
OpenBSD 6.5 - vetelko
http://openbsd.org/65.html
======
pimeys
Been running 6.5 snapshots in my travel laptop for some weeks and everything
just works. The laptop is a ThinkPad X200 which is a bit slow for my needs,
but upgrading it to ThinkPad X230 later this week should help.

I really enjoy how simple the system is after all these years with Linux. I
will always continue using Linux in my main computers, but for surfing, some
hobby programming and as a travel OS OpenBSD definitely won me over.

And I guess it runs quite nicely in the X250 and T450 tier already, maybe even
newer ThinkPads. And when I say runs, I mean runs much nicer than many Linux
distributions with their default installation.

~~~
sdfsdfsdfsdf3
Odd that you put this on the travel laptop and not the desktop; I imagine for
most OS polyglots it's the inverse for things like battery life, touchpad
drivers, webcam driver. Am curious why not make the switch on desktop? Same
semantics? Same dotfiles?

Do you use the same window manager across both linux and openbsd?

Also what's the "much nicer" you refer to.. Please sell me

~~~
pimeys
Oh, I need Docker a lot. And our target platforms are Linux and OSX, so I just
want to have some kind of standard OS on Desktop.

Also stuff like Signal, Spotify etc. I still haven't been able to get running
on OpenBSD, maybe some day...

Nicer in a way that setting up the wifi, suspend et al. just works. And is
very easy.

~~~
fulafel
All the OS X users seem to be content running Docker in a Linux VM. It's more
secure that way too, fitting with OpenBSD mentality :)

Doesn't help with the desktop OS part though.

~~~
pimeys
OpenBSD does not yet have kvm support, so you can run qemu, but it'll be very
slow.

~~~
gbrown_
OpenBSD has its own hypervisor these days
[https://www.openbsd.org/faq/faq16.html](https://www.openbsd.org/faq/faq16.html)

~~~
infiniteseeker
Do you know how VMM performance compares to something like KVM2?

~~~
dijit
KVM has more than a decade of performance enhancements from companies like
rhel/intel/google.

It will definitely perform better. But that doesn't mean you shouldn't
experiment and see if the performance hit is something you can accept.

------
ixtli
Of all of the places a Bee and Puppycat fan might expect to find Natasha
Allegri's work ... release art (?!) for OpenBSD 6.5 is perhaps the last I
would have expected.

~~~
cpach
I love it when software projects do whimsical artwork like this :)

~~~
ixtli
It's pretty great. As someone said below: I'd buy a tshirt.

~~~
neilv
There's a funny story by Linda Branagan, of an earlier BSD T-shirt:
[https://www.astro.umd.edu/~avondale/extra/Humor/ComputerHumor/Daemons.html](https://www.astro.umd.edu/~avondale/extra/Humor/ComputerHumor/Daemons.html)

~~~
ixtli
This confirms a whole host of my baseless presuppositions about things. Mostly
Texas.

~~~
neilv
The story is written so well, I'm not sure it's not a bit embellished. :)

Anyway, there's all kinds of people, everywhere, and I don't think those two
characters are representative of Texas as a whole. Texas has a lot of
diversity, a lot of good work comes out of there, and people are generally
decent and not like the extremes that sometimes percolate to the TV news.

Also, to the extent that Texans overall might tend to have qualities like,
e.g., valuing principles and individual responsibility, I think that's good
input to have, in a diverse marketplace of ideas (even though it might not be
quite my own current thinking).

(Please pardon the straight response, on a humor tangent, but I felt a little
bad when I realized I'd invoked a stereotype, and I felt I should clarify.)

------
jancsika
Oh my, what is the story behind the piece of artwork in this release?

The buzz around OpenBSD always led me to believe it's developed by mole people
who subsist on cryptographically secure random donations of soda crackers and
water.

Yet here on their release page is a big beautiful image that _precedes_
technical release desiderata.

Can more projects do more beautiful artwork like this?

Also, can I support OpenBSD by buying a tshirt with this artwork on it?

Edit: Just noticed that the stem of the "p" in "OpenBSD" is not obscured by
the underline (at least in Chrome). That, along with the italic "Open" with
non-italic "BSD" is quite aesthetically pleasing. Is this due to a design whiz
who got interested in BSD, or is this just HTML5 doing its thing?

~~~
naniwaduni
> Edit: Just noticed that the stem of the "p" in "OpenBSD" is not obscured by
> the underline (at least in Chrome). That, along with the italic "Open" with
> non-italic "BSD" is quite aesthetically pleasing. Is this due to a design
> whiz who got interested in BSD, or is this just HTML5 doing its thing?

This is just Chrome's default rendering of underlines, which occurs even with
no explicit styling:

    data:text/html,<u>upu

In my opinion, it's a cute stylistic effect which looks nice in headers &c.,
but feels inappropriate in running text. An odd default.

------
justinsaccount
> First release of unwind(8), a validating, recursive nameserver for
> 127.0.0.1. It is particularly suitable for laptops moving between networks.

When systemd-resolved was first released it was the biggest mistake ever to
write a new recursive resolver instead of using unbound or dnsmasq. Also since
DNS ".. wasn't broken, so it did not need fixing".

I wonder if unwind will be received with the same hostility.

~~~
asveikau
OpenBSD has done a few of these daemons over the years, where they reject
existing popular implementations to do their own with their own priorities. I
started typing a list but really there are too many, big and small. They tend
to have the OpenBSD minimalist, security focused, "no bullshit" approach.

It's not very much like systemd.

~~~
kbenson
In a way, OpenBSD isn't really written in C. It's written in a special subset
of C that uses some different, more secure core functions, and anywhere any
trade-off for performance instead of security is ruthlessly weeded out when
reviewed by the people involved.

I'm of the opinion that using C and C++ for future major work where there's
not good reasons forcing you to is more trouble than it's worth, but I
wouldn't mind if it was all done with the care and attention the OpenBSD
developers put into their projects.

~~~
tptacek
While I'm generally sold on the OpenBSD strategy of replacing mainstream
daemons with stripped down secure versions, I don't think it is at all
reasonable to suggest that OpenBSD's library idioms mean it's implemented in
something other than C (nor would it be reasonable to say that about Dan
Bernstein's software, which goes even further in this direction). It's still
C, and it still has memory corruption vulnerabilities.

~~~
kbenson
Sure. I just meant that since they adopt and _enforce_ the usage of secure
equivalents to some common functions (e.g. some string utilities), and along
with very strictly enforced rules about how code gets accepted, it's about the
best we can expect in some situations. Not everyone is willing to consider
using something other than C. I think the pragmatic approach is to point to C
projects that have been largely successful in their security approach. If it
causes them to adopt the onerous requirements for safe C, or to reevaluate
their position, I count those both as positive outcomes.

------
bigato
> Xorg(1), the X window server, is no longer installed setuid. xenodm(1)
> should be used to start X.

That is really great!

~~~
snazz
Does this mean that I can’t startx on a machine that I rarely use X on? Is a
display manager now required for running X?

From a security standpoint this makes sense, of course, but how are you
supposed to deal with a half-desktop-half-server system?

~~~
crest
No. It just means that startx no longer requires root to start X. It removes
setuid root from one more executable.

~~~
snazz
Even better. Then it’s a win-win.

~~~
snazz
I was incorrect: It appears that you do in fact need root to run startx now:

(quoting the faq page for upgrade65):

_Xorg(1). The Xorg binary is no longer installed setuid, so startx(1) can no
longer be used by non-root users. The xenodm(1) display manager has to be used
instead._
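The release note quoted above removes the setuid bit from one more binary. A defender's follow-up is to enumerate what is still setuid on a host after an upgrade. The following is an added example, not code from the thread or from the OpenBSD project: it walks a directory tree and reports regular files carrying the setuid bit, and builds a constructed temp-dir tree (mirroring the `/usr/X11R6/bin` path names only as labels) so it can be run offline.

```python
import os
import stat
import tempfile


def find_setuid_files(root):
    """Return the sorted paths of regular files under root whose setuid bit
    is set. os.lstat is used so symlinks are reported as themselves and never
    followed, keeping the walk inside root."""
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue                      # vanished or unreadable; skip
            if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID:
                hits.append(path)
    return sorted(hits)


def build_sample_tree():
    """Constructed stand-in for a filesystem: an 'old layout' Xorg marked
    setuid next to a plain xenodm. Returns (root, expected_setuid_path).
    The path names mirror OpenBSD's /usr/X11R6/bin but live under a temp
    dir; the file bodies are placeholders, not real binaries."""
    root = tempfile.mkdtemp(prefix="setuid-audit-")
    bindir = os.path.join(root, "usr", "X11R6", "bin")
    os.makedirs(bindir)
    xorg = os.path.join(bindir, "Xorg")
    xenodm = os.path.join(bindir, "xenodm")
    for p in (xorg, xenodm):
        with open(p, "wb") as f:
            f.write(b"#!/bin/sh\nexit 0\n")   # placeholder body
    os.chmod(xorg, 0o4755)     # setuid bit, as Xorg shipped before 6.5
    os.chmod(xenodm, 0o755)    # no setuid bit
    return root, xorg


if __name__ == "__main__":
    root, _expected = build_sample_tree()
    for p in find_setuid_files(root):
        print(p)
```

On a real host you would point `find_setuid_files` at `/` (or the bin directories you care about) and diff the output against the previous release's list; unexpected additions are worth a look, and expected removals such as Xorg confirm the upgrade took effect.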

------
doodpants
> Released May 1, 2019

Woah, it's from the future!

~~~
CameronNemo
I have done this before. Marked a release in the changelog set to two weeks in
the future, then installed from master and made sure nothing broke during
those two weeks.

------
eb0la
What!? They don't have OpenBSD t-shirts anymore !?!?!?!?! My old OpenBSD 2.3
tshirt (the wireframe daemon) will die soon and I need a replacement!

~~~
moviuro
[https://www.openbsd.org/artwork.html](https://www.openbsd.org/artwork.html)

> [...] This artwork emblazoned CDs and posters up until version 6.0, after
> which we stopped producing product and only release software on the
> internet.

See also [0]; you should be able to make your own t-shirt with official logos,
and donate as usual [1,2,3]

[0] [https://marc.info/?l=openbsd-misc&m=155439809001096&w=2](https://marc.info/?l=openbsd-misc&m=155439809001096&w=2)

[1]
[https://www.openbsd.org/donations.html](https://www.openbsd.org/donations.html)

[2]
[https://www.openbsdfoundation.org/campaign2019.html](https://www.openbsdfoundation.org/campaign2019.html)

[3]
[https://www.openbsdfoundation.org/donations.html](https://www.openbsdfoundation.org/donations.html)

~~~
kbenson
What's with the artwork thumbnails for the first row of the "CD-Rom era" (6.0 -
5.2) not matching the artwork shown at the top of the linked page when you
click it? Some of those look really interesting, but you get something
entirely different when you try to find a larger version.

------
ptidhomme
Just to say I also love this OS, although I'm very far from a hardcore hacker.

It just worked out of the box on that generic unbranded laptop I retrieved (no
touchpad though). I use Xfce which is well integrated, and the package manager
is plain simple and easy.

Definitely better experience than my previous Linux ones. Some penalty on
performance though.

PS : I've put it on my Raspberry Pi too.

------
fstephany
This is some serious OpenBSD artwork. I would love that they reconsider the
'no product' policy. I understand the logistical nightmare of pressed CDs
though...

~~~
badsectoracula
Well, at this point it'd be pressed dual layer Blu-rays though, I downloaded
the entire version and just the amd64 directories are around 45GB in size. I
do not understand why they feel the need to associate OS versions with 3rd
party packages though, why have an OpenBSD 6.5 version of -say- the 0ad game
instead of an OpenBSD version of it that you say it needs at least OpenBSD 6.5
(or whatever) version to run?

(same question about Linux distros in general, FWIW... I just do not see the
point of packaging so much stuff for a single OS version, it is like if
Windows did the same thing - ignoring licensing - Windows 10 would include
Photoshop, Steam, DOOM, Visual Studio, Maya, 3ds max and pretty much every
other program with a bit of popularity ever made)

Well, at least a single arch version still fits on a single disk medium, last
time I checked Debian needed several DL BDs (although perhaps a single BDXL
disk, once they become available, will work... assuming we also ever get
burners for those).

~~~
brohee
Packages are dependent on certain versions of system libraries, and binary
compatibility isn't a huge concern from version to version.

~~~
badsectoracula
Hence the "needs at least" part, or does OpenBSD break backwards compatibility
in every version for every package?

~~~
yellowapple
OpenBSD is particularly aggressive about breaking backward-compatibility, yes.
For example: the switch to a 64-bit time_t on 32-bit systems to stay ahead of
the Year 2038 problem.

------
Accacin
As a long time Linux user, I keep thinking about trying a BSD variant, but I
get hung up on two things. 1) Which do I pick? NetBSD? OpenBSD? 2) Hardware?
I'm thinking about an old ThinkPad for programming, and it looks like OpenBSD
at least should run fine on that. What's hardware support like overall?

~~~
pimeys
I just got a ThinkPad X230 with an IPS screen and an i7 CPU for 180 euros.
It's the last one with a non-ULV CPU, which means it's still quite fast. And
it all works perfectly, except maybe the bluetooth and fingerprint reader.
With a 9-cell battery you'll get easily enough hours of usage, with apmd I'm
clocking around 5-6 hours, which is fine for my use.

~~~
emgee_1
OpenBSD does not support Bluetooth

------
reacharavindh
I use OpenBSD as firewall appliance, router, SSH bastion, even a general
purpose terminal server that takes care of a few cron automated bash scripts.

For the typical workstation - being able to run Linux VMs, Docker/Containers
are a blocker for me to use OpenBSD. The closest I have got to the OpenBSD
experience is with Void Linux. No systemd, no frills minimal Linux. It is as
safe/bloated/feature rich as you configure it to be.

------
brobdingnagians
Good to see another version of OpenBSD out. I love it for servers, the easy
setup, solid package management, and security are first rate. The only reason
I can't switch to it for desktop is that the Jetbrains IDEs have some issues
due to no OpenBSD support Pty libraries, so debugging doesn't work, otherwise
I'd be a full convert.

------
gfiorav
I know this is pretty much a blanket question I could make about any distro
but:

Can anyone here share their "switch to BSD" story and what advantages it
offered over their departing distro?

~~~
ben_bai
[https://runbsd.info/](https://runbsd.info/)

------
quotemstr
Still no unified buffer cache. :-( The lack of coherence and memory reuse
between mmap(2) and read(2) is my single biggest beef with OpenBSD right now.
It's a great system in terms of robustness, documentation, and philosophical
unification. It's a shame its kernel still thinks Ronald Reagan is president.

~~~
DblPlusUngood
What coherence is lacking? OpenBSD supports msync(2), which is the only POSIX
mechanism I know of for ensuring coherency between read(2) and shared file
mappings. Otherwise relying on unspecified behavior sounds dangerous.

~~~
quotemstr
Oh, come on. Every other system in common use is fully coherent. POSIX
allowing OpenBSD's behavior doesn't make that behavior a good idea or a
quality implementation.

~~~
DblPlusUngood
OpenBSD's choice is arguably reasonable, given their prioritization of
security, since it reduces opportunities for user programs to corrupt kernel
memory.

What is the problem with OpenBSD's plan for coherency? Why is the burden of
explicitly calling msync(2) too much?
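The exchange above is about whether a write made through a shared file mapping is visible to a subsequent read(2) without an explicit msync(2). The following is an added example, not code from the thread: it writes through a MAP_SHARED mapping and reads the same bytes back with pread(2) while the mapping is still live, optionally calling msync(MS_SYNC) in between (Python's `mmap.flush()` issues that call). The sample file contents are constructed. Only the msync path is asserted, because that is the behaviour POSIX specifies; the no-msync result is what varies between a unified buffer cache and OpenBSD's separate caches.

```python
import mmap
import os
import tempfile

# Constructed sample file contents, exactly one page long so the offsets
# involved are easy to reason about.
PAGE_SIZE = 4096
SAMPLE = b"release notes: unwind(8), xenodm(1), KARL\n".ljust(PAGE_SIZE, b"\0")


def _temp_file_with_sample():
    """Create a temp file holding SAMPLE; returns (fd, path). The file must
    have its full size before it is mapped."""
    fd, path = tempfile.mkstemp(prefix="mmap-coherence-")
    os.write(fd, SAMPLE)
    return fd, path


def mmap_write_seen_by_read(use_msync=True):
    """Write through a MAP_SHARED mapping, then read the same bytes with
    pread(2) while the mapping is still alive. Returns what pread(2) saw.

    With a unified buffer cache the mapping and the read path share pages,
    so the write is visible at once. Without one, msync(2) with MS_SYNC is
    the POSIX-specified way to push the mapped write to the file so that
    read(2) observes it; calling it unconditionally is the portable choice.
    """
    fd, path = _temp_file_with_sample()
    try:
        m = mmap.mmap(fd, PAGE_SIZE, flags=mmap.MAP_SHARED,
                      prot=mmap.PROT_READ | mmap.PROT_WRITE)
        try:
            m[0:7] = b"UPDATED"          # store via the mapping
            if use_msync:
                m.flush()                # msync(addr, len, MS_SYNC)
            return os.pread(fd, 7, 0)    # observe via the read(2) path
        finally:
            m.close()
    finally:
        os.close(fd)
        os.unlink(path)


def coherence_report():
    """Run both variants and return a dict describing what read(2) saw."""
    return {
        "with_msync": mmap_write_seen_by_read(use_msync=True),
        "without_msync": mmap_write_seen_by_read(use_msync=False),
    }


if __name__ == "__main__":
    for variant, seen in coherence_report().items():
        print(f"{variant}: read(2) saw {seen!r}")
```

If `without_msync` comes back as the original bytes rather than `b"UPDATED"`, the platform is one where the two caches are separate and code that mixes mmap(2) and read(2) on the same file needs the msync(2) call; if it comes back updated, the platform is coherent but the explicit call costs little and keeps the code portable.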

~~~
quotemstr
> reduces opportunities for user programs to corrupt kernel memory

I don't see how it could. Kernel data structures don't go on pagecache pages.

> OpenBSD's choice is arguably reasonable

At a human level, the OpenBSD people have spent way too much time coming up
with rationalizations for their obsolete VM design to back down now. Whether
OpenBSD's VM subsystem is good or not, their pride will force them to keep
claiming that it's good, practically forever.

~~~
DblPlusUngood
> I don't see how it could. Kernel data structures don't go on pagecache
> pages.

Kernel data structures could end up on a pagecache page: all it takes is a
reference counting bug and the page could be reallocated in the kernel heap,
which is directly mapped by user space. Keeping user-mapped pages and
pagecache pages distinct makes this less likely.

I am otherwise not convinced that there is an actual problem with OpenBSD's
coherency plan.

------
crehn
I know it's often mentioned, but I love the simplicity of OpenBSD. Thank you
all for the great work.

~~~
arendtio
Well, simplicity is one thing, but I was shocked to learn that it doesn't even
come with the complete POSIX toolbox (e.g. out of the box awk is missing). And
finding out that `ftp` also handles http and https was a bit weird too.

To some extent, I like that simplicity too (especially security wise) but I
wonder if they are taking it too far.

~~~
tedunangst
How did you manage to get an OpenBSD install that didn't include awk?

~~~
arendtio
I downloaded install64.iso, started it, and entered the shell. Next, I entered
'awk' and got the response:

sh: awk: not found

Maybe their live cd doesn't include the whole 'base' set?

~~~
tedunangst
The installer is not a live CD. It's only enough tooling to install openbsd.

~~~
arendtio
Okay thanks, unexpected but good to know (at >340MB I would have expected a
complete base system at least). Do you know if there is some up to date
OpenBSD live CD somewhere?

~~~
yellowapple
At >340MB it does indeed have a complete base system. You just have to install
it somewhere first :)

I don't know of any up-to-date prebuilt live CD/USB images, but I do know of
guides to create them from another OpenBSD install (e.g. one in a VM):
[https://www.alti.at/knowhow/obsdlivecd/](https://www.alti.at/knowhow/obsdlivecd/)

------
alecco
> ROP mitigations in clang(1) have been improved, resulting in a significant
> decrease in the number of polymorphic ROP gadgets in binaries on i386/amd64.

Does anybody know if there's a writeup somewhere? Or what are the commits to
look at.

~~~
colinhb
I haven’t followed this work but Todd Mortimer’s slides[1] from last year
stuck with me as a good introduction.

[1]
[https://www.openbsd.org/papers/eurobsdcon2018-rop.pdf](https://www.openbsd.org/papers/eurobsdcon2018-rop.pdf)

------
rooam-dev
Sorry for noob question, but why would one use OpenBSD instead of FreeBSD? I
like latter, but also hear good things about former, although there are some
limitations (e.g. no ZFS).

Thank you in advance.

~~~
CameronNemo
Strengths of OpenBSD:

* security -- the code is audited and hardened to a greater degree than any other general purpose OS on the planet (embedded safety critical microkernel systems would be the exception)

* routing suite -- one of the most well integrated open source routing suites out there (alternatives include BIRD and free range routing / quagga)

* firewall -- their firewall is flexible, fully featured, and easy to configure. It has been adopted by other _BSDs, but development and new features happen in OpenBSD first.

Weaknesses of OpenBSD:

* performance -- security is valued over optimized code, so the OS will not be as efficient or handle as many connections as a Linux or FreeBSD server could

* lack of ZFS

Compared to OpenBSD, FreeBSD has a slightly worse firewall implementation
(originally sourced from OpenBSD), better networking and computing
performance, and ZFS.

What type of device are you considering using OpenBSD or FreeBSD for?

~~~
rooam-dev
Not sure what device, it depends what it would allow me to do. Thank you.

------
oil25
Replying from the latest -current snapshot on my desktop (AMD Ryzen 7 / B450
chipset / ECC RAM) and have nothing but good things to say about OpenBSD. As
others have iterated, this operating system is extremely reliable, secure by
default, very well documented, and I have not found performance to be an issue
whatsoever. Definitely recommend everyone, especially Linux users, to check it
out!

------
cpach
The pvclock driver seems neat.

[https://www.mail-archive.com/tech@openbsd.org/msg49128.html](https://www.mail-archive.com/tech@openbsd.org/msg49128.html)

Does anyone know if that driver eliminates the need for doing NTP sync in the
guest VM?

~~~
JdeBP
On Linux, for information, the systemd people aim for guest services that
synchronize to the host clock to prevent the use of (S)NTP clients.

* [https://unix.stackexchange.com/a/467632/5132](https://unix.stackexchange.com/a/467632/5132)

------
mugwort13
This is a better link. [https://marc.info/?l=openbsd-announce&m=155611207805565&w=3](https://marc.info/?l=openbsd-announce&m=155611207805565&w=3)

------
bitmadness
I don't think it has been actually released yet... The main page is still
pointing to OpenBSD 6.4, and the 6.5 page says it will be released on May 1.

------
xyproto
The list of available applications look promising! I think I would miss Sway
and perhaps even Docker, though.

I am impressed that OpenBSD comes with Go 1.12.

~~~
jedisct1
OpenBSD ports are always very up to date. In snapshots, packages are
frequently updated before most Linux distributions, including Arch.

------
mtron_
> MariaDB 10.0.38

Can anyone share some insight why OpenBSD does not provide a more recent
MariaDB Version ?

~~~
mtron_
ok, found it.

[http://openbsd-archive.7691.n7.nabble.com/Update-MariaDB-from-10-0-33-to-10-2-10-td330155.html#a330318](http://openbsd-archive.7691.n7.nabble.com/Update-MariaDB-from-10-0-33-to-10-2-10-td330155.html#a330318)

10.2 is a no go for us as the new client library requires atomic ops killing
the client library on a handful of archs.

------
dcbadacd
Why doesn't OpenBSD do KASLR?

~~~
tedunangst
The typical approach of sliding the kernel around only offers limited benefit.
One leaked address and you're done.

The current approach, called KARL, relinks the kernel so that while it may
load at the same address, symbols internally do not have the same offset.
Learning the address of _printf_ will not reveal the address of _malloc_ and
so forth. In the context of kernel defense, I would argue this is more
effective.

Also, simply as a practical matter, the bootloader and kernel are tightly
coupled in ways that make altering the load address a nontrivial endeavor.

~~~
dcbadacd
Why not both KARL and KASLR though?

~~~
ben_bai
KARL also includes a random offset in front of the kernel, and the bootstrap
code is unlinked once the machine has booted.

    |---------------kernel-----------------|
    |-boot-|-rnd offset-|--running kernel--|
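The two comments above (tedunangst's on why a single leaked address defeats a plain kernel slide but not relinking, and ben_bai's on KARL's random front offset) can be made concrete with a small model. The following is an added toy simulation, not OpenBSD code and not a description of its linker: the symbol names, sizes, base address and alignment are constructed. It lays out the same symbols under a KASLR-style slide and under a KARL-style random offset plus random object order, simulates many boots, and measures how many distinct values the distance between two symbols takes. One distinct value means knowing one address fixes the other; many means it does not, which is the property the thread is discussing.

```python
import random

# Constructed kernel symbol table: name -> size in bytes. Stands in for the
# object files a kernel linker lays out; these are not real OpenBSD sizes.
SYMBOLS = {
    "printf":   0x300,
    "malloc":   0x200,
    "copyin":   0x180,
    "sysctl":   0x400,
    "vfs_read": 0x240,
}

KERNEL_BASE = 0xFFFFFFFF80000000   # constructed nominal link address


def layout_kaslr(rng):
    """KASLR-style model: link order is fixed; the whole image is slid by a
    single random, 2 MiB-aligned offset chosen once per boot."""
    base = KERNEL_BASE + rng.randrange(0, 1 << 30, 1 << 21)
    addrs, cur = {}, base
    for name, size in SYMBOLS.items():       # insertion order = link order
        addrs[name] = cur
        cur += size
    return addrs


def layout_karl(rng):
    """KARL-style model: a random pad in front of the kernel, then the
    objects relinked in a random order, so symbol-to-symbol distances
    change from boot to boot as well."""
    order = list(SYMBOLS)
    rng.shuffle(order)
    cur = KERNEL_BASE + rng.randrange(0, 0x1000, 0x10)   # random front pad
    addrs = {}
    for name in order:
        addrs[name] = cur
        cur += SYMBOLS[name]
    return addrs


def distances_over_boots(layout, a, b, boots=200, seed=1):
    """Simulate `boots` boots with the given layout and return the set of
    (addr[b] - addr[a]) values observed. A single element means the
    distance is constant across boots; several means it is not."""
    rng = random.Random(seed)
    deltas = set()
    for _ in range(boots):
        table = layout(rng)
        deltas.add(table[b] - table[a])
    return deltas


if __name__ == "__main__":
    for name, layout in (("KASLR slide", layout_kaslr), ("KARL relink", layout_karl)):
        d = distances_over_boots(layout, "printf", "malloc")
        print(f"{name}: {len(d)} distinct printf->malloc distance(s)")
```

Under the slide model the printf-to-malloc distance is the same on every boot, so the defensive value of the randomisation collapses to the secrecy of one address; under the relink model the distance itself varies, which is the extra property tedunangst is pointing at. Real KARL also varies object boundaries and padding in ways this five-symbol model does not attempt to reproduce.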

------
3xblah
Up until now (see rdsetroot), OpenBSD never had an equivalent to mdsetroot
(NetBSD)?

~~~
brynet
It did, it was just not installed by default, it was originally only available
at build-time (as elfrdsetroot).

This just promoted it to a regular base utility, and also it was rewritten
using libelf(3).

------
BasicObject
Can anyone share if Surface Go support has improved with this release?

------
notananthem
Haven't OpenBSD'd since high school, gonna give it a spin.

------
Paianni
The artwork makes me think of MIKA's 'Lollipop' mv.

------
dhqdx
No songs now?

------
ernst_klim
> HOWTO upgrade

> Remove files no longer included in the current release of perl(1):

Do they consider this a production-grade operating system or a toy one? Why
couldn't it be done with a package manager?

~~~
brynet
Because perl is part of the base system, and not a package, harmless files are
typically not removed by the OpenBSD Installer.

You don't have to remove those files, the upgrade guide simply indicates
they're no longer required.

~~~
ernst_klim
Sure, but manual upgrades with `tar'ring userspace, copying kernel and
removing files seems abysmally error-prone to me.

~~~
brynet
You're reading the manual upgrade guide, for remote systems where you
otherwise cannot boot the ramdisk kernel to upgrade, which handles all of that
for you.

If you have console access to the machine, serial or glass, things are far
easier.

~~~
tedunangst
More evidence the hard way instructions should simply be deleted.

~~~
smhenderson
Don't let one guy ruin it for the rest of us!

Thanks for your work on OpenBSD Ted.

