OpenBSD | |
---|---|
Logo | Puffy, the pufferfish |
Developer | The OpenBSD Project |
OS family | BSD |
Working state | Current |
Source model | Open source |
Latest release | 3.8 / November 1, 2005 |
Kernel type | Monolithic |
Default user interface | pdksh, fvwm for X11 |
License | Mostly BSD |
Official website | http://www.openbsd.org |
OpenBSD is a freely available, BSD-based Unix-like operating system. It was forked from NetBSD in 1994 by Theo de Raadt and since then has focused on security and code correctness. It has a number of security features not found or optional in other operating systems and is often the first to implement new security ideas. In addition, its developers carefully and proactively audit the system's code.
As well as security, OpenBSD maintains strict policies regarding software licensing. The project strongly prefers the BSD license and its variants—its history has included a comprehensive license audit and other moves to remove or replace code under licenses seen as less acceptable.
The OpenBSD kernel and userland programs, such as the shell and common tools like cat and ps, are developed together in a single source repository. Third-party software is available as binary packages or may be built from source using the ports tree.
History
Fork from NetBSD
In December 1994, Theo de Raadt, a co-founder and member of the NetBSD core team for two years, was asked to resign from the NetBSD Foundation. His access to the NetBSD CVS server was removed and he was instructed to e-mail any further changes to the system as patches, so that the core team could check them. He was also informed that he no longer represented the NetBSD project in any formal manner.
The only available records of these events are an incomplete set of emails, published by Theo de Raadt on his personal site[1]. From these, it appears that the then NetBSD core team of Charles Hannum, Adam Glass, Paul Kranenburg, J.T. Conklin and Chris Demetriou considered some of Theo's behavior to have been insulting to other users of and contributors to NetBSD. They also stated that they had received a considerable number of complaints. However, an email from another participant asserts that these complaints were the result of a disagreement between Theo and a single user. During the months that followed his expulsion, Theo attempted to continue work on NetBSD and to recover his access to the CVS repository. However, after finding the limits of his new status overly frustrating, he decided to create a new project, forked from NetBSD 1.0 in October 1995.
Theo de Raadt's departure and the subsequent fork caused a schism within NetBSD, forcing many developers to pick a side. Some that considered Theo's treatment unjust moved to work with him. Others that agreed with the core team's actions, or felt that Theo had been damaging to NetBSD's image and had scared away potential contributors, stayed with NetBSD. Some remained on the sidelines, contributing to both projects. In July 1996, the first release of OpenBSD, release 1.2, appeared, to be followed in October of the same year by OpenBSD 2.0[2].
Early days
At the time OpenBSD was created, the NetBSD CVS system was closed to the general public. Only members of the core team were permitted to access it. Outsiders saw only what was released and could not follow what was currently being worked on. This approach had flaws which Theo de Raadt hoped to avoid in his project. For example, because outside contributors had no way to know what had been done by the main developers, contributed patches would often be duplicates of already completed but unreleased work in the CVS repository. Theo decided to make this aspect of his project the polar opposite of NetBSD. Where the NetBSD CVS repository was private, his project's would be open. Working with Chuck Cranor[3], a server was set up to allow anonymous access to the new project's source, permitting everyone open and unrestricted access to what was being worked on at all times. It is from this that the new project took its name. This was the first time this concept was used for a software project. It has since been adopted by all of the open source BSD operating systems and many other open source projects.
Shortly after OpenBSD's creation, Theo de Raadt was contacted by a local security software developer interested in creating a tool to find and attempt to exploit possible software security flaws. This company, whose name has never been publicly revealed, began a symbiotic relationship with Theo and his newly formed OpenBSD project, a synergy that allowed him to tighten his operating system while the company expanded its tool. This relationship helped to form the focal point of the OpenBSD project. Where other systems might take the path of least resistance, OpenBSD would often go out of the way to do what was right, proper or secure, even at the cost of ease, speed or functionality. With time, relations with the company began to dissipate. As bugs within OpenBSD became harder to find and exploit, the security company found that it was too difficult, or not cost effective, to handle such obscure problems. After years of cooperation, the two parties decided that their goals together had been met and parted ways.
The POSSE project
Beginning in 2001 and continuing to April 2003, OpenBSD development was partly sponsored by DARPA, as a member of the POSSE project. This was a security initiative directed by the University of Pennsylvania Distributed Systems Laboratory and paid for through the Composable High Assurance Trusted Systems programme. POSSE was a US$2,125,000 grant designed "to introduce advanced security features used in special-purpose government computers into standard office PCs[4]." The United States government hoped to benefit from the availability of better security features in affordable, standardized computers and software. OpenBSD was selected as "the computing world’s most secure forum for the development of open-source software" and approximately $1,000,000 was allotted to its development. In addition, by applying the security auditing concepts used in OpenBSD to other projects like OpenSSL, POSSE helped to increase the overall security of free and open source software.
In April 2003, speaking in an interview to a Canadian newspaper, the Globe and Mail, Theo de Raadt remarked: "I try to convince myself that our grant means a half of a cruise missile doesn't get built." Jonathan Smith, the head of the POSSE project, stated that military officials had expressed discomfort with this comment. A short time later, the project was prematurely terminated. This was explained as being "due to world events and the evolving threat posed by increasingly capable nation-states," but some have speculated that Theo de Raadt's comments played a part in the decision[5].
Adaptec and open documentation
Recently, the OpenBSD project was involved in an argument about the release of documentation for Adaptec AAC RAID controllers. In March 2005, Theo de Raadt made a post[6] to the openbsd-misc mailing list, asserting that after four months of discussion, Adaptec had yet to disclose documentation needed to improve the OpenBSD drivers for their controllers. As in similar circumstances in the past, he encouraged the OpenBSD community to become involved and express their opinion to Adaptec.
Shortly after this, FreeBSD committer, former Adaptec employee and author of the FreeBSD AAC RAID support Scott Long[7] made a comment[8] on the OSNews website castigating Theo de Raadt for not making contact with him regarding the issues with Adaptec. This caused the discussion to spill over onto the freebsd-questions mailing list, where Theo de Raadt countered[9] by claiming that he had received no previous offer of help from Scott Long, nor had Adaptec informed him that this was who he should contact. The debate was amplified[10] by disagreements between members of the two camps regarding the use of binary-only drivers and NDAs. Theo de Raadt and the OpenBSD project are strongly opposed to and do not permit the inclusion of closed-source binary drivers in the OpenBSD source tree and are reluctant to sign NDAs. However, the policy of the FreeBSD project has been less strict and much of the Adaptec RAID management code Scott Long proposed as assistance for OpenBSD was in closed-source form or written under an NDA.
As no documentation was forthcoming before the deadline for release of OpenBSD 3.7, support for Adaptec AAC RAID controllers was removed from the standard OpenBSD kernel.
Here and now
Despite being the most commonly cited reason for OpenBSD's existence, security is not the only focus of the OpenBSD project. As a descendant of NetBSD, OpenBSD is a very portable operating system, currently running on 16 different hardware platforms, including the DEC Alpha, Intel i386 and Motorola 68000 processors, Apple's PowerPC machines, Sun Sparc and Sparc64-based computers, the VAX, the Sharp Zaurus and several others. Supported platforms are added and dropped as resources and practicality warrant. Other focuses are license purity and good documentation. OpenBSD has strict guidelines regarding the license of imported code, and strives to remove or replace existing code that is under licenses considered undesirable. The excellent quality and wide coverage of the man pages are a noted feature of the project.
Releases
OpenBSD issues new versions every six months. Each version is supported for one year after release. During this time, stable CVS trees for ports and source are updated with errata. These are listed on the OpenBSD website and provide fixes for any security and reliability problems which crop up after release. In addition, errata are made available as source patches for those who prefer them over CVS.
OpenBSD's codebase is divided into three sections at any one time: -current or -beta, -stable and -release. The -current name refers to the continuously moving development source of the system. It appears in CVS with the HEAD tag and may be built from source or installed from a snapshot. Snapshots are testing releases created from -current every few weeks. The -beta flavor is a variant of -current used when the system is in beta and approaching release, -release is the final version of OpenBSD which appears on the official CDs and FTP servers and -stable a patched version of a release which corrects any issues found while it is still supported.
Some time, usually two to three months, before a release, the set of source files that will be used to build the release is tagged in the CVS tree. Tagging marks a set of source files with a label, such as OPENBSD_3_7 for release 3.7. This label can then be used to pick out the release source files from the frequently updated -current sources. The delay between tagging and release is to allow time for packages to be built and for CDs and artwork to be produced. After this, development continues on -current in preparation for the next release.
The current release is OpenBSD 3.8. It appeared[11] on November 1, 2005 MST and includes OpenSSH 4.2 and further enhancements to the BGP and OSPF daemons. This release also includes a generic RAID management command line tool. The most impressive new security feature is a rewrite of the fundamental malloc function to use mmap, which protects against some heap-based attacks and overflows.
Uses
OpenBSD's stances on code correctness and licensing, its security enhancements and the pf firewall suit it for use in the security industry, particularly for firewalls and intrusion-detection systems. It is also commonly used for web and other servers which need to be resistant against cracking attempts and DDoS attacks. Due to the inclusion of the spamd daemon, OpenBSD occasionally sees use in mail filtering applications.
The OpenBSD project does not collect and publish usage statistics itself and there are few other sources, so popularity is hard to gauge. The nascent BSD Certification project performed a usage survey which revealed that 32.8% of BSD users (1420 of 4330 respondents) were using OpenBSD[12]. This placed it second of the four major BSD variants, behind FreeBSD with 77.0% and ahead of NetBSD with 16.3%. The DistroWatch[13] website, well-known in the Linux community and often used as a reference for popularity, publishes page hits for each of the Linux distributions and other operating systems it covers. As of December 10, 2005 it places OpenBSD in 38th place, but fairly close to the average with 137 hits per day. FreeBSD is in 11th place with 493 hits per day and a number of Linux distributions range between them. From these statistics, it is possible to conclude that OpenBSD is a substantial presence in the BSD world, with somewhere around a third of the userbase of FreeBSD, and is certainly not unnoticed in the wider open source and free software operating system community.
There are several proprietary systems which are based on OpenBSD, including Profense from Armorlogic ApS, IP360 Vulnerability Management Solution from nCircle, syswall from Syscall Network Solutions AG, GeNUGate and GeNUBox from GeNUA mbH and RTMX O/S from RTMX Inc. Of these, both RTMX and GeNUA have contributed back to OpenBSD. RTMX have sent patches to add further POSIX compliance to the system and GeNUA funded the development of SMP on the i386 platform. Several open source operating systems have also been derived from OpenBSD, notably MirOS BSD and the now defunct ekkoBSD, MicroBSD and Gentoo/OpenBSD. In addition, code from many of the OpenBSD system tools has been used in recent versions of Microsoft's Services for UNIX. This is an extension to the Windows operating system to provide some Unix-like functionality, originally based on 4.4BSD-Lite. There have also been projects which use OpenBSD as part of images for embedded systems, including OpenSoekris and flashdist. Together with tools like nsh, these allow Cisco-like embedded devices to be created[14].
OpenBSD ships with the X Window System. It presently includes two options: a recent X.org release and an older XFree86 3.3 release for legacy video cards. With these, it is possible to use OpenBSD as a desktop or workstation, making use of a desktop environment, window manager or both to give the X desktop a wide range of appearances. The OpenBSD ports tree contains many of the most popular tools for desktop use, including the desktop environments GNOME and KDE, the web browsers Mozilla Firefox and Opera, and multimedia programs. Graphical software for many uses is available from both the ports tree and by compiling POSIX compliant software. Also available are compatibility layers, which allow binary code compiled for other operating systems, including Linux, FreeBSD, SunOS and HP-UX, to be run. However, since hardware providers such as ATI and NVIDIA refuse to release open source drivers or documentation for the 3D capabilities of their video cards, OpenBSD lacks accelerated 3D graphics support.
Ports and packages
As with several other operating systems, OpenBSD uses ports and packages systems to allow for easy installation and management of programs which are not a part of the base operating system. Originally based on the FreeBSD ports tree, the systems are now quite distinct. Additionally, major changes have been made between the 3.6 and 3.8 releases and are still ongoing. These changes include the replacement of the package tools by more capable versions, written in Perl by Marc Espie. The package tools are the tools available to the user to manipulate packages and were formerly written in C.
In contrast to FreeBSD, the OpenBSD ports system is intended as a source used to create the end product, the packages. Installing a port first creates a package and then installs it using the package tools. Packages are built in bulk by the OpenBSD team for each release and snapshot. OpenBSD is also unique among the BSDs in that the ports and base trees are developed and released together for each version. This means that the ports or packages released with, for example, 3.7 are not suitable for use with 3.6 and vice versa. This policy lends a great deal of stability to the development process, but means that the software in ports for the latest OpenBSD release can lag somewhat from the latest version available from the author.
An OpenBSD port is made up of a makefile, text files with descriptions and installation messages, any patches required to adjust the program to work on OpenBSD and a packing list listing the files to be included in the packages. The ports tree uses a set of standard makefiles, some of which are shared with the source tree, to provide the bulk of its functionality. This shared infrastructure includes many utility functions for port developers and means that ports can often be made very simply. As a security precaution or an aid when developing new ports, port builds may be run using systrace and a default policy is provided.
Security
OpenBSD is well-known for its security focus and track record. Until June 2002, the OpenBSD website featured the slogan:
- "No remote hole in the default install, in nearly 6 years."
In June 2002, Internet Security Systems discovered a bug in the OpenSSH code implementing challenge-response authentication[15]. This was the first and, so far, only vulnerability discovered in the OpenBSD default installation which allowed an attacker remote access to the root account. It was extremely serious, partly due to the widespread use of OpenSSH by that time—the bug affected a considerable number of other operating systems[16]. This problem necessitated the adjustment of the slogan on the OpenBSD website to:
- "Only one remote hole in the default install, in more than 8 years."
This statement has been criticized because little is enabled in a default install of OpenBSD and releases have included software that later was found to have remote holes. The OpenBSD project maintains that the slogan is intended to refer to a default install and that it is correct by that measure. One of the OpenBSD project's fundamental ideas is a consistent drive for systems to be simple, clean and "Secure by Default." For example, OpenBSD's minimal defaults fit in with standard computer security practice of enabling as few services as possible on production machines and the project uses open source and code auditing practices which have been argued to be important elements of a security system[17].
API and build changes
The strcpy and strcat string functions commonly used with the C programming language are easy to misuse, leading to bugs and security flaws. The existing alternatives, strncpy and strncat[18], are not ideal, so OpenBSD developers Todd C. Miller and Theo de Raadt implemented the strlcpy and strlcat functions[19]. These are designed to be safer and more consistent replacements for strncat and strncpy, making it harder for programmers to leave buffers unterminated or allow them to be overflowed[20]. These functions have been adopted by the NetBSD and FreeBSD projects but have notably not been accepted by the GNU C library. Its maintainer, Ulrich Drepper, vehemently opposes their incorporation, stating that memcpy is an adequate solution to the problems[21]. The OpenBSD linker has been changed to issue a warning when unsafe functions are found, such as strcpy, strcat or sprintf, another string manipulation function that is often a cause of errors. All occurrences in the OpenBSD source tree have been replaced and a policy of patching any uses found in the ports tree has been adopted. In addition, a static bounds checker is included in OpenBSD in an attempt to find other common programming mistakes at compile time[22]. Other security-related APIs developed by the OpenBSD project are issetugid and arc4random[23].
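The contrast the paragraph draws, as an added example that is not OpenBSD's libc code: strlcpy and strlcat written to their documented contract (prefixed my_ so the file builds whether or not the host libc provides them), beside the strncpy hazard they replace and the truncation-checking idiom they were designed for. The path-building helper join_path is a hypothetical name for illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Added example, not OpenBSD's source. Contract of the OpenBSD functions:
 * if size > 0 the destination is always NUL-terminated, and the return
 * value is the length the untruncated result would have had, so a return
 * value >= size tells the caller that truncation occurred. */
size_t my_strlcpy(char *dst, const char *src, size_t size)
{
    size_t srclen = strlen(src);

    if (size > 0) {
        size_t n = srclen < size - 1 ? srclen : size - 1;
        memcpy(dst, src, n);
        dst[n] = '\0';          /* the terminator strncpy does not promise */
    }
    return srclen;
}

size_t my_strlcat(char *dst, const char *src, size_t size)
{
    size_t dstlen = 0;

    /* Bounded scan: never trust dst to be terminated within size bytes. */
    while (dstlen < size && dst[dstlen] != '\0')
        dstlen++;
    if (dstlen == size)         /* no terminator found: nothing is appended */
        return size + strlen(src);
    return dstlen + my_strlcpy(dst + dstlen, src, size - dstlen);
}

/* The classic strncpy hazard: a 10-character source into an 8-byte buffer
 * fills every byte and leaves no terminator, so any later strlen() or
 * printf("%s") on buf reads past its end. Returns 1 when that happened. */
int strncpy_left_unterminated(void)
{
    char buf[8];

    memset(buf, 'X', sizeof buf);              /* stand-in for stack garbage */
    strncpy(buf, "0123456789", sizeof buf);
    return memchr(buf, '\0', sizeof buf) == NULL;
}

/* The same copy with my_strlcpy: dst is always a valid string, and the
 * caller learns about truncation instead of silently accepting it.
 * Returns 0 when the whole string fit, -1 when it was cut short. */
int copy_checked(char *dst, size_t size, const char *src)
{
    return my_strlcpy(dst, src, size) >= size ? -1 : 0;
}

/* The idiom the functions were designed for: build "dir/file" and refuse,
 * rather than truncate, when it does not fit, since a truncated path may
 * name a different file. Every step checks its return value. */
int join_path(char *dst, size_t size, const char *dir, const char *file)
{
    if (my_strlcpy(dst, dir, size) >= size)
        return -1;
    if (my_strlcat(dst, "/", size) >= size)
        return -1;
    if (my_strlcat(dst, file, size) >= size)
        return -1;
    return 0;
}

int main(void)
{
    char path[16];

    printf("strncpy left buffer unterminated: %d\n", strncpy_left_unterminated());
    printf("copy_checked(8 bytes, \"0123456789\") -> %d, buffer \"%s\"\n",
           copy_checked(path, 8, "0123456789"), path);
    printf("join_path -> %d, path \"%s\"\n",
           join_path(path, sizeof path, "/etc", "passwd"), path);
    printf("join_path into 8 bytes -> %d\n", join_path(path, 8, "/usr/local", "bin"));
    return 0;
}
```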
The OpenBSD team have a policy of seeking out examples of classic, K&R-style C code and converting it to the more modern ANSI equivalent. Along with DragonFly BSD, they are the only open source operating systems with such a goal. A standard code style, the Kernel Normal Form, must be applied to all code before it is considered for inclusion in the base operating system. This dictates how code must look in order to be easily maintained and understood. Existing code is actively updated to meet the style requirements.
Memory protection
OpenBSD integrates several technologies to help protect the operating system from attacks such as buffer overflows or integer overflows.
Developed by Hiroaki Etoh, ProPolice[24] is a GCC extension for protecting applications from stack-smashing attacks. In order to make this possible, it performs a number of operations. Local stack variables are reordered to place buffers after pointers, protecting them from corruption in case of a buffer overflow. Pointers from function arguments are also placed before local buffers and a canary value is placed after local buffers. When the function exits, this canary can be used to detect buffer overflows. ProPolice chooses whether or not to protect a buffer based on automatic heuristics which judge how vulnerable it is, reducing the performance overhead of the protection. It was integrated into the OpenBSD gcc in December 2002, and first made available in version 3.3; the protection was applied to the kernel in release 3.4. The extension works on all the CPU architectures supported by OpenBSD and is activated by default, so any C code compiled will be protected without user intervention.
In May 2004, OpenBSD on the sparc platform received further stack protection in the form of StackGhost. This makes use of features of the sparc architecture to help prevent exploitation of buffer overflows[25]. Support for sparc64 was added to -current in March 2005.
OpenBSD 3.4 introduced W^X ("W xor X"), a memory management scheme to ensure that memory is either writable or executable, but never both. This provides another layer of protection against buffer overflows. While this is relatively easy to implement on a platform like AMD64, which has hardware support for the NX bit, OpenBSD is one of the few OSes to support this on the generic i386 platform.
During the development cycle of the 3.8 release, changes were made to the malloc memory management functions. In traditional Unix operating systems, malloc allocates more memory by extending the Unix data segment. This has made it difficult to implement strong protection against security problems. The malloc implementation now in OpenBSD makes use of the mmap system call, which was modified so that it returns random memory addresses and ensures that different areas are not mapped next to each other. In addition, allocation of small blocks in shared areas is now randomized and the free function was changed to return memory to the kernel immediately rather than leaving it mapped into the process. A number of additional, optional checks were also added to aid in development. These features make program bugs easier to detect and harder to exploit. Instead of memory being corrupted or an invalid access being ignored, they often result in a SIGSEGV and termination of the process. This has brought to light several issues with software running on OpenBSD 3.8, particularly with programs reading beyond the start or end of a buffer. This type of bug would previously have gone unnoticed but can now cause an error.
These abilities took more than three years to implement without considerable performance loss. They are similar in goal to the Electric Fence malloc debugging library by Bruce Perens, but are enabled by default in OpenBSD.
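The behaviour described in the two paragraphs above, as an added example that is not OpenBSD's malloc: a minimal Electric Fence-style allocator in which every allocation is its own mmap() region ending at an inaccessible guard page and free() unmaps immediately, so the one-past-the-end read that a contiguous heap would silently serve raises SIGSEGV. guard_alloc, guard_free and read_faults are hypothetical names; the code assumes a POSIX mmap/sigaction environment (Linux or a BSD) and only byte alignment.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <setjmp.h>
#include <signal.h>
#include <stdint.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/* Added example, not OpenBSD's malloc. Each allocation is its own mapping,
 * the caller's bytes end exactly at a PROT_NONE guard page, and guard_free()
 * returns the region to the kernel at once, so an off-by-one read or a use
 * after free faults instead of quietly returning a neighbour's data. */

static size_t page_size(void)
{
    long ps = sysconf(_SC_PAGESIZE);
    return ps > 0 ? (size_t)ps : 4096;
}

static size_t round_up(size_t n, size_t align)
{
    return (n + align - 1) / align * align;
}

/* n usable bytes, right-aligned so that byte n lies in the guard page. */
unsigned char *guard_alloc(size_t n)
{
    size_t ps = page_size();
    size_t data = round_up(n ? n : 1, ps);
    unsigned char *base = mmap(NULL, data + ps, PROT_READ | PROT_WRITE,
                               MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);

    if (base == MAP_FAILED)
        return NULL;
    if (mprotect(base + data, ps, PROT_NONE) != 0) {   /* the guard page */
        munmap(base, data + ps);
        return NULL;
    }
    return base + data - n;
}

/* Unmap immediately, as the 3.8 free() does, rather than keep the memory. */
void guard_free(unsigned char *p, size_t n)
{
    size_t data = round_up(n ? n : 1, page_size());

    munmap(p - (data - n), data + page_size());
}

/* Probe: read one byte and report 1 if it faulted, 0 if it succeeded.
 * SIGSEGV/SIGBUS are caught with sigsetjmp so the demo survives the fault. */
static sigjmp_buf fault_env;
static volatile sig_atomic_t faulted;

static void on_fault(int sig)
{
    (void)sig;
    faulted = 1;
    siglongjmp(fault_env, 1);
}

int read_faults(volatile unsigned char *p)
{
    struct sigaction sa, old_segv, old_bus;

    memset(&sa, 0, sizeof sa);
    sa.sa_handler = on_fault;
    sigemptyset(&sa.sa_mask);
    sa.sa_flags = SA_NODEFER;
    sigaction(SIGSEGV, &sa, &old_segv);
    sigaction(SIGBUS, &sa, &old_bus);
    faulted = 0;
    if (sigsetjmp(fault_env, 1) == 0) {
        unsigned char v = *p;       /* volatile: the load really happens */
        (void)v;
    }
    sigaction(SIGSEGV, &old_segv, NULL);
    sigaction(SIGBUS, &old_bus, NULL);
    return faulted;
}

/* The last valid byte of a 13-byte buffer reads fine; the byte after it,
 * which a break-extending heap would hand back silently, hits the guard page.
 * Returns 1 when both observations hold, -1 if the mapping failed. */
int overread_is_caught(void)
{
    size_t n = 13;
    unsigned char *buf = guard_alloc(n);
    int ok;

    if (buf == NULL)
        return -1;
    memset(buf, 'A', n);
    ok = read_faults(&buf[n - 1]) == 0 && read_faults(&buf[n]) == 1;
    guard_free(buf, n);
    return ok;
}
```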
Other features
OpenBSD uses a password-hashing algorithm derived from Bruce Schneier's Blowfish block cipher. This takes advantage of the slow Blowfish key schedule to make password-checking inherently CPU-intensive so that password-cracking attempts are slower and more difficult. The project was perhaps the first to disable the plain-text telnet daemon in favor of the encrypted SSH daemon. The OpenBSD SSH daemon, OpenSSH, is now included in all major BSD operating systems and Linux distributions.
The OpenBSD network stack makes heavy use of randomization to increase security and reduce the predictability of various values that may be of use to an attacker, including TCP ISNs and timestamps, and ephemeral source ports[26]. OpenBSD also includes a number of features designed to increase network resilience and availability, including countermeasures for problems with ICMP and software for redundancy, such as CARP and pfsync.
Privilege separation, privilege revocation, chrooting and randomized loading of libraries also play a role in increasing the security of the system. Many of these have been applied to the OpenBSD versions of common programs such as tcpdump and Apache.
Licensing
OpenBSD contains components under a variety of different licenses. The ISC license is preferred for new code but the MIT or BSD licenses are accepted. The GPL is considered overly restrictive in comparison with these; code licensed under it, and other licenses the project sees as undesirable, is no longer accepted for addition to the base system. In addition, existing code under such licenses is actively replaced when possible, although in some cases, such as GCC, there is no suitable replacement and creating one is time-consuming and impractical. OpenBSD also has a history of fighting for more liberally licensed releases of code. To allow code with an unsuitable license to be used by the project, OpenBSD developers usually attempt to have it relicensed by the copyright holders. However, this path has sometimes had limited success. As an alternative, developers have completely replaced tools from the ground up or reshaped an existing tool which is appropriately licensed but lacks functionality.
Audit
In June 2001, triggered by concerns over Darren Reed's modification of IPFilter's license wording, developers began a systematic license audit of the OpenBSD ports and source trees[27]. Code in more than 100 files throughout the system was found to be unlicensed, ambiguously licensed or in use against the terms of the license. To ensure that all licenses were properly adhered to, an attempt was made to make contact with all the relevant copyright holders. Some pieces of code were removed and many were replaced. Others, including the multicast routing tools mrinfo and map-mbone[28], which were licensed by Xerox for research only, were relicensed so that OpenBSD could continue to use them.
Also of note during this audit was the removal of all software produced by Daniel J. Bernstein from the OpenBSD ports tree. At the time, Daniel requested that all modified versions of his code be approved by him prior to redistribution. The OpenBSD project was unwilling to devote time or effort to this requirement, so all DJB ports were removed[29]. This led to a clash with Daniel, who felt this removal to be uncalled for, cited the Netscape web browser as much less free and accused the OpenBSD project and Theo de Raadt of hypocrisy for permitting Netscape to remain while removing his software[30]. OpenBSD's stance was that Netscape, although not open source, had license conditions that were much easier to meet[31]. They asserted that DJB's demand for control of derivatives would lead to a great deal of additional work and that removal was the most appropriate way to comply with his requirements.
XFree86
In January 2004, the president of the XFree86 project, David Dawes, announced[32] the addition of a licensing clause to all of the software distributed by the project. This clause, which applied after XFree86 4.4 RC2, served as an additional restriction for redistributors making use of the code. Comparable to the advertising clause of the original four-clause BSD license, the change caused a great deal of distress and dissent within the communities making use of XFree86. Expressing the view of the OpenBSD project, Theo de Raadt said that "like other projects, we will not be incorporating new code from David Dawes into the XFree86 codebase used in OpenBSD. All such changes have to be skipped, rewritten, or you can contact the XFree86 group and place your own efforts to repair this damage[33]." Because of this, OpenBSD 3.6 shipped with a patched version of XFree86 4.4 RC2. Later releases have replaced XFree86 with the X.org implementation.
Highlights
Over the years, OpenBSD has made some significant strides in relicensing or replacing code whose licenses are incompatible with the goals of the project. Of particular note is the development of OpenSSH. OpenSSH was based on the original SSH suite and developed further by the OpenBSD team. It first appeared in OpenBSD 2.6 and is now the single most popular SSH implementation. OpenSSH is available as standard on most free Unix-like and many commercial operating systems and available as a package on most others.
Also worth mentioning is the development, after license restrictions were imposed on IPFilter, of the pf packet filter. pf first appeared[34] in OpenBSD 3.0 and is now available in DragonFly BSD, NetBSD and FreeBSD. Two years later, code from ALTQ, which had a license disallowing the sale of derivatives, was relicensed, integrated into pf and made available in OpenBSD 3.3. In OpenBSD 3.4, code from the LGPL licensed p0f[35] was relicensed to allow pf to feature passive operating system detection.
OpenBSD 3.5 featured CARP, an open alternative to the HSRP and VRRP redundancy systems available from commercial vendors, and other recent OpenBSD releases have seen the GPL licensed tools diff, grep, gzip, bc, dc, nm and size replaced with BSD licensed equivalents.
The period leading up to the release of OpenBSD 3.6 saw the development of OpenNTPD, a compatible alternative to the reference NTP daemon. The goal of OpenNTPD is not solely a compatible license: it also aims to be a simple, secure NTP implementation providing acceptable accuracy for most cases, without requiring detailed configuration[36].
Distribution and marketing
OpenBSD is available freely in various ways: the source can be retrieved by anonymous CVS or CVSup and binary releases and development snapshots can be downloaded with ftp or http. Prepackaged CD sets can be ordered online for a small fee, complete with an assortment of stickers and a copy of the release's theme song. Rather than provide full release ISO images so that CDs may be easily burned, OpenBSD makes only a small install ISO available for download. This is to encourage the sale of the official CDs. These, with their artwork and other bonuses, are one of the project's few sources of income, funding hardware, bandwidth and other expenses.
Puffy, the pufferfish, is the mascot of the OpenBSD project as well as its child projects: OpenSSH, OpenNTPD, OpenCVS and OpenBGPD. Puffy was selected because of the Blowfish algorithm used in OpenSSH and the strongly defensive image of the puffer, whose spikes help deter predators. He quickly became very popular, mainly because of the cute image of the fish and his distinction from the beastie used by FreeBSD and the horde of daemons then used by NetBSD. Puffy made his first public appearance in OpenBSD 2.6. Since then, many releases have seen a different side of Puffy presented on tee-shirts and posters. These have included Puffiana Jones, the famed hackologist and adventurer, seeking out the Lost RAID; Puffathy, a little Alberta girl, who must work with Taiwan to save the day; Sir Puffy of Ramsay, a freedom fighter who, with Little Bob of Beckley, took from the rich and gave to all; and Puff Daddy, famed rapper and political icon.
After a number of releases, OpenBSD has become notorious for its catchy songs and interesting and often comical artwork. The promotional material of early OpenBSD releases did not have a cohesive theme or design. However, starting with OpenBSD 3.0, the CDs, posters and tee-shirts have been designed together, with the same style and with a single theme. These themes have been worked on by Ty Semaka of the Plaid Tongued Devils. At first they were done lightly and only intended to add humour but, as the concept has evolved, they have become a part of the OpenBSD evangelism, with each release expanding a moral or political point important to the project, often through parody. Past themes have included: in OpenBSD 3.8, the Hackers of the Lost RAID, a parody of Indiana Jones linked to the new RAID tools featured as part of the release; The Wizard of OS, making its debut in OpenBSD 3.7, based on the work of Pink Floyd and a parody of The Wizard of Oz related to the project's recent wireless hacking; and OpenBSD 3.3's Puff the Barbarian, including an 80s rock-style song and parody of Conan the Barbarian, alluding to open documentation.
In addition to the slogans used on tee-shirts and posters for releases, OpenBSD occasionally produces other material. Over the years, catch-phrases have included "Sending script-kiddies to /dev/null since 1995", "Functional, secure, free - choose 3" and "Secure by default." There have also been a few insider slogans, only available on tee-shirts made for developer gatherings, particularly: "World class security for much less than the price of a cruise missile" and a crufty old octopus proclaiming "Shut up and hack!"
Hackathons
The first OpenBSD hackathon began on June 4, 1999, starting an annual tradition. During a hackathon, many of the developers come together for a period which usually sees rapid OpenBSD development. The original hackathon took place in Theo de Raadt's hometown of Calgary, Alberta, Canada and was attended by ten developers. It was focused on cryptographic development; part of the reason for holding it in Canada was to avoid legal problems caused by United States regulations on the export of cryptographic software. This origin has left its mark on the naming of every hackathon since: each is designated with a name beginning with the letter c, which originally stood for crypto and later for Calgary. Since then, hackathons have become a big event, a week-long gathering during which up to 60 developers from around the world come together to drink beer, listen to Eläkeläiset, hike, and hack on OpenBSD.
As of late 2005, there have been 10 official hackathons. Most have been held in Calgary, but others have taken place in Sechelt, British Columbia; Cambridge, Massachusetts; Washington, DC; and Venice, Italy.
Books
A number of books on OpenBSD have been published, including:
- Mastering FreeBSD and OpenBSD Security by Yanek Korff, Paco Hope and Bruce Potter. ISBN 0-596-00626-8.
- Building Firewalls with OpenBSD and PF: Second Edition by Jacek Artymiak. ISBN 83-916651-1-9.
- Secure Architectures with OpenBSD by Brandon Palmer and Jose Nazario. ISBN 0-321-19366-0.
- Absolute OpenBSD, Unix for the Practical Paranoid by Michael W. Lucas. ISBN 1-886411-99-9.
- Building Linux and OpenBSD Firewalls by Wes Sonnenreich and Tom Yates. ISBN 0-471-35366-3.
See also
- Comparison of operating systems
- BSD and GPL licensing
- OpenBSD developers
- Security focused operating system
Notes and references
- ^ Theo de Raadt's personal site is here and the mail archive here.
- ^ de Raadt, Theo. Mail to openbsd-announce: The OpenBSD 2.0 release, October 18, 1996. Accessed December 10, 2005.
- ^ Chuck Cranor's site is here.
- ^ University of Pennsylvania Almanac, Vol. 48, No. 6. $2.1 Million: Integrate Security Features into Computers, October 2, 2001. Accessed December 9, 2005.
- ^ LWN.net. DARPA Cancels OpenBSD Funding, April 23, 2003. Accessed November 21, 2005.
- ^ de Raadt, Theo. Mail to openbsd-misc: Adaptec AAC raid support, March 18, 2005. Accessed December 9, 2005.
- ^ Scott Long's site is here.
- ^ Long, Scott. Post to OSNews: From a BSD and former Adaptec person..., March 19, 2005. Accessed December 9, 2005.
- ^ de Raadt, Theo. Mail to freebsd-questions: aac support, March 19, 2005. Accessed December 9, 2005.
- ^ de Raadt, Theo. Mail to freebsd-questions: aac support, March 19, 2005. Accessed December 9, 2005.
- ^ de Raadt, Theo. Mail to openbsd-misc: 3.8 release, November 1, 2005. Accessed December 9, 2005.
- ^ BSD Certification site: here; PDF of usage survey results: here.
- ^ Distrowatch site: here.
- ^ OpenSoekris, flashdist and nsh.
- ^ Internet Security Systems. OpenSSH Remote Challenge Vulnerability, June 26, 2002. Accessed December 17, 2005.
- ^ A partial list of affected operating systems is here.
- ^ Wheeler, David A. Secure Programming for Linux and Unix HOWTO, 2.4. Is Open Source Good for Security?, March 3, 2003. Accessed December 10, 2005.
- ^ Man pages: strncpy and strncat.
- ^ Man pages: strlcpy and strlcat.
- ^ Miller, Todd C. and Theo de Raadt. strlcpy and strlcat - consistent, safe, string copy and concatenation. Proceedings of the 1999 USENIX Annual Technical Conference, June 6-11, 1999, pp. 175–178.
- ^ Drepper, Ulrich. Mail to libc-alpha: Re: PATCH: safe string copy and concetation(sic), August 8, 2000. Accessed December 9, 2005.
- ^ Madhavapeddy, Anil. Mail to openbsd-cvs: CVS: cvs.openbsd.org: src, June 6, 2003. Accessed December 9, 2005.
- ^ Man pages: issetugid and arc4random.
- ^ Frantzen, Mike and Mike Shuey. StackGhost: Hardware Facilitated Stack Protection. Proceedings of the 10th USENIX Security Symposium, August 13–17, 2001, pp. 55–66.
- ^ ProPolice site: here.
- ^ Biancuzzi, Federico. OpenBSD's network stack. SecurityFocus, October 12, 2005. Accessed December 10, 2005.
- ^ NewsForge. OpenBSD and ipfilter still fighting over license disagreement, June 6, 2001. Accessed November 23, 2005.
- ^ Man pages: mrinfo and map-mbone.
- ^ de Raadt, Theo. Mail to openbsd-misc: Re: Why were all DJB's ports removed? No more qmail?, August 24, 2005. Accessed December 9, 2005.
- ^ Bernstein, DJ. Mail to openbsd-misc: Re: Why were all DJB's ports removed? No more qmail?, August 27, 2005. Accessed December 9, 2005.
- ^ Espie, Marc. Mail to openbsd-misc: Re: Why were all DJB's ports removed? No more qmail?, August 28, 2005. Accessed December 9, 2005.
- ^ Dawes, David. Mail to xfree86-forum: Announcement: Modification to the base XFree86(TM) license, January 29, 2004. Accessed December 9, 2005.
- ^ de Raadt, Theo. Mail to openbsd-misc: XFree86 license, February 16, 2004. Accessed December 9, 2005.
- ^ Hartmeier, Daniel. Design and Performance of the OpenBSD Stateful Packet Filter (pf). Accessed December 9, 2005.
- ^ p0f official site.
- ^ OpenNTPD.org. Goals. Accessed December 9, 2005.