
Software developed or maintained by the OpenBSD project - yarapavan
http://www.openbsd.org/innovations.html
======
lloydde
I thoroughly enjoyed Theo de Raadt's recent talk, "Pledge: A new security
technology in openbsd". It left me itching to try OpenBSD.

"Pledge() is designed as a mitigation rather than a cure-all, de Raadt
explains, but it's a mitigation with an interesting approach: a process or
application stipulates the system services it needs, and if it steps beyond
its boundaries, it's killed."
[http://www.theregister.co.uk/2015/11/10/untamed_pledge_hopes...](http://www.theregister.co.uk/2015/11/10/untamed_pledge_hopes_to_improve_openbsd_security/)

Hackfest 2015: Theo de Raadt presented "Pledge: A new security technology in
openbsd"

video:
[https://www.youtube.com/watch?v=F_7S1eqKsFk](https://www.youtube.com/watch?v=F_7S1eqKsFk)

slides:
[http://www.openbsd.org/papers/hackfest2015-pledge/index.html](http://www.openbsd.org/papers/hackfest2015-pledge/index.html)

~~~
rlpb
This sounds exactly like seccomp and seccomp-bpf in Linux, so I don't think
the feature is special to OpenBSD. Chrome uses it, for example.

From
[https://wiki.mozilla.org/Security/Sandbox/Seccomp#Intro_to_s...](https://wiki.mozilla.org/Security/Sandbox/Seccomp#Intro_to_seccomp_and_seccomp-bpf)

"Seccomp stands for secure computing mode. It's a simple sandboxing tool in
the Linux kernel, available since Linux version 2.6.12. When enabling seccomp,
the process enters a "secure mode" where a very small number of system calls
are available (exit(), read(), write(), sigreturn()). Writing code to work in
this environment is difficult; for example, dynamic memory allocation (using
brk() or mmap(), either directly or to implement malloc()) is not possible.

Seccomp-BPF is a more recent extension to seccomp, which allows filtering
system calls with BPF (Berkeley Packet Filter) programs. These filters can be
used to allow or deny an arbitrary set of system calls, as well as filter on
system call arguments (numeric values only; pointer arguments can't be
dereferenced)"

~~~
allep
Pledge is much easier to use than seccomp-bpf and is now forced in more than
half of the binaries distributed in the base system. Also, there is a big
difference between having a technology and enforcing the technology: seccomp
has been included in Linux for a very long time, but is ignored by most
developers and not used except in specific instances (i.e. Chrome, as you
pointed out).
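To make the contrast in the two comments above concrete, here is an added example (mine, not code from the OpenBSD project or from the Mozilla page): a seccomp-bpf filter that allows roughly what pledge("stdio") promises on OpenBSD, with every other system call ending the process the way pledge does. It is Linux-only C, assumes an x86_64 or aarch64 kernel with seccomp enabled, and the function names `install_stdio_filter` and `run_in_child` are my own; the per-architecture syscall numbers and the arch check are exactly the bookkeeping a pledge caller never has to write.

```c
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <signal.h>
#include <stddef.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>

#if defined(__x86_64__)
#define ARCH_NR AUDIT_ARCH_X86_64   /* checked first: a syscall number only means what we think under our own ABI */
#elif defined(__aarch64__)
#define ARCH_NR AUDIT_ARCH_AARCH64
#else
#error "add the AUDIT_ARCH_* value for this architecture"
#endif
/* Allow one syscall number; a non-match falls through to the next rule (and finally to kill). */
#define ALLOW(nr) BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, (nr), 0, 1), BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW)
/* Roughly what pledge("stdio") promises: read/write on descriptors that are
 * already open, plus a clean exit. Returns 0, or -1 if the kernel refuses. */
static int install_stdio_filter(void) {
    struct sock_filter filter[] = {
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, ARCH_NR, 1, 0),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL),
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
        ALLOW(SYS_read), ALLOW(SYS_write), ALLOW(SYS_exit), ALLOW(SYS_exit_group),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL),   /* anything else: SIGSYS, like pledge's kill */
    };
    struct sock_fprog prog = { (unsigned short)(sizeof filter / sizeof filter[0]), filter };
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) == -1) return -1;   /* required for unprivileged filters */
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog);
}

/* Fork a child, box it, then either stay inside the box (write + exit) or step outside it with
 * getppid(). Returns 0 on a normal exit, the killing signal (SIGSYS) if the filter fired, -1 if no filter. */
int run_in_child(int step_outside) {
    pid_t pid = fork();
    if (pid == 0) {
        if (install_stdio_filter() == -1) _exit(2);
        if (step_outside) getppid();                    /* not in the allow list: killed right here */
        else (void)write(1, "inside the stdio box\n", 21);
        _exit(0);                                       /* exit_group is on the allow list */
    }
    int status = 0; waitpid(pid, &status, 0);
    if (WIFSIGNALED(status)) return WTERMSIG(status);
    return WEXITSTATUS(status) == 2 ? -1 : 0;
}
```

Change the allow list and you have a different "pledge"; forget the arch check and a compat-ABI syscall number can mean a different call than the one you listed.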

------
dbalan
Migrated my personal ThinkPad to OpenBSD; other than Firefox coughing up now
and then, it's been smooth so far.

Installing was a breeze, the man pages are well written, never had to run to
Google much except while partitioning.

Also: never knew sudo was an OpenBSD project.

~~~
INTPenis
Didn't OpenBSD attempt to rewrite sudo recently? There was a point about
simplifying its configuration syntax.

Also, as a long time BSD fanboy, I've never considered OpenBSD to be a desktop
OS. It's a great OS that I use on routers and servers, but never a desktop. I
had a period where I used FreeBSD on my laptop but once I went Linux, I never
looked back.

~~~
dwc
Have you tried OpenBSD for desktop? FreeBSD on the desktop is, well, a pain.
Hence PCBSD. But OpenBSD is actually pretty good at being a desktop, as long
as you can live without some things like Flash and other things that will
never be there.

~~~
floatboth
PC-BSD is "the Ubuntu of BSD" – a preconfigured GUI, a GUI app "store" etc. If
you can install OpenBSD, you don't need it.

FreeBSD on the desktop is not a pain!

~~~
dwc
FreeBSD on the desktop used to take a fair amount of fiddling. If that's no
longer true then that's awesome! :)

~~~
vive-la-liberte
A major cause of pain people are hit by when they try to use an operating
system other than Windows is that they are uninformed about hardware
compatibility. Frequently, when someone wants to try out a new OS, they'll try
to install on their desktop/laptop/whatever and they will be frustrated to
find a broken mess.

The correct way to get started with a new OS is to first try it out in a
virtual machine. If you find that you enjoy using it, buy compatible hardware
and go metal.

------
myztic
I want to write some general things about OpenBSD / the OpenBSD community I
realized while I gave it a spin just this month (in no particular order):

-) They are a "pressure cooker" for development: if they have to break something in order to advance, they will. It's a way different mindset when you compare it to the Linux kernel or FreeBSD. This does not mean it's unstable, but from version to version they might radically change something.

-) They strip down their system: if they don't like a license they don't implement it, and if something is too complicated / too big, they don't implement it. One of the contra-ZFS-in-OpenBSD arguments (besides the license) quite simply is: it's so much code, it's so huge, it would be such an immense amount of work to audit it and to really, really understand every single part of it.

-) OpenBSD runs on so many architectures partly because it allows them to catch more bugs: some weird bug you might encounter only while trying to install the system over the network on machine xyz that nobody really uses anymore... Running on so many architectures gives them more input.

-) The OpenBSD community is way less elitist than people say/think it is. They expect you to have read the manpages (and they made such an effort to make them as good as possible), to maybe search on the internet yourself, to have tried some things out, and to know how to use mailing lists; not too much, in my opinion. They probably don't even mind the stigma of being elitists, as it keeps newcomers away. Getting help is a privilege, not a fundamental right of every user.

-) They want others to use their tools. While it is probably unfair considering how many tools they provide and how little funding they get, they nevertheless genuinely are happy that their tools are used, which is an awesome mindset. But that probably is generally a BSD-license vs. GPL kind of thing.

-) Run your own sh*t! While many FreeBSD devs are simply using Macs and running FreeBSD on their servers, OpenBSD developers are heavily encouraged to run OpenBSD everywhere they have the chance of doing so. You will find that most (maybe all) devs run it themselves on their notebook/desktop or at least on some of their private machines, which is awesome.

Some further resources:

-) OpenBSD FAQ [http://www.openbsd.org/faq/](http://www.openbsd.org/faq/) (especially sections 1, 8, 9)

-) [http://www.openbsd.org/ftp.html](http://www.openbsd.org/ftp.html) just give it a spin, why not? Run it as a virtual machine and play around for some hours; worthwhile.

~~~
myztic
EDIT (for some reason I can't edit above):

-) and just for fun [https://www.youtube.com/watch?v=BlgdvSNpi60](https://www.youtube.com/watch?v=BlgdvSNpi60) (I love that video for some reason :D)

~~~
ElijahLynn
Good watch, thanks!

------
janvdberg
I'm always so surprised that OpenBSD seems to have a much smaller/tighter
group of people working on the core[1]. Yet they seem to keep up and not only
that, but also lead the way in some cases (e.g. LibreSSL).

([1] Especially compared to the Linux kernel. Looking at maillist activity or
number of different people, the Linux kernel seems to have a lot more people
working on it).

~~~
gecko
It's worth remembering that OpenBSD does less--by design. There is no
ZFS/Btrfs; there is no LVM; there is no SEOpenBSD, there is no support for
mobile phone drivers, and so on. Linux can do many, many things that OpenBSD
cannot do, and is making no effort to try to do.

But _this is a good thing._ It's _why_ you're seeing OpenBSD "keep up":
they've decided to keep things as simple as possible to enable them to be as
secure as possible while still being a real unix, and what you're seeing is
the fruit of that decision. The small team can now keep itself incredibly
relevant, and can relatively easily stay on top of things in that space. The
simplicity means fewer bugs and better security design, and more time to focus
on third-party ecosystem support (e.g., LibreSSL, SSH, and so on).

In other words: it's not that OpenBSD is truly keeping up with Linux in
general. In a very real sense, it isn't. What it _is_ doing is keeping up, and
even surpassing it, in a few very important, very key areas, and that in turn
is keeping OpenBSD incredibly useful and incredibly relevant.

------
vog
It is really impressive how much you can streamline and simplify a Unix system
if you can afford to cut off legacy stuff. It's also great to see that stuff
being spread outside the OpenBSD world.

~~~
krylon
Among the Linux-users I know, OpenBSD has a reputation for being very cryptic
and, well, hardcore.

I am not really certain why. The installer is kind of spartan, yes, but it is
not difficult to figure out. And not only is the system pretty simple, the
documentation is really good, too.

I recently inherited an old laptop that would have ended up in the trash
otherwise, and I installed OpenBSD on it. The battery is busted,
unfortunately, but otherwise installing the system and setting up XFCE was
pretty straightforward.

The community can be a little tough on newbies at times, but if one plays by
their rules, they are a very friendly and helpful bunch.

~~~
gnuvince
> The installer is kind of spartan, yes, but it is not difficult to figure
> out.

In fact, it asks the same questions as a typical Ubuntu install: keyboard
language, timezone, username + password, partitioning, network. They throw in
a couple more questions about enabling NTP and SSH.

> And not only is the system pretty simple, the documentation is really good,
> too.

I think that newer users of Linux are not used to searching for documentation
in man pages, instead they go look for an answer they can copy-paste off of
Stack Overflow.

~~~
vog
_> I think that newer users of Linux are not used to searching for
documentation in man pages, instead they go look for an answer they can
copy-paste off of Stack Overflow._

Unfortunately, we see this for (some, newbie) system administrators, too. I
guess this is the typical issue with "getting it to work" versus "getting it
right".

~~~
moviuro
What about Docker vs. real system administration?...

~~~
chousuke
You know, if you use Docker for the right reasons, in the right way, it can be
a real time saver.

I'm not really sold on the way Docker specifically tries to be fire-and-forget
easy (it often succeeds in being silly and you have to work around it), but
containers are good.

There's a lot of very useful software that just expects that it can do
whatever it wants on a system, like install its own dependencies from git, run
its own version of python etc.

You may want to run such software in production and it is an absolute
maintenance nightmare if you install all the dependencies via package
management. Upgrading starts with rebuilding and repackaging all dependencies.
Not fun, and not a good use of time.

For such software, containers make it feasible to administer as somewhat
manageable units: You create the Dockerfile or whatever to install the
software you want, and run the resulting image on a host, and bring
configuration in via puppet or something. Then, when you need to upgrade, you
rebuild your image and deploy it on the host; rollbacks are trivial, as is
scaling, or creating test environments.

You can of course achieve the same sort of thing with virtual machines
providing you have good orchestration. However, often a deployment can consist
of multiple software components that are separate units, but can (or must)
share a single host.

I think so long as Linux containers don't actually offer real security, that's
the niche where they are useful.

------
brakmic
A wonderful OS!

As a student I installed our faculty's firewalls based on PF, CARP (for
failovers), Snort etc.

I even wrote a few articles on BGPD, spam greylisting, and Snort intrusion
detection for a (now defunct) IT magazine from Germany :)

Those were the times, indeed... now back to JavaScript ;)

------
Hydraulix989
I used to host my personal web site on a Gateway 2000 beige box running
OpenBSD installed on floppies. Those were the days.

~~~
gnuvince
For almost 10 years, the router at my parents' was my first PC (a Pentium 75
MHz with 16 MB of RAM and a 1 GB hard drive) running OpenBSD 3.0 or 3.1; I
installed it, configured it, put it in a closet in the basement and didn't
have to touch it until it died.

------
acd
Thanks to the OpenBSD developers!

------
TallGuyShort
Surprised to see Niels Provos' name on that list so many times. Honeyd (and
the associated book: Virtual Honeypots) was also developed by him and is quite
interesting for anyone with an interest in cybersecurity.

------
logicallee
Projects maintained by OpenBSD developers outside OpenBSD

* Sudo (...1980...)

wow. I didn't even think about sudo like that...

~~~
txutxu
Not only that, the guidance you get (first root email, man afterboot, etc.)
forces you to use a limited user instead of root and to learn about sudo.

OpenBSD now is using 'doas' instead of sudo (so the guidance you get points to
'doas', not to 'sudo').

When I first tried OpenBSD in the 4.x series, it was using sudo.

------
biot
With regards to malloc, what is the benefit of "random (delayed) free"?

~~~
chrismsnz
Not 100% sure, but I think this is to mitigate exploitation of UAF (Use After
Free) flaws.

Adding an unpredictable delay between when an application frees some memory
and when it becomes available for reuse elsewhere will likely reduce the
window of vulnerability where an exploit may be able to leverage the issue.
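The comment above describes the idea; the following added example (my own illustration, not OpenBSD's malloc.c) models it as a quarantine of freed blocks in which each free parks the block in a random slot and really releases whatever that slot held before. The 16-slot size, the use of rand() in place of a proper random source, and the names `delayed_free` and `frees_until_released` are assumptions made for the demo.

```c
#include <stdlib.h>
#include <string.h>

#define QUARANTINE_SLOTS 16     /* size is an assumption for this demo */

/* Freed blocks are parked here instead of going straight back to the heap. */
struct quarantine { void *slot[QUARANTINE_SLOTS]; };

/* Hypothetical random source; a real allocator would use arc4random_uniform(). */
static unsigned pick_slot(void) { return (unsigned)rand() % QUARANTINE_SLOTS; }

/* Delayed free: park p in a random slot and hand back whatever that slot held,
 * which is the block the caller must now release for real (NULL if the slot
 * was empty). A block thus leaves the quarantine only after an unpredictable
 * number of *later* frees, never on the call that parks it, so "free it, then
 * the next allocation of that size gives me the same address" stops holding. */
void *delayed_free(struct quarantine *q, void *p)
{
    unsigned i = pick_slot();
    void *evicted = q->slot[i];
    q->slot[i] = p;
    return evicted;
}

/* Demo: park one block, keep freeing fresh blocks, and count how many later
 * frees happened before the first block was really released. The result is
 * always >= 1 and differs from seed to seed: that variation is the point. */
unsigned frees_until_released(unsigned seed)
{
    struct quarantine q;
    memset(&q, 0, sizeof q);
    srand(seed);
    void *victim = malloc(32);
    free(delayed_free(&q, victim));          /* slot was empty: frees NULL, a no-op */
    unsigned n = 1;
    void *out;
    while ((out = delayed_free(&q, malloc(32))) != victim) {
        free(out);                           /* some other block's turn to die */
        n++;
    }
    free(out);                               /* victim is finally released here */
    for (unsigned i = 0; i < QUARANTINE_SLOTS; i++) free(q.slot[i]);  /* drain */
    return n;
}
```

A real allocator would pair this with size tracking and junking of the parked block, so a stale pointer neither reads old contents nor lands on a fresh allocation.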

------
thomashabets2
> W^X: First used for sparc, sparc64, alpha, and hppa in OpenBSD 3.3. Today,
> most architectures implement it.

Oh come ON! Is OpenBSD still pretending they: a) invented this b) understood
it (said "X is impossible" when PAX already did it)

Really, OpenBSD? Really?

Theo and friends explicitly say they don't look at what Linux does, which does
explain that they can claim that they are first. 1) Don't look for or at state
of the art. 2) Pretend you're doing state of the art, since you've not seen
the others.

~~~
noqax
The PAX/grsec people generally appear confounded by this, claiming their patch
was first and that they were #1. The reality is that even today their patches
remain largely uncommitted _patches_, and as a community, they didn't push as
hard as OpenBSD did and continues to do with upstream projects. They much
rather publicly attack OpenBSD, which has historically ignored them, preferring
to do actual work.

The software ecosystem as a whole has gained far more from OpenBSD's efforts
than from those of the PAX/grsec teams.

~~~
the_why_of_y
This is ridiculous. Since OpenBSD started as a fork of NetBSD, one could
similarly claim that innovations in OpenBSD are irrelevant if they have not
been picked up and integrated by NetBSD.

------
akkadmed
OpenBSD does well for the areas it focuses on. It's easy to admire a project
that has a narrow focus. The accolades always appear to come from those with
the least amount of experience with it however. "I use it for a high
performance firewall for my mom" "It's great as a desktop on my old laptop,
that I do nothing with." It's like hearing someone praise Steve Jobs for
inventing Photoshop, merely because they use it on a Mac. Fire up a high
performance database on OpenBSD that uses a production equivalent of modern
data. Set up a file server on NFSv3, use sshfs, or run the latest Linux version
of <insert anything here>. Then talk about your experiences. "We are secure
because we don't support FireWire/Bluetooth" is an invalid argument.

~~~
dwc
You're implying that OpenBSD is a toy OS. It's not. There are people using it
for real work under real load. Is it the fastest? Nope. If you're spec'ing out
a server and cutting edge performance is your major concern then you should
pick something else. But that's not the only criterion in real production
environments. There are roles where OpenBSD is not only an acceptable choice,
but the best choice. As always, it's about the best tool for the job. No tool
is the best for _every_ job.

~~~
akkadmed
Have you ever used it in any of these roles you speak of? What was your
experience?

~~~
dwc
Yes, I have. My experience was good. It's easy to install, configure, and
maintain, and it's rock solid. But it's not the only tool in my toolbox.

