> Proactive security
●64-bit long long time_t
(NetBSD technically did it first)
The best kind of first. Joking aside -- why is so much OpenBSD advocacy backhanded like this ? Do the writers not think that OpenBSD can stand on it's own ?
Well I think actually NetBSD just made less noise about it. You can call that "engaging with the community", and it can be helpful but since NetBSD switched in 2012 it was not the case that there was no engagement in making software work if it needed fixing.
And they will copy UBC, uvm locks, WAPBL, device abstraction layer. Just diff their kernel source to 4.3BSD and compare how close they are still. Their kernel is still stuck in the 80s.
Actually this is not quite right.
Pkgsrc pushes fixes upstream for all breakage, including the 64bit long long time_t. We just weren't born on third base thinking we scored a triple.
Slightly off topic, but does anybody know why the OpenBSD community has started using Comic Sans in all their material? Is it some kind of inside joke?
I don't find it neither good nor wrong, but there must be some reason behind it.
All the wannabes on reddit end up getting derailed into long comment chains circlejerking about comic sans; shunts a lot of people who have nothing worthwhile to say into an easy-to-avoid thread.
> Random PIDs
> Eliminates race conditions
> Say you have a root daemon that forks then the child drops privileges. If you can beat the child you can inherit root privileges
Can someone explain this? I don't see what this has to do with the randomness of pids.
Seems an extra layer in defence in depth, making it harder to attack a process between the time it is forked and the time it has dropped privileges by making it harder to find it.
Being the most secure OS, these days, is like being valedictorian of summer school.
The reality is as soon as you install a dynamic language behind a webserver all their memory tricks are for not.
They are still focusing on exploitation from 2002.
Something like after the parent forks, the child opens a file called "/tmp/log.$$" with its PID in the name as root. If you can guess the PID of the child, you could create a link with that name, pointing at a file of your choice that is owned by root, such as "/etc/passwd". Then, you need to make the child do something predictable to that file, such as ensuring that the user supplied data being logged contains text like "\npwn::0:0::/:/bin/sh\n" giving you a valid password file entry for "pwn" with no password and root privileges.
In all my years in networking, I've ran exactly one instance of OpenBGPD and that's used simply for real-time updates of (anti-spam) blacklists and whitelists [0,1].
Also, most large service providers don't tend to talk about their internal implementations.
Many in the networking field have been indoctrinated in a Cisco-only philosophy, and then get hired into that monoculture over and over to the point they don't know about anything else, other than if it's something viewed as a Cisco competitor.
Sorry, I never doubted that there are large organizations that run OpenBGPD -- it's just that I, myself, have never personally encountered one (meaningless, I know).
I do know that it's used quite often as a route server/reflector at various IXPs (and I may be standing up an instance to do just that in the near future as well) as well as a looking glass. I've managed routers from most of the large manufacturers (Cisco, Juniper, Brocade, HP/H3C, ALU, Mikrotik) and I took a good hard look at OpenBGPD a while back for a customer project so I am aware that it is quite feature-rich and capable and I certainly didn't intend to imply (if it came across that way) that it's not.
Really, the thing that I took issue with was:
> OpenBSD's OpenBGPD responsible for 30% of worldwide BGP communication
It was followed up with:
> Correction: 20% of ISPs using OpenBGPD
That claim may very well be technically correct, but it strikes me as similar to, e.g., someone claiming that 90% of users on the Internet "use Linux" simply because their traffic may have {passed through|been directed to} a {router|server|firewall} that runs Linux.
I still love Gopher. Its for people who give a shit about the content and structure, not oodles of CSS and JS cack wrapped around four square inches of content that looks like my teenage daughter fired up Word and set the font size to 18pt so she didn't have to write so much.
yes that is one. I remember accessing txt files via gopher on university systems back in the 90's. It was similar to browsing an FTP directory via a web browser, with a few more features.
Works fine in VMware ESX and HyperV. Need to run NTP though to combat clock drift. Not tried it on Xen but it has drivers for virtual NICs and storage etc.
If you watch the the ruBSD 2013 interview video with Theo de Raadt[1] at the 6:36, he states that they should take a shot at dealing with modern x86 VMs. That gives me quite a bit of hope along with the work on vmware related drivers in each release.
> strlcat() and strlcpy()
> - Solves the problem of unterminated C strings
Handling truncation correctly with those is just as much work as handling strcat and strcpy correctly. The only difference is that wrong handling of strcat and strcpy have worse effects usually.
44 comments
[ 2.4 ms ] story [ 108 ms ] threadThe best kind of first. Joking aside -- why is so much OpenBSD advocacy backhanded like this ? Do the writers not think that OpenBSD can stand on it's own ?
* NetBSD technically did it first
* But OpenBSD is the one who engaged with the rest of the software community to fix bugs that were uncovered
Now it doesn't seem so backhanded.
I don't find it neither good nor wrong, but there must be some reason behind it.
Like wearing a SPAM[1] shirt to a vegan potluck, I guess.
[1] http://www.spam.com/
http://www.openbsd.org/papers/bsdcan14-libressl/mgp00025.htm...
Can someone explain this? I don't see what this has to do with the randomness of pids.
Seems an extra layer in defence in depth, making it harder to attack a process between the time it is forked and the time it has dropped privileges by making it harder to find it.
Ummm. Citation needed?
In all my years in networking, I've ran exactly one instance of OpenBGPD and that's used simply for real-time updates of (anti-spam) blacklists and whitelists [0,1].
[0]: http://bgp-spamd.net/ [1]: http://www.openbsd.org/papers/asiabsdcon2013/phessler-bgp-sp...
Also, most large service providers don't tend to talk about their internal implementations.
Many in the networking field have been indoctrinated in a Cisco-only philosophy, and then get hired into that monoculture over and over to the point they don't know about anything else, other than if it's something viewed as a Cisco competitor.
I do know that it's used quite often as a route server/reflector at various IXPs (and I may be standing up an instance to do just that in the near future as well) as well as a looking glass. I've managed routers from most of the large manufacturers (Cisco, Juniper, Brocade, HP/H3C, ALU, Mikrotik) and I took a good hard look at OpenBGPD a while back for a customer project so I am aware that it is quite feature-rich and capable and I certainly didn't intend to imply (if it came across that way) that it's not.
Really, the thing that I took issue with was:
> OpenBSD's OpenBGPD responsible for 30% of worldwide BGP communication
It was followed up with:
> Correction: 20% of ISPs using OpenBGPD
That claim may very well be technically correct, but it strikes me as similar to, e.g., someone claiming that 90% of users on the Internet "use Linux" simply because their traffic may have {passed through|been directed to} a {router|server|firewall} that runs Linux.
gopher://gopher.anthrobsd.net/
http://gopherproxy.meulie.net/gophernicus.org/ or you can use the overbite extension for firefox.
There's a project to improve AWS/Xen support, http://www.joelroberts.org/openbsd/
I use VMware at work, seems to do ok.
1) https://www.youtube.com/watch?v=OXS8ljif9b8
Handling truncation correctly with those is just as much work as handling strcat and strcpy correctly. The only difference is that wrong handling of strcat and strcpy have worse effects usually.