
OpenBSD 6.4 released - fcambus
https://www.openbsd.org/64.html
======
Fnoord
Undeadly.org mentioned the following highlights:

"Selected highlights include:

* Support has been added for qcow2 images and external snapshots in vmm(4)/vmd(8).

* "join" has been added for Wi-Fi networks.

* Security enhancements include unveil(2), MAP_STACK, and RETGUARD. Meltdown/Spectre mitigations have been extended further, and SMT is disabled by default.

* rad(8) has replaced rtadvd(8).

* bgpd(8) has undergone numerous improvements, including the addition of support for BGP Origin Validation (RFC 6811). smtpd.conf(5) uses a new, more flexible grammar.

* For the first time, there are more than 10,000 (binary) packages (for amd64 and i386)." [1]

[1] [https://www.undeadly.org/cgi?action=article;sid=20181018140057](https://www.undeadly.org/cgi?action=article;sid=20181018140057)

~~~
Rondom
LWN has a good article about unveil() which also discusses the approaches
taken in the Linux world.

[https://lwn.net/Articles/767137/](https://lwn.net/Articles/767137/)

------
technofiend
I haven't taken the time to write this up, but one of the handy things about
OpenBSD is you can take a small 16GB USB stick, format it with one small FAT
partition and copy the installer to that. Then you boot the installer on your
Ubiquiti Edge Router and install OpenBSD to the unpartitioned space.

With a little work you can have your own caching DNS server including domain
blocks for tracking sites and if you want privoxy or a squid proxy. It's also
easy to set up your own root CA and switch over to certificate-based
authentication for wireless clients as long as the wireless base station
supports radius.

I haven't published a tech note on it yet because Android still complains
about importing self-signed certificates even when you import the root CA.
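
The "domain blocks for tracking sites" part of the setup above, as an added example that is not from this thread or from OpenBSD itself: a small script that turns a hosts-style blocklist into local-zone directives for unbound(8), the caching resolver in OpenBSD's base system. The sample list is constructed for the example, and the include path, the `always_nxdomain` zone type and the reload commands are assumptions about how the router is configured.

```sh
#!/bin/sh
# Added example, not from the thread or from OpenBSD: convert a hosts-style
# tracker blocklist into unbound(8) local-zone directives for a caching
# resolver. The include path, list format and sample entries are assumptions.
set -eu

# Constructed sample input in the usual "address hostname [hostname...]" hosts
# format. Real lists add comments, mixed case, CRLF line endings and junk.
SAMPLE_BLOCKLIST='# constructed sample blocklist
0.0.0.0 tracker.example
127.0.0.1 ads.example   # inline comment
0.0.0.0 TRACKER.EXAMPLE
0.0.0.0 under_score.example
0.0.0.0 localhost
0.0.0.0 -hyphen.example
0.0.0.0 stats.example.
'

# blocklist_to_unbound: hosts-format lines on stdin -> local-zone lines on
# stdout. Names are lowercased, a trailing dot is removed, entries that are
# not valid hostnames (RFC 1035 label syntax, at least two labels, label and
# name length limits) are dropped, and duplicates are emitted once, in input
# order. Feeding unvalidated junk into unbound.conf breaks the resolver.
blocklist_to_unbound() {
    awk '
    {
        sub(/\r$/, "")                       # tolerate CRLF lists
        sub(/#.*/, "")                       # strip comments
        if (NF < 2) next                     # need "address hostname"
        if ($1 != "0.0.0.0" && $1 != "127.0.0.1") next
        for (i = 2; i <= NF; i++) {
            host = tolower($i)
            sub(/\.$/, "", host)
            if (host == "localhost") continue
            if (length(host) > 253) continue
            if (host !~ /^([a-z0-9]([a-z0-9-]*[a-z0-9])?\.)+[a-z0-9]([a-z0-9-]*[a-z0-9])?$/) continue
            n = split(host, labels, ".")
            ok = 1
            for (j = 1; j <= n; j++) if (length(labels[j]) > 63) ok = 0
            if (!ok || (host in seen)) continue
            seen[host] = 1
            # always_nxdomain answers NXDOMAIN for the name and everything under it
            printf "local-zone: \"%s\" always_nxdomain\n", host
        }
    }'
}

# write_blocklist: render a blocklist file ($1) into an include file ($2)
# that unbound.conf pulls in with an "include:" line.
write_blocklist() {
    src="$1"; out="$2"
    {
        echo "# generated by blocklist_to_unbound; do not edit by hand"
        blocklist_to_unbound < "$src"
    } > "$out"
}

# Typical use on the router (assumed paths):
#   write_blocklist /tmp/hosts.txt /var/unbound/etc/blocklist.conf
#   unbound-checkconf && rcctl reload unbound
case "${1:-}" in
    demo) printf '%s' "$SAMPLE_BLOCKLIST" | blocklist_to_unbound ;;
esac
```

Run with `demo` to see the three surviving entries; the duplicate, the underscore name, the leading-hyphen name and `localhost` are dropped. Put `include: /var/unbound/etc/blocklist.conf` in the `server:` section of unbound.conf and always run `unbound-checkconf` before reloading, so a bad list cannot take the resolver down.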

~~~
jlg23
To be fair: you can do that with probably any unixoid OS. IMHO, it is just
much easier with BSDs because a) documentation of how to do it is much easier
to access than on linux or the other two(TM) and b) BSDs tend to follow the
KISS-principle - meaning: even with the superb documentation one can just read
the posix shell scripts to save some time.

~~~
technofiend
>To be fair: you can do that with probably any unixoid OS

Totally.

------
atjamielittle
Time to update your BCHS stack:
[https://learnbchs.org/index.html](https://learnbchs.org/index.html)

~~~
LeonM
That's pretty sweet! Although C is possibly the worst language to build web
applications..

~~~
beefhash
I see your C and raise you a COBOL[1,2].

[1]
[http://www.coboloncogs.org/INDEX.HTM](http://www.coboloncogs.org/INDEX.HTM)

[2] [http://adrianzandberg.pl/cobol-on-wheelchair/](http://adrianzandberg.pl/cobol-on-wheelchair/)

------
hn17
I used OpenBSD for some time as a platform for hobby servers around version
4. It is very stable, has low hardware requirements for a base system (I had
WordPress running on 32MB RAM and a Pentium 200 MMX, to my amusement), and has
a very fast and powerful firewall / packet filter. It is one of the most
elegant operating systems I've ever used. Simple to use but with huge
functionality. I second that the documentation is one of the best. Must try it
again, maybe on the desktop this time.

------
reinhardt1053
The new unveil(2) system call is now available. Discussed previously:
[https://news.ycombinator.com/item?id=18194008](https://news.ycombinator.com/item?id=18194008)

------
RandomTisk
I run OpenBSD as my border firewall which it handles very well.

One thing I wish that OpenBSD devs would change in their philosophy is the
--help messages. Many commands simply offer a list of switches, as if that's
somehow helpful. Sometimes you need the detail in a man page, but a lot of
times you don't and it would save so much time and energy to have a succinct
list in the --help message itself.

    # syspatch --help
    usage: syspatch [-c | -l | -R | -r]

~~~
AndyMcConachie
Read the manpage.

One thing I really dislike about modern UNIXes is their lack of decent
manpages in place of standins like --help.

I _love_ the BSDs and especially OpenBSD for their attention to manpages. It's
the main reason why I don't use Linux anymore unless I have to.

Adding detailed --help messages would take time away from maintaining
manpages, it also presents a duplication of information. If you want to know
what the switches do, read the manpage.

~~~
atmosx
How do you live without docker containers? The fact that docker doesn’t run on
BSDs is what drove me away.

~~~
yellowapple
...the same way the world has managed to survive for decades without Linux
containers in general (let alone specific wrappers around that like Docker
is)?

With OpenBSD specifically, you can get 90% of the way there with chroots,
standard process isolation, and a bit of shell scripting to handle deployment
automation.

Yeah, Docker's cool, but it's really not that hard to run multiple
applications/services on the same physical machine while keeping them from
clobbering each other or the OS in general (step 1 being to make sure each
service/daemon is running under its own minimally-privileged user).

~~~
toyg
_> With OpenBSD specifically, you can get 90% of the way there with chroots,
standard process isolation, and a bit of shell scripting_

This is a classic case of "THAT HackerNews response to Dropbox" [1].

If it's that easy, why isn't there a prepackaged wrapper with simple switches,
rather than leaving developers to fight for themselves among piles of custom
hacks?

The problem is not just deployment, the Docker differentiation is
simplification of the development pipeline. OpenBSD should seriously look at
their story in that area, because it's one of the few where they could still
potentially compete (because Docker is still fundamentally a pile of hacks,
and pretty insecure too).

Unless, of course, everyone is happy to remain "the little project that could"
and crack jokes like the BCHS stack.

[1]
[https://news.ycombinator.com/item?id=9224](https://news.ycombinator.com/item?id=9224)

~~~
smhenderson
_OpenBSD should seriously look at their story in that area, because it 's one
of the few where they could still potentially compete (because Docker is still
fundamentally a pile of hacks, and pretty insecure too)._

I’m pretty sure the OpenBSD developers are completely comfortable with their
story. They develop this software for themselves first. If you like it and
it’s useful to you, you are welcome to it. If not, look elsewhere. That’s been
their working philosophy all along and if you ask me that’s what makes it so
great to use. Every piece of the system is carefully thought out and organized
so it doesn’t suffer from nearly as much feature creep as other systems.

And as far as setting up chroots and isolating processes; it’s not hard and
sometimes you don’t need someone else to write a script for you when you can
do it yourself in 10 steps or less.

~~~
toyg
_> I’m pretty sure the Open BSD developers are completely comfortable with
their story._

They were pretty comfortable with their patching story -- until enough people
complained and lo, syspatch(8) appeared.

Beyond the posturing, nobody likes to run a project that nobody else uses; and
sometimes even _lusers_ are right.

_> Every piece of the system is carefully thought out and organized_

I am not saying they should rush out a crap docker clone, but rather a
"carefully thought out and organized" docker alternative.

_> you can do it yourself in 10 steps or less._

It's still 5x the steps you need with docker. As I said, it's about simple
reproducibility rather than just isolation. Even if it were easy to write my
own docker-compose (and indeed many people argued the same, when docker first
emerged, because it actually _was_ little more than shell scripts), having one
well-defined set of tools helps tremendously with kickstarting adoption and to
avoid reinventing the wheel every few weeks.

~~~
ams6110
I would be surprised if user complaints were the motivation for syspatch. More
likely, the author built something he found useful, and contributed it to the
project.

Most of the time on the openbsd email list, when a "user" suggests a feature
or asks for a change to something, the reply is something along the lines of
"sounds great, where is your patch?"

~~~
sverige
Exactly this. Unless of course you became an Iridium level donor with the
caveat that someone promised to build a Docker clone for you.

Edit: And in response to toyg's comment, here is a link to a video of a talk
by the developer in question, who mentions in passing that he builds things
for OpenBSD that help him put it into production. This is less than a minute
into his talk. Please educate yourself about the project before making
ridiculous demands on the devs' time and falsely assigning wrong motives to
them. It's unfriendly.

[https://archive.fosdem.org/2018/schedule/event/openbsd_base_system_maintenance_made_easy/](https://archive.fosdem.org/2018/schedule/event/openbsd_base_system_maintenance_made_easy/)

~~~
toyg
_> Please educate yourself about the project _

Oh, I am educated enough, don't worry. Which is why I was so surprised to see
it finally adopt a solution for a problem that had been pointed out for 20
years, after spending those 20 years replying to everyone that it was just
_the wrong thing to do in principle_.

_> It's unfriendly_

It's also unfriendly to gaslight away blatant problems, for whatever reason,
until they get fixed -- at which point they are admitted as actual problems.
Then again, OpenBSD is hardly a friendly project, culturally speaking.

~~~
exikyut
I've read through this subthread with objective concern.

A criticism that seems fair has been presented here in a benign, non-
antagonizing manner, and I am very perplexed as to why all comments arguing in
favor of that view have been anonymously downvoted wholesale without anything
approaching sufficient substantive explanation.

This is not the kind of behavior that (the) HN (community) is respected for.

Let me sum up what I see here.

\- Someone argues in favor of Docker, and is downvoted by enough people that
their comment turned grey. I think this means it's at -5 or -10 or something.
So, no explanation, no comments; just downvotes.

\- The one reply that goes into a bit of detail comes from a traditionalist
UNIX standpoint, and is a bit passive-aggressive. (This comment isn't grey.)

\- The next reply frames the parent as "THAT HackerNews response to Dropbox",
and highlights that the implied simplicity and sense of "only one obvious way
to solve this problem" is in fact not implied and that significant
wheel-reinvention must be (and presumably has been) done "on the ground".
Docker's simplicity is highlighted along with its insecurity. This comment is
grey.

\- The next reply further brushes-off the stated arguments by (passive-
aggressively) noting that the project seems successful enough, and maybe
that's because they actually have it figured out. (This comment isn't grey.)

\- I read the next reply as a gentle reminder of the importance of remaining
relevant going forward - and the fact that this doesn't necessarily mean
ground-up reinvention. This comment is also grey.

What is going on here?!

A nontrivial number of comments in this thread, and the other OpenBSD threads
I've seen, are basically all chanting about OpenBSD's perfection.

Good customer service, good social skills and forward thinking are some of the
most fundamental aspects of commercial success. Does open source think it can
get away with "no shirt, no shoes" just because it's free? :(

------
brynet
Announcement mail: [https://marc.info/?l=openbsd-tech&m=153987076201158](https://marc.info/?l=openbsd-tech&m=153987076201158)

This is the 45th release of OpenBSD!

------
tyfon
* PIE support for the m88k platform.

I'm quite amazed that there exists hardware where they can test this! Maybe
there are some embedded systems still using motorola chips?

Anyway, OpenBSD is great. I'm running it on my router and it also powers my 96
MB RAM dual Pentium Pro 200 MHz computer from the 90s :) That computer also
has a Quantum Fireball 20 GB disk as its main storage, another thing I am
amazed still runs..

Donate to this project, it deserves it!

~~~
notaplumber
A dedicated developer is keeping it alive by maintaining support for the OMRON
LUNA-88K & LUNA-88K2 Unix workstations from Japan.

[https://www.openbsd.org/luna88k.html](https://www.openbsd.org/luna88k.html)

OpenBSD also used to run on Motorola's 88k VME boards, but the mvme88k port
was discontinued after 5.5.

[https://www.openbsd.org/mvme88k.html](https://www.openbsd.org/mvme88k.html)

If you have any spare parts/systems, I suspect aoyama@ would be interested in
hearing from you.

------
zdw
> Because Simultaneous MultiThreading (SMT) uses core resources in a shared
> and unsafe manner, it is now disabled by default. It can be enabled with the
> new hw.smt sysctl(2) variable.

Is this on all architectures or just Intel's Hyperthreading? I'd imagine that
other CPUs with hardware threads (especially the 4 and 8 way Sparc T series)
would be quite hobbled in terms of performance with this change.

~~~
bjpbakker
Should be specific to Intel's Hyperthreading, according to the ml announcement
[0]

[0] - [https://marc.info/?l=openbsd-tech&m=153504937925732](https://marc.info/?l=openbsd-tech&m=153504937925732)

(edit: words)

------
deskdrawer
My biggest turnoff with OpenBSD is the more complicated package management if
you want to have new versions and security updates beyond the versions
packaged with the release. As far as I know you either have to stay on the
bleeding edge with -current, build packages yourself, or trust a third party
(M:Tier) to build for you, who last I checked were behind on firefox builds.
I'd love to someday run it on my laptop though.

~~~
4ad
The best part of OpenBSD (to me), as opposed to say, FreeBSD is that pkg -u
only brings in security fixes, instead of unrelated crap I don't want.

When I want new packages, I'll upgrade the operating system. I very much
appreciate the stability of packages during a release cycle.

~~~
JdeBP
This is very probably because you have

    url: "pkg+http://pkg.freebsd.org/${ABI}/latest",

in your configuration file instead of (say)

    url: "pkg+http://pkg.freebsd.org/${ABI}/release_3",

~~~
4ad
    url: "pkg+http://pkg.FreeBSD.org/${ABI}/quarterly"

This is the default configuration.

~~~
JdeBP
Not originally it wasn't. That was a change in 10.2.

* [https://forums.freebsd.org/threads/a-mini-faq-on-pkg.49694/page-2#post-339590](https://forums.freebsd.org/threads/a-mini-faq-on-pkg.49694/page-2#post-339590)

* [https://lists.freebsd.org/pipermail/freebsd-ports-announce/2014-April/000079.html](https://lists.freebsd.org/pipermail/freebsd-ports-announce/2014-April/000079.html)

~~~
4ad
It's the default now, and 10.2 was released over three years ago. What exactly
is your point?

~~~
JdeBP
That your configuring your system to be on these update cycles is very
probably why your system is on these update cycles. This should have been
abundantly clear.

------
chousuke
I run OpenBSD on my router and it's great. It was refreshing to not need
Google for figuring out how to set things up, because _everything_ is in the
included manual pages, which often do a great job explaining new concepts.
Want a quick intro to OSPF? man ospfd

I don't think I'll run OpenBSD as a desktop OS unless performance drastically
improves, but it's staying on my router for the foreseeable future.

~~~
appleflaxen
can you elaborate on your performance concerns?

------
fosco
In similar news, OpenSSH [0] released a new version recently. Noticed 7.7
[1] applied to this OpenBSD release.

[0]
[https://www.openssh.com/txt/release-7.8](https://www.openssh.com/txt/release-7.8)

[1] [https://www.openbsd.org/plus64.html](https://www.openbsd.org/plus64.html)

~~~
brynet
OpenSSH 7.9 should follow the OpenBSD release.

~~~
brynet
[https://www.openssh.com/releasenotes.html#7.9](https://www.openssh.com/releasenotes.html#7.9)

------
h1d
Interesting, I've been running Linux for 15 years, yet I can't understand how
to upgrade from 6.3, which I just installed on a cloud server, to 6.4 by
reading the official document.

(Specifically the part "instruct the boot loader to boot this kernel" because
it says to type in the file name during the boot process, which is not exactly
easy on a remote machine.)
[https://www.openbsd.org/faq/upgrade64.html](https://www.openbsd.org/faq/upgrade64.html)

I have a lot of respect to OpenBSD devs when people don't contribute back much
even if they use OpenSSH everyday but a bit more friendliness doesn't hurt to
let people try it out more.

~~~
ahriman
Do you have console access, via VNC for example?

If so, download the new bsd.rd image and place it in /

Reboot, and at the boot prompt type:

boot bsd.rd

Then follow the prompts.
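
The "download the new bsd.rd image and place it in /" step above, as an added example that is not from this thread or from the OpenBSD FAQ: on a remote box the ramdisk kernel you are about to boot is the one file you cannot afford to get wrong, so verify it with signify(1) before it goes into /. Mirror, architecture, download tool and install path are assumptions made for this example; the `boot bsd.rd` step at the console stays exactly as described above.

```sh
#!/bin/sh
# Added example, not from the thread or from OpenBSD: stage bsd.rd for a
# "boot bsd.rd" upgrade, verifying it with signify(1) first. Mirror,
# architecture and paths are assumptions made for this example.
set -eu

RELEASE=6.4                                   # target release (assumption)
ARCH=amd64                                    # assumption
MIRROR=https://cdn.openbsd.org/pub/OpenBSD    # assumption
# Each release ships the signing key of the next one, so a 6.3 system already
# has openbsd-64-base.pub and can verify 6.4 files before trusting them.
PUBKEY="/etc/signify/openbsd-$(echo "$RELEASE" | tr -d .)-base.pub"

# release_url: URL of a file in the release directory, e.g. release_url bsd.rd
release_url() {
    echo "$MIRROR/$RELEASE/$ARCH/$1"
}

# digest_of: SHA-256 hex digest of a file; sha256(1) on OpenBSD, sha256sum
# or openssl elsewhere (so the helpers also run on a Linux jump host).
digest_of() {
    if command -v sha256 >/dev/null 2>&1; then
        sha256 -q "$1"
    elif command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        openssl dgst -sha256 -r "$1" | awk '{print $1}'
    fi
}

# expected_digest: digest recorded for file $2 in a SHA256 list $1
# (lines look like: SHA256 (bsd.rd) = <64 hex chars>).
expected_digest() {
    awk -v f="$2" '$1 == "SHA256" && $2 == "(" f ")" { print $4; exit }' "$1"
}

# checksum_matches: returns 0 if the digest of file $2 equals the one listed
# for it in $1, 1 if it differs or the file is not listed at all.
checksum_matches() {
    list="$1"; file="$2"
    want=$(expected_digest "$list" "$(basename "$file")")
    [ -n "$want" ] || return 1
    [ "$(digest_of "$file")" = "$want" ]
}

# stage_ramdisk: fetch bsd.rd and SHA256.sig, verify the signature with
# signify, install the kernel to /bsd.rd, then confirm the installed copy
# still matches the signed list (a truncated copy of the only kernel you
# can boot next is not something you want to discover over a remote console).
stage_ramdisk() {
    work=$(mktemp -d)
    cd "$work"
    ftp -o bsd.rd "$(release_url bsd.rd)"
    ftp -o SHA256.sig "$(release_url SHA256.sig)"
    # -C verifies the embedded list's signature, then bsd.rd against the list
    signify -C -p "$PUBKEY" -x SHA256.sig bsd.rd
    install -o root -g wheel -m 0644 bsd.rd /bsd.rd
    # the signed message follows the two-line signify header
    sed '1,2d' SHA256.sig > SHA256
    checksum_matches SHA256 /bsd.rd
    echo "/bsd.rd staged; reboot and type 'boot bsd.rd' at the boot> prompt"
}

case "${1:-}" in
    stage) stage_ramdisk ;;
esac
```

Run as root with `stage`. The signify step is the one that matters: the digest comparison only guards the copy into /, it is not a substitute for the signature check, and the mirror is reached over HTTPS only to limit what an on-path attacker can see, not to establish trust.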

~~~
h1d
Yes, I was struggling to do this from the remote shell but I had remote access
to the console to specify the ram disk to get through the upgrade process. I'd
consider myself one of the lucky ones, since providers like AWS don't have
that feature to access the boot process in real time.

------
ttul
I am so tempted to install this after a 15 year break...

~~~
enriquto
You can try it right now inside VirtualBox, and 20 minutes later you realize
that it has all you need. After a few days, you'll notice that you spend
most of your time inside the virtual machine, and then it makes sense to turn
your setup upside down and work directly on the saner system.

~~~
JoachimS
How well does the inverse work - running VMs in OpenBSD to use Windows,
Linux? Is it for example possible to run Virtualbox with good performance in
OpenBSD?

I'm tempted at using OpenBSD as OS, but need to run things like MS Office. A
VM is probably the easiest way to do that.

~~~
ch_123
There is an OpenBSD-specific hypervisor (vmm) in recent releases.

I cannot comment on whether it is suitable for running VMs at this time.

~~~
yellowapple
From what I've gathered (and experienced last time I've tried it), Windows
support is nonexistent right now. That might change eventually, but OpenBSD
and Linux (and I think NetBSD?) are the initial targets.

QEMU is available in packages/ports, though; while almost certainly slow, it's
a start. VirtualBox on Linux requires a kernel module, so unless someone
manages to port that to OpenBSD (which would translate to adding it to
OpenBSD's kernel, which doesn't support loadable kernel modules anymore), that
one probably ain't an option.

------
liv-io
what a great day, thanks so much OpenBSD developers! I have to update some
Ansible roles this weekend :)

------
toyg
Syspatch working out of the box! That’s really big news, in my book.

Guess I should give OBSD another chance...

------
_zachs
Back in college our OS course used OpenBSD and I had a great time learning
kernel development. Too bad I'm heavily invested in Arch right now!

------
makz
Impressive work what the openbsd folks do. Kudos.

------
mruts
Linux is a depressing mess after you've used OpenBSD. Such a high quality
system, with stellar documentation. It's unfortunate that Linux has become so
popular even though the BSD's are so much better. A bad historical accident.
Damn you Linus...

~~~
heywire
Is OpenBSD suitable for use on a laptop? I have a Dell Latitude 7370 running
KDE Neon, and it runs really well. All hardware is supported, battery life is
on-par with Windows, etc. Would OpenBSD work well on this laptop?

~~~
johnnycarcin
I'd like to hear about this as well. OpenBSD has been on my list of "to try"
for quite a while but the app/package thing has been a big question mark for
me.

I _really_ enjoy being able to apt-get or brew install pretty much any of the
applications out there and am a bit worried about how that experience would be
on OpenBSD. I guess the best way to find out would be to try it eh? :)

~~~
magnetic
There is the core install and then packages that you can add just as easily as
apt-get.

~~~
ahje
Does that apply to updates as well?

~~~
sverige
Yes. syspatch and pkg_add -u handle updates.

