
Code rot and why I picked OpenBSD - ezequiel-garzon
http://homing-on-code.blogspot.com/2015/01/code-rot-openbsd.html
======
na85
OpenBSD is really great, and it qualitatively _feels_ really solid and
cohesive. Especially compared to Linux which by comparison feels like a bit of
a clusterfuck at times.

But I just can't switch to OpenBSD as a daily driver yet. The big ones for me
are battery life and responsiveness. Unfortunately compared to Debian I get
almost 2 fewer hours on a single charge, and using OpenBSD's power management
functions makes my i7 thinkpad sluggish and laggy. Noticeably longer delays
when starting applications and whatnot.

I'm sure OpenBSD is a great desktop/server OS but IMHO it's just not there yet
for laptops, which is surprising/disappointing to me because I'd always heard
the OpenBSD guys dogfood their stuff heavily.

~~~
gaius
The solution I have used for this for well over a decade is Windows on the
hardware, then a VM, then my OS of choice running full screen on top. The
overhead of even semi-modern virtualisation is pretty low, and you benefit
from power management that has thoroughly matured.

~~~
xtrumanx
I tried that out and noticed minification and bundling of my js code taking
several seconds rather than a couple of milliseconds. Am I doing it wrong or
is that to be expected? I was using Ubuntu in VirtualBox on win8.

~~~
fencepost
Are available hardware virtualization features enabled in the BIOS?

A little digging brings a 9/2014 comparison of virtualization software that
notes VirtualBox as a distant third on performance benchmarks
([http://www.tekrevue.com/parallels-10-fusion-7-virtualbox-ben...](http://www.tekrevue.com/parallels-10-fusion-7-virtualbox-benchmark/13/))
and an Ubuntu thread noting that its performance under VirtualBox leaves much
to be desired
([http://discourse.ubuntu.com/t/virtualbox-or-vmware-for-linux...](http://discourse.ubuntu.com/t/virtualbox-or-vmware-for-linux-on-windows/1810)).

------
blackhaz
My second development laptop runs FreeBSD - switched away from Debian in 2012.
I wanted to try OpenBSD, however the amount of labor required to simply
upgrade the system (Google "openbsd upgrading") outweighed all benefits for me
at the current point. Also, FreeBSD has pkg, which is a neat binary package
manager - which is important on a desktop/laptop - and it looks like OpenBSD
still uses the old, manual pkg_add way. Maybe I'll try it on the third laptop,
curiosity grows bigger every day for sure.

~~~
clarry
> I wanted to try OpenBSD, however the amount of labor required to simply
> upgrade the system (Google "openbsd upgrading") outweighed all benefits for
> me at the current point.

Are you sure you understood the documentation? Most upgrades are done in ten
minutes, and it's mostly an automated process (the package updates are limited
by your bandwidth of course). Every once in a while something on the system is
changed or removed, and the upgrade guide tells you how to deal with that --
unlike on many other systems, where you upgrade and then find out things have
changed and broken and you have no idea what needs to be fixed.

~~~
blackhaz
Hmm.. Let's take this FAQ, for example:
[http://www.openbsd.org/faq/upgrade56.html](http://www.openbsd.org/faq/upgrade56.html)

To me this looks more "manual" than FreeBSD's freebsd-update. Additionally, if
there's no tool like pkg then upgrading all the user land packages will be
quite an undertaking. A typical desktop/development environment may have about
a thousand of them installed. On FreeBSD, I can do pkg upgrade, and it will
take care of all dependencies pretty much automatically. Is there something
similar available on OpenBSD?

~~~
clarry
Look very carefully. 99% of what happens in the upgrade happens under the
title "Upgrading by install kernel". Literally, you just boot bsd.rd, smash
return a few times, reboot, and you're done.

After that you're into the "final steps" territory. Which means running
sysmerge to merge changes in config files. It's not called openbsd-update, but
freebsd-update requires you to do the same thing.

Typically the only "manual" part is removing some files and users no longer
needed by the new release. Now 5.6 has lots of these files, but it's not
really representative -- most releases have a _much_ shorter list of file
removals. In any case, there are very good reasons for the system _not_ to do
this automatically for you. And, in any case, if you know you haven't done
anything unusual so as to depend on these files, you can get away with copy
pasting these instructions.

At this point you update your packages with pkg_add -u. Just as you would have
to on freebsd...

~~~
feld
> Literally, you just boot bsd.rd, smash return a few times, reboot, and
> you're done.

No, you're not done. You've merely dropped a new OS onto an old OS. It's now
an exercise to the user to figure out how to remove all the files leftover
from the old OpenBSD release. Leaving older libraries around is dangerous as
programs could link against them long after they've been retired potentially
exposing you to vulnerabilities that you didn't think you were exposed to
anymore.

The correct way to upgrade OpenBSD is to do a clean install. Hopefully someday
they'll support a tool like "freebsd-update" which handles all of this for the
user.

~~~
tedunangst
Removing files is included for completeness (because people kept asking for
it), but it's hardly necessary. Just glancing at the list reveals half the
files are old man pages; there's little harm in retaining them. Even libraries
aren't a problem; the linker won't use old versions.

~~~
feld
If you're custom building any software you could end up making a mistake
though. Not everything a user may want to use is in packages/ports. I end up
building several things manually because they're not in ports.

But you're right, removing files is documented.

------
fubarred
Code rot: LOL and amen. I had to (help) make a nuclear reactor simulator work
on Win32. 30+ megalines of Fortran developed by mostly nuclear engrs over
three decades. Thankfully it worked in reasonable time by disabling swapping.

------
bootload
_"... At my previous job I worked with a 2 mln LoC code base for a core
banking system. ... Imagine working with a code-base, that's layer upon layer
of quick fixes. Imagine being woken up at 3 am to diagnose & resolve an issue
with it. ... The company wasn't really affected by heartbleed. ..."

AND

"... OpenSSL code base, counting how much resources are needed to plumb it
into shape, how the original maintainers - let's not go there. Let's say
'didn't do a great job'. ..."_

Does anyone see the disconnect here?

~~~
mulander
I'm the author of the article. Can you elaborate more clearly on what you are
pointing out?

~~~
bootload
Hi @mulander, this is a good read (quickly went thru your other posts as
well).

The point I wanted to make was the bank code base described in the article
reads like it's insecure (no mention of it being exploited). The article then
describes using Unix variants at home, [0] though not which one. I assume
Linux. Usable, permissive and open, Linux has always been inherently insecure.
Then the article goes on to describe finding of OpenBSD, post Heartbleed.

The question I asked myself: _"How does a smart capable person as yourself,
miss security being the heart of the operating system and programming while
working on core bank systems?"_ Is this atypical? That's the crux of what
struck me. The dis-joint between the description of what represents a secure,
large code base and the personal move to OpenBSD.

From what I understand OpenBSD, a bastard child of 386BSD [1], was a deliberate
move to build a secure and audited and most importantly free operating system.
This is such a contrast to the cruft described in the article. Maybe that's
the point of the article, a growing awareness that a fast moving code-base
left unchecked comes at a cost. It has to change and it can be done.

[0] I fully endorse this btw. A linux user since '95, I love how I could use
lots of different hardware with it. Linux is also fast. Fast to use, fast to
install software. Fast. Secure it is not. I got sick of trying to secure my
boxes and started using OpenBSD. Read about my pathetic attempts to install it
on old hardware
[http://monkey.org/openbsd/archive/misc/0310/msg01026.html](http://monkey.org/openbsd/archive/misc/0310/msg01026.html)

[1] P57, Torvalds & Diamond, 'Just for Fun', "One BSD derivation in particular
is worth mentioning. It was the 386BSD project by Bill Jolitz based on the BSD
code-base, distributed over the Internet. It was later to fragment and become
the freely available BSD flavors - NetBSD, FreeBSD, and OpenBSD".

~~~
mulander
Hi @bootload, I deeply appreciate your response. It's sometimes hard to read
between the lines as English is not my native language.

I'll try to put some more light and perspective into how my previous work
place 'ticked' and how I intended to outline my passage to OpenBSD in the
article.

My previous workplace was a large corporation. I was literally on the clock
accounting for every 0.25h of work I did. You were not allowed to touch a
single line of code unless you had billed hours against that task (contract
with a client, bug report from a client). This literally meant that doing
comprehensive code reviews or reworking a particularly nasty part of the code
was not possible. There was a 'process' for doing code reviews but it was so
bureaucratic that going through the paperwork you had to submit after one
took 0.5h-2h, but the time you had for a code review was counted as a
percentage of the time it took someone to produce or alter the code. So if you
reviewed a change that took 1h - you had 10 minutes to do the code review and
all the allotted paperwork.

I don't want to speak about the quality of the code base in detail due to
obvious reasons but I can assure you that people working on it are really
experienced and know what they are doing. Most of the problems and the
humongous technical debt is years of corporate culture. Did I mention that the
banking system I worked on was born around 15 years ago?

During my 7 years at that job, I had the chance to refactor code once: in my
first 3 months of working there, since I was not yet on the 'clock'. When I was
in my leaving period I was given a free hand and was taken off the clock again.
This allowed me to really look at the code, analyze potential problems and
actually react on them. People that are still working on it don't have that
privilege on a daily basis.

The stab at Linux was actually accidental :) I have used Linux personally since
the late 90s. What I mostly pointed out was some of my bad hardware choices in the
passage and how OpenBSD drives me more into actually diving into the code
contrasted to all the years I solely used Linux.

You are correct that my 'evolution' towards tighter, smaller and correct
implementations drew me towards OpenBSD. I think I had that feeling for a long
time but hopefully you understand that it's not always in the hands of the
programmer himself to call the shots and do things right. What I really loved
though was auditing and removing a ton of cruft in one code base while OpenBSD
did the same with LibreSSL :)

Hope this answers your question.

~~~
bootload
@mulander

_"... I was literally on the clock accounting for every 0.25h of work I did.
..."_

That is a revelation. Please follow with more articles like this.

I like to think the development of software as something akin to making music.
If startups are Punk, big business is Pop. Manufactured Pop. It makes a lot of
money and does the job, but at its core the product sounds crap and devoid of
time for creativity.

There was one guy who was a natural at playing guitar, a born player. He
started in school and went on to be a top session player for a commercial
company in the UK. It got to the point where he would turn up and be handed a
folder of music and would have to play it on the spot, no practice, just play.

At that point he realised he was just a highly skilled session player,
churning out _muzac_. He quit. That man was Jimmy Page who went on to play in
Led Zeppelin.

Understanding how these musicians/programmers make the choices and tradeoffs
to create, be it commercial _muzac_ or punk rock, hearing about this tradecraft
is good value.

------
Scarbutt
Is the performance of the JVM/PostgreSQL/NGINX on OpenBSD the same as on
Linux? Are there any reliable OpenBSD VPS providers?

~~~
toyg
I'm using Vultr.com but I installed as "Custom ISO" since they didn't have a
5.6 option at the time.

~~~
devicenull
The main reason why it's not an official image is OpenBSD doesn't seem to
support any sort of online disk resizing.

Operating systems get deployed from an image, and typically expand their own
partitions to fill up the disk... OpenBSD can't do this, which makes things
pretty tricky.

------
MBCook
The article advises paying attention to the mailing lists.

Is there a LWN style product covering OpenBSD (possibly with free/net as
well?)

~~~
clarry
Not exactly LWN, but you can find a good sum-up of interesting
news/changes/discussions concerning all the BSDs here:
[http://www.dragonflydigest.com/](http://www.dragonflydigest.com/)

I also watch tedu's blog
([http://www.tedunangst.com/flak/](http://www.tedunangst.com/flak/)) and the
OpenBSD tag on lobsters.

~~~
protomyth
For [http://www.dragonflydigest.com](http://www.dragonflydigest.com) I find
the "Lazy Reading" articles to be some really great pointers to all types of
cool articles. The "In Other BSDs" is a great survey of the BSD news
highlights.

For general news, undeadly is in my rss feeds. I also like the BSD Now and
bsdtalk podcasts. BSD Now is from two folks from PC-BSD and FreeBSD, but
covers the other BSDs as well.

~~~
stefeneh
BSD Now is from three people, the third of which seems to be more of an
OpenBSD person. That balances the news out a little more I suspect.

~~~
protomyth
They do a pretty good job, although the interview with the FreeBSD security
person who didn't want to get contaminated by the OpenBSD code was painful. I
really wish they had challenged that statement.

------
pakled_engineer
avoid nvidia if switching to OpenBSD, you miss out on dropping all X privs
[http://undeadly.org/cgi?action=article&sid=20140223112426&mo...](http://undeadly.org/cgi?action=article&sid=20140223112426&mode=expanded)

~~~
yellowapple
Not to mention that Nvidia cards don't play nicely with non-Linux (or OSX)
Unixen in general.

------
serve_yay
Everybody is piling garbage on top of garbage, then taking the money and
running. Don't be the schmuck who chooses to die on some godforsaken hill to
make a point about software quality. When it starts to smell, move on. Is this
world suboptimal? Yes, it is.

~~~
marktangotango
I worked at a place like that once. The application was the definition of lava
layers. It was my second gig so I hustled, got up to speed fast, and really
impressed my boss. Found the exact same situation, crap on crap, features that
never worked, features that were sold but never implemented, hand rolled
transaction framework, a real pile of sh*t. At a year I went out and lined up
another job then gave notice.

Long story short, and against my better judgement I stayed, for a 50% raise
and a promotion.

------
ams6110
I love OpenBSD and I use it as my desktop OS at work and at home. But there
are a couple of inaccuracies in this piece.

 _In OpenBSD you are encouraged to run current._

What they actually say[1] is:

      The name -stable refers ONLY to the API and
      operations of OpenBSD not changing, not the
      overall reliability of the system. In fact,
      if things go as desired, the -current flavor
      of OpenBSD, on its way to becoming the next
      -release, will be an improvement in reliability,
      security and overall quality over the previous
      -release and -stable.

What is implied is that sometimes things don't go as desired; -current
sometimes has issues. They are almost always quickly fixed, but if you depend
on as near as possible certainty that an update won't break anything, you
should run -stable.

 _If OpenBSD states that something is configured then it works and will remain
working flawlessly or will only get better over time._

Not guaranteed. I remember somewhere in the 4.x series my NIC driver was
removed from the release build. I updated, and suddenly had no network access.
My fault for not reading the release notes, but they don't always support
old/obscure hardware forever. More recently, support for some older Microsoft
VPN protocols was removed. It was because they were insecure, but this changed
the way I had to interoperate with one of my client's internal networks.

[1]: [http://www.openbsd.org/stable.html](http://www.openbsd.org/stable.html)

------
yellowapple
I've been using OpenBSD for about a year now. It's still not _quite_ my daily
driver (it's running on one of my three main workstations - a PowerBook G4 -
but not on my desktop or my other laptop, both of which are still running
GNU/Linux - Slackware and openSUSE, specifically and respectively), but it's
certainly the OS of choice for my servers.

OpenBSD appealed to me as a Linux user for the same reasons why Linux appealed
to me as a Windows user. I was tired of bugginess, and just wanted things to
work. Unfortunately, I still have the same obstacles migrating to it from
Linux as I had migrating to Linux from Windows - namely, hardware support and
gaming - that keep it from being my dream OS; however, it's still the OS I
like to use when I need to get real work done (just as GNU/Linux was the OS I
liked to use when I needed to get work done, back when I was still a
Linux/Windows dual-booter so many years ago).

Even with those shortcomings, my PowerBook G4 is currently my favorite
machine. There are some kinks, to be sure (power management is non-op, so I
can't put the laptop to sleep), but with OpenBSD and WindowMaker, it's pretty
rock-solid despite its age.

The nice thing about OpenBSD is that the devs aren't afraid of breaking
backwards-compatibility if needed. They've already solved the 2038 problem as
of 5.5, for example; with Linux's policies on backwards-compatibility, that'll
be a nightmare to fix on 32-bit Linux systems (and even other BSDs, if I
understand correctly). To me, that's awesome; I'll take a minor flag day to
clean-reinstall my servers _now_ over a major flag day to hack together some
kind of band-aid "fix" _later_ any day, and it's nice to know that, should I
set up a server right now, it won't spontaneously vomit all over itself in 20
years or so due to it suddenly thinking it's 1970 again.

------
emidln

        Lesson 1 sources on the hdd
        This might sound simple but in a long time I didn't feel so connected
        to my OS. Having the sources for every piece of software I use around
        made things really different. How? I'm actually looking at them

I've taken to keeping a ~/code on my machines after experiencing the same
thing with a BSD. It has been life-altering to be able to search
implementation details with a simple :grep in my editor. I typically keep a
copy of OpenBSD sources, along with major libraries for my current target OS
and my dev toolchain (clojure/python(pypy)/clang) around to reference due to
this. OpenBSD sources are kept around because it's cleaner to reference when
I'm simply studying how something might be accomplished (as opposed to loading
up glibc or the linux kernel if I need an implementation detail).

------
Quequau
I've used OpenBSD for years in my router. Something that has given me a bit of
pause recently, is that with all the various espionage revelations coming out
in the past 14-16 months, I had expected the OpenBSD crowd to be out in force
talking up the operating system but they've been surprisingly subdued. Just
makes me wonder...

~~~
glass-
> I had expected the OpenBSD crowd to be out in force talking up the operating
> system but they've been surprisingly subdued

The OpenBSD motto is "shut up and hack". Look at the work that is being done
recently with libressl, openssh, the new httpd, signify, static PIE, xorg
privilege separation etc. etc.

They're letting the code do the talking.

~~~
Quequau
I don't think that the OpenBSD crowd's response to the OpenSSH vulnerabilities
is an example of some motto of "shut up and hack" at all. In fact, I find
their response to demonstrate the difference in reactions that got my
attention.

Heartbleed provoked substantial discussion as well as the LibreSSL project.

~~~
yellowapple
If by "OpenSSH" you actually meant "OpenSSL" (I'm a seasoned sysadmin and I
still get those mixed up in conversation, so don't worry), then yes, the
crowd's response was _certainly_ an example of "shut up and hack": the OpenBSD
devs wrote libressl to replace it, cutting out as much of the insecure cruft
as they physically could.

------
howeyc
I'm curious about the mention of shopping with a bootable usb stick. Has
anyone else tried this? Where can you do such a thing? I'd be afraid of
salesmen thinking I was "hacking" or something.

~~~
dedward
Explain what you are doing and why; if they don't want to let you try it, then
you aren't interested in buying it. It's understandable that, out of
ignorance, they aren't comfortable letting you do that... it's equally
understandable that you wouldn't pay thousands of dollars for something you
can't even play with for a few minutes in the store first.

------
Macha
> I gave my 3 month leave notice to my employer at the end of March 2014.

3 months? That sounds excessive. How much would your employer have been
required to give you if they decided to let you go?

~~~
atsaloli
I left a job after 8 years. It took 3 months to do a thorough knowledge
transfer (documentation and training).

It's a business-critical system so as a professional, I wanted to ensure my
replacement's (and my former team's) success.

I left on very good terms.

