Linked by Eugenia Loli on Sat 12th Aug 2006 19:07 UTC
OpenBSD strives to be the most secure UNIX derivation. Design principles, such as code auditing, extensive use of encryption, and careful configuration choices, combine to ensure OpenBSD's secure by default philosophy holds true. This article gives you a close look at the operating system so secure that it was once banned for use in a DEF CON competition, where crackers go after each other's systems.
Thread beginning with comment 151759
Correctness matters
by eMagius on Sat 12th Aug 2006 19:37 UTC
eMagius Member since:
2005-07-06

While the OpenBSD team appears to be most concerned with security, much of that is a natural byproduct of a struggle towards correctness. That's the beauty of OpenBSD -- not merely that it is secure, but that it is designed to be clean, comprehensible, and correct from the ground up. That includes drivers -- no binary blobs here.

Others could take a hint.

Edited 2006-08-12 19:39

Reply Score: 5

RE: Correctness matters
by TDavis on Sat 12th Aug 2006 23:14 in reply to "Correctness matters"
RE: Correctness matters
by poohgee on Sun 13th Aug 2006 02:03 in reply to "Correctness matters"
poohgee Member since:
2005-08-13

Certainly agree - I wish there really was more concern about security for the Linux kernel, not just add-on projects to patch things.

The constant security announcements for the kernel (& the rest) constantly remind me of the lack of security focus in Linux & how OpenBSD has the philosophy I'd actually like to see in Linux.

I guess that it is, like bug fixing, another one of these things less rewarding than adding fancy new features.

The "Linux is secure mantra" is kind of hollow with constant security advisories compared to OpenBSD & exploits which are possible on Linux, OSX & Windows.

Just IMO ;)

Reply Parent Score: 5

RE[2]: Correctness matters
by smitty_one_each on Sun 13th Aug 2006 03:55 in reply to "RE: Correctness matters"
smitty_one_each Member since:
2005-07-07

I submit that there is a problem space, with reasonable tradeoffs in several dimensions, and that the whole FOSS realm is better for having a spectrum of approaches.

OpenBSD, in my admittedly brief experience, can be very finicky about the hardware in use. A choice in favor of OpenBSD might be a choice against that really cutting-edge hardware. Truly, YMMV.

Reply Parent Score: 2

Lettherebemorelight Member since:
2005-07-11

The "Linux is secure mantra" is kind of hollow with constant security advisories compared to OpenBSD & exploits which are possible on Linux, OSX & Windows.

You are ignoring the context. The mantra you are talking about is just in relation to Windows. I'm quite sure no one who knew what they were talking about was ever trying to suggest that it was perfect, or more secure than BSD.

Reply Parent Score: 3

RE[2]: Correctness matters
by netpython on Sun 13th Aug 2006 07:28 in reply to "RE: Correctness matters"
netpython Member since:
2005-07-06

how OpenBSD has the philosophy I'd actually like to see in Linux.

If you compare FC5 and OpenBSD there isn't much difference when you do a non-GUI install.

OpenBSD can't possibly audit all the packages from ports, only the default install, which is pretty useless for a desktop. When you install more packages to make, for example, a somewhat equivalent desktop you are just as vulnerable as any other Linux desktop with the same packages installed. Maybe more vulnerable because there's a significantly smaller team that audits.

Excellent secure server OS nonetheless.

Reply Parent Score: 5

RE: Correctness matters
by binarycrusader on Sun 13th Aug 2006 04:00 in reply to "Correctness matters"
binarycrusader Member since:
2005-07-06

Agreed. However, in the spirit of "correctness matters," it's important to note that OpenBSD cannot rightfully be called the "Most Secure Unix OS." Notably because it is not UNIX. It is UNIX-like, and provides many of the features that UNIX provides, but it does not comply with the Single UNIX Specification standards.

So, arguably, with only a handful of true UNIX operating systems left, such as: Mac OS X (which as of Leopard will be certified -- see Apple website), Solaris, HP-UX, AIX, SCO UNIX, and maybe one or two others I can't think of at the moment -- which of those is the most secure? That would be a very interesting thing to find out.

While OpenBSD isn't really UNIX, its contributions are certainly invaluable and its work should not be ignored.

Edited 2006-08-13 04:07

Reply Parent Score: 3

RE[2]: Correctness matters
by galvanash on Sun 13th Aug 2006 17:15 in reply to "RE: Correctness matters"
galvanash Member since:
2006-01-25

The "Single Unix Specification" has become about as relevant nowadays as the Common Desktop Environment (CDE)... Very few people care anymore. And really, the only reason OpenBSD and the other BSDs are not already certified is:

a. It costs A LOT of money.
b. The developers don't really care.

The differences between the different BSDs and different Linux distros are in reality quite a bit less than the differences between the different "blessed" versions of Unix... So what is the point of the standard? POSIX compliance is much more important and pretty much all the BSDs and Linux manage to be pretty good about that.

Reply Parent Score: 5

RE[2]: Correctness matters
by iangibson on Sun 13th Aug 2006 22:00 in reply to "RE: Correctness matters"
iangibson Member since:
2005-09-25

Okay: how about instead of calling it the "Most Secure Unix OS", we simply call it the "Most Secure OS"?!

Reply Parent Score: 2

RE: Correctness matters
by postmodern on Sun 13th Aug 2006 13:32 in reply to "Correctness matters"
postmodern Member since:
2006-01-27

Sadly in their obsession towards "correctness" the rest of their system has become static. Their installer has always been a spartan CUI, the ports system is a standard BSD setup and updating the entire system is a total pain. What should be noted is that one must balance correctness (read: rigidity) with expansion (read: flexibility). It is not a binary choice, both must be paid attention to.

Now I'm not complaining about lack of eye-candy or happy GUIs to hold my hand, I'm just noting a lack of progress in logical features which benefit both the user and the administrator. That said, their security is still very impressive.

Reply Parent Score: 2

RE[2]: Correctness matters
by Bink on Sun 13th Aug 2006 14:34 in reply to "RE: Correctness matters"
Bink Member since:
2006-02-19

Quick rebuttal…

FWIW, I, and others, am quite pleased the installer can still fit on a single floppy and, while more people might not take advantage of it, you can also do a headless installation via a serial console—and I hope this doesn’t change in the future just to appease the fashion gods. This is one of the quickest installers I’ve ever used and, to be quite honest, it does exactly what an installer is supposed to do—get the OS on the box, quickly. If I want pretty things or feel like making massive customizations, I can easily do so after the OS is installed. So, many actually consider this installer far ahead in terms of “progress in logical features which benefit … the administrator”—OpenBSD has never been geared towards the users of Windows-land.

As for the ports systems, what more do you really want than “pkg_add [enter name of software package here]” and quickly watching the software and all its dependencies get downloaded and properly installed? How much easier can they make it? Windows doesn’t even do this.

And as for updating the entire system, I’ll concur, but I don’t consider it a “total pain.” OpenBSD is somewhat known for its lack of hand holding, but you are still only a quick “cvs sync,” recompilation of the kernel and recompilation of userland away from updating. So, there are three simple steps—which can be readily automated with a little scripting.

For the tasks and user base that OpenBSD is best suited for, there is consistent progress and “it Just Works” features throughout the OS. My proverbial two cents…

Reply Parent Score: 5

RE[2]: Correctness matters
by psygbert on Sun 13th Aug 2006 16:11 in reply to "RE: Correctness matters"
psygbert Member since:
2006-05-29

And as an addition to what Bink has said, I think simple steps like these:

export PKG_PATH=/path/or/url/to/new/packages
pkg_add -u -F upgrade

are not a painful way to upgrade packages.

And I think the OpenBSD team should not change their installer either. It's small and fast. It's very rational and logical; a simple understanding of the English language is all it takes to install OpenBSD. Ports install can always be done after the base installation.

Rest of the system become static? How? There are many innovations happening in OpenBSD (e.g. pf, CARP, OpenBGPD, OpenVRRP, good wireless device support, etc.)

Reply Parent Score: 4