OpenBSD 7.5 Released

Slashdot reader Mononymous writes: The latest release of OpenBSD, the FOSS Unix-like operating system focused on correctness and security over features and performance, has been released. This version includes newer driver support, performance improvements, stability fixes, and lots of package updates. One highlight is a complete port of KDE Plasma 5.

You can view the announcement and get the bits at OpenBSD.org.
Phoronix reports that with OpenBSD 7.5 "there is a number of improvements for ARM (AArch64) hardware, never-ending kernel optimizations and other tuning work, countless package updates, and other adjustments to this popular BSD platform."

"Correctness"

[thegarbz]

In the eyes of whom?

Re: "Correctness"

[Slashythenkilly]

Do you ever look around and think, "hmmm...maybe im the problem?"

Re:

[bill_mcgonigle]

You need to explain why this earthquake was *directly under* your boy's NJ home.

Not "close" but literally within the margin of error of measurement.

Re:"Correctness"

[iggymanz]

"code correctness" means bug and vulnerability free.

Re:

[Anonymous Coward]

People who don’t need rust.

Nice

[ArchieBunker]

I’ve been using OpenBSD for firewall and server duty since the 2.x days. Sunday seems like a good day to do an upgrade.

Re:

[KirbyCombat]

I started on 2.1. Very fond memories.

Re:

[iAmWaySmarterThanYou]

Uh, fond? When they forced a binary change, I switched to FreeBSD. That was nice. OBSD was just painful.

Re:

[flyingfsck]

Yup - OpenBSD is also screaming fast compared to most Linux distros.

Re:

[PDXNerd]

OpenBSD has its strengths but screaming fast compared to most Linux distros? This is laughable. I would say openbsd is more secure by default and in general than the average linux desktop is but I'm not even sure of that in the year 2024...

This benchmark is a few years old but this has not changed, except maybe to skew a bit more in linux's favor - https://www.phoronix.com/revie... [phoronix.com]

Again there are places where OpenBSD has its strengths but I'm not even sure its faster as a firewall at this point.

Re:

[Joey Vegetables]

The CPU for most of my workloads is usually waiting for user input, network packets, or I/O. It wouldn't matter if OpenBSD were marginally slower. I'd still give it serious consideration in any sort of exposed-to-the-Intarwebs server duty.

And no crappy systemd or xz libs in sshd

[gweihir]

I am seriously considered replacing one of my Linux boxes with an OpenBSD one.

Re:And no crappy systemd or xz libs in sshd

[drinkypoo]

I ran OpenBSD back in the day, bought the CD and even the tee shirt. I used it as a firewall for a moment, but a bug in an incredibly common Intel NIC driver that would eventually render interfaces inoperative until a reboot drove me back to Linux. This gave me the opinion that unless you are the same guy who is fixing problems in the OS, OpenBSD is not for you. I suspect you could do some of that work, but do you need another hobby?

If I were building a network-connected system I expected not to be able to upgrade for years, I might still consider OpenBSD. It would probably be the best bet for surviving the experience. But the Linux ecosystem is just too much stronger in general due to it being more popular; So much software is developed on Linux and is a PITA to run anywhere else that I have to have a compelling reason to run anything else.

Re:

[gweihir]

Hmm. The other thing I am considering is compiling sshd from sources myself. This time I would not have gotten hit (I have no servers with systemd on Debian or Devuan), but I am massively opposed to patching crap, or anything really, into sshd. Doing so is simply insane and should only ever, if you really must do it, be done in a special, non-default sshd package that comes with clear warnings.

Does anybody know whether Gentoo patches sshd or gives you a choice? Devuan unfortunately does patch a version of l

Re:

[phantomfive]

If you run into hardware problems on OpenBSD, you can run the OS inside a VM for a small performance hit.

Re:

[drinkypoo]

If you run into hardware problems on OpenBSD, you can run the OS inside a VM for a small performance hit.

The only significant appeal of OpenBSD is security, and that appeal is lost when not running it on the bare metal. There is literally no reason to run it in a VM. By the time I'm resorting to a VM, I am already gaining separation, and I might as well just put Linux in the VM too.

The biggest problem (IME) with OpenBSD is hardware support, and this is caused by developers not giving a shit about users' problems; When you report a problem the obsd devs just want to know when you're providing a patch. The answe

Re:

[Anonymous Coward]

The biggest problem (IME) with OpenBSD is hardware support, and this is caused by developers not giving a shit about users' problems; When you report a problem the obsd devs just want to know when you're providing a patch. The answer to that is never, that's not in my wheelhouse and I am not going to spend the time trying to figure it out anyway.

Another way to look at it is that there's an extremely small number of developers in their core team, all volunteers, and all tasked with spending much more than 24 hours a day worth of work pouring over others source code for bugs and security risks to fix, and/or on their own software projects from scratch while also going over each character multiple times to ensure the same.

This is just the unfortunate situation when so few people are working towards more than just the promise of security.

That said, you

Re:

[drinkypoo]

It just rubbed me the wrong way to hear someone say they don't care about your problems while spending more time than is available concerning themselves with that whole "security" thing people seem to keep saying they want.

I'm not mad at any of the obsd devs and I wish them well, my point is that the end result of the various decisions made is that most people are probably better off using something else. If the devs aren't willing to prioritize fixes for ultra-common hardware (it was a cheap and common Intel PCI 100bT NIC, and it worked fine with Linux!) then the obvious result will be that it will impact a significant percentage of the potential user base.

Re:

[phantomfive]

The real problem is that most people don't actually care about security. A surprising number of websites I know about have had a bug where you can log into any account with an empty password. They had unit tests so they assumed everything was fine, but...

If people cared about security, there would be more developers building drivers for OpenBSD.

Re:

[dougmc]

If you want to compile OpenSSH from scratch who cares if a specific distribution gives you the option? You're just going to not install their package or rip it out, and install your own.

Compiling such things isn't hard -- it's typically some variation of "wget tarball, extract tarball, cd into directory created, ./configure ; make ; make test ; make install" though OpenSSH might need a bit more configuration tweaking than that to work with whatever you're trying to slap it into -- or that might work as-is

Re:

[gweihir]

Well, ssh is the one service you really need to expose generally if you run any servers (I do). So, no, this is not closing the barn after the horse has escaped. Ssh maintenance in some distros (Debian among them) has obviously gotten really sloppy and intellectually lazy, and I can fix _that_ for myself. Hopefully the people responsible for the stupidity of patching things into sshd will either wake up or get replaced and then I can trust the distro-package again.

As to compiling myself, I am not worried ab

Re:

[dougmc]

To answer some other parts of this that I forgot in my other comment, I've never used Devuan, but it's described as :

Devuan GNU+Linux is a fork of Debian without systemd that allows users to reclaim control over their system by avoiding unnecessary entanglements and ensuring Init Freedom.

... so if you're looking to keep things simple, keeping systemd out sounds like a big step in that direction, so choosing Devuan over Debian should be a big step in that direction.

But if the system doesn't have systemd, how can it possibly "patch a version of libsystemd into sshd"? Is systemd in there after all somehow anyways?

Re:

[drinkypoo]

But if the system doesn't have systemd, how can it possibly "patch a version of libsystemd into sshd"? Is systemd in there after all somehow anyways?

Nope. One of the GP's other posts address this: the apparent libsystemd0 linked to sshd is actually part of the stub library that Devuan uses to replace parts of systemd, along with other distributions which eschew it. In general that's probably a more accurate description of what Devuan is: Debian with systemd stubbed out. That's why I (and others) run it instead of Debian with another init system installed; if you don't then you start running into problems with all the software that expects systemd and yo

Re:

[Joey Vegetables]

According to what I've read, including this [gentoo.org], Gentoo doesn't patch its sshd to integrate with systemd, and is likely not vulnerable for multiple reasons, but to be cautious, they have masked the vulnerable versions, and recommend downgrading to 5.4.x, and I believe emerge sync + emerge -upv world will do that for you.

Re:

[ArchieBunker]

I ran into an issue with a NIC as well and contacted the mailing list. The devs sent me a patch to try which fixed the problem and it was merged into the next release. Did you ever submit a bug report?

Re:

[drinkypoo]

Did you ever submit a bug report?

I don't remember. After I contacted the devs and was brushed off, I moved on.

Re:

[Big Hairy Gorilla]

xz problem is not a linux problem per se, afaik, the xz libs are systemd dependent... So.. use Devuan. We've been using it in production in my shop these days, server and desktop/xfce for several years now.

Re:

[gweihir]

Devuan sshd pulls in libsystemd, so something was patched in there as well. Not good. The only somewhat good thing is that the Devuan libsystemd does not pull in the xz library. Incidentally, the same happens on a non-systemd Debian installation. But sshd still gets patched in both and I really do not like that.

But yes, while I have done non-systemd Debian installations so far, I now have one Devuan installation since a few months and I think I will completely move over.

You are correct that this is really a

Re:

[Big Hairy Gorilla]

are you sure? just ran this on an up-to-date laptop (edited for readability)

root@vivo# cat /etc/os-release
PRETTY_NAME="Devuan GNU/Linux 4 (chimaera)"
NAME="Devuan GNU/Linux" ...
root@vivo# dpkg -l ssh
ii ssh 1:8.4p1-5+deb11u3 all secure shell client and server (metapackage)

root@vivo# dpkg -l libsystemd
dpkg-query: no packages found matching libsystemd

Just checked a daedalus machine: results same

root@zeno-54:~/Desktop
# cat /etc/os-release
PRETTY_NAME="Devuan GNU/Linux 5 (daedalus)"

root@zeno-5

Re:

[drinkypoo]

This fucking site.

I just tried to respond in kind and my post was blocked by the shitty filter.

I am running Devuan 5 with openssh-server and ldd `which sshd` shows that indeed libsystemd is linked in there.

Re:

[gweihir]

It is actually part of libelogind0, see my other answer. But this shows sshd got patched for some questionable convenience and that patching enabled a security catastrophe which was narrowly averted. Not good at all.

Re:

[iggymanz]

why are you guys run bleeding edge stuff? you came close to getting cut, the usual production used distros didn't have to worry

Re:

[gweihir]

I am not running bleeding edge stuff. Why would you think I was?

Incidentally, everybody using an sshd that pulls in liblzma still has to worry. There may be more crap buried in there. The thing discovered was just the obvious attack and it was not very well hidden.

Re:

[drinkypoo]

Presumably, you have checked all other packages to ensure nothing is hidden in them, poorly or not?

Not all other packages are one of the services most commonly exposed through a firewall, and depended upon to provide secure communications for other services. We are talking here specifically about one of the services which it is most important to preserve security in, and equating that with other services is ignorant at best, or more probably disingenuous given that your posting anonymously is a probable sign that you know what you are implying is ridiculous. My only point of curiosity is whether that kno

Re:

[gweihir]

The other aspect is that "Jia Tan" could well have placed more subtle things earlier when he contributed things. Being careful about anything one known bad actor has done is quite different from being universally paranoid. The incompetent (and the one you answered to clearly is) never get such things.

In this case, the point to relax is when everything Jia Tan has contributed is ripped out and replaced or very carefully reviewed, not before. The point to relax futher is when stupid, lazy distro maintainers h

Re:

[drinkypoo]

why are you guys run bleeding edge stuff?

Thank you for informing us that you have no idea what we (or you) are talking about. Devuan 5 is based on Debian 12, which is the stable version. And it removes the newer and shittier init system and replaces it with the old one. It is exactly the opposite of bleeding edge.

Re:

[gweihir]

Ah, that was what this person thought. Makes sense. Somebody that does not know Debian/Devuan at all may mistakenly think that the newest stable Debian/Devuan versions are "bleeding edge" when that is not true at all. This person obviously has never heard of the unstable and testing versions of Debian.

Re:

[iggymanz]

I know Debian, Devuan, and derived Ubuntu and Mint *really* wel.

you almost reaped what you sowed. your distro of choice had bleeding edge crap in it.

Re:

[gweihir]

Nope. Obviously you do _not_ know what you are talking about.

Re:

[iggymanz]

yet you had the bleeding edge xz library

again, why are you running the bleeding edge crap?

Re:

[gweihir]

Nope. I do not and did not have the xz library affected by the currently known attack. Now you are just hallucinating.

Re:

[drinkypoo]

We don't, and we aren't. You simply failed to follow the conversation. This is something of a pattern for you. Are you reading only on the mobile interface? That version has important defects which make depending on it ridiculous. It is only useful for casual use and dashing off quick comments, which it is particularly good for in fact because it doesn't honor the posting delay you get on the other interfaces.

Re:

[gweihir]

I am sure, I checked it a few days back when the xz attack became public on a current Devuan Daedalus (and on a non-systemd Debian, same result).

root@p4:~# cat /etc/os-release | grep PRETTY
PRETTY_NAME="Devuan GNU/Linux 5 (daedalus)"

root@p4:~# ldd /usr/sbin/sshd | grep libsystemd
libsystemd.so.0 => /lib/x86_64-linux-gnu/libsystemd.so.0

That library is not systemd. It is in libelogind0, which is a replacement for some systemd functionality. It does not

Unix-like?

[Can'tNot]

Do I have my terminology confused, is OpenBSD only "Unix-like"? Do the Berkley Unixes not count as real Unixes anymore?

Re:

[JBeretta]

I had the same thought.... I've always had the opinion that the BSDs are just as much UNIX as any of the commercial versions (IRIX, AIX, HP-UX, etc)

Commercial Unix

[JBMcB]

I consider modern BSD to be closer to the traditional commercial UNIX releases than Linux, as they consider the base OS as a single release instead of a bunch of independent packages (kernel, glibc, coreutils, svsvinit, e2fsprogs, sed/gawk/grep/patch/make/etc....)

Re:

[JBeretta]

Of course they are.. Linux is Unix-like.. It was created to act like Unix... But it was never supposed to be a Unix.

BSDs, on the other hand, are derived from the original System V source....

Re:

[iggymanz]

nope, BSD are derived from 4.4 BSD, the at&t sys V is another branch from which the proprietary Unix come like Solaris, AIX, HPUX, IRIX

Re:

[tlhIngan]

Of course they are.. Linux is Unix-like.. It was created to act like Unix... But it was never supposed to be a Unix.

The problem is, UNIX-like is a big group. There are many OSes that implement the SUS (Single UNIX Specification, formerly known as POSIX) APIs. This include many including Windows NT back in the day, to BeOS to many others including QNX. These implement the APIs, which is a very loose standard, since one could also consider modern Windows as doing same - either using a library liek Cygwin to

Re:

[drinkypoo]

There are many OSes that implement the SUS (Single UNIX Specification, formerly known as POSIX) APIs. This include many including Windows NT back in the day

Not really. NT only supported POSIX.1 when the world had already moved on to POSIX.2.

Though it should be noted that BSD exorcised the last of the AT&T source code some time in the 90s.

Yes, we call that version 4.4-lite [gunkies.org].

Re:

[drinkypoo]

On one hand, BSD is real UNIX, in that it was called BSD UNIX and the current *bsds are all descended from that software (BSD 4.4-lite) directly, and on the other hand nobody has paid for you to use the OPEN Group's trademark on UNIX(tm) so it's not legally literally UNIX(tm) at this point.

I would call it all-caps UNIX, though.

Re:

[serviscope_minor]

Do the Berkley Unixes not count as real Unixes anymore?

Not according to the Open Group who managed to get ownership of the name and will charge you an arm and a leg to certify as Unix (tm).

According to Dennis Ritche, yes it is and so is Linux.

I know who's opinion I give more weight to.

The really important thing

[Opyros]

No new song? [openbsd.org]

I'm still waiting for...

[sinkskinkshrieks]

... TdR to invent a Rust-/Go-like language to redo the entire OpenBSD codebase in something other than C. Because if you want correctness, security, and formal verification, it's going to take such an effort because C itself is doomed and a contributing factor to most, if not all, security vulnerabilities.