
An Introduction to OpenBSD [video] - asicsp
https://blog.lambda.cx/posts/openbsd-introduction-talk/
======
brobdingnagians
I've grown to love OpenBSD recently (and BSDs in general). I started life
using Windows all the time, switched to Linux when I went to university, had a
fling with Macs for a few years, then was almost exclusively on Linux again for
years. In the last several years I discovered the BSDs, and OpenBSD is now my
daily driver. It is so beautifully simple. Configuring a secure server is
easy. The config files are consistent. It just works.

I highly recommend installing and playing around with it. Like Lisp, even if
you don't go permanent with it, the encounter will change how you think and
what you expect in terms of elegance from every other system you use.

~~~
valarauko
I've been on Linux for many years, and have been growing curious about BSDs,
but confused over the various BSD variants. I'm still unclear on how exactly
BSDs are superior to Linux. Could you shine a light on the different BSDs, and
perhaps a recommendation?

~~~
owenmarshall
The biggest thing you'll find over Linux (IMO) is the advantage of having one
team build things. Linux the OS is actually the Linux kernel + userspace
software, and those pieces are built independently. With the BSDs, the team is
building the userspace and kernel together. You end up with a small, well-
designed system that fits together nicely.

As an example, OpenBSD gives you an HTTP server, load balancer, and firewall
right out of the box – and they all make use of pledge(2) and privsep and
other security designs in a very consistent manner. And the documentation for
the whole system is top-notch: you can read their manpages and not have to
resort to Googling things.

I'd recommend you spin up OpenBSD on a VPC (try Vultr or DigitalOcean) and
kick it around.

~~~
danieldk
_Linux the OS is actually the Linux kernel + userspace software, and those
pieces are built independently. With the BSDs, the team is building the
userspace and kernel together. You end up with a small, well-designed system
that fits together nicely._

That's a blessing and a curse. While the BSD approach leads to more
consistency, the Linux approach allows the ecosystem to move faster. In BSD
projects, progress is often hampered, because proposals to drastically change
subsystems are met with inertia, and then nothing happens. In Linux the inertia
is there, but nobody stops people from implementing an alternative
implementation, because the pieces are relatively decoupled, and then
convincing distributions to adopt the replacement.

This is why the Linux ecosystem went from System V init -> Upstart -> systemd.
Similarly, X11 -> Mir/Wayland -> Wayland (although Wayland could be adopted as
a default on BSDs as well). Or chroot -> LXC -> Docker (or more generally
cgroups + user namespaces). Although controversial (every change leads to some
controversy), technically systemd and Wayland are substantial improvements to
their predecessors.

Of course, the downside is that the integration is left to the distributors
and the documentation may be inconsistent or uneven.

---

Another thing to take into account when looking at BSDs is that the BSDs have
far fewer contributors than the Linux ecosystem. So, you might find that it
lacks basic things such as 802.11ac support (though there has recently been
movement in FreeBSD again) or support for the newest GPUs.

------
lsofzz
OpenBSD is also a great choice for a firewall:
[https://www.openbsd.org/faq/pf/](https://www.openbsd.org/faq/pf/)

~~~
brobdingnagians
Highly recommend "The Book of PF" for anyone looking into OpenBSD as a
firewall. Lots of nice information in one place and helps showcase how
fantastic pf is.

------
protomyth
I use it for our network services except for file storage or the required OS of a
software vendor[1]. It is super easy to set up, and now that the upgrade story is
much easier, it really is a minimum-maintenance OS. Regenerating the system
and putting back the files needed to run is very straightforward.

1) I once thought enterprise software was the worst imaginable, but nothing
compares to government required software that only runs on Windows 2003.

------
jayp1418
I think the presentation got one thing wrong. npf (NetBSD's pf) is not based
on OpenBSD's pf.

~~~
rjsw
NetBSD used to contain an old copy of pf as well as ipf and npf.

------
gbrown_
OpenBSD does not do KASLR as far as I'm aware.

~~~
nargek
OpenBSD does have Kernel Address Randomized Link (KARL) since 6.2 [1].

[1][https://www.openbsd.org/62.html](https://www.openbsd.org/62.html)

~~~
gbrown_
Yes, which the linked piece covers, but it also says OpenBSD does _both_ KASLR
and KARL.

~~~
brynet
Yes, the author is incorrect in their slides: OpenBSD has userland ASLR; it
uses PIE by default and also created static-PIE, which are self-relocating
executables. There's also been a considerable effort to convert OpenBSD's
already privsep'd daemons to the fork+exec model, most having been completed,
expanding upon initial work done on sshd over 16 years ago.

------
traceroute66
OpenBSD is great. Except for Theo.

If you question Theo on anything, even something reasonable, you will incur
his wrath, and that of his henchmen (the clique of project devs that surround
him).

Case in point is the whole "Funding our Electricity" thing: (a) Theo insists
on keeping their test lab in his own house, (b) Theo insists on supporting
obscure archaic architectures, (c) Theo claims on list to have incurred 20,000
dollars of electricity that year, (d) Theo refuses to answer reasonable
questions, such as cost breakdown, why the equipment can't be moved elsewhere,
why the insistence on obscure architectures. Or when he does answer, it's
essentially "my way or the highway".

OpenBSD is great, no doubt about that. But the whole Theo & friends clique
needs to change.

~~~
lizknope
I think this is his equipment rack in his basement from 2009. The image is
from the official OpenBSD web site.

[http://www.openbsd.org/images/rack2009.jpg](http://www.openbsd.org/images/rack2009.jpg)

Security is an important issue to them so they feel they need physical direct
control of the hardware and don't want it located somewhere else.

Also some of the equipment is old and may not survive being transported.

I remember them saying that alignment and endian issues can only be found when
compiling and running on the actual hardware. Cross-compiling to a different
arch and emulators don't catch the same bugs.

~~~
wil421
No wonder someone mentioned how expensive his electricity bills were. Some of
those older machines eat some power. I was looking at old Silicon Graphics
servers, but the noise and power consumption were too much.

~~~
cbm-vic-20
That's some "cops kick down the door to shut down your illegal marijuana grow
operation" level of electricity use.

------
rawoke083600
OpenBSD is brilliant, and I'm sure it runs on a multitude of network hardware
that you don't even know you encounter on a daily basis!

Given that this is HN, many of the readers might already know the "story" and
I'm sure it has been told many, many times... but I will tell it anyway since
it's so funny (to me at least). Also, we probably should not admire or approve
of this sorta behaviour.

Right so disclaimer out of the way, the story goes that:

Someone once incurred Theo de Raadt's (main guy at OpenBSD) ire by asking the
wrong question at the wrong time, and Theo de Raadt hacked his router and
remotely remapped his keyboard.

Now that is funny - wrong, but funny :)

~~~
Simon_says
Given that that anecdote is a criminal allegation against a living person, you
should provide a source or STFU.

~~~
jascii
It is only a criminal allegation if there were indeed laws against it at the
time and in the jurisdiction at hand.

Playing "practical jokes" with each other's systems was a fairly common
occurrence in the hacker scene back in the day...

~~~
rawoke083600
Exactly THIS! I remember "taking over IRC channels" back in the 90's, remember
"ping flood", only to lose it again a few hours later. Guess you had to be
there to appreciate the time and the culture.

It was a joke and not a declaration of war or a "federal crime". When did
geeks get so serious :/