I have migrated from OpenBSD to Fedora for a couple of reasons -- and these may be outdated, as it has been a while. The issues with OpenBSD that I ran into personally were as follows:

* limited Unicode / UTF-8 support in OpenBSD: this was an issue especially for installing databases such as MySQL and PostgreSQL because there were no good sorting routines available for the non-ASCII characters which are used in almost all languages except rudimentary American English.

* the race conditions that were documented at one time in systrace, the disappearance of that utility in OpenBSD, and the lack of its development into anything similar to NSA's SELinux, with the detailed security policies that are developed for different applications and services -- such mandatory access control policies, effectively enforced, for example, theoretically make chroot totally unnecessary to secure apache httpd.

* lack of support as a virtualization host -- this need not be the job of OpenBSD per se, but perhaps a very lightweight, very secure hypervisor, such as sel4 https://sel4.systems/ for example, could be run with OpenBSD as its main guest and used to control other guests under virtualization.

I do want to mention, though, that vultr.com offers as one of its options VPS preinstalled with OpenBSD. I realize that OpenBSD is free software and a great O/S, but there is always room for development and improvement, and I just want to offer these points for discussion and debate.

I'd like to get back into OpenBSD, especially if there are ideas to mitigate some of these issues. It would also be interesting if the OpenBSD team could point out any flaws in SELinux similar to the ones they experienced with systrace.
My take on the philosophy of OpenBSD:

Along with "security first", essentially OpenBSD is the byproduct of whatever it is that its developers have found interesting to work on. Features that have security holes will be dropped whenever discovered, until some developer finds it interesting to work on them.

Of course some reward might also help a developer find something interesting. That has been known to happen.

So, I think, either donating money, employment, or code, or some kind of resource is the answer, each time you find something almost good enough about OpenBSD. Otherwise feel free to use other tools if you need them. There really is no competition in the sense you are thinking.

The one place there might be competition is finding the clarity of great documentation and clean secure code to surround your own efforts as you invest your time beside it.

ALH

On Sat, 14 Oct 2017, Justina Colmena wrote:

> I have migrated from OpenBSD to Fedora for a couple of reasons -- and
> these may be outdated, as it has been a while. The issues with OpenBSD
> that I ran into personally were as follows
>
> * limited Unicode / UTF-8 support in OpenBSD: this was an issue
> especially for installing databases such as MySQL and PostgreSQL
> because there were no good sorting routines available for the
> non-ASCII characters which are used in almost all languages except
> rudimentary American English.
>
> * the race conditions that were documented at one time in systrace,
> the disappearance of that utility in OpenBSD, and the lack of its
> development into anything similar to NSA's SELinux, with the detailed
> security policies that are developed for different applications and
> services -- such mandatory access control policies, effectively
> enforced, for example, theoretically make chroot totally unnecessary
> to secure apache httpd.
>
> * lack of support as a virtualization host -- this need not be the job
> of OpenBSD per se, but perhaps a very lightweight, very secure
> hypervisor, such as sel4 https://sel4.systems/ for example, could
> be run with OpenBSD as its main guest and used to control other
> guests under virtualization.
>
> I do want to mention, though, that vultr.com offers as one of its
> options VPS preinstalled with OpenBSD. I realize that OpenBSD is free
> software and a great O/S, but there is always room for development and
> improvement, and I just want to offer these points for discussion and
> debate.
>
> I'd like to get back into OpenBSD, especially if there are ideas to
> mitigate some of these issues. It would also be interesting if the
> OpenBSD team could point out any flaws in SELinux similar to the ones
> they experienced with systrace.
In reply to this post by Justina Colmena
> On Sat, Oct 14, 2017 at 9:27 AM, Justina Colmena <[hidden email]> wrote:
> I have migrated from OpenBSD to Fedora for a couple of reasons -- and
> these may be outdated, as it has been a while.

I take it "a while" has been quite a while - ?

> * limited Unicode / UTF-8 support in OpenBSD: this was an issue
> especially for installing databases such as MySQL and PostgreSQL
> because there were no good sorting routines available for the
> non-ASCII characters which are used in almost all languages except
> rudimentary American English.

OpenBSD has supported UTF-8 since...2010ish? A long time.

> * the race conditions that were documented at one time in systrace,
> the disappearance of that utility in OpenBSD, and the lack of its
> development into anything similar to NSA's SELinux, with the detailed
> security policies that are developed for different applications and
> services -- such mandatory access control policies, effectively
> enforced, for example, theoretically make chroot totally unnecessary
> to secure apache httpd.

This could be rephrased as Linux's lack of development of anything similar to pledge :-) If you missed pledge, Theo has several talks on YouTube about it, e.g.:

2015: https://www.youtube.com/watch?v=F_7S1eqKsFk

2017: https://www.youtube.com/watch?v=FzJJbNRErVQ

What is your ultimate goal? A secure system? There are numerous security features that OpenBSD has that Linux doesn't have and refuses to add. Does Linux have pledge? Random PIDs? Does it use arc4random all over the place because it can? Which platform would you say has a more robust set of memory protections? You could probably go to openbsd.org/security.html and use it as a checklist of security features missing in other operating systems.

Maybe for your needs, SELinux is a better choice but personally, it's all theory until someone's knocking on the door, and OpenBSD has more than proven itself in that context. Certainly, OpenBSD has the better track record.

A picture is worth a thousand words...no idea what the animated gif exchange rate is, but this has always summed it up for me re: OpenBSD security:

https://securityreactions.tumblr.com/post/80685010067/that-one-openbsd-box-during-the-pentest

> * lack of support as a virtualization host -- this need not be the job
> of OpenBSD per se, but perhaps a very lightweight, very secure
> hypervisor, such as sel4 https://sel4.systems/ for example, could
> be run with OpenBSD as its main guest and used to control other
> guests under virtualization.

OpenBSD has had native support for running as a VM host officially since 6.1 earlier this year:

http://man.openbsd.org/vmm.4

To be fair, OpenBSD developed its support for VM hosting a lot later than other projects. That's just the nature of having a smaller team - they can't focus on everything concurrently. But it's been in the works since 2015:

https://undeadly.org/cgi?action=article&sid=20150831183826

You can use vmm to run OpenBSD, Linux, etc. guests. E.g.:

https://medium.com/@dave_voutila/docker-on-openbsd-6-1-current-c620513b8110

> I do want to mention, though, that vultr.com offers as one of its
> options VPS preinstalled with OpenBSD.

BTW, you can actually run OpenBSD on any VM/VPS provider that offers KVM. There's nothing special about Vultr other than that they streamline the install. Nothing against them and they're a fine provider, but it's trivial to run OpenBSD on thousands of VM providers. Typically you mount the ISO in the provider's Solus (or whatever) control panel, boot off it in the console, and then it's a standard bsd.rd install.

--
andrew fabbro
[hidden email]
On Sun, 15 Oct 2017 05:59:14 -0700 Andrew Fabbro <[hidden email]> wrote:

> OpenBSD has supported UTF-8 since...2010ish? A long time.

point taken. yes, it may have been that long... I may have to try it out again and report back since i do need another virtual server for a database anyways, as i have too much other "stuff" running on my present server.

> ... Linux's lack of development of anything
> similar to pledge :-) If you missed pledge, Theo has several talks
> on YouTube about it, e.g.:
>
> 2015: https://www.youtube.com/watch?v=F_7S1eqKsFk
>
> 2017: https://www.youtube.com/watch?v=FzJJbNRErVQ
>
> What is your ultimate goal? A secure system? There are numerous
> security features that OpenBSD has that Linux doesn't have and
> refuses to add. Does Linux have pledge?

pledge is well and good, and definitely to be commended, but from my understanding that is an internal security feature for a program to secure itself, not to provide an extra layer of security on third-party programs (ports) which the OpenBSD team does not necessarily have the time to audit or the clout to effect upstream security patches, especially for openbsd-specific improvements. the selinux security policies

> Random PIDs?

these are definitely an option in the Linux kernel, with or without SELinux. i am not really sure why the distributions don't enable them by default, but at the same time i am not sure of the importance of the ability to guess a process' PID versus the permission of any user to view a complete ps listing.

> OpenBSD has had native support for running as a VM host officially
> since 6.1 earlier this year: http://man.openbsd.org/vmm.4

that is very new then, awesome!

> BTW, you can actually run OpenBSD on any VM/VPS provider that offers
> KVM. There's nothing special about Vultr other than that they
> streamline the install. Nothing against them and they're a fine
> provider, but it's trivial to run OpenBSD on thousands of VM
> providers. Typically you mount the ISO in the provider's Solus (or
> whatever) control panel, boot off it in the console, and then it's a
> standard bsd.rd install.

yes and I have. i just noticed and i thought it worth mentioning that that particular provider now has a convenient preinstalled image for OpenBSD, (whereas before i installed it just as you described.)

unfortunately, i am on a budget, so i bought a cheap laptop for <$200, kicked windows 10 and office 365 off and installed fedora linux, because openbsd does not support the hardware on it. however i certainly can run openbsd as a vm guest on this laptop when i have the time to experiment with it -- 4g memory and 4 cores amd64 -- otherwise a rather basic barebones model, no bluetooth, no cdrom.

funny story, i bought the laptop at target downtown seattle, and as soon as i got online with linux, i bought a cheap plane ticket to anchorage leaving that evening, and i skipped town to get away from that marijuana-dealing city attorney who was filing false criminal charges against me

http://blogs.seattletimes.com/pot/2014/07/11/city-attorney-pete-holmes-apologizes-for-taking-pot-to-work/

having me falsely committed to the state insane asylum in steilacoom, where they threw a chair at me clear from redmond, and so on and so forth. people these days are just so amazingly complicit in organized crime, in total denial of the holocaust-level white nationalist war crimes taking place, while doing absolutely nothing to stop such crimes.

"HP Notebook Model 14-an012nr"
"Realtek Radio Model RTL8188EE"