Monthly Archives: November 2007

OpenBSD vs. Linux

I still haven't tried other BSDs. Why, you may ask, did I start with OpenBSD? It all started with the problem that I had an old Fedora Core 4 which was really unstable (kernel panics). I then installed OpenBSD back in July 2007. The interesting result was: although I did not know much about OpenBSD, I got it working AND it just ran. It felt like every day it looked the same. One of the core principles of OpenBSD is to install fewer packages and to have these secure. Fedora OTOH installs quite a lot and rather suggests graphical administration (classical Red Hat style). Also Fedora suggests never upgrading a release but always reinstalling from scratch. For my usage this just wasn't useful. The only way would have been to make a partition for the data (it should be a Samba server) and then always erase all system settings. But still – system settings are essential. So from my perspective an OS that suggests always reinstalling from scratch cannot be taken seriously.

My alternatives were either other BSDs or Debian. Why not Debian? Because Debian is always outdated. So I would have to live with outdated software for many years. As even software like Samba is evolving quickly, I don't want to miss additional features. Why not other BSDs?

  1. OpenBSD has a good reputation in security.
  2. FreeBSD is the BSD that is most similar to Linux – and also has some hype – but as I want something different I don't want a big thing but something small.
  3. OpenBSD is rather aggressive when it comes to demanding open source driver support from hardware vendors.

Although Theo de Raadt seems to be somebody who knows how to make himself enemies, I like that he speaks up and has an opinion. I am a Linux guy, I like/prefer the GPL, but I respect the work of OpenBSD and think they did some great work. In September I had the possibility to chat a bit (just too short) with an OpenBSD guy (Bernd Ahlers) at our Linux day in Kiel, which I helped to organize.
In fact the OpenBSD people said they would come to Kiel in the same week I was considering it. So this was one of the reasons I said: OK, if they come I'll try it and maybe have the chance to ask some questions.
I did not have the chance to discuss it really, because I was too involved in helping with the event. And also I did not have many questions, as OpenBSD just did what I expected.

Tomorrow I am going to install OpenBSD for the first time for a customer, where it shall also replace a Fedora system. Same background: the hard disk is full – but should I install Fedora again? If you go to a Fedora channel and ask about FC 4 or 5, people just laugh at you. So on systems that should run for a longer time without frequent upgrades it's much nicer to have a system which you can fix with the help of the distribution. I don't particularly like compiling from source. But OpenBSD gives me ports that it has copied from FreeBSD.

I have also had some experience with Gentoo, but my impression is that it's not really taking care of packages. The worst thing they did was to mask fastcgi and suggest fcgi. For somebody who is only a part-time Gentoo user this resulted in some time offline. I really expected that fcgi would work just the same with my setup (small fastcgi processes of my moin wiki that Apache connects to), but fcgi does not support that, or at least must have a totally different syntax. I don't accept any drastic changes from one day to the next that require me to make decisions or to learn how not to do what Gentoo suggests – I rather like to trust a distribution to know better than me that something is better AND compatible. So Gentoo for a server was a no-go for me, too.

So far I could deal OK with OpenBSD. I have asked some questions on #openbsd and so far found them always helpful. They are not guys who will always answer your question like you expect – rather they sometimes tell you that you don't want to do something if you are asking such stupid questions. But this is OK, because then I don't end up with a system state that I can't handle. If you are reading this because you are thinking about whether you want to use OpenBSD, I would say: if you come from Windows, OpenBSD might be too different maybe – but if you are an administrator who is willing to learn and looks for a system that is easy to maintain (easy not in the sense of comfortable but in the sense of: you can maintain what you want without a lot of compromises) then OpenBSD might be for you. If you come from Linux I suggest you try to forget most of what you learned. Although the principles are the same, OpenBSD doesn't use systems like the System V init scripts. After you have installed a server package you will have to add start commands to /etc/rc.local. That's not that hard. Mostly OpenBSD packages tell you what you can use after installation, or you find that in /usr/local/share/doc/*. If you know about scripting this isn't a problem anyway. So the startup process in OpenBSD tends to be simpler, as System V scripts tend to be rather complex.
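What such an /etc/rc.local addition looks like in practice, as an added example that is not from the original post and not from OpenBSD's own rc files. It follows the pattern the package READMEs of that time asked you to paste into rc.local (test that the binary is executable, print its name on the boot console, start it), wrapped in a small function so it can be exercised with a constructed stand-in daemon. The smbd/nmbd paths in the comment are assumed.

```shell
#!/bin/sh
# rc.local-style daemon start. Added example, not from the post or from
# OpenBSD's own rc files; it follows the pattern the package READMEs of that
# era asked you to paste into /etc/rc.local: check that the binary is
# executable, print the daemon's name on the boot console, then start it.

# start_daemon PATH [ARGS...]: start PATH with ARGS if it is executable.
# Returns 0 when started, 1 when skipped, so a removed package does not
# abort the rest of rc.local.
start_daemon() {
    _daemon=$1; shift
    if [ -x "$_daemon" ]; then
        printf ' %s' "${_daemon##*/}"   # same effect as echo -n ' smbd' in rc
        "$_daemon" "$@"
        return 0
    fi
    return 1
}

# In /etc/rc.local the calls would name the real binaries, e.g. (paths
# assumed, following the Samba package's conventions of the time):
#   start_daemon /usr/local/libexec/smbd -D
#   start_daemon /usr/local/libexec/nmbd -D
#
# Below, a constructed stand-in daemon lets the block run on any machine.
demo_dir=$(mktemp -d)
cat > "$demo_dir/smbd" <<EOF
#!/bin/sh
echo "fake smbd started with: \$*" > "$demo_dir/started"
EOF
chmod +x "$demo_dir/smbd"

# started_ok: 0 if the stand-in recorded its start together with the -D flag
started_ok() {
    grep -q -- '-D' "$demo_dir/started"
}

printf 'starting'
start_daemon "$demo_dir/smbd" -D
start_daemon "$demo_dir/nmbd" -D || printf ' (nmbd not installed, skipped)'
echo '.'
```

The guard matters on a box where a package was removed but rc.local was not edited: without it, rc.local fails at the missing binary and everything listed after it stays down.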

Another priority is to have 100% of the system documented with manuals (man command). This is very nice if you don't have an internet connection – then OpenBSD offers you all the information you need to fix a problem. Many Linux distributions don't have that. Debian has extensive docs – but more often in /usr/share/doc/* – and also Debian packages often are very different – so let's say the postfix maintainer and the exim maintainer (both MTAs) make very distinct packages and ask different questions. On OpenBSD it's rather that all packages are installed in more or less the same way BUT you can expect that every command has a manual.

For desktop systems that is not always needed, also because many graphical apps can't be documented fully with text alone. But still I have found this "feature" EXTREMELY helpful for administering. And I know if I am alone at my customer's and don't have the possibility to do extensive internet research, I will be able to find all I might want to know inside the system I am working on. Fedora for instance is rather bad in that respect.

So to summarize, OpenBSD looks very clean. I have encountered some problems with the ports. Some seem to have a dependency problem (like Moin and Python). Not sure why that is the case. Either I did something wrong or OpenBSD needs to work on that part. OpenBSD is not something that "just works" – so if I need to tweak this and that it's OK, as long as the things I depend on (the core OS) work as expected. I was able to upgrade my newest install from 4.2 to -current. I needed to compile "userland" and a new kernel, which took about 2 1/2 hours on a 2 GHz system. Well, in fact I think I should have only needed to update 3 packages, but I found that out too late, and I was also interested in how long all this would take.

I was happy to see that all I learned on Linux was not for nothing; in fact I was able to do some things differently because I knew what the documentation tried to suggest and how to make it quicker or better. In some situations I still rather like to follow the docs word by word.

I expect this new installation to be much more stable and clean than the Fedora system. We often had some problems with Samba. In my own trials with OpenBSD my Samba access was 4 to 5 times more stable and felt more solid. I don't have any stats, but that's what I have experienced.

What next? Next I'd like to try out Minix and NetBSD. Minix because it should boot a lot faster. I will watch how the package progress is going. For now I stick with Foresight, also because its package manager is really cool. With the Conary package manager you can go to an unstable system and then back. Don't try that at home with any other Unix/Linux besides rPath! NetBSD I'd like to try to see where it differs from OpenBSD and how it "feels".


Filed under Free Software, Linux, OpenBSD, Technology

OpenBSD security on the flow…

People who read this blog know I somehow like OpenBSD for some reasons. One passage in the FAQ I just read struck me, as it's what I also think:

In fact, as our hope is to continually improve OpenBSD, the goal is that -current should be more reliable, more secure, and of course, have greater features than -stable. Put bluntly, the “best” version of OpenBSD is -current.

That's what I always thought is where Debian sucks. They have software which is many years old in the stable branch. They try to fix some security issues with bug fixes – but the fact is that many early versions of software are broken by design and that very often newer software is better. It's not always a real security hole – sometimes early releases don't require or provide some level of security – so to think that old software which has no reported bugs or holes is better than a new one is just false and also dangerous. Old software enables hackers to work for years to discover vulnerabilities, which is much harder on moving targets.

And about security in general: statistics sometimes can help – but in the end it all must come down to very practical issues. Like – some people think it's necessary to run a full-scale firewall on every webserver. This might make sense on some installations – but often this is overkill. And some measures, like prohibiting password access via SSH, are much more important than blocking all but a few TCP/UDP ports. Security is a very relative term. On one hand you can make your systems infinitely insecure, even with the most secure OS – and OTOH you can invest endless time to make your system still more secure. I would vote for "practical security" – which means that your system should be a bit more secure than you actually need. And it also should depend on how much money you've got. So security is not only about how much YOU should do to your system, but also – if you have a cash cow web server – please pay some good people to take care that it's secure. Think about how bad it is if you lose data. If it's not bad at all you don't need to do much – mostly you want to make sure that your mail servers are not abused by spammers and it's not easy to access your system. So please beware of this situation:

  1. All users (also mail users) are system users (this alone is not fatal, but…)
  2. They can change their own passwords and…
  3. They have SSH access

This would mean that simple user names like "john" could give access with password "1234". And then some very simple SSH hacking gets onto your box. And then you'd better have a really secure system, because if this happens a hacker has every possibility to work on the vulnerabilities. This may sound silly to some people, but I think that those things are probably more widespread and more problematic than if your ImageMagick is slightly outdated. Not to suggest you shouldn't update ImageMagick, but some scenarios are more likely than others and should be looked at more closely.
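A way to check a box for exactly this situation, as an added example that is not from the original post and not from OpenBSD. It reads sshd_config the way sshd does for the keywords that matter here (first occurrence wins, comments ignored) and reports the weak settings; the two configs inside it are constructed, and the defaults assumed for absent keywords are the OpenSSH defaults of that era (PasswordAuthentication yes, ChallengeResponseAuthentication yes, PermitRootLogin yes).

```shell
#!/bin/sh
# Audit an sshd_config for the "any system account with a weak password gets
# a shell" situation described above. Added example, not from the post or
# from OpenBSD. It assumes the standard OpenSSH keywords and the OpenSSH
# defaults of that era when a keyword is absent (PasswordAuthentication yes,
# ChallengeResponseAuthentication yes, PermitRootLogin yes). Both configs
# below are constructed for the demonstration.

WEAK_CONFIG='# as installed: mail users are system users with ssh access
Port 22
PasswordAuthentication yes
PermitRootLogin yes
Subsystem sftp /usr/libexec/sftp-server
'

HARDENED_CONFIG='# key-only logins, and only for members of one group
Port 22
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
PermitRootLogin no
AllowGroups sshusers
Subsystem sftp /usr/libexec/sftp-server
'

# sshd_opt KEYWORD [DEFAULT]: effective value of KEYWORD in the config read
# from stdin. sshd takes the first occurrence of a keyword; comment lines are
# skipped; an absent keyword yields DEFAULT. Match blocks and the
# "Keyword=value" spelling are not handled.
sshd_opt() {
    _val=$(awk -v k="$1" '$1 !~ /^#/ && tolower($1) == tolower(k) { print $2; exit }')
    echo "${_val:-$2}"
}

# cfg_opt CONFIG_TEXT KEYWORD [DEFAULT]: sshd_opt over an in-memory config
cfg_opt() {
    printf '%s\n' "$1" | sshd_opt "$2" "$3"
}

# audit_sshd CONFIG_TEXT: one line per finding, nothing when clean
audit_sshd() {
    if [ "$(cfg_opt "$1" PasswordAuthentication yes)" = yes ]; then
        echo 'PasswordAuthentication yes: a guessable password alone gives a shell'
    fi
    if [ "$(cfg_opt "$1" ChallengeResponseAuthentication yes)" = yes ]; then
        echo 'ChallengeResponseAuthentication yes: password prompts still arrive via keyboard-interactive'
    fi
    if [ "$(cfg_opt "$1" PermitRootLogin yes)" != no ]; then
        echo 'PermitRootLogin not "no": root is the first account an attacker brute-forces'
    fi
    if [ -z "$(cfg_opt "$1" AllowUsers)" ] && [ -z "$(cfg_opt "$1" AllowGroups)" ]; then
        echo 'no AllowUsers/AllowGroups: every system account, mail users included, may log in'
    fi
}

# count_findings CONFIG_TEXT: number of findings as a plain integer
count_findings() {
    audit_sshd "$1" | awk 'END { print NR }'
}

# Usage; for a live system: audit_sshd "$(cat /etc/ssh/sshd_config)"
echo '== weak config ==';     audit_sshd "$WEAK_CONFIG"
echo '== hardened config =='; audit_sshd "$HARDENED_CONFIG"
```

The ChallengeResponseAuthentication check is the one people forget: with PasswordAuthentication off but keyboard-interactive still on, the same "1234" gets accepted through the bsdauth/PAM prompt. AllowGroups keeps the mail accounts as system users (the post's point 1) while taking away point 3, their SSH access. On newer OpenSSH, feed the audit `sshd -T` output instead of the raw file, since that already resolves defaults and Match blocks.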


Filed under Free Software, OpenBSD, Technology

Google's phone will be THE killer

Why do I think that? Because only Google has the power to integrate all their internet services (Mail, Google Maps+GPS, …). The only other company who could do that with such a large user base would be AOL – but they lack a lot of the services. So what Google will do is deliver instant information on what people might be looking for – for example, they take a photo of a church with their mobile phone and get every piece of information about it, including nearby restaurants.
It is clear to those who can add one and one that no phone company can ever compete with Google. This may sound a bit strange to some people, because they think Apple's iPhone looks cool or that there are really large phone companies. But the thing is – they all don't have anything new to give. Only Apple is trying to bring some new uses and functionality to the user – but still they don't yet have a large user base. Google just has all the possibilities in its hands to roll up the mobile market.

OTOH – do we really want Google to be in control of yet another sector? I think not, as long as Google's policy is so obscure and not open. We need more guarantees that our information will be kept secret and is not used for unwanted purposes!


Filed under Linux, Technology