Hacker News new | past | comments | ask | show | jobs | submit login
Why OpenBSD Rocks (why-openbsd.rocks)
163 points by ProfDreamer 18 days ago | hide | past | web | favorite | 105 comments

I can confirm that acme-client so far is the only sane client I've seen. No nonsense of multi-megabyte downloads of endless Python scripts or esoteric bash scripts. Just good old C tool as it should be. Every *nix should use it by default.

I am not a big fan of C, but those Python/JavaScript based GUIs that fade to black at every button click really make me miss the days when all GUI tooling in UNIX was written in C.

I totally respect OpenBSD and their commitment to security and stability. However, the thing holding me back is that they've dropped some features over the years that I relied on.

I used OpenBSD on a netbook and it was awesome. But I really needed 32-bit Linux binary compatibility, and I was also one of the 3 people who used bluetooth. Both of these features were removed entirely. I wish there was a way I could "live dangerously" and have access to them again. I would love to have access to bluetooth based serial terminals, and use my favorite keyboard.

Why does file(1)[1] need its own chroot sandbox instead of using the pledge(2)[2] facility. They say:

> Think of the following: You download a random file from the internet and analyze it using file. If file has a security hole (local code execution for example), he can run attacks with his prepared file. Thats why the file utility is sandboxed and chrooted by default.

Isn't that exactly the sort of case where file(1) would open(2) the downloaded file and its own database, and then proceed to drop all other access privileges before doing any of the parsing of the untrusted file?

1. https://why-openbsd.rocks/fact/file/

2. https://why-openbsd.rocks/fact/pledge/

> Why does file(1)[1] need its own chroot sandbox instead of using the pledge(2)[2] facility.

It does use pledge(2) these days, those references are to how file(1) was sandboxed before. Why the author has linked to that I don't know.

Yeah, on closer inspection their page describing the sandbox links to the CVS commit where the sandbox implementation was deleted in favor of tame(2), the predecessor of pledge(2).

I was actually playing with OpenBSD while stuck with the flu.

The good:

* ifconfig handling everything is brilliant. Having one tool to do networking, including WiFi(!) is great.

* the documentation is good. `man -k` normally gets you what you need.

* "base builds base" is pretty cool. I managed to rebuild base on a 1GHz single core BeagleBone Black in 48hrs.

the bad:

* Performance. I didn't think this would be a huge issue, however it's much slower than Trisquel, Parabola and GuixSD running GNOME on a x200. WiFi also seemed slow.

* IPv6 seemingly didn't work, even when verifying my ifconfig setup.

* Filesystem. I don't expect them to add ZFS due to code size and license, but still using UFS is laughable. UFS seemed to have I/O deficiencies which exacerbated the performance issue.

* the other documentation. While the manpages are good, information on the internet can be contradictory depending on it's age.

* No lsblk. This is more of a nitpick, but there is seemingly no way to get the right name for a disk without parsing through `dmesg` and guessing with partition number.

* pkg_add. It's extremely slow compared to apt even and separates it's parts out for seemingly no reason. Package management in general is somewhat awful.

I wonder though, if they don't have the manpower to optimize for desktop usages, why don't they stick to server only?

I've tried to use it on a server some months ago (trying out OpenBSD every few years because I do like the philosophy) but things behaved odd and slow, so I just used FreeBSD and problems disappeared.

I'd like to see a completely server focused one instead of trying to do it all and keep issues hanging loose.

Because they believe in dogfooding their software. So developers run it on their desktops, as well as on their servers.

>UFS seemed to have I/O deficiencies which exacerbated the performance issue.

Turning on soft dependencies can help:

* https://www.openbsd.org/faq/faq14.html#SoftUpdates

IPv6 works. One of my WWW site's servers is an OpenBSD system, quite happily serving it up over IPv6.

Since SystemD has become so prevalent in Linux, I've been looking longingly at BSD. The only problem is that I have a large number of machines that I'd need to move over, and it's a pretty intimidating amount of work. But I'm planning on beginning the move, one system at a time...

> Since SystemD has become so prevalent in Linux, I've been looking longingly at BSD.

After ~20 years of using Debian, I switched my desktop PC to OpenBSD about a year ago due to concerns about the direction Linux has taken (eg. systemd).

It was easier to set up the kind of minimalist desktop I like than on Debian, where I have to change a lot of defaults (eg. switching to sysvinit). The package manager is great, and there are ~10k packages available for 6.4. I'm now looking at switching my server to OpenBSD. I'm keeping some dedicated audio workstations on Linux for now (need the raw performance and drivers), but my impression of OpenBSD so far has been very good.

OpenBSD caveats: Video and audio can be a little glitchy. Releases are only supported for one year. ABI can change between releases. There's no filesystem journal. The only non-BSD filestems supported are msdos and ext2fs (and read/write speeds on those are slow).

> There's no filesystem journal

That's one that has been sticking out to me lately. Both NetBSD and OpenBSD, as much as I like them, lack a modern filesystem..

This is true if by modern filesystem you're thinking something comparable to ZFS.

On the other hand, if it's the lack of journaling that's a turn-off, seriously consider soft updates (softdep). Despite being seemingly an evolutionary dead end due to implementation complexity demands (basically, it's only feasible to implement at the level where it's possible to diagram out implied dependencies between all primitive operations), it is still in some respects superior to the journaling approach.

In any case, I find that, from reading the design, it feels more elegant and fundamentally right.


It impresses me that the hate for systemd persists even after so much time has passed. I thought it was just inertia.

I see systemd as a framework to define and control services that is much more robust than the old system that relied on scripting conventions. Why the hate? What's people's ideal here?

I am a newcomer to hating systemd. At first I was indifferent, an init system cannot be so bad after all.

Fuck that. In the last two years, they have changed at least three times the way that the option to delete the /tmp dir is specified. I understood the configuration, edited it so that it did not delete the /tmp dir automatically; and then, upon an innocent update the old config is overridden and the /tmp dir is magically cleaned! This is infuriating. I have never felt actual, physical, rage against any software in 25 years of using computers. That is, until I met systemd!

I do not really care whether the init system is written in C or scripts. But please, allow me to follow a simple logic. Scripts maybe are not very elegant, but I can follow the init process end-to-end and understand where it does that. I have honestly tried to do that with systemd and it is impossible. And I am quite proficient in reading C code and bash scripts. I have a lot of patience and I am willing to spend a few hours of my free time to understand how a program is configured, by reading code if necessary. But this stuff is just batshit crazy.

I can hear in my mind the smug voices of systemd developers saying "but why do you even want to not delete the tmp files". That's not the fucking point motherfuckers! I just want to control my computer.

A systemd conceptually is quite a good idea. However systemd is not that systemd. Much rather go with rc.conf + script approach, disable all systemd services, lock selinux against systemd socket activations and run a purpose controlled environment. Avoiding systemd does force one to not use Linux as a desktop..oh well.

> Avoiding systemd does force one to not use Linux as a desktop

Why do you say that? You can even use gnome without systemd, but there are still other desktops.

I have't looked at it rcently but the last time I checked systemd was the 'nice to have' that was mandatory for some of the software I associate with a fully fuctional desktop which is not just a WM, DE (or not) and basic applications like xterm , vim, etc...But you are right. You can run the linux desktop like its 2007 without systemd on select distributions without screwing around too much...of course don't add new software without researching dependencies and default build options or you may end up with the worst of systemd dependencies anyway. At that point I just run KDE on FreeBSD.

The big problem with relying on scripting conventions isn't the scripting; it's the lack of a solid foundation to build those scripts from, requiring each script to separately implement service management, probably by copy-paste. What systemd gets right on that front is that you do need a daemon, preferably rooted in init, to spawn services so that they run in a clean, consistent environment.

Beyond that, systemd's extensive scope creep makes the system less robust and more complex than it could be, compared to predecessors which some of us have been working with over a decade, such as the daemontools family (runit, s6, nosh &c.) of supervision systems.

On the off-chance you're somehow unaware and are running Debian: with Devuan it's almost just a repository change and an "apt-get dist-upgrade" away (depending on which release you are upgrading from a few manual actions, which are documented, might be required).

Yes, thank you. I run Debian and am well aware of Devuan (I'm running it on two machines right now).

However, I have doubts about Devuan as a long-term solution, and it's a long-term solution that I'm seeking.

I had the same concerns and held off until Wheezy LTS ran out.

I had some reservations about what seemed to be an "angry" fork and its longevity, but so far, Devuan's been up to date, and last I heard most of the acrimony has dissipated up to the point where Devuan was about to get involved in the sysvinit maintenance of Debian itself.

So I don't know about the real long-term, but it appears they are serious about producing and keeping up a distribution.

Gentoo. Going on 2 decades.

Systemd is indeed prevalent, but you can very well use linux without it (and it is much better!)

I use daily two fine linux distributions that do not have systemd: void and slackware. It is a real pleasure to run htop and see that all the running processes do not even fill a 25-line terminal.

A large majority of enterprise shops won't steer away from Ubuntu, Arch, SuSE or Red-Hat, so...

Take a look at GhostBSD while you're at it. I wouldn't recommend OpenBSD for normal day-to-day usage....

There are several BSDs that it is worth looking at, beyond looking at only one. TrueOS, DragonFly BSD, MirOS BSD, GhostBSD, MidnightBSD, NetBSD, FreeBSD.

I hadn't heard of GhostBSD. I'll have to set up a test system for that, too. Thanks!

I installed Debian on a virtual machine the other day and, frankly, it felt a lot like using Solaris: a weird init system paired with unintuitive commands for manipulating network interfaces. All that said, it worked well in my testing, and I would use when hardware or software compatibility demanded it.

gentoo has openrc

Anything that matters for us runs either on OpenBSD or behind it. almost 20 years now. Zero fucks given. Theo is the type of dev manager I want for my projects.(aggressive, opinionated, solid)

I like openbsd and have used it happily for a long time, but it's not fair to list sysmerge and syspatch as selling points. If we are being honest, other systems have long had more automatic upgrade procedures and these two tools are essentially minimalist ways of solving the problems with the old way.

Nice list. They may want to take Spectre off the list, however. It seems only hardware fixes actually work: https://arxiv.org/pdf/1902.05178.pdf

Signify sounds great. It has been ported to Linux: https://github.com/Blitznote/signify

I found OpenBSD to be pretty amazing, and after trying it now and then I finally loaded it onto my x220 to use it daily. Things worked fine, but I realized the battery life was poor (even using the functionality, I think in tpm, which regulates the clock speed to be slower) and support for what I began to need (like the Eclipse IDE) was shoddy. Unlike many others, I don't have much to say about the documentation, but that's also an endorsement for the system itself - I didn't need to access it more than once or twice.

Support for other file systems, which is a part of life for me, was pretty lacking; for me, ext4 write support and fat32 read/write isn't essential but would have been enough to stop me from moving back to GNU/Linux.

In the end, it looks like a great system but it just didn't fit my needs, just as, for instance, NixOS (and Guix) didn't fit my needs when I wanted a custom XKB layout.

Haven't tried a custom layout myself (only xkbOptions), but it should be fairly straightforward to use a custom xkb layout with NixOS: https://nixos.wiki/wiki/Keyboard_Layout_Customization

The points aren't OpenBSD specific though:

* ASLR - every modern OS has some form of this.

* FDE - there are reasons (IIRC) FDE is better at FS level than block so this is sort of a negative.

* LibreSSL - OpenSSL API is still a tire fire.

* PIE - Possible on IIRC fbsd, nbsd, linux, etc.

* UTF-8 only libc - there are issues here, such as strcasecmp.

* noexec - IIRC this has been cross OS since the dawn of time (at least early 2000's).

* pledge - pledge is cool, I'm trying to implement something similar using google kafel and a macro that turns `vow(id, kafel_string, flags)` into a compile time bpf filter.

* strlcpy - is sort of junk as it has to iterate over ALL of src so for example strlcpy(d, "superlongstring...", 2) will read all of "superlongstring..."

If you want to use Ubiquiti hardware but not Vyatta, OpenBSD supports the Octeon processor [1]. In particular the edgerouter lite can be swapped to OpenBSD [2] for the cost of the right USB stick [3] and a console cable [4].

Some people find the ERL's performance isn't sufficient to pass packets and also host services such as radius or that the passive heat management on the edgerouter isn't sufficient. In that case Protectli.com [5] makes appliances with monster heat sinks on top and despite running an old ATOM processor can push data at gigabit speeds [6] thanks to onboard Intel NICs.

Finally you can just grab any refurb wintel box, add a couple of Intel NICs and throw away the windows license.

The great thing about OpenBSD is particularly for its typical roles of firewall, load balancer, edge gateway, authentication server, etc it doesn't require much CPU or storage.

I recently rebuilt a laptop with Windows from a USB 3 stick to an Intel M.2 NVME SSD. It took less than 5 minutes to go from booting to install to reboot. OpenBSD's footprint is so small you'll see similar build times particularly when you leave off X Window.

[1] https://www.openbsd.org/octeon.html

[2] https://codeghar.com/blog/openbsd-network-gateway-on-edgerou...

[3] https://www.amazon.com/dp/B013CCTM2E/ref=cm_sw_em_r_mt_dp_U_...

[4] https://www.amazon.com/dp/B01N0LMWGQ/ref=cm_sw_em_r_mt_dp_U_...

[5] https://protectli.com/4-port/

[6] https://tech.mangot.com/blog/2018/11/08/showing-a-gigabit-op...

It does just work (TM). Brightness and volume hotkeys work out of the box, without a desktop environment (even on the console). WiFi, including autojoining, works using a single ifconfig command or configuration file. Suspend/resume works on my laptop without any configuration.

If you’re using it on a laptop, just make sure to use an older, less ultrabook-like machine and you’ll be good.

If you're willing to use old hardware for compatibility, any of the major *nix flavors just work.

True. I was still impressed with how well-thought-out the laptop features were without a desktop environment. I think it would be harder to get the same on Linux without manually configuring the hotkeys and dealing with wpa_supplicant.

What are the desktop GUI environments or window managers available on OpenBSD that are comparable to those on Linux? I see a mention of running X as a user, but nothing more.

What about desktop hardware support? Does it have working drivers for different WiFi chipsets, video cards, trackpad, etc. (referring only to x86 based systems)?

>What are the desktop GUI environments or window managers available on OpenBSD that are comparable to those on Linux?

I'll answer this honestly;

All of the X11 based ones until SystemD and wayland came about are essentially supported or working. Gnome created a hard dependency on systemd and thus can't be used any longer on openbsd.

Wayland (and thus; Sway) is not supported by OpenBSD.

But i3, xmonad, KDE4, XFCE4 and cwm are all running flawlessly and I used them before on OpenBSD myself.

I think even Budgie works, but I've not tried that myself.

> What about desktop hardware support?

Hardware support is obviously up to whatever you have. I can only share my experiences and I had a thinkpad x201. Which was obviously very well supported.

However there is a caveat to that: the drivers were indeed supporting the hardware very well BUT OpenBSD does not support bluetooth in any form (citing the fact that bluetooth is a horrible standard and implementing it simply; has never been done and would be hard/impossible).

WiFi was relegated to 802.11g (not 802.11n despite my hardware supporting it). Support for N was added a couple of years ago (after it had been widely adopted for more than half a decade by other OS's) I wouldn't hold my breath for AC support given that.

> Gnome created a hard dependency on systemd and thus can't be used any longer on openbsd.

This isn't true, OpenBSD has GNOME 3.30.2 in ports. It maintains patches to keep it working for users, who can install it with the meta package: pkg_add gnome

6.4 has 3.28.2 in packages: https://www.openbsd.org/64.html

Antoine Jacoutot is the maintainer.

Oh, Amazing, I stand corrected. Thank you Antione!

Also, perhaps crucially depending what you own and whether you're willing to change it, OpenBSD does not support Nvidia cards. So if you want a desktop with GPU acceleration, you'll need to be using Intel or AMD graphics.

> Wayland (and thus; Sway) is not supported by OpenBSD.

Is this lack of support philosophical or due to prioritization?

I highly doubt it's ideological; OpenBSD does not like X11 for the obvious reasons.

I use FreeBSD. It works fine, and I've configured it to be secure. Is there any reason for me to move over to OpenBSD ? I don't care about minimal or some reasons like that, I already have Alpine linux for that. Any other reason(s) ?

I've used both as desktop systems. I can't really quantify it, but I feel like OpenBSD "feels" better on a laptop or desktop. Maybe because their developers focus more on that as opposed to thinking only of servers? I don't know. Anecdotally, I have had a few systems where wifi or graphics work better, or sooner, on OpenBSD. Sometimes FreeBSD support has appeared later in these cases. (eg. A few years ago, FreeBSD's Intel graphics driver was way behind, but it's since caught up.)

But there are downsides. Upgrading OpenBSD can feel painful to the point where I put it off (though it's getting better). You may have to randomly re-write a config file at upgrade time, or sometimes release-to-release they will remove useful features, like Linux emulation a few years ago. FreeBSD ports and pkg sometimes has stuff that I don't see in OBSD's ports tree.

I think to answer the question you'd need to take a look at what features, hardware support, and ports you need, and how well OpenBSD does or doesn't suit it. Maybe try out OBSD on a USB stick or something and see how you like it.

How many of these items are not also available in a standard Linux configuration?


* LibreSSL (most Linux distros use OpenSSL, YMMV)

* License (GPL, GPL everywhere)

* PID randomization

* Priv sep (for some package managers, for example)

* Swap encryption (probably opt-in, so not default)

* UTF-8 only

* W^X Memory

* autoinstall (though ansible and co. might help)

* base system (it's GNU/Linux after all, not just GNU nor Linux -- some outliers)

* doas(1) (yeah, sudo(1) was made in OpenBSD, but they ditched it)

* pf (http://man.openbsd.org/pf.conf.5)

* pledge

* signify (most distros use GnuPG instead) (though porting it should be a breeze)

* unveil

Unveil, pledge, and co. probably have AppArmor/SELinux counterparts, but adding layer upon layer make the whole thing brittle. Unveil, pledge, etc. are built-into all base utils (see also base system concept)

RETGUARD isn't mentioned, which is curious.

Guess I'll need to submit a merge request.

A more comprehensive list https://www.openbsd.org/innovations.html

I like how they list W^X as an innovation.

1) It's not W^X. W^X implies read-only pages are not possible, and they are.

2) They "invented" that, what 5-10 years after Linux?

> It's not W^X. W^X implies read-only pages are not possible, and they are.

What? W^X implies that Write and Execute or mutually exclusive, can't have both active at the same time.

> They "invented" that, what 5-10 years after Linux?

It's not so much that they "invented" it, but that they're much more diligent about making sure all the base system and ports use it. It's enforced that unless your file-system is mounted with "wxallowed" then any process that tries to mark a page both writeable and executable will fail.

> What? W^X implies that Write and Execute or mutually exclusive,

The truth table for XOR also says that "neither write nor execute" is impossible.

> It's not so much that they "invented" it, but that they're much more diligent about making sure all the base system and ports use

They've definitely taken it further, and turned on by default and all that, which is great.

However they did at the time say that they both invented it, and that it couldn't be done on x86. Of course grsec had been doing it, including on x86, for many years. Theo's defense of why they've not done things Linux has done is that they're not interested in Linux, and don't look at it. Which is an interesting way to assure you're "state of the art"; don't look at what others are doing.

So both at the time and now they say they "invented" it.

Later of course they "invented" how to do it on x86, too.

Note it says W^X since release 3.3. That was in May 2003. Nearly 16 years ago.

When OpenBSD was preaching about W^X and things like -fstack-protector, they really were novel ideas and Linux hadn't yet picked them up.

That's just not true.

By default in an OS distribution, yes I do believe so. But by the time OpenBSD introduced it I'd been running it on Linux for years.

I'm not wet behind the ears, here. I've been running OpenBSD since 2.1.

The innovation is using W^X systemwide, which is harder than having W^X support in kernel, and system that does not fully take advantage of it. And W^X is definitely a catchier name than ~(W&X) :-)

It's catchy, yes. But it's still technically wrong.

I don't dispute that OpenBSD pushed execution prevention (and many other things) in the default OS system wide. But it's pretty dishonest to say that they "invented" it. Which they explicitly did at the time, and that the article does now.

> It's not W^X. W^X implies read-only pages are not possible, and they are

What? That doesn't seem implied to me-- just means a page can't be w and x at the same time.

Technical interpretation of the name would indeed exclude it: if W=false, and X=false, then W^X does not hold (W^X also evaluates to false).

No. As far as I know, OpenBSD was the first OS with W^X enabled, followed by Windows.

That's an extremely narrow definition of the word "invent".

They adapted it to OpenBSD and I do credit them for doing great work being the first to do it by default in a vanilla OS install, sure.

Which Linux distributions use W^X system-wide?

What exactly are you saying they "invented"?

Wow! OpenBSD _security_ rocks!

I really, really want to use OpenBSD. I love everything they make. The one thing that keeps me on FreeBSD/Linux is ZFS support.

I really want to use OpenBSD too, the only thing keeping me on FreeBSD is proprietary Nvidia support.

I wanted to install and try OpenBSD on my Librebooted Thinkpad T60, but unfortunately it is not possible to use full disk encryption with a non-custom Libreboot rom (you apparently need SeaBios instead of Grub2 for this to work). I find it quite sad, because I think Libreboot + OpenBSD would be the ultimate security and privacy-focused combo.

Let's hope they support RISC-V

sndiod is pretty nice...

Dead simple. Fixed latency that you set when you run the sound daemon. Same API with the sound daemon in or out. You can yank it out and the programs get to use the same interface for both audio and mixer. So nothing like the pointless ALSA mixing interface laying around when you run pulseaudio. It all works transparently.

> Xserver without root permissions

There must have been a regression. There still was lingering suid root binaries that OpenBSD got bit by recently.

I mean, it was security fix #1 for release 6.4: https://www.openbsd.org/errata64.html

AFAIK that suid binary was used to enable starting the X server without a display manager. It still actually ran as non-root.

It was setuid root but dropped privilege, but the dropping privilege came after parsing the command arguments and doing initialization, so there was a small time window while it still runs as root and in that time it could be tricked into overriding any file.

OpenBGPD is missing from the list. It's a great piece of software.

Many of the items on this list seem to be some variation of "random place in memory so attackers can't guess"

It sounds nice, but can someone explain if there are any downsides?

software written in other environments may fail due to assumptions of non randomness, and so need patching to work on openbsd.

on the upside, these changes often improve overall security of the code and are merged upstream so those using other OS's benefit.

Slightly slower? Mechanical hard drive boot times aren’t the best, but they’re quite acceptable with an SSD. For my desktop use, OpenBSD seems plenty fast.

I think you're confusing topics, randomized address space != random disk reads.

Edit: To answer GP's question, you're probably already incurring a cache miss if you're pointer chasing so in most cases there should be no effect on performance.

No, OpenBSD randomizes symbols on kernel and some libraries (for example libc). This randomization is done on boot.

From https://www.openbsd.org/innovations.html:

> Library order randomization: In rc(8), re-link libc.so, libcrypto, and ld.so on startup, placing the objects in a random order. Theo de Raadt and Robert Peichaer, May 2016, enabled by default since OpenBSD 6.0 and 6.2.


> Kernel relinking at boot: the .o files of the kernel are relinked in random order from a link-kit, before every reboot. This provides substantial interior randomization in the kernel's text and data segments for layout and relative branches/calls. Basically a unique address space for each kernel boot, similar to the userland fork+exec model described above but for the kernel. Theo de Raadt, June 2017.

How is NVidia GPU support on OpenBSD? Will OpenBSD run GPU-accelerated TensorFlow or Torch?

OpenBSD is written by OpenBSD devs for OpenBSD devs. Generally, if you're the only dev who wants it then it's up to you to do it. If you let it go stale then there's a good chance it'll be removed.

How is OpenBSD performance these days?

Plenty serviceable as a desktop. That said, I run pretty lightweight software. As with most OSs, an SSD is recommended. I made sure to pick out hardware knowing it would be compatible; that might be the bigger issue.

If your operating system needs an SSD than you need a better operating system.

It runs on Luna-88k and people use it.

>If you install a library, there is no split between library and header files. There is no zlib-dev package as an addition to zlib. You get everything at once.

And that's good?

well, it's what happens if you actually install a package from source, and so is congruent with what it really means to 'install <package X>'

seems preferable to accepting arbitrary segmentation of packages into subsets based on some random package maintainers preference..

also, it's not 1993 and having 100kb of headers on my system is not really a big deal.

But at the same time there are modern general purpose systems (Alpine in particular, and Debian when it comes to GNU documentation) that wouldn't even install documentation together with software. Priorities seem to vary quite a bit.

That's a red herring. Debian's problems with such documentation were largely the licences that it comes under, often requiring doco to be separately packaged so that it could be placed in the "non-free" section. It is not omitted by default because it is doco. It is omitted by default because the Debian people do not classify it as free content.


my point is this is the package maintainer interjecting their own notions of what a package is into what is actually provided by the upstream source. the only 'package X' that is 'correct' w/r/t original author is the one that provides exactly what the source based install provides, anything else is maintainer bias. (which isn't inherently bad; just providing a counterpoint as above claim was questioning)

> And that's good?

I don't know about good or bad, but for people like me, it's certainly convenient.

There indeed are some points in the list that don't seem good or bad, but rather somewhat unusual. And even some that seem usual, as mentioned in another comment here. Probably a more suitalbe title would be "an OpenBSD outline".

Last time I tried the full disk encyrption [sic] it was an awful setup compared to Linux.

> https://why-openbsd.rocks/fact/meltdown-spectre/

Uh, yeah. They did that, just like Linux did before them. I especially like the reply to the announcement that was "uh… I hope you didn't spend these two months coming up with that solution. We already did that for Linux, so you could have just asked".

> They did that, just like Linux did before them. I especially like the reply to the announcement that was "uh… I hope you didn't spend these two months coming up with that solution. We already did that for Linux, so you could have just asked".

Linux developers were told about meltdown/spectre right away, but OpenBSD wasn't told until the end of the embargo over two months later.


I think you misunderstood my whole point.

It appears that OpenBSD chose to spend months starting from scratch researching exactly what needed to be mapped in virtual memory, instead of just confirming the x86/x64 platform needs that were already researched and published by that time.

I'm not talking about the two months (or whatever it was) Linux had as head start. I'm talking about the post-publication ~two months.

Just because the idea is known doesn't make it trivial to implement in a completely different kernel.

I think you misunderstood my whole point.

It appears that OpenBSD chose to spend months starting from scratch researching exactly what needed to be mapped in virtual memory, instead of just confirming the x86/x64 platform needs that were already researched and published by that time.

Now full disk encryption is pretty simple: https://rgz.ee/openbsd/install.html

That's very relative.

Sure, it does look better now, and I'm fine with this setup being a bit annoying since it's a one-time thing.

Applications are open for YC Summer 2019

Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | Legal | Apply to YC | Contact