OpenBSD Innovations
79 comments · February 22, 2025
jmclnx
slome
The openbsd foundation raised around 5 million, half of which has been spent. Curiously they aren't as transparent as they once were.
You mention nvidia support, others are hopeful for a better filesystem and wifi as well.
brynet
> .. wifi as well.
OpenBSD has supported 11ac for several years, and has the iwx(4) driver for modern Intel WiFi cards. There's also support for Broadcom FullMAC, bwfm(4), which is on e.g. Apple Silicon machines.
HaikuOS also has a port of OpenBSD's iwm/iwx drivers.
FreeBSD just recently announced they've started porting the OpenBSD iwx driver.. from Haiku.
https://freebsdfoundation.org/blog/laptop-support-and-usabil...
brynet
> The openbsd foundation raised around 5 million, half of which has been spent.
Citation needed, they've raised nowhere near that amount.
https://github.com/bob-beck/foundation-web/commit/483266cece...
thegeekpirate
Not OP, but they've raised $4,974,668 since 2014 (done by adding up all the thermometers at https://github.com/bob-beck/foundation-web), and I'm excluding anything prior.
That's certainly what they meant ;)
deadbabe
When you give freely and generously to the community you should do so with no expectation of getting anything in return. Sometimes that expectation is fulfilled.
noisy_boy
They are not talking about OpenBSD's expectations, it's about the ethics (!) of the companies using things on the back of the generosity without giving back.
kweingar
I see this mindset more and more, and to me it seems against the ethos of open-source software. There's something philosophically odd about saying "you are free to use, change, redistribute, or sell this with basically no restrictions" while simultaneously maintaining that users incur unstated ethical debts by accepting. It could even be seen as a kind of bait-and-switch.
Contributions and reciprocity are praiseworthy of course, and we should all aspire to this. But that doesn't mean someone is ethically wrong for choosing to accept a gift freely given without giving one in return.
zx8080
Ethics does not belong to capitalism. Money is the central part of it, not ethics.
jjmarr
Use GPLv3 or AGPL then. If you want companies to "give back" when they use your code, put it in the licence.
Or you can charge money for your product.
lnxg33k1
Capitalism is based on the exploitation of workers who are directly hired by a company, now imagine if a company would pay someone who it doesn't have to.
genewitch
I'd change "workers" to "persons with little capital".
olddustytrail
They could easily raise a few million if they bothered working on sales, but they don't.
hoppp
It's not really a for-profit project and I prefer it stays that way. Projects that raise money tend to get "corrupted" by the greed.
Not that there is anything wrong with raising money, but the ideology behind OpenBSD doesn't really fit if they go for profit.
dbtc
a) they shouldn't have to
b) part of what makes it great is that they don't
renewiltord
They have a sales team of online enthusiasts who work for free. Unfortunately, they got what they paid for.
tptacek
A phenomenal resource on the same subject:
i80and
I like this -- despite the clown nose logo, it's actually fair to my eye and is respectful to parts of OpenBSD that are thoughtfully designed.
chicom_malware
OpenBSD is thoughtfully designed because it is one of the best examples of "design by dictator" (Theo) - and a small core team - as opposed to design by committee like every other OS out there. Look me in the eye and tell me 90% of changes and unnecessary features in macOS aren't there because some team needs to justify their existence.
lobf
What features in macOS are you referring to?
arp242
I assume you meant to write "disrespectful"?
i80and
While much of this document is openly disdainful, there are areas like the malloc implementation[1] and features like the atexit hardening[2] where OpenBSD is unambiguously excellent, and it says as much, noting that the latter is a "pretty cool mitigation".
I used to do some OpenBSD ports work, and even got a tiny patch into the base system. I love OpenBSD! I don't have an axe to grind here! But it is not above reproach, and I think this site is overall harsh but fair.
jamal-kumar
Besides the clown nose on puffy it's honestly just realistic and not all just talking bad like I've seen some people do:
huang_chung
One of the author's complaints is it bothers him OpenBSD is "proud of not having a code of conduct".
Based on that alone, I take everything else with a grain of salt.
tptacek
Yeah I was worried for a second jcs might have something interesting to say about backward- and forward- edge CFI, but then I remembered he's woke and closed the tab before the mind virus could get me.
bentley
This is “stein”:
https://media.ccc.de/v/36c3-10519-a_systematic_evaluation_of...
Doesn’t look like jcs to me.
huang_chung
Sorry, but it is difficult to take someone 100% seriously if they inject personal feelings into debate.
It makes you wonder if they have an ulterior motive for the presentation of the data. It is okay to question this. Why else mention such a petty thing? Where is it documented in history that a code of conduct has improved security?
sidkshatriya
I am guaranteed to get grief on this but an anti-Innovation in OpenBSD (so obsessed it is about security) is to use an unsafe language like C everywhere in kernel and user space.
The implementation of OpenBSD predates many safer systems languages but I think OpenBSD should now start moving to a checked variant of C or a safer language like Rust/OCaml/Odin/Zig/Something else.
The conversion can start with some OpenBSD user space programs. I notice a steady stream of C related security fixes in the OpenBSD changelog. Many of these could have been probably avoided if the implementation language was more “safe” by default.
I doubt that this is going to happen but I think it is fair to point out that using C does give you some additional security headaches by default.
brynet
In addition to work pioneering privdrop/privsep design for network daemons, and the almost ubiquitous adoption of pledge(2)/unveil(2) across the base system, I think people are missing out on much more recent mitigation work, such as mimmutable (which Linux is just beginning to land with mseal). On OpenBSD, most of a program's static address space (.text/ld.so's .text/.bss/main stack) is now automatically immutable.
There's also execute-only memory and BTI/IBT on modern Intel/AMD, and ARM machines, enabled by default. Including a significant amount of ports development work to make the larger software ecosystem ready for this.
eru
> Random-data memory: the ability to specify that a variable should be initialized at load time with random byte values (placed into a new ELF .openbsd.randomdata section) was implemented in OpenBSD 5.3 by Matthew Dempsky.
What's the use case for this?
EDIT: further down is one example:
> RETGUARD is a replacement for the stack-protector which uses a per-function random cookie (located in the read-only ELF .openbsd.randomdata section) to consistency-check the return address on the stack. Implemented for amd64 and arm64 by Todd Mortimer in OpenBSD 6.4, for mips64 in OpenBSD 6.7, and powerpc/powerpc64 in OpenBSD 6.9. amd64 system call stubs also protected in OpenBSD 7.3.
brynet
https://cvsweb.openbsd.org/cgi-bin/cvsweb/~checkout~/src/lib...
Many things, retguard uses this for per-function random cookies, for instance.
The bootloader uses this mechanism to pass data to the kernel.
https://www.openbsd.org/papers/hackfest2014-arc4random/mgp00...
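A simplified model of the RETGUARD check quoted above, as an added example that is not part of the thread or of OpenBSD's code. The frame layout, the helper names (`rg_prologue`, `rg_epilogue`, `random_cookie`) and the addresses are constructed, and the consistency check is modelled as an XOR of the per-function cookie with the return address.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Constructed model of one stack frame; not OpenBSD source code. */
struct frame {
    uint64_t guard;    /* stored by the prologue: cookie ^ return address */
    uint64_t ret_addr; /* saved return address being protected */
};

/* On OpenBSD the cookies in .openbsd.randomdata are filled at load time;
 * this model reads /dev/urandom instead (an assumption of the example). */
static uint64_t random_cookie(void) {
    uint64_t c = 0;
    FILE *f = fopen("/dev/urandom", "rb");
    if (f == NULL || fread(&c, sizeof c, 1, f) != 1)
        abort(); /* never continue with a predictable cookie */
    fclose(f);
    return c;
}

/* Function entry: bind this function's cookie to the return address. */
static void rg_prologue(struct frame *fr, uint64_t cookie, uint64_t ret) {
    fr->ret_addr = ret;
    fr->guard = cookie ^ ret;
}

/* Function exit: 1 if consistent, 0 where the real mitigation would trap. */
static int rg_epilogue(const struct frame *fr, uint64_t cookie) {
    return (fr->guard ^ fr->ret_addr) == cookie;
}

/* Returns a bitmask of the epilogue checks that passed. */
int retguard_demo(void) {
    uint64_t cookie_a = random_cookie(), cookie_b = random_cookie();
    struct frame a, b;
    int passed = 0;
    rg_prologue(&a, cookie_a, 0x401000); /* constructed addresses */
    rg_prologue(&b, cookie_b, 0x402000);
    passed |= rg_epilogue(&a, cookie_a) << 0; /* intact frame passes */
    a.ret_addr = 0x401234;                    /* return address changed */
    passed |= rg_epilogue(&a, cookie_a) << 1; /* mismatch detected */
    a = b;                                    /* frame from another function */
    passed |= rg_epilogue(&a, cookie_a) << 2; /* wrong cookie: mismatch */
    return passed;
}

int main(void) { printf("checks passed: 0x%x\n", retguard_demo()); return 0; }
```

Only the intact frame passes. Because each function has its own cookie, a guard value that is valid in one function's frame does not validate in another's.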
ephaeton
I suppose: Sometimes things work fine with the implicit default value that you end up with. So this will cause problems when you forget to initialize values to expected sane defaults.
commandersaki
Really surprised that pledge / unveil isn't featured more prominently on this page.
aomix
Everything I've read about pledge and unveil really admires the approach and the results, but it didn't seem to have a big impact outside of OpenBSD. It took ~20 years for OpenBSD's CSPRNG to be re-implemented everywhere else; maybe we're operating on a similar timeline here.
eyberg
We definitely took inspiration and implemented in the nanos unikernel cause we think it's a great idea:
https://nanovms.com/dev/tutorials/applying-sandbox-security-...
hellcow
While not the same, this is a SECCOMP-based Linux alternative (and it can even be used to restrict pre-compiled binaries).
ajb
Well, it's in date order. But they could do with a line or so of explanation
muppetman
A LOT of those innovations were first present in grsecurity/PaX. Back when it was freely available to everyone as well. I guess the argument is that OpenBSD has them by default without needing a 3rd party patch, that's why they're claiming them as their innovations?
ardupper
Thanks for posting this, I think in our industry provenance is an underrated piece of knowledge.
bradley_taunt
Also a great resource:
gtirloni
Incredible. I wonder what's the debugging experience for userland developers with all these security features enabled (especially the memory randomization ones).
bentley
My general experience has been that it’s great at turning rare crashes into frequent crashes, which are much easier to fix.
eqvinox
Have they implemented ISO C11 _Thread_local yet? It's been the number one annoyance¹ with porting software to OpenBSD. It is (was?) the only mainline OS without support for native thread-local storage.
¹ e.g. https://github.com/FRRouting/frr/blob/3f290c97e8325bd9db9363...
avodonosov
Is OpenBSD suitable for daily use on a laptop?
Does anyone have such experience? Is it ok?
brynet
It depends on what you need for your daily use, OpenBSD has ports of common desktop environments, KDE Plasma, GNOME. In fact, thanks to KDE and GNOME port maintainers, Rafael Sadowski, and Antoine Jacoutot, respectively, OpenBSD 7.6 -current has the latest versions of both (KDE Plasma Desktop 6.3.1, GNOME 47).
I recently checked out KDE 6 for the first time last year, it really is as easy as running 'pkg_add kde kde-plasma kde-plasma-extras' and then reading through the local pkg-readme file. That said, if you're not familiar with OpenBSD it won't be like other systems where it comes preinstalled and preconfigured.
https://brynet.ca/article-l13gen2.html
There are many popular window managers and applications you can install using the package tools, as you'd expect, including Chromium and Firefox, but you can quickly search here: https://openbsd.app/
LeoPanthera
The developers often use ThinkPads, and so consequently it works quite well on ThinkPads.
Your experience will be a lot more variable on any other laptop.
Worth remembering that OpenBSD has no support for bluetooth, which many users often require on a laptop.
chicom_malware
Worth mentioning lack of Bluetooth is only because they felt the existing BT stack was not up to their standards and ripped it out rather than let it rot like most software.
porridgeraisin
There are a grand total of zero valid reasons for not including bluetooth in a desktop OS.
mikem170
Small USB Bluetooth dongles work, they show up as a regular audio device. I use one and sndiod can be set to automatically switch back and forth to it.
I run openbsd on my laptop, a thinkpad x260 with an ssd, and it works great.
myaccountonhn
It works quite well. The OOB experience is very complete and hardware gets picked up without issue. However you’re limited in the amount of apps and it’s also incredibly slow, so you’ll need to really use minimal, fast cli apps.
I left it ultimately because it had way worse battery life than Linux on my T480s and I also wanted to play some games with steam.
eru
You could probably get close to the same experience by running your BSD in a VM when you need it?
tasuki
> it’s also incredibly slow
I never used OpenBSD. Why is it incredibly slow?
amatecha
Well, SMT/hyper-threading is disabled by default[0], not sure if there are other reasons though. It's not that bad, but yeah OpenBSD is probably not your optimal gaming OS :P
[0] https://www.mail-archive.com/source-changes@openbsd.org/msg9...
daneel_w
Disk I/O is notably slower than e.g. Linux or Windows and executional performance is generally a tiny bit slower, but nothing about it is "incredibly slow".
hoppp
Yes but depends on the laptop.
RachelF
Get a Mac laptop. OS X is based on BSD.
hnlmorg
OpenBSD is as different from macOS as Windows 11 is from OpenVMS.
daneel_w
Common misconception. It is not. The kernel is XNU, and the OS base is Darwin which has some BSD parts in it, and some of the userland came directly from FreeBSD (though heavily modified).
hnlmorg
You’re not actually disagreeing with the OP’s statement though. And they’re technically right too.
The problem is that all the user facing stuff in macOS isn’t BSD. It’s Apple’s proprietary APIs. So while macOS was originally and technically based on BSD, almost none of that is exposed to their users.
So they’re technically correct that macOS / Next was based on BSD. But also completely wrong to recommend macOS as a comparison to OpenBSD.
OpenBSD foundation raised around ~380 thousand IIRC.
By creating OpenSSH and the fact all fortune 500 companies use it, I would say every year, the foundation should be bringing in around 1 or 2 million. It is time these companies really give back.
And while I am here, hardware vendors should open up their source, looking directly at Nvidia.