Ask HN: What is your opinion on Open BSD?
45 points by max_ 49 days ago | 59 comments
I am looking for a new OS to base my work on.

I did some rudimentary research and came to the opinion that OpenBSD might be the most secure OS.

I am looking at:

- security (from hacking and spyware installations)

- usability (Tails is not practical in my case)

- availability of important tools I use.

Anyway, after some research I later came to choosing between either Trisquel or OpenBSD (maybe FreeBSD).

I have not used BSD before. But it seems it's the most secure OS out there.

My questions:

1. What has been your experience with OpenBSD?

2. What are the pros & cons of using Open BSD?

3. What laptop would run OpenBSD best? (I am looking at the Razer Blade)

Given my requirements, do you have any other technologies you recommend I use?

Was choosing OpenBSD over Trisquel (Trisquel is Stallman endorsed) a better choice for someone who is concerned about privacy & security?

Thanks.




I think a security-focused GUI Linux distribution using hypervisor isolation may be more secure in practice for desktop/laptop use than OpenBSD.

The OpenBSD base system is designed to be a very secure server OS, but this comes at the expense of requiring you to read a lot of docs and figure things out when you leave the base system. Drivers may be annoying and 3rd party software that expects Linux will not work easily. It is definitely far off the paved road. If you want your computer life to be an Interesting Challenge or Hobby, it’s good, but if you want to just get stuff done it may be frustrating.

I suggest you look into QubesOS, which has put a lot of work and research into isolating GUI applications from each other using a hypervisor. It's hardened Linux VMs with a hypervisor underneath, and probably what I would pick if I wanted a “secure workstation OS”. It will probably work with more laptop wifi cards than OpenBSD. https://www.qubes-os.org/


I have used OpenBSD as my daily driver for maybe 3 or 4 years, though I stopped after a dispute over the merge of some of my patches which I found petty.

My experience on the good side:

- OpenBSD has a very clean code base. Simple and to the point with no useless abstraction, which is ideal if you want to understand your kernel or make light changes. It's obviously opinionated, but I found OpenBSD to be clearer and simpler than FreeBSD and even NetBSD.

- Modification, build and boot of a kernel is a breeze. If you have been frustrated with Linux kernel development, OpenBSD is a million times simpler.

- If you use a common laptop, especially ThinkPads T series, then hardware and drivers won't be an issue.

- My usage is pretty typical for a programmer user: I need a WM (i3), a browser, a nice terminal, and development tools (c, c++, rust, python). Software is pretty up to date IMHO, nothing to complain about.

On the bad side:

- I found the core community annoying and immature. Every discussion that implies something could be done in a manner that resembles what Linux does has to be mocked and turned to derision. It feels like a small circle of long-time friends keeps the project in their hands, and you're either in or out of this circle. This leads to an "us versus them" mentality that I dislike.


The issue with the community is foundational. The entire project was born out of a personal dispute between Theo and the NetBSD team he was contributing to. I recall he was a frequent headliner on Slashdot in the late 90s due to his flame wars.

It was entertaining to read as a younger person but these days I prefer to avoid drama.

I haven’t deployed an openbsd system in a while as I feel the industry has standardized so many lessons that openbsd pioneered back then, and it is no longer novel to have a secure by default OS.


One thing to know about openbsd is that the default OS install and built-in services are mostly secure, but any third-party stuff you install is not guaranteed to be, and can be a vector for compromise.

If you intend to use it as a desktop OS, the amount of things you have to add will likely greatly increase the surface area to secure.

We once had a breach where through an insecure third-party service (I forget but it may have been some PHP script), someone managed to execute a remote payload on an openbsd server.

Luckily, the payload assumed a Linux system with an available C compiler, and it failed to “explode” in the alien openbsd environment.

To sum up, openbsd is indeed more secure but it’s not a panacea. As long as you follow best personal computing security practices you should be ok with either Linux or Openbsd.


Firefox and Chrome have been patched with pledge(2) and unveil(2). That means these programs have very limited access to your system and disk. Those are usually the applications people get compromised by.

For Firefox, the settings are in: /etc/firefox/policies/

IMO, pledge(2) and unveil(2) are better than anything Linux and other OSs have for sandboxing.


But they also have more kernel features to secure all software, such as pledge.

You will often see major software which runs fine on Linux segfault on openbsd.


On the Linux side, aren't Flatpak and Podman enough, and even more granular, to limit file system access in the absence of pledge?


It does a lot more than limit file access. Plus most applications don’t come in a flatpak, nor do I want them to.

You can read more about pledge and the bsd specific kernel features on their site.
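Since the sub-thread above argues about what pledge(2) and unveil(2) actually restrict, here is an added example of the call sequence in a small C program. It is not code from the thread or from the OpenBSD project: the `sandbox_unveil`/`sandbox_pledge` wrapper names are mine, the sample file contents are constructed, and on non-OpenBSD systems the wrappers are no-op stubs (an assumption made only so the control flow compiles and runs anywhere; the restrictions are enforced only on OpenBSD).

```c
/* Added example: confine a process with unveil(2) and unveil-then-pledge(2).
 * On OpenBSD the real system calls are used; elsewhere they are stubbed out
 * as no-ops (assumption: the stubs exist only to keep the example portable). */
#define _DEFAULT_SOURCE 1   /* glibc: expose mkstemp(3) even in strict modes */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#ifdef __OpenBSD__
#define sandbox_unveil(p, perms) unveil((p), (perms))
#define sandbox_pledge(promises) pledge((promises), NULL)
#else
/* Not OpenBSD: no-op stubs so the example still compiles and runs. */
static int sandbox_unveil(const char *p, const char *perms) { (void)p; (void)perms; return 0; }
static int sandbox_pledge(const char *promises) { (void)promises; return 0; }
#endif

/* Make exactly one file visible (read + create/remove), then shrink the
 * process to the pledge promises needed to read and delete it. Returns 0 on
 * success, -1 if any call fails. Order matters: unveil first, then pledge,
 * because the final pledge omits the "unveil" promise, so no further
 * unveil(2) calls are possible afterwards. */
int confine_to_file(const char *path)
{
    /* "r": read access, "c": the path may be created or removed. */
    if (sandbox_unveil(path, "rc") == -1)
        return -1;
    /* unveil(NULL, NULL) locks the view: nothing else on the fs is visible. */
    if (sandbox_unveil(NULL, NULL) == -1)
        return -1;
    /* "stdio" for basic I/O, "rpath" to open files read-only, "cpath" to
     * unlink. Any other syscall class (sockets, exec, wpath, ...) kills
     * the process with SIGABRT instead of returning an error. */
    if (sandbox_pledge("stdio rpath cpath") == -1)
        return -1;
    return 0;
}

/* Count newline-terminated lines in `path`; -1 if it cannot be opened
 * (on OpenBSD, a path outside the unveil set opens with ENOENT). */
long count_lines(const char *path)
{
    FILE *f = fopen(path, "r");
    if (f == NULL)
        return -1;
    long n = 0;
    int c;
    while ((c = fgetc(f)) != EOF)
        if (c == '\n')
            n++;
    fclose(f);
    return n;
}

/* Write a constructed sample file, confine the process to it, read it back,
 * remove it. Returns the line count (3 for the sample) or -1 on failure. */
long demo(void)
{
    /* Constructed sample input; written BEFORE the sandbox is applied,
     * because after pledge("stdio rpath cpath") writes are not allowed. */
    char path[] = "/tmp/unveil-demo.XXXXXX";
    const char *sample = "alpha\nbeta\ngamma\n";
    int fd = mkstemp(path);
    if (fd == -1)
        return -1;
    if (write(fd, sample, strlen(sample)) != (ssize_t)strlen(sample)) {
        close(fd);
        unlink(path);
        return -1;
    }
    close(fd);

    if (confine_to_file(path) == -1) {
        unlink(path);
        return -1;
    }
    long n = count_lines(path);   /* allowed: unveiled "r" + pledge rpath */
    unlink(path);                 /* allowed: unveiled "c" + pledge cpath */
    return n;
}

int main(void)
{
    long n = demo();
    printf("lines read inside the sandbox: %ld\n", n);
    /* On OpenBSD this probe prints "no" because /etc was never unveiled;
     * with the stubs it prints "yes", so it is informative only. */
    printf("/etc/passwd visible: %s\n", count_lines("/etc/passwd") == -1 ? "no" : "yes");
    return n == 3 ? 0 : 1;
}
```

Build with `cc -o unveil-demo unveil-demo.c` and run it. The point the example makes about "more than limiting file access": after the pledge call the process cannot open a socket, exec a binary or write a file even to the one path it can still see, and a violation does not fail gracefully but aborts the process, which is why the Firefox/Chrome ports needed patching rather than just a file-system policy. A Flatpak or container policy can express the file view; the syscall-class promise set is what has no direct Linux equivalent.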


Dated experience here. I used OpenBSD a long time ago (20 years ago) as a primary desktop as well as within data center (physical not virtualized). I absolutely loved it, however expect you will spend more time configuring for your liking.

There were occasional situations where esoteric hardware support was iffy (especially software driven win modems). I anecdotally believe there’s a better experience today but would probably pay attention to GPU and wifi hardware.

Install is a breeze, probably one of the better install experiences out there. The port system was very easy to use to install 3rd party apps. Also pretty easy to build most things from source or modify for its particular differences.

The community around source contribution takes a little adjustment since there is a real focus on the OS design goals and less so on specific edge cases. Contributing to ports is a little more accessible.

I used FreeBSD around the same time with a similar experience. A little larger of a community there, though I found OpenBSD’s contributors to be highly engaged and accessible.


> What has been your experience with OpenBSD?

Really forces me to think about what I want versus need out of a computer.

> pros & cons

+ Comes with everything for a home lab: packet filter, DHCP server, FTP, and web server.

+ Bundled with C compiler and perl in base.

- Limited drawing tablet support.

> What laptop

Any model with a successful installation blog post will do.

> OpenBSD over Trisquel

With two cheaper machines for the price of one, one could run both operating systems. Then you can learn kernel compile, static IP, SSH, and practice sysadmin tasks (backups, cron, OS internals) from both perspectives.


> Really forces me to think about what I want versus need out of a computer.

That is pretty spot on. I really enjoy using OpenBSD, the base OS is well documented and consistent, to a degree where Linux is just left behind to an embarrassing degree. Then there are things you just can't do, unless you feel like porting a bunch of stuff.

I like having VSCode available, but I'm not in a position to start porting it to OpenBSD. I'm also currently toying around with some C# and again, I'm not porting dotnet to OpenBSD.

Then again, do I NEED these things? I can use Vim just fine and Go is a nice language which for my use case can stand in for C#. Do I need Docker... I suppose not, it's just nice to have.

You're making some interesting tradeoffs with OpenBSD. You get a better Unix, a more consistent Unix experience and really good built-in tools, but if they can't support your workflow it really doesn't work.


You might be able to make it work with https://github.com/muhammadsammy/free-vscode-csharp

.NET itself also supports FreeBSD and is distributed here https://www.freshports.org/lang/dotnet I assume this is compatible with OpenBSD? If not, please let me know.


OpenBSD and FreeBSD aren't compatible with each other. Having FreeBSD would certainly make porting simpler, as the two are more alike than, say, Linux and OpenBSD, or Windows and OpenBSD.

If you browse through the dotnet runtime code, you'll see that all the supported operating systems have code added to specifically support them. It's not much different than Java: the compiler targets an intermediate platform (JVM for Java, CIL for C#/F#/VB.Net). The runtime needs to be ported, and there's operating system specific code in the source for the runtime for all the supported operating systems.


Isn't VSCode an Electron app? Do those not work on BSD?


There's still a bit of porting to be done, it's not all JavaScript (and sometimes the JavaScript needs a bit of love as well).

You can see the patches for FreeBSD: https://cgit.freebsd.org/ports/commit/?id=25eaa50554b9630168...


Auditing Electron alone is a nightmare no one wants to face; in terms of safety it's a simple no-go. A monster.


Ports aren't audited, but no, it wouldn't make it into base, though ease of auditing is probably not the reason why that won't happen.


Did they audit Firefox?


Seems it's a very stripped version I suppose, but do not know, and yes it would be no less a nightmare, but a single nightmare is still easier than many.


I run OpenBSD on an ancient laptop that I use to play videos. In about 7 years, I have had no bad experiences with it. Upgrading from release to release has been painless, hardware support is fine. Playing HD videos is out of the question, but the laptop is from ~2008, and it wasn't a high end model back in the day, so there is little OpenBSD can do about that.

I cannot say much about security, but in terms of reliability, I have only good things to say about the system.

EDIT: Once you connect a device to the Internet and possibly install third-party software on it, your own expertise is likely to have a bigger impact on security than the underlying system. I am not recommending to NOT use OpenBSD, but if you have no prior experience with it, you might have a better experience using what you know.


My sister made me install it on her Intel i3 PC one time.

The installation procedure was rather easy, I just had some hiccups when configuring stuff due to my background with Linux vs how things are done in *BSD.

But security comes at the expense of system responsiveness, so if things with an i3 processor were rather slow, all the stuff OpenBSD does to keep you secure doesn't help much in that regard. Still, I guess for more decent specs it can be much more bearable.

Another trade-off is that you're supposed to read a lot of documentation. Questioning things is discouraged because their documentation is the holy scriptures for them and everything is already answered there, from how to start X at boot to the meaning of life and the ultimate end of the universe. Not a welcoming mindset for newbies in my humble opinion, and even less so for those of us who don't speak English as our native language, but surprisingly (and funny enough) some of the *BSD people diss Linux since it's the latter that is the popular one and not them... So yeah, if you want a secure system you must devote a fair share of time to reading (technical) documentation, but surely you'll learn a thing or two.

I personally couldn't bear pkg/pkgsrc at all - I'm so used to Portage it felt so restrictive in terms of customizability. But if you come from, say, apt or rpm, it would be fine I guess. I heard even KDE is available for it so it seems they're working hard in making more software available for them.

Still it seems nothing beats OpenBSD in terms of security so it will be a great choice for you.


From what you wrote, it sounds like FreeBSD might be something you'd enjoy more. Better SMP support, ports, Linux emulation, for example.


> My sister made me install it on her Intel i3 PC one time.

Your sister sounds hot!


If what you say about the documentation is true, that's a paradise given recent LLM advances.


OpenBSD is an admirable operating system. We reported a local privilege escalation vulnerability in cron on openbsd due to a memory corruption flaw. Our research got surprisingly close to a reliable exploitation path and we opened up a contest for someone to demonstrate a working exploit, https://www.supernetworks.org/crontab-challenge


Ages ago I worked for a while on OpenBSD on an old Dell laptop. It was a very stable system, and I could not complain. As previous posts point out, it tends to have good support for old hardware. I used Firefox for browsing, and it was noticeably slower than on Linux. It really depends on what software you need for work. If you prefer a BSD, FreeBSD tends to be more desktop-ready in my experience (but probably less secure in depth).


OpenBSD is my favorite OS for desktops and network appliances. Installation is very quick and easy, and it ships with practically everything I need except a web browser.

It's probably more secure than most Linux distros and other BSDs by default, but if you're really trying to lock a system down, SELinux and cgroups are probably more securable.

Those important tools you use may or may not run. Games almost certainly won't work unless they're open source. You probably don't want to use OpenBSD for anything that would benefit from the latest GPU drivers. Sndio is pretty nice for networked audio. If you use VMs heavily, you'd be better off with linux or another BSD.

Bluetooth isn't supported. Most modern hardware works unless it's brand new or obscure, but some peripherals may not be fully supported and battery life is probably worse than Linux but is usually comparable to or better than other BSDs. I'd prefer intel for laptops because the graphics and wireless are very well supported.


1. I love OpenBSD, I mostly use it for servers. I tried on Desktop, but since I was using CLion a lot at the time, the experience didn't work out (CLion uses a bundled native executable which didn't work). If you use a lot of open source software, then I'd expect the experience to be better

2. Pros: Secure, clear documentation and straight forward to configure, quality tools made by the project- pf is fantastic (I use authpf a lot too). The packages tend to have what you need included (php, etc.) When you get something set up it tends to keep running well for a long time.

Cons: If the package isn't well maintained, then it will eventually be removed, so there are some packages missing, but usually you can just compile it yourself. It also means the packages that exist tend to be maintained well and are secure.

3. Not sure on this, but one thing to check is the WiFi card. I tried with an older ThinkPad, and some of the ThinkPads have compatible Wifi cards, and some didn't. I got one that wasn't compatible.


Have you used it for authentication-type stuff, and/or can recommend anything in that direction?

I'm trying to build a homelab to learn from, and I was curious about using it for something security related like auth/IAM stuff.

Like a touch of spice to enhance the flavour profile of an otherwise Linux-heavy dish!


Security and usability are in direct opposition to one another. Maximising either will tend to minimise the other. Given you've never used BSD, I'd expect you to have a bad time using OpenBSD as a desktop system.

Suggest using Debian and accepting that internet connected computers are not secure against hacking or spyware, however you try to set them up.


1. What has been your experience with OpenBSD?

Tried it. Messed around with it for a few projects at home, looked at it as a Key Mgmt solution. Seems okay, but nothing that I couldn't do with some flavor of Linux, or FreeBSD. This was ~4 years ago? Maybe there have been changes

2. What are the pros & cons of using Open BSD?

It's secure. That's about it, mostly. While I'm sure it's more secure at a microcode level, I'm not sure that, in a practical sense, it's more secure than a hardened Linux install.

It wasn't hard to get it running, but not easy out of the box like Linux.

3. What laptop would run OpenBSD best? (I am looking at the Razer Blade)

I would not put it on a laptop; I'd consider QubesOS before OpenBSD, as O-BSD is a server OS and it would be a pain to make laptop drivers work. Like, I haven't messed with ndiswrapper and wifi for like a decade, and have no intentions of playing those sorts of games again.


> It wasn't hard to get it running, but not easy out of the box like Linux.

We've come a long way.


Pros:

- The UNIX(TM) experience

- Better manual pages than Linux

- Excellent testing ground if you want to keep your scriptery portable

Cons:

- Binary incompatible with glibc Linux

- No driver support for my specific iwlwifi card


It should be pointed out that OpenBSD is not UNIX certified.

You might retort that I'm being pedantic, but you didn't say that it offers "the UNIX experience". You said it offers "the UNIX(TM) experience".

https://www.opengroup.org/openbrand/register/

And it isn't just that OpenBSD isn't certified. OpenBSD notes where it deviates from POSIX and UNIX standards (For example: https://man.openbsd.org/sh.1#STANDARDS, https://man.openbsd.org/awk.1#STANDARDS).

You might retort with some "well, UNIX really means..." argument, but that's likely to come down to things like "I prefer or am more accustomed to where OpenBSD puts things or how its package management works or the way it does configuration." And that's fine. Arguing that a system has made better choices (or choices that work better for you) is wonderful.

macOS is actually UNIX® - but I don't think that what you're trying to get at is whether something is actually offering the UNIX experience. You're probably trying to get at something else - maybe a sense that there are fewer layers of indirection for things like how programs are actually installed and configured, or a simpler, more standard layout across programs for things like configuration. But calling that the UNIX experience probably isn't the right way of phrasing it, especially if you're going to put a trademark symbol in there.


I would argue that macOS (since NextStep) is trying to bring unix pipes to gui via 'Services'. Unfortunately there is no integration with Spotlight (which would make apps like Quicksilver or Alfred obsolete).


What is your interpretation of a "Secure OS"? Trisquel isn't a hardened distro, so it isn't going to give you any more security out of the box than a minimal Ubuntu install - just a more restricted package selection.

What are your specific application requirements? OpenBSD is a BSD, not a linux, so you aren't going to have access to the benefits of the linux kernel - specifically hardware support.

You mention the device you are thinking of is a Razer Blade - which is chock full of hardware with closed BIOS and that will require 3rd party drivers. It's not exactly a libre device. The availability of some of that on Linux may be limited, and may not exist in many cases on OpenBSD.

Maybe your question would be better posed by describing your requirements - what hardware and software you need/want/would like to use - then people may be able to advise based on that.


I was thinking of doing something similar. But I was thinking of starting on a virtual machine or shell account before trying to install on real hardware. I don't know much about OpenBSD but my guess is that finding a laptop that runs OpenBSD flawlessly is not easy. So odds are you're going to be spending a lot of time troubleshooting and debugging. If that's ok with you, then that's great.

ThinkPads might be your best bet. Someone here has cataloged their experience with OpenBSD on laptops: https://jcs.org/openbsd-laptops


I agree with others that you are expected to read documentation and use it on supported hardware. I have been using it on my laptop for some time now, though I don't need bluetooth nor do I suspend/resume much, and I don't know about battery life. I guess I use it mostly like a desktop.

About the security, which is my main reason for using it: I like having to install the things I really want, which gives me a chance to consider the security implications of them, instead of having many things pre-installed and I don't know what the total risks are. And nothing else I know of has gone since ~1996 with only 2 of the worst kind of security holes (i.e., remote exploit of something I didn't even need, but was installed by default).

In the base install are many useful things (including a web server IIRC, though the port is not exposed by default), and those are audited and have that excellent track record.

Then when you install extra things, they are usually limited by what user they run as, and usually have pledge/unveil run (limiting access to predetermined/approved syscalls and parts of the file system) so they can't break other things if compromised.

I do change my default umask (/etc/profile, sourced by shell startup files for all users) to 0077, which means putting the pkg_add command inside a script ("pa") that first sets it back to 0022 temporarily.

Also, for finding packages to install, doing pkg_add pkglocate, then using pkglocate -i, or pkg_add portslist then just searching the whole list with things like less /usr/local/share/ports-INDEX or less /usr/local/share/sqlports-list can be useful. There are very many packages available (over 12k on the amd64 platform).


I don’t like missing 3D GPU drivers, and missing .NET runtime. If it had these two things I would try OpenBSD for embedded use cases, instead of Debian or Alpine Linux.

Linux GPU story is not stellar but for embedded applications it’s not too bad; KMS, DRM, and GL or GLES library stack worked amazingly well for me.


Bad if you have Nvidia, but works OK with Intel and AMD even for new hardware.


Last time I did embedded Linux software professionally I had ARM Mali Midgard GPU in the target chip, and consumed GLES 3.1 GPU API.


I think it’s great for a home router and firewall. I wouldn’t recommend it for commercial use if you maintain a lot of firewalls for customers which is a mistake I made with it. They kept making breaking changes to the pf.conf syntax, so entire books, countless write ups etc on pf would become obsolete. This is in accordance with their BDFL’s philosophy that breaking changes are a good thing because then you’re “in a better place”.

What is really, really nice about OpenBSD is running ‘ps -ax’ on a fresh install. You get about 10 processes, each of which has an obvious responsibility. You can actually understand everything your OS is doing. Try that on Ubuntu, Windows, macOS.


> What has been your experience with OpenBSD?

Limited, tried it a few times in a decade or so, used it as a custom router for some years, then gave up on it for NixOS to have easy replication and much fewer hw issues.

> What are the pros & cons of using Open BSD?

IMVHO simplicity is a pro, documentation is pretty well done, however hw support is limited and package availability is not that great. Being binary-centered instead of source-centered like FreeBSD, it's easier to maintain as long as you do not need much current software or non-official packages. The biggest con for me is that, like most systems even today, it's not declarative.

> What laptop would run OpenBSD best?

I suggest only desktop hw, especially if you care about battery life.

> Was choosing OpenBSD over Trisquel (Trisquel is Stallman endorsed) a better choice for someone who is concerned about privacy & security?

IMVHO if you want something free in the GNU sense try Guix System, it's too much (IMO) focused on HPC instead of the desktop, but it's by far more rich, modern and has very good docs as well. Once you've tried a declarative system you'll not go back to anything else.

About your requirements:

- security :: OpenBSD is very attentive, but its community is way too small to keep up, so while formally "more secure" and "more audited" than any GNU/Linux distro, I do not consider it much more "secure by default", and I do not consider "security-centered" distros more secure than mainstream ones... In general anything sold as secure turns out to be much less secure than most everything else;

- usability :: as an embedded system OpenBSD is usable as long as the hw you have is supported, as a desktop well... IMO not much these days. Desktop needs vary much but...

- availability of important tools I use :: small community, fewer packages, as always. Guix has much more and can import NixOS packages (derivations), which are, along with the Arch AUR, the biggest repo existing today, but that does not mean much; it depends on which tools you use. Individual packages might have been there, community supported, for years or not.


The filesystem is much slower than other OSes ; how much this matters depends on your usage patterns.

OpenBSD is very well documented and if you are focused on security research or development it can be a good choice.


I use OpenBSD as my daily driver and develop software in Go. I use DWM + tmux + nvi + git.

Pros:

    - no-bullshit OS
    - very clean, you know what is where and why
    - distraction-free
    - proactive security approach
Cons:

    - slow if you use heavy software like Chrome
Potential deal breakers you should know about:

    - WebAssembly is turned off by default for security reasons (logging in to Hetzner or Synology, using Google Docs is a problem)
    - watching videos in the browser does not feel great
I conclude that it is great for (my) work and encourages you to be minimalistic.


Why does Hetzner login require WebAssembly???


I can not tell for sure, but one of the “are you a robot” checks fails with the default OpenBSD Chrome settings.


Wild.


> might be the most secure OS.

What are you planning to use it for (laptop suggests possibly a workstation?)

And what is your threat model? Who is the most likely attacker - govt? Crypto theft? Supply chain?


> I did some rudimentary research and came to the opinion that OpenBSD might be the most secure OS.

What's your threat model that a vanilla Fedora or Ubuntu install isn't secure?


It has become very clear that all of the major operating systems are just blatantly pre-loaded with spyware (macOS, Ubuntu, Microsoft, et al.)

I don't want to predict my enemy. I just want a secure OS.


1. Very easy to install and use, it is very well built.

2. Pro: Only two remote holes in the default install, in a heck of a long time! Con: Less (pre-built) software than linuxes.

3. Something cheaper than a Razer-Blade.

4. You have not stated your requirements other than 'security', which if you demand no more than two remote holes in a very long time, then OpenBSD it is. If 'security' means something other than that you might want to go with a different OS.


OpenBSD at the Edge. FreeBSD on the internal servers. FreeBSD or Linux as a daily-driver. (I can't settle)

You are trying to decide what-OS to base your work on. That depends on what your work is. If you are looking for cutting-edge? Go with Linux. If you are looking for a 'whole-system' approach? {Open|Free}BSD

I'd say we need more details if you want a better answer.


If you need security, you should consider a security oriented OS: https://qubes-os.org.

See also: https://forum.qubes-os.org/t/qubesos-vs-openbsd-security/790...


If your hardware supports OpenBSD, go for it. Basically what you're looking for is a minimal host fingerprint with VM or dockerized applications to work in. OpenBSD has a relatively small fingerprint, with under 100 built-in binaries.

Ref: https://jcs.org/openbsd-laptops


My experience is you have to be committed to make it a daily driver.

- bsd is good enough for servers

- mainstream Linux is good enough for desktops

- forget about OSS laptops unless it’s a 15-year-old ThinkPad


Why not FreeBSD? It has very useful ports.


Manual pages are very high quality. Everything's in a single greppable monorepo. Surprisingly good as a router (pf, openbgpd, rpki-client). Filesystem (FFS2) is a bit inflexible compared to ZFS/btrfs/etc.


BSDs are a no brainer if it's up your alley to use.

It was good luck to be exposed to BSD in school.



