This points out something we forget at times: being a fan of a thing shouldn't mean we have to suffer for it.
NetBSD doesn't have GPU compute capabilities, plus browser DRM is a PITA, so I run macOS, too. If I have to choose between not doing a thing at all and doing it in a less enjoyable environment, it's only my own foot that suffers were I to choose not doing it at all.
What really matters here is that systems shouldn't crash or panic at all, ever, or if they do, the filesystems used shouldn't lose data or otherwise become corrupt. We left the lack of memory protection in the '80s (some of us the '90s), so there's no excuse if the hardware isn't faulty.
So I have to wonder why the OpenBSD folks, who prioritize security over speed, for example, wouldn't prioritize stability over everything except possibly security (I'd rather a panic than a compromise) and spend some energy looking in to these issues and fix them?
Why wouldn't any filesystem corruption (which could have security implications if the corruption can be controlled) and/or data loss be considered a sign of other deep issues and be made a high priority at OpenBSD?
Perhaps Solène's writeup will be a good wake-up call for the OpenBSD people.
I suspect a lot just comes down to manpower... While extremely important the FS currently works "good" enough (although there were/are efforts to port HAMMER2).
But I share the frustrations, all these little papercuts really add up and I only use OpenBSD in server settings nowadays
Good enough? As far as I could gather, they never implemented FFS/UFS journaling and removed support for soft updates. If that’s incorrect, I apologize for this comment.
So, they basically have a filesystem that operates like it did in the ninetees, unclean shutdown and you have to go through a full fsck and hope for the best. Most people who used some Unix before journaling would never want to go back.
Sorry to see Solène Rapenne move on, I wish her success going forward. She has been a great asset to the OpenBSD team. But glad she will still try and help them out a bit.
But in a way she has a point :( Just a few weeks ago I had a panic with 7.6 and half my files in /home disappeared. In the past I never lost data on an fsck, plus I never had a panic in many years. But glad I clone /home to another device daily :)
But I still will use OpenBSD for testing items I develop on Linux. It is a great help finding issues where Linux will ignore some bugs I insert.
> flatpak: I really like software distribution done with flatpak, packages are all running in their own namespace, they can't access all the file system, you can roll back to a previous version, and do some interesting stuff
As of today flatpak still has holes you can drive a truck through.
Could you link some related Flatpak issues where this happens? I've been under the impression that security under bwrap could be relatively acceptable and mostly the same as running containers (aside from all the portals).
I haven't been using Flatpak, but was recently thinking about it.
I still don't understand the slapdash approach the desktop Linux crowd took, Qubes is a much better approach. Such unprofessional software engineering pervades FLOSS with the worn and tired "but it's a hobby project" when it's a core dependency necessary for international corporate, government, and military strategic systems. (I also don't understand the lack of appropriate support for critical projects either, but it makes sense because of decline, entitlement, corruption, and greed.)
I had to shout and scream at docker early on for container image integrity, but that fell on deaf ears. Heck, Python even threw away GPG to roll their own sketchy setup and Ruby doesn't even care about package integrity or supply chain attacks.
flatpack for isolation is a joke. All the file duplication, none of the security. Not to mention nothing that depends on camera, screen cap, etc will ever get close to working.
Just accepting there's no easy solution, and do aparmour+firejail. It's awful user experience, but at least only once per application. Then it is perfect. There should be a distro like qubes but where everything must have either a firejail profile or a hardened systemd unit file (which is the worse designed/documented thing in the universe, taking the place of X11). That would be the ideal world.
To be hones I appreciate flatpak for software distribution. Afaik (correct me if I’m wrong) some degree of security is implemented through selinux (i’m on fedora).
Yes, you are technically right, but you are wrong only in the sense that most packs either do not ship with a selinux policy or ship with some just-added-whatever policy.
> I appreciate flatpak for software distribution
Flatpack is for distributors. Not end users or for the benefit of the end system running them. There are already too much written about this. The lax state of selinux policies is also a result of this focus.
Makes sense. I've always assumed that OpenBSD has a very narrow use case anyway. I love it for a network firewall because the configuration files are sane and easy to understand (stares at systemd networkd). I set it and forget it.
it is easier to setup a openbsd vm and have it handle all the network routing and wireguard stuff, than it is to simply disable the unrequested zeroconf stuff included in systemd-networkd/resolvd.
I personally think systemd, which I despise, won and effort would be better allocated trying to improve it (e.g. ripping the zero conf stuff from it to begin with)
Journaling filesystems have been around for decades now; I don't think I've had a data loss incident since I stopped using Windows 98? I know it's volunteer driven but it seems like working on data integrity might be more of a benefit for security than some of the gimmicks like TRAPSLED.
OpenBSD had Soft Updates, which isn't really journaling but sort of similar. It was suppose to help with with file system integrity, in the case of crashes. OpenBSD removed it last year because it got in the way of VFS updates, and was hard for the team to maintain[1].
I love OpenBSD, but it really does need a modern filesystem. The current team might be to small or just not have the right people to do a new filesystem. HammerFS2 could maybe be ported (and one has to wonder if that's not one of the thing that would requires VFS layer updates). Much of the current work on filesystems are being poured into GPL licensed code or ZFS, which also have an unfortunate license, so OpenBSD either has to borrow HammerFS, or do their own thing, which they probably don't have the resources for.
BSDs bet on permissive license hoping companies would drop code on them. Turned out companies were either using linux or dumping abandoned code as GPL to strategically keep out of competitors.
BSD licenses were a thing before GPL lost the final battle, when linus accepted the tainted-kernel compromise. Now it's a relic of a bygone time, which show allegiance to a side on a war that no longer matters.
The journal does what it's supposed to, doesn't it? I.e: keep the file system from breaking on panics, or power loss. Sure it doesn't protect you against a corruption bug in LVM et al., but that doesn't make it useless.
Yes, if you search for people trying to mount a LUKS volume image readonly to then try (somewhat successfully in my case) to get data from the journal or run destructive fsck operations, you will find lots and lots of examples.
> If you have SSD->LUKS->GPT->LVM->Ext4, then a bug on any of the (newer, buggier) components before your journaled FS means you lost data
And yet it's never happened to me. Dozens upon dozens of systems. Linux or Windows or Mac for that matter.
I've toted around a laptop with whole disk encryption for > 15 years and never lost data. Not once.
I have, however, lost data to major FS corruption on an OpenBSD system with no encryption whatsoever. Still using ancient MBR and legacy boot because, well, OpenBSD.
It seems her biggest issue by far is bad VM hosting, followed by the filesystem (the latter being possibly an hardware compat issue). Everything else seems tertiary or downstream from the big one.
Better VM hosting would enable a big usecase directly, enable the software separation she likes, ameliorate a good part of the battery issues (as that's what she often uses the OS for), and with passthrough maybe even help work around the other hw support issues.
Given how critical virtualization is to security anyway, it sounds like a topical thing for OpenBSD folks to put directly into the OS (a la bhyve).
I keep a special laptop for all financial stuff. It is not that expensive and the inconvenience is limited. And on it I have CubesOS, but I guess OpenBSD would also be a good choice.
> I need to experiment and learn with a lot of stuff, this includes OCI containers
OK understandable ofc.
> Running virtual machines on OpenBSD is really limited, running programs headless with one core and poor performance is not a good incentive to work at staying sharp.
Can someone explain this a bit more? I mean: I also run both VMs and OCI containers (well, Docker really atm) but what's that about "headless with one core" OpenBSD thing?
OpenBSD can run a VM but it's limited to one core and there can be no GPU passthrough? Is that what she means? That she can only access the VMs through the network?
No GPU passthrough would indeed be kinda a deal breaker for me too.
> I moved from OpenBSD to Qubes OS for almost everything
(a bit of a rant but it's related to TFA from a "what a dev may need" point of view)
I like that Qubes OS focuses on security, something which, for example, Proxmox seems to have an interest approaching about zero. Sure you can contenairize and virtualize but the Proxmox host itself, the "hypervisor" has countless ports open by default "because you'll need them for insecure lots of insecure protocols here and the entire Proxmox security seems to rely on only the firewall. Firewall which, moreover, sometimes resets by itself to "ACCEPT" everything by default.
I run Proxmox on a server and I did a proof-of-concept, running Proxmox as my desktop, using GPU passthrough from a VM to my main display (requires quite a bit of setup and settings and may or may not work on some hardware, but it's darn sweet when it works: one GPU for the host, one GPU for the guest(s)). It works. I know some are using that setup (including some Proxmox devs) on their workstation. But, sheesh, does the Proxmox team seem to care more about a shiny UI than security.
So, basically to be too far from TFA: leaving OpenBSD (considered to be ultra secure) for QubeOS... Does QubeOS really deliver more on security compared to another efficient alternative, like Proxmox? (don't get me wrong: I know that QubeOS is meant to be a desktop, which Proxmox not so much... I just wonder if QubeOS is really secure compared to OpenBSD).
In this day and age of AI models (for those who want to run some locally) requiring fat GPUs and lots of configuration on the software side and with the pace at which new models are coming out, I think nothing beats an hypervisor and VMs using GPU(s) passthrough. This way you can quickly test new models, install tens of them, backup working VMs or containers, etc.
I can see how OpenBSD is negatively affected by that: a 4090 or 5090 (or two in the same machine FWIW: a friend of mine runs just that, two 4090 using GPU passthrough) is quite something. The world, atm, shifted towards GPU. That's why NVidia is enjoying such a market cap.
Although Bluetooth and gamepad do not matter, it looks like OpenBSD may be missing something here if the GPU and GPU passthrough story is subpar.
In a "the world is moving" way.
At least in my case, after reading a TFA like this, I don't see why I'd run OpenBSD... Except as a firewall in front of my Proxmox machines (which badly need that) ; )
P.S: don't mistake this rant for me not loving Proxmox. It's just that I wished they cared less about "shiny" and "convenience" and more about not opening every single port and service under the sun on the host. Something which QubeOS may be better at.
Something like 99% of the use cases I've seen for OpenBSD are servers that have no keyboard, mouse, video, audio or other plugged into them. It's completely unsurprising that bluetooth and gamepad support isn't a priority.
> It's completely unsurprising that bluetooth and gamepad support isn't a priority.
The Bluetooth stack on linux is literal code trhown away from qalcomm (or was it broadcom?) with dbus on top. But since they dumped it as GPL it won't reach BSDs.
I like Linux a lot but personally I am starting to get frustrated with rootless containers. It is frustrating one has to have higher privileges running the container to make it have its own IP address inside the container. It's frustrating you cannot have the container read and write on the filesystem as the UID running the container unless the process inside is root.
I might have a better experience with VMs but every system seems like a lot of effort to just get something running. And after that the object is not as disposable as I'd like. My favorite tool for VMs so far is Incus. I'm planning on looking into Firecracker this weekend for fun.
Unrelated, but regarding:
> I understand it can make some people angry as they have to learn how to use it.
I don't think that's a significant part of what is upsetting anyone.
And losing files after a crash is something that hasn't happened to me for at least a decade (not with NTFS,ZFS(FreeBSD),UFS2(FreeBSD), ext4 or XFS), maybe rip out soft updates was a bad idea?
I adore OpenBSD because it's so lightweight, but I dropped it for FreeBSD when the same hardware couldn't max out a 1 gigabit connection running OpenBSD but could with Free. Since then they have made network changes so I'll probably try again even though the bar's moved and now I need 2.5 gigabit connections to be saturated. Happy to give it a chance anyway.
NetBSD doesn't have GPU compute capabilities, plus browser DRM is a PITA, so I run macOS, too. If I have to choose between not doing a thing at all and doing it in a less enjoyable environment, it's only my own foot that suffers were I to choose not doing it at all.
What really matters here is that systems shouldn't crash or panic at all, ever, or if they do, the filesystems used shouldn't lose data or otherwise become corrupt. We left the lack of memory protection in the '80s (some of us the '90s), so there's no excuse if the hardware isn't faulty.
So I have to wonder why the OpenBSD folks, who prioritize security over speed, for example, wouldn't prioritize stability over everything except possibly security (I'd rather a panic than a compromise) and spend some energy looking in to these issues and fix them?
Why wouldn't any filesystem corruption (which could have security implications if the corruption can be controlled) and/or data loss be considered a sign of other deep issues and be made a high priority at OpenBSD?
Perhaps Solène's writeup will be a good wake-up call for the OpenBSD people.
reply