewritten from scratch with a funny easter egg inside) neither do they include Libre Office. It's just a Makefile and some patches that are distributed. Packages are a convenience for the users, and available only if the license is 'free' enough (i.e legally possible). They want to switch to pcc instead of gcc, I've heard that Theo does that.

Okay, why does this page [openbsd.org] seem to suggest that Emacs and Libre Office are included? Very strange!

They are available as convenient packages but not included in base.

As a side note, OpenBSD uses the ISC license when i can now. Might be worth looking ;).

It doesn't use the normal BSD license like other BSDs?

New code in OpenBSD receives an ISC-like (don't ask) license, which is similar to the BSD license in spirit.

Re:DEs and software (0)

Anonymous Coward | more than 2 years ago | (#39866317)

Nice troll.

Okay, why does this page [openbsd.org] seem to suggest that Emacs and Libre Office are included? Very strange!

So you understand, they are included as in the sentence "iPhone includes Angry Birds".

It doesn't use the normal BSD license like other BSDs?

Other BSDs use it too. It removes unnecessary terms from the classic BSD license. OpenBSD uses a version the FSF doesn't approve of as it could be interpreted by very obtuse lawyers to mean you can't distribute unmodified copies, which would be inconvenient the next time a GPL project lifts ISC code.
