OpenBSD: Otherwise known as Marmite

There are a lot of misconceptions about OpenBSD, chief of which is that it’s bulletproof. Well, the default install has had “only two remote holes, in a heck of a long time”, however those of us on planet Earth realise that few people stick to the default install in the first place. If you need your system to do anything aside from being a router or text-only web browser, then sure, default works handily.

The rest may get tedious so feel free to browse away now.

Security is a process

I’ve lost count of how many times this has come up, but it still bears repeating.

It’s not a destination. Never has been and never will be, considering vulnerabilities are discovered all the time in the other software needed to turn the aforementioned brick into a house. Just because you run a very secure OS doesn’t mean anything else running on it won’t break and let something bad in through the cracks.

From the FAQ:

The packages and ports collection does NOT go through the same thorough security audit that is performed on the OpenBSD base system. Although we strive to keep the quality of the packages collection high, we just do not have enough human resources to ensure the same level of robustness and security.

Introducing any new software to the machine, whether from a tar download or from ports, will create potential vulnerabilities which the sysadmin has to keep an eye on, applying patches and chrooting as necessary. I’m sure I don’t need to go over backing up before applying said updates, as that’s just common sense.

Current vs Stable

Current is more likely to break, but you also get fixes fairly quickly. Stable is slower to get fixes, but is less likely to break in the first place.

This is pretty much true of any of the BSDs or really most of the Linux distros for that matter so plan accordingly.

Don’t choose current just for needless features on a production system. Make an informed decision on whether you’re using the full capabilities of the current branch before using it. I generally stick to stable for production systems unless there’s a feature absolutely needed that’s not in stable, which is very rare.

RTFM

The FAQ, the manual and the mailing list are your friends so don’t ignore them.

Always treat these sources from the project site as your primary references. There are many wonderful tutorial sites on the net about configuring, securing (see above), and otherwise using OpenBSD, but the main sources provided on the project site are still your most reliable, up-to-date, and complete reference. Also it has, by far, one of the most comprehensive manuals for an open source project.

I’m by no means an OpenBSD expert, but I’m patient when it comes to learning and I don’t get embarrassed about asking questions if I don’t know something. You never stop learning.

That said, people who say “OpenBSD is pretty easy” or equivalent are pretentious and condescending. OpenBSD has a steep learning curve, and downplaying that with statements attesting to ease of use only serves to frustrate and offend people just getting into it. It gets “easier” as time goes by, and as you get familiar with the environment you will end up with a lot of capability in a very secure and stable system.

It takes a lot of reading and familiarization to get your feet wet and even if you come from a *nix background, it never hurts to read-up. OpenBSD’s strong points are security, consistency and predictability. The last two really help when learning the system.

People within the Linux and BSD community can only help their platform of choice by getting rid of the condescension toward novices.

It’s Marmite (I.E. It works for me)

OK, I get it. You don’t have to go on and on about how hard it is, and how you just don’t understand how anyone can use it versus, say, another BSD or Linux distro to get the same, if not better, functionality for the same effort.

If any of the other BSD or Linux flavors floats your boat, well then, more power to you.

I’ve been using Nginx + MySQL + PHP + OpenBSD on one particular production site for quite a while and I’ve been very happy. Maintenance has rarely been a problem, although it’s more involved due to chrooting, but I’ve had no complaints so far about the site breaking.

If anyone asks me and if it’s appropriate, this is what I’d recommend, not just on security grounds, but also because I found it consistent and reasonably straightforward to keep secure for the foreseeable future. And I’m using it on that production site because it was appropriate for my situation.

Quit trying to convert people to your religion in regular face-to-face conversations saying your Kool-Aid is better for everything. You just sound like a bunch of intolerant morons; as if we needed more of those these days. If what someone does with their system isn’t your cup of tea, but doesn’t affect your system or what you do, then mind your own damn business.

Linux vs BSD comparisons?

I’ve gone over this so many times in real life, I don’t have the energy to do it again, but I will say this. Apples and Oranges — Linux is a kernel and you have a zillion different distros (Operating Systems) that use said kernel which specialize in different things or you can roll out your own. Choose or build carefully.

As for how I feel about other people’s opinions on what I choose; I’ll let Denny Crane explain:

GPL vs BSD

Here we go again!!

I know I will probably stir up the sediment all over again, but this has to be clarified, if only because this came up at work yet again. And it’s quite frightening how ill-informed people are about these licenses.

(This will be long and tedious, so feel free to browse away now)

Let’s clarify a few important points right here…

The GPL is not about “freedom”

In fact, the word “freedom” doesn’t even belong in there. The problem is that the GPL, and indeed many software projects that use it, has been turned into a religion. And like all religions, it contradicts itself in sentiment… repeatedly.

I don’t have any problem with someone using the GPL in their work, and I’ve been happy using GPL’d products. But I will not treat this license as something it isn’t. That is, a doctrine on freedoms. A license is a license, and by definition all licenses carry restrictions. The GPL carries a particularly ridiculous combination of doctrine, philosophy, and law. Sounds like religion to me…

“The licenses for most software and other practical works are designed to take away your freedom to share and change the works”

The GPL does exactly the same, in that developers have to release every bit of derived or modified code under GPL or face legal action. That is a restriction placed upon the developers and distributors.

“To protect your rights, we need to prevent others from denying you these rights or asking you to surrender the rights. Therefore, you have certain responsibilities if you distribute copies of the software, or if you modify it: responsibilities to respect the freedom of others.”

So you’re forcing the code to be free because you received it free?
You’re denying some of the developers’ rights to give more rights to users?
That’s a lot like “peace… through superior firepower”.

Where’s the developers’ freedom to not distribute the code when distributing the product? Or does that get swept under user rights? I didn’t realise there were different standards for developers and users when it came to “rights”.

The freedom to distribute code or programs is, and has always been, a choice. Much like selling cake versus selling the cake with the recipe. A baker may choose to do both or only one; however, the customer is not forced to do the same by eating the cake, thereby entering into a binding contract with the baker. If the customers decide to make cake using improvements to the same recipe, are they then automatically forced to sell it with the improvements to the recipe?

That’s what the GPL really is. A binding contract: that is, a set of restrictions on those who use, develop or modify content licensed under it. It is not now, nor has it ever been, a formula for “freedom”. The GPL is not the definition of “generosity”, that is, giving without expecting any return. I hope all you GPL advocates would stop treating it as such and call it what it is. A license and a binding contract. Nothing more.

If you try to pass it off as anything other than that, then you have problems.

I’m well aware of the motivation of using the GPL and, in theory, it is a noble cause. You’re trying to ensure that quality code remains free and any quality modifications are returned to the community without becoming invisible. While distributing products for free or profit, you also want to ensure the sources are available to the community.
But let’s not call this “freedom”. Free code is just that… free code.

If someone modifies some code and chooses not to distribute it, for free or for profit, it still becomes invisible to the community. So this only applies to those who choose to distribute their work anyway.

The BSD is not about “freedom” either

It’s about not getting involved in what the end user chooses to do with their copy of the sources, and protecting the developers from harm. It is neither their duty nor their concern to police the actions of users.

Specifically, the ISC License…
The only usage restrictions are the disclaimer and copyright.

Copyright (c) Year(s), Company or Person’s Name

Permission to use, copy, modify, and/or distribute this software for any purpose with or without fee is hereby granted, provided that the above copyright notice and this permission notice appear in all copies.

THE SOFTWARE IS PROVIDED “AS IS” AND THE AUTHOR DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.

That’s it!
That’s the whole license.

Notice anything about “freedom” or philosophical ramblings?
Notice anything other than what the license is about and the criteria?
NO!

Unlike the GPL, the BSD license doesn’t pretend to be something it isn’t, and users of the BSD license are well aware that, like all licenses, it is a binding contract between developers, distributors, and users. They have no delusions about how much “freedom” either license affords; however, the BSD license, still being a license, has its own usage restrictions. Namely the copyright and the disclaimer.

Developers using the BSD license don’t care to, nor want to, police the actions of users once the source is copied. They’re not interested in “freedom” through coercion, which is actually slavery. They just want to make sure their products and sources are available from them regardless of need or future availability. If the users want to share their own modifications, then more power to them. But they’ll be damned if it’s by force.

—————

That said, I don’t use the BSD license in examples I’ve posted here. I would have placed them in the public domain if not for one indemnity clause. That’s the only reason every single line of code/HTML/CSS I’ve posted on this blog isn’t in the public domain.

I don’t want to get in trouble when things don’t go over so well for someone using my work. Except for that, everyone is free to do whatever they please with it. Use it in personal or professional projects, buy, sell, modify, reverse engineer, give me credit or don’t give me credit… whatever! I pretty much wash my hands of any responsibility after it’s posted. I don’t expect anything in return.

I’m not forcing anyone who uses any of my examples to treat their work as I do mine. In fact, I’m not forcing anyone to do anything at all with it or while using it. With the exception of the indemnity clause, there is no “law” involved in the source.

I only require anyone using my examples to agree to the following disclaimer:
THE SOFTWARE IS PROVIDED “AS IS” AND THE AUTHOR DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.

That’s it! That’s the sum total of the “restrictions” I place on anyone using my examples. Keen observers will note it’s identical to the disclaimer in the ISC license, as I want to make sure that I don’t tread on someone else’s needs while protecting myself.

In that aspect, it’s the closest I could come to placing everything in the public domain.

Public Domain : That’s freedom, folks.

A utopia by choice is heaven. A utopia by force is hell.