OpenBSD 3.0 Release, Interview with Theo

mvw writes: "Here is an interview with OpenBSD's Theo de Raadt. Interesting is his comment on Soft Updates and the comparison to the rivaling Journaling file systems technology. Further he links to a very interesting paper by some Soft Updates researchers." And although OpenBSD 3.0 has an "official" release date of December 1 for whatever reason, it seems to be available by FTP or CD already. Lots of changes since 2.9.

As much as I

As much as I accidently hit the stupid reset button on the front of my computer a Journaling file system would be great. I dont have any exp. with Bsd and was wondering How is the selection of applications for BSD? I dont need alot, A console text editor (Preferably with syntax highlighting), a Graphical Web Browser, an Mp3 player. That is about all I really use on a regular basis.

Re:As much as I

sigh, its been well explained that you don't need a journaling filesystem to be safe with transfering data to the harddrive. In fact, if you're clever enough, you can even get away safely writing without having to hold the entire system up (hence, softupdates). If you actually look through the interview, you'll find Theo actually pointing you to resources that quite seriously make this point (journaling not needed).
take a look at this [theaimsgroup.com]
it can be frustrating being right, all journaling really seems to do is attempt to fix the problems ext2fs has by laying another piece of code on top of it, instead of fixing the primary problem, that is that ext2 is broken as far as the BSD hackers are concerned.
Is waiting for fsck to finish really that much of a problem for you?

Re:As much as I

> Is waiting for fsck to finish really that much of a problem for you?

Yes, actually, when you're dealing with servers with 100's of gigs.

This is a very good thing!

SECURITY FIX: fix buffer overflow reading queue file in lpd

For those running OpenBSD, especially as a gateway/firewall/NAT box, this is an important fix. I am running 2.9 with this patch added, and my snort [snort.org] logs tell me (judging from the number of attempts) that this exploit is a fairly commonly tried one. In November alone, there were at least 30 lpd overflow attempts on my machine. Granted, not most people have lpd open to the world, but I can imagine a few people might want to do remote printing from work, etc.

Re:This is a very good thing!

Why in the name of all that is holy would anyone have lpd running on a firewall?

Fixes

Actually, OpenBSD 3.0 was available for download since nov 25th, and a few patches (security fixes) are already available.
Here is the list: http://www.openbsd.org/errata.html [openbsd.org]

Don't forget to update to OpenSSH 3.0.1

-J

Release Date

And although OpenBSD 3.0 has an "official" release date of December 1 for whatever reason, it seems to be available by FTP or CD already.

Probably because they want to avoid a fiasco like the last tremendous release mess that michael caused [slashdot.org].

It's not uncommon for "official" releases to be after the initial release. It's like when a large department store has a "GRAND OPENING". In many cases, the GRAND OPENING is about a week after the store actually opens. Or if the store opens during the week, the GRAND OPENING will be on that weekend.

The origin of OpenBSD

As I sit here waiting for my copy of OpenBSD 3.0 to arrive, I've been reading the exchange of emails between Theo and the NetBSD core team, which is a history of how OpenBSD came to be.

If you haven't read them before, it's quite a read, and a good lesson of how personal politics can fragment a collaborative project.

Here's the link: http://zeus.theos.com/deraadt/coremail [theos.com]

Re:The origin of OpenBSD

What was amazing to me about them is the fact that Theo proudly links to them as proof that he was being entirely reasonable and they were being discriminatory, but the emails show quite clearly that he was completely unwilling to make a simple promise not to be an asshole after having demonstrated a history of pissing people off.

He's got a right to be an asshole, and god knows I'm the pot calling the kettle black, but to link to those emails and think they provide vindication is heavily disconnected from reality.

Re:The origin of OpenBSD

I read them and got exactly the opposite view. It sounded to me like he was a regular guy getting the shaft and not wanting to take it lying down. And that little clip from IRC where he said:

Then I guess you are just stupid.

That made me laugh like mad. I love it. Sounds like me. Sounds like my friends. Hey, he cycles. He caves. He founds OpenBSD. He speaks his mind. He has a sense of humor. He sounds cool, not like an asshole at all.

Some of the other people I was reading... Like the guy who kept on about professionalism and representing your organization, even in private e-mail... sound like pricks/assholes to me. I've had to deal with people like that -- people who feel like the dollars and the "drive to succeed" are all that matter and that individuality and honesty have no place in America.

But then, I will never sell me soul to my employer or anyone else, no matter how much cash or recognition it would get me. Guess that makes me a commie. ;) Of course, the whole open-source world has been accused of being nothing more than a communist plot...

Rant, rant, yaddah, yadda...

I dig Theo. OpenBSD just scored personality points in my book.

Re:The origin of OpenBSD

Notably absent from the email exchange are any of the emails, ICB logs, or anything that show the basis for the whole problem.

Basically, Theo had a history of being abusive and petty to anyone who didn't meet his standards of cluefulness. He pretty much admits this himself in the interview. This was alienating a large number of NetBSD developers who ended up leaving the project (I was one of them.)

The Core team repeatedly asked him to tone it down; their feeling seemed more of a "anyone who wants to help with NetBSD will be welcome," instead of "You must be this elite to code NetBSD." Theo maintained that he was doing nothing wrong.

Eventually, they shut Theo down, which is where the email thread starts. A large part of the thread deals with Theo's requests to regain CVS access. The Core group was willing to submit his code as patches themselves, but Theo would only submit code if he could have CVS write access. Core was worried that Theo might decide to get "revenge" by damaging the CVS tree; This might seem worry-warting, except they all knew that Theo had been previously fired from a SysAdmin job at the U of C for doing something like that.

Eventually, Theo started OpenBSD and now has his own sandbox where nobody can tell him what to do. In the end, I guess that's good, because both OpenBSD and NetBSD regularly crib from each other's trees anyways and people now get the choice of whether they want to deal with Theo or not.

Sounds like Linux

Poof! the old vm disappears

Why 1st December ...

I think it is an established habits that releases happen on 1st Dec and 1 June every year.

On the plus side, you don't have to answer to the question "when will be the next release" ...

MandrakeBSD?

a) Theo and company (good company) don't need or seek new users just to be popular. They like doing what they do -- I know that. Don't take what I'm about to say as marketing advice to them, so much as a pleasant wish. It doesn't impose an obligation or demand on the OpenBSD guys, and I know it. Still ...

b) I'm surprised (not to say hurt, disappointed and disconsolate) that no one (am I wrong?) has come out with the equivalent of Mandrake to at least one of the BSDs -- and by equivalent I mean in a certain superficial but important way: user-friendly, pretty install, emphasis on user experience, intelligibility.

c) Really, I'm just talking about the install. Something with some graphical flair, built-in help system for new users, and a game or two, or a little slideshow, or some interesting history text files, *something* built in to play while slow parts of the install proceed. No accounting for taste, but I think there are a lot of good graphic artists (all the Ximian stuff, for instance, and many great KDE examples) working in the world of free software. (Hey, I also like the BSD art, so obviously I am open for attack by the art critics;)).

I name Mandrake as my prototype here, just because I happen to like their stuff -- RH also makes a pretty install, not quite as cute, and so do several other distros. But Mandrake is in Walmart, which suits my example ("Walmart: making things accessable to the masses")

Cheers,

Tim

Re:MandrakeBSD?

VMS is the original anti-UNIX. It later added some general POSIXy behaviour simply because everyone was using UNIX. Windows NT also had the stated goal of becoming "a better UNIX than UNIX," but they certainly haven't spent much time actually trying to be Unix compatible. Their POSIX layer is a joke, and they don't even have a decent way to fork() for crying out loud.

Besides, while Microsoft almost certainly is looking into "borrowing" portions of BSD code (which will then magically become innovative), they aren't ever likely to actually release an OS that is Unix like. Part of the fun of the BSDs, Linux, and Commercial Unixen is that it usually isn't too much trouble to port your software from one of these platforms to a different one. This is precisely what Microsoft wants to avoid. Microsoft wants the equivalent of a one way valve when it comes to software portability. They want for it to be easy to port from Unix to Windows, but they want it to be impossible to port from Windows to Unix. Clearly shifting to a BSD based OS would work against them.

Status of the pf packet filter?

What is the status of pf as of now?

Is it stable, secure, and feature complete or is it recommended to install ipf from other sources?

3.0 already?

I though they had just released 2.5 ?
Code at the speed of light!

Interested...

I'm interested in running OpenBSD for my NAT gateway, though I'm left with a lingering issue..
Does OpenBSD include any support for decent irc connection tracking like what is available in iptables for linux? I have people behind the gateway that use DCC within IRC, and without good connection tracking, I'm not sure how to go about securely allowing one or more people to use IRC and have DCC work.
Everything else I plan on using this system for (software RAID, NIS+, samba PDC and fileserver, NFS) seems to be fine, but this one little nitpick of mine may keep me off of OpenBSD.
Also, how is the raid implementation as far as moving the array from one openbsd install to another, and is there any semblance of lvm there? The volume management stuff w/ resizable partitions would be nice, but by no means necessary..

softupdates new?

The blurb on /. home makes it sound like SoftUpdates are something new, which is just being introduced. That stuff's been around for a bunch of years now.

pf : an excellent packet filter

The big new feature in OpenBSD 3.0 is pf.

• Interesting stuff in pf over ipf : the configuration file accepts a very similar syntax, but with very handy shortcuts, especially expansion. For instance you can write { pop,smtp,imap } in a rule to specify a list of ports, instead of creating multiple rules. It also accepts macro substitutions. You can easily write very clean configuration files.
• Interesting stuff in pf over ipfw/ipfiler/iptables :
  • scrub : just give an interface name, and pf will "normalize" everything coming to this interface. Packets will get cleaned up and reconstructed : your local network will only see clean packets, nothing that could be dangerous for badly written IP stacks.
  • tcp state modulation : this feature dynamically remaps tcp sequence numbers, to give the excellent entropy of OpenBSD stack to all your traffic. It means that servers running Windows, badly configured Solaris or older FreeBSD versions can be protected from session hijacking, even through their stack has weak sequence randomization.

pf seems to be very stable so far. Just don't forget to apply the related errata if you're planning to use IPv6.
Another great feature of OpenBSD 3.0 regarding network filtering/routing is the integration of AltQ, that brings quality of service to your IP traffic. It basically has the same (but very flexible and efficient) algorithms and class system that Linux has. But it's very nice to see it in OpenBSD.

Re:pf : an excellent packet filter

* For NAT:

OpenBSD 3.0 has a transparent ftp proxy called "ftp-proxy". You have to run it through inetd (or any super server. I use it with tcpserver) . It listens to a local port, and you just have to redirect outgoing traffic for port 21 to the local ftp proxy port. It allows active and passive connections to NATed internal hosts.

If it can help, my /etc/nat.conf file is :

rdr on vr1 proto tcp from any to any port 21 -> 127.0.0.1 port 8081
nat on vr0 from 10.1.1.0/24 to any -> 195.132.209.36

I start ftp-proxy like this :

/usr/local/bin/tcpserver -H -R -q 127.0.0.1 8081 /usr/libexec/ftp-proxy &

*WARNING*
ftp-proxy has a nice security feature to only accept anonymous sessions (-A). But don't trust it : clients can bypass the restrictions with some buggy servers (the flaw works with proftpd and ncftpd. it doesn't work with pureftpd) .

* For firewalling (without NAT) :

You have to explicitely open some ports for active connections. For the minimum number of ports : choose at least twice the max number of simultaneous sessions you need. Open them on the firewall. Then, force your FTP server to only use these ports. On Pure-FTPd, it's with '-p :', example :

pure-ftpd -4 -p 50000:51000 &

(don't forget '-4' for OpenBSD) .

file systems

could somebody explain, or point me to a site that explains, diferent filesystems. perferable at a 5,000 foot perspective. I want to know about them, and there advantages/disadvantages but I own't be coding them. I would like to make a informed decsion in this matter.
Thank you.

"Don't like my spelling? blame a teacher"

Re:file systems

Some links:

• The article given does some comparisons:
  http://www.usenix.org/publications/library/proceed ings/usenix2000/general/full_papers/seltzer/seltze r_html/index.html [usenix.org]

• Then we have the Matt Dillon Interview, where Soft Updates covered as well (point 3):
  http://www.osnews.com/story.php?news_id=153 [osnews.com]

• Here is a nice french article:
  http://www.freebsd-fr.org/docs/fr/others/systeme-f ichier/ [freebsd-fr.org]

• And this is a series of articles on file systems:
  http://www-106.ibm.com/developerworks/linux/librar y/l-fs7/ [ibm.com]

• This is the original FFS paper:
  http://docs.freebsd.org/44doc/smm/05.fastfs/paper. html [freebsd.org]

ISO download

As Theo says himself in his interview, people who don't like his model of selling the ISOs are free to make their own. This will hopefully quiet the stupidity that usually follows this announcement:

As usual, ISO images here [zedz.net].

I'm waitting on our 3 OpenBSD CDs

We use OpenBSD exclusively for our web servers. We moved our database servers from OpenBSD to Linux. I look foward to migrating our systems (some 2.8, some 2.9, one that I broke trying to do a fancy 2.8->2.9 upgrade...) when our CDs arrived. We figured that we use OpenBSD a lot, owning a bunch of CDs was worth it. Alas, it is is still cheaper than the copies of RedHat that we pick up.

OpenBSD has a real problem that I was never able to resolve, this makes it worthless for a database server. The machine is quite "efficient" with memory, which let it run with very little memory. However, with a lot of memory (our db servers normally have 1.5GB -> 2GB, I LIKE giving PostgreSQL lots of buffers and sortmem) there is little documentation on tweaking the system. I even contacted the developers in charge of the SysV memory support, etc., and they thought I hit the crack rock a little to hard.

For web servers, however, I'm quite comfortable with our OpenBSD servers sitting open on the Internet. I'm terrified of a RedHat box not being hidden. As a result, I keep the database nice and hidden.

Linux blows OpenBSD's performance away. This is a matter of Linux focusing on performance. However, for web servers (that for us just run PHP, mod_rewrite, and some other toys) I don't care... When I need more web serving power, I buy another web server for $2K. Having SSL built in to Apache is nice, and the ports is too fucking slick.

BTW: OpenBSD seems to run quite nicely on my Penguin Computing 1U servers... :)

Alex

I expect to keep our production servers on 2.9 for 2-3 months, but move development to 3.0.

Looking to get into using BSD

I'm interested in getting started with a BSD, but which one I should use I don't know. I'm not that afraid of having to configure hardware myself, but I'd prefer something that makes a reasonable attempt to do that for me.

So.....
1. Which is the easiest/best to get started with?
2. Which has the best documentation
3. Do any of them have compatability with Linux configuration tools like Kudzu and HardDrake?
4. Which one supports the most x86 hardware

TUX2 Phase Tree: Better than Soft Updates

TUX2 Phase Tree: Better than Soft Updates

As Levar Burton says in Reading Rainbow, "but don't take my word for it."

• http://kt.zork.net/kernel-traffic/kt20000814_80. ht ml#1
• http://kt.zork.net/kernel-traffic/kt20001016_89. ht ml#1
• http://kt.zork.net/kernel-traffic/kt20010119_103 .h tml#1
• http://kt.zork.net/kernel-traffic/kt20010702_124 .h tml#10

-l

KDE on PPC?

I'm running OpenBSD 3.0/macppc on my iMac, and can't get KDE to build from the ports collection. Is anyone else having this problem? I CVSed the 3.0 branch of ports, so I don't think it's some weird update issue.

--saint

The reason for the early release:

was that the cd's were available earlier than expected, according to this message from Theo at the OpenBSD Journal.

Btw, the headlines from this site are available as a slashbox, just check the box in your /. preferences [slashdot.org].

Snake_dad (who runs Linux, Winedose, Novell 3.12 and ... OpenBSD :-)

This is a few days old

This news (both Theo interview and others) has been up for a few days on OpenBSD Journal [deadly.org].

Slashdot readers who have made an account and are logged in can customize their display [slashdot.org] to add the headlines from OpenBSD journal and other sites to their main slashdot page, and catch news like this as it happens. It's a neat feature. ;)

Slashdot bias

I'm getting sick of this constant stream of freshmeat-like announcements of Linux-specific junk. You know there's more in the world than just Li... oh, you said OpenBSD! ;-)

-Aaron, who has seen too many serious posts that began with similar statements

The main problem with OpenBSD

I agree that FreeBSD is in deep trouble. And while FreeBSD is beset with its own internal strife, it is not the only BSD to be affected by this cancer.

I read that T.Deraadt email thread when I first looked at OpenBSD, and my initial impression was that Theo had a real baaaaadddd attitude. I do know for a fact that a lot of the NetBSD folks were upset to see him leave and fork off his own version of the OS, and to lose him as a developer. But in reading his email he obviously has a problem with taking any criticism, and had no problem with jumping down someone's throat with a flamethrower and foul language. Denial, its not just a river in Egypt...

Not that I wouldn't use OpenBSD, or any other operating system that met my technical needs, whatever the personality of the people involved. I've dealt with enough bad attitudes from commercial OS vendors in my years in the industry to be able to deal with it if I have to. It just seems that *BSD has an extra heaping helping of bad attitudes that make commercial vendors look like pikers.

If you *really* read that email thread, you would see the attitude loud and clear. "We don't think that it helps anything for you to tell someone he's a f**khead when he's posting a message trying to help with the OS development." "F**K YOU, *I* want control of the source and if you don't like it I'll fork my own off!"

That's my impression of it... He sounded like an immature little upset kid to me. The development of any of the O.S. OS's is a group effort, and having one person think they have all the answers and have to be the one in control is dead wrong. So, now he *has* control of his own fork of BSD, and lost the ability to maintain many of the various platform ports because he has no developers. Thus, the OpenBSD page says that for a VAX port, for instance, "support can be easily ported over from NetBSD". Why these problems are so prevalent under FreeBSD/OpenBSD/NetBSD remains something of a mystery. These systems seem to be self selective in their attraction to weirdos and big egos.

The split had nothing to do with the quality of his coding work, and everything to do with his nasty attitude towards people... and NOT just the people of NetBSD Core, but other people who were just civilians trying to help out, or looking for help. No wonder BSD has lost.

Just installed it...

I recently installed 3.0 to replace a 2.8 that I was using as a firewall. At first I didn't want to upgrade due to ipf and ipnat having been removed (ipnat in particular is quite powerful given its simplicity). Fortunately, pf is quite easy to set up, and I managed to do the switch in the course of one work day (most of it spent installing the OS). I noticed the following gotchas, though:

• with frag/short is gone. if you have it in your rules, you'll have to remove it. I think scrub does the same, though (but correct me if I'm wrong);
• NAT is not quite the same NAT. pf only supports many-to-one at the moment, and the outside address *must* be the machine's external address. If you've used ipchains, you'll recognise this is the same as masquerading.
• pflogd doesn't log to syslog. Instead, it dumps logged packets to a binary file, which you then examine with tcpdump.

However, those are minor issues, mind. In the end, I'm quite pleased with the changes. It "feels" much more stable, for one. And the installer couldn't be any simpler: it sets up your disklabels, formats the partitions, configures your network connections, and downloads the OS, and you only need one floppy for that.

Say it like it is.

From the interview:

Some vague claims have been made that the fuss was over stuff that I said. Well, if anything I said back in those days was a crime against the community, I would say it again. And as anyone on our mailing lists knows, I am not someone to mince words. I say things as they are. Slackers are called slackers, people who can't read manual pages are called losers, and in general, calling things what they are results in developers wasting less time.

You gotta love comments like these! Well, you might not, but I do anyway. I say, why hide behind glossy, laminated marketing? (By the way, I'm not trying to say anything against the NetBSD team. They're good folks and NetBSD is a great product, as is OpenBSD.) All I'm saying is that people should say things as they are. If you can't read a man page, you shouldn't be using a computer! It's as simple as that.

Oh well.

Good read; Proper maintainance.

Theo included a good link [usenix.org] in his interview...

I just finished reading it and it is some wonderful information. Seriously, everybody who runs any of the BSDs or Linux should read this paper. It will give you a much deeper understanding of what's going on and why, and this will lead to better choices when you configure your next box (or maintain those you're running right now). As always, reliable operation of any machine (be it a computer, a car, or a nuclear power plant) depends heavily on knowledgeable use and proper maintainence.

Oh well.

SLACKERS!

You trolls are slacking off! It took you almost 30 minutes to post the *BSD is dead troll on a blatantly obvious BSD article!

Better start beefing your trolls up. You're gonna get overrun by a buncha girly geeks!

-DFW : Jamie banned.

Re:When I installed...

what about a quick search on the jargon file?

http://www.tuxedo.org/~esr/jargon/html/entry/whe el .html

Re:Donations have slumped?

Does Theo frequently act immature online ... sure. But clearly Theo is at least no worse than he was in the past (actually, I think he's matured a bit), and his .. uhm .. social graces aren't exactly a big secret. It makes little sense to reason that this accounts for fewer donations to the project.

It is too bad that OBSD lists/newgroups are often frequented by impressionable Theo-wanna-be's that are under the misimpression that it is cool to be rude. Theo acting alone would just be a curiousity ... Most of the OBSD core developers are generally pretty civil.

As to the lack of SMP support, the OBSD core group's reasoning is pretty sound. They feel that it will introduce security complications, and isn't a big advantage in the roles OBSD generally serves (e.g. firewall; basic web-server; OBSD enthusiast desktop). Since security is their priority, it is ridiculous to critize them for slow progress in SMP support. I believe the official line is the unreligious statement 'if you truely need or want SMP, look elsewhere for now'.

Re:When I installed...

the jargon file being of no help...

users in the wheel group can "take the wheel", as it were. if you're not in wheel, you don't get to drive. wheel is still implemented on openbsd and freebsd (dunno about net)

Re:Donations have slumped?

I've been reading misc for the last two years, and yes, there are a lot of flames. 99% of them are responses to someone who didn't bother to try man -k, the FAQ, the mailing list archives, or including relevant information (like what version of Open on what hardware). If you can't be bothered to try to think about it for yourself, why ask other people to think about it for you? If you ask a question that you tried to answer, chances are you wont get flamed. If the entire message is "how do I configure this?" with no clue as to what this you might be refering to, I hope Theo flames you. Having said that, that 1% or so of flames are people being people. It's not pretty, it's not nice, but it's human nature, there are no mailing lists without flames.

itachi

Re:VA Software confirms.. *BSD is dying

Silly troll. Your miracle was the solar flare that accompanied the announcement of the release of OS X.1. Apple has put OS X (as a secondary dual-boot OS) on hundreds of thousands of Macs since last May, and will be making it the default OS on all machines shipping starting next March. OS X is the mighty sword with which Apple plans to slice and dice Microsoft's monopoly!

In case you didn't even bother to read the title of the parent article (except for the letters "BSD"), OpenBSD 3.0 is going to be released on December 1st. New releases are not a good sign of impending doom. ;) Although I firmly believe that OS X has a special place in Mothra's heart due to its role in her divine plan to save us from an evil monopoly ;), I think it is best to have many versions of BSD, Linux, etc. so there is something to fit everyone's needs and preferences. OS X is great as an end user OS with both commercial and open source applications. OpenBSD is good if you need the security. Linux does great things as an embedded OS (and several other things). Etc. As long as they all play nicely with open standards, they can all coexist happily. The only things that needs to die are Microsoft's bad attitudes and their bugs.

"Mothra, you are Life Eternal! Hear the prayers of your servants. Come back to us from out of the legend. Come and save us with your power of Life!"
- From the US release of "Mothra"

15 days until Mothra returns!

Re:Donations have slumped?

> we don't care if you use OpenBSD
as Theo says, he does it as a hobby and doesn't want to force anyone to use OpenBSD.
The fewer users, the more the developers have time to hack (which is joy for him).
Even I got an answer :)
> journalling is for linux weenies
I liked fewer fsck time, but I have let me persuade by the team. Softupdates are ok.
See the thread on linux-kernel@ (yes I follow l-k, misc@, tech@, source-changes@ and few others) on "Journalling pointless with today's hard drives?"
> what did you do before
4.2BSD FFS
4.4BSD LFS
check it out - LFS is still in the tree (escept for newlfs), albeit defunct.
I tried to get it running, but won't compile.
> bit performance boost on SMP
A Pentium-133 with 64MB RAM can easily saturate a 100Mbps line as web- and fileserver at up to 30% load.
My Pentium-100 (OC'ed 90) with 24MB additionally acts as Samba server and router/NAT/firewall,
and as IPv6 native router + tunnel endpoint.
This box using a Hercules gfx card (oh yes, this thingy at 720x348x1) and a self-built snapshot by anoncvs. It is rock solid, and I regularily hit the power switch by accident.
And my Windoze user profiles are stored on it, and it's my companion on almost any LAN I attend.

> Security
Prove an exploit.