OpenBSD Journal

OpenBSD 3.4 can now be pre-ordered

Contributed by jose on from the the-next-release dept.

Jedi/Sector One writes: "The upcoming OpenBSD release (due November 1st) can now be pre-ordered from http://www.openbsd.org/orders.html.

Check out all the cool changes that happened since the 3.3 days: http://www.openbsd.org/plus.html and the cool new artwork for this release: http://www.openbsd.org/34.html

Order your copy now to support the project and to get cool stickers by the way :)"

Order now, quantities limited, etc etc etc :)

(Comments are closed)


Comments
  1. By Noryungi () n o r y u n g i @ y a h o o . c o m on mailto:n o r y u n g i @ y a h o o . c o m


    But what drew my attention was the following:


    • Further W^X improvements, including support for the i386 architecture. Native i386 binaries have their executable segments rearranged to support isolating code from data.

    • Support for ProPolice stack protection in the kernel has been added.

    • The ports tree now supports building programs under systrace(1), preventing the possibility of applications harming the system at compile-time via trojaned configuration scripts or otherwise.

    • in pf: stateful TCP normalization (prevent uptime calculation and NAT detection)



    OpenBSD just keeps getting better... Nice!
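The W^X item in the list quoted above (a page is writable or executable, never both) is, for a program that legitimately generates code, a discipline rather than a restriction: map the page writable, fill it, then flip it to executable before calling into it. The C program below is an added example written for this page, not OpenBSD code. It assumes POSIX mmap/mprotect and an x86-64 payload (on other architectures the execute step is skipped and wx_run() returns -1); rwx_allowed() reports whether the running kernel will hand out a page that is both writable and executable, which is exactly what W^X refuses.

```c
#define _DEFAULT_SOURCE
#define _POSIX_C_SOURCE 200809L
#include <setjmp.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/mman.h>

#ifndef MAP_ANONYMOUS
#define MAP_ANONYMOUS MAP_ANON   /* older BSD spelling */
#endif

static sigjmp_buf fault_env;

static void on_fault(int sig)
{
    (void)sig;
    siglongjmp(fault_env, 1);
}

/* Try a one-byte store to p with SIGSEGV/SIGBUS trapped.
 * Returns 1 if the store faulted (page not writable), 0 if it went through. */
static int store_faults(volatile unsigned char *p)
{
    struct sigaction sa, old_segv, old_bus;
    int faulted;

    memset(&sa, 0, sizeof sa);
    sa.sa_handler = on_fault;
    sigemptyset(&sa.sa_mask);
    sigaction(SIGSEGV, &sa, &old_segv);
    sigaction(SIGBUS, &sa, &old_bus);

    if (sigsetjmp(fault_env, 1) == 0) {
        *p = 0x90;          /* would overwrite the first byte of staged code */
        faulted = 0;
    } else {
        faulted = 1;
    }
    sigaction(SIGSEGV, &old_segv, NULL);
    sigaction(SIGBUS, &old_bus, NULL);
    return faulted;
}

/* Does the kernel grant a mapping that is writable AND executable at once?
 * 1 = yes (no W^X enforcement for this process), 0 = refused. */
int rwx_allowed(void)
{
    long pg = sysconf(_SC_PAGESIZE);
    void *m = mmap(NULL, (size_t)pg, PROT_READ | PROT_WRITE | PROT_EXEC,
                   MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (m == MAP_FAILED)
        return 0;
    munmap(m, (size_t)pg);
    return 1;
}

/* Stage a tiny function under the W^X discipline: RW while writing, then
 * RX (never RWX) while executing. Returns the value the staged code
 * computes (42), -1 if the platform cannot run the payload, or -2 if the
 * page unexpectedly stayed writable after being made executable. */
int wx_run(void)
{
    /* x86-64 machine code: mov eax, 42 ; ret */
    static const unsigned char code[] = { 0xb8, 0x2a, 0x00, 0x00, 0x00, 0xc3 };
    long pg = sysconf(_SC_PAGESIZE);
    unsigned char *page;
    int (*fn)(void);
    int result = -1;

    page = mmap(NULL, (size_t)pg, PROT_READ | PROT_WRITE,
                MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (page == MAP_FAILED)
        return -1;
    memcpy(page, code, sizeof code);                 /* phase 1: write (RW) */

    if (mprotect(page, (size_t)pg, PROT_READ | PROT_EXEC) != 0) {
        munmap(page, (size_t)pg);
        return -1;
    }
    if (!store_faults(page)) {                       /* RX page must reject stores */
        munmap(page, (size_t)pg);
        return -2;
    }
#if defined(__x86_64__) || defined(__amd64__)
    memcpy(&fn, &page, sizeof fn);                   /* data pointer -> function pointer */
    result = fn();                                   /* phase 2: execute (RX) */
#else
    (void)fn;
#endif
    munmap(page, (size_t)pg);
    return result;
}

int main(void)
{
    printf("RWX mapping allowed: %s\n", rwx_allowed() ? "yes (no W^X)" : "no (W^X enforced)");
    printf("staged code under W^X returned: %d\n", wx_run());
    return 0;
}
```

On a kernel that enforces W^X the first line reports "no"; on one that does not, the program still works, because it never asked for a page that is simultaneously writable and executable. Code that does need such a page (some JITs of the era) is what the 3.4 work on rearranging i386 executable segments had to accommodate.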

    Comments
    1. By Anonymous Coward () on

      Can I have someone tell me one thing OpenBSD has done to advance the state of system security?

      Possible answers are not:
      "well, they audit their code a lot" -> They did not advance the state of system security, look at what Stanford has done.

      "W^X" -> PaX - any usefulness, stupid implementation

      "systrace" -> poor re-implementation of a failed concept that's been shown to be useless in academic papers

      "stack randomization" -> ditto

      "mmap randomization" -> ditto, plus the reordering which is completely useless, but something to make it look like they're just not ripping everything off from others.

      "strlcpy" -> not valid, doesn't fix buffer overflows

      I will stop posting here if someone can give me one example of something legitimate OpenBSD has done THEMSELVES to advance the state of system security. Show me OpenBSD isn't just a bunch of repackagers of hacks that have already been done elsewhere, or trivial modifications on known implementations (much like your average script kiddie would do to hide their ripping of code). You find it appropriate to claim OpenBSD is more secure than every other OS, yet where are all your features and code coming from?

      Comments
      1. By ea1X () on

        > yet where are all your features and code coming from?

        That's the benefit of open source: it doesn't reinvent the wheel, and OpenBSD incorporates it well. Does Microsoft do it?
        And pf?
        And OpenSSH?
        All this good crypto: Twofish, Rijndael, ...

        Comments
        1. By Anonymous Coward () on

          I agree with you on the notion of open source. However, the stance of OpenBSD towards the rest of the community is very different than what is found elsewhere. Since Theo has never designed anything himself to advance the state of security, and he is clearly not knowledgeable enough to do what some others have done, why is it acceptable for him to call these same people idiots in a public forum?

  2. By Anonymous Coward () on

    To be honest I still just don't like the blowfish. I'd prefer the classic BSD Daemon. :-/

    Comments
    1. By Anonymous Coward () on

      I feel precisely the opposite. For me, blowfish good, Daemon not so good.

      Comments
      1. By Gimlet () on

        How about someone draw up a Puffy the Sorcerer summoning the BSD daemon?

        Comments
        1. By Anonymous Coward () on

          Puffy the necromancer wearing a necklace of penguin bones and a bracelet of penguin skulls I say.

      2. By Anonymous Coward () on

        I am going to have to agree 100%

        the blowfish is _much_ better than the silly old daemon

        Comments
        1. By Anonymous Coward () on

          Yes it is. It sets it apart from the other boring BSD daemons.

          Comments
          1. By Anonymous Coward () on

            Luv the blowfish. Chucky is great, but says 'FreeBSD' to me.

    2. By Jadipai () on

      I like the blowfish, but this 3.4 one is not so cool IMHO.

      Comments
      1. By Anonymous Coward () on

        This is my favorite artwork of them all! I think Robin Hood is very appropriate in this industry.

        Comments
        1. By Jadipai () on

          ACK! Didn't notice that was Robin Hood himself ;) Maybe the smile was too big...

          Comments
          1. By JonMartin () on

            Actually I believe it is meant to be a caricature of Errol Flynn as Robin Hood.

            I really like it.

    3. By BMI () noperz@notta.not on mailto:noperz@notta.not

      I think the blowfish is excellent. The Daemon is there also, they are just different characters in the OBSD world. *looks over at the 2.7 release artwork*

  3. By Anonymous Coward () on

    lol: "Have spamd(8) report exactly how much of the filthy spammer's time was wasted"

  4. By Anonymous Coward () on

    "Replacement of GNU diff, grep, and gzip with BSD licensed equivalents." I thought the GNU license was acceptable to the OpenBSD project. Didn't Wietse Venema change his license to GNU when Theo asked for one more fitting to the ideals of OpenBSD?

    Minor point, and probably not worth really noting, I guess; merely curious. :) Looks like another fantastic release is on the way! WOOT!

    Comments
    1. By marco () on

      "Integrate good code from any source with acceptable copyright (ISC or Berkeley style preferred, GPL acceptable as a last recourse but not in the kernel, NDA never acceptable). "

      http://www.openbsd.org/goals.html

      marco

    2. By Anonymous Coward () on

      The OpenBSD project wants to do away with as much GPL'ed crap as possible.

    3. By BMI () UpYurs@notgonnasayit.nope on mailto:UpYurs@notgonnasayit.nope

      OBSD wants the system to be able to be taken directly from the website and modified in any form and even used in a commercial setting where the code doesn't have to be released for free. The GPL does not allow for this.

  5. By Wouter () on

    It's nice to see a new version of OpenBSD coming. Though, I am still thinking about upgrade strategies (which includes upgrading ports etc). Any thoughts about how I can do this the fastest way (because the machine shouldn't have too much downtime)?

    Comments
    1. By Anonymous Coward () on

      Last Sunday I upgraded my firewall from 3.2 to 3.4 in a matter of minutes, including ports.

      I grabbed a hard disk and installed it from scratch. Then I added all the ports that I used before. Copied all relevant config files to the box. Tested it until I liked it.

      Took down my firewall; replaced the hard disk; brought it back up. Total downtime: less than 5 minutes.

      Comments
      1. By Anonymous Coward () on

        This method works if you have a similar (i.e. hardware) machine and a test network that minimizes the amount of config changes after HD swap.

        What I'm trying to work out is how to upgrade a whole bunch of systems as quickly as possible. I don't have available similar hardware to do the trick above, and downtime has to be minimized.

        Hopefully I or someone will figure out a quick way to do this safely.

        The 3.4 release itself looks absolutely fabulous though, and any pain upgrading will be overshadowed by the 'good stuff' afterwards.

        M

      2. By dpi () on

        How can you have upgraded to 3.4? Did you mean -current? Since 3.4 isn't out yet...

    2. By philipp () pb@ on http://debardage.sysfive.org/

      See the post last week about debardage..

      yes, no new tarball for a week, wait for monday ;)

      This thing *will* be ready for 3.4, since this time
      the upgrade will be a major pain, eh timewaste, on i386.

      //pb

      Comments
      1. By Wouter () on

        That would be really nice!

  6. Comments
    1. By Anonymous Coward () on

      It's in the works.

  7. By Chris () on www.consault.com

    I am stunned by the huge improvements that have taken place over this last release cycle; I'm particularly fond of the pf improvements. I am left wondering what the current state of pfsyncd is, however.

    The addition of failover and load balancing capabilities in 3.4 would be very welcomed.

    It is a feature that I have been very interested in investigating but haven't, due to the ALPHA warnings* and lack of discussion regarding it on the mail and news groups.

    With that said, I am aware of the patent on VRRP** that inhibits full inclusion in the source, but I do remember a time when OpenBSD was shipping controversial patented crypto code through sneaky means.

    A free implementation of VRRP is available at http://sourceforge.net/projects/hut which could be a “download after installation” feature.

    Do you think that this could be an option?

    I look forward to receiving my CDs. Thanks for all the top notch work guys!

    * http://www.greyhats.org/openbsd/openbsd.html#pfsyncd
    ** http://www.foo.be/vrrp/

    Comments
    1. By Anonymous Coward () on

      > I do remember a time when OpenBSD was shipping controversial patented crypto code through sneaky means.

      Care to elaborate and provide evidence? Unsubstantiated claims benefit no one and should be kept in your head until you can support your statement/s.

      Comments
      1. By Anonymous Coward () on

        > controversial patented crypto code

        > Care to elaborate and provide evidence?

        I suspect support for either RSA before the patent expired in the USA, since OpenBSD is Canadian-based.

      2. By Chris () on www.consault.com

        Care to post anonymously?

        I'm referring to shipping RSA code from Canada before the patent expired in the US. A "download after installation" approach was taken to avoid legal recourse.

        I don't believe common knowledge requires such substantiation, but thanks for your input.

        Comments
        1. By Anonymous Coward () on

          > Care to post anonymously?

          That is irrelevant.

          > I'm referring to shipping RSA code from Canada before the patent expired in the US. A "download after installation" approach was taken to avoid legal recourse.

          So? Was it illegal for OpenBSD? No.

          > I don't believe common knowledge requires such substantiation

          Then how can such common knowledge be "sneaky"?

          Common knowledge? In your head maybe. Not mine. I remember *nothing* sneaky done by OpenBSD in the past, and that still holds true today. So, no, OpenBSD being sneaky, is *not* common knowledge.

        2. By grey () on

          You're probably thinking of the workaround to get OpenSSH starting with 2.6, before the RSA patent had expired and ending after the patent was released (circa 2.8).

          E.g. "A clever trick allows us to distribute the same CD-ROM (USA and the rest of the world) and maintain full strength crypto without violating the RSA patent in the USA."

          If you recall, that "trick" was requiring users to install a package after install if they were in the US and wanted to use the RSAREF implementation. You may also recall that one batch of CDs during that period needed to be scrapped because the package was inadvertently on the master; most other folks in that situation probably would have shipped said CDs.

          Comments
          1. By Anonymous Coward () on

            > E.g. "A clever trick allows us to distribute the same CD-ROM (USA and the rest of the world) and maintain full strength crypto without violating the RSA patent in the USA."

            That "trick" I do remember. Thanks, grey.

            Chris: btw, "trick" is not synonymous with "sneaky".

    2. By Anonymous Coward () on http://www.openbsd.org/crypto.html#why

      ... I do remember a time when OpenBSD was shipping controversial patented crypto code through sneaky means.

      This is certainly painting with a broad brush.

      From http://www.openbsd.org/crypto.html#why:

      Why do we ship cryptography?
      In three words: because we can.

    3. By Anonymous Coward () on

      > A free implementation of VRRP is available at http://sourceforge.net/projects/hut which could be a "download after installation" feature.

      Ehm.. "available" as in "I've a website on SF and nothing more"? One cannot download *anything* there, and the last status is Dec 2002.. d'uh.

      Down to the point.. there is probably NO free implementation. The patent is about the "virtual MAC" *directly*, so one is pretty fucked going a VRRP-like way. There has to be something really new.

      pfsync itself is standalone, yet you have the problem of balancing traffic over the machines.

      OTOH, differentiate between load balancing and failover. It's possible to filter even typical packet loads on a GigE link with *one* machine; the point is rather the failover, and there are methods like STONITH that come to mind.

      pfsync can be used for way other "features" than that anyway.. don't be a Pavlov'd dog and think about VRRP (only) when you hear 'pfsync'.

      //pb

  8. By hah () on

    OpenBSD 3.4: More OBSCURE than ever!

    Unfortunately for deadly.org readers, you will not be able to view the technical analysis of the new obscurity features in OpenBSD 3.4 as the administrators have clearly shown that this website is for mindless praising of OpenBSD, and should never contain any constructive criticism or technical analysis of anything OpenBSD does. The administrators want you to believe only what OpenBSD is telling you. With any luck, this post will be removed as well, to hide the fact that the original post was removed.

    Comments
    1. By Anonymous Coward () on

      Can you provide proof of this please?

      Comments
      1. By Anonymous Coward () on

        The person who replied to the post before it was removed can prove it.

        Comments
        1. By Anonymous Coward () on

          please repost.

          Comments
          1. By Anonymous Coward () on

            I will repost when I see an administrator admit that they removed the previous posting. Here is what we will not see:

            An administrator saying they did NOT remove the posting
            An administrator allowing me to repost it, since they removed the previous post.

            Can an administrator please clarify why technical analyses of OpenBSD features are not suitable for this forum, while mindless, pointless, "yes-man" comments are? I recognize that it is your website, and you are free to remove any content you wish, however, this should not be done in a stealthy fashion as you have done, and certainly not for a comment containing many technical details. If you considered the post to be hogwash, why not let the brilliant OpenBSD developers rip it apart with their keen security knowledge, unless this was not the case?

            Comments
            1. By Anonymous Coward () on

              Deleting posts, eh? Shame, shame, on YOU! Go wash your hands with soap mister! >:[

              Comments
              1. By sandolo () sandman@mufhd0.net on mailto:sandman@mufhd0.net

                TROLLS TROLLS TROLLS TROLLS
                please stop this boring BLA BLA BLA about OpenBSD.
                Will you ever say something CONCRETE or will you go on talking about "openbsd sucks, theo sucks, bla bla"??
                Watch the CVS log, read the code, use another o.s., post on another forum.

                Comments
                1. By Anonymous Coward () on

                  I did say something concrete, but that apparently isn't suitable for this forum. Even if you were able to read it, I doubt you would understand.

            2. By Anonymous Coward () on

              Were you bitching about PaX? Like two weeks ago on bugtraq in the thread "Buffer overflow prevention". In that case f*ck you! Why do you assholes keep coming back and complain?!

            3. By gwyllion () on

              If your message was deleted, I don't believe it contained "constructive criticism or technical analysis of anything OpenBSD does.", but rather pure troll.

              I haven't seen any form of censorship thus far. Lots of /. and PaX trolls were allowed to post crap here.

            4. By Anonymous Coward () on

              it does your case no good to wait for acknowledgement before reposting. repost and let us see if it stands merit.

        2. By Anonymous Coward () on

          Yup. I saw it, and responded.

    2. By gwyllion () on

      What the heck are you talking about? What new obscurity features? W^X on i386? Random order (on all ELF platforms) loading of libraries by ld.so and at randomized location (on i386)? Increase in default stackgap_random?

      Please explain yourself. Where is your "constructive criticism or technical analysis"?

  9. By jose () on http://monkey.org/~jose/

    i mean it. please keep the PaX stuff away. i think the matter has been taken care of already by various people. i point you to miod's comments on the subject, which i think were the best and technically astute.

    i'm just not interested in dealing with flame wars here. it's why i don't read misc, for example.

    Comments
    1. By Anonymous Coward () on

      You mean miod, who agreed that PaX did not violate POSIX, and OpenBSD did? Just as OpenBSD scoffed at the mention of the weak random stack gap, just to find them increasing it afterwards. Yes, clearly, OpenBSD is correct and everyone else is a bunch of flaming idiots. This still doesn't answer why you removed the post, which did not mention only W^X, but also systrace and other new features that have not been given any analysis yet.

      Comments
      1. By Anonymous Coward () on

        > You mean miod, who agreed that PaX did not violate POSIX, and OpenBSD did?

        Nice Straw Man.

        > OpenBSD is correct and everyone else is a bunch of flaming idiots.

        Its security track record is sufficient evidence to prove so.

        > This still doesn't answer why you removed the post,

        Censorship is bad, Mkay?

      2. By jose () on http://monkey.org/~jose/

        IP posting is back on. trolls are now publicly viewable ... next step is to shut down comments entirely. nothing constructive is coming of this.

        Comments
        1. By Anonymous Coward () on

          Clearly nothing constructive can come of it, since you removed the initial constructive argument. I was truly interested in some technical responses to it. Are you claiming to be an expert on every subject discussed in the comment, such that you could dismiss its technical merits by removing it from the website? If not (and I believe this is the case) you are doing a disservice to your readers. What good does it do them to be ignorant about the underlying implementation of the buzz-words they will eventually repeat to others?

          Comments
          1. By djm () on

            Don't kid yourself, this is Jose's site and not some pretend democracy. If you want an open forum, post your arguments to misc@openbsd.org. There you can participate in a real debate without hiding your trolling behind "Anonymous Coward".

            Comments
            1. By gwyllion () on

              Or keep discussing the new buffer overflow protection methods on bugtraq? There a moderator can judge whether what you have to say is indeed constructive criticism or a technical analysis instead of plain troll.

              I noticed OpenBSD developers were willing to keep the discussion technical and to correct wrong claims.

              This medium is far from suited for this discussion as only a few OpenBSD developers and users read it. And all those "Anonymous Coward".

              Comments
              1. By Anonymous Coward () on

                You people are blind. Theo had nothing useful to post on Bugtraq. When he attempted anything resembling technical knowledge, it was wrong, as you can clearly see from the archives.

                Note for example the mail where he calls another poster an idiot and claims what he wants to do is completely infeasible, only to find that it's exactly what PaX does.

              2. By Anonymous Coward () on

                Maybe your brain shuts off every time you see something Theo has written, making you believe your hero is actually correcting other people. I suppose that's a side-effect of knowing nothing of the subject you're reading about (as Theo keeps you in the dark by only using buzz-words), when your hero is using big words and insulting others.

                Comments
                1. By gwyllion () on

                  I was thinking about the reply in which anil@ corrected a wrong claim about ProPolice.

                  And yes I'm stupid and don't use my brain. I only have an IQ of around 140 and I'm only doing a PhD on computer security.

            2. By Anonymous Coward () on

              If this website is not interested in distributing facts to its readers, it should be stated clearly at the top that this is a communist thought control machine. It's pretty sad when you're willing to accept whatever someone tells you, especially when that person is not knowledgeable at all about the supposedly truthful information he is giving you.

        2. By gwyllion () on

          Isn't it possible to drop the last number of the IP address as a small form of privacy?

          Or reverse lookup the DNS name and drop the first part?

        3. By Anonymous Coward () on

          IP posting is a disservice to your readers. You must think IP posting stops trolls just as you think OpenBSD stops hackers. In both cases, you are wrong. How many examples does it take to show you OpenBSD is not secure?

          Comments
          1. By Anonymous Coward () on

            > IP posting is a disservice to your readers. You must think IP posting stops trolls just as you think OpenBSD stops hackers. In both cases, you are wrong.

            Where did jose say IP posting stops trolls? He said "trolls are now publicly viewable" and suggested a solution to completely stop trolls ("next step is to shut down comments entirely").

            > How many examples does it take to show you OpenBSD is not secure?

            Show me working exploits for OpenBSD 3.4 like Gobbles did, preferably a lot of them.

            Comments
            1. By gwyllion () on

              Whoops, forgot to fill in my name, like decent people do.

    2. By Anonymous Coward () on

      BTW, nowhere in the post was PaX mentioned, nor is your assumption correct that I am involved even indirectly with PaX, so I do not see how it is relevant to the removal of a legitimate, technical post.

  10. By Anonymous Coward () on

    Can I have someone tell me one thing OpenBSD has done to advance the state of system security?

    Possible answers are not:
    "well, they audit their code a lot" -> They did not advance the state of system security, look at what Stanford has done.

    "W^X" -> PaX - any usefulness, stupid implementation

    "systrace" -> poor re-implementation of a failed concept that's been shown to be useless in academic papers

    "stack randomization" -> ditto

    "mmap randomization" -> ditto, plus the reordering which is completely useless, but something to make it look like they're just not ripping everything off from others.

    "strlcpy" -> not valid, doesn't fix buffer overflows

    "privilege separation" -> an obscurity measure. OpenBSD has too many local kernel vulnerabilities that can be executed within the compromised task, not requiring any access to the filesystem, so this is useless.

    I will stop posting here if someone can give me one example of something legitimate OpenBSD has done THEMSELVES to advance the state of system security. Show me OpenBSD isn't just a bunch of repackagers of hacks that have already been done elsewhere, or trivial modifications on known implementations (much like your average script kiddie would do to hide their ripping of code). You find it appropriate to claim OpenBSD is more secure than every other OS, yet where are all your features and code coming from?
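The strlcpy(3) point raised in the post above (and in the earlier copy of it) comes down to what the function's contract actually promises: a bounded copy that always NUL-terminates, plus a return value that lets the caller detect truncation. The C program below is an added example for this page, not OpenBSD's libc; my_strlcpy and my_strlcat are portable reimplementations of the OpenBSD semantics, and build_path is a hypothetical caller that turns truncation into an error instead of silently using a clipped path.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Portable reimplementation of strlcpy(3) semantics (OpenBSD contract):
 * copies at most dsize-1 bytes, always NUL-terminates when dsize > 0,
 * and returns strlen(src) so the caller can detect truncation
 * (truncated iff return value >= dsize). */
size_t my_strlcpy(char *dst, const char *src, size_t dsize)
{
    size_t srclen = strlen(src);

    if (dsize != 0) {
        size_t n = srclen < dsize - 1 ? srclen : dsize - 1;
        memcpy(dst, src, n);
        dst[n] = '\0';
    }
    return srclen;
}

/* Portable reimplementation of strlcat(3) semantics: appends src to the
 * NUL-terminated dst within dsize bytes and returns the length it tried
 * to create (initial strlen(dst) + strlen(src)). Truncated iff >= dsize. */
size_t my_strlcat(char *dst, const char *src, size_t dsize)
{
    size_t dlen = 0;

    while (dlen < dsize && dst[dlen] != '\0')
        dlen++;
    if (dlen == dsize)                     /* dst not terminated within dsize */
        return dsize + strlen(src);
    return dlen + my_strlcpy(dst + dlen, src, dsize - dlen);
}

/* Hypothetical caller: join dir and name into out. A clipped path is not
 * a smaller problem than an overflowed one (it may name a different file),
 * so any truncation is an error and out is left empty.
 * Returns 0 on success, -1 on truncation. */
int build_path(char *out, size_t outsz, const char *dir, const char *name)
{
    if (outsz == 0)
        return -1;
    if (my_strlcpy(out, dir, outsz) >= outsz ||
        my_strlcat(out, "/", outsz) >= outsz ||
        my_strlcat(out, name, outsz) >= outsz) {
        out[0] = '\0';
        return -1;
    }
    return 0;
}

int main(void)
{
    char buf[16];   /* deliberately small so the second call truncates */

    printf("%d -> \"%s\"\n", build_path(buf, sizeof buf, "/etc", "passwd"), buf);
    printf("%d -> \"%s\"\n", build_path(buf, sizeof buf, "/usr/local/share", "x"), buf);
    return 0;
}
```

The bound stops the overflow; the return-value check is what stops the second failure mode, a silently shortened string being used as if it were the intended one. Callers that ignore the return value get only the first half of the benefit.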

    Comments
    1. By Anonymous Coward () on

      BTW, it was funny on bugtraq when Theo was talking about using propolice because it found 2 buffer overflows triggerable by the user in their kernel. That's in your default install folks, and I didn't find any announcement of the bugs (at the very least an overflow would be a stability issue). Funny that Adamantix has been using propolice in the kernel for some time now and hasn't found any bugs. I thought OpenBSD was secure?

      Comments
      1. By Jedi/Sector One () j@pureftpd.org on http://www.pureftpd.org/

        Does Adamantix compile the kernel with Propolice at least?

        Comments
        1. By Anonymous Coward () on

          Yes. Ever since Propolice was initially released, it was possible to compile the Linux kernel with it. I know of several people who were doing it months before OpenBSD ever knew about Propolice.

    2. By Anonymous Coward () on

      Since comments were turned off a couple hours after this was posted, clearly not enough time to research OpenBSD's history and come up with a single example of something they've done themselves to advance the state of system security, can we have such an example now?


Copyright © - Daniel Hartmeier. All rights reserved. Articles and comments are copyright their respective authors, submission implies license to publish on this web site. Contents of the archive prior to as well as images and HTML templates were copied from the fabulous original deadly.org with Jose's and Jim's kind permission. This journal runs as CGI with httpd(8) on OpenBSD, the source code is BSD licensed. undeadly \Un*dead"ly\, a. Not subject to death; immortal. [Obs.]