What every IT person needs to know about OpenBSD (2021)

>I am most sad about libressl, which is highly compatible with openssl yet profoundly better.

>but for unknown reasons this is yet to happen.

The reasons are very known. It's because libressl is not in fact "highly compatible with openssl."

Alpine: https://lists.alpinelinux.org/~alpine/devel/%3CCA%2BT2pCGFeh... (read the whole thread)

Gentoo: https://wiki.gentoo.org/wiki/LibreSSL

OPNsense: https://old.reddit.com/r/OPNsenseFirewall/comments/t4e5cp/op...

> profoundly better

How? Better/newer algorithms? Faster? Cleaner code? Better APIs?

I put OpenBSD on my router earlier this year to get in-kernel NAT64 support and to learn pf, among other things.

I’m massively regretting that choice due to the UFS root filesystem. Power outage? Hope you weren’t planning on your internet coming back up without manual intervention. Get ready to plug that keyboard in and type “fsck” manually at boot, and press “y” a few dozen times while it asks you questions about what to do with corrupted inodes. I hope none of that data is important to the correct operation of the system!

A filesystem lacking journaling support in 2023 is an absolute travesty given that the rest of the world has had this problem solved for 25 years or so.

Agreed and someone is working on the port.

Really hope this lands in -current.

It was updated just last month (June).

https://github.com/kusumi/openbsd_hammer2

Hammer2 might be a bit intrusive in the FS subsystem. Less than ZFS, for sure, but is not a trivial task.

Looks great in reader mode too. Thanks for your attention to structure and formatting :)

A more significant issue, in my experience, is that a lot of useful nonstandard APIs simply do not exist on the BSDs, under any name - or worse, exist with unstable names, so you have to #ifdef your source code to make it work with more than one release. There is no equivalent to Linux's "we do not break userland".

FreeBSD is generally assumed to be the least painful, but I usually don't even bother with that these days. If someone cares they can do the work.

In contrast, I find the installer refreshing. Yes, it's text-based, but it's streamlined and for most use cases all you have to do is hit Enter at the prompts. As for the partitioning, I don't know when you last installed OpenBSD, but, with the auto partitioning, you just hit Enter as well. If you wanted to customize the partitioning, it is a bit daunting for the uninitiated, but after you do it a few times it really is just as streamlined as the rest of the installer.

For me it was the other way around. In 2000/2001 I had zero experience with anything *nix apart from a couple of failures to get anything Linux to run, but on the first try with OpenBSD I managed to get it up and running in no time. I've always considered their installer to be simple, explaining, understandable and straightforward.

It's like an filter to determine whether the user is worthy enough to use OpenBSD. Last time I used OpenBSD must have been back in 2000, 2001. Extremely well built system and the impact it has had on the world is mind blowing. I later changed to FreeBSD which had a bigger community and better support for graphics drivers, etc.

The auto partitioning is a bit of a mess for sure.

Really no idea why it insists on splitting it into 5 partitions when just a seperate /usr/local mounted with the wxallowed flag is mostly fine.

Other than that though it's mostly just hitting enter a bunch of times if you ever want to give it a shot again.

the bit that resulted in me removing it from all my routers/firewalls was having to run "make world" and rebuild the entire OS to install security fixes

not at all practical on a router with a underpowered cpu and little disk

apparently the developers have had a change of heart here (previously they didn't believe in providing binaries for security fixes)

With OpenBSD in particular I like it because from the default install it's got a built in web server [1] which can handle most use cases. I can pretty much just put it anywhere and trust in the secure defaults that it provides, throw my own software on that server, and then have a pretty good standard from OS level to my own software on how secure that's going to be. It doesn't change much [2].

Linux doesn't really offer that. Yeah it's got PACKAGES that offer web server solutions (apache, nginx, whatever else) but then I gotta maintain those. I find myself having to patch everything on my OpenBSD boxes way less if I stick to how it seems to be intended to be used - When all I've got to maintain are my own secure os installation + configuration, and my own software that I wrote myself, literally no packages, it's really cool.

[1] https://man.openbsd.org/httpd.8

[2] https://www.openbsd.org/errata73.html

They're best suited for people who had a good experience with a BSD in the 90s and are sentimental about that. Otherwise, there's really no reason to go with them over a Linux system.

That's how I used CheatEngine back in the day. You would probe the game's memory looking for a value you can control (like health, item count, etc.) then increment/decrement it in game until you reliably found which location in memory was changing. Then you'd save it with a name and enjoy your cheat.

You're right! Moreover that's sort of how all exploits work if you really zoom out.

this works against exploits that need that offset pointer to to run any code at all

but doesn't work against something the user is voluntarily injecting as the user is quite happy to run the offset pointer locating code

Most games already use this (not as a security feature, but because the OS applies ASLR to them).

Is it better than sliced bread, no. But it does some things better than other systems.

First, it feels small enough that I understand what’s going on while still providing valuable services out of the box - a web server, load balancer/proxy, etc.

But more importantly the pieces all play together to make a unified system: the load balancer can do layer 3 by interacting with the system firewall, httpd works with the built in ACME client for TLS. All those pieces benefit from being part of the system as a whole, by having very consistent tooling and support - things are named very consistently and share flags across the system, and are backed by very high quality manpages.

Simply put it’s not perfect, nor revolutionary, but it gets a lot of things right.

Do you expect every article to assume that everyone reading it is ignorant of the topic? Then we would have same lines of introductory text in most articles which would be time-wasting since you can go and google the software that you don't know about.

It is just a linux distro. Not a handsome one either. "Every" IT person needs to learn how to use Windows Server first before jumping onto these things because 90%+ companies are using Windows Server.

> There is nothing that every IT person _needs_ to know about OpenBSD.

I absolutely agree. Such clickbait headlines are often strange. For a more macabre example, consider the headline "10 [things] you can't live without". This means that if you don't own these ten things, you will die.

It is a little weird seeing Peter N. M. Hansteen of all people use a clickbaity headline, but it's still not a bad thing to be aware of at least. The man will evangelize his favorite thing, he's a nice fellow.

I think OpenBSD will still be relevant outside of its own OS realm as long as people are still using software that comes from the project (openssh, tmux etc).

> Most probably do not know it exists, and there is no consequence.

i can relate with the first part, but the second seems rather far fetched

I agree. To underline the futility of this article, the factoid it leads with was how many years OpenBSD has been around. That bit of trivia is completely irrelevant and has no technical meaning or direct implication. No one ever asked during unscheduled downtime "quick, does anyone know how many years OpenBSD has been around for?"

Every single time I see something related to BSDs, I think the same. How tiring...

For more than a decade, every single thing related to BSDs has been largely irrelevant. Every. Single. Thing.

Nobody cares about that, the only thing BSDs had was their license (vs. the GPL), and that's not entirely clear to have been good at all for the ecosystem (because, clearly, Linux has enjoyed a much greater development). Nowadays, even in embedded it's either Linux or RTOS, nothing like BSDs at all, so the GPL is clearly a non-issue.

From the chronological perspective of a few months! Not even a year.

FreeBSD has certainly received a lot more development hours compared to NetBSD.

It would be interesting to read a write-up one day where all the BSDs say what they grew since their initial releases.