There are a lot of misconceptions about OpenBSD, chief of which is that it’s bulletproof. Well, the default install has had “only two remote holes, in a heck of a long time”, however those of us on planet Earth realise that few people stick to the default install in the first place. If you need your system to do anything aside from being a router or text-only web browser, then sure, default works handily.
The rest may get tedious so feel free to browse away now.
Security is a process
I’ve lost count of how many times this has come up, but it still bears repeating.
It’s not a destination. Never has been and never will be considering vulnerabilities are discovered all the time in other software needed to turn the afore-mentioned brick into a house. Just because you run a very secure OS, doesn’t mean anything else running on it won’t break and let in something bad through the cracks.
From the FAQ :
The packages and ports collection does NOT go through the same thorough security audit that is performed on the OpenBSD base system. Although we strive to keep the quality of the packages collection high, we just do not have enough human resources to ensure the same level of robustness and security.
Introducing any new software to the machine, regardless of a tar download or ports, will create potential vulnerabilities which the sysadmin has to keep an eye on, apply patches and chroot as necessary. I’m sure I don’t need to go over backing up before applying said updates as that’s just common sense.
Current vs Stable
Current is more likely to break, but you also get fixes fairly quickly. Stable is slower to get fixes, but is less likely to break in the first place.
This is pretty much true of any of the BSDs or really most of the Linux distros for that matter so plan accordingly.
Don’t choose current just for needless features on a production system. Make an informed decision on whether you’re using the full capabilities of a current branch before using it. I generally stick to stable for production systems unless there’s a feature absolutely needed that’s not in stable, which is very rare.
The FAQ, the manual and the mailing list are your friends so don’t ignore them.
Always treat these sources from the project site as your primary references. There are many wonderful tutorial sites on the net about configuring, securing (see above), and otherwise using OpenBSD, but the main sources provided on the project site are still your most reliable, up-to-date, and complete reference. Also it has, by far, one of the most comprehensive manuals for an open source project.
I’m by no means an OpenBSD expert, but I’m patient when it comes to learning and I don’t get embarrassed about asking questions if I don’t know something. You never stop learning.
That said, people who say “OpenBSD is pretty easy” or equivalent are pretentious and condescending. OpenBSD has a steep learning curve and downplaying that with statements attesting ease of use only serve to frustrate and offend people just getting into it. It gets “easier” as time goes by and as you get familiar with the environment, you will end up with a lot of capability in a very secure and stable system.
It takes a lot of reading and familiarization to get your feet wet and even if you come from a *nix background, it never hurts to read-up. OpenBSD’s strong points are security, consistency and predictability. The last two really help when learning the system.
People within the Linux and BSD community can only help their platform of choice by getting rid of the condescension toward novices.
It’s Marmite (I.E. It works for me)
OK, I get it. You don’t have to go on-and-on about how hard it is and how you just don’t understand or how anyone can use it vs, say, another BSD or Linux distro to get the same, if not better, functionality for the same effort.
If any of the other BSD or Linux flavor floats your boat, well then, more power to you.
I’ve been using Nginx + MySQL + PHP + OpenBSD on one particular production site for quite a while and I’ve been very happy. Maintenance has rarely been a problem, albeit it’s more involved due to chrooting, but I’ve had no complaints so far with the site breaking.
If anyone asks me and if it’s appropriate, this is what I’d recommend, not just on security grounds, but also because I found it consistent and reasonably straightforward to keep secure for the forseeable future. And I’m using it on that production site because it was appropriate for my situation.
Quit trying to convert people to your religion in regular face-to-face conversations saying your Kool-Aid is better for everything. You just sound like a bunch of intolerant morons; as if we needed more of those these days. If what someone does with their system isn’t your cup of tea, but doesn’t affect your system or what you do, then mind your own damn business.
Linux vs BSD comparisons?
I’ve gone over this so many times in real life, I don’t have the energy to do it again, but I will say this. Apples and Oranges — Linux is a kernel and you have a zillion different distros (Operating Systems) that use said kernel which specialize in different things or you can roll out your own. Choose or build carefully.
As for how I feel about other people’s opinions on what I choose; I’ll let Denny Crane explain :