
OpenBSD 5.2 released - protomyth
http://undeadly.org/cgi?action=article&sid=20121101150347
======
dfc
Actual Release Notes: <http://www.openbsd.org/52.html>

Detailed Changelog: <http://www.openbsd.org/plus52.html>

Lyrics for 5.2 Song "Aquarela do Linux":
<http://www.openbsd.org/lyrics.html#52>

------
webber89
I'm confused about something.

OpenBSD is supposedly one of the most secure OSs in existence. So how is it
possible that I cannot find any digital signatures for the downloadable ISOs?
I've been searching all over Google and the mirrors, but nothing has come up.

One person has suggested to just order a CD set from them, but I don't think
that's a good solution. Having a secure verified copy of an OS should not
require ordering a physical "gold master" set of discs to compare against.

I mean, we have all the necessary crypto, and anyone can use it. Generate a
GPG/PGP signature of the install ISO and that's it, you're done. A lot of
people do it - Debian, Ubuntu, CentOS, all the big names... I mean seriously,
even Arch Linux people do it, and until recently they didn't have package
signing (now they do).

I'm not complaining or criticising OpenBSD, I'm just wondering about their
attitude to this aspect of security. I would be very happy if anyone could
elaborate on the topic.

~~~
papsosouid
>Generate a GPG/PGP signature of the install ISO and that's it, you're done.

And you are getting that signature from the same place you are getting the
binaries you are worried about being tampered with? They don't bother with
security theatre because they aren't interested in being performing artists.

~~~
tptacek
Huh? The signing key isn't kept online, unlike the binaries. You "remember"
OpenBSD's key once, and can detect if someone tries to replace it with a
different key.

You thought you were being witty with this "performing artists" stuff, but
really this is just florid ignorance.

~~~
statictype
I think his point was that many people keep the signature in the same place as
the actual binaries (most directories of builds of OSS I've seen have a
tarball and a corresponding hash in the same listing).

I'll admit I'm probably ignorant about this, but I don't see the point in
that. If someone can compromise the binaries, they can also modify the
signature files that are sitting in the exact same place.

~~~
papsosouid
>I think his point was that many people keep the signature in the same place
as the actual binaries

Basically, except I meant the key not the signature.

~~~
tptacek
You get the key once and its fingerprint is published repeatedly.

~~~
papsosouid
And look at all the linux distros that do that. Oh right, they don't. They
just go "here's our public key" and people download it over ftp from the exact
spot they are getting the binaries, do nothing to verify it, and pretend that
got them security. Hence, theatre. Anyone who would actually do it right
already has the tools to do so, ssh public keys work just like pgp public
keys.

~~~
tptacek
You have no idea what you're talking about. Go troll somewhere else.

------
mrweasel
I love the simplicity and consistency of OpenBSD and everytime Ubuntu changes
things like networking or startup script I want to switch out all our servers.

~~~
protomyth
I have used OpenBSD for our servers for a while. It is super easy to setup
(except for the brief fun of partitioning). I did switch to FreeBSD with ZFS
for our samba server because of the partition size limits on OpenBSD.

~~~
dmm
OpenBSD has had FFS2 since 4.2 in Nov 2007. FFS2 doesn't have any functional
partition size limitations.

~~~
jnazario
i think the comment is about the archaic interface to the disk partitioning
that openbsd uses in the installer. it confuses a lot of people.

(former openbsd user, committer, and book author. no, i don't use it any
more.)

~~~
gnu8
I still don't understand this criticism of OpenBSD. I managed to use the
installer to set up a fully partitioned OpenBSD system circa version 2.7 as a
stoned highschool freshman. I think some people just have trouble using
computer programs that require them to use a keyboard and read the
documentation.

~~~
jnazario
maybe. took me a few minutes but honestly it got in a number of peoples' ways
the first time they saw openbsd's installed way back in the day, and they were
no dummies. this is ~1999 mind you, i have no idea since about 2004 what
openbsd has been like to install.

------
3amOpsGuy
nginx made it into the base install? That's another fairly significant, at
least in my mind, vote of confidence for nginx.

~~~
sarnowski
Nginx now overtakes the default Apache 1 as the new httpd on OpenBSD. In the
process of integrating it, OpenBSD already gave back patches for more security
(like chroot support). I am very excited about that decision.

~~~
Rovanion
Any specific reason why they used Apache 1 instead of Apache 2. I guess the
obvious answer would be security but, in what way?

~~~
chrissnell
OpenBSD has maintained their own hardened fork of Apache 1.x for years. I
think that switching to 2.x would be a monumental effort for them and set them
back quite a ways in terms of security. I think that nginx is a great move for
OpenBSD.

~~~
bonetruck
Last I knew, it was less about the effort, more about the license. And if you
really need/want Apache 2, it's available in the ports tree and as a package.
#> pkg_add apache-httpd

------
throwaway54-762
OpenBSD finally got multi-core threading for userspace programs, huh? Welcome
to 2003[0]. (And people say BSD is still alive.)

[0]: <https://en.wikipedia.org/wiki/Native_POSIX_Thread_Library>

~~~
tobiasu
Lame attempt. Sun shipped M*N and 1:1 threading in Solaris 2.2 (1993). HP-UX
followed in 1997.

You're like a grammar Nazi unable to spell check his own posts.

~~~
tytso
Sure, 1:1 threading is in fact very old technology. Which makes it all the
more astounding that the *BSD's haven't managed to get that technology
implemented in their systems until now.

~~~
tobiasu
FreeBSD, NetBSD, DragonFly and OpenBSD do not share the same kernel...

~~~
throwaway54-762
But they share a common, non-restrictive source license. OpenBSD could have
imported 1:1 threading from FreeBSD, which added it earlier.

~~~
zdw
OpenBSD has a huge anti-NIH sentiment. This can be a good thing, as bringing
in code from others = bringing in their bugs as well.

For example, rather than import the quite huge Intel formulated ACPI stack,
they have one of the only non-Intel, non-Windows one out there.

See also their reimplementations or forks of SSH, NTP, SMTP, BGP, etc. all
done with a security focused mindset.

~~~
throwaway54-762
As a result they also have an 8-year stale (and growing) feature set compared
with Linux or FreeBSD. And bringing in used, tested, and maintained code from
others brings in their bugfixes as well as their bugs.

~~~
TallGuyShort
If you want the new features, use the systems that have them. OpenBSD would
have little point to it if it tried to keep up with the Jones'. It has a
unique focus - that's why it's useful to some people.

------
RexRollman
I wish this was installable on the new Chromebooks. I would LOVE to have
OpenBSD installed on a 3G connected device.

~~~
jrockway
Installing all the GUI stuff from ports is kind of painful and mostly defeats
the security guarantees anyway. OpenBSD is the perfect OS for a router.
Everything else is like trying to put square pegs in round holes.

Use FreeBSD on the desktop if you don't like Linux. But I find Debian to be
the easiest-to-use desktop OS. (Unlike Ubuntu, they don't randomly ruin
everything every 6 months, which is kind of nice. But it still stays up to
date with changes that actually matter.)

~~~
4ad
> Unlike Ubuntu, they don't randomly ruin everything every 6 months, which is
> kind of nice

They ruin everything every 2-3 years instead. Not sure which one is better.

