OpenBSD 7.3 Released (openbsd.org)
metrix007 writes: OpenBSD, the OS that earned an exaggerated reputation for security simply by disabling services by default, has released version 7.3. Plenty of new improvements and bug fixes including to the editor, although still no real security features to help lock down a system, no virtual machine support for non-OpenBSD guests and no modern file system.
Bitter much? (Score:5, Interesting)
Just use Linux. Or Windows. No need for such bitterness.
Re: (Score:2)
Re: (Score:3)
... who is bitter? You were literally the first poster.
You didn't even read the summary?
Re: (Score:2)
On slashdot, joking right? I think we are lucky if people even read the Title.
Like the articles, these days no one reads the summary.
Re: (Score:2)
On slashdot, joking right? I think we are lucky if people even read the Title.
Like the articles, these days no one reads the summary.
You must be new here. Your first response should have been a wild misunderstanding of what I said complete with straw-man argument proving I was wrong... ;)
Re: Bitter much? (Score:2)
Re: (Score:2)
"He used to be enthusiastic and passionate, and it's nice to see that side of him, before he decided he wanted to compete with and outdo Theo de Raadt for being the cuntiest and most needlessly antagonistic OSS project leader."
msmash should be ashamed for feeding the troll.
Re:Bitter much? (Score:5, Informative)
Re: (Score:2)
Waaayyyyyyy back in the day Slashdot was instrumental in establishing OpenBSD’s exaggerated reputation for security. One that a lot of people still get caught up in even though no serious OS has shipped with a half dozen pointless services running in well over a decade.
To be fair to obsd it also had pf which is also no longer a big deal.
But it’s nice to see people finally admitting obsd isn’t special in 2023.
Re: (Score:3)
I am sure you are a great security expert, just like 99% of people on /.
Re: (Score:2)
At the time obsd was doing things much better than other unixes I might as well have been neo just for understanding ARP and buffer overflows. Your account is old enough that you know this is true.
Re: (Score:2)
I play a dangerous hacker on TV, but that's about it.
Re: (Score:3)
Can you decode 256 bit AES encrypted data in realtime while the hexdump is scrolling by on the screen like Travolta did in one of his movies?
If so I have an old file for you. I forgot the password.
Re: (Score:2)
Re: (Score:2)
Hahah honestly probably not. I probably wouldn’t normally like a submission like that but it’s nice to see someone speaking the truth. I used obsd a long time ago and reinstalled it maybe 10 years ago and was very unimpressed. Like it was no different than when I ran it in the late 90s. It’s supposedly gotten better since 2010 and I hope it continues to get better.
Re: Bitter much? (Score:2)
Pf is very nice. It's so much nicer to use than iptables.
I think you forgot openssh though. The Linux world utterly depends on openssh.
Re: (Score:2)
Yup. That is the reason I ran it on a SBC firewall years ago. For a single use smallish appliance OpenBSD is not bad.
Re: (Score:2)
Re: (Score:2)
I wonder what's the current thing that we'll be saying in 5 years that "we have it too now", that OBSD users have now.
We got all that stuff a long time ago bro. Probably the next advancement we’ll steal from obsd is having no drivers for anything.
Re: (Score:2)
no serious OS has shipped with a half dozen pointless services running in well over a decade.
No, with Windows and many Linux distros it's more like two or three dozen pointless services.
Seriously (Score:2)
This is why I used the serious qualifier. :)
Re: (Score:2)
Re: (Score:2)
And it will be Ad Hominem when I point out you’re implying Windows95 is a real OS and we can safely wave you away.
But in our hearts we know.
Re: (Score:2)
Re:Bitter much? (Score:5, Funny)
Sounds like Theo was fucking OP’s wife or something. Perhaps Theo called him a bad name on a mailing list?
Re: Bitter much? (Score:2)
They called him a bad name? That narrows it down to anyone that ever posted anything on the openbsd mailing list.
I like openbsd as software and the things that came out of the project, but Theo has a reputation for being abrasive in the extreme.
Re: (Score:2)
There must be more to it than that (the 2nd part), because if everyone whom Theo ever called a bad name came posting bitterness-infused /. stories, we would read nothing else for a couple months.
Re: (Score:2)
Re:Bitter much? (Score:4, Funny)
Re:Bitter much? (Score:5, Interesting)
Exactly, this is the strangest 'story' ever. If they hate OpenBSD that much, why even post it? I love OpenBSD, I have a bunch of servers on it. I love the fact that there is no concept of 'locking down the system' there because it is the system that is locked by default, it is a vault in itself. The FS works, I have services running on it that I *need* and that I *approve* of.
Re: (Score:2, Informative)
I don't think I really expected the story to get accepted? I know it was snarky, I posted it before going to bed...didn't really think it would go through, figured someone else would also submit it and that that story would go through.
As for the system being locked by default - not really. Quoting from another comment, but OpenBSD bets everything on eliminating all bugs, and provides very little to help lock down the system if there are bugs.
Re: (Score:2)
Ah, we get to meet the poster. Who proceeds to inform us that he sunk to the level of the person he was attacking because he did not think it would be posted and.. it was late? Huh?
If you think you can get away with simply using “right before I go to bed, and I did not think you were listening anyways!” as an excuse to throw insults at your wife/GF you are going to die a lonely man. Maybe you should just not talk to people like that?
Re: (Score:2)
Not sure why you're taking it so personally and trying to equate a snarky summary with domestic violence.
That's pretty weird.
Re: (Score:2)
Well, there's no such thing as bad publicity, only publicity.
Theo (and his atrocious bunch of mini-me's) owe you a beer for bringing attention to their system (which has become rather boring and technically uninteresting, with their obsession on theoretical & dogmatic rather than real-life attacks, and their silly voodoo remedies)
Why lock it down when you can just pull the plug?
Re:Bitter much? (Score:4, Interesting)
Yep, and for those of us that actually understand technology we will continue to rely on the rock solid security provided by the hard working OpenBSD team.
Articles like this make me almost understand Theo's attitude.
Re: Bitter much? (Score:2)
By your measure of security. The claim of only 2 bugs in the default install is real.
SELinux is an ugly train wreck. Is that what you are saying openbsd is missing?
Re: (Score:2)
No, by any objective measure of security.
Auditing to eliminate bugs is great, but you also need things in place in the event a bug gets exploited that you didn't find and fix yet.
SELinux wouldn't jive well with OpenBSD at all, but a much more simplified version, maybe something closer to AppArmor might be a good fit. At the moment they have pledge and unveil which isn't particularly useful for software that doesn't take advantage of it. Maybe something like Landlock adapted for OpenBSD would also be a good
Re: (Score:2)
You realize Slashdot doesn't support unicode right? Your comments are a mess.
That aside, unveil is not at all the same thing, since it requires software to opt in. That's a fundamentally different approach quite useless for trying to protect against software that doesn't bother to make use of unveil, like pretty much everything on github and any commercial software.
I can feel it (Score:4, Funny)
Re: (Score:2)
With this new release we're fast approaching critical momentum for Linux.
2024 will be the year of the Linux desktop. Soon it will be shoulder to shoulder with Windows XP installations.
I see the humor, but unfortunately also feel compelled to point out that BSD is not Linux.
Both are Unixes though (as is macOS).
Re: I can feel it (Score:2)
Re: (Score:2)
Shame really because I really liked Windows Phone
wut (Score:5, Insightful)
I'm not going to say OpenBSD's claims to security aren't exaggerated, but this is just petty. This feels like OP is still upset that Theo de Raadt won't pointlessly incorporate Rust into the base tree for reasons.
Re:wut (Score:4)
That language in the summary is pretty darn weaselly.
It would be 'interesting' to see a real apples to apples BSD vs Linux comparison. Like take CVEs that apply to a contemporary GNU/Linux environment with an LTS kernel, make sure the kernel is compiled with stuff for which there is no option to build without, there is a direct parity with BSD, or a nearly 1:1 feature analog with BSD. Similar for user land, comparable feature sets in terms of build options and include components for the gnu user land vs bsd packages.
Really see which system comes out better.
Obsd does not represent bsd (Score:2)
obsd is way behind in features. Last I played with it was during the lulzsec saga and it’s improved since then but it would have taken a superhuman effort to close the gap between obsd and the other BSDs or Linux.
It’s the least feature rich of any mainstreamish BSD.
Re: (Score:2)
Re: (Score:2)
Well the above poster is talking about comparing BSD with Linux in a thread about obsd so it’s worth informing him that obsd is probably not a good candidate for making that comparison for the reasons you’ve just stated.
Re: (Score:2)
Re:wut (Score:5, Informative)
Let me put it this way: if you take a look at some mailing lists like OSS, where people discuss things they actually know, you will note OpenBSD is one of the OS they go back to constantly.
And the refrain is: "Oh yeah, OpenBSD disabled this, or corrected this, or implemented this 3 years ago".
Maybe you don't like OpenBSD programmers or BDFL for their abrasive personalities, but they are way ahead of Linux in many ways.
Re: (Score:2)
Like what?
Re: (Score:2)
"Oh yeah, OpenBSD disabled this, or corrected this, or implemented this 3 years ago".
That hasn't been true for a very long time.
Re: (Score:2)
It's not a competition. A criticism can stand on its own and remain true, regardless of if there are 'worse' alternatives out there or not.
Re:wut (Score:5, Funny)
"the OS that earned an exaggerated reputation for security simply by disabling services by default"
And yet it took Windows many years to figure this out...
Windows wasn’t even a discussion. (Score:2)
No. Windows is still fucked. If it suits Microsoft’s 5 year plan to keep everyone running a service that like 1% of users have any need for they’ll do it. At the time that obsd earned its rep windows security was like a door tied shut with a bit of twine. Like I’m not going to break in because it would take effort and I don’t care about your stash of Pam Anderson nudes enough to try.
The thing was most unixes and serious devices of the era would happily ship with chargen, e
Re: (Score:2)
Rust? That sounded like the OP is still butthurt about OpenBSD not adopting Systemd, or even that Emacs is still port and not a package!
Been A While Since I Played With A *BSD (Score:2)
Guess it's time to fire up a VM and see what it has to offer.
"Simply by disabling services" (Score:5, Informative)
They did way more work than that.
https://en.wikipedia.org/wiki/... [wikipedia.org]
If you want to make a case for an "exaggerated reputation", a better line of attack is how much the rest of the world has caught up on stack protection, API control, and so on over the decades.
Re: (Score:2)
You don't even get an ssh server by default, but you do get a firewall. How many fewer services do you want?
Re: (Score:2)
Yeah, sure, and you are a security expert.
Re: (Score:2)
> Yeah, sure, and you are a security expert.
NSA has a 60-page PDF on turning off unneeded Windows services.
It's not actually to make it easier for them to hack you.
Re: (Score:2)
Why does it say on page 2 to turn on the "NSA Backdoor" Services?
A bit unusual, no? Maybe it's a fireball thing.
Re: (Score:3)
And you think the NSA is interested in helping YOU secure YOUR Windows installation?
Oh, you sweet summer child...
internet (Score:4, Insightful)
Did the internet turn everyone into an anti-social crank?
Re: (Score:2)
Yes it really has.
Re: (Score:3)
Stop talking to me! ;)
Re:internet (Score:4, Interesting)
Re: (Score:2)
I don't really use Linux much aside from Void or Alpine, and otherwise I use NetBSD (which actually has some practical security features that OpenBSD would do well to incorporate).
spicy commentary (Score:3)
"the OS that earned an exaggerated reputation for security simply by disabling services by default"
Dayyyyyyum son!
I'm sure Poettering has a plan to replace it... (Score:4, Insightful)
But, right now, the Unix world relies on openssh - an integral part of that "exaggeratedly secure" OS.
Re:I'm sure Poettering has a plan to replace it... (Score:4, Informative)
This. 1000 times this. Use OpenSSH? You are using something that is part of a great OS, named OpenBSD.
Re: (Score:2)
OpenSSH is absolutely fantastic, and the best thing to come out of the OpenBSD project for sure.
Nothing except everything in the "Security" list (Score:5, Informative)
But what else have the romans ever done for us?
Security improvements:
These can still benefit from switching to --execute-only binaries if the cpu generates different traps for instruction-fetch versus data-fetch. The VM system will not allow memory to be read before it was executed which is valuable together with library relinking. Architectures switched over include loongson.
ld.so(1) and crt0 register the location of the execve(2) stub with the kernel using pinsyscall(2), after which the kernel only accepts an execve call from that specific location.
sshd random relinking at boot: Randomly relink and install sshd(8), resulting in a sshd binary with unknown address layout after every reboot.
Just upgraded (Score:5, Interesting)
I just upgraded to 7.3 from 7.2. I thought the upgrade could not get easier than the last time. This time the upgrade was just typing 1 command, reboot then 2 commands. No questions.
Based upon that, I would not be surprised if the commands are typed automatically for me :)
For the summary, it comes across bitter. Just go here:
https://undeadly.org/cgi?action=front
to learn what the OpenBSD team is doing for us. OpenBSD even provides high quality utilities for Linux. But the Linux people do all they can to lock the BSDs out of various programs (ie: wayland and more). Instead they live like no other system matters.
For example, without OpenBSD Linux would not have a good sshd. But the BSD people need to copy graphic routines from Linux and re-write because they are filled with linuxisms. And many times that is impossible.
Re: (Score:2)
the Linux people do all they can to lock the BSDs out of various programs (ie: wayland and more). Instead they live like no other system matters.
No problem, I'm using Linux and yet I'm still not using Wayland. Why? Because KDE still doesn't work reliably with it. (It allegedly works best with recent nvidia, which I do have, but I'm not in a rush to beta test anything but games and drupal modules.)
Re: (Score:3)
Wayland is a system so superior to X that it's now taken over a decade for it to stagger into an unreliable and feature poor replacement despite heavy pushing by the largest Linux company and virtual abandonment of X.
Turns out all the "not our problem" crap like screen recording etc is actually a problem if it doesn't work.
Re: (Score:3)
Same here - 1st OpenBSD machine updated from 7.2 to 7.3, without a hitch and without any issue. Beautiful OS, through and through, way more reliable than any Linux out there.
Really? (Score:5, Interesting)
How does this axe grinding bullshit get through moderation???
Re: (Score:2)
How does this axe grinding bullshit get through moderation???
Are you serious? What moderation? This is Slashdot, after all.
What a silly summary (Score:3)
How did this post get approved with such a childish summary?
Re: (Score:2)
The children in charge approving the other children.
Anyone using OpenBSD in production? (Score:2)
I am very used to Debian and GNU/Linux, I must admit I have been wondering who and how are you using OpenBSD in production?
How do you patch and update the system without apt update?
And why OpenBSD instead of Linux or Free/DragonflyBSD?
Please do not understand my question wrong, I love what the OpenBSD team has contributed over decades. I genuinely do not know and I am too used to Debian. That is why I ask.
Re: (Score:2)
I use OpenBSD as my mail server. Patches and updating are done by running "syspatch" which applies patches, much like "apt update" does on Debian. Note that it only updates the parts of OpenBSD that are considered part of "base," not packages from ports. If there were a major update to my mail software that I just had to install ASAP as opposed to waiting for the semi-yearly OS release, I could build from source I suppose. It's never come up as an issue for me.
I use OpenBSD because I like how all of its com
Re: (Score:3)
Not exactly production but I have used OpenBSD since the 2.3 days for my personal firewall/server/shell box. Back in the old days you had to patch things manually but now you just run syspatch and new patches are downloaded and installed. Same with upgrades, I will run sysupgrade and it will download the new packages, reboot, and install them. Couldn't be easier. I like OpenBSD because it has a small footprint and I add software as necessary. Unlike Linux they don't fiddle with how things are set in /etc ev
Re: (Score:2)
Agreed. And I wouldn't even care, if the BSDs were doing the same thing, but they aren't. It's like Linux programmers are going out of their way to be incompatible.
Re: (Score:2)
In production, pretty much anything that has to run reliably and without a hitch for years.
Firewalls, routers, DNS server, Email server, all of these running CARP to cluster these functions and prevent service interruption. SSH boxes as well
On OpenBSD, you don't have 'apt', you have 'pkg_add' for applications (pkg_add -i vim to install vim, for instance) 'syspatch' to apply security patches and 'sysupgrade' to upgrade from one version to the next. I have just used sysupgrade to upgrade machines from 7.2 to
Re: (Score:2)
Everything that you do with OpenBSD, you can do with Linux, including having a hardened security installation - it just comes 'out of the box' with all the security bells and whistles
This is patently untrue. Linux has a lot more bugs and sloppy design decisions, but has far more security features.
OpenBSD puts a lot of effort into writing clean codes and eliminating bugs, but is sorely lacking in security features.
Re: (Score:2)
Add me to the list of people who was using it for a router at my company. Unfortunately, I discovered OpenBSD uses up a lot of CPU for networking. I changed it to FreeBSD and the CPU usage decreased by quite a bit.
But op... (Score:3)
OP and OpenBSD (Score:3)
philosophically speaking (Score:2)
having things turned off by default is useful
Need a moderation option for OP (Score:2)
So much bitterness. Get out the other side of the bed tomorrow.
WTF are you smoking? (Score:3)
WTF is wrong with this idiot? The *ENTIRE* OS is fucking locked down, and he wants some idiot scripts to do more "lock down"? Are you that fucking stupid?
Re: (Score:2)
The entire OS is barely locked down, stop being such a zealot.
When OpenBSD had that remote root hole in the default install, if someone got root, they had absolute free rein.
OpenBSD has nothing to really protect against that, at least nothing close to what Linux offers.
Securelevels, pledge, unveil, chroot, none of that is sufficient.
gnarsh (Score:2)
although still no real security features to help lock down a system, no virtual machine support for non-OpenBSD guests and no modern file system.
All of which can be summed up as:
a) OpenBSD is already so far ahead in security, it's actually difficult to improve it further
b) there's a (security) reason to not do that. You'll figure it out eventually, roughly a few days after your (non-OpenBSD) system gets owned.
I'm a huge fan of OpenBSD not despite but because I've been a vocal supporter of a competing thingy - SELinux - from back when it was young, it wasn't yet built into distributions and the default configuration wasn't yet "we have this theoretic
Re: (Score:2)
I've had discussions with you in the past, and despite you having a career in infosec (as do I), you made it clear you have a pretty poor understanding of unix type OS security concepts, and this post is no exception.
OpenBSD is great for writing clean code and trying to prevent bugs, but it offers almost nothing in the event that there is a bug. chroots and securelevels and such are inadequate, while pledge and unveil require the developer to opt-in.
Honestly, If I wanted a BSD that I could feel more confi
R&D (Score:2)
Re:Weird post (Score:5, Insightful)
I find configuring any Linux system to be ridiculously over-complicated compared to my beloved FreeBSD. You don't just put stuff in fstab and have it mount, your interfaces are configured in ten different places with a million weird options, you use GUIDs everywhere because for some reason things don't have stable names, and all the configuration files that systemd places everywhere that requires obscure knowledge to figure out. It takes me ten times as long to fix any problem on a Linux system than on my FreeBSD systems. You guys are just xkcd/927 it out year after year after year, it's quite hilarious if you think about it. All that wasted time and energy.
The decision to mix non-base packages with /usr instead of isolating them to /usr/local is at once immensely frustrating and also mindblowingly stupid. In FreeBSD, I can mount / and /usr readonly and still install/packages as long as /var and /usr/local are rw. If I want to build ports or system, just add /usr/ports (or use poudriere), /usr/src and /usr/obj -- all mount points that will never pollute my base system. I just don't get how any self-respecting OCD can stand Linux. It's like reading bad code.
I could go on and on, but over 20 years ago I switched from Linux to FreeBSD and instantly knew that someone or group of someones had really thought out all the details in exactly the obsessive-compulsive way they should have. It's beautiful, absolutely beautiful. On the other hand, a Linux distribution is what you get if a bunch of software is haphazardly glued together over and over. You probably think this is hyperbole, but it's that different. Sure you can just ignore this and use your ready-to-go distro, but under the hood it's still there.
Re: (Score:2)
And we know that stuff simply never breaks and is easier to setup and manage. And when it does break....
Re: (Score:2)
You said windows > Linux.
Re: (Score:2)
They [OpenBSD] have a track record. A lot of people who work in computer security look up to them.
Unlike you, random /. user named "polotheclown".