DistroWatch Weekly, Issue 639, 7 December 2015

Feature Story (by Jesse Smith)

Guarding the gates with OpenBSD 5.8



The OpenBSD project has long held a reputation for producing a secure operating system. The project boasts just two remote security holes reported over a span of about twenty years. It's an impressive accomplishment for the developers and a good indication of why OpenBSD is so often trusted for security-oriented tasks like running firewalls. However, the OpenBSD team has been steadily working on other projects too. The team behind OpenBSD also creates the widely used OpenSSH software which is used around the world by system administrators to remotely work on servers and securely transfer files. The OpenBSD project also spawned the LibreSSL software (a replacement for OpenSSL) following the Heartbleed vulnerability. In the latest release of OpenBSD we also saw improvements to the project's lightweight and secure web server (called httpd), the introduction of the doas command (a replacement for sudo), a new implementation of the file command and W^X support for i386 processors. The latest version of the operating system, OpenBSD 5.8, also switched to denying root logins in the default installation.



OpenBSD is available for several different architectures and, for the purposes of this review, I decided to try the 64-bit x86 build and run it in a virtual machine. The ISO I downloaded was 220MB in size and, upon booting from the disc, I was presented with a text console where I was asked if I would like to perform a new installation, upgrade an existing copy of OpenBSD, perform a quick "auto-install" or drop to a command shell. I decided my best option was to perform a fresh installation.



OpenBSD's system installer displays a series of prompts on the text console and we type in our answers. Many of the prompts provide a good default option and we can simply press the Enter key to take the default setting. The installer walks us through the steps of getting us to select our keyboard's layout, set the hostname for our computer and configure our network card. The installer supports DHCP and manually supplied network settings for both IPv4 and IPv6. We are asked to provide a password for the root account and we are asked if we would like to run the OpenSSH secure shell service. The installer then asks if we would like to enable graphical desktop software. We then have the option of creating a user account for ourselves. The next section walks us through partitioning the hard drive and OpenBSD's installer will suggest layouts and mount points for us that should work in many cases. We are next asked where OpenBSD's source files are located (in my case on the CD) and we can then select which OpenBSD packages we want to install. The various packages include the base operating system, various kernels, documentation, games and graphical utilities. The operating system's files are copied to our hard drive, after which we are asked to supply our time zone. With all the installer's steps completed we are dropped to a command line where we can reboot the computer.



The first time I went through the installer I took the suggested disk layout on blind faith, which was clearly (in hindsight) a poor choice. While my 8GB of free space was more than enough room for OpenBSD and all of its components, those 8GB had been divided by the installer into about eight separate partitions (and swap space) which meant there was very little free space under any mount point other than /home. This meant, in brief, I was unable to install new packages or software updates as the space set aside for the root file system and /usr were nearly full following the initial installation. I went back through the installer, performing a fresh installation with fewer mount points and ended up with plenty of room for the operating system and its packages.





OpenBSD 5.8 -- Installing new software packages




Since I had installed packages with graphical support at install time, my copy of OpenBSD booted to a graphical login screen. From there we can sign into a bare bones window manager where we are given a virtual terminal and workspace switcher. I found that when logged into this graphical environment, OpenBSD used about 120MB of memory in total.



Package management on OpenBSD works in a similar manner to the other members of the BSD family, but is a little different from Linux distributions, so I want to go over it briefly. On OpenBSD the system is divided into the base operating system and third-party software. We can install third-party items, like web browsers, desktop utilities and extra services, using the pkg_add command or through a ports system. Using pkg_add tends to be a lot faster and easier, but it does require that we set an environment variable with the name of the repository mirror we want to use. Fortunately this is all nicely documented for us on the OpenBSD website. I installed a few packages this way and found the pkg_add command line utility handled software for me well. My one issue with pkg_add is that it does not warn the user when a repository mirror has not been set. This means if we run "pkg_add firefox" without specifying a mirror first, pkg_add simply fails without telling us if it is because the package does not exist or it just did not have a mirror to search.



Updates to the base operating system are installed from source code and the OpenBSD website lists available security updates and errata. Since downloading, compiling and installing security patches can be a complex undertaking, there is an unofficial website which supplies binary software updates. The mtier.org website actually supplies a shell script which can be run manually or from a scheduled job that will detect and install binary security updates. I tried this update script and found it worked very well and it makes updating OpenBSD a much faster and more streamlined experience.



One of the reasons I wanted to try this version of OpenBSD was the project's new doas command which is intended to replace sudo. Both commands allow a non-privileged user to perform actions that would normally be restricted to another user such as root. According to the OpenBSD developers, the sudo command's code and configuration file are too complex and the complexity may mean unexpected problems lurk in the sudo code. There is also the risk of an administrator accidentally introducing a security hole in the sudo configuration file due to the complex nature of sudo's configuration syntax. The doas command is not enabled by default, but creating a configuration file for the doas command enables it.



I found I very much appreciated the doas command, its documentation and configuration file. The doas configuration file is much easier to read than sudo's and the available options are well explained. The doas command allowed me to assign root access to a user given the proper password and doas worked as advertised.



I also decided to try out the latest version of OpenBSD's built-in web server, called httpd. The server has a very straightforward configuration file which, for simple websites, makes httpd very attractive when compared to the Apache web server or nginx. I had to read a little documentation to find out how to properly enable PHP support on the web server, but the steps were straightforward and would be easy to reproduce. In the end, I ended up creating a small website and was happy with the results I got from httpd, whose configuration file was a total of about five lines.





OpenBSD 5.8 -- Testing the httpd web server with Firefox




A lot of people use OpenBSD as a firewall operating system and I feel the system delivers there. I quite like the PF firewall. I find its syntax easier to read than rules for Linux's iptables and it is easy to set up lists of addresses to ban. Plus I like how straightforward it is to block brute-force attacks against services like OpenSSH. In short, PF on OpenBSD is just like any other service the project creates: it is easy to set up, has a clearly written configuration file and the documentation is useful.
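The two PF features mentioned above, a list of banned addresses and brute-force blocking for OpenSSH, sketched as a pf.conf fragment. This is an added example, not taken from the review or from the OpenBSD project; the table names, the documentation-range addresses and the rate limits are assumptions chosen for illustration.

```conf
# /etc/pf.conf fragment (constructed example).
# Addresses are from the RFC 5737 documentation ranges, not real offenders.

# A static ban list, plus a table that PF fills in by itself.
# "persist" keeps a table in memory even when no rule references it.
table <banned> persist { 192.0.2.0/24, 198.51.100.17 }
table <bruteforce> persist

set skip on lo

# Default deny. PF uses the last matching rule, so the rules below
# can open up specific traffic again.
block return

# "quick" stops evaluation at this rule, so a later pass rule can
# never let a banned source back in.
block in quick from <banned>
block in quick from <bruteforce>

pass out

# Allow inbound SSH, tracking connections per source address.
# A source that holds more than 10 connections at once, or opens more
# than 5 within 30 seconds, is added to <bruteforce>. "flush global"
# also kills every state that source already has, not only the SSH ones.
pass in on egress inet proto tcp to port ssh \
    keep state (max-src-conn 10, max-src-conn-rate 5/30, \
    overload <bruteforce> flush global)
```

The file can be syntax-checked without loading it using `pfctl -nf /etc/pf.conf`, and the sources caught so far are listed with `pfctl -t bruteforce -T show`.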



Conclusions



What I really took away from my experience with OpenBSD is something I (and I think others) often forget about OpenBSD and that is: the project values documentation and clean design. I spend a lot of time on Linux which often has poor or non-existent documentation for a lot of services. Too often on GNU/Linux distributions the manual pages are vague and include instructions to find the complete documentation elsewhere. FreeBSD has good documentation, but it is in the project's handbook. OpenBSD is one of the few, perhaps the only, project I can think of that keeps almost all of its documentation in the operating system's manual pages where we can find examples and clear explanations. It's a remarkably pleasant feature.



OpenBSD may be very secure, but I think what sets the operating system apart are its documentation and clean system design. It is so easy to find things and understand the configuration of an OpenBSD system. The file system is organized in a clean and orderly manner. It always takes me a while to get accustomed to using OpenBSD, as for me it is a rare occurrence, but once I get settled in I like how straightforward everything is. I can usually find and configure anything on the system without referring to external documents or searching for answers on-line and that is quite an accomplishment for an operating system where virtually everything is done from the command line.



In short, I was happy with OpenBSD 5.8. I like how httpd is coming together, I like that the installer defaults to disabling root logins, I enjoy working with the PF firewall and doas is such a wonderful replacement for sudo I hope it is widely adopted by other open source projects. This feels like a solid release from the OpenBSD project and I was quite happy using it.





Miscellaneous News (by Jesse Smith)

openSUSE seeks Summer of Code ideas, Mint's website outage, Enlightenment ships with Wayland support and tips for monitoring Linux



The openSUSE team is already looking ahead to next year's Summer of Code, a program sponsored by Google where the company pays students to work on open source projects. The openSUSE project plans to participate in Google's Summer of Code (GSoC) in 2016 and is looking for a list of things openSUSE users want to see fixed or added to the distribution. "Mentoring is important for the future of open source software and for openSUSE. It introduces students to the culture and practices of open source. It can provide lessons for building interpersonal skills and the results of GSoC produce open-source code, which benefits everyone. openSUSE is actively searching for mentors, students and projects for GSoC as well as administrators for openSUSE's involvement with GSoC. Students are matched with a mentoring organization like openSUSE and given projects to work on over a three-month period, but project ideas must be submitted for openSUSE to take part in GSoC. Ideas can be submitted to openSUSE on the wiki under the GSoC ideas 2016 page." Further information on openSUSE's participation in the Summer of Code program can be found on the project's blog and suggestions can be submitted to openSUSE's wiki.

* * * * *

Last week fans of Linux Mint had been expecting to witness the launch of Linux Mint 17.3. Instead, visitors to the project's website encountered a message saying the distribution's website was off-line and would be back in a few days. On Friday, a message appeared on the Linux Mint blog explaining what had happened: "I would like to apologize for keeping you in the dark. You probably noticed our website and forums were down and even though it's early December, Linux Mint 17.3 isn't officially out yet. We've been hit by a series of disk issues on our main server and we made a critical mistake which resulted in data loss when trying to solve them. We then discovered our daily backups only covered part of what we lost. We're working day and night to recover the data and to bring everything back to normal." By the weekend most of the project's website was back on-line again and Linux Mint 17.3 had been released.

* * * * *

A new release of the Enlightenment desktop software was announced last week. The new version, 0.20.0, offers several interesting features, including a new audio mixer gadget and improved FreeBSD support. "The E20 development cycle has come to a close, with 1,890 patches submitted by over 50 developers in the course of 441 days. 25+ reported Coverity analyzer issues and 165 tickets were addressed during this time (based on commit message tagging). I'd like to personally thank everyone who contributed, whether by submitting patches, writing documentation, reporting bugs, or simply providing feedback on IRC." Perhaps the most interesting new feature is full Wayland support. Wayland is the planned replacement for the X display software and support for Wayland is being added to cutting edge distributions such as Fedora and KaOS. Notes on building Enlightenment with Wayland support enabled and using this new feature can be found in this document.

* * * * *

The Netflix organization sends a lot of data across the Internet and needs to maintain a large and responsive infrastructure. As a result, the company's system administrators need to be able to quickly check on their servers and make sure they are running smoothly. The company recently blogged about some of the monitoring tools they use which are common across most Linux and BSD systems and can be used by people at home. "In 60 seconds you can get a high level idea of system resource usage and running processes by running the following ten commands. Look for errors and saturation metrics, as they are both easy to interpret, and then resource utilization. Saturation is where a resource has more load than it can handle, and can be exposed either as the length of a request queue, or time spent waiting." The blog post covers ten commands for monitoring resource usage and how to use the tools to check a system for common problems.





Questions and Answers (by Jesse Smith)

WINE and Mono on live media



Seeking-live-distros-with-WINE asks: Today I found myself recovering data from some "dead" storage devices. Of all the tools that I used, the only one that successfully recovered the data was DiskDigger. Although I generally loathe using Windows software, this was borne out of necessity, not even old faithful TestDisk could find the files.



The application runs under Mono and worked very well with my Debian install (LMDE). But it got me thinking: if I was not near a computer running Linux, how could I have run the Mono application (please don't tell me to use Windows!)? I generally carry several USB flash drives containing various live bootable distros, but none of them come with Mono (or WINE) included.



Do you (or any of your DistroWatch readers) know of any current Linux live distro that includes Mono and/or WINE as standard, or is it that those packages are too bloated and problematic for them to work successfully in those circumstances?



DistroWatch answers: While most Linux distributions do not include WINE or Mono with their live media, there are a few exceptions. For people who want to run Windows applications from a live disc using WINE, one of the best options is probably Zorin OS. The Zorin OS distribution is designed specifically with former Windows users in mind and I think WINE is available from their live media. I'm not sure if Mono is included, but their live disc does feature packages with the term "mono" in the package names.



Another way to go would be to install Mono packages while running the live distribution. Most live distributions will allow you to temporarily install new software packages and run them in memory. So, assuming you have an active Internet connection and the computer you are operating on has a few gigabytes of RAM, you should be able to use the package manager to install the tools you need. Then it will not really matter which distribution you start with, so long as Mono and/or WINE are included in the distribution's package repositories.



I have occasionally had to recover files using a live distribution that does not ship with recovery tools, but I was able to install the items I needed (like TestDisk) and run them from memory. It is not an ideal arrangement, but is a solution that works on almost every distribution.



One last option you might want to look at is creating your own live distribution for future use. Tools like SUSE Studio will help you put together a custom recovery disk that includes the tools you want. That way you can put Mono and WINE on the disc and take it with you wherever you go.

* * * * *

Past Questions and Answers columns can be found in our Q&A Archive.





Torrent Corner

Weekly Torrents



Bittorrent is a great way to transfer large files, particularly open source operating system images, from one place to another. Most bittorrent clients recover from dropped connections automatically, check the integrity of files and can re-download corrupted bits of data without starting a download over from scratch. These characteristics make bittorrent well suited for distributing open source operating systems, particularly to regions where Internet connections are slow or unstable.



Many Linux and BSD projects offer bittorrent as a download option, partly for the reasons listed above and partly because bittorrent's peer-to-peer nature takes some of the strain off the project's servers. However, some projects do not offer bittorrent as a download option. There can be several reasons for excluding bittorrent as an option. Some projects do not have enough time or volunteers, some may be restricted by their web host provider's terms of service. Whatever the reason, the lack of a bittorrent option puts more strain on a distribution's bandwidth and may prevent some people from downloading their preferred open source operating system.



With this in mind, DistroWatch plans to give back to the open source community by hosting and seeding bittorrent files. For now, we are hosting a small number of distribution torrents, listed below. The list of torrents offered will be updated each week and we invite readers to e-mail us with suggestions as to which distributions we should be hosting. When you message us, please place the word "Torrent" in the subject line and make sure to include a link to the ISO file you want us to seed. To help us maintain and grow this free service, please consider making a donation.



The table below provides a list of torrents we currently host. If you do not currently have a bittorrent client capable of handling the linked files, we suggest installing either the Transmission or KTorrent bittorrent clients.



Operating System | Torrent | MD5 checksum
Raspbian | 2015-11-21-raspbian-jessie.zip | 686fb2f51f124622bded7049de3d9b46
Sabayon | Sabayon_Linux_15.12_amd64_Xfce.iso | d3c865e87d9ec5c2dde8cc58b54d9d1f



Archives of our previously seeded torrents may be found here. All torrents we make available here are also listed on the very useful Linux Tracker website. Thanks to Linux Tracker we are able to share the following torrent statistics.



Torrent Corner statistics:

Total torrents seeded: 139

Total data uploaded: 21.8TB

Released Last Week

Porteus Kiosk 3.6.0



Tomasz Jokiel has announced the release of Porteus Kiosk 3.6.0, the latest quarterly update of the project's single-purpose Gentoo-based distribution for web kiosks. This release introduces a server edition which is designed for monitoring, accessing and managing Porteus Kiosk clients: "I'm pleased to announce that Porteus Kiosk 3.6.0 is now available for download. The new version sums all the development which happened in the last three months. Linux kernel has been updated to version 4.1.13, Mozilla Firefox to version 38.4.0 ESR and Google Chrome to version 46.0.2490.86. Packages from the userland are upgraded to portage snapshot tagged on 20151128. Here is a short overview of the most notable features introduced in this release: implemented support for associating the kiosk clients with Porteus Kiosk Server - our brand new operating system which allows monitoring, accessing and managing the clients even if they are placed behind a NAT, proxy or firewall; added support for injecting or replacing default browser preferences with a text file hosted on the network...." See the release announcement and changelog for a full list of changes and new features.



Q4OS 1.4.4



The developers of Q4OS have announced a new version of the project's Debian-based distribution. Q4OS features the Trinity desktop environment and can work on low-resource hardware. "The Q4OS development team is pleased to announce the immediate availability of the new Q4OS 1.4.4 release. It's the maintenance release of the Q4OS 1.4 'Orion' series, and is built on and improves the previous version. The new Q4OS release ships with brand new update notifier and manager, as well as several different improvements. Update notifier pops up an icon in system tray, when updates are available from system repositories and lets administrator to apply them on request. Other improvements include optimized desktop profiles, fast data transfer from Android devices, broader support for various multimedia formats and more. Bunch of more or less important bug fixes, packages updates and security patches has been delivered as usual." Further information can be found on the project's blog. Builds of Q4OS are available for computers featuring 32-bit and 64-bit x86 processors and there is an image of Q4OS for the Raspberry Pi mini computer.





Q4OS 1.4.4 -- Running the Trinity desktop environment




Raspbian 2015-11-21



Simon Long has announced the release of Raspbian 2015-11-21, a new update of the Debian-based distribution made for the Raspberry Pi single-board mini-computer: "Amid all the excitement last week, some people have noticed that we also released an updated Raspbian image, and have been asking what is in it. Obviously, one of the most important features of this image is support for Pi Zero (which is also the main reason we didn't make any fuss about it in advance). But there are a few other small changes which apply to all versions of the Pi, so here's a list for the curious. IBM's Node-RED Internet Of Things application is now included - this allows you to rapidly create IoT applications by connecting blocks in a graphical editor. To get started, run the Node-RED application from Programming in the main menu, and then use the web browser to access port 1880 at your Pi's own address to see the editor. Under Preferences in the main menu, you will now find an option for Add/Remove Software. This launches a modified version of the GNOME Packages application, which allows you to add and remove software on your Pi." Read the full release announcement for further information and screenshots.



Linux Mint 17.3



Clement Lefebvre has announced a new release of the Linux Mint distribution. The new release, Linux Mint 17.3, is based on Ubuntu 14.04 LTS and is available in MATE and Cinnamon editions. Some of the key changes in this release involve the handling of software updates and managing hardware drivers. "Linux Mint 17.3 is a long term support release which will be supported until 2019. It comes with updated software and brings refinements and many new features to make your desktop experience more comfortable to use. Software repositories are very important. We use them all the time when installing new software or performing updates. They need to be fast and reliable. This was a major point of focus in the development of Linux Mint 17.3. Software repositories are mirrored (i.e. duplicated on many servers) all over the world. The main goal of the Software Sources configuration tool is to make it easy to find the best available mirror for you; one that is: reliable and fully up to date; fast and responsive. To find the fastest mirrors, the Software Sources tool now detects your location and starts its speed tests with mirrors near you." Further information can be found in the release announcements for the Cinnamon and MATE editions.



Robolinux 8.3



The Robolinux project has announced the availability of a new release of their commercial, Debian-based distribution. The latest version, Robolinux 8.3, includes several new multimedia applications, including Photo Filmstrip, Spotify, Blender, OpenShot and Pinta. Robolinux 8.3 also ships with Wireshark for monitoring network traffic. Additional wi-fi and printer drivers were added while Popcorntime was removed from the list of applications. "As the Christmas and holiday season was approaching Robolinux polled its user base extensively asking `What hot new apps do you want in Robolinux Cinnamon, Mate, Xfce & LXDE Raptors?' An overwhelming number of users responded with "We want more multimedia and privacy apps in Robolinux". Interestingly many users asked for a packet sniffer to monitor their privacy amongst other things." Further information on this release can be found in the project's release announcement.

* * * * *

Development, unannounced and minor bug-fix releases

deepin 15-alpha2 (Announcement)

Android-x86 6.0-20151202

CoreOS 835.8.0

Pentoo 2015.0-rc4.6 (Announcement)

DragonFlyBSD 4.4.0

ArchBang 031215

Upcoming Releases and Announcements

Opinion Poll

Webmail vs local e-mail clients



Last week we heard from Mozilla that the organization is considering dropping support for the Thunderbird e-mail client. Though the announcement, and its follow-up, do not say for certain what Thunderbird's future may be, it is unfortunate to see Mozilla planning to cease Thunderbird development.



The announcement was not entirely a surprise since Mozilla had already placed Thunderbird in maintenance mode, where the software received security updates and bug fixes only. However, it is interesting to note Mozilla has not put effort into expanding on Thunderbird as a product the same way they have with Firefox. After all, according to Mozilla itself, Thunderbird has around ten million users. Tie-in products such as large attachment storage and on-line message archiving might have funded further development of the popular Thunderbird application.



The above announcement about Thunderbird's future has sparked a lot of debate over the usefulness of local e-mail clients versus webmail. This week we would like to know whether you use a local client, such as Thunderbird or Evolution, for accessing e-mail or if you use web-based e-mail.



You can see the results of last week's poll on web browser extensions here. All previous poll results can be found in our poll archives.

Webmail vs local e-mail clients

I use webmail exclusively: 803 (31%)
I use local e-mail clients exclusively: 828 (32%)
I use both webmail and applications: 905 (35%)
I do not use either: 16 (1%)

DistroWatch.com News