I used to use OpenBSD extensively in my job because of the awesomeness of PF but later moved on to big iron F5 and Cisco gear. In this new age of NSA wiretaps and cloud based services built around advertising and tracking however, OpenBSD feels more relevant than ever. I'd like to give it a shot as a desktop again.
So, who makes a modern laptop with good OpenBSD hardware compatibility?
It works like a charm on any intel i-series CPU with integrated intel HD graphics and most intel wireless chipsets (excluding the newer AC* versions).
I use it exclusively on servers, and on all laptops/desktops I use for real work. It's a breath of fresh air! No bloat, no evil, gets the job done - Not to mention some lovely features such as Full (no unencrypted boot slice) disk encryption via softraid, a completely unprivileged X server (with KMS-supported GPUs), and a brilliant set of simple and solid daemons included in the base system.
The only time I'll switch away is to use linux - The two reasons there being 1) High-end Gaming, 2) Virtualization.
I heard this and installed OpenBSD on my thinkpad only to find out there is no support for nVidia. I suppose you need ATI or Intel video to get a working X.
Debian doesn't support them with a big binary blob; by default, it supports nvidia chips with an open-source driver (nouveau), which works fine for most things other than 3d gaming. It just hasn't been ported to OpenBSD yet, though there is interest in doing so [1].
On a laptop I'd go with linux any day. I don't feel like any BSD was/is intended to be run on laptops, not if you don't wanna lose time in extensive configuration to make everything (almost) work.
If it wasn't intended to be run on laptops, why do most OpenBSD devs run it on their laptops? Why does it have graphics drivers with LVDS output? Touchpad support? Why does it have X with multiple window managers and OpenGL with 3D acceleration? KMS? ACPI suspend & hibernate? Sound daemon? Disk encryption?
There are a lot of features that make mostly (only?) sense on laptops, and the developers spend a lot of effort to make sure it works. It'd be absurd to claim the system is not intended to run on laptops.
I've run OpenBSD on my netbook for years. And it works pretty damn well, right out of the box.
Was thinking the same thing myself. I keep thinking recent MacBook Airs would make a good candidate--reasonably standard Intel hardware, decent components, tons of systems in the wild. Hence my comment about trim support for SSDs.
People mustn't expect everything to ever work straight out of the box on anything. Much like you have to install the Lenovo PM driver on windows, you have to config apm on OpenBSD.
In that case, things like Mikrotiks would be considered as "big iron". (I happen to be a big Mikrotik fan)
Just making the case that "just buy Cisco" doesn't do anyone really any good in a very wide market with a lot of very good options - sometimes paying for the brand doesn't mean you are getting something better.
You are getting "market familiarity", meaning they aren't beholden to you or your "crank" operating system and any schmo with a CC can bilk/bill them for support.
Can anyone speak to SSD in OpenBSD? My understanding is that trim support is not supported in OpenBSD (http://daemonforums.org/showthread.php?p=51377). That makes me a little worried about the potential to wear out an SSD drive in a workstation. The thread I linked discusses reducing some writes by using softdeps and the like, is that enough to make this a non-issue?
In general I wouldn't trust random forums for information about OpenBSD. People tend to repeat stuff long after its true. Send a message to misc@ or tech@openbsd.org and you'll hear directly from the devs.
Just make sure your partitions are 4k aligned to minimize write amplification. Many OpenBSD devs use SSDs. I've used one with OpenBSD for years without problems. Honestly it's a requirement given the shortcomings of ffs.
I've been away from OpenBSD for a while, and was just googling to try to get a starting basis. Thank you for pointing me to the 4k alignment issue. This thread (http://openbsd.7691.n7.nabble.com/SSD-disk-alignment-td75046...) seems to suggest that OpenBSD will try to align to 4k boundaries by default. Is that correct?
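The alignment question above can be checked mechanically rather than by eye. The following is an added example, not from the thread and not OpenBSD's own code: a small Python parser for the partition table portion of the output that `disklabel` prints, run over a constructed sample label (the partition sizes and offsets are made up), which flags any in-use partition whose starting offset is not a multiple of 4 KiB and reports the next aligned offset. The `sector_size` helper reads the label's `bytes/sector` line so that a 4Kn disk is handled too.

```python
"""Check that OpenBSD disklabel partitions start on 4 KiB boundaries.

Added example (not from the thread, not OpenBSD code). Parses the partition
table that `disklabel sd0` prints and reports partitions whose offset, in
bytes, is not a multiple of 4096.
"""
import re

DEFAULT_SECTOR_BYTES = 512
ALIGN_BYTES = 4096

# Constructed sample in the shape of `disklabel` output; not a real disk.
# Partition 'e' deliberately starts 5 sectors past a 4 KiB boundary.
SAMPLE_DISKLABEL = """\
# /dev/rsd0c:
type: SCSI
disk: SCSI disk
label: Constructed SSD
duid: 0123456789abcdef
flags:
bytes/sector: 512
sectors/track: 63
tracks/cylinder: 255
sectors/cylinder: 16065
cylinders: 31130
total sectors: 500118192
boundstart: 64
boundend: 500103450

16 partitions:
#                size           offset  fstype [fsize bsize   cpg]
  a:          2097152               64  4.2BSD   2048 16384 12960 # /
  b:          4194304          2097216    swap                    # none
  c:        500118192                0  unused
  d:          8388608          6291520  4.2BSD   2048 16384 12960 # /tmp
  e:         16777216         14680133  4.2BSD   2048 16384 12960 # /var
"""

# One partition line: letter, size (sectors), offset (sectors), fstype.
PARTITION_RE = re.compile(r"^\s*([a-p]):\s+(\d+)\s+(\d+)\s+(\S+)")
SECTOR_RE = re.compile(r"^bytes/sector:\s*(\d+)", re.MULTILINE)


def sector_size(disklabel_text):
    """Sector size declared in the label, defaulting to 512 bytes."""
    m = SECTOR_RE.search(disklabel_text)
    return int(m.group(1)) if m else DEFAULT_SECTOR_BYTES


def parse_partitions(disklabel_text):
    """Return a list of (letter, size_sectors, offset_sectors, fstype)."""
    parts = []
    for line in disklabel_text.splitlines():
        m = PARTITION_RE.match(line)
        if m:
            letter, size, offset, fstype = m.groups()
            parts.append((letter, int(size), int(offset), fstype))
    return parts


def aligned_offset(offset_sectors, sector_bytes=DEFAULT_SECTOR_BYTES,
                   align_bytes=ALIGN_BYTES):
    """Smallest offset >= offset_sectors that lies on an align_bytes boundary."""
    align_sectors = max(1, align_bytes // sector_bytes)
    return -(-offset_sectors // align_sectors) * align_sectors


def misaligned_partitions(disklabel_text, align_bytes=ALIGN_BYTES):
    """Letters of in-use partitions whose start is not align_bytes-aligned."""
    sb = sector_size(disklabel_text)
    bad = []
    for letter, _size, offset, fstype in parse_partitions(disklabel_text):
        # 'c' spans the whole disk and 'unused' entries hold no filesystem.
        if letter == "c" or fstype == "unused":
            continue
        if (offset * sb) % align_bytes != 0:
            bad.append(letter)
    return bad


if __name__ == "__main__":
    sb = sector_size(SAMPLE_DISKLABEL)
    for letter in misaligned_partitions(SAMPLE_DISKLABEL):
        offset = next(p[2] for p in parse_partitions(SAMPLE_DISKLABEL) if p[0] == letter)
        print(f"partition {letter}: offset {offset} sectors is not 4 KiB aligned;"
              f" next aligned offset is {aligned_offset(offset, sb)}")
```

On a real system the text would come from `disklabel sd0` (or whichever device holds the SSD); the same parser applies because it only looks at the partition lines and the `bytes/sector` line.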
For the moment, just make sure you leave a slice of the SSD unused. You could also on occasion backup the OpenBSD install, replace it with an empty ext4fs and fstrim it via a livecd, then restore the OpenBSD install.
I can understand not supporting tape installation (although aren't tapes still used in large, serious, high-power businesses as backup media?), but why remove FTP? Granted, it's objectively a horrible protocol, but is the FTP client code more likely to be an attack surface than the HTTP client code? If you're after security, isn't it more secure to remove all network installation and force people to use only physical media which they obtained from a secure and trusted source?
That surprised me, too, because in 2013 I was installing from FTP. But mostly from habit.
I'm hoping it's because they are going to be using HTTPS with pinned certs to ensure you are downloading from a proper mirror. But that's hope, not actual knowledge.
There's FTP/S (and RFC-4217, and not SFTP), which uses an SSL session negotiated inside of an FTP session. I don't know if there's a client/server combo that supports pinning, but this much at least exists.
Frankly, if I was looking to implement this, I'd start with SFTP/SCP. FTP/S is, at best, a rarely implemented kludge.
My point is that tape isn't dead, that it's still a viable way to store large amounts of data, like a full OS install with lots of ports to go along with it.
You're not wrong, per se, but be aware that the sweet spot for tape storage has skewed to 100's of TB through PB range. Last time I checked, the smallest tape drive you could buy as new production is 1.6TB and costs more than $1k. So...tape is definitely not dead, it's just not something that makes a lot of sense for installing an OS any more, relative to a US$10 USB stick, $.25 DVD or $50 external 500GB hard drive. And, anecdotally, the number of "hobbyist" tape users for other than bulk backups seems to have dropped from "some" 20 years ago to "LOL you use tape LOL" today.
Insert standard disclaimer about it being open source and if someone wanted to resurrect tape install more power to them, etc.
"Major internal refactoring to begin to make part of OpenSSH usable as a library. So far the wire parsing, key handling and KRL code has been refactored. Please note that we do not consider the API stable yet, nor do we offer the library in separable form."
This is intriguing. I would certainly like to know more about what is happening with this.
Public keys are intended to be public. So long as you're not transmitting them over the same connection as the one you're using them in, you're golden.
That problem can be solved by retrieving the key out of band. If you're that worried about it, use a VPN to verify that the key you're seeing is the right key. That will vastly increase the difficulty of pulling off a successful attack. They'd have to MitM both connections, as well as the connection you're using to download the software, in order to compromise it.
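One way to do the out-of-band check the reply above describes, as an added example that is not from the thread and not OpenSSH's own code: compute the fingerprint that `ssh-keygen -lf` prints for a public key (base64-decode the key blob, SHA-256 it, base64-encode the digest without padding, prefix `SHA256:`) and compare it in constant time with a fingerprint received over a separate channel. The key line used here is constructed inside the block from a synthetic ed25519 blob; it is not a real host key, and `TAMPERED_KEY_LINE` is the same key with one byte changed, standing in for a key substituted on the wire.

```python
"""Verify an SSH host key against a fingerprint obtained out of band.

Added example (not from the thread, not OpenSSH code). Reproduces the
OpenSSH SHA256 fingerprint format and compares it with an expected value.
"""
import base64
import hashlib
import hmac


def _ed25519_blob(raw32):
    """Build an ssh-ed25519 wire blob: string "ssh-ed25519" + string key."""
    name = b"ssh-ed25519"
    return (len(name).to_bytes(4, "big") + name
            + len(raw32).to_bytes(4, "big") + raw32)


# Constructed key lines; the 32 key bytes are a counter, not a real key.
SAMPLE_KEY_LINE = ("ssh-ed25519 "
                   + base64.b64encode(_ed25519_blob(bytes(range(32)))).decode()
                   + " constructed@example")
TAMPERED_KEY_LINE = ("ssh-ed25519 "
                     + base64.b64encode(_ed25519_blob(bytes(range(1, 33)))).decode()
                     + " constructed@example")


def sha256_fingerprint(pubkey_line):
    """OpenSSH-style SHA256 fingerprint of a "<type> <base64 blob> [comment]" line."""
    fields = pubkey_line.split()
    if len(fields) < 2:
        raise ValueError("expected '<type> <base64 blob> [comment]'")
    blob = base64.b64decode(fields[1], validate=True)
    digest = hashlib.sha256(blob).digest()
    # ssh-keygen prints the digest base64-encoded with padding stripped.
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def key_matches(pubkey_line, expected_fingerprint):
    """True when the key's fingerprint equals the one received out of band.

    compare_digest keeps the comparison time independent of where the
    strings first differ.
    """
    return hmac.compare_digest(sha256_fingerprint(pubkey_line),
                               expected_fingerprint)


if __name__ == "__main__":
    # In practice `expected` comes from a separate channel (the thread's
    # suggestion: a VPN, or the fingerprint printed on the server console).
    expected = sha256_fingerprint(SAMPLE_KEY_LINE)
    print("presented key ok:", key_matches(SAMPLE_KEY_LINE, expected))
    print("tampered key ok:", key_matches(TAMPERED_KEY_LINE, expected))
```

The presented key line is what `ssh-keyscan` or the server's `/etc/ssh/ssh_host_ed25519_key.pub` would supply; the expected fingerprint must come from somewhere other than the connection being verified, or the check proves nothing.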
"IPv6 is now turned off on new interfaces by default."
I have had to remove the IPv6 option from my kernels because enabling IPv6 by default (which to me seems like a "policy" decision) has become so pervasive. Nice to see this change; here's hoping other OSes follow suit.
Log message:
Remove SRP and Kerberos support from libssl. These are complex protocols
all on their own and we can't effectively maintain them without using them,
which we don't. If the need arises, the code can be resurrected.
Or in Theo's words:
It is crap. Eventually we recognize the risk is too high.
Another relevant commit message, with a fun quote:
Log message:
The complexity and quality of kerberosV and the fact that almost
nobody is using it doesn't justify to have it in base - disable and
remove it. If the two people who use it still want it, they can
make a port or recompile OpenBSD on their own.
There is a quote in theo.c from August 2010: "basically, dung beetles
fucking. that's what kerberosV + openssl is like".
Discussed with many. Tests by henning@ reyk@ and others.
ok deraadt@ henning@
I recommend you take a look at the whole message, it'll give you a vague idea of how big the code base was. Keep in mind that this particular commit was followed by a lot of smaller commits removing remnants of kerberos that had kinda spread all over the system...
Off by default makes much sense given it is another vector to attack. If not needed then why be on and more likely to just use IPv4 over even touching IPv6.
Of the two remotely exploitable OpenBSD holes in the default install, one was from IPv6. But it was ~7 years ago, so it's weird that they waited until now to turn it off by default.
Not just a vector of attack, it also causes performance and connectivity problems when misconfigured. As long as there is no critical mass for IPv6, it's not worth the headache. I know that if everyone had that attitude, IPv6 would never get critical mass, and that is exactly what I'm rooting for. I don't care for toasters with IP addresses.
Well I noticed today that some random hotel in Germany I was thinking of staying at was on ipv6, and it is way more popular than IE6... People want connected devices, in way more numbers than there are ipv4 addresses, and end to end connectivity is the internet.
I'd say putting mobile devices behind carrier-grade NAT goes a long way.
> end to end connectivity is the internet.
It was definitely the original idea of the internet, but I'd say it no longer is the reality.
People want to access Google and Facebook. The vast majority of users don't need or want their device to be directly reachable from the internet but communicate through cloud services.
End to end connectivity is the Internet.... and by contrast, privately addressed networks are not on the Internet but must reach it via gateways.
Reaching one another via centralized services rather than distributed federation is a problem, not a solution, in communications protocol design. See also: Everyone Hates Facebook.
You are stating an opinion/ideal as fact. If you'd look at actual data, you'd see that the vast majority of internet use by consumers is client to server, not peer to peer traffic (e.g., youtube vs. bittorrent), which means there is no need to be "on the internet" for most people. Distributed federation is great and it does not require end-to-end connectivity for everyone.
> See also: Everyone Hates Facebook.
I don't know in what kind of bubble you are living but 1.3 billion people are on Facebook; whether it's cool to hate it is not germane to the topic at hand.
I'll point out that much of the reason for most traffic on the Internet being client-server is that most users are behind home routers which make P2P traffic difficult or impossible, slowing innovation dramatically. IPv6 could solve this by giving every computer their own IP address on the actual Internet. Sticking with IPv4 continues to slow innovation.
Also note that most uses of p2p are illegal. Then again, much of youtube use is just as illegal -- but people assume (correctly) that they won't be sued for watching or downloading something from youtube (youtube might, or uploaders might -- in theory).
So, users are stuck behind asymmetric dsl lines, behind poorly functioning NAT routers and couldn't use p2p for what they want to use p2p for ... legally.
There are exceptions of course, like this project:
But after decades of stagnation, and even regression, in the ISP industry -- getting working p2p solutions to catch on is an uphill struggle. And when people don't have software they can, or want, to run as a service -- the demand doesn't exist either.
Contrast this with how people used to run their own BBS back in the day...
I don't think the client-server model is popular because people are behind home routers, but because it reflects the inherent asymmetry of producers and consumers. People being behind home routers is not a cause of that, but a state of affairs that is not noticed by or tolerable for most because of this asymmetry. This asymmetry is not caused by any technical limitation; even on Wikipedia, which is probably the prototypical crowdsourced site, editors are vastly outnumbered by readers.
I don't disagree with the ideal of everyone being able to serve their own content directly to the internet, I just don't think it reflects reality, specifically the abilities and inclinations of most people. I'm curious how people come to hold on to such beliefs when they are so incongruous with actual human behavior.
> People being behind home routers is not a cause of that, but a state of affairs that is not-noticed by or tolerable for most because of this asymmetry.
I would say that a great many things are not noticed by or are tolerated by the majority, and it's only when they're presented with a better solution do they notice.
Even client-server business models can benefit from peer-to-peer communications. The most obvious is media providers using their clients' connections to avoid having to maintain as large a CDN, and to cut some costs that way. If someone's listened or watched something near you, you can download from them instead.
And then there's all sorts of systems which really could be truly peer-to-peer, from social networking to a replacement for ebay.
Which means we'll have toasters sporting some proprietary, dumber-than-IPv6, less-functional-than-IPv6, less-secure-than-IPv6, IP address equivalent on the IoT. With DRM preventing you from toasting bread not approved by the vendor. Because there will come a point where buying a toaster without IoT enablement (in the future, toast marketing is nichy but profitable) will be about as easy as buying a 2014 production TV that doesn't sport cable hookups.
No need for anything proprietary, IPv4 + NAT suffices. Solves the common problem of me accessing the toaster, and leaves the less common problem of remote toaster operation to some kind of tunnel. IoT and everything getting an IPv6 address are interesting ideas, I just doubt whether people care about it enough for it to pan out. If it's not really necessary, it's difficult to justify the cost of switching.
HP300 and MVME68K are 68K. I occasionally crank up the latter for shits and grins, but support is far more a labor of love than for any utility these platforms might have left. See also: VAX.
I think for companies that still do this, they acknowledge that the impetus for buying a CD is more for collection/novelty purpose than actual usefulness. My question is whether there are any more effective ways of generating some kind of profit that actually involves giving something extra to the user, whether physically or digitally.