I can confirm that acme-client so far is the only sane client I've seen. No nonsense of multi-megabyte downloads of endless Python scripts or esoteric bash scripts. Just a good old C tool as it should be. Every *nix should use it by default.
I am not a big fan of C, but those Python/JavaScript based GUIs that fade to black at every button click really make me miss the days when all GUI tooling in UNIX was written in C.
I was actually playing with OpenBSD while stuck with the flu.
The good:
* ifconfig handling everything is brilliant. Having one tool to do networking, including WiFi(!) is great.
* the documentation is good. `man -k` normally gets you what you need.
* "base builds base" is pretty cool. I managed to rebuild base on a 1GHz single core BeagleBone Black in 48hrs.
The bad:
* Performance. I didn't think this would be a huge issue, however it's much slower than Trisquel, Parabola and GuixSD running GNOME on an x200. WiFi also seemed slow.
* IPv6 seemingly didn't work, even when verifying my ifconfig setup.
* Filesystem. I don't expect them to add ZFS due to code size and license, but still using UFS is laughable. UFS seemed to have I/O deficiencies which exacerbated the performance issue.
* the other documentation. While the manpages are good, information on the internet can be contradictory depending on its age.
* No lsblk. This is more of a nitpick, but there is seemingly no way to get the right name for a disk without parsing through `dmesg` and guessing with partition number.
* pkg_add. It's extremely slow compared to apt even and separates its parts out for seemingly no reason. Package management in general is somewhat awful.
I wonder though, if they don't have the manpower to optimize for desktop usages, why don't they stick to server only?
I've tried to use it on a server some months ago (trying out OpenBSD every few years because I do like the philosophy) but things behaved odd and slow, so I just used FreeBSD and problems disappeared.
I'd like to see a completely server focused one instead of trying to do it all and keep issues hanging loose.
I totally respect OpenBSD and their commitment to security and stability. However, the thing holding me back is that they've dropped some features over the years that I relied on.
I used OpenBSD on a netbook and it was awesome. But I really needed 32-bit Linux binary compatibility, and I was also one of the 3 people who used bluetooth. Both of these features were removed entirely. I wish there was a way I could "live dangerously" and have access to them again. I would love to have access to bluetooth based serial terminals, and use my favorite keyboard.
Since SystemD has become so prevalent in Linux, I've been looking longingly at BSD. The only problem is that I have a large number of machines that I'd need to move over, and it's a pretty intimidating amount of work. But I'm planning on beginning the move, one system at a time...
> Since SystemD has become so prevalent in Linux, I've been looking longingly at BSD.
After ~20 years of using Debian, I switched my desktop PC to OpenBSD about a year ago due to concerns about the direction Linux has taken (eg. systemd).
It was easier to set up the kind of minimalist desktop I like than on Debian, where I have to change a lot of defaults (eg. switching to sysvinit). The package manager is great, and there are ~10k packages available for 6.4. I'm now looking at switching my server to OpenBSD. I'm keeping some dedicated audio workstations on Linux for now (need the raw performance and drivers), but my impression of OpenBSD so far has been very good.
OpenBSD caveats: Video and audio can be a little glitchy. Releases are only supported for one year. ABI can change between releases. There's no filesystem journal. The only non-BSD filesystems supported are msdos and ext2fs (and read/write speeds on those are slow).
It impresses me that the hate for systemd persists even after so much time has passed. I thought it was just inertia.
I see systemd as a framework to define and control services that is much more robust than the old system that relied on scripting conventions. Why the hate? What's people's ideal here?
On the off-chance you're somehow unaware and are running Debian: with Devuan it's almost just a repository change and an "apt-get dist-upgrade" away (depending on which release you are upgrading from a few manual actions, which are documented, might be required).
Systemd is indeed prevalent, but you can very well use linux without it (and it is much better!)
I use daily two fine linux distributions that do not have systemd: void and slackware. It is a real pleasure to run htop and see that all the running processes do not even fill a 25-line terminal.
I installed Debian on a virtual machine the other day and, frankly, it felt a lot like using Solaris: a weird init system paired with unintuitive commands for manipulating network interfaces. All that said, it worked well in my testing, and I would use it when hardware or software compatibility demanded it.
Why does file(1)[1] need its own chroot sandbox instead of using the pledge(2)[2] facility? They say:
> Think of the following: You download a random file from the internet and analyze it using file. If file has a security hole (local code execution for example), he can run attacks with his prepared file. That's why the file utility is sandboxed and chrooted by default.
Isn't that exactly the sort of case where file(1) would open(2) the downloaded file and its own database, and then proceed to drop all other access privileges before doing any of the parsing of the untrusted file?
Anything that matters for us runs either on OpenBSD or behind it. Almost 20 years now. Zero fucks given. Theo is the type of dev manager I want for my projects (aggressive, opinionated, solid).
I like openbsd and have used it happily for a long time, but it's not fair to list sysmerge and syspatch as selling points. If we are being honest, other systems have long had more automatic upgrade procedures and these two tools are essentially minimalist ways of solving the problems with the old way.
I found OpenBSD to be pretty amazing, and after trying it now and then I finally loaded it onto my x220 to use it daily. Things worked fine, but I realized the battery life was poor (even using the functionality, I think in tpm, which regulates the clock speed to be slower) and support for what I began to need (like the Eclipse IDE) was shoddy. Unlike many others, I don't have much to say about the documentation, but that's also an endorsement for the system itself - I didn't need to access it more than once or twice.
Support for other file systems, which is a part of life for me, was pretty lacking; for me, ext4 write support and fat32 read/write isn't essential but would have been enough to stop me from moving back to GNU/Linux.
In the end, it looks like a great system but it just didn't fit my needs, just as, for instance, NixOS (and Guix) didn't fit my needs when I wanted a custom XKB layout.
It does just work (TM). Brightness and volume hotkeys work out of the box, without a desktop environment (even on the console). WiFi, including autojoining, works using a single ifconfig command or configuration file. Suspend/resume works on my laptop without any configuration.
If you’re using it on a laptop, just make sure to use an older, less ultrabook-like machine and you’ll be good.
If you want to use Ubiquiti hardware but not Vyatta, OpenBSD supports the Octeon processor [1]. In particular the edgerouter lite can be swapped to OpenBSD [2] for the cost of the right USB stick [3] and a console cable [4].
Some people find the ERL's performance isn't sufficient to pass packets and also host services such as radius or that the passive heat management on the edgerouter isn't sufficient. In that case Protectli.com [5] makes appliances with monster heat sinks on top and despite running an old ATOM processor can push data at gigabit speeds [6] thanks to onboard Intel NICs.
Finally you can just grab any refurb wintel box, add a couple of Intel NICs and throw away the windows license.
The great thing about OpenBSD is particularly for its typical roles of firewall, load balancer, edge gateway, authentication server, etc it doesn't require much CPU or storage.
I recently rebuilt a laptop with Windows from a USB 3 stick to an Intel M.2 NVME SSD. It took less than 5 minutes to go from booting to install to reboot. OpenBSD's footprint is so small you'll see similar build times particularly when you leave off X Window.
What are the desktop GUI environments or window managers available on OpenBSD that are comparable to those on Linux? I see a mention of running X as a user, but nothing more.
What about desktop hardware support? Does it have working drivers for different WiFi chipsets, video cards, trackpad, etc. (referring only to x86 based systems)?
> What are the desktop GUI environments or window managers available on OpenBSD that are comparable to those on Linux?
I'll answer this honestly;
All of the X11 based ones until SystemD and wayland came about are essentially supported or working. Gnome created a hard dependency on systemd and thus can't be used any longer on openbsd.
Wayland (and thus; Sway) is not supported by OpenBSD.
But i3, xmonad, KDE4, XFCE4 and cwm are all running flawlessly and I used them before on OpenBSD myself.
I think even Budgie works, but I've not tried that myself.
> What about desktop hardware support?
Hardware support is obviously up to whatever you have. I can only share my experiences and I had a thinkpad x201. Which was obviously very well supported.
However there is a caveat to that: the drivers were indeed supporting the hardware very well BUT OpenBSD does not support bluetooth in any form (citing the fact that bluetooth is a horrible standard and implementing it simply; has never been done and would be hard/impossible).
WiFi was relegated to 802.11g (not 802.11n despite my hardware supporting it). Support for N was added a couple of years ago (after it had been widely adopted for more than half a decade by other OS's). I wouldn't hold my breath for AC support given that.
I use FreeBSD. It works fine, and I've configured it to be secure.
Is there any reason for me to move over to OpenBSD? I don't care about minimal or some reasons like that, I already have Alpine linux for that. Any other reason(s)?
I've used both as desktop systems. I can't really quantify it, but I feel like OpenBSD "feels" better on a laptop or desktop. Maybe because their developers focus more on that as opposed to thinking only of servers? I don't know. Anecdotally, I have had a few systems where wifi or graphics work better, or sooner, on OpenBSD. Sometimes FreeBSD support has appeared later in these cases. (eg. A few years ago, FreeBSD's Intel graphics driver was way behind, but it's since caught up.)
But there are downsides. Upgrading OpenBSD can feel painful to the point where I put it off (though it's getting better). You may have to randomly re-write a config file at upgrade time, or sometimes release-to-release they will remove useful features, like Linux emulation a few years ago. FreeBSD ports and pkg sometimes have stuff that I don't see in OBSD's ports tree.
I think to answer the question you'd need to take a look at what features, hardware support, and ports you need, and how well OpenBSD does or doesn't suit it. Maybe try out OBSD on a USB stick or something and see how you like it.
Dead simple. Fixed latency that you set when you run the sound daemon. Same API with the sound daemon in or out. You can yank it out and the programs get to use the same interface for both audio and mixer. So nothing like the pointless ALSA mixing interface laying around when you run pulseaudio. It all works transparently.
[+] [-] vbezhenar|7 years ago|reply
[+] [-] pjmlp|7 years ago|reply
[+] [-] doublepg23|7 years ago|reply
[+] [-] upofadown|7 years ago|reply
Turning on soft dependencies can help:
* https://www.openbsd.org/faq/faq14.html#SoftUpdates
[+] [-] h1d|7 years ago|reply
[+] [-] JdeBP|7 years ago|reply
[+] [-] apostacy|7 years ago|reply
[+] [-] JohnFen|7 years ago|reply
[+] [-] johnr2|7 years ago|reply
[+] [-] jolmg|7 years ago|reply
[+] [-] craigsmansion|7 years ago|reply
[+] [-] enriquto|7 years ago|reply
[+] [-] KAKAN|7 years ago|reply
[+] [-] Crontab|7 years ago|reply
[+] [-] gjs278|7 years ago|reply
[+] [-] avar|7 years ago|reply
1. https://why-openbsd.rocks/fact/file/
2. https://why-openbsd.rocks/fact/pledge/
[+] [-] gbrown_|7 years ago|reply
It does use pledge(2) these days, those references are to how file(1) was sandboxed before. Why the author has linked to that I don't know.
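The order of operations asked about earlier in the thread for file(1) (open the inputs, give up everything else, then parse), as an added example that is not OpenBSD's file(1) source. The signature table and function names are constructed for the illustration, and the pledge(2) call is compiled only on OpenBSD; elsewhere `restrict_to_stdio` is a stub.

```c
#include <stdio.h>
#include <string.h>
#ifdef __OpenBSD__
#include <unistd.h>                      /* pledge(2) */
#endif

/* Constructed signature table; the real file(1) reads its magic database. */
struct magic { const char *name; const char *sig; size_t len; };
static const struct magic table[] = {
    { "PNG image",    "\x89PNG\r\n\x1a\n", 8 },
    { "ELF binary",   "\x7f" "ELF",        4 },
    { "PDF document", "%PDF-",             5 },
    { "gzip data",    "\x1f\x8b",          2 },
};

/* Step 2: keep only I/O on descriptors that are already open.
 * Returns 0 on success, -1 on failure. Outside OpenBSD this is a stub. */
int restrict_to_stdio(void)
{
#ifdef __OpenBSD__
    return pledge("stdio", NULL);
#else
    return 0;
#endif
}

/* Step 3a: the parser proper, operating on untrusted bytes only. */
const char *classify_bytes(const unsigned char *buf, size_t n)
{
    for (size_t i = 0; i < sizeof table / sizeof table[0]; i++)
        if (n >= table[i].len && memcmp(buf, table[i].sig, table[i].len) == 0)
            return table[i].name;
    return "data";
}

/* Step 3b: read from a stream that was opened before the restriction. */
const char *classify_stream(FILE *fp)
{
    unsigned char head[8];
    size_t n = fread(head, 1, sizeof head, fp);
    return classify_bytes(head, n);
}

int main(int argc, char **argv)
{
    if (argc != 2) {
        fprintf(stderr, "usage: %s file\n", argv[0]);
        return 2;
    }
    FILE *fp = fopen(argv[1], "rb");     /* Step 1: open while unrestricted */
    if (fp == NULL) {
        perror(argv[1]);
        return 1;
    }
    if (restrict_to_stdio() == -1) {     /* from here on: no open(), no exec */
        perror("pledge");
        return 1;
    }
    printf("%s: %s\n", argv[1], classify_stream(fp));
    fclose(fp);
    return 0;
}
```

A parser bug triggered after step 2 runs in a process that can no longer open other files or execute programs; on OpenBSD a pledge violation kills the process.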
[+] [-] teknopurge|7 years ago|reply
[+] [-] Tepix|7 years ago|reply
Signify sounds great. It has been ported to Linux: https://github.com/Blitznote/signify
[+] [-] asveikau|7 years ago|reply
[+] [-] claudiawerner|7 years ago|reply
[+] [-] Isobit|7 years ago|reply
[+] [-] snazz|7 years ago|reply
[+] [-] gilrain|7 years ago|reply
[+] [-] nwmcsween|7 years ago|reply
* ASLR - every modern OS has some form of this.
* FDE - there are reasons (IIRC) FDE is better at FS level than block so this is sort of a negative.
* LibreSSL - OpenSSL API is still a tire fire.
* PIE - Possible on IIRC fbsd, nbsd, linux, etc.
* UTF-8 only libc - there are issues here, such as strcasecmp.
* noexec - IIRC this has been cross OS since the dawn of time (at least early 2000's).
* pledge - pledge is cool, I'm trying to implement something similar using google kafel and a macro that turns `vow(id, kafel_string, flags)` into a compile time bpf filter.
* strlcpy - is sort of junk as it has to iterate over ALL of src so for example strlcpy(d, "superlongstring...", 2) will read all of "superlongstring..."
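The strlcpy point in the list above, as an added example that is not from the thread: `demo_strlcpy` follows the strlcpy contract (return `strlen(src)`) and counts the source bytes it touches, next to `demo_bounded_copy`, a hypothetical helper that stops at `size` and reports truncation with -1. The function names and the read counter are assumptions made for the illustration.

```c
#include <stddef.h>
#include <stdio.h>

/* Instrumentation for the demo: source bytes examined by the last call. */
static size_t src_bytes_read;

/* Same contract as strlcpy(3): copy at most size-1 bytes, NUL-terminate when
 * size > 0, return strlen(src). The caller detects truncation by checking
 * ret >= size, and producing that length is what forces the full walk of src. */
size_t demo_strlcpy(char *dst, const char *src, size_t size)
{
    size_t i;

    src_bytes_read = 0;
    for (i = 0; src[i] != '\0'; i++) {
        src_bytes_read++;
        if (i + 1 < size)
            dst[i] = src[i];
    }
    src_bytes_read++;                 /* the terminating NUL is read as well */
    if (size > 0)
        dst[i < size ? i : size - 1] = '\0';
    return i;
}

/* Hypothetical bounded variant: never reads more than size bytes of src.
 * Returns the number of characters copied, or -1 if src did not fit. */
long demo_bounded_copy(char *dst, const char *src, size_t size)
{
    size_t i;

    src_bytes_read = 0;
    for (i = 0; i < size; i++) {
        src_bytes_read++;
        dst[i] = src[i];
        if (src[i] == '\0')
            return (long)i;
    }
    if (size > 0)
        dst[size - 1] = '\0';         /* truncated: keep dst terminated */
    return -1;
}

/* Helpers that expose the read counter so the two can be compared. */
size_t strlcpy_reads(const char *src, size_t size)
{
    char dst[64];
    demo_strlcpy(dst, src, size < sizeof dst ? size : sizeof dst);
    return src_bytes_read;
}

size_t bounded_reads(const char *src, size_t size)
{
    char dst[64];
    demo_bounded_copy(dst, src, size < sizeof dst ? size : sizeof dst);
    return src_bytes_read;
}

int main(void)
{
    const char *src = "superlongstring...";   /* the string from the comment */

    printf("strlcpy-style, size 2: %zu source bytes read\n", strlcpy_reads(src, 2));
    printf("bounded copy,  size 2: %zu source bytes read\n", bounded_reads(src, 2));
    return 0;
}
```

The full walk matters beyond speed: if `src` is not NUL-terminated, a strlcpy-style copy keeps reading past the end of the source buffer no matter how small `size` is.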
[+] [-] technofiend|7 years ago|reply
[1] https://www.openbsd.org/octeon.html
[2] https://codeghar.com/blog/openbsd-network-gateway-on-edgerou...
[3] https://www.amazon.com/dp/B013CCTM2E/ref=cm_sw_em_r_mt_dp_U_...
[4] https://www.amazon.com/dp/B01N0LMWGQ/ref=cm_sw_em_r_mt_dp_U_...
[5] https://protectli.com/4-port/
[6] https://tech.mangot.com/blog/2018/11/08/showing-a-gigabit-op...
[+] [-] wtmt|7 years ago|reply
[+] [-] dijit|7 years ago|reply
[+] [-] zolotarev|7 years ago|reply
For example:
# pkg_add gnome
Ethernet drivers: https://man.openbsd.org/?query=ethernet&apropos=1&sec=4
Wireless drivers: https://man.openbsd.org/?query=wireless&apropos=1
Video drivers: https://man.openbsd.org/?query=video+driver&apropos=1&sec=4&...
[+] [-] KAKAN|7 years ago|reply
[+] [-] asveikau|7 years ago|reply
[+] [-] verbatim|7 years ago|reply
[+] [-] moviuro|7 years ago|reply
* LibreSSL (most Linux distros use OpenSSL, YMMV)
* License (GPL, GPL everywhere)
* PID randomization
* Priv sep (for some package managers, for example)
* Swap encryption (probably opt-in, so not default)
* UTF-8 only
* W^X Memory
* autoinstall (though ansible and co. might help)
* base system (it's GNU/Linux after all, not just GNU nor Linux -- some outliers)
* doas(1) (yeah, sudo(1) was made in OpenBSD, but they ditched it)
* pf (http://man.openbsd.org/pf.conf.5)
* pledge
* signify (most distros use GnuPG instead) (though porting it should be a breeze)
* unveil
Unveil, pledge, and co. probably have AppArmor/SELinux counterparts, but adding layer upon layer makes the whole thing brittle. Unveil, pledge, etc. are built into all base utils (see also base system concept).
[+] [-] srfilipek|7 years ago|reply
Guess I'll need to submit a merge request.
[+] [-] gbrown_|7 years ago|reply
[+] [-] knorker|7 years ago|reply
1) It's not W^X. W^X implies read-only pages are not possible, and they are.
2) They "invented" that, what 5-10 years after Linux?
[+] [-] meruru|7 years ago|reply
[+] [-] karlmcguire|7 years ago|reply
[+] [-] upofadown|7 years ago|reply
[+] [-] Jenz|7 years ago|reply