from Hacker News

Why OpenBSD Rocks

by ProfDreamer on 3/1/19, 1:35 PM with 105 comments

  • by vbezhenar on 3/1/19, 5:00 PM

    I can confirm that acme-client so far is the only sane client I've seen. No nonsense of multi-megabyte downloads of endless Python scripts or esoteric bash scripts. Just good old C tool as it should be. Every *nix should use it by default.

  • by doublepg23 on 3/1/19, 10:23 PM

    I was actually playing with OpenBSD while stuck with the flu.

    The good:

    * ifconfig handling everything is brilliant. Having one tool to do networking, including WiFi(!) is great.

    * the documentation is good. `man -k` normally gets you what you need.

    * "base builds base" is pretty cool. I managed to rebuild base on a 1GHz single core BeagleBone Black in 48hrs.

    the bad:

    * Performance. I didn't think this would be a huge issue, however it's much slower than Trisquel, Parabola and GuixSD running GNOME on a x200. WiFi also seemed slow.

    * IPv6 seemingly didn't work, even when verifying my ifconfig setup.

    * Filesystem. I don't expect them to add ZFS due to code size and license, but still using UFS is laughable. UFS seemed to have I/O deficiencies which exacerbated the performance issue.

    * the other documentation. While the manpages are good, information on the internet can be contradictory depending on it's age.

    * No lsblk. This is more of a nitpick, but there is seemingly no way to get the right name for a disk without parsing through `dmesg` and guessing with partition number.

    * pkg_add. It's extremely slow compared to apt even and separates it's parts out for seemingly no reason. Package management in general is somewhat awful.

  • by apostacy on 3/1/19, 4:02 PM

    I totally respect OpenBSD and their commitment to security and stability. However, the thing holding me back is that they've dropped some features over the years that I relied on.

    I used OpenBSD on a netbook and it was awesome. But I really needed 32-bit Linux binary compatibility, and I was also one of the 3 people who used bluetooth. Both of these features were removed entirely. I wish there was a way I could "live dangerously" and have access to them again. I would love to have access to bluetooth based serial terminals, and use my favorite keyboard.

  • by JohnFen on 3/1/19, 4:29 PM

    Since SystemD has become so prevalent in Linux, I've been looking longingly at BSD. The only problem is that I have a large number of machines that I'd need to move over, and it's a pretty intimidating amount of work. But I'm planning on beginning the move, one system at a time...

  • by avar on 3/1/19, 2:12 PM

    Why does file(1)[1] need its own chroot sandbox instead of using the pledge(2)[2] facility. They say:

    > Think of the following: You download a random file from the internet and analyze it using file. If file has a security hole (local code execution for example), he can run attacks with his prepared file. Thats why the file utility is sandboxed and chrooted by default.

    Isn't that exactly the sort of case where file(1) would open(2) the downloaded file and its own database, and then proceed to drop all other access privileges before doing any of the parsing of the untrusted file?

    1. https://why-openbsd.rocks/fact/file/

    2. https://why-openbsd.rocks/fact/pledge/

  • by teknopurge on 3/1/19, 4:54 PM

    Anything that matters for us runs either on OpenBSD or behind it. almost 20 years now. Zero fucks given. Theo is the type of dev manager I want for my projects.(aggressive, opinionated, solid)

  • by Tepix on 3/1/19, 2:06 PM

    Nice list. They may want to take Spectre off the list, however. It seems only hardware fixes actually work: https://arxiv.org/pdf/1902.05178.pdf

    Signify sounds great. It has been ported to Linux: https://github.com/Blitznote/signify

  • by asveikau on 3/1/19, 3:43 PM

    I like openbsd and have used it happily for a long time, but it's not fair to list sysmerge and syspatch as selling points. If we are being honest, other systems have long had more automatic upgrade procedures and these two tools are essentially minimalist ways of solving the problems with the old way.

  • by claudiawerner on 3/1/19, 2:13 PM

    I found OpenBSD to be pretty amazing, and after trying it now and then I finally loaded it onto my x220 to use it daily. Things worked fine, but I realized the battery life was poor (even using the functionality, I think in tpm, which regulates the clock speed to be slower) and support for what I began to need (like the Eclipse IDE) was shoddy. Unlike many others, I don't have much to say about the documentation, but that's also an endorsement for the system itself - I didn't need to access it more than once or twice.

    Support for other file systems, which is a part of life for me, was pretty lacking; for me, ext4 write support and fat32 read/write isn't essential but would have been enough to stop me from moving back to GNU/Linux.

    In the end, it looks like a great system but it just didn't fit my needs, just as, for instance, NixOS (and Guix) didn't fit my needs when I wanted a custom XKB layout.

  • by snazz on 3/1/19, 2:14 PM

    It does just work (TM). Brightness and volume hotkeys work out of the box, without a desktop environment (even on the console). WiFi, including autojoining, works using a single ifconfig command or configuration file. Suspend/resume works on my laptop without any configuration.

    If you’re using it on a laptop, just make sure to use an older, less ultrabook-like machine and you’ll be good.

  • by nwmcsween on 3/1/19, 9:01 PM

    The points aren't OpenBSD specific though:

    * ASLR - every modern OS has some form of this.

    * FDE - there are reasons (IIRC) FDE is better at FS level than block so this is sort of a negative.

    * LibreSSL - OpenSSL API is still a tire fire.

    * PIE - Possible on IIRC fbsd, nbsd, linux, etc.

    * UTF-8 only libc - there are issues here, such as strcasecmp.

    * noexec - IIRC this has been cross OS since the dawn of time (at least early 2000's).

    * pledge - pledge is cool, I'm trying to implement something similar using google kafel and a macro that turns `vow(id, kafel_string, flags)` into a compile time bpf filter.

    * strlcpy - is sort of junk as it has to iterate over ALL of src so for example strlcpy(d, "superlongstring...", 2) will read all of "superlongstring..."

  • by technofiend on 3/1/19, 5:02 PM

    If you want to use Ubiquiti hardware but not Vyatta, OpenBSD supports the Octeon processor [1]. In particular the edgerouter lite can be swapped to OpenBSD [2] for the cost of the right USB stick [3] and a console cable [4].

    Some people find the ERL's performance isn't sufficient to pass packets and also host services such as radius or that the passive heat management on the edgerouter isn't sufficient. In that case Protectli.com [5] makes appliances with monster heat sinks on top and despite running an old ATOM processor can push data at gigabit speeds [6] thanks to onboard Intel NICs.

    Finally you can just grab any refurb wintel box, add a couple of Intel NICs and throw away the windows license.

    The great thing about OpenBSD is particularly for its typical roles of firewall, load balancer, edge gateway, authentication server, etc it doesn't require much CPU or storage.

    I recently rebuilt a laptop with Windows from a USB 3 stick to an Intel M.2 NVME SSD. It took less than 5 minutes to go from booting to install to reboot. OpenBSD's footprint is so small you'll see similar build times particularly when you leave off X Window.

    [1] https://www.openbsd.org/octeon.html

    [2] https://codeghar.com/blog/openbsd-network-gateway-on-edgerou...

    [3] https://www.amazon.com/dp/B013CCTM2E/ref=cm_sw_em_r_mt_dp_U_...

    [4] https://www.amazon.com/dp/B01N0LMWGQ/ref=cm_sw_em_r_mt_dp_U_...

    [5] https://protectli.com/4-port/

    [6] https://tech.mangot.com/blog/2018/11/08/showing-a-gigabit-op...

  • by wtmt on 3/1/19, 2:36 PM

    What are the desktop GUI environments or window managers available on OpenBSD that are comparable to those on Linux? I see a mention of running X as a user, but nothing more.

    What about desktop hardware support? Does it have working drivers for different WiFi chipsets, video cards, trackpad, etc. (referring only to x86 based systems)?

  • by KAKAN on 3/1/19, 6:02 PM

    I use FreeBSD. It works fine, and I've configured it to be secure. Is there any reason for me to move over to OpenBSD ? I don't care about minimal or some reasons like that, I already have Alpine linux for that. Any other reason(s) ?

  • by verbatim on 3/1/19, 2:40 PM

    How many of these items are not also available in a standard Linux configuration?

  • by srfilipek on 3/1/19, 3:16 PM

    RETGUARD isn't mentioned, which is curious.

    Guess I'll need to submit a merge request.

  • by gbrown_ on 3/1/19, 3:25 PM

  • by meruru on 3/1/19, 3:36 PM

    I really, really want to use OpenBSD. I love everything they make. The one thing that keeps me on FreeBSD/Linux is ZFS support.

  • by upofadown on 3/2/19, 12:12 AM

    sndiod is pretty nice...

    Dead simple. Fixed latency that you set when you run the sound daemon. Same API with the sound daemon in or out. You can yank it out and the programs get to use the same interface for both audio and mixer. So nothing like the pointless ALSA mixing interface laying around when you run pulseaudio. It all works transparently.

  • by Jenz on 3/1/19, 4:07 PM

    Wow! OpenBSD _security_ rocks!

  • by legosteen11 on 3/1/19, 8:59 PM

    I wanted to install and try OpenBSD on my Librebooted Thinkpad T60, but unfortunately it is not possible to use full disk encryption with a non-custom Libreboot rom (you apparently need SeaBios instead of Grub2 for this to work). I find it quite sad, because I think Libreboot + OpenBSD would be the ultimate security and privacy-focused combo.

  • by srfilipek on 3/1/19, 3:09 PM

    > Xserver without root permissions

    There must have been a regression. There still was lingering suid root binaries that OpenBSD got bit by recently.

    I mean, it was security fix #1 for release 6.4: https://www.openbsd.org/errata64.html

  • by zolotarev on 3/1/19, 3:57 PM

  • by adulau on 3/1/19, 9:10 PM

    OpenBGPD is missing from the list. It's a great piece of software.

  • by jimmy1 on 3/1/19, 2:15 PM

    Many of the items on this list seem to be some variation of "random place in memory so attackers can't guess"

    It sounds nice, but can someone explain if there are any downsides?

  • by ur-whale on 3/1/19, 8:48 PM

    How is NVidia GPU support on OpenBSD? Will OpenBSD run GPU-accelerated TensorFlow or Torch?

  • by swills on 3/1/19, 3:18 PM

    How is OpenBSD performance these days?

  • by jwmjj on 3/1/19, 2:53 PM

    >If you install a library, there is no split between library and header files. There is no zlib-dev package as an addition to zlib. You get everything at once.

    And that's good?

  • by knorker on 3/1/19, 3:54 PM

    Last time I tried the full disk encyrption [sic] it was an awful setup compared to Linux.

    > https://why-openbsd.rocks/fact/meltdown-spectre/

    Uh, yeah. They did that, just like Linux did before them. I especially like the reply to the announcement that was "uh… I hope you didn't spend these two months coming up with that solution. We already did that for Linux, so you could have just asked".