Tag Archives: openbsd

OpenBSD, a surprise

puflogh1000X248I will start this blog talking about OpenBSD, a very nice and often controversial Unix system that has really captivated me when all I wanted from it was a quick firewall.

News about OpenBSD are usually about its proactive security or the perceived toxicity of it’s leadership, so I will refrain from talking about any of that. Instead, I will focus on how someone that used linux for more than 15 years would feel when interacting with it for the first time.

It first should be noted that the base system is very compact but functional – a somewhat common feature with other BSDs, but even more so with OpenBSD because the team is very small. In the BSD world, the entire base system is kept under the same source tree. This is in contrast to the typical Linux distribution which is built from sources scattered around upstream developers, which then get configured and patched by the distribution maintainers. By doing this, the BSD developers can have a very integrated system, where every component is developed amongside the rest of the system, which is great for consistency and security.

For anything not in the base system, volunteers maintain a set of binary packages and a “ports tree”. The ports tree is based on the FreeBSD one, just a set of makefiles, patches and instruction on how to fetch and build the binary packages which are then installed, with dependency checking. The user can choose between installing a binary package directly or using the ports tree to build from source. Also in contrast from the typical Linux distribution, the packages get installed to /usr/local, since they are not technically part of the monolithic operating system. In Linux, /usr/local is typically populated by programs built from source without any sort of package management. Since I’m a Gentoo Linux user, using the ports tree was straightforward for me.

The installation and configuration are incredibly easy, everything is very well explained and no problems ocurred. It was also very fast, it even autoconfigured my wi-fi connection during installation, asking just for the SSID and WPA passphrase. This is great, most operating systems just try to run DHCP on the interface as if it was a wired connection and we generally have to put the installer in the background and configure a wireless connection from the console. (I’m looking at you, NetBSD.)

This was to be expected, however. I’ve heard more than once that OpenBSD developers tend to used notebooks for development, so their support for wi-fi and notebook hardware in general is very good, even ahead of Linux. Sometimes even Linux wi-fi drivers are derived from OpenBSD.

This brings me to another surprise, it detected and configured the Radeon GPU on the notebook. Another benefit of open source: wi-fi drivers in Linux benefit from OpenBSD and GPU drivers in OpenBSD benefit from the Linux DRM (Direct Rendering Manager – not the evil DRM) infrastructure. I don’t know about the GPL vs. BSD licensing in these matters.

With that all said, OpenBSD apparently makes a very fine and secure desktop operating system. I wasn’t expecting this and it was a great surprise. Very secure base system with driver support for lots of stuff (maybe not the latest and greatest, but just give it time) and a huge (9000+) package collection, plus a great documentation and easy configuration.

Speaking about documentation and configuration, OpenBSD takes the saying that BSDs have great documentation and takes it one step further, every single question I had was already answered in manpages and the two FAQs (OpenBSD FAQ and PF FAQ), meaning that I didn’t once had to ask google or someone else. In less than an hours I had the firewall installed on the notebook hardware (low power usage) with PF configured and the wi-fi acting as an access point, effortlessy.

Which brings me to the last point of this post: security updates. Since the team is very small, this is an area that suffers a lot, in my opinion. Firstly, security updates are only available for the -current branch and the last stable release. Second, the security updates are only released in source form. Yes, you have to recompile to get security updates for the system and for the binary packages you may have installed. For stuff compiled through the ports tree it’s okay, you installed from source anyway. But here we have no choice, it’s source only. Thankfully the system is very secure and security updates are few and far between, and you can analyze each one carefully and see if it applies for your use case, and even create release packages on you fastest system to install on the other ones. But still, a bummer in an otherwise very fine system – I loved it anyway!