I built my last company on OpenBSD. It was easy to understand the entire system, and secure-by-default (everything disabled) is the right posture for servers. Pledge and unveil worked brilliantly to restrict our Go processes to specific syscall sets and files. The firewall on OpenBSD is miles better to configure than iptables. I never had challenges upgrading them--they just kept working for years.
It's barely usable by itself but I don't think it's an inherent problem of
seccomp-bpf, rather the lack of libc support. Surely the task of "determine
which syscalls are used for feature X" belongs in the software that decides which
syscalls to use for feature X.
Linux is far too bloated to ve run as a secure system and the attack surface of any linux distro, due to the number of kernel modules loaded by default, is very big.
> I built my last company on OpenBSD. It was easy to understand the entire system, and secure-by-default (everything disabled) is the right posture for servers.
That really depends. You could argue a router is a server. OpenWRT has the default of WiFi off for security, which means that if the config is somehow hosed and you have to hard reset the router, you now have an inaccessible brick unless you happen to have a USB-Ethernet adapter on you.
Sensible defaults are much, much better than the absolutionist approach of "disable everything".
Edit: it's so funny to know that all the people slamming the downvote have never hit the brick wall of a dumb default. I hope you stay blessed like that!
> Edit: it's so funny to know that all the people slamming the downvote have never hit the brick wall of a dumb default.
I'll bite. OpenBSD and OpenWRT are different things, and I'm honestly surprised to hear that tech matters enough to you to setup OpenWRT but not enough to own a desktop (or a laptop that doesn't skimp on ports)
They are, but Linux or BSD doesn't matter all that much when it is about the meta case of deciding the defaults.
Funnily enough I feel a BSD is much more suited to modems / routers, if it weren't for HW WiFi support. Yes, I know you can separate your routing and your access point onto different devices.
At any rate I'm just pointing out that that absolutionism is rarely the right answer. It's also pretty telling that people actually went through my comment history to downvote a few unrelated recent comments. Must have hit a nerve.
As far as computing device goed, I prefer not lugging around a plastic brick. And one is bound to either lose or forget a dongle. In which case you get boned by OpenWRT's dumb default.
The reason for that default is that if they set up an open OpenWRT WiFi (or default passworded, think "OpenWRT2025"), in that split 5 minute window before you change it, some wardriver might login and mess with your network.
Obviously the chances of that are rather insignificant. And they could generate a default password based on the hardware. For the real security nuts they could tell them to build an image without default-on WiFi (currently they do the inverse).
Servers I setup in openbsd just keep working, and are an easy patch/upgrade process. Servers I setup in Ubuntu break and have weird patching issues. Maybe it's something I'm doing, but I sure do like that OpenBSD seems a lot easier to just have solid and work indefinitely.
Debian (provided you don't just dump a bunch of 3rd party repos) just upgrades cleanly, we have hundreds of servers that just run unattended-upgrade and get upgraded to new Debian version every 2 years.
I used to have this Debian box (which was a PowerMac G4) in my hallway. It had a 1000+ day uptime, back when this kind of uptime was still cool, or at least I thought it was. At some point it was two major versions behind, and I decided to dist-upgrade it. To my amazement, the upgrade went flawlessly, and the system booted without problems afterward. Debian is just great like that.
Not the Grand Poster, but we use the Debian package "unattended-upgrades" to install security updates automatically on our servers, and send an email if a reboot is required to complete the process (kernel upgrade).
Unattended upgrades could be configured to install more than the security release. Even with the stable release, one can add the official APT source for the Debian backports.
Back to OpenBSD... realize that it has no "unattended upgrades" capability. Until syspatch(8) appeared in 6.x you had to download patches and rebuild kernel and userland to get security fixes. Today, you could run syspatch(8) in a cron job but that only covers the base system. You'd need to handle any installed packages separately. And only the current and immediately previous release are supported at all. There are two releases a year, so you have to upgrade every ~6 months to stay in the support window.
Fortunately, with the introduction of the syspatch(8) and sysupgrade(8) utilities this is much simpler than it used to be. And, release numbers are just sequential with one point number, i.e. 7.0 was just the next release after 6.9, nothing more is implied by the "major" number ticking up.
Debian still has security fixes, and point releases. unattended-upgrades is the package that automates their install.
I think you can also do unattended release upgrades by using the 'stable' release alias in sources. That will probably result in some stuff breaking since there will be package and configuration churn.
Well - I would recommend using a better linux distribution than Ubuntu.
I run just lighttpd these days; used to run httpd before they decided the configuration must become even more complicated. I don't have any issues
with lighttpd (admittedly only few people use it; most seem to now use nginx).
Ubuntu seems to have a trend of taking something that works under Debian and somehow messing that up. Upgrades are one thing but for a while we had separate instruction on how to make Yubikey tokens work under each version of Ubuntu (we used them as smartcards for SSH key auth), while Debian instructions stayed the same...
Update was also hit and miss on user's desktop machines, for a while ubuntu had a nasty habit of installing new kernel upgrades... without removing old ones, which eventually made boot run out of space and poor user usually had to give it to helpdesk to fix.
Tho tbh most of the problems in any distro with packages is "an user installed 3rd party repo that don't have well structured packages and it got messy".
I have used lighttpd in the past but have been using nginx largely because I got used to it because other people chose it.
Now in more of a position to pick for myself, and I wondered how you feel about the pros and cons of lighttpd? I remember quite liking its config at the time.
Long time OpenBSD fan. Used it as my daily driver for years before standardizing all computers at home to macOS. I still think about going back to openBSD one day, but it's no longer very practical as a daily driver.
I want to use OpenBSD for the next project I'm building. However, I can't wrap my head around the old way of doing deployments (before containers). People who've built production grade systems with OpenBSD:
1. How do you deploy software?
2. How do you manage fleets of servers?
3. How do you spin up/turn down servers from cloud providers? (I only know of Vultr who provided an OpenBSD option out of the box).
> Long time OpenBSD fan. Used it as my daily driver for years before standardizing all computers at home to macOS. I still think about going back to openBSD one day, but it's no longer very practical as a daily driver.
It's only practical for hobbyists. I used OpenBSD as a daily driver between 2001-2005. I fought, I suffered, I conquered, and I got tired of not being able to watch video on the web reliably and MacOS in those days was so clean and refreshing. I learned so much, though.
> I want to use OpenBSD for the next project I'm building.
I admire your open-mindedness. But ask yourself:
1. Do you want to have to upgrade fleets of servers every year with no exceptions for extended security support instead of 5 (or more if you're willing to pay) for LTS versions of Linux?
2. Who else will need to support it?
3. You will likely have worse performance if that matters.
> 1. How do you deploy software?
Honestly, not many people create their own services that run on OpenBSD. Those that do use old-school packaging and scripting. Tooling like ansible works.
> 2. How do you manage fleets of servers?
Ansible would be my go-to for classic fleets of servers.
> How do you spin up/turn down servers from cloud providers?
There are ports of cloud-init for OpenBSD. Creating images for third party OSes can be different levels of painful, depending on the cloud provider.
OpenBSD has virtualization out of the box now. Most of the benefit of containers you can get with chroot. I don't know if any of the developers are working on a true container/jail capability.
I'd like to see a more modern performant filesystem with OpenBSD but ffs has never really let me down. Capability for logical volumes and/or live resizing of partitions would be welcome as well.
One of the reasons why I'm using OpenBSD is because it passes what I think of as a litmus test for FLOSS software: can I build the whole thing from scratch, in a short time and with minimal fuss? In the case of OpenBSD, the answer is yes. I can install it on a new machine, fetch the source code from mirrors, do some edits to the source, build a fresh release, write it to a USB stick and boot it on another machine. On my machine, the whole process takes about 10 minutes for the kernel, additional 20 minutes for base and maybe an hour if you add Xenocara. Compare that to Linux distros like Ubuntu or Arch where building from scratch is either discouraged or some fringe activity that requires skimming through wiki articles, forum posts or old Websites on the Wayback Machine.
Gentoo is a Linux rolling release built from source (just recently they gave the option of using binary packages as well). I've ran it on my desktop for years.
I adore openbsd and have been using it since 4.x however it is still slow, not slow to boot or anything like that but if you run it as a web server it manages about half the req/s of Debian. Network performance is also slower than Debian if you're using it as a firewall (but I still prefer it as the syntax of PF is just perfect).
there's a lot of optimisations they don't engage with because it makes the code "ugly" but there's a larger one here, where they disable hyperthreading outright due to side-channel attacks.
It used to be faster than Linux for that, but that's been a while ago.
I moved some stuff away from OpenBSD when the release of Linux 2.4 implemented all missing firewall functionality - but kept others still due to the early issues with the 2.4 kernel. But by the time 2.5 was getting decent - roughly a year before the 2.6 release - in most cases just using Linux with a custom 2.5 kernel was the better option.
You do have to buy more powerful hardware than you otherwise would. I find it worth it to run code I can more easily understand. I agree on Debian as well. My router and laptop are OpenBSD but most vms on my proxmox are Debian.
Agreed. I run my OpenBSD firewall on my odroid h4 - it's relatively cheap and plenty powerful to route gigabit+. I prefer pf and the simplicity of OpenBSD over Debian for such a purpose-built application. For my other "home servers" I simply run Debian as I believe it to be one of the more sane Linux choices for a server-type application.
To be honest I don't really see a reason to use a *BSD system myself other than just for the sake of using something different and less mainstream. FreeBSD had some advantages in the past but nowadays Linux has caught up in features.
When I switched to FreeBSD, it was because of the quality of the documentation. In Linux manpages are a patchwork from various sources, and it shows; it's not rare for a manpage to be missing, obsolete, or to document another similar tool, or to be inacurrate... Much better than in many other OSes, but still nowhere as good as in FreeBSD.
Now that I think of it, when I switched from DOS to Linux it was already because I found manpages amazing. Maybe I've just a soft spot for documentation.
BSD license so you don't have to upstream your stuff would be one. Tho it's not an advantage to *BSD systems, Linux near-forcing vendors to go mainline (as keeping separate kernel tree is PITA) did a lot of good in hardware support.
Not really a problem for users. Only for people who want to redistribute a fork. It matters if you are Apple or Sony, but not for most people.
incidentally, the requirement of the GPL is not to upstream your stuff, but to offer to make the modified source available to anyone you distribute the code to. Often the same in practice, but does not have to be.
I feel like DragonflyBSD is really cool if you want to look at some BSD that offers some advantages and something unique to your day-to-day desktop usage. And I feel like their community is not as toxic as that of FreeBSD and OpenBSD with their holier-than-thou attitude towards Linux.
I'd love it if Gentoo/BSD were a thing once again, I like the BSD concepts but there's nothing like Portage on BSD so far - afaik pkgsrc is nowhere close to it.
>To be honest I don't really see a reason to use a *BSD system myself
I see some reasons:
- the BSD license
- the system is composed of pieces written to work together, it is built from start up as a coherent operating system as opposed to things cobbled together like other UNIX-like OS-es do
I tried using OpenBSD, but the support for some specific things isn't very good. For example, J language support is always missing some packages. I also don't want to, and very much do not want to, use systemd. I finally chose FreeBSD, but I'm using some things from OpenBSD as much as possible, like obhttpd, etc. It feels good now.
GP is referring to the LLM crawler captcha thing. The one with the anime girls in it. It only took a few seconds on my phone, but it's slow on my old ThinkPad.
It's not about keeping spam out of comments, it's about keeping systems and content safe/operational for normal people and more costly or unavailable for the trillion dollar "AI" companies that are shitting all over everything.
Don't blame this on site operators, this is the fault of careless LLM operators knocking down everybody's walls doors and windows to "learn" from their content.
I appreciate that OpenBSD sold its course on security-everywhere.
Unfortunately I also kind of lost faith in the BSD variants. There
are a few minor things such as PC-BSD suddenly vanishing, or years
before NetBSD on their mailing list admitting that Linux outperformed
their "runs on any toaster and other gimmick" strategy. But one of
the key issues I had was this:
I installed it (FreeBSD) on my second computer. I went out of my
apartment and returned hours later. Well, the FreeBSD machine was
no longer running; my linux machine on the other hand is running
non-stop for months, literally. This may be a fluke, perhaps the
computer had a problem - I am not saying this is really what the
BSDs are all about, as I also had them installed before. But then
I also asked myself "why would I want to bother with the BSDs,
if Linux simply runs better?". And I haven't found a good, convincing
answer to that for me to rationalise why I'd still be using the
BSDs. Note: I also use Linux in a non-standard way, e. g. versioned
AppDirs, but essentially Linux is simply more flexible than the BSDs
(that is my opinion) and there are more users too. There will be always
some BSD users, but to me they are like a dying breed. They would need
to market themselves as a "runs outside the nerd bubble as well"; even
Linux is still stuck in its own nerd bubble. You have to break out of
it if you want to really dominate (Linux semi-does it indirectly, e. g.
we can count many smartphones as Linux-driven, but I am still using a
desktop computer system here, so to me this is what really counts, even
if the total number is less than the smartphone users numbers).
What Linux has is mostly better hardware support and on gnome and some distributions they have a software installation tool that look like an app store but that's about it... Everything else is pretty much the same, random people wouldn't figure out a system is freebsd instead of Linux when running same desktop (like plasma).
Which is what makes Linux kernel stand out, as we can see by Sony and Apple contributions upstream.
Had BSD not been busy with AT&T lawsuit, all major UNIXes would probably still be around, consuming whatever was produced out of BSD like the networking code and OS IPC improvements over AT&T UNIX.
Instead sponsoring Linux kernel became the plan B, as means to reduce their UNIX development costs.
> Commercial use began when Dell and IBM, followed by Hewlett-Packard, started offering Linux support to escape Microsoft's monopoly in the desktop operating system market
Ironically the major contributor to many GNU/Linux critical components, Red-Hat, is now an IBM subsiduary, recouping that investment beyond doing only Aix.
It is no accident that all FOSS OSes that came after Linux, none of them has adopted GPL, as big corporations would rather not be obliged by it.
Of course big corporations would rather not be obliged by the GPL. But my feeling is that, if we give them the option to grab the code without contributing back their improvements, they would just do that. In the long run, this risks harming the OSS community, as developers would feel like big corps are being leeches and profiting out of their work without giving anything back.
After all, the GPL forces to contribute back only if you modify and distribute a modified version of the software (the AGPL modified this point, to account for cloud services). A corporation that isn't modifying GPL'd code or isn't redistributing the modified binaries, doesn't incur any additional burden for using a software distributed under the GPL.
It is no accident that Google has removed everything GPL out of Android, falling short of the Linux kernel, and they haven't done the final step with Fuchsia/Zircon mostly due to what appears internal politics.
Just a few hours ago on the irc channel of OpenBSD someone said that OpenBSD is good at not letting a wonky hardware run compared to linux. So you could use the dmesg and ask it in the OpenBSD mailing list and they will point out which wonky hardware is causing trouble and you can replace that problematic part.
I ran OpenBSD current for 6 years and never faced such issue
Years ago (circa ~2005) I was working for a company with a mix of OpenBSD, FreeBSD, Windows, and Linux. I was more of a fan of OpenBSD and I received a lot of grief when the OpenBSD team suddenly ripped out support for one of the Dell hardware RAID controllers (I don't remember which one, but IIRC it was one based on something from Adaptec), claiming they couldn't reliably reverse engineer it to create stable drivers. Their attempts ultimately always ended up with "random" corruption.
A year or so later our main DB on Windows (long story on why we were running windows DBs with most of the other kit being BSD/Linux) had a total corruption incident (it was painful, but we had a replica failover that we recovered from) - turns out we could get an answer from Dell since Windows was obviously supported by Dell themselves. There was a known issue with that model of RAID controller that would result in random and total corruption - and there was no way to fix it in firmware.
I was smug about it, but had to concede that people should still be given an informed choice. IIRC Dell was very quiet about it, which is certainly not "informed choice". Had we known, we'd have shelled out for different hardware for our databases!
To be fair, there was not much Dell could do as their PERC cards were all rebranded Adaptec and later LSI. Adaptec was the gold standard for ages, but I assume was enshitified somewhere along the way. The long term result was that the entire hardware raid world ditched Adaptec for LSI and/or software RAID (eg ZFS). Dell (in those days, not sure if it's still the case) had excellent support. There was a bug on another server model where the onboard video card would eventually fail and fry the motherboard. Even years later out of support, Dell would for free replace it if it failed with whatever new model equivalent existed.
I left the company before things were totally resolved, but I think dell ultimately gave people who complained LSI cards, but it took awhile for those to be designed and manufactured to fit the internal drive slot. Most people who were also using external arrays moved to third party ones or other hardware.
I built my last company on OpenBSD. It was easy to understand the entire system, and secure-by-default (everything disabled) is the right posture for servers. Pledge and unveil worked brilliantly to restrict our Go processes to specific syscall sets and files. The firewall on OpenBSD is miles better to configure than iptables. I never had challenges upgrading them--they just kept working for years.
Finally Linux has something that approaches pledge/unveil: landlock.
Seccomp was never actually usable: https://blog.habets.se/2022/03/seccomp-unsafe-at-any-speed.h...
> Seccomp was never actually usable
It's barely usable by itself but I don't think it's an inherent problem of seccomp-bpf, rather the lack of libc support. Surely the task of "determine which syscalls are used for feature X" belongs in the software that decides which syscalls to use for feature X.
In fact, Cosmopolitan libc implements pledge on Linux on top of seccomp-bpf: https://justine.lol/pledge/
Linux is far too bloated to ve run as a secure system and the attack surface of any linux distro, due to the number of kernel modules loaded by default, is very big.
> The firewall on OpenBSD is miles better to configure than iptables.
That's understating the matter by a huge amount.
pf is easier to read and understand, easier to adjust, more dynamic, and works like every other firewall in the world not based on iptables.
> I built my last company on OpenBSD. It was easy to understand the entire system, and secure-by-default (everything disabled) is the right posture for servers.
That really depends. You could argue a router is a server. OpenWRT has the default of WiFi off for security, which means that if the config is somehow hosed and you have to hard reset the router, you now have an inaccessible brick unless you happen to have a USB-Ethernet adapter on you.
Sensible defaults are much, much better than the absolutionist approach of "disable everything".
Edit: it's so funny to know that all the people slamming the downvote have never hit the brick wall of a dumb default. I hope you stay blessed like that!
> Edit: it's so funny to know that all the people slamming the downvote have never hit the brick wall of a dumb default.
I'll bite. OpenBSD and OpenWRT are different things, and I'm honestly surprised to hear that tech matters enough to you to setup OpenWRT but not enough to own a desktop (or a laptop that doesn't skimp on ports)
They are, but Linux or BSD doesn't matter all that much when it is about the meta case of deciding the defaults.
Funnily enough I feel a BSD is much more suited to modems / routers, if it weren't for HW WiFi support. Yes, I know you can separate your routing and your access point onto different devices.
At any rate I'm just pointing out that that absolutionism is rarely the right answer. It's also pretty telling that people actually went through my comment history to downvote a few unrelated recent comments. Must have hit a nerve.
As far as computing device goed, I prefer not lugging around a plastic brick. And one is bound to either lose or forget a dongle. In which case you get boned by OpenWRT's dumb default.
The reason for that default is that if they set up an open OpenWRT WiFi (or default passworded, think "OpenWRT2025"), in that split 5 minute window before you change it, some wardriver might login and mess with your network.
Obviously the chances of that are rather insignificant. And they could generate a default password based on the hardware. For the real security nuts they could tell them to build an image without default-on WiFi (currently they do the inverse).
You bring up a particular edge case as a way to discredit a much more thorough essay on the system.
And if someone is administering routers but don't have the hard-line equipment to configure them locally, I wish them well.
Servers I setup in openbsd just keep working, and are an easy patch/upgrade process. Servers I setup in Ubuntu break and have weird patching issues. Maybe it's something I'm doing, but I sure do like that OpenBSD seems a lot easier to just have solid and work indefinitely.
You are not....it's Ubuntu.
Not Linux, not Debian, Ubuntu.
Debian (provided you don't just dump a bunch of 3rd party repos) just upgrades cleanly, we have hundreds of servers that just run unattended-upgrade and get upgraded to new Debian version every 2 years.
The few Ubuntus we had had more problems.
I used to have this Debian box (which was a PowerMac G4) in my hallway. It had a 1000+ day uptime, back when this kind of uptime was still cool, or at least I thought it was. At some point it was two major versions behind, and I decided to dist-upgrade it. To my amazement, the upgrade went flawlessly, and the system booted without problems afterward. Debian is just great like that.
How to upgrade Debian unattended if it's not a rolling release
Not the Grand Poster, but we use the Debian package "unattended-upgrades" to install security updates automatically on our servers, and send an email if a reboot is required to complete the process (kernel upgrade).
Unattended upgrades could be configured to install more than the security release. Even with the stable release, one can add the official APT source for the Debian backports.
Back to OpenBSD... realize that it has no "unattended upgrades" capability. Until syspatch(8) appeared in 6.x you had to download patches and rebuild kernel and userland to get security fixes. Today, you could run syspatch(8) in a cron job but that only covers the base system. You'd need to handle any installed packages separately. And only the current and immediately previous release are supported at all. There are two releases a year, so you have to upgrade every ~6 months to stay in the support window.
Fortunately, with the introduction of the syspatch(8) and sysupgrade(8) utilities this is much simpler than it used to be. And, release numbers are just sequential with one point number, i.e. 7.0 was just the next release after 6.9, nothing more is implied by the "major" number ticking up.
Debian still has security fixes, and point releases. unattended-upgrades is the package that automates their install.
I think you can also do unattended release upgrades by using the 'stable' release alias in sources. That will probably result in some stuff breaking since there will be package and configuration churn.
Maybe they run Debian Testing. Testing and Unstable (sid) are rolling, and the stable release cut from the testing branch (through some process)
Well - I would recommend using a better linux distribution than Ubuntu.
I run just lighttpd these days; used to run httpd before they decided the configuration must become even more complicated. I don't have any issues with lighttpd (admittedly only few people use it; most seem to now use nginx).
Ubuntu seems to have a trend of taking something that works under Debian and somehow messing that up. Upgrades are one thing but for a while we had separate instruction on how to make Yubikey tokens work under each version of Ubuntu (we used them as smartcards for SSH key auth), while Debian instructions stayed the same...
Update was also hit and miss on user's desktop machines, for a while ubuntu had a nasty habit of installing new kernel upgrades... without removing old ones, which eventually made boot run out of space and poor user usually had to give it to helpdesk to fix.
Tho tbh most of the problems in any distro with packages is "an user installed 3rd party repo that don't have well structured packages and it got messy".
I have used lighttpd in the past but have been using nginx largely because I got used to it because other people chose it.
Now in more of a position to pick for myself, and I wondered how you feel about the pros and cons of lighttpd? I remember quite liking its config at the time.
And which distribution would that be?
Slackware
Debian
I agree but you could have just said it :)
Long time OpenBSD fan. Used it as my daily driver for years before standardizing all computers at home to macOS. I still think about going back to openBSD one day, but it's no longer very practical as a daily driver.
I want to use OpenBSD for the next project I'm building. However, I can't wrap my head around the old way of doing deployments (before containers). People who've built production grade systems with OpenBSD:
1. How do you deploy software? 2. How do you manage fleets of servers? 3. How do you spin up/turn down servers from cloud providers? (I only know of Vultr who provided an OpenBSD option out of the box).
> Long time OpenBSD fan. Used it as my daily driver for years before standardizing all computers at home to macOS. I still think about going back to openBSD one day, but it's no longer very practical as a daily driver.
It's only practical for hobbyists. I used OpenBSD as a daily driver between 2001-2005. I fought, I suffered, I conquered, and I got tired of not being able to watch video on the web reliably and MacOS in those days was so clean and refreshing. I learned so much, though.
> I want to use OpenBSD for the next project I'm building.
I admire your open-mindedness. But ask yourself:
1. Do you want to have to upgrade fleets of servers every year with no exceptions for extended security support instead of 5 (or more if you're willing to pay) for LTS versions of Linux?
2. Who else will need to support it?
3. You will likely have worse performance if that matters.
> 1. How do you deploy software?
Honestly, not many people create their own services that run on OpenBSD. Those that do use old-school packaging and scripting. Tooling like ansible works.
> 2. How do you manage fleets of servers?
Ansible would be my go-to for classic fleets of servers.
> How do you spin up/turn down servers from cloud providers?
There are ports of cloud-init for OpenBSD. Creating images for third party OSes can be different levels of painful, depending on the cloud provider.
RE: 1/2, doesn't Ansible work for BSDs?
OpenBSD has virtualization out of the box now. Most of the benefit of containers you can get with chroot. I don't know if any of the developers are working on a true container/jail capability.
I'd like to see a more modern performant filesystem with OpenBSD but ffs has never really let me down. Capability for logical volumes and/or live resizing of partitions would be welcome as well.
One of the reasons why I'm using OpenBSD is because it passes what I think of as a litmus test for FLOSS software: can I build the whole thing from scratch, in a short time and with minimal fuss? In the case of OpenBSD, the answer is yes. I can install it on a new machine, fetch the source code from mirrors, do some edits to the source, build a fresh release, write it to a USB stick and boot it on another machine. On my machine, the whole process takes about 10 minutes for the kernel, additional 20 minutes for base and maybe an hour if you add Xenocara. Compare that to Linux distros like Ubuntu or Arch where building from scratch is either discouraged or some fringe activity that requires skimming through wiki articles, forum posts or old Websites on the Wayback Machine.
Gentoo is a Linux rolling release built from source (just recently they gave the option of using binary packages as well). I've ran it on my desktop for years.
Buildroot does exactly that and it gives you big TUI menu to pick what you want included in your linux image
There is also T2 SDE.
I adore openbsd and have been using it since 4.x however it is still slow, not slow to boot or anything like that but if you run it as a web server it manages about half the req/s of Debian. Network performance is also slower than Debian if you're using it as a firewall (but I still prefer it as the syntax of PF is just perfect).
It's gotten a lot faster with 7.6 (lots of work on the TCP stack iirc). We saw huge improvements in throughput after updating.
The new 7.8 release should bring some more performance, haven't tested it yet though.
Yes, they've been working on unlocking more and more performance over the 7.x series of releases if not longer.
Remember the BSDs date from an era when you only had one core in the CPU.
there's a lot of optimisations they don't engage with because it makes the code "ugly" but there's a larger one here, where they disable hyperthreading outright due to side-channel attacks.
Might be a leading cause of what you're seeing.
So, spin up lots of single-core VMs?
for I/O intensive applications, it's always been true that VMs are a decent chunk of overhead: https://sites.cc.gatech.edu/systems/projects/Elba/pub/JackLi...
Also, it's likely already in a VM.
It used to be faster than Linux for that, but that's been a while ago.
I moved some stuff away from OpenBSD when the release of Linux 2.4 implemented all missing firewall functionality - but kept others still due to the early issues with the 2.4 kernel. But by the time 2.5 was getting decent - roughly a year before the 2.6 release - in most cases just using Linux with a custom 2.5 kernel was the better option.
The list is missing the fact that the documentation is consistent and centralized.
> is consistent and centralized
complete, useful, well written and contently at hand.
If you can tolerate poor performance then by all means use OpenBSD. Debian stable FTW.
You do have to buy more powerful hardware than you otherwise would. I find it worth it to run code I can more easily understand. I agree on Debian as well. My router and laptop are OpenBSD but most vms on my proxmox are Debian.
Agreed. I run my OpenBSD firewall on my odroid h4 - it's relatively cheap and plenty powerful to route gigabit+. I prefer pf and the simplicity of OpenBSD over Debian for such a purpose-built application. For my other "home servers" I simply run Debian as I believe it to be one of the more sane Linux choices for a server-type application.
To be honest I don't really see a reason to use a *BSD system myself other than just for the sake of using something different and less mainstream. FreeBSD had some advantages in the past but nowadays Linux has caught up in features.
When I switched to FreeBSD, it was because of the quality of the documentation. In Linux manpages are a patchwork from various sources, and it shows; it's not rare for a manpage to be missing, obsolete, or to document another similar tool, or to be inacurrate... Much better than in many other OSes, but still nowhere as good as in FreeBSD.
Now that I think of it, when I switched from DOS to Linux it was already because I found manpages amazing. Maybe I've just a soft spot for documentation.
BSD license so you don't have to upstream your stuff would be one. Tho it's not an advantage to *BSD systems, Linux near-forcing vendors to go mainline (as keeping separate kernel tree is PITA) did a lot of good in hardware support.
Not really a problem for users. Only for people who want to redistribute a fork. It matters if you are Apple or Sony, but not for most people.
incidentally, the requirement of the GPL is not to upstream your stuff, but to offer to make the modified source available to anyone you distribute the code to. Often the same in practice, but does not have to be.
To me the advantages are: simpler and more consistent configuration, less churn, better documentation, focus on security and secure-by-default.
Yes if raw performance is your top priority, linux wins. But for a desktop or general-purpose server, that's not the most important thing for me.
The development move in ZFS from FreeBSD to OpenZFS (AKA Linux) was a mayor point on that.
I feel like DragonflyBSD is really cool if you want to look at some BSD that offers some advantages and something unique to your day-to-day desktop usage. And I feel like their community is not as toxic as that of FreeBSD and OpenBSD with their holier-than-thou attitude towards Linux.
I'd love it if Gentoo/BSD were a thing once again, I like the BSD concepts but there's nothing like Portage on BSD so far - afaik pkgsrc is nowhere close to it.
>To be honest I don't really see a reason to use a *BSD system myself
I see some reasons:
- the BSD license
- the system is composed of pieces written to work together, it is built from start up as a coherent operating system as opposed to things cobbled together like other UNIX-like OS-es do
I tried using OpenBSD, but the support for some specific things isn't very good. For example, J language support is always missing some packages. I also don't want to, and very much do not want to, use systemd. I finally chose FreeBSD, but I'm using some things from OpenBSD as much as possible, like obhttpd, etc. It feels good now.
Why isn’t it used more often at BigCorp? Or as a base container image?
I hope people here keep donating to the OpenBSD project. I have myself not yet but I'm waiting yo do that
[flagged]
Are you calling Anubis an AI trashcan? Are you opening their website with an i286 for it to take 40s to load?
it took 30s to even load the trashcan
Doesn't load here at all, I had to change my User-Agent to "curl".
AI? I may be missing something. You are talking about whom here? The blog author?
GP is referring to the LLM crawler captcha thing. The one with the anime girls in it. It only took a few seconds on my phone, but it's slow on my old ThinkPad.
it took tens of seconds to load, once it loaded it was quick
And the point of "why waste time for captcha for static file" still stands, it's not like there is comment section for bots to abuse
It's not about keeping spam out of comments, it's about keeping systems and content safe/operational for normal people and more costly or unavailable for the trillion dollar "AI" companies that are shitting all over everything.
Don't blame this on site operators, this is the fault of careless LLM operators knocking down everybody's walls doors and windows to "learn" from their content.
So if the author recommended software that you loved and used everyday you would stop using that software?
Even broken clock is right twice a day so no.
You mistake dismiss with "do opposite"
I appreciate that OpenBSD sold its course on security-everywhere.
Unfortunately I also kind of lost faith in the BSD variants. There are a few minor things such as PC-BSD suddenly vanishing, or years before NetBSD on their mailing list admitting that Linux outperformed their "runs on any toaster and other gimmick" strategy. But one of the key issues I had was this:
I installed it (FreeBSD) on my second computer. I went out of my apartment and returned hours later. Well, the FreeBSD machine was no longer running; my linux machine on the other hand is running non-stop for months, literally. This may be a fluke, perhaps the computer had a problem - I am not saying this is really what the BSDs are all about, as I also had them installed before. But then I also asked myself "why would I want to bother with the BSDs, if Linux simply runs better?". And I haven't found a good, convincing answer to that for me to rationalise why I'd still be using the BSDs. Note: I also use Linux in a non-standard way, e. g. versioned AppDirs, but essentially Linux is simply more flexible than the BSDs (that is my opinion) and there are more users too. There will be always some BSD users, but to me they are like a dying breed. They would need to market themselves as a "runs outside the nerd bubble as well"; even Linux is still stuck in its own nerd bubble. You have to break out of it if you want to really dominate (Linux semi-does it indirectly, e. g. we can count many smartphones as Linux-driven, but I am still using a desktop computer system here, so to me this is what really counts, even if the total number is less than the smartphone users numbers).
What Linux has is mostly better hardware support and on gnome and some distributions they have a software installation tool that look like an app store but that's about it... Everything else is pretty much the same, random people wouldn't figure out a system is freebsd instead of Linux when running same desktop (like plasma).
The license makes it very different philosophically.
Which is what makes Linux kernel stand out, as we can see by Sony and Apple contributions upstream.
Had BSD not been busy with AT&T lawsuit, all major UNIXes would probably still be around, consuming whatever was produced out of BSD like the networking code and OS IPC improvements over AT&T UNIX.
Instead sponsoring Linux kernel became the plan B, as means to reduce their UNIX development costs.
> Commercial use began when Dell and IBM, followed by Hewlett-Packard, started offering Linux support to escape Microsoft's monopoly in the desktop operating system market
-- https://en.wikipedia.org/wiki/Linux
> 1998: Many major companies such as IBM, Compaq and Oracle announce their support for Linux.
-- https://en.wikipedia.org/wiki/History_of_Linux
Ironically the major contributor to many GNU/Linux critical components, Red-Hat, is now an IBM subsiduary, recouping that investment beyond doing only Aix.
It is no accident that all FOSS OSes that came after Linux, none of them has adopted GPL, as big corporations would rather not be obliged by it.
Of course big corporations would rather not be obliged by the GPL. But my feeling is that, if we give them the option to grab the code without contributing back their improvements, they would just do that. In the long run, this risks harming the OSS community, as developers would feel like big corps are being leeches and profiting out of their work without giving anything back.
After all, the GPL forces to contribute back only if you modify and distribute a modified version of the software (the AGPL modified this point, to account for cloud services). A corporation that isn't modifying GPL'd code or isn't redistributing the modified binaries, doesn't incur any additional burden for using a software distributed under the GPL.
It is no accident that Google has removed everything GPL out of Android, falling short of the Linux kernel, and they haven't done the final step with Fuchsia/Zircon mostly due to what appears internal politics.
It is good for Google, not Android users.
Just a few hours ago on the irc channel of OpenBSD someone said that OpenBSD is good at not letting a wonky hardware run compared to linux. So you could use the dmesg and ask it in the OpenBSD mailing list and they will point out which wonky hardware is causing trouble and you can replace that problematic part. I ran OpenBSD current for 6 years and never faced such issue
Years ago (circa ~2005) I was working for a company with a mix of OpenBSD, FreeBSD, Windows, and Linux. I was more of a fan of OpenBSD and I received a lot of grief when the OpenBSD team suddenly ripped out support for one of the Dell hardware RAID controllers (I don't remember which one, but IIRC it was one based on something from Adaptec), claiming they couldn't reliably reverse engineer it to create stable drivers. Their attempts ultimately always ended up with "random" corruption.
A year or so later our main DB on Windows (long story on why we were running windows DBs with most of the other kit being BSD/Linux) had a total corruption incident (it was painful, but we had a replica failover that we recovered from) - turns out we could get an answer from Dell since Windows was obviously supported by Dell themselves. There was a known issue with that model of RAID controller that would result in random and total corruption - and there was no way to fix it in firmware.
I was smug about it, but had to concede that people should still be given an informed choice. IIRC Dell was very quiet about it, which is certainly not "informed choice". Had we known, we'd have shelled out for different hardware for our databases!
Hangon on a second, you paid dell support and they knowingly let you run production on kit with known total irreversible data loss bugs? Da. Fuq?!?
To be fair, there was not much Dell could do as their PERC cards were all rebranded Adaptec and later LSI. Adaptec was the gold standard for ages, but I assume was enshitified somewhere along the way. The long term result was that the entire hardware raid world ditched Adaptec for LSI and/or software RAID (eg ZFS). Dell (in those days, not sure if it's still the case) had excellent support. There was a bug on another server model where the onboard video card would eventually fail and fry the motherboard. Even years later out of support, Dell would for free replace it if it failed with whatever new model equivalent existed.
I left the company before things were totally resolved, but I think dell ultimately gave people who complained LSI cards, but it took awhile for those to be designed and manufactured to fit the internal drive slot. Most people who were also using external arrays moved to third party ones or other hardware.
Some background from an OpenBSD dev:
https://nickh.org/warstories/adaptec.html
It was a fluke or a problem with the computer unless you can provide more than 1 data point with more info than "it wasn't running".
The NetBSD thing is becoming true again as Linux distros and the kernel are lately on a tear of purging old and niche architectures.