Why OpenBSD?

2016-03-24 14:03

Using OpenBSD as my operating system of choice is the conclusion of my now 20-year journey into UNIX-like systems. I used FreeBSD from 2000 to 2005 as my sole operating system at the time (both on servers and workstations), from 4.1 to the end of the 4.x series. I have fond memories of that period, and that's probably the main reason why I've been diving again into the BSDs during the last few years. Prior to that, I had been running Slackware, which in retrospect was very BSD-like, since January 1996.

When I first installed OpenBSD, two things struck me. The installation process was both easy and fast, as the OpenBSD installer, a plain shell script, is very minimalist and uncluttered. It is in fact the fastest installation process I've ever experienced, and it made a really positive first impression. The second one is the quality of the documentation. Not only does the OpenBSD project produce high-quality code, they are also very good at documenting it. And it's not only man pages and documentation: presentations and papers also reflect that.

OpenBSD is an ecosystem of quality. This is the result of a culture of code auditing, reviewing, and a rigorous development process where each commit hitting the tree must be approved by other developers. It has a slower evolution pace and a more carefully planned development model, which leads to better code quality overall. Its well-deserved reputation of being an ultra secure operating system is the byproduct of a no-compromise attitude valuing simplicity, correctness, and most importantly proactivity. OpenBSD also deletes code, a lot of code. Everyone should know that removing code and keeping the codebase modern is probably as important as adding new code. Quoting Saint-Exupéry: "It seems that perfection is attained not when there is nothing more to add, but when there is nothing more to remove".

Another important thing to mention is that OpenBSD is a truly multi-platform operating system, and when they say an architecture is supported, they really mean it. All platforms are self-hosting and builds happen on real hardware, both for the system and the ports collection. Cross-compiling or using emulators is not an option.

If there is one thing I learned over the years, it's that the importance of sane defaults can't be stressed enough. In OpenBSD's case, it means that a default install comes with almost no services running, encrypted swap, and all security mitigation mechanisms (including ASLR, W^X, PIE, stack protector) enabled. Secure by default. For more details regarding OpenBSD exploit mitigation techniques, please refer to Theo's ruBSD 2013 talk and slides. Moreover, the fact that the OpenBSD project is based in Canada means that there is no significant restriction on the export of cryptographic software.

OpenBSD just works. Things happen exactly the way described in the man pages; there are no surprises. It's predictable, easy to use and administrate. One example I like to mention is connecting to a Wi-Fi network: there is no need for third party software, everything required is built into ifconfig. Thanks to OpenBSD's own ACPI implementation, suspend and resume functionalities usually work flawlessly, and hibernate works as well. ACPI is one of many examples where OpenBSD chose to develop a homegrown implementation when the existing solutions are poorly performing or unacceptable. For the curious, here is a list of software developed or maintained by the OpenBSD project over the years. As a matter of fact, the page you are currently reading is served by httpd(8), OpenBSD's own HTTP server.

On that topic, OpenBSD's networking features are extremely impressive. For the record, it was the first free operating system offering an IPsec stack, and the first production-ready IPv6 implementation. While there is no need to mention pf and OpenSSH, did you know about carp(4), httpd(8), relayd(8), and OpenBGPD, OpenIKED, OpenNTPD, OpenSMTPD, just to name a few?

The ports collection is both up to date and high quality. As with code, the project removes obsolete and decaying ports on a regular basis. The port system infrastructure is written in Perl, which I consider to be a good choice considering the large possible attack surface which regular package managers represent. Binary packages are available (checksummed using SHA-256, signed with Ed25519) and are the preferred way to use ports. Over the last year, I've been contributing to the collection, and also ported some of my own programs. The suggestions I received on the mailing lists helped me to write better software, minimize dependencies, improve overall program flexibility, and also gave me motivation to write man pages. May the story continue.

Lastly, the community is super friendly. OpenBSD developers are not only highly skilled, but also have a great sense of humour. The no-compromise attitude, attention to detail, and willingness to do things the right way are both motivating and contagious. Ultimately, what I hope for the future is a world where the OpenBSD approach to problem solving is the norm rather than the exception. Proactive security!