This points out something we forget at times: being a fan of a thing shouldn't mean we have to suffer for it.
NetBSD doesn't have GPU compute capabilities, plus browser DRM is a PITA, so I run macOS, too. If I have to choose between not doing a thing at all and doing it in a less enjoyable environment, it's only my own foot that suffers were I to choose not doing it at all.
What really matters here is that systems shouldn't crash or panic at all, ever, or if they do, the filesystems used shouldn't lose data or otherwise become corrupt. We left the lack of memory protection in the '80s (some of us the '90s), so there's no excuse if the hardware isn't faulty.
So I have to wonder why the OpenBSD folks, who prioritize security over speed, for example, wouldn't prioritize stability over everything except possibly security (I'd rather a panic than a compromise) and spend some energy looking in to these issues and fix them?
Why wouldn't any filesystem corruption (which could have security implications if the corruption can be controlled) and/or data loss be considered a sign of other deep issues and be made a high priority at OpenBSD?
Perhaps Solène's writeup will be a good wake-up call for the OpenBSD people.
I suspect a lot just comes down to manpower... While extremely important the FS currently works "good" enough (although there were/are efforts to port HAMMER2).
But I share the frustrations, all these little papercuts really add up and I only use OpenBSD in server settings nowadays
Good enough? As far as I could gather, they never implemented FFS/UFS journaling and removed support for soft updates. If that’s incorrect, I apologize for this comment.
So, they basically have a filesystem that operates like it did in the ninetees, unclean shutdown and you have to go through a full fsck and hope for the best. Most people who used some Unix before journaling would never want to go back.
Softdep is a significant impediment to progressing in the vfs layer
so we plan to get it out of the way. It is too clever for us to
continue maintaining as it is."
From OpenBSD developer Marc Espie, :
"The big issue with softdep is that it has tendrils everywhere, and since we didn't convince Kirk* to move over to OpenBSD, it tends to be a big hindrance in fixing everything else instead of helping.
The buffercache, the pagedaemon, the swapper, unlocking subsystems.
Hopefully, all these have a chance of being done by a human with softdep gone."
* Kirk being Marshall Kirk McKusick (FreeBSD) developer and creator of Soft Updates
A quick check of openbsd-cvs shows they're still removing softdep/soft updates stuff a year later. [2]
Sorry to see Solène Rapenne move on, I wish her success going forward. She has been a great asset to the OpenBSD team. But glad she will still try and help them out a bit.
But in a way she has a point :( Just a few weeks ago I had a panic with 7.6 and half my files in /home disappeared. In the past I never lost data on an fsck, plus I never had a panic in many years. But glad I clone /home to another device daily :)
But I still will use OpenBSD for testing items I develop on Linux. It is a great help finding issues where Linux will ignore some bugs I insert.
There are many issues that can cause problems, I have seen worse things happen at work over the decades. In this case, I fully believe it is a one-off occurrence.
On my other Laptop, and old T420 with only OpenBSD, I never had a panic or lost files. Even after moving to 7.6.
But was saying, I can see her point when your professional livelihood depends upon what system you use.
> flatpak: I really like software distribution done with flatpak, packages are all running in their own namespace, they can't access all the file system, you can roll back to a previous version, and do some interesting stuff
As of today flatpak still has holes you can drive a truck through.
I still don't understand the slapdash approach the desktop Linux crowd took, Qubes is a much better approach. Such unprofessional software engineering pervades FLOSS with the worn and tired "but it's a hobby project" when it's a core dependency necessary for international corporate, government, and military strategic systems. (I also don't understand the lack of appropriate support for critical projects either, but it makes sense because of decline, entitlement, corruption, and greed.)
I had to shout and scream at docker early on for container image integrity, but that fell on deaf ears. Heck, Python even threw away GPG to roll their own sketchy setup and Ruby doesn't even care about package integrity or supply chain attacks.
Perhaps it's the "corporate, government and military strategic systems" doing it wrong, if they choose to rely on a hobbyist project? Not the hobbyist publishing their sources?
Could you link some related Flatpak issues where this happens? I've been under the impression that security under bwrap could be relatively acceptable and mostly the same as running containers (aside from all the portals).
I haven't been using Flatpak, but was recently thinking about it.
flatpack for isolation is a joke. All the file duplication, none of the security. Not to mention nothing that depends on camera, screen cap, etc will ever get close to working.
Just accepting there's no easy solution, and do aparmour+firejail. It's awful user experience, but at least only once per application. Then it is perfect. There should be a distro like qubes but where everything must have either a firejail profile or a hardened systemd unit file (which is the worse designed/documented thing in the universe, taking the place of X11). That would be the ideal world.
To be hones I appreciate flatpak for software distribution. Afaik (correct me if I’m wrong) some degree of security is implemented through selinux (i’m on fedora).
Yes, you are technically right, but you are wrong only in the sense that most packs either do not ship with a selinux policy or ship with some just-added-whatever policy.
> I appreciate flatpak for software distribution
Flatpack is for distributors. Not end users or for the benefit of the end system running them. There are already too much written about this. The lax state of selinux policies is also a result of this focus.
PS: you will see my top comment get downvoted by the distributors who enjoy to offload the burden to end users, without offering any counter argument.
best argument I've heard against my points so far. but still, since the other solutions require the same amount of work for isolation, the only real benefit of flatpak is bundling soon-to-be-outdate dependencies.
Something like 99% of the use cases I've seen for OpenBSD are servers that have no keyboard, mouse, video, audio or other plugged into them. It's completely unsurprising that bluetooth and gamepad support isn't a priority.
> It's completely unsurprising that bluetooth and gamepad support isn't a priority.
The Bluetooth stack on linux is literal code trhown away from qalcomm (or was it broadcom?) with dbus on top. But since they dumped it as GPL it won't reach BSDs.
Hard disagree here. I run FreeBSD and OpenBSD both since 20+ years. My current laptop has FreeBSD installed and OpenBSD virtualized for the better wifi drivers. FreeBSD is the clear leader on the desktop.
FreeBSD is acceptable, but if you need features like suspend, it can be quite a hassle, and you might be fortunate if your hardware is compatible. On the other hand, OpenBSD has strong advantages for me as an out-of-the-box desktop system, allowing you to avoid the hassle of enabling services. Unfortunately, all the BSDs seem to still carry a 90s vibe.
Makes sense. I've always assumed that OpenBSD has a very narrow use case anyway. I love it for a network firewall because the configuration files are sane and easy to understand (stares at systemd networkd). I set it and forget it.
it is easier to setup a openbsd vm and have it handle all the network routing and wireguard stuff, than it is to simply disable the unrequested zeroconf stuff included in systemd-networkd/resolvd.
I personally think systemd, which I despise, won and effort would be better allocated trying to improve it (e.g. ripping the zero conf stuff from it to begin with)
The name is familiar, I learned a couple of things from Solène in the Qubes OS forums. Many thanks in case you see this.
I think OpenBSD has a big advantage (to me at least) that it’s the OS I really want to use, but I could never find a place for it for the reasons described. It just doesn’t fit my use cases except on the philosophy department!
In fact I had to leave Qubes OS for different reasons: strange behavior with USB devices, perceptible latency, would not sleep properly when running on battery, Windows VM would freeze on wake up from sleep. Small things but very annoying.
Maybe I just got bad luck with hardware (Thinkpad X260), or I just don’t have the time to troubleshoot it anymore.
Anyway, I’m having a great honeymoon period with OpenSuse now. I’ve chosen it mainly for great filesystem snapshot support. It seems this time everything missing on the repositories are covered on flatpak, and things that usually give me trouble (for example IME support) simply worked. I loved the Xfce theme. I’ll probably be staying for a while.
Journaling filesystems have been around for decades now; I don't think I've had a data loss incident since I stopped using Windows 98? I know it's volunteer driven but it seems like working on data integrity might be more of a benefit for security than some of the gimmicks like TRAPSLED.
OpenBSD had Soft Updates, which isn't really journaling but sort of similar. It was suppose to help with with file system integrity, in the case of crashes. OpenBSD removed it last year because it got in the way of VFS updates, and was hard for the team to maintain[1].
I love OpenBSD, but it really does need a modern filesystem. The current team might be to small or just not have the right people to do a new filesystem. HammerFS2 could maybe be ported (and one has to wonder if that's not one of the thing that would requires VFS layer updates). Much of the current work on filesystems are being poured into GPL licensed code or ZFS, which also have an unfortunate license, so OpenBSD either has to borrow HammerFS, or do their own thing, which they probably don't have the resources for.
BSDs bet on permissive license hoping companies would drop code on them. Turned out companies were either using linux or dumping abandoned code as GPL to strategically keep out of competitors.
BSD licenses were a thing before GPL lost the final battle, when linus accepted the tainted-kernel compromise. Now it's a relic of a bygone time, which show allegiance to a side on a war that no longer matters.
> I don't think I've had a data loss incident since I stopped using Windows 98?
Data loss from a kernel crash or power loss, sure, have not seen that in some time.
However data loss from disk failure is something I've seen in the current century. I started using ZFS in my home network when I began to see that at home. I haven't had anything major that ZFS with redundancy couldn't recover since.
The journal does what it's supposed to, doesn't it? I.e: keep the file system from breaking on panics, or power loss. Sure it doesn't protect you against a corruption bug in LVM et al., but that doesn't make it useless.
Yes, if you search for people trying to mount a LUKS volume image readonly to then try (somewhat successfully in my case) to get data from the journal or run destructive fsck operations, you will find lots and lots of examples.
> If you have SSD->LUKS->GPT->LVM->Ext4, then a bug on any of the (newer, buggier) components before your journaled FS means you lost data
And yet it's never happened to me. Dozens upon dozens of systems. Linux or Windows or Mac for that matter.
I've toted around a laptop with whole disk encryption for > 15 years and never lost data. Not once. Even after a forced power off.
I have, however, lost data to major FS corruption on an OpenBSD system with no encryption whatsoever. More than once. Still using ancient MBR and legacy boot because, well, OpenBSD.
> I've toted around a laptop with whole disk encryption for > 15 years and never lost data.
me too. Until I did. Negative anecdotes in a discussion about rare events are unhelpful.
My point is not that journaling is useless and should be dropped (I only use openBSD in things that are either readonly storage or virtualized on a host which does have proper FS). My point is that the "new setup" used by most distros introduced a lot of things that are above the journal. We have been rocking FDE for over 10yr, but the mass of people with crappy hardware and who just unplug their computers are only exposed to FDE for the past couple years.
My experience with LUKS robustness is less so, but I've uncleanly powered off many a laptop with BitLocker, FileVault, and commercial encryption with no ill effects.
> Still using ancient MBR and legacy boot because, well, OpenBSD.
All this does is tell me you're young for such a hostile tone towards recently dominant, mildly deprecated tech. It wasn't too long ago that UEFI didn't really work well. I did 3 BIOS to UEFI migrations in the last year or so, on Linux, FreeBSD and Windows, because those machines booted bios up to recently.
I like Linux a lot but personally I am starting to get frustrated with rootless containers. It is frustrating one has to have higher privileges running the container to make it have its own IP address inside the container. It's frustrating you cannot have the container read and write on the filesystem as the UID running the container unless the process inside is root.
I might have a better experience with VMs but every system seems like a lot of effort to just get something running. And after that the object is not as disposable as I'd like. My favorite tool for VMs so far is Incus. I'm planning on looking into Firecracker this weekend for fun.
Unrelated, but regarding:
> I understand it can make some people angry as they have to learn how to use it.
I don't think that's a significant part of what is upsetting anyone.
It seems her biggest issue by far is bad VM hosting, followed by the filesystem (the latter being possibly an hardware compat issue). Everything else seems tertiary or downstream from the big one.
Better VM hosting would enable a big usecase directly, enable the software separation she likes, ameliorate a good part of the battery issues (as that's what she often uses the OS for), and with passthrough maybe even help work around the other hw support issues.
Given how critical virtualization is to security anyway, it sounds like a topical thing for OpenBSD folks to put directly into the OS (a la bhyve).
> I have grievances against OpenBSD file system. Every time OpenBSD crash, and it happens very often for me when using it as a desktop, it ends with file corrupted or lost files. This is just not something I can accept.
Doesn’t openbsd use a fancy-ish ZFS type file system?
I have the same grievance with XFS on Linux though. For as much as people say how awesome it is, the few nodes I have running XFS are the least reliable pieces of garbage on a hard power off and a pain to get back up (if I don’t just nuke it anyway)
I wonder if xfs caused all of my disk reliability issue when I used it inside longhorn. Never again will I trust my data to either of those systems. Maybe one of them is innocent, but I don't care.
Also FWIW, I use OpenBSD as my daily driver, and I like it especially due to the security (I separate user-level activities, including net browsing, by account), and have not had the crashing or filesystem issues, fortunately. Her points are probably valid though, as my demands of the system are less than hers.
I keep a special laptop for all financial stuff. It is not that expensive and the inconvenience is limited. And on it I have CubesOS, but I guess OpenBSD would also be a good choice.
I assume you meant QubesOS not CubesOS which I don't know of. You can totally run QubesOS as a host, it helps for hardware compat and fs perf/stability, and run OpenBSD alongside Fedora or Debian VMs as guests.
> I need to experiment and learn with a lot of stuff, this includes OCI containers
OK understandable ofc.
> Running virtual machines on OpenBSD is really limited, running programs headless with one core and poor performance is not a good incentive to work at staying sharp.
Can someone explain this a bit more? I mean: I also run both VMs and OCI containers (well, Docker really atm) but what's that about "headless with one core" OpenBSD thing?
OpenBSD can run a VM but it's limited to one core and there can be no GPU passthrough? Is that what she means? That she can only access the VMs through the network?
No GPU passthrough would indeed be kinda a deal breaker for me too.
> I moved from OpenBSD to Qubes OS for almost everything
(a bit of a rant but it's related to TFA from a "what a dev may need" point of view)
I like that Qubes OS focuses on security, something which, for example, Proxmox seems to have an interest approaching about zero. Sure you can contenairize and virtualize but the Proxmox host itself, the "hypervisor" has countless ports open by default "because you'll need them for insecure lots of insecure protocols here and the entire Proxmox security seems to rely on only the firewall. Firewall which, moreover, sometimes resets by itself to "ACCEPT" everything by default.
I run Proxmox on a server and I did a proof-of-concept, running Proxmox as my desktop, using GPU passthrough from a VM to my main display (requires quite a bit of setup and settings and may or may not work on some hardware, but it's darn sweet when it works: one GPU for the host, one GPU for the guest(s)). It works. I know some are using that setup (including some Proxmox devs) on their workstation. But, sheesh, does the Proxmox team seem to care more about a shiny UI than security.
So, basically to be too far from TFA: leaving OpenBSD (considered to be ultra secure) for QubeOS... Does QubeOS really deliver more on security compared to another efficient alternative, like Proxmox? (don't get me wrong: I know that QubeOS is meant to be a desktop, which Proxmox not so much... I just wonder if QubeOS is really secure compared to OpenBSD).
In this day and age of AI models (for those who want to run some locally) requiring fat GPUs and lots of configuration on the software side and with the pace at which new models are coming out, I think nothing beats an hypervisor and VMs using GPU(s) passthrough. This way you can quickly test new models, install tens of them, backup working VMs or containers, etc.
I can see how OpenBSD is negatively affected by that: a 4090 or 5090 (or two in the same machine FWIW: a friend of mine runs just that, two 4090 using GPU passthrough) is quite something. The world, atm, shifted towards GPU. That's why NVidia is enjoying such a market cap.
Although Bluetooth and gamepad do not matter, it looks like OpenBSD may be missing something here if the GPU and GPU passthrough story is subpar.
In a "the world is moving" way.
At least in my case, after reading a TFA like this, I don't see why I'd run OpenBSD... Except as a firewall in front of my Proxmox machines (which badly need that) ; )
P.S: don't mistake this rant for me not loving Proxmox. It's just that I wished they cared less about "shiny" and "convenience" and more about not opening every single port and service under the sun on the host. Something which QubeOS may be better at.
And losing files after a crash is something that hasn't happened to me for at least a decade (not with NTFS,ZFS(FreeBSD),UFS2(FreeBSD), ext4 or XFS), maybe rip out soft updates was a bad idea?
I adore OpenBSD because it's so lightweight, but I dropped it for FreeBSD when the same hardware couldn't max out a 1 gigabit connection running OpenBSD but could with Free. Since then they have made network changes so I'll probably try again even though the bar's moved and now I need 2.5 gigabit connections to be saturated. Happy to give it a chance anyway.
I just remember considering it for routing/firewalling duties about 2007, grabbing then-current performance optimization guide, and finding whole chapter in how to force irq sharing so that interrupts from any NIC will trigger driver code from all NICs...
I can't argue about gamepad support although I would say it is less desktop territory than console/steam machine territory. But for bluetooth support there are definitely good workaround with those usb class compliant soundcards that autoconnect to nearby bt headset/speakers.[1]
[1] I assume you would want to use bluetooth for audio only because anything else usually sucks and can be done better/faster/more reliably with wifi or USB.
NetBSD doesn't have GPU compute capabilities, plus browser DRM is a PITA, so I run macOS, too. If I have to choose between not doing a thing at all and doing it in a less enjoyable environment, it's only my own foot that suffers were I to choose not doing it at all.
What really matters here is that systems shouldn't crash or panic at all, ever, or if they do, the filesystems used shouldn't lose data or otherwise become corrupt. We left the lack of memory protection in the '80s (some of us the '90s), so there's no excuse if the hardware isn't faulty.
So I have to wonder why the OpenBSD folks, who prioritize security over speed, for example, wouldn't prioritize stability over everything except possibly security (I'd rather a panic than a compromise) and spend some energy looking in to these issues and fix them?
Why wouldn't any filesystem corruption (which could have security implications if the corruption can be controlled) and/or data loss be considered a sign of other deep issues and be made a high priority at OpenBSD?
Perhaps Solène's writeup will be a good wake-up call for the OpenBSD people.