Ask HN: What is your opinion on Open BSD?

45 points by max_ ↗ HN
I am looking for a new OS to base my work on.

I did some rudimentary research and came to the opinion that OpenBSD might be the most secure OS.

I am looking at.

- security (from hacking and spyware installations)

- usability (Tails is not practical in my case)

- availability of important tools I use.

Anyways after some research I later came to choosing between either Trisquel or OpenBSD (maybe FreeBSD)

I have not used BSD before. But it seems it's the most secure OS out there.

My questions.

1. What has been your experience with OpenBSD?

2. What are the pros & cons of using Open BSD?

3. What laptop would run OpenBSD best? (I am looking at the Razer Balde)

Given my requirements, do you have any other technologies you recommend I use?

Was choosing OpenBSD over Trisquel (Trisquel is Stallman endorsed) a better choice for someone who is concerned about privacy & security?

Thanks.

61 comments

[ 1.6 ms ] story [ 121 ms ] thread
I was thinking of doing something similar. But I was thinking of starting on a virtual machine or shell account before trying to install on real hardware. I don't know much about OpenBSD but my guess is that finding a laptop that runs OpenBSD flawlessly is not easy. So odds are you're going to be spending a lot of time troubleshooting and debugging. If that's ok with you, then that's great.

ThinkPads might be your best bet. Someone here has cataloged their experience with OpenBSD on laptops: https://jcs.org/openbsd-laptops

If your hardware supports OpenBSD go for it. Basically what you're looking for minimal host fingerprint with VM or dockerized application to work. OpenBSD is relatively small fingerprint and builtin binaries under 100.

Ref: https://jcs.org/openbsd-laptops

> What has been your experience with OpenBSD?

Really forces me to think about what I want versus need out of a computer.

> pros & cons

+ Comes with everything for a home lab: packet filter, DHCP server, FTP, and web server.

+ Bundled with C compiler and perl in base.

- Limited drawing tablet support.

> What laptop

Any model with a successful installation blog post will do.

> OpenBSD over Trisquel

With two cheaper machines for the price of one, one could run both operating systems. Then you can learn kernel compile, static IP, SSH, and practice sysadmin tasks (backups, cron, OS internals) from both perspectives.

> Really forces me to think about what I want versus need out of a computer.

That is pretty spot on. I really enjoy using OpenBSD, the base OS is well documented and consistent, to a degree where Linux is just left behind to an embarrassing degree. Then there are things you just can't do, unless you feel like porting a bunch of stuff.

I like having VSCode available, but I'm not in a position to start porting it to OpenBSD. I'm also currently toying around with some C# and again, I'm not porting dotnet to OpenBSD.

Then again do I NEED these thing? I can use Vim just fine and Go is a nice language which for my use case can stand in for C#. Do I need Docker... I suppose not, it's just nice to have.

You're making some interesting tradeoffs with OpenBSD. You get a better Unix, a more consistent Unix experience and really good build in tools, but if they can't support your workflow it really doesn't work.

Isn't VSCode an electron app? Does do those not work on BSD?
Audit Electron alone is a nightmare no one want to face, it's in term of safety a simple no-go. A monster.
Ports aren't audited, but no it wouldn't make it into base, but ease of auditing is probably not the reason why that won't happen.
Did they audit Firefox?
Seems it's a very stripped version I suppose, but do not know, and yes it would be no less a nightmare, but a single nightmare is still easier than many.
You might be able to make it work with https://github.com/muhammadsammy/free-vscode-csharp

.NET itself also supports FreeBSD and is distributed here https://www.freshports.org/lang/dotnet I assume this is compatible with OpenBSD? If not, please let me know.

OpenBSD and FreeBSD aren't compatible with each other. Having FreeBSD would certainly make porting simpler, as the two are more alike that say Linux and OpenBSD, or Windows and OpenBSD.

If you browse through the dotnet runtime code, you'll see that all the supported operating systems have code added to specifically support them. It's not much different than Java, the compiler targets an intermediate platform (JVM for Javva, CIL for C#/F#,VB.Net. The runtime needs to be ported and there's operating system specific code in the source for the runtime for all the supported operating system.

One thing to know about openbsd is that the default OS install and built-in services are mostly secure, but any third-party stuff you install is not guaranteed to be, and can be a vector for compromise.

If you intend to use it as a desktop OS, the amount of things you have to add will likely greatly increase the surface area to secure.

We once had a breach where through an insecure third-party service (I forget but it may have been some PHP script), someone managed to execute a remote payload on an openbsd server.

Luckily, the payload assumed a Linux system with an available C compiler, and it failed to “explode” in the alien openbsd environment.

To sum up, openbsd is indeed more secure but it’s not a panacea. As long as you follow best personal computing security practices you should be ok with either Linux or Openbsd.

But they also have more kernel features to secure all software, such as pledge.

You will often see major software which runs fine on Linux segfault on openbsd.

On the Linux side, aren't Flatpak and Podman enough, and even more granular, to limit file system access in the absence of pledge?
It does a lot more than limit file access. Plus most applications don’t come in a flatpak, nor do I want them to.

You can read more about pledge and the bsd specific kernel features on their site.

Firefox and chrome has been patched with pledge(2) and unveil(2). That means these items have very limited access to your system and disk. Those are usually applications people get compromised by.

For Firefox, the settings are in: /etc/firefox/policies/

IMO, pledge(2) and unveil(2) are better than anything Linux and other OSs have for sandboxing.

1. I love OpenBSD, I mostly use it for servers. I tried on Desktop, but since I was using CLion a lot at the time, the experience didn't work out (CLion uses a bundled native executable which didn't work). If you use a lot of open source software, then I'd expect the experience to be better

2. Pros: Secure, clear documentation and straight forward to configure, quality tools made by the project- pf is fantastic (I use authpf a lot too). The packages tend to have what you need included (php, etc.) When you get something set up it tends to keep running well for a long time.

Cons: If the package isn't well maintained, then it will eventually be removed, so there are some packages missing, but usually you can just compile it yourself. It also means the packages that exist tend to be maintained well and are secure.

3. Not sure on this, but one thing to check is the WiFi card. I tried with an older ThinkPad, and some of the ThinkPads have compatible Wifi cards, and some didn't. I got one that wasn't compatible.

Have you used it for authentication-type stuff, and/or can recommend anything in that direction?

I'm trying to build a homelab to learn from, and I was curious about using it for something security related like auth/IAM stuff.

Like a touch of spice to enhance the flavour profile of an otherwise Linux-heavy dish!

My sister made me install it on her Intel i3 PC one time.

The installation procedure was rather easy, I just had some hiccups when configuring stuff due to my background with Linux vs how things are done in *BSD.

But security comes at the expense of system responsiveness, so if things with an i3 processor were rather slow, all the stuff OpenBSD makes to keep you secure don't help much in that regard. Still I guess for more decent specs it can be much more bearable.

Another trade-off is that you're supposed to read a lot of documentation. Questioning things are discouraged because their documentation is the holy scriptures for them and everything is already answered there, since how to start X at boot to the meaning of life and the ultimate end of the universe. Not a welcoming mindset for newbies in my humble opinion, and even less for us who don't speak english as their native language, but surprisingly (and funny enough) some of the *BSD people diss at Linux since it's the latter the popular one and not them... So yeah, if you want a secure system you must devote a fair share of time into reading (technical) documentation, but surely you'll learn a thing or two.

I personally couldn't bear pkg/pkgsrc at all - I'm so used to Portage it felt so restrictive in terms of customizability. But if you come from, say, apt or rpm, it would be fine I guess. I heard even KDE is available for it so it seems they're working hard in making more software available for them.

Still it seems nothing beats OpenBSD in terms of security so it will be a great choice for you.

If what you say about the documentation is true, that's a paradise given recent LLM advances.
> My sister made me install it on her Intel i3 PC one time.

Your sister sounds hot!

From what you wrote, it would be interesting if FreeBSD might be something you might enjoy more. Better SMP support, ports, Linux emulation for example
(comment deleted)
Pros:

- The UNIX(TM) experience

- Better manual pages than linux

- Excellent testing ground if you want to keep your scriptery portable

Cons:

- Binary incompatible with glibc linux

- No driver support for my specific iwlwifi card

It should be pointed out that OpenBSD is not UNIX certified.

You might retort that I'm being pedantic, but you didn't say that it offers "the UNIX experience". You said it offers "the UNIX(TM) experience".

https://www.opengroup.org/openbrand/register/

And it isn't just that OpenBSD isn't certified. OpenBSD notes where it deviates from POSIX and UNIX standards (For example: https://man.openbsd.org/sh.1#STANDARDS, https://man.openbsd.org/awk.1#STANDARDS).

You might retort with some "well, UNIX really means..." argument, but that's likely to come down to things like "I prefer or am more accustomed to where OpenBSD puts things or how its package management works or the way it does configuration." And that's fine. Arguing that a system has made better choices (or choices that work better for you) is wonderful.

macOS is actually UNIX® - but I don't think that what you're trying to get at is whether something is actually offering the UNIX experience. You're probably trying to get at something else - maybe a sense that there's fewer layers of indirection for things like how programs are actually installed and configured or a simpler, more standard layout across programs for things like configuration. But calling that the UNIX experience probably isn't the right way of phrasing it, especially if you're going to put a trademark symbol in there.

I would argue that macOS (since NextStep) is trying to bring unix pipes to gui via 'Services'. Unfortunately there is no integration with Spotlight (which would make apps like Quicksilver or Alfred obsolete).
Manual pages are very high quality. Everything's in a single greppable monorepo. Surprisingly good as a router (pf, openbgpd, rpki-client). Filesystem (FFS2) is a bit inflexible compared to ZFS/btrfs/etc.
Dated experience here. I used OpenBSD a long time ago (20 years ago) as a primary desktop as well as within data center (physical not virtualized). I absolutely loved it, however expect you will spend more time configuring for your liking.

There were occasional situations where esoteric hardware support was iffy (especially software driven win modems). I anecdotally believe there’s a better experience today but would probably pay attention to GPU and wifi hardware.

Install is a breeze, probably one of the better install experiences out there. The port system was very easy to use to install 3rd party apps. Also pretty easy to build most things from source or modify for its particular differences.

The community around source contribution takes a little adjustment since there is a real focus on the OS design goals and less so on specific edge cases. Contributing to ports is a little more accessible.

I’ve used FreeBSD around the same time with similar experience. A little larger of a community there though I found OpenBSD’s contributors to be highly engaged and accessible.

1. Very easy to install and use, it is very well built.

2. Pro: Only two remote holes in the default install, in a heck of a long time! Con: Less (pre-built) software than linuxes.

3. Something cheaper than a Razer-Blade.

4. You have not stated your requirements other than 'security', which if you demand no more than two remote holes in a very long time, then OpenBSD it is. If 'security' means something other than that you might want to go with a different OS.

I think a security-focused GUI Linux distribution using hypervisor isolation may be more secure in practice for desktop/laptop use than OpenBSD.

OpenBSD base system is designed to be a very secure server OS, but this comes at the expense of requiring you to read a lot of docs and figure things out when you leave the base system. Drivers may be annoying and 3rd party software that expects Linux will not work easily. It is definitely far off the paved road. If you want your computer life to be an Interesting Challenge or Hobby, it’s good, but if you want to just get stuff done it may be frustrating.

I suggest you look into QubesOS, which has put a lot of work and research into isolating GUI applications from each other using hypervisor. Its hardened Linux VMs with a hypervisor underneath and probably what I would pick if I wanted a “secure workstation OS”. It will probably work with more laptop wifi cards than OpenBSD. https://www.qubes-os.org/

The filesystem is much slower than other OSes ; how much this matters depends on your usage patterns.

OpenBSD is very well documented and if you are focused on security research or development it can be a good choice.

I don’t like missing 3D GPU drivers, and missing .NET runtime. If it had these two things I would try OpenBSD for embedded use cases, instead of Debian or Alpine Linux.

Linux GPU story is not stellar but for embedded applications it’s not too bad; KMS, DRM, and GL or GLES library stack worked amazingly well for me.

Bad if you have Nvidia, but works OK with Intel and AMD even for new hardware.
Last time I did embedded Linux software professionally I had ARM Mali Midgard GPU in the target chip, and consumed GLES 3.1 GPU API.
My experience is you have to be committed to make it a daily driver.

- bsd is good enough for servers

- mainstream Linux is good enough for desktops

- forget about OSS laptops unless it’s a 15 years old thinkpad

Security and usability are in direct opposition to one another. Maximising either will tend to minimise the other. Given you've never used BSD, I'd expect you to have a bad time using OpenBSD as a desktop system.

Suggest using Debian and accepting that internet connected computers are not secure against hacking or spyware, however you try to set them up.

I run OpenBSD on an ancient laptop that I use to play videos. In about 7 years, I have had no bad experiences with it. Upgrading from release to release has been painless, hardware support is fine. Playing HD videos is out of the question, but the laptop is from ~2008, and it wasn't a high end model back in the day, so there is little OpenBSD can do about that.

I cannot say much about security, but in terms of reliability, I have only good things to say about the system.

EDIT: Once you connect a device to the Internet and possibly install third-party software on it, your own expertise is likely to have a bigger impact on security than the underlying system. I am not recommending to NOT use OpenBSD, but if you have no prior experience with it, you might have a better experience using what you know.

I use OpenBSD as my daily driver and develop software in Go. I use DWM + tmux + nvi + git.

Pros:

    - no-bullshit OS
    - very clean, you know what is where and why
    - distraction-free
    - proactive security approach
Cons:

    - slow if you use heavy software like Chrome
Potential deal breakers you should know about:

    - web assembly is turned off by default for security reasons (login to Hetzner or Sinology, using Google Docs is a problem)
    - watching videos in the browser does not feel great
I conclude that it is great for (my) work and encourages you to be minimalistic.
Why does Hetzner login require WebAssembly???
I can not tell for sure, but one of the “are you a robot” checks fails with the default OpenBSD Chrome settings.
Why not FreeBSD? It has very useful ports.
Ages ago I worked for a while on OpenBSD on an old Dell laptop. It was a very stable system, and I could not complain. As previous posts point out, it tends to have good support for old hardware. I used Firefox for browsing, and it was noticeably slower than on Linux. It really depends on what software you need for work. If you prefer a BSD, FreeBSD tends to be more desktop-ready in my experience (but probably less secure in depth).
> might be the most secure OS.

What are you planning to use it for (laptop suggests possibly a workstation?)

And what is your threat model? Who is the most likely attacker - govt? Crypto theft? Supply chain?

OpenBSD is an admirable operating system. We reported a local privilege escalation vulnerability in cron on openbsd due to a memory corruption flaw. Our research got surprisingly close to a reliable exploitation path and we opened up a contest for someone to demonstrate a working exploit, https://www.supernetworks.org/crontab-challenge
(comment deleted)
BSDs are a no brainer if it's up your alley to use.

It was good luck to be exposed to BSD in school.