Ask HN: What is your opinion on Open BSD?
I did some rudimentary research and came to the opinion that OpenBSD might be the most secure OS.
I am looking at.
- security (from hacking and spyware installations)
- usability (Tails is not practical in my case)
- availability of important tools I use.
Anyways after some research I later came to choosing between either Trisquel or OpenBSD (maybe FreeBSD)
I have not used BSD before. But it seems it's the most secure OS out there.
My questions.
1. What has been your experience with OpenBSD?
2. What are the pros & cons of using Open BSD?
3. What laptop would run OpenBSD best? (I am looking at the Razer Balde)
Given my requirements, do you have any other technologies you recommend I use?
Was choosing OpenBSD over Trisquel (Trisquel is Stallman endorsed) a better choice for someone who is concerned about privacy & security?
Thanks.
61 comments
[ 1.6 ms ] story [ 121 ms ] threadThinkPads might be your best bet. Someone here has cataloged their experience with OpenBSD on laptops: https://jcs.org/openbsd-laptops
Ref: https://jcs.org/openbsd-laptops
Really forces me to think about what I want versus need out of a computer.
> pros & cons
+ Comes with everything for a home lab: packet filter, DHCP server, FTP, and web server.
+ Bundled with C compiler and perl in base.
- Limited drawing tablet support.
> What laptop
Any model with a successful installation blog post will do.
> OpenBSD over Trisquel
With two cheaper machines for the price of one, one could run both operating systems. Then you can learn kernel compile, static IP, SSH, and practice sysadmin tasks (backups, cron, OS internals) from both perspectives.
That is pretty spot on. I really enjoy using OpenBSD, the base OS is well documented and consistent, to a degree where Linux is just left behind to an embarrassing degree. Then there are things you just can't do, unless you feel like porting a bunch of stuff.
I like having VSCode available, but I'm not in a position to start porting it to OpenBSD. I'm also currently toying around with some C# and again, I'm not porting dotnet to OpenBSD.
Then again do I NEED these thing? I can use Vim just fine and Go is a nice language which for my use case can stand in for C#. Do I need Docker... I suppose not, it's just nice to have.
You're making some interesting tradeoffs with OpenBSD. You get a better Unix, a more consistent Unix experience and really good build in tools, but if they can't support your workflow it really doesn't work.
You can see the patches for FreeBSD: https://cgit.freebsd.org/ports/commit/?id=25eaa50554b9630168...
.NET itself also supports FreeBSD and is distributed here https://www.freshports.org/lang/dotnet I assume this is compatible with OpenBSD? If not, please let me know.
If you browse through the dotnet runtime code, you'll see that all the supported operating systems have code added to specifically support them. It's not much different than Java, the compiler targets an intermediate platform (JVM for Javva, CIL for C#/F#,VB.Net. The runtime needs to be ported and there's operating system specific code in the source for the runtime for all the supported operating system.
If you intend to use it as a desktop OS, the amount of things you have to add will likely greatly increase the surface area to secure.
We once had a breach where through an insecure third-party service (I forget but it may have been some PHP script), someone managed to execute a remote payload on an openbsd server.
Luckily, the payload assumed a Linux system with an available C compiler, and it failed to “explode” in the alien openbsd environment.
To sum up, openbsd is indeed more secure but it’s not a panacea. As long as you follow best personal computing security practices you should be ok with either Linux or Openbsd.
You will often see major software which runs fine on Linux segfault on openbsd.
You can read more about pledge and the bsd specific kernel features on their site.
For Firefox, the settings are in: /etc/firefox/policies/
IMO, pledge(2) and unveil(2) are better than anything Linux and other OSs have for sandboxing.
2. Pros: Secure, clear documentation and straight forward to configure, quality tools made by the project- pf is fantastic (I use authpf a lot too). The packages tend to have what you need included (php, etc.) When you get something set up it tends to keep running well for a long time.
Cons: If the package isn't well maintained, then it will eventually be removed, so there are some packages missing, but usually you can just compile it yourself. It also means the packages that exist tend to be maintained well and are secure.
3. Not sure on this, but one thing to check is the WiFi card. I tried with an older ThinkPad, and some of the ThinkPads have compatible Wifi cards, and some didn't. I got one that wasn't compatible.
I'm trying to build a homelab to learn from, and I was curious about using it for something security related like auth/IAM stuff.
Like a touch of spice to enhance the flavour profile of an otherwise Linux-heavy dish!
The installation procedure was rather easy, I just had some hiccups when configuring stuff due to my background with Linux vs how things are done in *BSD.
But security comes at the expense of system responsiveness, so if things with an i3 processor were rather slow, all the stuff OpenBSD makes to keep you secure don't help much in that regard. Still I guess for more decent specs it can be much more bearable.
Another trade-off is that you're supposed to read a lot of documentation. Questioning things are discouraged because their documentation is the holy scriptures for them and everything is already answered there, since how to start X at boot to the meaning of life and the ultimate end of the universe. Not a welcoming mindset for newbies in my humble opinion, and even less for us who don't speak english as their native language, but surprisingly (and funny enough) some of the *BSD people diss at Linux since it's the latter the popular one and not them... So yeah, if you want a secure system you must devote a fair share of time into reading (technical) documentation, but surely you'll learn a thing or two.
I personally couldn't bear pkg/pkgsrc at all - I'm so used to Portage it felt so restrictive in terms of customizability. But if you come from, say, apt or rpm, it would be fine I guess. I heard even KDE is available for it so it seems they're working hard in making more software available for them.
Still it seems nothing beats OpenBSD in terms of security so it will be a great choice for you.
Your sister sounds hot!
- The UNIX(TM) experience
- Better manual pages than linux
- Excellent testing ground if you want to keep your scriptery portable
Cons:
- Binary incompatible with glibc linux
- No driver support for my specific iwlwifi card
You might retort that I'm being pedantic, but you didn't say that it offers "the UNIX experience". You said it offers "the UNIX(TM) experience".
https://www.opengroup.org/openbrand/register/
And it isn't just that OpenBSD isn't certified. OpenBSD notes where it deviates from POSIX and UNIX standards (For example: https://man.openbsd.org/sh.1#STANDARDS, https://man.openbsd.org/awk.1#STANDARDS).
You might retort with some "well, UNIX really means..." argument, but that's likely to come down to things like "I prefer or am more accustomed to where OpenBSD puts things or how its package management works or the way it does configuration." And that's fine. Arguing that a system has made better choices (or choices that work better for you) is wonderful.
macOS is actually UNIX® - but I don't think that what you're trying to get at is whether something is actually offering the UNIX experience. You're probably trying to get at something else - maybe a sense that there's fewer layers of indirection for things like how programs are actually installed and configured or a simpler, more standard layout across programs for things like configuration. But calling that the UNIX experience probably isn't the right way of phrasing it, especially if you're going to put a trademark symbol in there.
There were occasional situations where esoteric hardware support was iffy (especially software driven win modems). I anecdotally believe there’s a better experience today but would probably pay attention to GPU and wifi hardware.
Install is a breeze, probably one of the better install experiences out there. The port system was very easy to use to install 3rd party apps. Also pretty easy to build most things from source or modify for its particular differences.
The community around source contribution takes a little adjustment since there is a real focus on the OS design goals and less so on specific edge cases. Contributing to ports is a little more accessible.
I’ve used FreeBSD around the same time with similar experience. A little larger of a community there though I found OpenBSD’s contributors to be highly engaged and accessible.
2. Pro: Only two remote holes in the default install, in a heck of a long time! Con: Less (pre-built) software than linuxes.
3. Something cheaper than a Razer-Blade.
4. You have not stated your requirements other than 'security', which if you demand no more than two remote holes in a very long time, then OpenBSD it is. If 'security' means something other than that you might want to go with a different OS.
OpenBSD base system is designed to be a very secure server OS, but this comes at the expense of requiring you to read a lot of docs and figure things out when you leave the base system. Drivers may be annoying and 3rd party software that expects Linux will not work easily. It is definitely far off the paved road. If you want your computer life to be an Interesting Challenge or Hobby, it’s good, but if you want to just get stuff done it may be frustrating.
I suggest you look into QubesOS, which has put a lot of work and research into isolating GUI applications from each other using hypervisor. Its hardened Linux VMs with a hypervisor underneath and probably what I would pick if I wanted a “secure workstation OS”. It will probably work with more laptop wifi cards than OpenBSD. https://www.qubes-os.org/
OpenBSD is very well documented and if you are focused on security research or development it can be a good choice.
Linux GPU story is not stellar but for embedded applications it’s not too bad; KMS, DRM, and GL or GLES library stack worked amazingly well for me.
- bsd is good enough for servers
- mainstream Linux is good enough for desktops
- forget about OSS laptops unless it’s a 15 years old thinkpad
Suggest using Debian and accepting that internet connected computers are not secure against hacking or spyware, however you try to set them up.
I cannot say much about security, but in terms of reliability, I have only good things to say about the system.
EDIT: Once you connect a device to the Internet and possibly install third-party software on it, your own expertise is likely to have a bigger impact on security than the underlying system. I am not recommending to NOT use OpenBSD, but if you have no prior experience with it, you might have a better experience using what you know.
Pros:
Cons: Potential deal breakers you should know about: I conclude that it is great for (my) work and encourages you to be minimalistic.See also: https://forum.qubes-os.org/t/qubesos-vs-openbsd-security/790...
What are you planning to use it for (laptop suggests possibly a workstation?)
And what is your threat model? Who is the most likely attacker - govt? Crypto theft? Supply chain?
It was good luck to be exposed to BSD in school.