
OpenBSD 6.7 - stargrave
https://marc.info/?l=openbsd-announce&m=158989783626149&w=2
======
q3k
That's an impressive changelog. I'm excited about the new ARM SBC drivers and
seemingly improved RPKI flow for OpenBGPd. I should try running a toy route
server on an RPi4 with OpenBSD/OpenBGPd, or a full DFZ router.

------
gen3
Here’s the download page and poster.
[https://www.openbsd.org/67.html](https://www.openbsd.org/67.html)

------
dilandau
Looks like a great release, thank you.

OpenBSD is one of the last really good choices for an operating system, in my
opinion. Red Hat, the pretentious GNOME developers, Canonical's latest folly,
proliferation of systemd cancer (homed being the latest abomination)... All
these things take away from the user's freedom.

I hope OpenBSD continues for decades to come.

------
__aabb
Thank you! I installed OpenBSD again this year after I rage-quit Ubuntu. It is
a delightfully clean OS where the important things just work.

Highly recommended for everyone to try out.

~~~
mrweasel
I have a co-worker who describes OpenBSD as: "The least stupid operation system
you can install".

~~~
smhenderson
Just curious, did he really say "operation system" or was that a
typo/autocorrect thing in your post?

I ask because I had a coworker/friend years ago from Ukraine and that's what
he called it. My other friend and I who worked with him could not get him to
say operating system no matter how much we poked at him. Anyway, just like the
article itself you brought back a flood of memories so just curious like I
said.

------
cblum
I've played with OpenBSD on a VM a couple times and really liked it, but I'd
like to use it on real hardware and try and force myself to use it as my main
personal system at least for a while as an experiment.

I've often heard that Thinkpads make great OpenBSD laptops. Are there any
models in particular the HN crowd would recommend? In terms of my hardware
needs, I don't really care about graphics like you'd get with an Nvidia card,
but I do need wi-fi since it'd be really hard to set up a wired connection to
my router in my current apartment.

~~~
smhenderson
I've had great luck with T-series ThinkPads. I'm using a T520 as a daily
driver at the moment and I've had no real issues with it. I installed it on an
E series laptop a while ago and had issues with sound (this was a few versions
ago, probably 6.3, and I was just playing around at the time so I never
figured out what the problem was).

Mind you I use this mainly for work so my needs are simple, an editor, a
browser, a compiler and the like. The default window manager cwm makes for a
simple "desktop" for me and the only thing I use at the moment for work that's
not from base is mariadb, vim and firefox (plus dependencies of course). So I
don't have a lot of splashy graphics to load or anything like that and don't
do video or image editing very often. But even if you do need more, the
package repository has a huge selection of programs and in my experience they
all just work when installed.

On the other hand I put Battle for Wesnoth on it and although that's not
really a very graphics intense game it runs great on the laptop.

Overall I really like using it day to day.

~~~
morganvachon
> _The default window manager cwm_

Just a slight correction, if you meant the "default" as in the window manager
that starts on a freshly installed system: It's not cwm but fvwm. With that
said, OpenBSD ships with cwm and it's trivial to switch between the two, but
they are very different.

~~~
smhenderson
Oh, you're right, I'd forgotten that. I think it's so ingrained in me to copy
my dotfiles to a new machine before I do much else that I don't usually ever
see fvwm. I always add myself to doas, move some public keys around, install a
few packages and then copy my dotfiles before I ever launch X for the first
time.

And yes, they are very different. I remember using fvwm fondly on Slackware
Linux back in the mid 90's. I had hours of fun trying to configure it to look
like Windows 95 and populating menus, all in a plain text file, no gui config
available! I think I read somewhere recently that fvwm is still Theo's
preferred WM and that's why it's the default...

~~~
morganvachon
> _I remember using fvwm fondly on Slackware Linux back in the mid 90 's._

Same, well late 90s here, and yep that was my go-to on Slackware, mostly
because it was quite usable out of the box. I eventually went to Blackbox,
then Fluxbox, then Gnome about six months before Pat decided to stop shipping
it. I went to Xfce from there and never looked back (I never liked KDE before
Plasma, and 4.x is still the default in Slackware).

------
genr8
Yesterday, out of sheer coincidence, I thought, you know what, "let's check out
OpenBSD again". Went to the homepage, saw the last 6.6 release was 6 months
ago, and thought Hmm, that's kinda old. Trawled around on the mirror sites to
download it, and found version 6.7 files were there - a full day early! Not
even timezones could explain it. Release date: May 19. So I downloaded it.

I made my first router with OpenBSD back in 2001, for a job, it was great! But
I got fired for it, because the boss didn't understand how to use a command
line...

I really love the OpenBSD documentation myself though. And how the whole
system is made in a way that they want you to understand what it's doing. And a
certain nostalgia over all the familiar components that still feel the same.
It's like a time machine. I was transported to the year 2001 when I made that
first router all over again, or earlier. It has that familiar smell to it.
Like a grandma cooking with the same recipe for 25 years. Initial Version 1.1
= 18 October 1995

Now I'm going to investigate using OpenBSD as a GUI desktop, but I have
concerns about Xenocara/X11/Xorg/XFree86 (idk what to call it) being
insecure: root perms, keyloggers, etc. Can anyone speak on that? Has OpenBSD
fixed it itself, or is it still using the same flawed codebase? Are there
plans to move to Wayland?

~~~
floatboth
> Are there plans to move to Wayland?

As far as I know, the difficulty on OpenBSD would be input. The Wayland world
relies on evdev, so they either have to patch it to use their interfaces, or
implement evdev.

On FreeBSD, we have a lot of devices supporting evdev :) Including the next
generation HID stack:
[https://github.com/wulf7/iichid](https://github.com/wulf7/iichid) (currently
external, but would be merged into the system eventually)

Also there's device discovery, for which we use
[https://github.com/FreeBSDDesktop/libudev-devd](https://github.com/FreeBSDDesktop/libudev-devd)
to pretend to be udev, but I suspect the OpenBSD people might not like
solutions like that :D (Actually, does OpenBSD even have anything devd-like
that provides hotplug notifications?)

~~~
genr8
Very helpful, thank you. I believe you are correct on all fronts. Does anyone
know if "their interfaces" prevent the Xorg/Xinput keylogger "bug" as is, even
without evdev or udev? The man page seems like it does use Xinput, but it also
mentions Xwayland
[https://man.openbsd.org/xinput.1](https://man.openbsd.org/xinput.1) So I
think that if Wayland does work, that interface would take care of the issue.
I am in the middle of something else or I would try and figure it out myself,
but it would take a long time.

~~~
floatboth
No, the "xorg keylogger" issue has nothing to do with the low level stuff
(evdev is how the windowing system gets info _from the kernel_ , udev is how
the windowing system enumerates devices and gets hotplug notifications). The
"xorg keylogger" issue is a fundamental property of _the X11 protocol_ , it's
between the server and clients — all clients get enormous amounts of access to
all kinds of global state over the X11 socket.
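
An added illustration of the protocol-level point above, not code from the thread, from OpenBSD or from Xenocara: the stock xinput(1) that the thread links will hand any unprivileged client the key events of every device on the display, whatever window has focus (a Wayland compositor, by contrast, delivers input only to the focused surface). "xinput test" and "xmodmap -pke" and their output formats are real; the two parsing helpers, the demo wrapper, the "--id-only" option and the "Virtual core keyboard" device name are assumptions made for this example and not checked against a particular release.

```shell
#!/bin/sh
# Added example: any X client can subscribe to every device's input.
# xinput(1) and xmodmap(1) are stock tools; the function names here are
# hypothetical, chosen for this example.

# Reduce "xinput test" output on stdin ("key press   38", "key release 38",
# "motion a[0]=...") to one line of the pressed keycodes, in order.
xinput_pressed_keycodes() {
    awk '$1 == "key" && $2 == "press" { out = out (out == "" ? "" : " ") $3 }
         END { print out }'
}

# Resolve keycodes given as arguments against an "xmodmap -pke" dump on stdin
# ("keycode  38 = a A a A"); prints the first keysym of each, "?" if unmapped.
keycodes_to_keysyms() {
    awk -v want="$*" '
        BEGIN { n = split(want, codes, " ") }
        $1 == "keycode" && $3 == "=" { sym[$2] = ($4 == "" ? "NoSymbol" : $4) }
        END {
            for (i = 1; i <= n; i++) {
                s = (codes[i] in sym) ? sym[codes[i]] : "?"
                out = out (out == "" ? "" : " ") s
            }
            print out
        }'
}

# Live demonstration: needs a running X session ($DISPLAY) and runs as an
# ordinary user; no root, no setuid binary and no extra permission involved.
# Assumes "xinput list --id-only" and a master device named
# "Virtual core keyboard" (both assumptions of this example).
x11_keylog_demo() {
    [ -n "$DISPLAY" ] || { echo "no X display" >&2; return 1; }
    keymap=$(mktemp) || return 1
    xmodmap -pke > "$keymap"
    kbd=$(xinput list --id-only 'Virtual core keyboard')
    echo "capturing the next 20 events from device $kbd; type in another window"
    # head(1) closes the pipe after 20 lines, which ends the xinput stream.
    codes=$(xinput test "$kbd" | head -n 20 | xinput_pressed_keycodes)
    keycodes_to_keysyms $codes < "$keymap"   # word-splitting of $codes intended
    rm -f "$keymap"
}
```

Run `x11_keylog_demo` from one terminal and type into any other application: the keysyms you typed there come back, which is the whole of the "X11 keylogger" issue. Nothing in the kernel input path (evdev, wscons, udev) changes this; it is what the X server offers over its socket to any client that connects.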

------
efiecho
Will OpenBSD 6.5 from this day no longer receive security patches?

~~~
q3k
Yes. Only the two most recent OpenBSD releases receive security and
reliability fixes for the base system. [1]

[1] -
[https://www.openbsd.org/faq/faq5.html#Flavors](https://www.openbsd.org/faq/faq5.html#Flavors)

------
job
If you like the OpenBSD artwork poster - you can support future OpenBSD
artists through the merch shop at
[https://openbsdstore.com/](https://openbsdstore.com/)

~~~
brynet
Just another OpenBSD developer chiming in that this is the official store
link; profits from the sales go towards paying artists for the next release.

The artwork for 6.7 was done by Jonni Phillips!

------
knorker
I just upgraded. What is this 'dt'? The mail linked here says there should be
a bt(5), but
[https://www.openbsd.org/67.html](https://www.openbsd.org/67.html) says dt(5).
In either case neither exists on my new 6.7 system. Nor does btrace(5), which
dt(4) references.

~~~
gbrown_
The phrasing is a little odd but only the driver dt(4) is part of the 6.7
release. The language bt(5) and userland tool btrace(8), whilst in tree, are
not part of this release. The following mailing list posts give an
introduction to these components.

[https://marc.info/?l=openbsd-tech&m=157920008000433&w=2](https://marc.info/?l=openbsd-tech&m=157920008000433&w=2)

[https://marc.info/?l=openbsd-tech&m=157920081500935&w=2](https://marc.info/?l=openbsd-tech&m=157920081500935&w=2)

------
vbezhenar
Does anyone know if the IPsec IKEv2 daemon can send multiple certificates (chain)?
I tried to set up an IPsec VPN with a Let's Encrypt certificate, but ultimately
failed, because OpenBSD only sent the leaf certificate and Windows failed to
recognize it without the intermediate. It works for me with strongSwan on Linux.

~~~
cat199
Haven't tried this - but is your iked(8) cert file the full chain or just the
leaf?

If just the leaf, maybe try with the full chain?

Also haven't tried, but it looks like the built-in acme-client(1) can be
configured to save the full chain if you're using that for the cert issuing
stuff (acme-client.conf(5)).

~~~
vbezhenar
Yes, I tried different variations and even tried to dig into the sources; it
seemed at that moment that it only sends a single certificate. That was 2-3
years ago, I think, so maybe that changed.
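
The check the exchange above turns on, as an added example that is not from the thread, from iked or from acme-client: before blaming the daemon, confirm whether the PEM file you dropped under /etc/iked/certs/ holds one certificate or the chain, and that the chain is in leaf-first order. It says nothing about what iked(8) then puts on the wire. openssl(1), acme-client(1) and the acme-client.conf(5) keyword quoted in the comments are real; the function names and the constructed test files are this example's own.

```shell
#!/bin/sh
# Added example: classify and inspect a PEM bundle meant for /etc/iked/certs/.
# Function names are hypothetical; openssl(1) options are real.

# Number of certificates in a PEM file (0 if none; grep -c exits 1 on 0 hits).
pem_cert_count() {
    grep -c '^-----BEGIN CERTIFICATE-----' "$1" || true
}

# "empty", "leaf-only" or "chain(n)" for the bundle at $1.
pem_bundle_kind() {
    n=$(pem_cert_count "$1")
    case "$n" in
        0) echo empty ;;
        1) echo leaf-only ;;
        *) echo "chain($n)" ;;
    esac
}

# Print subject/issuer for each certificate in file order, so you can verify
# the order is leaf first, then the intermediate(s) up to the root the peer
# trusts. Needs openssl(1); the crl2pkcs7 | pkcs7 idiom walks every cert.
pem_chain_show() {
    command -v openssl >/dev/null 2>&1 || { echo "openssl not found" >&2; return 1; }
    openssl crl2pkcs7 -nocrl -certfile "$1" | openssl pkcs7 -print_certs -noout
}

# Build a full-chain file from a leaf and an intermediate bundle ($1 leaf,
# $2 intermediates, $3 output). With acme-client(1) this step is unnecessary:
# acme-client.conf(5) accepts, next to "domain certificate",
#     domain full chain certificate "/etc/ssl/example.com.fullchain.pem"
# and writes the chain itself.
pem_chain_join() {
    cat "$1" "$2" > "$3" && chmod 0644 "$3"
}
```

Usage: `pem_bundle_kind /etc/iked/certs/vpn.example.com.crt` (a hypothetical path) answers the leaf-versus-chain question directly; `pem_chain_show` on the same file lets you confirm that the first subject is your host and that each issuer matches the next subject. Keep the private key out of this file; it belongs under /etc/iked/private/.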

------
enriquto
If you have already 6.6, you can upgrade by running:

    
    
        doas sysupgrade
    

It is uncanny how well this works. I've never had an Ubuntu upgrade work as
seamlessly.

------
thepangolino
I miss not having new release songs.

~~~
job
if you want to record one for the project, let me know! :)

------
sn
prgmr.com has updated its OpenBSD installer version to 6.7.

We were a bit surprised to see "Fixed softraid(4) CRYPTO volumes on 4K-sector
disks" in the release notes. We don't have any 4k logical sector drives but
for some reason I thought that was reasonably common in consumer drives these
days.

------
veddox
Probably opening Pandora's box here, but I've been wondering for a long time:
why do people still use BSD? If memory serves me right, the *BSDs descend from
the original Berkeley Unix from the 70s - but why stick to that "line of
descent" rather than going with the newer, Linux, line?

~~~
pwdisswordfish2
Why did Apple choose BSD and not Linux?

Why did Netflix choose BSD and not Linux?

Licensing is often a factor.

The reasons however will not be the same for everyone.

There are more similarities than differences between the two, however one
difference IMO is that BSD has a level of "quality control", especially over
the userland, that Linux does not. I find that my own sensibilities as a user
align better with the relatively small number of people doing "quality
control" and development for BSD projects than with the enormous number of
people who work on Linux -- for me, the number of Linux contributors is too
many to keep track of and I find it difficult to understand what all of their
sensibilities are.

~~~
scns
Whatsapp chose BSD too

~~~
pwdisswordfish2
Good example. There are so many, not all of them are made public.

------
lokl
Where can I find a recent unbiased analysis of OpenBSD vs Debian security?

~~~
q3k
Here's a recent talk evaluating OpenBSD's security mitigations:
[https://www.youtube.com/watch?v=3E9ga-CylWQ](https://www.youtube.com/watch?v=3E9ga-CylWQ)

The objectivity of it is up for debate though; some argue that it is
biased/unfair.

~~~
lokl
Thanks!

------
elchin
How does security of OpenBSD compare to modern hardened cloud OS kernels?

~~~
throwaway2048
What is a "modern hardened cloud OS kernel"?

~~~
justin66
It's an operating system kernel that can apparently provoke a response from a
number of people in spite of having two buzzwords prefacing it.

------
wolf550e
Why provide that antique gcc? Better to not provide gcc at all, and an ability
to install a recent GCC at user's discretion, than to provide a 12 year old
gcc in the base system.

Why is their clang/llvm stale in a new release?

~~~
4ad
_Provide_ isn't the right word. GCC is in the base system because some
architectures haven't yet switched to clang, either because clang doesn't
support the architecture, or because the work of switching the toolchain
(which is not trivial) has not been done yet. The system must be able to build
itself, so "better to not provide gcc at all" doesn't make sense.

In the cases where OpenBSD (and FreeBSD) don't yet use clang, they use the
most recent GCC version that was still GPLv2 licensed. GPLv3 is not acceptable
to OpenBSD in the base system.

More recent versions of GCC are _provided_ in the ports system, for users to
install. Those are not used by the base system. The system compilers are
(mostly) for building the system. They don't even search in regular paths
users might expect, like /usr/local. If users need a general purpose compiler,
they can install one from ports.

The situation with clang is similar. OpenBSD uses the last version of
clang/LLVM that was still BSD-licensed. Now LLVM uses the Apache license,
which is not acceptable to OpenBSD in the base system. (However, FreeBSD is
okay with it.)

~~~
genr8
How is the user supposed to navigate all the logistics and technical
ramifications of ethical/political dev / package choices? Everything has
alternative versions; it's hard for me to keep track of who forked what and
why.

~~~
trasz
Generally speaking they don't need to. If you are developing C code and need
some particular compiler version, you just install a package (i.e. "pkg install
gcc9") and make sure to set CC=gcc9, and that's it.

