News: 1728556271

  ARM Give a man a fire and he's warm for a day, but set fire to him and he's warm for the rest of his life (Terry Pratchett, Jingo)

Version 7.6 – the 'OpenBSD of Theseus' – released

(2024/10/10)


OpenBSD is arguably the most secure general-purpose OS for general-purpose computers. This version has better laptop support, includes more Arm64 kit, and brings hardware-accelerated video playback.

[1]OpenBSD version 7.6 is the latest release of what is very probably the most secure member of the great Unix family. (Although the [2]NetBSD folks dispute that , but it wouldn't be a Unix-like system without internecine disagreement.)

[3]

The full FVWM-based glory of an OpenBSD 7.6 desktop, with a file manager and htop - xlick to enlarge

Project lead Theo de Raadt termed this release the [4]OpenBSD of Theseus . With version 7.6, there are no unmodified files left from the original code forked from NetBSD 1.0 in 1995. The reference is to the [5]Ship of Theseus ; a less classical alternative is "my grandfather's axe", but since the last remaining bit that was removed was an ancient Greek quiz, as [6]described on Hacker News , it's an undeniably appropriate allusion.

There is a full [7]list of changes for those keen to know what's new. Suffice to say that it tightens up security in lots of areas. There's improved support for technologies such as AMD Secure Encrypted Virtualization, including supporting it in [8]vmm , OpenBSD's integral hypervisor. OpenBSD supports a remarkable [9]14 different architectures , and each release tends to improve hardware support. In parallel with [10]FreeBSD's efforts to improve laptop support , OpenBSD too is working on it too. This version has better support for deeper sleep states, which use less power. This version also has wider Arm64 support; the release notes call out that it has "Added Qualcomm Snapdragon X Elite (X1E80100) support".

Switching customers from Linux to BSD because boring is good [11]READ MORE

Saying that, this does not mean that you can just pop it onto a laptop and get a lightweight graphical desktop. It does include several of common desktops – and unlike FreeBSD, the default installation will, if you want, install the [12]Xenocara X11 server and leave you with a graphical login screen and a working [13]FVWM session. A GUI desktop is not really the sort of usage model it's aimed at, but it can do it.

The Register regularly takes a look at what's happening in the OpenBSD world, and we looked at [14]version 7.1 , [15]version 7.2 and most recently [16]version 7.5 . Emboldened by our experiences with previous releases, we installed OpenBSD 7.5 on bare metal on a geriatric Thinkpad W500 – and in case that sounds too easy, it's dual-booting with Windows, NetBSD and two Linux distros.

OpenBSD is in some ways all about managing your expectations: yes, it's a Unix-like OS, and yes, it runs on commodity PC-class hardware, even including Apple Silicon Macs and some other more PC-like Arm64 hardware. But it's extremely restrictive by design, little third party software supports it, and part of the secret of its surprisingly wide hardware support is that there are entire classes of hardware it simply doesn't support, including Bluetooth.

[17]

So, yes, if you have, say, an old M1 Mac mini lying around, you can install OpenBSD on it – but you won't be able to use the Apple-supplied pointing device, keyboard, or headphones with it. You will need old-style wired ones. Simply not supporting the entire industry standard protocol for connecting to wireless peripherals would, we suspect, come as a surprise to most ordinary computer owners. Bluetooth is so ubiquitous, most smartphones no longer even offer headphone sockets. Conversely, when the Reg FOSS desk asked a couple of OpenBSD maintainers about its missing Bluetooth support, they reacted with surprise that this should be considered noteworthy.

[18]

The OpenBSD upgrade process is a single command, which asks no questions. Not even "Are you sure?" - click to enlarge

To try out the new release, we fired up our OpenBSD 7.5 Thinkpad and tried an in-place upgrade. There is a built-in command to do this, called [19]sysupgrade . We checked the [20]space requirements , which were just enough, and experimentally tried to invoke it without parameters. To our slight surprise, it just went ahead and did it, without any further prompts. Including not asking for confirmation. Including a system reboot. This is not an OS for the incautious. It worked perfectly smoothly; on reboot, the bootloader noticed that an upgrade was in progress and completed it without any intervention. When it's done, you just have to issue the command pkg_add -Uu to update your packages and the job's a good one.

The test machine is an old one, with a Core 2 Duo, so extensive benchmarking would be a waste of everyone's time. To test hardware-accelerated video playback, though, we tried playing a Youtube video. It worked fine, and incidentally we discovered that we had working sound support and that our dedicated volume-control keys worked. Before the upgrade, playback used an average of 89 per cent of one CPU core; afterwards, it still worked just the same, but in the included Firefox 130, it only used some 45 per cent CPU. Playback was smooth but the Youtube stats said it was consistently dropping a few frames, both before and after.

[21]

[22]

We've left our bare-metal setup fairly unornamented, in part because OpenBSD defaults to a quite complex partitioning arrangement. We gave it a 32GB primary partition, and it split this up as follows: thinkpad-w500$ df -h

Filesystem Size Used Avail Capacity Mounted on

/dev/wd0a 986M 248M 688M 27% /

/dev/wd0n 7.4G 227M 6.8G 4% /home

/dev/wd0d 1.8G 5.8M 1.7G 1% /tmp

/dev/wd0f 3.5G 1.5G 1.8G 45% /usr

/dev/wd0g 986M 329M 608M 36% /usr/X11R6

/dev/wd0h 4.1G 924M 2.9G 24% /usr/local

/dev/wd0m 5.7G 2.0K 5.4G 1% /usr/obj

/dev/wd0l 1.8G 2.0K 1.7G 1% /usr/src

/dev/wd0e 2.8G 10.4M 2.6G 1% /var

There are valid reasons for this complexity – for instance, the different volumes have different permissions, which prevents an attacker from executing files in much of the filesystem. The downside is that here, with only 3.2GB of operating system in 32GB of space, we have just 608MB of space for graphical apps, so there isn't room to install even a lightweight desktop such as Xfce. The installation program is a moderately terrifying affair of cryptic prompts with extremely terse responses, and one misplaced character will destroy everything on your drive, so adjusting this allocation remains beyond us at our meager level of skills.

OpenBSD is a strange beast. It's hard work and very little third party software supports it. We recently wrote about how [23]BSD is boring in the good way , and while our article didn't specifically name-check OpenBSD, Stefano Marinelli's talk did. He mentioned one of its strong points: "OpenBSD as network/firewall entry points". He elaborated:

By implementing an OpenBSD system, I often don't need to install any additional packages. When it's time to upgrade, it's simple and secure. When a vulnerability emerges, I'm often fortunate to read "OpenBSD is excluded from this issue because it eliminated this risk X years ago…"

This is both the strength and the weakness of OpenBSD. If you want a clean, minimalist system, then almost everything you need is right there in the OS; but conversely, if you want anything else that isn't in its repositories, then at best you'll likely have to find source code and compile it yourself. Few third party programs support it, but that means that upgrades are simple and straightforward and reliable, because there are few to no external components to complicate matters. (Trying to simplify installing external software in ways that they won't break upgrades is one of the [24]reasons tools like Snap and Flatpak exist .)

[25]NetBSD 10 proves old tech can still kick apps and take names three decades later

[26]Germany's Sovereign Tech Fund throws cash at FreeBSD and Samba

[27]OpenBSD 7.5 locks down with improved disk encryption support and syscall limitations

[28]The quest to make Linux bulletproof

It is clean and simple to the point of being austere. For instance, we couldn't email a screenshot to ourselves from our FreeBSD machine. As far as we can tell, this is because Firefox isn't allowed to browse the local filesystem, which breaks adding an attachment.

If extreme cleanliness and austerity sound like your sort of thing, then maybe we're wrong: maybe you will like OpenBSD. Most people probably won't, but we're glad it exists and we wish that a bit more of the internet's infrastructure ran on it. With stronger safer servers running OpenBSD, there would be fewer [29]hucksters shilling blockchain projects at industry conferences. ®

Bootnote

Although our OpenBSD skills are extremely minimal, in the interests of representation, we should note that, yes, this particular vulture is exclusively black-clad, and does eschew both wireless peripherals and Bluetooth audio devices. We are effete and decadent enough to enjoy graphical file managers in preference to a bare [30]Korn shell , though.

Get our [31]Tech Resources



[1] https://www.openbsd.org/76.html

[2] https://www.theregister.com/2024/04/17/30yo_netbsd_releases_v10/

[3] https://regmedia.co.uk/2024/10/09/openbsd_76_dtop.png

[4] https://undeadly.org/cgi?action=article;sid=20240824114631

[5] https://www.britannica.com/topic/ship-of-Theseus-philosophy

[6] https://news.ycombinator.com/item?id=41333100

[7] https://www.openbsd.org/plus76.html

[8] https://man.openbsd.org/vmm.4

[9] https://www.openbsd.org/plat.html

[10] https://www.theregister.com/2024/10/01/freebsd_and_samba_funding/

[11] https://www.theregister.com/2024/10/08/switching_from_linux_to_bsd/

[12] https://xenocara.org/

[13] https://www.fvwm.org/

[14] https://www.theregister.com/2022/04/22/openbsd_71_released_including_apple/

[15] https://www.theregister.com/2022/10/21/openbsd_72_released/

[16] https://www.theregister.com/2024/04/12/openbsd_75_disk_encryption/

[17] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_software/oses&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=2&c=2Zwf6Kh54Ytz0ztFCF7Uh7gAAAAg&t=ct%3Dns%26unitnum%3D2%26raptor%3Dcondor%26pos%3Dtop%26test%3D0

[18] https://regmedia.co.uk/2024/10/09/obsd_7-6_upgrade.png

[19] https://www.openbsdhandbook.com/upgrade/

[20] https://www.openbsd.org/faq/upgrade76.html

[21] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_software/oses&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=4&c=44Zwf6Kh54Ytz0ztFCF7Uh7gAAAAg&t=ct%3Dns%26unitnum%3D4%26raptor%3Dfalcon%26pos%3Dmid%26test%3D0

[22] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_software/oses&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=3&c=33Zwf6Kh54Ytz0ztFCF7Uh7gAAAAg&t=ct%3Dns%26unitnum%3D3%26raptor%3Deagle%26pos%3Dmid%26test%3D0

[23] https://www.theregister.com/2024/10/08/switching_from_linux_to_bsd/

[24] https://www.theregister.com/2023/02/16/bulletproof_linux/

[25] https://www.theregister.com/2024/04/17/30yo_netbsd_releases_v10/

[26] https://www.theregister.com/2024/10/01/freebsd_and_samba_funding/

[27] https://www.theregister.com/2024/04/12/openbsd_75_disk_encryption/

[28] https://www.theregister.com/2023/02/16/bulletproof_linux/

[29] https://www.theregister.com/2024/07/02/foss_ai_blockchain/

[30] https://man.openbsd.org/ksh.1

[31] https://whitepapers.theregister.com/



F. Frederick Skitty

The lack of Bluetooth support in OpenBSD is because the protocol is essentially broken. The OpenBSD developers concluded that it's impossible to write a secure Bluetooth stack, so removed the support they had at that point.

Joe W

Interesting (and, unfortunately) sound reasoning.

I'd still like to have it. I like having a wireless headset...

Now I need to dust off one of my old laptops and give it a try. On that machine, bluetooth has never been working for me (not reliably, that is), so nothing really lost...

Charlie Clark

I don't think the protocol is broken - in many ways it's a far better protocol than say WiFi or, heaven forfend, RFID– but it's known to have vulnerabilities, especially in the way OpenBSD defines them.

Spazturtle

The actual spec doesn't matter when nobody implements it correctly, for example even the base audio codec SBC is incorrectly implemented on almost all Bluetooth stacks which kills it's quality. When correctly implemented SBC is actually higher quality than aptX HD.

https://forum.hifiguides.com/t/sbc-xq-when-sbc-is-better-than-ldac-since-2019/42108

Rich 2

I’ve no idea about The security aspects of Bluetooth but my experience (and I’m sure I’m not alone here) as a user of it is that it’s still flaky as hell and if it works at all, you’re doing well

I remember someone telling me years ago about his experience working with a Bluetooth driver stack. He said the the spec had many many issues and was basically crap

Throatwarbler Mangrove

[1]obxkcd

[1] https://xkcd.com/2055/

Ship of Theseus

Aladdin Sane

Trigger's broom, Shirley?

Re: Ship of Theseus

Anonymous Coward

"Shirley? My name's Rodney. It's always been Rodney."

"So why do they call you Dave, then?"

It's a great OS so long as you're only using facilities in the base

BinkyTheMagicPaperclip

*no* ports. *no* packages. If you stick to that you're golden. Same as FreeBSD.

Built in tmux. Easy administration from ssh. Painless upgrades. syspatch to fix security issues in base. Generally decent documentation.

However as an end user system, not so much. There is currently a Firefox 0 day (update your Firefox!). Both OpenBSD and FreeBSD have updated their ports tree.

This does not extend to packages. You need to recompile from scratch using ports. Not quick, convenient, incredibly easy, or kind to the environment (thousands of people recompiling, rather than just one updating packages and everyone downloading).

Re: It's a great OS so long as you're only using facilities in the base

BinkyTheMagicPaperclip

This is for FreeBSD, not OpenBSD, but *expletive* seriously?

===> Checking if py311-wheel is already installed

/usr/ports/Mk/Scripts/create-manifest.sh: cannot create /usr/ports/devel/py-wheel/work-py311/.metadir.py311-wheel/+MANIFEST: Permission denied

*** Error code 2

(running as root)

Uninstalling and re-installing Firefox *breaks Chrome*. Slow clap, well done, and you wonder why Linux has flatpaks?

Re-install Chrome from packages to post this. Run a 'make re-install' on Firefox. It's now getting further.

With Windows you can download and be up and running again in a minute, none of this pathetic *expletive* messing around.

Busy recompiling and having to answer pointless queries about which build options I want, including *building all of LLVM* on a system that is as powerful as a quite decent system from 2008. Good job I'm not doing anything utterly critical on this box, it's not as if it's inconvenient to have an insecure browser or be without programs *for hours* is it?

pkg remove py39-wheel-0.43.0 as it conflicts with py3-11-wheel to get further. Then the same with other python packages. *why am I having to do manual dependency management?*

Re: It's a great OS so long as you're only using facilities in the base

Charlie Clark

I think you hit the nail on the head: a secure and easy to maintain system with limited functionality. Makes it well-suited to certain types of servers. But this is also makes it an excellent testbed for ideas about improving security. And, given the common userland for the BSDs, this makes it easy for the others to adopt things are they're developed, tested and verified.

The multiplatform support is largely a heritage from NetBSD but it's nice to see they continue to work on it.

Re: It's a great OS so long as you're only using facilities in the base

BinkyTheMagicPaperclip

I think at this stage the multi platform support is no longer a NetBSD heritage - many of the older platforms simply do not have enough power or memory to run modern OpenBSD (back when they still supported SGI systems, whilst it was generally low on memory usage you needed somewhere in the region of 300MB to do a relocation recompile of the kernel for kernel components on each boot for security. This took *minutes* on an O2 and ate CPU too).

The new platforms such as targeting modern POWER systems aren't influenced from NetBSD, various newer architectures have been brought up from scratch. The documentation and tools on how to do this are still much better for NetBSD, as far as I know, though.

OpenBSD with OpenSMTPD

Sudosu

Should be your next self hosted email server.

I also like it for WordPress.

Eventually I will be looking at options to use it as a reverse proxy.

I have not tried out the virtualization but may give the tires a kick to see what it is like to manage.

Haven't tried it as a "desktop" OS. Per the article, it is a bit limited on that front.

OpenBSD is a somewhat obscure, and reasonably secure OS; it likely won't be attacked nearly as much, and even if it is, it can reasonably defend itself.

cat /usr/local/share/doc/pkg-readmes/firefox

keithpeter

Quote from OA

"It is clean and simple to the point of being austere. For instance, we couldn't email a screenshot to ourselves from our FreeBSD machine. As far as we can tell, this is because Firefox isn't allowed to browse the local filesystem, which breaks adding an attachment."

On OpenBSD save attachment from (presumably) your webmail viewed in firefox to ~/Downloads. You might need to create the ~/Downloads directory first if you are using fvwm or cwm. In xfce4 it is already there. Then (I imagine) include jpeg in your article in the usual way.

Also museum quality Thinkpad X61s core-duo with xfce4, only issue so far is LibreOffice is a tad too heavy and not happy with 4Gb Ram/spinning rust.

Quote from the pkg-readme for firefox

"By default, only ~/Downloads and /tmp can be written to when downloading files, or when viewing local files as file:// URLs."

And yes, you can change that setting so Firefox can save to anywhere.

Icon: blue trousers, green jumper and greyblueish fleece jacket. No black.

Be free and open and breezy! Enjoy! Things won't get any better so
get used to it.