
Why OpenBSD Rocks - ProfDreamer
https://why-openbsd.rocks/fact/
======
vbezhenar
I can confirm that acme-client so far is the only sane client I've seen. No
nonsense of multi-megabyte downloads of endless Python scripts or esoteric
bash scripts. Just good old C tool as it should be. Every *nix should use it
by default.

~~~
pjmlp
I am not a big fan of C, but those Python/JavaScript based GUIs that fade to
black at every button click really make me miss the days when all GUI tooling
in UNIX was written in C.

------
apostacy
I totally respect OpenBSD and their commitment to security and stability.
However, the thing holding me back is that they've dropped some features over
the years that I relied on.

I used OpenBSD on a netbook and it was awesome. But I really needed 32-bit
Linux binary compatibility, and I was also one of the 3 people who used
bluetooth. Both of these features were removed entirely. I wish there was a
way I could "live dangerously" and have access to them again. I would love to
have access to bluetooth based serial terminals, and use my favorite keyboard.

------
doublepg23
I was actually playing with OpenBSD while stuck with the flu.

The good:

* ifconfig handling everything is brilliant. Having one tool to do networking, including WiFi(!) is great.

* the documentation is good. `man -k` normally gets you what you need.

* "base builds base" is pretty cool. I managed to rebuild base on a 1GHz single core BeagleBone Black in 48hrs.

the bad:

* Performance. I didn't think this would be a huge issue, however it's _much_ slower than Trisquel, Parabola and GuixSD running GNOME on a x200. WiFi also seemed slow.

* IPv6 seemingly didn't work, even when verifying my ifconfig setup.

* Filesystem. I don't expect them to add ZFS due to code size and license, but still using UFS is laughable. UFS seemed to have I/O deficiencies which exacerbated the performance issue.

* the _other_ documentation. While the manpages are good, information on the internet can be contradictory depending on it's age.

* No lsblk. This is more of a nitpick, but there is seemingly no way to get the right name for a disk without parsing through `dmesg` and guessing with partition number.

* pkg_add. It's extremely slow compared to apt even and separates it's parts out for seemingly no reason. Package management in general is somewhat awful.

~~~
h1d
I wonder though, if they don't have the manpower to optimize for desktop
usages, why don't they stick to server only?

I've tried to use it on a server some months ago (trying out OpenBSD every few
years because I do like the philosophy) but things behaved odd and slow, so I
just used FreeBSD and problems disappeared.

I'd like to see a completely server focused one instead of trying to do it all
and keep issues hanging loose.

~~~
ben_bai
Because they believe in dogfooding their software. So developers run it on
their desktops, as well as on their servers.

------
avar
Why does file(1)[1] need its own chroot sandbox instead of using the
pledge(2)[2] facility. They say:

> Think of the following: You download a random file from the internet and
> analyze it using file. If file has a security hole (local code execution for
> example), he can run attacks with his prepared file. Thats why the file
> utility is sandboxed and chrooted by default.

Isn't that exactly the sort of case where file(1) would open(2) the downloaded
file and its own database, and then proceed to drop all other access
privileges before doing any of the parsing of the untrusted file?

1\. [https://why-openbsd.rocks/fact/file/](https://why-
openbsd.rocks/fact/file/)

2\. [https://why-openbsd.rocks/fact/pledge/](https://why-
openbsd.rocks/fact/pledge/)

~~~
gbrown_
> Why does file(1)[1] need its own chroot sandbox instead of using the
> pledge(2)[2] facility.

It does use pledge(2) these days, those references are to how file(1) was
sandboxed before. Why the author has linked to that I don't know.

~~~
avar
Yeah, on closer inspection their page describing the sandbox links to the CVS
commit where the sandbox implementation was deleted in favor of tame(2), the
predecessor of pledge(2).

------
JohnFen
Since SystemD has become so prevalent in Linux, I've been looking longingly at
BSD. The only problem is that I have a large number of machines that I'd need
to move over, and it's a pretty intimidating amount of work. But I'm planning
on beginning the move, one system at a time...

~~~
jolmg
It impresses me that the hate for systemd persists even after so much time has
passed. I thought it was just inertia.

I see systemd as a framework to define and control services that is much more
robust than the old system that relied on scripting conventions. Why the hate?
What's people's ideal here?

~~~
enriquto
I am a newcomer to hating systemd. At first I was indifferent, an init system
cannot be so bad after all.

Fuck that. In the last two years, they have changed at least three times the
way that the option to delete the /tmp dir is specified. I understood the
configuration, edited it so that it did not delete the /tmp dir automatically;
and then, upon an innocent update the old config is overridden and the /tmp
dir is magically cleaned! This is infuriating. I have never felt actual,
physical, rage against any software in 25 years of using computers. That is,
until I met systemd!

I do not really care whether the init system is written in C or scripts. But
please, allow me to follow a simple logic. Scripts maybe are not very elegant,
but I can follow the init process end-to-end and understand where it does
that. I have honestly tried to do that with systemd and it is impossible. And
I am quite proficient in reading C code and bash scripts. I have a lot of
patience and I am willing to spend a few hours of my free time to understand
how a program is configured, by reading code if necessary. But this stuff is
just batshit crazy.

I can hear in my mind the smug voices of systemd developers saying "but why do
you even want to not delete the tmp files". That's not the fucking point
motherfuckers! I just want to control my computer.

~~~
redsavagefiero
A systemd conceptually is quite a good idea. However systemd is not that
systemd. Much rather go with rc.conf + script approach, disable all systemd
services, lock selinux against systemd socket activations and run a purpose
controlled environment. Avoiding systemd does force one to not use Linux as a
desktop..oh well.

~~~
enriquto
> Avoiding systemd does force one to not use Linux as a desktop

Why do you say that? You can even use gnome without systemd, but there are
still other desktops.

~~~
redsavagefiero
I have't looked at it rcently but the last time I checked systemd was the
'nice to have' that was mandatory for some of the software I associate with a
fully fuctional desktop which is not just a WM, DE (or not) and basic
applications like xterm , vim, etc...But you are right. You can run the linux
desktop like its 2007 without systemd on select distributions without screwing
around too much...of course don't add new software without researching
dependencies and default build options or you may end up with the worst of
systemd dependencies anyway. At that point I just run KDE on FreeBSD.

------
teknopurge
Anything that matters for us runs either on OpenBSD or behind it. almost 20
years now. Zero fucks given. Theo is the type of dev manager I want for my
projects.(aggressive, opinionated, solid)

------
Tepix
Nice list. They may want to take Spectre off the list, however. It seems only
hardware fixes actually work:
[https://arxiv.org/pdf/1902.05178.pdf](https://arxiv.org/pdf/1902.05178.pdf)

Signify sounds great. It has been ported to Linux:
[https://github.com/Blitznote/signify](https://github.com/Blitznote/signify)

------
asveikau
I like openbsd and have used it happily for a long time, but it's not fair to
list sysmerge and syspatch as selling points. If we are being honest, other
systems have long had more automatic upgrade procedures and these two tools
are essentially minimalist ways of solving the problems with the old way.

------
claudiawerner
I found OpenBSD to be pretty amazing, and after trying it now and then I
finally loaded it onto my x220 to use it daily. Things worked fine, but I
realized the battery life was poor (even using the functionality, I think in
tpm, which regulates the clock speed to be slower) and support for what I
began to need (like the Eclipse IDE) was shoddy. Unlike many others, I don't
have much to say about the documentation, but that's also an endorsement for
the system itself - I didn't need to access it more than once or twice.

Support for other file systems, which is a part of life for me, was pretty
lacking; for me, ext4 write support and fat32 read/write isn't essential but
would have been enough to stop me from moving back to GNU/Linux.

In the end, it looks like a great system but it just didn't fit my needs, just
as, for instance, NixOS (and Guix) didn't fit my needs when I wanted a custom
XKB layout.

~~~
Isobit
Haven't tried a custom layout myself (only xkbOptions), but it should be
fairly straightforward to use a custom xkb layout with NixOS:
[https://nixos.wiki/wiki/Keyboard_Layout_Customization](https://nixos.wiki/wiki/Keyboard_Layout_Customization)

------
nwmcsween
The points aren't OpenBSD specific though:

* ASLR - every modern OS has some form of this.

* FDE - there are reasons (IIRC) FDE is better at FS level than block so this is sort of a negative.

* LibreSSL - OpenSSL API is still a tire fire.

* PIE - Possible on IIRC fbsd, nbsd, linux, etc.

* UTF-8 only libc - there are issues here, such as strcasecmp.

* noexec - IIRC this has been cross OS since the dawn of time (at least early 2000's).

* pledge - pledge is cool, I'm trying to implement something similar using google kafel and a macro that turns `vow(id, kafel_string, flags)` into a compile time bpf filter.

* strlcpy - is sort of junk as it has to iterate over ALL of src so for example strlcpy(d, "superlongstring...", 2) will read all of "superlongstring..."

------
technofiend
If you want to use Ubiquiti hardware but not Vyatta, OpenBSD supports the
Octeon processor [1]. In particular the edgerouter lite can be swapped to
OpenBSD [2] for the cost of the right USB stick [3] and a console cable [4].

Some people find the ERL's performance isn't sufficient to pass packets and
also host services such as radius or that the passive heat management on the
edgerouter isn't sufficient. In that case Protectli.com [5] makes appliances
with monster heat sinks on top and despite running an old ATOM processor can
push data at gigabit speeds [6] thanks to onboard Intel NICs.

Finally you can just grab any refurb wintel box, add a couple of Intel NICs
and throw away the windows license.

The great thing about OpenBSD is particularly for its typical roles of
firewall, load balancer, edge gateway, authentication server, etc it doesn't
require much CPU or storage.

I recently rebuilt a laptop with Windows from a USB 3 stick to an Intel M.2
NVME SSD. It took less than 5 minutes to go from booting to install to reboot.
OpenBSD's footprint is so small you'll see similar build times particularly
when you leave off X Window.

[1] [https://www.openbsd.org/octeon.html](https://www.openbsd.org/octeon.html)

[2] [https://codeghar.com/blog/openbsd-network-gateway-on-
edgerou...](https://codeghar.com/blog/openbsd-network-gateway-on-edgerouter-
lite.html)

[3]
[https://www.amazon.com/dp/B013CCTM2E/ref=cm_sw_em_r_mt_dp_U_...](https://www.amazon.com/dp/B013CCTM2E/ref=cm_sw_em_r_mt_dp_U_UewECb3Q86NVG)

[4]
[https://www.amazon.com/dp/B01N0LMWGQ/ref=cm_sw_em_r_mt_dp_U_...](https://www.amazon.com/dp/B01N0LMWGQ/ref=cm_sw_em_r_mt_dp_U_wgwECbSVDAYK5)

[5] [https://protectli.com/4-port/](https://protectli.com/4-port/)

[6] [https://tech.mangot.com/blog/2018/11/08/showing-a-gigabit-
op...](https://tech.mangot.com/blog/2018/11/08/showing-a-gigabit-openbsd-
firewall-some-monitoring-love/)

------
snazz
It does _just work_ (TM). Brightness and volume hotkeys work out of the box,
without a desktop environment (even on the console). WiFi, including
autojoining, works using a single ifconfig command or configuration file.
Suspend/resume works on my laptop without any configuration.

If you’re using it on a laptop, just make sure to use an older, less
ultrabook-like machine and you’ll be good.

~~~
gilrain
If you're willing to use old hardware for compatibility, any of the major *nix
flavors just work.

~~~
snazz
True. I was still impressed with how well-thought-out the laptop features were
without a desktop environment. I think it would be harder to get the same on
Linux without manually configuring the hotkeys and dealing with
wpa_supplicant.

------
wtmt
What are the desktop GUI environments or window managers available on OpenBSD
that are comparable to those on Linux? I see a mention of running X as a user,
but nothing more.

What about desktop hardware support? Does it have working drivers for
different WiFi chipsets, video cards, trackpad, etc. (referring only to x86
based systems)?

~~~
dijit
>What are the desktop GUI environments or window managers available on OpenBSD
that are comparable to those on Linux?

I'll answer this honestly;

All of the X11 based ones until SystemD and wayland came about are essentially
supported or working. Gnome created a hard dependency on systemd and thus
can't be used any longer on openbsd.

Wayland (and thus; Sway) is not supported by OpenBSD.

But i3, xmonad, KDE4, XFCE4 and cwm are all running flawlessly and I used them
before on OpenBSD myself.

I think even Budgie works, but I've not tried that myself.

> What about desktop hardware support?

Hardware support is obviously up to whatever you have. I can only share my
experiences and I had a thinkpad x201. Which was obviously very well
supported.

However there is a caveat to that: the drivers were indeed supporting the
hardware very well BUT OpenBSD does not support bluetooth in any form (citing
the fact that bluetooth is a horrible standard and implementing it simply; has
never been done and would be hard/impossible).

WiFi was relegated to 802.11g (not 802.11n despite my hardware supporting it).
Support for N was added a couple of years ago (after it had been widely
adopted for more than half a decade by other OS's) I wouldn't hold my breath
for AC support given that.

~~~
brynet
> Gnome created a hard dependency on systemd and thus can't be used any longer
> on openbsd.

This isn't true, OpenBSD has GNOME 3.30.2 in ports. It maintains patches to
keep it working for users, who can install it with the meta package: pkg_add
gnome

6.4 has 3.28.2 in packages:
[https://www.openbsd.org/64.html](https://www.openbsd.org/64.html)

Antoine Jacoutot is the maintainer.

~~~
dijit
Oh, Amazing, I stand corrected. Thank you Antione!

------
KAKAN
I use FreeBSD. It works fine, and I've configured it to be secure. Is there
any reason for me to move over to OpenBSD ? I don't care about minimal or some
reasons like that, I already have Alpine linux for that. Any other reason(s) ?

~~~
asveikau
I've used both as desktop systems. I can't really quantify it, but I feel like
OpenBSD "feels" better on a laptop or desktop. Maybe because their developers
focus more on that as opposed to thinking only of servers? I don't know.
Anecdotally, I have had a few systems where wifi or graphics work better, or
sooner, on OpenBSD. Sometimes FreeBSD support has appeared later in these
cases. (eg. A few years ago, FreeBSD's Intel graphics driver was way behind,
but it's since caught up.)

But there are downsides. Upgrading OpenBSD can feel painful to the point where
I put it off (though it's getting better). You may have to randomly re-write a
config file at upgrade time, or sometimes release-to-release they will remove
useful features, like Linux emulation a few years ago. FreeBSD ports and pkg
sometimes has stuff that I don't see in OBSD's ports tree.

I think to answer the question you'd need to take a look at what features,
hardware support, and ports you need, and how well OpenBSD does or doesn't
suit it. Maybe try out OBSD on a USB stick or something and see how you like
it.

------
verbatim
How many of these items are not also available in a standard Linux
configuration?

~~~
moviuro
* KARL

* LibreSSL (most Linux distros use OpenSSL, YMMV)

* License (GPL, GPL everywhere)

* PID randomization

* Priv sep (for some package managers, for example)

* Swap encryption (probably opt-in, so not default)

* UTF-8 only

* W^X Memory

* autoinstall (though ansible and co. might help)

* base system (it's GNU/Linux after all, not just GNU nor Linux -- some outliers)

* doas(1) (yeah, sudo(1) was made in OpenBSD, but they ditched it)

* pf ([http://man.openbsd.org/pf.conf.5](http://man.openbsd.org/pf.conf.5))

* pledge

* signify (most distros use GnuPG instead) (though porting it should be a breeze)

* unveil

Unveil, pledge, and co. probably have AppArmor/SELinux counterparts, but
adding layer upon layer make the whole thing brittle. Unveil, pledge, etc. are
built-into all base utils (see also base system concept)

------
srfilipek
RETGUARD isn't mentioned, which is curious.

Guess I'll need to submit a merge request.

------
gbrown_
A more comprehensive list
[https://www.openbsd.org/innovations.html](https://www.openbsd.org/innovations.html)

~~~
knorker
I like how they list W^X as an innovation.

1) It's not W^X. W^X implies read-only pages are not possible, and they are.

2) They "invented" that, what 5-10 years after Linux?

~~~
admax88q
> It's not W^X. W^X implies read-only pages are not possible, and they are.

What? W^X implies that Write and Execute or mutually exclusive, can't have
both active at the same time.

> They "invented" that, what 5-10 years after Linux?

It's not so much that they "invented" it, but that they're much more diligent
about making sure all the base system and ports use it. It's enforced that
unless your file-system is mounted with "wxallowed" then any process that
tries to mark a page both writeable and executable will fail.

~~~
knorker
> What? W^X implies that Write and Execute or mutually exclusive,

The truth table for XOR also says that "neither write nor execute" is
impossible.

> It's not so much that they "invented" it, but that they're much more
> diligent about making sure all the base system and ports use

They've definitely taken it further, and turned on by default and all that,
which is great.

However they _did_ at the time say that they both invented it, and that it
couldn't be done on x86. Of course grsec had been doing it, including on x86,
for many years. Theo's defense of why they've not done things Linux has done
is that they're not interested in Linux, and don't look at it. Which is an
interesting way to assure you're "state of the art"; don't look at what others
are doing.

So both at the time and now they say they "invented" it.

Later of course they "invented" how to do it on x86, too.

------
Jenz
Wow! OpenBSD _security_ rocks!

------
meruru
I really, really want to use OpenBSD. I love everything they make. The one
thing that keeps me on FreeBSD/Linux is ZFS support.

~~~
karlmcguire
I really want to use OpenBSD too, the only thing keeping me on FreeBSD is
proprietary Nvidia support.

------
legosteen11
I wanted to install and try OpenBSD on my Librebooted Thinkpad T60, but
unfortunately it is not possible to use full disk encryption with a non-custom
Libreboot rom (you apparently need SeaBios instead of Grub2 for this to work).
I find it quite sad, because I think Libreboot + OpenBSD would be the ultimate
security and privacy-focused combo.

~~~
poolsuite
Let's hope they support RISC-V

------
upofadown
sndiod is pretty nice...

Dead simple. Fixed latency that you set when you run the sound daemon. Same
API with the sound daemon in or out. You can yank it out and the programs get
to use the same interface for both audio and mixer. So nothing like the
pointless ALSA mixing interface laying around when you run pulseaudio. It all
works transparently.

------
srfilipek
> Xserver without root permissions

There must have been a regression. There still was lingering suid root
binaries that OpenBSD got bit by recently.

I mean, it was security fix #1 for release 6.4:
[https://www.openbsd.org/errata64.html](https://www.openbsd.org/errata64.html)

~~~
chousuke
AFAIK that suid binary was used to enable starting the X server without a
display manager. It still actually ran as non-root.

~~~
ben_bai
It was setuid root but dropped privilege, but the dropping privilege came
after parsing the command arguments and doing initialization, so there was a
small time window while it still runs as root and in that time it could be
tricked into overriding any file.

------
zolotarev
Why OpenBSD?
[https://rgz.ee/openbsd/why.html](https://rgz.ee/openbsd/why.html)

See also: [https://rgz.ee/openbsd/](https://rgz.ee/openbsd/)

------
adulau
OpenBGPD is missing from the list. It's a great piece of software.

------
jimmy1
Many of the items on this list seem to be some variation of "random place in
memory so attackers can't guess"

It sounds nice, but can someone explain if there are any downsides?

~~~
snazz
Slightly slower? Mechanical hard drive boot times aren’t the best, but they’re
quite acceptable with an SSD. For my desktop use, OpenBSD seems plenty fast.

~~~
futureastronaut
I think you're confusing topics, randomized address space != random disk
reads.

Edit: To answer GP's question, you're probably already incurring a cache miss
if you're pointer chasing so in most cases there should be no effect on
performance.

~~~
oherrala
No, OpenBSD randomizes symbols on kernel and some libraries (for example
libc). This randomization is done on boot.

From
[https://www.openbsd.org/innovations.html](https://www.openbsd.org/innovations.html):

> Library order randomization: In rc(8), re-link libc.so, libcrypto, and ld.so
> on startup, placing the objects in a random order. Theo de Raadt and Robert
> Peichaer, May 2016, enabled by default since OpenBSD 6.0 and 6.2.

and

> Kernel relinking at boot: the .o files of the kernel are relinked in random
> order from a link-kit, before every reboot. This provides substantial
> interior randomization in the kernel's text and data segments for layout and
> relative branches/calls. Basically a unique address space for each kernel
> boot, similar to the userland fork+exec model described above but for the
> kernel. Theo de Raadt, June 2017.

------
ur-whale
How is NVidia GPU support on OpenBSD? Will OpenBSD run GPU-accelerated
TensorFlow or Torch?

~~~
swixmix
OpenBSD is written by OpenBSD devs for OpenBSD devs. Generally, if you're the
only dev who wants it then it's up to you to do it. If you let it go stale
then there's a good chance it'll be removed.

------
swills
How is OpenBSD performance these days?

~~~
snazz
Plenty serviceable as a desktop. That said, I run pretty lightweight software.
As with most OSs, an SSD is recommended. I made sure to pick out hardware
knowing it would be compatible; that might be the bigger issue.

~~~
zokula
If your operating system needs an SSD than you need a better operating system.

~~~
ben_bai
It runs on Luna-88k and people use it.

------
jwmjj
>If you install a library, there is no split between library and header files.
There is no zlib-dev package as an addition to zlib. You get everything at
once.

And that's good?

~~~
cat199
well, it's what happens if you actually install a package from source, and so
is congruent with what it really means to 'install <package X>'

seems preferable to accepting arbitrary segmentation of packages into subsets
based on some random package maintainers preference..

also, it's not 1993 and having 100kb of headers on my system is not really a
big deal.

~~~
defanor
But at the same time there are modern general purpose systems (Alpine in
particular, and Debian when it comes to GNU documentation) that wouldn't even
install documentation together with software. Priorities seem to vary quite a
bit.

~~~
JdeBP
That's a red herring. Debian's problems with such documentation were largely
the licences that it comes under, often requiring doco to be separately
packaged so that it could be placed in the "non-free" section. It is not
omitted by default _because it is doco_. It is omitted by default because the
Debian people do not classify it as free content.

------
knorker
Last time I tried the full disk encyrption [sic] it was an awful setup
compared to Linux.

> [https://why-openbsd.rocks/fact/meltdown-spectre/](https://why-
> openbsd.rocks/fact/meltdown-spectre/)

Uh, yeah. They did that, just like Linux did before them. I especially like
the reply to the announcement that was "uh… I hope you didn't spend these two
months coming up with that solution. We already did that for Linux, so you
could have just asked".

~~~
johnr2
> They did that, just like Linux did before them. I especially like the reply
> to the announcement that was "uh… I hope you didn't spend these two months
> coming up with that solution. We already did that for Linux, so you could
> have just asked".

Linux developers were told about meltdown/spectre right away, but OpenBSD
wasn't told until the end of the embargo over two months later.

[https://www.itwire.com/security/81338-handling-of-cpu-bug-
di...](https://www.itwire.com/security/81338-handling-of-cpu-bug-disclosure-
incredibly-bad-openbsd-s-de-raadt.html)

~~~
knorker
I think you misunderstood my whole point.

It appears that OpenBSD chose to spend months starting from scratch
researching exactly what needed to be mapped in virtual memory, instead of
just confirming the x86/x64 platform needs that were already researched and
published by that time.

I'm not talking about the two months (or whatever it was) Linux had as head
start. I'm talking about the post-publication ~two months.

