This is probably the single coolest feature of OpenBSD: “Also, Chromium on OpenBSD recently got unveil support. If you run it with --enable-unveil, Chromium will be prevented (at the OS level) from accessing anything other than your ~/Downloads folder.”
Does anyone know how this works with profiles / cache? Does this force something like incognito mode? Also does this mean you can't upload / select files outside of the Downloads folder?
That's really too bad -- are there no other FBSD alternatives that are maintained?
Also -- I am going to get flamed for this -- but a GPL license would have forced Google to upstream their Capsicum changes wouldn't it -- whereas the BSD license doesn't have such a mandate.
The GPL doesn't force people to upstream their changes, although it often has that effect. The GPL only forces you to give source downstream. If your customers never share the source with anyone else (and your upstream is not one of your customers) then your upstream will never get the changes. A good example of this is the game TOME. It has downloadable content that is licensed under the GPL. You get the source code when you buy the DLC. I've never seen anyone distribute it, though (and it's highly frowned upon in the community). The author has a weird idea of the GPL, though, so I don't think he really understands that anyone is allowed to distribute that code.
But in practice people usually freely distribute GPL code, so it's impossible to stop your upstream from eventually getting it.
It would be somewhat counterproductive to introduce yet another sandboxing mechanism just to work around a problem created by upstream, especially in the case of a mechanism as awesome as Capsicum :-)
Yes, the GPL license would force them to share their changes. Thing is, they wanted to upstream them anyway - AFAIK the problem is on the other (accepting) side.
Yes, I guess there is little doubt that Capsicum is the superior (compared to seccomp) capabilities framework, but if it's not used outside of FreeBSD's base (e.g. ssh, bhyve, etc.) then it is indeed a shame.
That's pretty cool. I wish Chromium supported this on Linux too. It seems more like a Chromium feature than an openbsd feature to me though? Linux programs installed via say flatpak have this on by default.
unveil(2) is an OpenBSD-specific feature, although you could accomplish something very similar with Linux and another sandboxing tool (or SELinux, but that might be overkill). I highly recommend you read the man page for unveil(2), it's very cool: https://man.openbsd.org/unveil
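To make the man-page reference concrete, here is an added example (not code from the article, the thread, or Chromium) of the pattern behind --enable-unveil: a program whitelists the directories it needs with unveil(2), then locks the list with unveil(NULL, NULL), after which every other path behaves as if it did not exist. The helper names and the UNVEIL_UNAVAILABLE code are this example's own; the weak declaration is only there so the file also builds on systems without unveil(2) and reports that the sandbox is unavailable.

```c
/*
 * Added example, not from the original thread: restricting a process to
 * ~/Downloads with unveil(2), the same kernel mechanism Chromium uses when
 * started with --enable-unveil.
 *
 * unveil(path, perms) whitelists a path; perms is a subset of "rwxc"
 * (read, write, exec, create).  unveil(NULL, NULL) locks the whitelist:
 * afterwards any path not unveiled fails with ENOENT, and no further
 * unveil() calls are permitted.  A real program unveils every directory
 * it needs (profile, cache, fonts, ...) before locking.
 */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

#ifndef __OpenBSD__
/* Assumption for portability only: outside OpenBSD there is no unveil(2).
 * Declaring it weak lets the example link and detect that at run time. */
int unveil(const char *path, const char *permissions) __attribute__((weak));
#endif

#define UNVEIL_UNAVAILABLE 2   /* this example's own status code */

int unveil_available(void)
{
#ifdef __OpenBSD__
    return 1;
#else
    return unveil != NULL;
#endif
}

/* Whitelist `dir` for read/write/create and lock the view.
 * Returns 0 on success, UNVEIL_UNAVAILABLE if the kernel lacks unveil(2),
 * -1 with errno set on failure. */
int restrict_to_dir(const char *dir)
{
    if (!unveil_available())
        return UNVEIL_UNAVAILABLE;
    if (unveil(dir, "rwc") == -1)
        return -1;
    if (unveil(NULL, NULL) == -1)   /* lock: no more unveil() allowed */
        return -1;
    return 0;
}

/* Try to open `path` read-only; return 0 on success, otherwise errno.
 * After restrict_to_dir(), anything outside `dir` yields ENOENT even if
 * the file exists, which is what the "can't select files outside
 * Downloads" question in the thread boils down to. */
int probe_open(const char *path)
{
    int fd = open(path, O_RDONLY);
    if (fd == -1)
        return errno;
    close(fd);
    return 0;
}

int main(void)
{
    char dl[4096];
    const char *home = getenv("HOME");
    snprintf(dl, sizeof dl, "%s/Downloads", home ? home : "/tmp");

    int rc = restrict_to_dir(dl);
    if (rc == UNVEIL_UNAVAILABLE) {
        puts("unveil(2) is not available on this system");
        return 1;
    }
    if (rc == -1) {
        perror("unveil");
        return 1;
    }
    printf("%s: errno %d\n", dl, probe_open(dl));
    /* /etc/passwd exists, but after the lock it reads as ENOENT. */
    printf("/etc/passwd: errno %d (ENOENT is %d)\n",
           probe_open("/etc/passwd"), ENOENT);
    return 0;
}
```

Run on OpenBSD, the second line prints ENOENT for /etc/passwd while the Downloads directory still opens; on Linux the program only reports that unveil(2) is unavailable, since there is no equivalent call to fall back to there.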
Yes, I am aware. I thought it was pretty obvious that when I said "it's a chrome feature" I didn't mean "unveil(2)" but being able to restrict access to the filesystem. Which is possible with both linux and openbsd, of course. Alas, the downvoters seem to disagree.
Yes, Ubuntu has it enabled by default - so Snaps are first class citizens on Ubuntu. I think the upcoming release of Debian may also have AppArmor by default.
> many features that require toil to achieve on FreeBSD, such as suspend on lid close, working volume buttons, and decent battery life, work out of the box on OpenBSD
Suspend on lid close worked out of the box for me on FreeBSD, on a ThinkPad X240. (Well, almost out of the box — had to disable the TPM in the firmware setup, otherwise the TPM would prevent it from waking up.)
There's NO WAY battery life could be better on OpenBSD though. OpenBSD is not even tickless!!
I measured the power consumption of the SoC with Intel's pcm tools, it's ~1W when idling in GUI on FreeBSD. Does OpenBSD even have pcm.x? ;)
> There's NO WAY battery life could be better on OpenBSD though. OpenBSD is not even tickless!!
FWIW FreeBSD idled hot on my ThinkPad X201 and X201s, where OpenBSD did not. I got more battery from a slim Linux than OpenBSD, but FreeBSD was by far the worst for battery life if you're comparing them.
Yes. I was looking at power optimisations at the time and those were suggestions. The issue was an idle load of 1.0 (nothing was noticeably taking CPU), and when I say idle I mean there was nothing being drawn on screen and the browser was closed.
I like how most of the configuration in this setup is very similar to how I configured systems as far back as mid-nineties. Most applications have a simple single config file, and a single responsibility, true to Unix' philosophy. My window manager needs haven't really changed during all this time. Add a nice launcher that indexes your system and you have most of everything you will need.
It's worth noting that SoftRAID for encryption is mutually exclusive with SoftRAID for redundancy: "Note that "stacking" softraid modes (mirrored drives and encryption, for example) is not supported at this time."[1]
On my desktop, I tried installing TrueOS and FreeBSD but kept having trouble with the install, then the applications and KDE, then the drivers; things were wonky. Installed OpenBSD a couple of times and it all (mainly) just worked. Eventually just stayed with OpenBSD and have been very happy, especially with the excellent documentation, ease of installation and ease of use. I heard the FreeBSD devs don't use it on their personal comps as much as OpenBSD devs do, and that kind of sealed the deal for me. Thinking back, it was even easier than most Linux installs I've done.
Thanks for the feedback! I've added a tidbit about syspatch, and also warned users about the (somewhat unusual) state of updates for third-party packages on OpenBSD:
I've tried a BSD laptop before, and my concerns always boil down to the same nonsense... can anyone offer some advice?
- How do I read ext4/FAT/etc. USB sticks from coworkers?
- Is 3D or video support good with AMD?
- Soundcard and full disk encryption? What about EFI boot?
- reading ext4 is possible but hard (OpenBSD doesn’t support journaling filesystems); you’re better off with ext2 or FAT
- video support with AMD GPUs is good, much better than NVIDIA
- OpenBSD has a good sound stack that supports most audio systems
- full disk encryption is easy to set up and mentioned in the article
- UEFI and GPT work wonderfully on recent versions
Question. I find it exceedingly useful that Mac OS has readline keybindings enabled in most (all? I can't think of any counterexamples, including the Spotlight overlay) of its text fields: control-A is head of line, control-E is end of line, etc. I've been using control-N and control-P to move between lines while editing this comment; it's simply a text field in Firefox.
Is it possible to turn on this functionality in OpenBSD?
Yep, cwm is maintained by the OpenBSD devs and is part of base, so you don't have to download a package for it. If you want, though, i3 is only a quick dl away.
I used to have a kind of complicated cwm setup, but I got tired of that and just use XFCE now. It runs great.
Ditto, but with JWM instead of XFCE. Minimalist, a rational set of functionalities, click-to-focus-and-raise, plus a CDE-like colorscheme borrowed from AIX.
As for the file manager, I use noice, but I wouldn't mind this ported to OpenBSD:
I can’t decide whether the old motif widgets are ugly as sin or not. But for whatever reason, I find the screenshot of that file manager to be salve for my soul. Probably just nostalgia.
I must say though that I’m just as glad Motif has mostly faded into history. It was... a challenging widget set to work with.
Now, I wish something like GNUStep had caught on. Maybe an independent BSD implementation.
Wow, that's good! I want to get a used X220 and a new 9-cell battery. If I could pull off 7-9h battery life I would consider it a great success. Btw I would be using only StumpWM, Firefox and Emacs. For media consumption I have MacBooks.
While this is a nice setup in case of a ThinkPad, this doesn't really work out on practically anything else. I get that a lot of the FOSS, or somewhat more specifically, the hardcore users use a ThinkPad, but the rest of the world pretty much doesn't (at least no longer since Lenovo bought IBM's spun-off computer bits). None of this stuff works on the generic MS Surface or Apple Mac stuff you see in 99% of the use cases where people are capable of installing an OS at all.
As nice as mobile support in OpenBSD is, and as nice as this guide is, it's still super niche :(
Apple is 10.4% of the current market. Lenovo, who you think nobody uses anymore, is 20.8%, twice as popular as Apple. The Surface is some fraction of the approx. 11% "other".
Remember we all live in bubbles. I couldn't have pulled market share out of my rear either; I had to look it up.
Perhaps those global numbers are relevant, I don't know. I don't see them (Lenovo) deployed that widely in my work environments (four companies, employed by one, servicing three others) I mostly see Apple, HP and Dell, and the odd Lenovo on-demand. Keep in mind that this is also in environments where docking stations are on the way out, which seems to correlate to certain device choices (I've read a few blogs about that, not sure which ones as it was a few months ago).
Maybe the market share assumes consumer and low-end models?
Actually, OpenBSD does work on the Microsoft Surface Go, thanks to Joshua Stein's driver work [0]. You're right that many systems will require a more in-depth setup than the ThinkPad in the article (Broadcom wireless and NVIDIA graphics are a challenge in particular), but many laptops work much better than you would expect.
I've had good luck getting it to boot on older Mac hardware; newer systems (especially with the T2 chip) may be harder.
I know some people consider lack of Bluetooth support a show-stopper, and maybe for some of them it actually is, and is actually worth the downsides of Bluetooth, but I think the practical effect is actually much smaller than one might think. While some needs are only filled by specific products, and those products only come with Bluetooth support for connectivity, most needs people imagine when bringing up lack of native Bluetooth support are easily supported (perhaps even better) with other connectivity options, and Bluetooth really does come with substantial downsides even on platforms that support it.
I, for one, have yet to encounter a "need" for Bluetooth that is not better filled by something other than system-native Bluetooth support, and am happy to avoid the negatives (e.g. security issues) by avoiding Bluetooth-only products. The one case in my life where the only option is Bluetooth is something that that is designed to connect to my Android smartphone, which is not (yet?) ready for OpenBSD anyway.
Your specific examples are special cases. The Surface is essentially a “Windows 10 machine”, and while Apple permits installation of Windows on Macs, other operating systems are specifically not supported. (And macOS is already BSD-esque anyway.)
These instructions will work fine on any normal, generic, PC laptop.
Unless you're on older unsupported macbooks, I'm not sure I'd run something that wasn't macOS unless under a VM. That's just me. Although, I don't like a lot of the direction, or lack of with macOS.
I'll probably put a new system together around mid next year (leaning Ryzen 2 near release). Will decide on Hackintosh, Linux or BSD at that time. Most likely hackintosh, but who knows. Linux (Elementary and Ubuntu) are finally around where I would want it for a primary desktop.
I was merely stating the general work-machine distribution in my direct and indirect environment. Perhaps they are special cases from the OS standpoint, but from the people point of view, those are the devices they have.
Every time someone posts something about OpenBSD, there is someone who will post how hardware support is a problem.
Maybe, not everything is supported, but on ThinkPad, almost all (if not all) hardware is supported, yes (lots of developers use these machines). However, I've run OpenBSD on very cheap laptops also, with the only thing unsupported usually being the wifi. This is easily solvable by buying a cheap/supported USB dongle for $10 or less.
OTOH, I've tried the most common Linux distro on a ThinkPad last week, and I couldn't even install because of the installer crashing (no, before anyone asks, the integrity was checked and it was OK).
> However, I've run OpenBSD on very cheap laptops also, with the only thing unsupported usually being the wifi. This is easily solvable by buying a cheap/supported USB dongle for $10 or less.
Are you saying that 10 USD is a show-stopper for you, or did you just not finish reading before you commented?
WiFi works fine on many non-ThinkPad laptops without any USB adapter, by the way. It's mostly Broadcom that causes issues.
As mentioned in TFA, running OpenBSD on mainstream, not-bleeding-edge PC laptops is pretty easy. I've been doing it with such machines (Dell, Compaq, ThinkPad, and most recently HP) for eight years. The last few years especially it has been easier to run OpenBSD than most Linux distros, actually. Hardly niche.
OpenBSD has been the most trouble-free laptop install choice I've ever had the pleasure to enjoy, and the smoothest upgrade experience without reinstalling as well (including upgrades of Windows, MacOS, and DOS).
I suppose it depends on your environment. In coffee shops and non-business-enterprise-y-buildings I mostly see cheap ass Acer, HP and Toshiba models for about 70% of the time, the remainder are Apple, Dell and the odd Surface.
I see more non-ThinkPads than ThinkPads, in coffee shops, in small consultancies, in startups, and in corp teams, but I see more ThinkPads than any other single brand except Macs, and I only see that many Macs because of all the hipster fullstack devs around me on a day to day basis.
Also X1 Carbon and T4XX series, for light/small laptop types, to say nothing of other X-series ThinkPads. I found a guy on Twitter recently, Roman Zolotarev, who runs a small job board and documents OpenBSD installation, configuration, and so on, for X1 Carbons in excruciating detail -- and apparently the detail is well beyond the needs of the typical install because X1 Carbons are evidently very well supported. My own T4XX is also very well-supported, as are those of other people I know personally who bought ThinkPads in that series for use with FreeBSD and OpenBSD after hearing about my positive experience.
I think most of the enterprises/medium businesses I deal with don't even have contracts with Lenovo at all. Mostly just Dell and HP, and depending on the type of work a lot of Apple too.
My spouse's employer just decided to kill its Dell contract for laptops and go with ThinkPads because Dell's warranty service is so limited/shoddy, and the reason cited is actually a common story. There are more Lenovo enterprise contracts than you think, and those that still use Dell aren't measuring all the costs or are getting very, very special deals.
However, my muscle memory has made it difficult to use ctrl + key versus command + key.
Is there an easy way (for example in Ubuntu?) to remap shortcuts so that copy and paste are command + C and command + V? Also, ctrl + C should still stop processes in the terminal, so it's not as simple as swapping ctrl and command for all processes... This problem has been bugging me a lot with Linux, and finding a solid solution would help a lot of OSX people switch to Linux more easily.
Doubtful. The command key does not need to exist; every other operating system gets along fine without it. Apple is not even consistent either: as soon as you open up their terminal, you're stuck in this bizarre land where you have to ctrl+c and cmd+c for different tasks. Linux splits paste into either a mouse click or shift+insert to avoid all this.
> you’re stuck in this bizarre land where you have to ctrl+c and cmd+c for different tasks
Which I find quite reasonable, personally. If I want to copy text, it's Command-C everywhere in the system, even in the terminal, with no Command-Shift-C or similar "hack". If I want to send a SIGINT to a program it's Control-C, as it should be.
> If you're even a little paranoid, you should start by overwriting the disk with random data. We'll assume your hard disk is sd0—you can use dmesg to check. The c suffix is OpenBSD's way of specifying the entire disk.
dd if=/dev/urandom of=/dev/rsd0c bs=1m
Can I check: why would you do this rather than using ATA SECURE ERASE command?
Having a blob of random data on my drive would mean crossing international borders is potentially unpleasant.
MacBook G4 sure... newer ones may have problems.
To new users/new hardware I would recommend a USB stick with the network installer; then try to install to the USB stick and check what is working.
You are tempting me to pick up one (or both) of my two favorite laptops I've ever owned: the 12 and 17 inch Aluminum PowerBook G4. Makes me wonder what kind of mods I can do to it now?
Just installed it on a late 2009 MacBook A1342 and everything works except the Broadcom Wi-Fi. Using an external Belkin stick supported by rum(4). Even the NVIDIA GeForce 9400m is functional both on the command line and in Xorg. The touchpad works out of the box with gestures and right-click and scrolling and the whole nine yards.
Newer Macs might be more challenging, with fancy proprietary chips and whatnot.
Be sure to enable apm(4) to not melt through your motherboard.
You don't need a third party blog, it's in the documentation[1]: "All versions of the AMD Athlon 64 processors and their clones are supported."
The other drivers are the ones you need to worry about -- check the man pages, which list the supported hardware. For example: https://man.openbsd.org/radeon.4
The attitude isn't "You shouldn't need documentation". The attitude is "OpenBSD should ship with documentation good enough that nobody feels the need to write up the results of sleuthing around".
Ryzen works great, and will likely improve over time. The Vega GPU that accompanies some models is unsupported, however; if you can get a slightly older AMD card things will be better on the graphics side, but this is only important if you care about some light gaming or desktop frills.