
OpenBSD 5.6: What will be there - lelf
http://www.openbsd.org/56.html
======
chrissnell
I used to use OpenBSD extensively in my job because of the awesomeness of PF
but later moved on to big iron F5 and Cisco gear. In this new age of NSA
wiretaps and cloud based services built around advertising and tracking
however, OpenBSD feels more relevant than ever. I'd like to give it a shot as
a desktop again.

So, who makes a modern laptop with good OpenBSD hardware compatibility?

~~~
sudowhodoido
Lenovo X201 works well. Not exactly modern but a nice machine and more than
adequate.

~~~
eropple
_Caveat laptopor._ I installed OpenBSD on my X201 just to give it a shot, and
the battery life is _atrocious_.

~~~
adamrt
[http://www.openbsd.org/cgi-bin/man.cgi/OpenBSD-current/man8/...](http://www.openbsd.org/cgi-bin/man.cgi/OpenBSD-current/man8/amd64/apm.8?query=apm&sec=8)

This may help. Using `apm -C` or `apm -A`

~~~
sudowhodoido
This.

People mustn't expect everything to ever work straight out of the box on
anything. Much like you have to install the Lenovo PM driver on Windows, you
have to config apm on OpenBSD.

This is also well known.

Quick howto which covers the basics:
[http://geekyschmidt.com/2011/03/27/openbsd-laptop-mini-howto](http://geekyschmidt.com/2011/03/27/openbsd-laptop-mini-howto)

~~~
nodata
They certainly can expect that; remember how it was before, when nothing worked
out of the box?

~~~
sudowhodoido
Yes. Even worse than that, I remember when the box contained a pile of bits
and you had to sift through piles of manuals to assemble it all first.

------
peatmoss
Can anyone speak to SSDs in OpenBSD? My understanding is that TRIM is not
supported in OpenBSD
([http://daemonforums.org/showthread.php?p=51377](http://daemonforums.org/showthread.php?p=51377)).
That makes me a little worried about the potential to wear out an SSD drive in
a workstation. The thread I linked discusses reducing some writes by using
softdeps and the like; is that enough to make this a non-issue?

~~~
dmm
In general I wouldn't trust random forums for information about OpenBSD.
People tend to repeat stuff long after it's true. Send a message to misc@ or
tech@openbsd.org and you'll hear directly from the devs.

Just make sure your partitions are 4k aligned to minimize write
amplification. Many OpenBSD devs use SSDs. I've used one with OpenBSD for
years without problems. Honestly it's a requirement given the shortcomings of
FFS.

~~~
peatmoss
I've been away from OpenBSD for a while, and was just googling to try to get a
starting basis. Thank you for pointing me to the 4k alignment issue. This
thread ([http://openbsd.7691.n7.nabble.com/SSD-disk-alignment-td75046...](http://openbsd.7691.n7.nabble.com/SSD-disk-alignment-td75046.html))
seems to suggest that OpenBSD will try to align to 4k boundaries by default. Is
that correct?

------
cbd1984
I can understand not supporting tape installation (although aren't tapes still
used in large, serious, high-power businesses as backup media?), but why
remove FTP? Granted, it's objectively a horrible protocol, but is the FTP
client code more likely to be an attack surface than the HTTP client code? If
you're after security, isn't it more secure to remove _all_ network
installation and force people to use only physical media which they obtained
from a secure and trusted source?

[http://mywiki.wooledge.org/FtpMustDie](http://mywiki.wooledge.org/FtpMustDie)

~~~
danielweber
That surprised me, too, because in 2013 I was installing from FTP. But mostly
from habit.

I'm hoping it's because they are going to be using HTTPS with pinned certs to
ensure you are downloading from a proper mirror. But that's hope, not actual
knowledge.

~~~
cbd1984
> HTTPS with pinned certs

Is there an FTP equivalent of this?

~~~
kjs3
There's FTP/S (and RFC-4217, and _not_ SFTP), which uses an SSL session
negotiated inside of an FTP session. I don't know if there's a client/server
combo that supports pinning, but this much at least exists.

Frankly, if I was looking to implement this, I'd start with SFTP/SCP. FTP/S
is, at best, a rarely implemented kludge.

------
itwontdie
"Major internal refactoring to begin to make part of OpenSSH usable as a
library. So far the wire parsing, key handling and KRL code has been
refactored. Please note that we do not consider the API stable yet, nor do we
offer the library in separable form."

This is intriguing. I would certainly like to know more about what is
happening with this.

------
sigjuice
Should information like this be provided over an insecure HTTP connection?

        signify(1) pubkeys for this release:
        base: RWR0EANmo9nqhpPbPUZDIBcRtrVcRwQxZ8UKGWY8Ui4RHi229KFL84wV
        fw: RWT4e3jpYgSeLYs62aDsUkcvHR7+so5S/Fz/++B859j61rfNVcQTRxMw
        pkg: RWSPEf7Vpp2j0PTDG+eLs5L700nlqBFzEcSmHuv3ypVUEOYwso+UucXb

~~~
vinceguidry
Public keys are intended to be public. So long as you're not transmitting them
over the same connection as the one you're using them in, you're golden.

~~~
dbpatterson
The point of HTTPS is not to hide things, it's to prevent tampering... Which
seems relevant when transmitting checksums.

~~~
vinceguidry
That problem can be solved by retrieving the key out of band. If you're that
worried about it, use a VPN to verify that the key you're seeing is the right
key. That will vastly increase the difficulty of pulling off a successful
attack. They'd have to MitM both connections, as well as the connection you're
using to download the software, in order to compromise it.

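As an added example, not written by any of the commenters above: a small Python parser for the signify(1) public-key format (2-byte algorithm tag "Ed", 8-byte key number, 32-byte Ed25519 key), used to compare the keys quoted from the release page against a copy obtained out of band, as suggested in the thread. The "tampered" copy in the test is constructed here for illustration; the three keys themselves are the ones quoted above.

```python
import base64

# The three signify(1) public keys quoted from the 5.6 release page,
# as they would arrive over plain HTTP.
RELEASE_KEYS_HTTP = {
    "base": "RWR0EANmo9nqhpPbPUZDIBcRtrVcRwQxZ8UKGWY8Ui4RHi229KFL84wV",
    "fw":   "RWT4e3jpYgSeLYs62aDsUkcvHR7+so5S/Fz/++B859j61rfNVcQTRxMw",
    "pkg":  "RWSPEf7Vpp2j0PTDG+eLs5L700nlqBFzEcSmHuv3ypVUEOYwso+UucXb",
}

SIGNIFY_PUBKEY_LEN = 2 + 8 + 32   # pkalg + keynum + Ed25519 public key


def parse_signify_pubkey(b64):
    """Decode the base64 body of a signify public key.

    Layout: 2-byte algorithm tag b"Ed", 8-byte key number (the same number
    that signify embeds in each signature so the right key can be chosen),
    then the 32-byte Ed25519 public key. Anything else is rejected.
    """
    raw = base64.b64decode(b64, validate=True)
    if len(raw) != SIGNIFY_PUBKEY_LEN:
        raise ValueError(f"expected {SIGNIFY_PUBKEY_LEN} bytes, got {len(raw)}")
    pkalg, keynum, pubkey = raw[:2], raw[2:10], raw[10:]
    if pkalg != b"Ed":
        raise ValueError(f"unknown signify algorithm tag {pkalg!r}")
    return {"keynum": keynum.hex(), "pubkey": pubkey.hex()}


def compare_out_of_band(http_copy, oob_copy):
    """Return the names of keys whose HTTP copy differs from the copy obtained
    out of band (a second channel, a CD, an older installed key, ...).

    Comparison is done on the decoded fields, so two encodings of the same
    key compare equal and a key missing from either side is reported.
    """
    mismatches = []
    for name in sorted(set(http_copy) | set(oob_copy)):
        if name not in http_copy or name not in oob_copy:
            mismatches.append(name)
            continue
        if parse_signify_pubkey(http_copy[name]) != parse_signify_pubkey(oob_copy[name]):
            mismatches.append(name)
    return mismatches
```

An empty result from `compare_out_of_band` only says the two channels agree; it is the independence of the second channel that makes the check worth anything.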
------
tedunangst
Why submit this now? The fact that the top item is "..." wasn't a hint it's
not done?

------
jamesaguilar
Fascinating that they removed the agp driver.

------
jingo
"IPv6 is now turned off on new interfaces by default."

I have had to remove the IPv6 option from my kernels because enabling IPv6 by
default (which to me seems like a "policy" decision) has become so pervasive.
Nice to see this change; here's hoping other OSes follow suit.

------
ams6110
_MS-CHAPv1 (RFC2433) support has been removed from pppd(8)._

This is sensible but means I can't use OpenBSD to connect to one of my
client's VPNs. Unless there's another way?

~~~
inopinatus
Untried, but you may be able to just recompile pppd with different options;
the diff seems small.

[http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/usr.sbin/pppd/M...](http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/usr.sbin/pppd/Makefile.diff?r1=1.17&r2=1.18)

Worst case scenario you'd have to restore some bits of old source (chap_ms.c
and maybe the necessary md4 routines).

------
enjoy-your-stay
Does anybody know why they are dropping support for Kerberos?

I didn't even know there was support for Kerberos in OpenSSL, but it's also
under the LibreSSL bullet points.

~~~
clarry
Nobody uses it and it's a lot of code to audit.

      Log message:
      Remove SRP and Kerberos support from libssl. These are complex protocols
      all on their own and we can't effectively maintain them without using them,
      which we don't. If the need arises, the code can be resurrected.

Or in Theo's words:

      It is crap.  Eventually we recognize the risk is to high.

Another relevant commit message, with a fun quote:

      Log message:
      The complexity and quality of kerberosV and the fact that almost
      nobody is using it doesn't justify to have it in base - disable and
      remove it.  If the 2 two people who use it still want it, they can
      make a port or recompile OpenBSD on their own.

      There is a quote in theo.c from August 2010: "basically, dung beetles
      fucking.  that's what kerberosV + openssl is like".

      Discussed with many.  Tests by henning@ reyk@ and others.
      ok deraadt@ henning@

I recommend you take a look at the whole message; it'll give you a vague idea
of how big the code base was. Keep in mind that this particular commit was
followed by a lot of smaller commits removing remnants of Kerberos that had
kinda spread all over the system...

[http://marc.info/?l=openbsd-cvs&m=139816103911227&w=2](http://marc.info/?l=openbsd-cvs&m=139816103911227&w=2)

------
brunoqc
I wonder if I should wait for usb storage support on Octeon or if I should
just buy a Soekris. It's for home, nothing big.

------
ancarda
>IPv6 is now turned off on new interfaces by default. Assigning an IPv6
address will enable IPv6 on an interface.

Why?

~~~
Zenst
Off by default makes much sense given it is another vector to attack. If not
needed then why be on and more likely to just use IPv4 over even touching
IPv6.

~~~
andreasvc
Not just a vector of attack, it also causes performance and connectivity
problems when misconfigured. As long as there is no critical mass for IPv6,
it's not worth the headache. I know that if everyone had that attitude, IPv6
will never get critical mass, and that is exactly what I'm rooting for. I
don't care for toasters with IP addresses.

~~~
justincormack
Well, I noticed today that some random hotel in Germany I was thinking of
staying at was on IPv6, and it is way more popular than IE6... People want
connected devices, in way more numbers than there are IPv4 addresses, and end
to end connectivity is the internet.

~~~
andreasvc
I'd say putting mobile devices behind carrier-grade NAT goes a long way.

> end to end connectivity is the internet.

It was definitely the original idea of the internet, but I'd say it no longer
is the reality. People want to access Google and Facebook. The vast majority
of users don't need or want their device to be directly reachable from the
internet but communicate through cloud services.

~~~
inopinatus
On the contrary, the statement seems correct.

End to end connectivity is the Internet.... and by contrast, privately
addressed networks are not on the Internet but must reach it via gateways.

Reaching one another via centralized services rather than distributed
federation is a problem, not a solution, in communications protocol design.
See also: Everyone Hates Facebook.

~~~
andreasvc
You are stating an opinion/ideal as fact. If you'd look at actual data, you'd
see that the vast majority of internet use by consumers is client to server,
not peer to peer traffic (e.g., youtube vs. bittorrent), which means there is
no need to be "on the internet" for most people. Distributed federation is
great and it does not require end-to-end connectivity for everyone.

> See also: Everyone Hates Facebook.

I don't know in what kind of bubble you are living but 1.3 billion people are
on Facebook; whether it's cool to hate it is not germane to the topic at hand.

~~~
vertex-four
I'll point out that much of the reason for most traffic on the Internet being
client-server is that most users are behind home routers which make P2P
traffic difficult or impossible, slowing innovation dramatically. IPv6 could
solve this by giving every computer its own IP address on the actual
Internet. Sticking with IPv4 continues to slow innovation.

~~~
andreasvc
I don't think the client-server model is popular because people are behind
home routers, but because it reflects the inherent asymmetry of producers and
consumers. People being behind home routers is not a cause of that, but a
state of affairs that is not noticed by or tolerable for most because of this
asymmetry. This asymmetry is not caused by any technical limitation; even on
Wikipedia, which is probably the prototypical crowdsourced site, editors are
vastly outnumbered by readers.

I don't disagree with the ideal of everyone being able to serve their own
content directly to the internet, I just don't think it reflects reality,
specifically the abilities and inclinations of most people. I'm curious how
people come to hold on to such beliefs when they are so incongruous with
actual human behavior.

~~~
vertex-four
> People being behind home routers is not a cause of that, but a state of
> affairs that is not noticed by or tolerable for most because of this
> asymmetry.

I would say that a great many things are not noticed by or are tolerated by
the majority, and it's only when they're presented with a better solution that
they notice.

Even client-server _business models_ can benefit from peer-to-peer
communications. The most obvious is media providers using their clients'
connections to avoid having to maintain as large a CDN, and to cut some costs
that way. If someone's listened to or watched something near you, you can
download from them instead.

And then there's all sorts of systems which really could be truly peer-to-peer,
from social networking to a replacement for eBay.

------
skz
Does anyone know off the top of their head how OpenBSD performs on a Samsung
900X?

------
bluehazed
Love the release song for this one.

------
s800
Everything 68k is gone?

~~~
ams6110
Where does it say that?

Edit: If you mean mac68k then yes, but that platform was dropped after the 5.1
release.
[http://www.openbsd.org/mac68k.html](http://www.openbsd.org/mac68k.html)

------
tbrock
Order a CD rom? Talk about out of touch, ouch.

~~~
doomrobo
I think for companies that still do this, they acknowledge that the impetus
for buying a CD is more for collection/novelty purposes than actual usefulness.
My question is whether there are any more effective ways of generating some
kind of profit that actually involve giving something extra to the user,
whether physically or digitally.

