
OpenBSD 6.1 released - gbrown_
https://marc.info/?l=openbsd-tech&m=149191695821636&w=2
======
zdw
My personal favorite from the LibreSSL section:

> Massive update and normalization of manpages, conversion to mandoc format. Many pages were rewritten for clarity and accuracy.

Most of OpenSSL's documentation desperately needed attention and was full of
extremely minor errors that rendered some parts unintelligible - for example,
this confusing single character one that was already fixed in LibreSSL:
[https://github.com/openssl/openssl/commit/a41815f05e71009d2a...](https://github.com/openssl/openssl/commit/a41815f05e71009d2a5148bd30b70f47186ed66b)

------
mrweasel
Sadly I don't often get to play with OpenBSD, but every time I do I'm
impressed by how coherent an operating system it is. You really get the
feeling that the developers care about delivering a system with a unified
expression, where everything is meant to be used together.

It's not just a kernel bundled with a bunch of tools/programs which sort of
seem to work together, but not in the same manner. Even FreeBSD has sometimes
left me with the impression that the developers don't care about style and
just import tools or subsystems and leave it at that, rather than making it
feel like it belongs.

~~~
floatboth
Heh, as a FreeBSD user primarily, OpenBSD sometimes feels kinda empty to me.
No ZFS, no DTrace, no jails, no mandatory access control, no CloudABI, no
Linux compat layer…

~~~
milcron
OpenBSD does seem empty by comparison, but it's on purpose.

ZFS is large and complicated. [http://www.tedunangst.com/flak/post/ZFS-on-OpenBSD](http://www.tedunangst.com/flak/post/ZFS-on-OpenBSD)

DTrace would be nice to have, but I believe there are CDDL license concerns.

Jails are a way of isolating services so that they cannot do (much) damage to
the system in the event they are compromised. The closest alternative in
OpenBSD is probably pledge(2), which allows a program to voluntarily renounce
the ability to invoke a set of syscalls. There is also chroot if all you need
is filesystem virtualization.

MAC can be complicated to implement. This comment explained things very well:
[https://news.ycombinator.com/item?id=8893749](https://news.ycombinator.com/item?id=8893749)

> OpenBSD doesn't support a MAC framework because they believe the best
> approach to security is correctness, rather than trying to achieve security
> by adding features which results in more complexity, making it more
> difficult to ensure correctness. A common mistake people make is thinking
> that OpenBSD's primary goal is security; their primary goal is correctness.
> This just happens to result in better security more often than not.

Linux compat is a similar story. OpenBSD dropped it in the 6.0 release due to
complexity and security concerns.

I don't know a whole lot about CloudABI.

~~~
floatboth
pledge is not similar to jails in any way, jails are "chroot on steroids"
(isolate network, PIDs, users, etc.)

pledge is more similar to Capsicum. It is simpler to implement in some
programs, sure, but:

1) I don't like how pledge just kills the program. Rude. Capsicum refuses the
offending operation.

2) Capsicum has an absolutely brilliant feature for directory access — you
just open() a file descriptor to a directory, then you cap_enter()… and in the
sandbox mode you can use openat() to open files below that directory! This is
just so clever. Meanwhile pledge promised a simple directory whitelist option
that is STILL NOT IMPLEMENTED :(

CloudABI is a portable ABI that can be described as POSIX plus Capsicum minus
anything incompatible with Capsicum. So CloudABI programs start already in
capability mode, expecting necessary file descriptors to be already open
(there's a launcher tool for that). You can just run CloudABI binaries
unmodified on several operating systems and they are _always_ sandboxed, they
have _no_ way to access anything you didn't pass to them. CloudABI is out-of-
the-box supported on FreeBSD, there are kernel patches for NetBSD and Linux,
and a user-mode syscall translator for macOS.
[https://nuxi.nl/cloudabi/](https://nuxi.nl/cloudabi/)
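The two models milcron and floatboth describe, side by side, as an added example that is not code from the thread or from either project: the program opens the directory it will need, narrows itself with pledge(2) on OpenBSD or cap_enter(2) on FreeBSD, and from then on reaches files only through openat(2) on that descriptor. The sandbox calls are compiled only on their own OS; elsewhere they are no-ops (an assumption stated in the code) and the userland path check is the only thing enforced. The scratch directory and its one file are constructed by the demo itself.

```c
#ifndef _DEFAULT_SOURCE
#define _DEFAULT_SOURCE
#endif
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#ifdef __FreeBSD__
#include <sys/capsicum.h>
#endif

/* Drop privileges after setup. OpenBSD: keep stdio, read-only path lookups
 * and unlink/rmdir ("cpath"); FreeBSD: enter capability mode. Elsewhere
 * this is a no-op (assumption: no kernel enforcement, only the userland
 * check in name_is_confined() stands between the program and the filesystem). */
static int enter_sandbox(void)
{
#if defined(__OpenBSD__)
	return pledge("stdio rpath cpath", NULL);
#elif defined(__FreeBSD__)
	return cap_enter();
#else
	return 0;
#endif
}

/* Reject names that could escape dirfd: empty, absolute, or containing a
 * ".." component. Capsicum refuses these in the kernel (ENOTCAPABLE);
 * pledge("rpath") does not confine paths at all, so check in userland too. */
int name_is_confined(const char *name)
{
	if (name == NULL || name[0] == '\0' || name[0] == '/')
		return 0;
	for (const char *p = name; *p != '\0'; ) {
		const char *seg = p;
		while (*p != '\0' && *p != '/')
			p++;
		if (p - seg == 2 && seg[0] == '.' && seg[1] == '.')
			return 0;
		if (*p == '/')
			p++;
	}
	return 1;
}

/* openat(2) relative to a directory descriptor opened before sandboxing.
 * Returns a file descriptor, or -1 with errno set. */
int safe_openat(int dirfd, const char *name)
{
	if (!name_is_confined(name)) {
		errno = EACCES;
		return -1;
	}
	return openat(dirfd, name, O_RDONLY | O_NOFOLLOW);
}

/* Demo: create a scratch directory with one file (constructed input), open
 * the directory and its parent as capabilities, sandbox, then read and
 * clean up using only those descriptors. Returns bytes read, or -1. */
long demo_read_confined(void)
{
	char dir[] = "/tmp/capdemo.XXXXXX";
	char path[64];
	char buf[128];
	long n = -1;

	if (mkdtemp(dir) == NULL)
		return -1;
	snprintf(path, sizeof path, "%s/notes.txt", dir);
	FILE *f = fopen(path, "w");
	if (f == NULL)
		return -1;
	fputs("constructed sample content\n", f);
	fclose(f);

	/* Everything the sandboxed phase needs is opened here, before the drop. */
	int parentfd = open("/tmp", O_RDONLY | O_DIRECTORY);
	int dirfd = open(dir, O_RDONLY | O_DIRECTORY);
	if (parentfd < 0 || dirfd < 0)
		return -1;

	if (enter_sandbox() != 0)
		return -1;
	/* From here on, open("/etc/passwd") fails with ECAPMODE on FreeBSD and
	 * safe_openat(dirfd, "../passwd") is refused by the userland check. */
	int fd = safe_openat(dirfd, "notes.txt");
	if (fd >= 0) {
		ssize_t r = read(fd, buf, sizeof buf);
		n = r < 0 ? -1 : (long)r;
		close(fd);
	}
	/* Cleanup through the pre-opened descriptors, never through paths. */
	unlinkat(dirfd, "notes.txt", 0);
	unlinkat(parentfd, dir + strlen("/tmp/"), AT_REMOVEDIR);
	close(dirfd);
	close(parentfd);
	return n;
}

int main(void)
{
	printf("bytes read through directory capability: %ld\n", demo_read_confined());
	return 0;
}
```

On FreeBSD an open() of an absolute path after cap_enter() fails with ECAPMODE and an openat() that walks through ".." returns ENOTCAPABLE, which is the "refuses the offending operation" behaviour floatboth prefers. On OpenBSD a call outside the promised set, say unlink() without "cpath", ends the process with SIGABRT, which is why the demo's cleanup uses unlinkat() on descriptors it opened beforehand and why "cpath" is in the promise string.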

------
ramshorns
It's the first release without an official CD set [1], and OpenBSD was
probably one of the last operating systems to provide official installation
discs. I wonder if they'll start recommending third-party sellers of
installation CDs and DVDs like Debian does [2].

[1] [https://www.openbsd.org/orders.html](https://www.openbsd.org/orders.html)
[2] [https://www.debian.org/CD/vendors/](https://www.debian.org/CD/vendors/)

~~~
jasonkostempski
Weren't these mostly just a nice way to contribute to the project and get
something tangible in return, or did they not sell the disks at a profit?

~~~
qeternity
A three-pack of 5.9 disks is being sold for $60...so yeah, I'd say so.

------
hackermailman
Go also now supports pledge
[https://go.googlesource.com/sys/+/8fd966b47dbdd4faa03de0d06e...](https://go.googlesource.com/sys/+/8fd966b47dbdd4faa03de0d06e3d733baeb9a1a9%5E!/)

~~~
equalunique
That's good news

------
l2dy
New syspatch(8) utility for security and reliability binary updates to the
base system.

~~~
parfe
[http://man.openbsd.org/syspatch.8](http://man.openbsd.org/syspatch.8)

Thanks for highlighting this. For me, OpenBSD releases needed so few fixes
that keeping the system up to date wrapped around and became more of a hassle
to deal with! I'd get an email and have to manually rebuild something.
Watching yet another flood of compiler output started feeling like a huge
waste of time, despite only happening once every month or two.

For personal use, on Debian I set a cron job and forget it. This utility hits
the sweet spot to get me running OpenBSD again.

~~~
adamrt
You may already be familiar with it, but just in case:
[https://wiki.debian.org/UnattendedUpgrades](https://wiki.debian.org/UnattendedUpgrades)

You can specify the types of updates to auto-install (i.e., I only install
security updates automatically).
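As an added example (not from the thread or from the Debian wiki page linked above), this is the part of /etc/apt/apt.conf.d/50unattended-upgrades that limits the automatic run to the security archive adamrt mentions. The `Debian-Security` label is the one Debian's stretch-era security archive carries; it is an assumption for any other release and should be checked against `apt-cache policy` output on the host:

```conf
// /etc/apt/apt.conf.d/50unattended-upgrades (added example, not the
// shipped default; verify the origin label with `apt-cache policy`)
Unattended-Upgrade::Origins-Pattern {
        // Only the security archive for the running release. The generic
        // "origin=Debian,codename=${distro_codename}" pattern that would
        // also pull in every point-release update is deliberately left out.
        "origin=Debian,codename=${distro_codename},label=Debian-Security";
};

// An automatic run should never reboot the box or remove packages on its own.
Unattended-Upgrade::Automatic-Reboot "false";
Unattended-Upgrade::Remove-Unused-Dependencies "false";
```

`unattended-upgrade --dry-run --debug` prints which packages the patterns would pick up without installing anything, which is the quickest way to confirm the label is right before leaving the cron job to it.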

~~~
currysausage
I keep running into a weird issue where my Debian servers won't shut down ("A
start job is running for Unattended Upgrades") when I enable unattended
upgrades as described at [1]. It is especially weird since my Debian systems
are otherwise pretty bare-bones, yet the issue occurs on several of them. The
solutions listed on Stack Exchange [2] seem rather hacky.

[1] [https://wiki.debian.org/UnattendedUpgrades#automatic_call_vi...](https://wiki.debian.org/UnattendedUpgrades#automatic_call_via_.2Fetc.2Fapt.2Fapt.conf.d.2F20auto-upgrades)

[2] [http://unix.stackexchange.com/questions/293804/debian-a-star...](http://unix.stackexchange.com/questions/293804/debian-a-start-job-is-running-for-unattended-upgrades)

~~~
voltagex_
That's particularly nasty (and an aspect of systemd that I _really_ don't
like).

I'm not sure this has been reported before / correctly:

[https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=837155](https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=837155)
[https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=719597](https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=719597)

Maybe give the maintainers a prod with a link to that thread?

------
jordigh
Aw, no release song yet:

[https://www.openbsd.org/lyrics.html#61](https://www.openbsd.org/lyrics.html#61)

That's usually my favourite part about new OpenBSD releases. :-)

~~~
protomyth
The page updated with "will be released around April 25"

------
sspiff
> The following platforms were retired: armish, sparc, zaurus.

Goodnight, sweet prince.

The Sharp Zaurus was where I first ran OpenBSD.

~~~
i336_
Waaait what??

SPARC is one of the few unencumbered platforms without security bits (Intel ME
or AMD PSP) and GPL cores:
[https://news.ycombinator.com/item?id=11423350](https://news.ycombinator.com/item?id=11423350)

~~~
protomyth
sparc64 is still supported. sparc is the 32-bit port.

[https://www.openbsd.org/sparc.html](https://www.openbsd.org/sparc.html) - Discontinued

[https://www.openbsd.org/sparc64.html](https://www.openbsd.org/sparc64.html) - Supported

~~~
i336_
Oh. Whoops. Thanks heaps.

------
JdeBP
And NetBSD 7.1 came out a few weeks ago, too:
[https://news.ycombinator.com/item?id=14072284](https://news.ycombinator.com/item?id=14072284)

------
whitepoplar
Maybe this isn't the best place to ask this, but how does OpenBSD handle "real
world" security these days? Last time I checked, OpenBSD was heavily audited,
with emphasis on shipping a secure base system. The problem, to me, is that
every running system in the world has many packages installed to make it
useful as an e.g. server. What use is a secure base system if installable
packages aren't audited to the same degree? Debian handles this by putting all
packages (apart from universe) under the maintenance of the Debian Security
Team. I would love to use OpenBSD, but want to make sure that the extra effort
isn't spent with no real security advantage.

~~~
elchief
There is a lot of functionality in Base that some aren't aware of: ldapd,
httpd, IPSec + iked (VPN), pf (firewall, NAT), dhcpd, ntpd, smtpd, snmpd,
radiusd, relayd (load balancer), tftpd, sshd, nfs, nsd and unbound (DNS)

So, you could run an HTTPS site, with a Perl fastCGI site, sending emails, all
out of Base

Plus you get privsep'd X (xenocara)

~~~
peatmoss
Xenocara may not satisfy performance characteristics the way something like
Wayland does. However, Xenocara is pretty awesome in (I believe) being the
only X11 server to address the somewhat ugly security model of stuff running
as root.

~~~
krakensden
I think most of the popular Linux distributions have been shipping rootless
x11 for a few years now, too. Kernel Mode Setting was the big watershed
feature.

~~~
peatmoss
Interesting, I hadn't known that. Canonical's site indicates that there's some
nuance there depending on the video card model though:

[https://wiki.ubuntu.com/X/Rootless](https://wiki.ubuntu.com/X/Rootless)

Also interesting is that support for rootless (at least in Arch) depends on,
or perhaps was facilitated by systemd:

[https://wiki.archlinux.org/index.php/Xorg#Rootless_Xorg_.28v...](https://wiki.archlinux.org/index.php/Xorg#Rootless_Xorg_.28v1.16.29)

I don't pay as close attention to Linux developments as I should these days!

------
i336_
A (highly subjective) selection of things that seemed interesting, sorted from
most to least noteworthy in my opinion

--

- A lot of code has been removed or simplified to make the transition to
multi-processor easier.

- printf(3) family of formatting functions now report to syslog when the %s
format is used with a NULL pointer.

- When sending TCP streams they are locally stored in large mbuf clusters to
improve memory management. The maximum TCP send and receive buffer size has
been increased from 256KB to 2MB. Note that this results in a different pf(4)
OS fingerprint for OpenBSD.

- ssh(1): Add a proxy multiplexing mode to ssh(1) inspired by the version in
PuTTY by Simon Tatham. This allows a multiplexing client to communicate with
the master process using a subset of the SSH packet and channels protocol over
a Unix-domain socket, with the main process acting as a proxy that translates
channel IDs, etc. This allows multiplexing mode to run on systems that lack
file-descriptor passing (used by current multiplexing code) and potentially,
in conjunction with Unix-domain socket forwarding, with the client and
multiplexing master process on different machines. Multiplexing proxy mode may
be invoked using "ssh -O proxy ..."

- OpenSSH 7.4: Server support for the SSH v.1 protocol has been removed. {NB,
note the "server" bit - "client" is not mentioned}

- Support for Linux guest VMs.

- The performance and concurrency of the malloc(3) family in multi-threaded
processes has been improved.

- read(2) on directories now fails instead of returning 0.

- Support for permitting non-root users to mount(8) filesystems has been
removed.

- Install sets are now fetched over an HTTPS connection by default when using
a mirror that supports it.

- For incoming TLS connections syslogd(8) can validate client certificates
with a given CA file.

- nc(1) now also supports OCSP stapling server side, and will show the
stapling information client side.

- When log files are rotated, newsyslog(8) writes the creation time in UTC
ISO format into the first line.

--

- sshd(8): Remove the UseLogin configuration directive and support for having
/bin/login manage login sessions.

- sshd(8): Add a sshd_config DisableForwarding option that disables X11,
agent, TCP, tunnel and Unix domain socket forwarding, as well as anything else
we might implement in the future. Like the 'restrict' authorized_keys flag,
this is intended to be a simple and future-proof way of restricting an
account.

- sshd(8), ssh(1): Support the "curve25519-sha256" key exchange method. This
is identical to the currently-supported method named
"curve25519-sha256@libssh.org".

- Deprecate the sshd_config UsePrivilegeSeparation option, thereby making
privilege separation mandatory. Privilege separation has been on by default
for almost 15 years and sandboxing has been on by default for almost the last
five.

- SHA512_256 family of functions added to libc.

- LibreSSL 2.5.3: Massive update and normalization of manpages, conversion to
mandoc format. Many pages were rewritten for clarity and accuracy. Portable
doc links are up-to-date with a new conversion tool.

--

- Use a hardware register for the thread pointer on arm for improved
performance in multi-threaded processes.

- New vmm(4)/ vmd(8): Support was partially integrated in 6.0, but disabled.

- vmm(4) no longer requires VMX unrestricted guest capability (Nehalem and
later CPUs are sufficient).

- Support VMs with > 2GB RAM.

- vmd(8) uses pledge(2) and the fork+exec model.

--

- All shared libraries, all dynamic and static-PIE executables, and ld.so(1)
itself use the RELRO ("read-only after relocation") design such that more of
the initial data is protected as read-only.

- The privileged parent process of syslogd(8) calls exec(2) to reshuffle its
random memory layout.

- New function recallocarray(3) to reduce the risk of incorrect clearing of
memory before and after reallocarray(3).

- arm added to the list of archs where the setjmp(3) family of functions
apply XOR cookies to stack and return-address values in the jmpbuf.

- bioctl(8) now uses bcrypt PBKDF to derive keys for crypto volumes.

- Partial UTF-8 line editing support for ksh(1) Vi input mode.

- UTF-8 support in column(1).

--

Edit: Reordered things a little and grouped things together for legibility
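The recallocarray(3) item in the list above is easiest to appreciate in code. Below is an added example, not the OpenBSD libc implementation, that re-creates the call's semantics portably (named demo_recallocarray so it does not collide with the real function on OpenBSD) so the contrast with reallocarray(3) can be run on any system. It always moves the block; the real one avoids the copy for some shrinks, which does not change the guarantee shown here.

```c
#include <errno.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Zero memory through a volatile pointer so the store cannot be optimised
 * away; OpenBSD's libc uses explicit_bzero(3) for the same purpose. */
static void clear_mem(void *p, size_t n)
{
	volatile unsigned char *vp = p;
	while (n-- > 0)
		*vp++ = 0;
}

/* Overflow-checked a*b: the check reallocarray(3) adds over realloc(3). */
static int mul_overflows(size_t a, size_t b, size_t *out)
{
	if (a != 0 && b > SIZE_MAX / a)
		return 1;
	*out = a * b;
	return 0;
}

/* Simplified recallocarray(3): like reallocarray(), but the new tail is
 * zeroed and the old block is wiped before it is freed, so neither
 * uninitialised bytes nor stale secrets are exposed. Prototype follows
 * OpenBSD: (ptr, oldnmemb, newnmemb, size). */
void *demo_recallocarray(void *ptr, size_t oldnmemb, size_t newnmemb, size_t size)
{
	size_t oldsize, newsize;

	if (ptr == NULL)
		return calloc(newnmemb, size);
	if (mul_overflows(newnmemb, size, &newsize) ||
	    mul_overflows(oldnmemb, size, &oldsize)) {
		errno = ENOMEM;
		return NULL;
	}
	unsigned char *newptr = malloc(newsize);
	if (newptr == NULL)
		return NULL;
	if (newsize > oldsize) {
		memcpy(newptr, ptr, oldsize);
		memset(newptr + oldsize, 0, newsize - oldsize);
	} else {
		memcpy(newptr, ptr, newsize);
	}
	clear_mem(ptr, oldsize);   /* the step realloc()/reallocarray() skip */
	free(ptr);
	return newptr;
}

/* Grow a 4-byte "key" (constructed sample) to 16 bytes, then shrink to 2:
 * returns 1 when the payload survives and every newly added byte is zero. */
int demo_grow_preserves_and_zeroes(void)
{
	unsigned char *buf = demo_recallocarray(NULL, 0, 4, 1);
	if (buf == NULL)
		return 0;
	memcpy(buf, "key!", 4);
	unsigned char *grown = demo_recallocarray(buf, 4, 16, 1);
	if (grown == NULL) {
		free(buf);
		return 0;
	}
	int ok = memcmp(grown, "key!", 4) == 0;
	for (int i = 4; i < 16; i++)
		ok = ok && grown[i] == 0;
	unsigned char *shrunk = demo_recallocarray(grown, 16, 2, 1);
	if (shrunk == NULL) {
		free(grown);
		return 0;
	}
	ok = ok && memcmp(shrunk, "ke", 2) == 0;
	clear_mem(shrunk, 2);
	free(shrunk);
	return ok;
}

/* Returns 1 if a size request that overflows size_t is refused with ENOMEM
 * instead of silently allocating a too-small block. */
int demo_overflow_rejected(void)
{
	void *p = malloc(8);
	if (p == NULL)
		return 0;
	errno = 0;
	void *q = demo_recallocarray(p, 2, SIZE_MAX, 4);
	int ok = (q == NULL && errno == ENOMEM);
	free(p);
	return ok;
}
```

With plain realloc() or reallocarray() the old block, key bytes included, goes back to the allocator unwiped and the grown tail holds whatever was there before; a caller had to remember an explicit_bzero() before every reallocarray() and a memset() after it to be safe. recallocarray() folds both into the call, which is the "incorrect clearing before and after" risk the release note refers to.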

~~~
floatboth
Also:

- The iwm(4) driver now supports 802.11n MIMO (MCS 0-15).

- Enforcement of userland W^X on OCTEON Plus and later.

Is the EdgeRouter Lite an Octeon "Plus"?

- LLVM/Clang 4.0.0 (+ patches)

Looks like they shipped LLVM 4 into an actual stable release before FreeBSD!
(because it's the first LLVM for them)

- New tpm(4) driver for Trusted Platform Module devices.

But that one was in FreeBSD since 2010 :P

~~~
gbrown_
> Looks like they shipped LLVM 4 into an actual stable release before FreeBSD!
> (because it's the first LLVM for them)

Note it's only in base for the ARM platform.

~~~
yellowapple
I have a feeling that will change in future releases.

------
protomyth
_Support for X550 family of 10 Gigabit Ethernet based devices has been added
to the ix(4) driver._

This is a big help because now I can put in production the SuperMicro E200-8D
I bought to replace our older gateway.

~~~
justinclift
Cool, hadn't seen those before. They look super nifty. :)

------
crasm
Hey, vmm supports linux guests now.

~~~
dromenkoning
Before you start wiping your other hypervisors, please note that it does not
seem to be mature yet

* [https://marc.info/?l=openbsd-tech&m=149048271705188&w=2](https://marc.info/?l=openbsd-tech&m=149048271705188&w=2)

------
throwawayish
Is there a router/firewall distro or administration tool for OpenBSD that's
recommendable (e.g. like pfsense without all the enterprisey bloat, or like
securityrouter without the licensing stuff)?

~~~
protomyth
What problem are you trying to solve? I use it for a firewall and really only
have a couple of files I back up or change.

~~~
throwawayish
I have a Linux-based router/firewall, but it's all configuration files and
stuff. Something with fancy graphs and statistics would be nice :)

~~~
yellowapple
For what it's worth, PF is a lot easier to work with than iptables. The
configuration files involved (namely: pf.conf) are easy to read/write and
well-documented.
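As an added example that is not from the thread, here is a minimal pf.conf for the two-interface router throwawayish describes, in the style yellowapple is referring to. The interface names, the LAN prefix and the SSH rate limit are assumptions; everything else is standard OpenBSD pf syntax:

```pf
# Added example, not part of the thread. Assumed: em0 faces the ISP, em1
# faces the LAN 192.168.1.0/24, and the router is managed over SSH from the
# LAN only.
ext_if  = "em0"
int_if  = "em1"
lan_net = "192.168.1.0/24"

# Source addresses that must never arrive from the Internet side. Remove
# 192.168.0.0/16 or 100.64.0.0/10 if your ISP hands you such an address.
table <martians> { 0.0.0.0/8 10.0.0.0/8 100.64.0.0/10 127.0.0.0/8 \
                   169.254.0.0/16 172.16.0.0/12 192.0.2.0/24 \
                   192.168.0.0/16 224.0.0.0/3 }
table <bruteforce> persist

set skip on lo
set block-policy drop
set loginterface $ext_if

# Normalise fragments and clamp MSS for PPPoE-style uplinks
match in all scrub (no-df random-id max-mss 1440)

# NAT the LAN behind whatever address $ext_if currently has
match out on $ext_if inet from $lan_net to any nat-to ($ext_if)

# Default deny, logged; then the quick drops that must beat any pass rule
block log all
block in quick on $ext_if from <martians> to any
block in quick from <bruteforce> to any
antispoof quick for { lo $int_if }

# LAN hosts out through the router, and the router's own traffic out
pass in on $int_if inet from $lan_net to any
pass out on $ext_if inet

# SSH to the router from the LAN only; a source opening more than 3
# connections per minute lands in <bruteforce> and loses all its states
pass in on $int_if inet proto tcp from $lan_net to ($int_if) port ssh \
    keep state (max-src-conn-rate 3/60, overload <bruteforce> flush global)
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading it with `pfctl -f /etc/pf.conf`. `pfctl -si` and `pfctl -ss` print the per-interface counters and the state table, which is the raw material a graphing front end would otherwise be showing; `pfctl -t bruteforce -T show` lists who has been locked out.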

------
smhenderson
Nice to see the Hyper-V support in there!

------
elchief
SNI for httpd! Yay

And Postgres 9.6 in packages. Today is a good day

------
Something1234
Do any VPS providers offer an OpenBSD image?

~~~
vasachi
Vultr does. Last time I looked, 6.0.

~~~
radimm
or bring your own ISO

