Why I use NetBSD

First published: February 01, 2007

Last updated: February 11, 2013



Introduction

People are often surprised to hear that somebody is using NetBSD as a desktop or server operating system on i386 hardware, like I am. NetBSD has a well-earned reputation for being the Unix that runs on anything and everything (including toasters), but this reputation has also given most people the idea that NetBSD has nothing to offer people running non-obscure hardware which is supported by more mainstream systems like FreeBSD or those based on the Linux kernel. This is unfortunate, because NetBSD has a lot to recommend it even for people who aren't running VAXen or Dreamcasts.

Here are some reasons why NetBSD is my operating system of choice.

NetBSD is small, light and simple

On the i386, NetBSD requires 4 MB of RAM and 40 MB of disk space at bare minimum. For a full installation, 8 MB of RAM and 200 MB of disk are recommended. You can download a NetBSD installer .iso with just the system, and no packages, and it's about 250 MB. In contrast, FreeBSD requires 24 MB of RAM and 150 MB of disk at bare minimum, and the no-packages .iso is about 500 MB. Ubuntu needs a minimum of 48 MB of RAM, and the smallest .iso I could find is about 700 MB.

Now, of course, I have a lot more than 8 MB of RAM and 200 MB of disk, and I can download 700 MB in an acceptable time frame. That's not the point. The point is that NetBSD does everything I want a Unix to do, and it does it using significantly fewer resources than the majority of the alternatives. This implies that the alternative operating systems either achieve the same things as NetBSD in far less efficient ways, and/or they contain a substantial amount of non-optional stuff that I don't want or need. Neither of those is a good thing. All that extra stuff constitutes a lot of extra places where things can go wrong, leading to crashes or security vulnerabilities. The best approach in system design is to do the simplest thing that could possibly work. Less is more.

NetBSD gives me a clean slate

(NOTE: Sadly, this is becoming increasingly less true)

NetBSD's base system is one of the few these days which actually deserves the term "base". It is a basic, uncustomised Unix system and that's it. NetBSD does not install web servers (actually, the bozotic HTTP server has been in base since 5.0, so this is no longer true. But it used to be) and browsers or scripting languages (actually, there's a push to put Lua into base, and even the kernel(!). I think this might be slated for 6.0) by default. It does not install vim for me and symlink vi to it without asking. If I install X, it does not presume to know what window manager I want to use or how I want it to look and feel and do the corresponding installation and configuration for me.

More so than on any other operating system I've tried, everything about a NetBSD system is the way it is because the administrator made it that way. I like it that way.

NetBSD releases are fairly infrequent

New major releases of NetBSD tend to come out something like a year or two apart, as opposed to every six months like clockwork as is the case for OpenBSD or a lot of popular Linux distributions. I get the impression that most people would think this is a bad thing, but I actually prefer it. Significant upgrades are a pain in the butt. They take up my time and my bandwidth and they mean downtime for servers, tedious updating of config files and possible breakage. I'd prefer not to have to deal with that every six months just for the sake of it. Of course, sometimes upgrades mean exciting new features too. But there are plenty of applications where you don't want or need the latest and greatest ideas and technologies being integrated into the system as soon as they're available, you just want a basic Unix system that works, and NetBSD is fantastic in that situation.

Now, important updates for security or stability are different. The NetBSD project releases these when they are needed and that's good - I'd be concerned if they didn't. But these are usually small and simple updates which only affect one or two subsystems and so the scope for breakage is relatively limited.

Note that NetBSD releasing infrequently does not mean that you are necessarily stuck using outdated software (as people often complain about on the stable flavour of Debian GNU/Linux, the only other popular OS that releases once every few years). The main branch of pkgsrc tracks the latest version of upstream software relatively well (although sometimes it fails miserably in this regard, for example pkgsrc was once stuck on Python 2.4 for an eternity, I think even up until well after 2.6 had been released).

I feel like NetBSD hits a nice sweet spot. I don't have to upgrade my whole system every six months whether I need the new features or not just so I still get security and stability updates and can use binary packages, but I still get to use relatively up to date versions of all my third-party software.

NetBSD's package management system, pkgsrc, is awesome

NetBSD's package management system, pkgsrc, is an unsung hero of package management. For all the rage about Debian GNU/Linux's APT, Gentoo Linux's portage and FreeBSD's ports, few people even seem aware of pkgsrc as an alternative with a lot of solid features, some of them rare, some even unique to pkgsrc.

Portability

Everyone knows that NetBSD runs on anything with a transistor in it, but not everybody realises that pkgsrc is developed to be portable as well. Yes, that means you can use pkgsrc to manage the software you have installed on your FreeBSD or OpenBSD boxes, your Linux boxes, even your Solaris boxes. This means that when you learn pkgsrc, you are learning a transferable skill which you can still benefit from even if you use another OS later, not a skill which applies only to a single Linux distribution.

License management

Pkgsrc is aware of the license each of its pieces of software is distributed under. You can provide pkgsrc with a list of licenses which you consider acceptable and then if you try to install a piece of software not realising that you don't agree with or can't comply with its license, pkgsrc will stop and warn you and will not install the package until you adjust your list of acceptable licenses. This is particularly handy for avoiding commercial use of software whose license prohibits it and avoiding evil licenses, like the Apache 2 license. I am unaware of any other package management system that does this. Emailed corrections on this point are welcome. UPDATE 2013: Florian Ermisch wrote to let me know that Gentoo's portage can, in fact, do license management.

Simple security auditing

The pkgsrc developers maintain a file detailing known security vulnerabilities in all of their packages. The pkgtools/pkgaudit package can read this file and alert the user to any vulnerable packages which are installed on the machine it is running on, so that these can be promptly patched or removed. If you set up cron jobs to automate downloading the latest copy of the vulnerability list and running the check, you'll never miss another third-party vulnerability again. No having to monitor mailing lists and trying to remember what versions of what libraries you have installed - you just get told. Furthermore, whenever you try to install a new package, pkgsrc will try to check it for known vulnerabilities first and warn you if any are found, so you can't unknowingly install a package which is known to be vulnerable.
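The cron job described above, as an added example that is not part of the original post or of pkgsrc itself. It assumes a pkg_install new enough to provide "pkg_admin fetch-pkg-vulnerabilities" and "pkg_admin audit" (the post's pkgtools audit tool predates that integration), and the sample audit output, advisory URLs and mail address are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the original post or from pkgsrc): a cron-friendly
# wrapper around pkgsrc's vulnerability audit. Assumes "pkg_admin
# fetch-pkg-vulnerabilities" and "pkg_admin audit" from pkg_install;
# ADMIN_MAIL and the sample advisory URLs are constructed placeholders.
set -u

ADMIN_MAIL="${ADMIN_MAIL:-root}"

# Extract the unique set of vulnerable package names from audit output.
# pkg_admin audit prints one line per (package, advisory) pair in the form
#   Package <name-version> has a <kind> vulnerability, see <url>
vulnerable_pkgs() {
    awk '/^Package / { print $2 }' | sort -u
}

# Count the unique vulnerable packages on stdin (used for the exit status).
vulnerable_count() {
    vulnerable_pkgs | wc -l | tr -d ' '
}

# Refresh the vulnerability list, audit installed packages, and mail the
# report only when something is affected. Exits non-zero in that case so the
# cron job's own status is meaningful even without the mail.
run_audit() {
    report=$(mktemp) || return 2
    pkg_admin fetch-pkg-vulnerabilities >"$report" 2>&1   # stale list is still audited on failure
    pkg_admin audit >>"$report" 2>&1
    n=$(vulnerable_count <"$report")
    if [ "$n" -gt 0 ]; then
        mail -s "pkgsrc audit: $n vulnerable package(s) on $(hostname)" \
            "$ADMIN_MAIL" <"$report"
    fi
    rm -f "$report"
    [ "$n" -eq 0 ]
}

# Constructed sample of audit output, for exercising the parser offline.
SAMPLE_AUDIT='Package python24-2.4.6 has a arbitrary-code-execution vulnerability, see http://example.invalid/adv-1
Package openssl-0.9.8k has a denial-of-service vulnerability, see http://example.invalid/adv-2
Package python24-2.4.6 has a information-disclosure vulnerability, see http://example.invalid/adv-3'

case "${1:-}" in
    --demo) printf '%s\n' "$SAMPLE_AUDIT" | vulnerable_pkgs ;;   # offline parser demo
    --run)  run_audit ;;                                          # what cron should call
esac
```

Install it as a daily cron entry with "--run"; "--demo" only shows what the parser makes of the constructed sample.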

This is really cool, and seems to be fairly unique. FreeBSD's ports system has something similar, called portaudit, but OpenBSD's ports system certainly does not. I have been unable to find anything on the web about a similar thing for Gentoo's portage or Debian's apt-get, which seem the most likely Linux package systems to include such a tool. Emailed corrections on this point are welcome. UPDATE 2013: Florian Ermisch wrote to let me know that "glsa-check" (a part of gentoolkit) and debscan provide similar but not identical functionality for Gentoo and Debian, respectively.

NetBSD has clear separation of base system and extra packages

In NetBSD, everything that is installed by the pkgsrc package management system goes into (by default) /usr/pkg/. This includes configuration files, which go in /usr/pkg/etc/. There is never any ambiguity as to whether a given file was installed as part of the base system or installed by an administrator at a later date.

NetBSD has some advanced and unique security features

While OpenBSD is the operating system that most people associate with security, NetBSD is certainly not a poor performer in the security arena. The document Recent Security Enhancements in NetBSD gives a detailed overview of many present and planned security features of the operating system.

Disk encryption

NetBSD's disk encryption framework, CGD, provides support for a range of ciphers and key sizes, and is well documented. This is in contrast to OpenBSD's XXXconfig, which offers exactly one cipher and key size.

File integrity

NetBSD's veriexec framework provides kernel-level verification of the integrity of both binary and text files using cryptographic hash functions. If veriexec is used correctly, trojaned binaries will not be executed and modified config files will not be read. This is enforced by the kernel, not a userland program, so even in the event of a root compromise there is still some assurance of integrity. I am not aware of any other operating system which provides a feature like this. Emailed corrections on this point are welcome.
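To make the fingerprint idea concrete, here is an added example (not from the original post and not NetBSD's own veriexec tooling) that builds signatures-style fingerprint lines and re-checks files against them from userland, so the tamper-detection the kernel enforces can be seen on an ordinary file. It assumes the usual NetBSD workflow of veriexecgen writing /etc/signatures, "veriexecctl load /etc/signatures" loading it, and kern.veriexec.strict controlling how mismatches are treated; the hashing fallbacks exist so the script also runs on Linux.

```shell
#!/bin/sh
# Added example, not NetBSD's veriexec code: build veriexec-style
# fingerprint lines and check files against them in userland, to show what
# the kernel rejects once the list is loaded and kern.veriexec.strict is set.
# Assumed NetBSD workflow: veriexecgen -> /etc/signatures,
# veriexecctl load /etc/signatures, sysctl -w kern.veriexec.strict=1.
set -u

# Hex SHA-256 of a file, using whichever tool the host provides.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{ print $1 }'
    elif cksum -a sha256 /dev/null >/dev/null 2>&1; then
        cksum -a sha256 "$1" | awk '{ print $NF }'     # BSD-style "SHA256 (f) = hash"
    else
        openssl dgst -sha256 "$1" | awk '{ print $NF }'
    fi
}

# One signatures-style line: "<path> SHA256 <fingerprint> <flags>".
# Flags such as "direct" (may be executed) or "file" (may be opened for
# reading, e.g. a config file) are veriexec's own vocabulary.
veriexec_entry() {
    path=$1; flags=${2:-direct}
    printf '%s SHA256 %s %s\n' "$path" "$(sha256_of "$path")" "$flags"
}

# Recompute a file's fingerprint and compare it with its recorded entry.
# Returns 0 when unchanged, 1 when the contents differ (what strict-mode
# veriexec refuses to execute or read) and 2 when the file is missing.
# Paths containing whitespace are not handled, matching the line format.
verify_entry() {
    set -- $1
    path=$1; recorded=$3
    [ -f "$path" ] || return 2
    [ "$(sha256_of "$path")" = "$recorded" ]
}

# Self-contained demonstration on a constructed temp file: fingerprint it,
# tamper with it, and watch the check fail.
demo() {
    f=$(mktemp) || return 2
    printf 'hello\n' >"$f"
    entry=$(veriexec_entry "$f" file)
    echo "$entry"
    verify_entry "$entry" && echo "unchanged: verified"
    printf 'extra line\n' >>"$f"          # simulate a modified config file
    verify_entry "$entry" || echo "modified: rejected"
    rm -f "$f"
}
```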

Monitoring third-party package vulnerabilities

As discussed above, NetBSD's pkgsrc package management system enables nearly effortless monitoring of third-party package vulnerabilities.

NetBSD's internals are clearly documented

The NetBSD website includes a document entitled NetBSD internals which, while incomplete, does an excellent job of detailing a lot of what goes on under the hood of NetBSD. It even lets the reader know exactly which source files contain the code responsible for various things! For someone like me who is interested in operating systems and dreams of one day understanding enough to be able to contribute to one, such a resource is invaluable.

As far as I know, neither FreeBSD nor OpenBSD has this sort of documentation available. FreeBSD has a published book, and there is an older book which is probably still somewhat relevant to OpenBSD, but NetBSD takes the cake here.

NetBSD is a direct descendant of 4.4BSD

This is not an especially compelling technical reason for why someone might want to use NetBSD, and I wouldn't base a decision on it if I were trying to pick an OS for an important business application or anything like that. But when it comes to choosing an OS for my personal use, provided it doesn't mean sacrificing technical adequacy, I think it's perfectly fine to take this into consideration. NetBSD has an amazing heritage. I love Unix, and I love the Internet, and NetBSD is intimately connected to the earliest days of both of those things. I really enjoy knowing that about my systems!