Slashdot is powered by your submissions, so send in your scoop

 



Forgot your password?
typodupeerror
×
Operating Systems

OpenBSD 7.3 Released (openbsd.org) 135

metrix007 writes: OpenBSD, the OS that earned an exaggerated reputation for security simply by disabling services by default, has released version 7.3. Plenty of new improvements and bug fixes including to the editor, although still no real security features to help lock down a system, no virtual machine support for non-OpenBSD guests and no modern file system.
This discussion has been archived. No new comments can be posted.

OpenBSD 7.3 Released

Comments Filter:
  • Bitter much? (Score:5, Interesting)

    by menkhaura ( 103150 ) <espinafre@gmail.com> on Monday April 10, 2023 @12:24PM (#63438696) Homepage Journal

    Just use Linux. Or Windows. No need for such bitterness.

    • ... who is bitter? You were literally the first poster.
      • ... who is bitter? You were literally the first poster.

        You didn't even read the summary?

        • by jmccue ( 834797 )

          On slashdot, joking right ? I think we are lucky if people even reads the Title.

          Like the articles, these days no one reads the summary.

          • On slashdot, joking right ? I think we are lucky if people even reads the Title.

            Like the articles, these days no one reads the summary.

            You must be new here. Your first response should have been a wild misunderstanding of what I said complete with straw-man argument proving I was wrong... ;)

      • Awful way of presenting any sort of technology related news.
    • Re:Bitter much? (Score:5, Informative)

      by e065c8515d206cb0e190 ( 1785896 ) on Monday April 10, 2023 @12:56PM (#63438792)
      I came here just to say that. The jab in TFS felt totally unnecessary.
      • Waaayyyyyyy back in the day Slashdot was instrumental in establishing OpenBSD’s exaggerated reputation for security. One that a lot of people still get caught up in even though no serious OS has shipped with a half dozen pointless services running in well over a decade.

        To be fair to obsd it also had pf which is also no longer a big deal.

        But it’s nice to see people finally admitting obsd isn’t special in 2023.

        • by Noryungi ( 70322 )

          I am sure you a great security expert, just like 99% of people on /.

          • At the time obsd was doing things much better than other unixes I might as well have been neo just for understanding ARP and buffer overflows. Your account is old enough that you know this is true.

        • So the editor felt like they had to make up for past excessive praise of OpenBSD?
          • Hahah honestly probably not. I probably wouldn’t normally like a submission like that but it’s nice to see someone speaking the truth. I used obsd a long time ago and reinstalled it maybe 10 years ago and was very unimpressed. Like it was no different than when I ran it in the late 90s. It’s supposedly got better in since 2010 and I hope it continues to get better.

        • Pf is very nice. It's so much nicer to use than iptables.

          I think you forgot openssh though. The Linux works utterly depends on openssh.

          • Yup. That is the reason I ran it on a SBC firewall years ago. For a single use smallish appliance OpenBSD is not bad.

        • Sure. We too now don't enable useless services, we too now have pf. I wonder what's the current thing that we'll be saying in 5 years that "we have it too now", that OBSD users have now.
          • I wonder what's the current thing that we'll be saying in 5 years that "we have it too now", that OBSD users have now.

            We got all that stuff a long time ago bro. Probably the next advancement we’ll steal from obsd is having no drivers for anything.

        • no serious OS has shipped with a half dozen pointless services running in well over a decade.

          No, with Windows and many Linux distros it's more like two or three dozen pointless services.

    • by ArchieBunker ( 132337 ) on Monday April 10, 2023 @01:23PM (#63438872)

      Sounds like Theo was fucking OP’s wife or something. Perhaps Theo called him a bad name on a mailing list?

      • They called him a bad name? That narrows it down to anyone that ever posted anything on there openbsd mailing list.

        I like openbsd as software and the things that came out of the project, but Theo has a reputation for being abrasive in the extreme.

      • by Tom ( 822 )

        There must be more to it than that (the 2nd part), because if everyone whom Theo ever called a bad name came posting bitterness-infused /. stories, we would read nothing else for a couple months.

    • by paulfm ( 552273 )
      Or FreeBSD - which is a bit more lax on security (but still is considered better than even Linux - when run correctly). I think things are missing (like filesystems,and VM support) both for security and for hardware compatibility reasons. openBSD is also know to run on more hardware than most other OSes (which makes it useful for some specialized tasks - and makes it a good utility OS). And it can be installed with a very small footprint. It would be nice if they added ZFS to the supported filesystems (eve
    • by jhuebel ( 44324 ) on Monday April 10, 2023 @01:40PM (#63438914)
      Yeah, somebody really needs a Snickers bar. Maybe had low blood sugar when he submitted this.
    • Re:Bitter much? (Score:5, Interesting)

      by roman_mir ( 125474 ) on Monday April 10, 2023 @03:08PM (#63439148) Homepage Journal

      Exactly, this is the strangest 'story' ever. If they hate OpenBSD that much, why even post it? I love OpenBSD, I have a bunch of servers on it. I love the fact that there is no concept of 'locking down the system' there because it is the system that is locked by default, it is a vault in itself. The FS works, I have services running on it that I *need* and that I *approve* of.

      • Re: (Score:2, Informative)

        by metrix007 ( 200091 )

        I don't think I really expected the story to get accepted? I know it was snarky, I posted it before going to bed...didn't really think it would go through, figured someone else would also submit it and that that story would go through.

        As for the system being locked by default - not really. Quoting from another comment, but OpenBSD bets everything on eliminating all bugs, and provides very little to help lock down the system if there are bugs.

        • Ah, we get to meet the poster. Who proceeds to inform us that he sunk to the level of the person he was attacking because he did not think it would be posted and.. it was late? Huh?

          If you think you can get away with simple using “right before I go to bed, and I did not think you were listening anyways!” as an excuse to throw insults at your wife/GF you are going to die a lonely man. Maybe you should just not talk not talk to people like that?

          • Not sure why you're taking it so personally and trying to equate a snarky summary with domestic violence.

            That's pretty weird.

        • Well, there's no such thing as bad publicity, only publicity.

          Theo (and his attrocious bunch of mini-me's) owe you a beer for bringing attention to their system (which has become rather boring and technically uninteresting, with their obsession on theoretical & dogmatic rather than real-life attacks, and their silly voodoo remedies)

          OpenBSD ... provides very little to help lock down the system if there are bugs.

          Why lock it down when you can just pull the plug?

    • Re:Bitter much? (Score:4, Interesting)

      by stanbrown ( 724448 ) on Monday April 10, 2023 @03:39PM (#63439246) Homepage

      Yep, and for those of us that actually understand technology we will continue to rely on the rock solid security provided by the hard working OpenBSD team.

      Articles like this make me almost understand Theo attitude.

  • by GeekWithAKnife ( 2717871 ) on Monday April 10, 2023 @12:25PM (#63438704)
    With this new release we're fast approaching critical momentum for Linux. 2024 will be the year of the Linux desktop. Soon it will be shoulder to shoulder with Windows XP installations.
    • With this new release we're fast approaching critical momentum for Linux.
      2024 will be the year of the Linux desktop. Soon it will be shoulder to shoulder with Windows XP installations.

      I see the humor, but unfortunately also feel compelled to point out that BSD is not Linux.

      Both are Unixes though (as is macOS).

  • wut (Score:5, Insightful)

    by TheWorstTakes ( 10347040 ) on Monday April 10, 2023 @12:30PM (#63438724)

    I'm not going to say OpenBSD's claims to security aren't exaggerated, but this is just petty. This feels like OP is still upset that Theo de Raadt won't pointlessly incorporate Rust into the base tree for reasons.

    • by DarkOx ( 621550 ) on Monday April 10, 2023 @12:52PM (#63438776) Journal

      That language in the summary is pretty darn weasly.

        It would be 'interesting' to see a real apples to apples BSD vs Linux comparison. Like take CVS that apply to an contemporary GNU/Linux environment with an LTS kernel, make sure the kernel is compiled with stuff for which thier is no option to build without, there is a direct parity with BSD, or a nearly 1:1 feature analog with BSD. Similar for user land, comporable feature sets in terms of build options and include components for the gnu user land vs bsd packages.

      Really see which system comes out better.

      • obsd is way behind in features. Last I played with it was during the lulzsec saga and it’s improved since then but it would have taken a superhuman effort to close the gap between obsd and the other BSDs or Linux.

        It’s the least feature rich of any mainstreamish BSD.

        • Yes because openbsd has always claimed to have most features—oh wait they do not. That is like complaining my Honda Accord can not haul a ton of cargo.
          • Well the above poster is talking about comparing BSD with Linux in a thread about obsd so it’s worth informing him that obsd is probably not a good candidate for making that comparison for the reasons you’ve just stated.

            • No he is complaining about something that is technically true about OpenBSD but not something that OpenBSD has ever claimed to be a characteristic of their fork. Again, my Honda Accord cannot haul a ton of cargo; while that is true it is also a pointless criticism as a person buying an Accord should know that is not a design goal for the Accord. Or in another example, why is it our IT network person cannot balance our accounts receivable every month?
      • Re:wut (Score:5, Informative)

        by Noryungi ( 70322 ) on Monday April 10, 2023 @03:31PM (#63439226) Homepage Journal

        Let me put it this way: if you take a look at some mailing lists like OSS, where people discuss things they actually know, you will note OpenBSD is one of the OS they go back to constantly.

        And the refrain is: "Oh yeah, OpenBSD disabled this, or corrected this, or implemented this 3 years ago".

        Maybe you don't like OpenBSD programmers or BDFL for their abrasive personalities, but they are way ahead of Linux in many ways.

      • It's not a competition. A criticism can stand on its own and remain true, regardless of if there are 'worse' alternatives out there or not.

    • Re:wut (Score:5, Funny)

      by 93 Escort Wagon ( 326346 ) on Monday April 10, 2023 @12:59PM (#63438802)

      "the OS that earned an exaggerated reputation for security simply by disabling services by default"

      And yet it took Windows many years to figure this out...

      • No. Windows is still fucked. If it suits Microsoft’s 5 year plan to keep everyone running a service that like 1% of users have any need for they’ll do it. At the time that obsd earned it’s rep windows security was like a door tied shut with a bit of twine. Like I’m not going to break in because it would take effort and I don’t care about your stash of Pam Anderson nudes enough to try.

        The thing was most unixes and serious devices of the era would happily ship with chargen, e

    • by chill ( 34294 )

      Rust? That sounded like the OP is still butthurt about OpenBSD not adopting Systemd, or even that Emacs is still port and not a package!

  • Guess it's time to fire up a VM and see what it has to offer.

  • by Beryllium Sphere(tm) ( 193358 ) on Monday April 10, 2023 @12:42PM (#63438750) Journal

    They did way more work than that.

    https://en.wikipedia.org/wiki/... [wikipedia.org]

    If you want to make a case for an "exaggerated reputation", a better line of attack is how much the rest of the world has caught up on stack protection, API control, and so on over the decades.

  • internet (Score:4, Insightful)

    by awwshit ( 6214476 ) on Monday April 10, 2023 @12:55PM (#63438788)

    Did the internet turn everyone into an anti-social crank?

    • by DarkOx ( 621550 )

      Yes it really has.

    • by KlomDark ( 6370 )

      Stop talking to me! ;)

    • Re:internet (Score:4, Interesting)

      by Seven Spirals ( 4924941 ) on Monday April 10, 2023 @01:23PM (#63438870)
      Not everyone, but it's feeling more and more like that every day. Folks running /. have nearly always been petty lil' bitches about BSD. At first, it was a rivalry around features and their security. Nowadays, like most things, it's become a political statement. I've been running all three BSD's in various capacity for years. I'm not the biggest fan of OpenBSD, but I respect their goals and the (helluva lot more than disabling services) and the security improvements, driver updates, and general high quality code that comes from the project. I'm a big fan of NetBSD and we've benefited a lot since the divorce; no complaints. In some ways I'm glad that there is a big schism now between the Systemd + Code of Conduct Linux crowd and the *BSD folks. It serves as a good way to distinguish between the different mentalities you find in both camps. In general terms: Linux for the corporate masses and authoritarians and BSD for the freedom loving wizards in caves. To Metrix007 and the /. douches who accepted the TFA with that copy description: eat shit: you're just mad at what Linux has become.
      • I don't really use Linux much aside from Void or Alpine, and otherwise I use NetBSD (which actually has some practical security features that OpenBSD would do well to incorporate).

  • by peterww ( 6558522 ) on Monday April 10, 2023 @01:02PM (#63438814)

    "the OS that earned an exaggerated reputation for security simply by disabling services by default"

    Dayyyyyyum son!

  • by 93 Escort Wagon ( 326346 ) on Monday April 10, 2023 @01:03PM (#63438818)

    But, right now, the Unix world relies on openssh - an integral part of that "exaggeratedly secure" OS.

  • by im_thatoneguy ( 819432 ) on Monday April 10, 2023 @01:03PM (#63438820)

    But what else have the romans ever done for us?

    Security improvements:

    • *Permissions (RWX, MAP_STACK, etc.) on address space regions can be made immutable, so that mmap(2), mprotect(2) or munmap(2) fail with EPERM. Most of the program static address space is now automatically immutable (main program, ld.so, main stack, load-time shared libraries, and dlopen()'d libraries mapped without RTLD_NODELETE). Programmers can request non-immutable static data using the "openbsd.mutable" section, or manually bring immutability to (page aligned heap objects) using mimmutable(2). The main internal data of malloc(3) is marked immutable.
    • *Some architectures now have non-readable code ("xonly"), both from the perspective of userland reading its own memory, or the kernel trying to read memory in a system call. Many sloppy practices in userland code had to be repaired to allow this. The linker (ld.lld(1) or ld.bfd(1)) option --execute-only is enabled by default. In order of development: arm64, riscv64, hppa, amd64, powerpc64, powerpc (G5 only), octeon, and sparc64 (sun4u only; unfinished).
      These can still benefit from switching to --execute-only binaries if the cpu generates different traps for instruction-fetch versus data-fetch. The VM system will not allow memory to be read before it was executed which is valuable together with library relinking. Architectures switched over include loongson.
      ld.so(1) and crt0 register the location of the execve(2) stub with the kernel using pinsyscall(2), after which the kernel only accepts an execve call from that specific location.
    • *Added execve(2) violations of pinsyscall(2) policy to the daily mail, available by setting rc.conf.local(5) accounting=YES.
    • *Added retguard (consistency-check the return address on the stack) to amd64 syscalls.
      sshd random relinking at boot: Randomly relink and install sshd(8), resulting in a sshd binary with unknown address layout after every reboot.
    • *Add another mitigation against classic BROP on systems without execute-only mmu hardware-enforcement.
    • *A range-checking wrapper in front of copyin(9) and copyinstr(9) ensures the userland source address doesn't overlap the main program text and other text segments, thereby making these address ranges unreadable to the kernel. No programs have been discovered which require reading their own text segments with a system call.
    • *On arm64, introduce mitigation of the Spectre-BHB (Branch History Injection) CPU vulnerability by using core-specific trampoline vectors.
    • *Enabled the arm64 Data Independent Timing (DIT) feature in both the kernel and userland on CPUs that support it to mitigate timing side-channel attacks.
  • Just upgraded (Score:5, Interesting)

    by jmccue ( 834797 ) on Monday April 10, 2023 @01:24PM (#63438874) Homepage

    I just upgraded to 7.3 from 7.2. I thought the upgrade could not get easier then the last time. This time the upgrade was just typing 1 command, reboot then 2 commands. No questions.

    Based upon that, I would not be surprised if the commands are typed automatically for me :)

    For the summary, it comes across bitter. Just go here:

    https://undeadly.org/cgi?action=front

    to learn what the OpenBSD team is doing for us. OpenBSD even provides high quality utilities for Linux. But the Linux people do all the can to lock the BSDs out of various programs (ie: wayland and more). Instead they live like no other system matters.

    For example, without OpenBSD Linux would not have a good sshd. But the BSD people needs to copy graphic routines from Linux and re-write because they are filled with linuxisms. And many times that is impossible.

    • the Linux people do all the can to lock the BSDs out of various programs (ie: wayland and more). Instead they live like no other system matters.

      No problem, I'm using Linux and yet I'm still not using Wayland. Why? Because KDE still doesn't work reliably with it. (It allegedly works best with recent nvidia, which I do have, but I'm not in a rush to beta test anything but games and drupal modules.)

      • Wayland is a system so superior to X that it's now taken over a decade for it to stagger into an unreliable and feature poor replacement despite heavy pushing by the largest Linux company and virtual abandonment of X.

        Turns out all the "not our problem" crap like screen recording etc is actually a problem if it doesn't work.

    • by Noryungi ( 70322 )

      Same here - 1st OpenBSD machine updated from 7.2 to 7.3, without a hitch and without any issue. Beautiful OS, through and through, way more reliable than any Linux out there.

  • Really? (Score:5, Interesting)

    by galvanash ( 631838 ) on Monday April 10, 2023 @01:41PM (#63438918)

    How does this axe grinding bullshit get through moderation???

    • by Jerrry ( 43027 )

      How does this axe grinding bullshit get through moderation???

      Are you serious? What moderation? This is Slashdot, after all.

  • by 1s44c ( 552956 ) on Monday April 10, 2023 @01:42PM (#63438928)

    How did this post get approved with such a childish summary?

  • I am very used to Debian and GNU/Linux, I must admit I have been wondering who and how are you using OpenBSD in production?

    How do you patch and update the system without apt update?

    And why OpenBSD instead of Linux or Free/DragonflyBSD?

    Please do not understand my question wrong, I love what the OpenBSD team has contributed over decades. I genuinely do not know and I am too used to Debian. That is why I ask.

    • I use OpenBSD as my mail server. Patches and updating are done by running "syspatch" which applies patches, much like "apt update" does on Debian. Note that it only updates the parts of OpenBSD that are considered part of "base," not packages from ports. If there were a major update to my mail software that I just had to install ASAP as opposed to waiting for the semi-yearly OS release, I could build from source I suppose. It's never come up as an issue for me.

      I use OpenBSD because I like how all of its com

    • Not exactly production but I have used OpenBSD since the 2.3 days for my personal firewall/server/shell box. Back in the old days you had to patch things manually but now you just run syspatch and new patches are downloaded and installed. Same with upgrades, I will run sysupgrade and it will download the new packages, reboot, and install them. Couldn't be easier. I like OpenBSD because it has a small footprint and I add software as necessary. Unlike Linux they don't fiddle with how things are set in /etc ev

      • by Dadoo ( 899435 )

        Linux keeps doing dumb shit like making nslookup and traceroute "legacy" applications now. Ifconfig has gone away and been replaced with "ip" which does exactly the same thing but with a slightly different syntax.

        Agreed. And I wouldn't even care, if the BSDs were doing the same thing, but they aren't. It's like Linux programmers are going out of their way to be incompatible.

    • by Noryungi ( 70322 )

      In production, pretty much anything that has to run reliably and without a hitch for years.

      Firewalls, routers, DNS server, Email server, all of these running CARP to cluster these functions and prevent service interruption. SSH boxes as well

      On OpenBSD, you don't have 'apt', you have 'pkg_add' for applications (pkg_add -i vim to install vim, for instance) 'syspatch' to apply security patches and 'sysupgrade' to upgrade from one version to the next. I have just used sysupgrade to upgrade machines from 7.2 to

      • Everything that you do with OpenBSD, you can do with Linux, including having a hardened security installation - it just comes 'out of the box' with all the security bells and whistles

        This is patently untrue. Linux has a lot more bugs and sloppy design decisions, but has far more security features.

        OpenBSD puts a lot of effort into writing clean codes and eliminating bugs, but is sorely lacking in security features.

    • by Dadoo ( 899435 )

      Add me to the list of people who was using it for a router at my company. Unfortunately, I discovered OpenBSD uses up a lot of CPU for networking. I changed it to FreeBSD and the CPU usage decreased by quite a bit.

  • by dasunt ( 249686 ) on Monday April 10, 2023 @02:53PM (#63439094)
    But op, tell us what you really think of OpenBSD.
  • by jddimarco ( 1754954 ) on Monday April 10, 2023 @02:58PM (#63439110)
    Interesting that the OP dislikes OpenBSD so much that they use its latest release as an excuse to dump on it. Really? To me the post casts more of a negative light on the OP than it does on OpenBSD. Personally, I like OpenBSD enough to host one of its mirrors in my department. It's small, simple, straightforward, sensible about security and written by grownups. I run it on laptops, servers and SBCs. No, I don't try to use it for everything, it's not a full replacement for Linux or Windows or MacOS. That's fine: it's good work, and well worth a look.
  • having things turned off by default is useful

  • So much bitterness. Get out the other side of the bed tomorrow.

  • by the_B0fh ( 208483 ) on Monday April 10, 2023 @09:11PM (#63440032) Homepage
    "still no real security features to help lock down a system"

    WTF is wrong with this idiot? The *ENTIRE* OS is fucking locked down, and he wants some idiot scripts to do more "lock down"? Are you that fucking stupid?

    • The entire OS is barely locked down, stop being such a zealot.

      When OpenBSD had that remote root hole in the default install, if someone got root, there had absolute free reign.

      OpenBSD has nothing to really protect against that, at least nothing close to what Linux offers.

      Securelevels, pledge, unveil, chroot, none of that is sufficient.

  • by Tom ( 822 )

    although still no real security features to help lock down a system, no virtual machine support for non-OpenBSD guests and no modern file system.

    All of which can be summed up as:

    a) OpenBSD is already so far ahead in security, it's actually difficult to improve it further
    b) there's a (security) reason to not do that. You'll figure it out eventually, roughly a few days after your (non-OpenBSD) system gets owned.

    I'm a huge fan of OpenBSD not despite but because I've been a vocal supporter of a competing thingy - SELinux - from back when it was young, it wasn't yet built into distributions and the default configuration wasn't yet "we have this theoretic

    • I've had discussions with you in the past, and despite you having a career in infosec (as do I), you made it clearly you have a pretty poor understanding of unix type OS security concepts, and this post is no exception.

      OpenBSD is great for writing clean code and trying to prevent bugs, but it offers almost nothing in the event that there is a bug. chroots and securelevels and such are inadequate, while pledge and unveil require the developer to opt-in.

      Honestly, If I wanted a BSD that I could feel more confi

  • No matter your feelings about the BSDs, especially OpenBSD, they are often at the forefront of new features that eventually make it to Linux... Linux still treats ext4 and xfs as the new hotness, when FreeBSD has the best ZFS implementation around... And without OpenBSD we wouldn't have LibreSSL or OpenSSH.

Trap full -- please empty.

Working...