Why use OpenBSD?
50 comments
hellcow · November 16, 2025
thomashabets2
Finally Linux has something that approaches pledge/unveil: landlock.
Seccomp was never actually usable: https://blog.habets.se/2022/03/seccomp-unsafe-at-any-speed.h...
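The pledge/unveil comparison above, illustrated with an added example that is not from the thread or from OpenBSD: an unveil(2)-style filesystem policy on Linux built directly on Landlock ABI v1 (Linux 5.13 and later). The struct layouts, access bits and syscall numbers are the kernel's stable UAPI, written out so that no `<linux/landlock.h>` is needed; the helper names (`unveil_like`, `ll_allow`, `demo_unveil`) and the temporary directories under `/tmp` are this example's own.

```c
/* Added example, not from the thread or from OpenBSD: an unveil(2)-style
 * filesystem sandbox on Linux built on Landlock ABI v1 (Linux >= 5.13).
 * Struct layouts, access bits and syscall numbers are the kernel's stable
 * UAPI, spelled out here so that <linux/landlock.h> is not required. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>

#ifndef __NR_landlock_create_ruleset  /* same numbers on every architecture */
#define __NR_landlock_create_ruleset 444
#define __NR_landlock_add_rule       445
#define __NR_landlock_restrict_self  446
#endif
#define LL_RULE_PATH_BENEATH 1
#define LL_FS_EXECUTE    (1ULL << 0)
#define LL_FS_WRITE_FILE (1ULL << 1)
#define LL_FS_READ_FILE  (1ULL << 2)
#define LL_FS_READ_DIR   (1ULL << 3)
#define LL_FS_ALL_V1     ((1ULL << 13) - 1)   /* all 13 ABI v1 access bits */
#define LL_RO            (LL_FS_EXECUTE | LL_FS_READ_FILE | LL_FS_READ_DIR)

struct ll_ruleset_attr { uint64_t handled_access_fs; };
struct ll_path_beneath_attr { uint64_t allowed_access; int32_t parent_fd; } __attribute__((packed));

/* Grant `access` beneath `path`; each call is the analogue of one unveil(2). */
static int ll_allow(int ruleset_fd, const char *path, uint64_t access) {
    struct ll_path_beneath_attr rule = { .allowed_access = access, .parent_fd = -1 };
    rule.parent_fd = open(path, O_PATH | O_CLOEXEC);
    if (rule.parent_fd < 0) return -1;
    int rc = syscall(__NR_landlock_add_rule, ruleset_fd, LL_RULE_PATH_BENEATH, &rule, 0);
    close(rule.parent_fd);
    return rc;
}

/* unveil-like policy for the calling process: read-only under ro_dir,
 * read-write under rw_dir, every other path denied. Irreversible, as with
 * unveil(2). Returns 0 on success, 1 if Landlock cannot be used here
 * (ENOSYS: kernel too old, EOPNOTSUPP: disabled at boot, EPERM: blocked by
 * an outer sandbox), -1 on any other error. */
int unveil_like(const char *ro_dir, const char *rw_dir) {
    struct ll_ruleset_attr attr = { .handled_access_fs = LL_FS_ALL_V1 };
    int fd = syscall(__NR_landlock_create_ruleset, &attr, sizeof attr, 0);
    if (fd < 0) return (errno == ENOSYS || errno == EOPNOTSUPP || errno == EPERM) ? 1 : -1;
    int rc = -1;
    if (ll_allow(fd, ro_dir, LL_RO) == 0 && ll_allow(fd, rw_dir, LL_FS_ALL_V1) == 0 &&
        prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) == 0 &&   /* required, as for seccomp */
        syscall(__NR_landlock_restrict_self, fd, 0) == 0)
        rc = 0;
    close(fd);
    return rc;
}

/* Exercise the policy in a forked child (the parent stays unrestricted).
 * Returns 0 if every access behaved as unveil would, 1 if Landlock is
 * unavailable here, -1 otherwise. The test files are constructed in /tmp. */
int demo_unveil(void) {
    char ro[] = "/tmp/ll-ro.XXXXXX", rw[] = "/tmp/ll-rw.XXXXXX", other[] = "/tmp/ll-other.XXXXXX";
    if (!mkdtemp(ro) || !mkdtemp(rw) || !mkdtemp(other)) return -1;
    char ro_f[64], rw_f[64], other_f[64];
    snprintf(ro_f, sizeof ro_f, "%s/f", ro);
    snprintf(rw_f, sizeof rw_f, "%s/f", rw);
    snprintf(other_f, sizeof other_f, "%s/f", other);
    close(open(ro_f, O_WRONLY | O_CREAT, 0600));     /* pre-create the read-only file */
    close(open(other_f, O_WRONLY | O_CREAT, 0600));  /* and the never-unveiled file   */
    pid_t pid = fork();
    if (pid == 0) {
        int st = unveil_like(ro, rw);
        if (st != 0) _exit(st == 1 ? 1 : 2);
        int ok = open(rw_f, O_WRONLY | O_CREAT, 0600) >= 0;        /* create+write: allowed */
        ok = ok && open(ro_f, O_RDONLY) >= 0;                        /* read: allowed         */
        ok = ok && open(ro_f, O_WRONLY) < 0 && errno == EACCES;     /* write: denied         */
        ok = ok && open(other_f, O_RDONLY) < 0 && errno == EACCES;  /* not unveiled: denied  */
        _exit(ok ? 0 : 2);
    }
    int status = 0;
    if (pid < 0 || waitpid(pid, &status, 0) < 0) return -1;
    unlink(ro_f); unlink(rw_f); unlink(other_f);
    rmdir(ro); rmdir(rw); rmdir(other);
    if (!WIFEXITED(status)) return -1;
    return WEXITSTATUS(status) == 0 ? 0 : WEXITSTATUS(status) == 1 ? 1 : -1;
}

int main(void) {
    int r = demo_unveil();
    printf(r == 0 ? "Landlock enforced the unveil-style policy\n"
         : r == 1 ? "Landlock is not usable on this kernel\n" : "unexpected result\n");
    return r < 0;
}
```

Two differences from unveil(2) worth knowing when porting: Landlock needs `PR_SET_NO_NEW_PRIVS` first (so a setuid binary cannot shed the policy), and only the access bits the ruleset *handles* are restricted, so a policy built against ABI v1 leaves newer operations (rename across directories, truncate, device ioctls) to the kernel's default for that ABI version.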
shiomiru
> Seccomp was never actually usable
It's barely usable by itself but I don't think it's an inherent problem of seccomp-bpf, rather the lack of libc support. Surely the task of "determine which syscalls are used for feature X" belongs in the software that decides which syscalls to use for feature X.
In fact, Cosmopolitan libc implements pledge on Linux on top of seccomp-bpf: https://justine.lol/pledge/
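The point made above (seccomp-bpf is fine as a mechanism, but someone has to know exactly which syscalls each feature needs) shown as an added example, not code from the thread or from Cosmopolitan: a minimal pledge(2)-like allowlist built on seccomp-bpf. The promise names are pledge's, but the syscall lists are a small illustrative subset for x86_64/aarch64 with glibc, and `pledge_like`, `run_pledged` and the task functions are this example's own names.

```c
/* Added example, not from the thread or from Cosmopolitan: a tiny pledge(2)-
 * style allowlist on top of seccomp-bpf. The promise -> syscall tables are an
 * illustrative subset for x86_64/aarch64 with glibc; a real port has to
 * enumerate exactly what its libc issues for each feature. */
#define _GNU_SOURCE
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <signal.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <sys/prctl.h>
#include <sys/socket.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>

#if defined(__x86_64__)
#define ARCH_NR AUDIT_ARCH_X86_64
#elif defined(__aarch64__)
#define ARCH_NR AUDIT_ARCH_AARCH64
#else
#error "add the AUDIT_ARCH_* value for this architecture"
#endif
#ifndef SECCOMP_RET_KILL_PROCESS
#define SECCOMP_RET_KILL_PROCESS SECCOMP_RET_KILL   /* pre-4.14 headers */
#endif
#define MAX_INSNS 64

struct promise { const char *name; const int *nrs; int count; };
static const int stdio_nrs[] = { SYS_read, SYS_write, SYS_close, SYS_exit, SYS_exit_group, SYS_rt_sigreturn };
static const int rpath_nrs[] = { SYS_openat, SYS_newfstatat, SYS_lseek };
static const int inet_nrs[]  = { SYS_socket, SYS_connect, SYS_bind, SYS_listen, SYS_accept4 };
static const struct promise promises[] = {
    { "stdio", stdio_nrs, 6 }, { "rpath", rpath_nrs, 3 }, { "inet", inet_nrs, 5 },
};

/* Build an allowlist filter from space-separated promises such as "stdio rpath".
 * Returns the instruction count, or -1 for an unknown promise or overflow. */
static int build_filter(const char *spec, struct sock_filter *f) {
    int n = 0;
    f[n++] = (struct sock_filter)BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch));
    f[n++] = (struct sock_filter)BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, ARCH_NR, 1, 0);
    f[n++] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL_PROCESS);  /* wrong ABI */
    f[n++] = (struct sock_filter)BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr));
    char buf[128];
    snprintf(buf, sizeof buf, "%s", spec);
    for (char *tok = strtok(buf, " "); tok; tok = strtok(NULL, " ")) {
        const struct promise *p = NULL;
        for (size_t i = 0; i < sizeof promises / sizeof *promises; i++)
            if (strcmp(promises[i].name, tok) == 0) p = &promises[i];
        if (!p) return -1;
        for (int i = 0; i < p->count; i++) {
            if (n + 3 > MAX_INSNS) return -1;
            f[n++] = (struct sock_filter)BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, (unsigned)p->nrs[i], 0, 1);
            f[n++] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW);
        }
    }
    f[n++] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL_PROCESS);  /* default deny */
    return n;
}

/* Install the allowlist in the calling process; irreversible, like pledge(). */
int pledge_like(const char *spec) {
    struct sock_filter insns[MAX_INSNS];
    int n = build_filter(spec, insns);
    if (n < 0) return -1;
    struct sock_fprog prog = { .len = (unsigned short)n, .filter = insns };
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0)) return -1;
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog) ? -1 : 0;
}

enum { SANDBOX_OK = 0, SANDBOX_VIOLATION = 1, SANDBOX_UNAVAILABLE = -1 };

/* Run task() in a forked child under the given promises and report what happened. */
int run_pledged(const char *spec, void (*task)(void)) {
    fflush(NULL);
    pid_t pid = fork();
    if (pid < 0) return SANDBOX_UNAVAILABLE;
    if (pid == 0) {
        if (pledge_like(spec) != 0) _exit(99);
        task();
        syscall(SYS_exit_group, 0);   /* covered by "stdio" */
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0) return SANDBOX_UNAVAILABLE;
    if (WIFSIGNALED(status) && WTERMSIG(status) == SIGSYS) return SANDBOX_VIOLATION;
    if (WIFEXITED(status) && WEXITSTATUS(status) == 0) return SANDBOX_OK;
    return SANDBOX_UNAVAILABLE;
}

static const char hello[] = "hello from the sandbox\n";
static void task_write(void)  { syscall(SYS_write, 1, hello, sizeof hello - 1); }
static void task_socket(void) { syscall(SYS_socket, AF_INET, SOCK_STREAM, 0); }

int main(void) {
    printf("stdio, write():       %d\n", run_pledged("stdio", task_write));    /* 0: ok        */
    printf("stdio, socket():      %d\n", run_pledged("stdio", task_socket));   /* 1: violation */
    printf("stdio inet, socket(): %d\n", run_pledged("stdio inet", task_socket)); /* 0: ok     */
    return 0;
}
```

The tasks use raw `syscall()` on purpose: call glibc's `open()` or `stat()` instead and the kernel sees `openat` and `newfstatat`, which a hand-written "rpath" list easily misses. That mismatch between what a program thinks it calls and what its libc actually issues is why the syscall lists belong with the libc, as the comment above argues.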
jorvi
> I built my last company on OpenBSD. It was easy to understand the entire system, and secure-by-default (everything disabled) is the right posture for servers.
That really depends. You could argue a router is a server. OpenWrt has the default of WiFi off for security, which means that if the config is somehow hosed and you have to hard reset the router, you now have an inaccessible brick unless you happen to have a USB-Ethernet adapter on you.
Sensible defaults are much, much better than the absolutist approach of "disable everything".
brobdingnagians
Servers I set up in OpenBSD just keep working, and have an easy patch/upgrade process. Servers I set up in Ubuntu break and have weird patching issues. Maybe it's something I'm doing, but I sure do like that OpenBSD seems a lot easier to just have solid and working indefinitely.
PunchyHamster
You are not... it's Ubuntu.
Not Linux, not Debian, Ubuntu.
Debian (provided you don't just dump a bunch of 3rd party repos) just upgrades cleanly, we have hundreds of servers that just run unattended-upgrade and get upgraded to new Debian version every 2 years.
The few Ubuntus we had had more problems.
Guestmodinfo
How to upgrade Debian unattended if it's not a rolling release?
idoubtit
Not the Grand Poster, but we use the Debian package "unattended-upgrades" to install security updates automatically on our servers, and send an email if a reboot is required to complete the process (kernel upgrade).
Unattended upgrades could be configured to install more than the security release. Even with the stable release, one can add the official APT source for the Debian backports.
epakai
Debian still has security fixes, and point releases. unattended-upgrades is the package that automates their install.
I think you can also do unattended release upgrades by using the 'stable' release alias in sources. That will probably result in some stuff breaking since there will be package and configuration churn.
01HNNWZ0MV43FF
Maybe they run Debian Testing. Testing and Unstable (sid) are rolling, and the stable release cut from the testing branch (through some process)
shevy-java
Well - I would recommend using a better Linux distribution than Ubuntu.
I run just lighttpd these days; used to run httpd before they decided the configuration must become even more complicated. I don't have any issues with lighttpd (admittedly only few people use it; most seem to now use nginx).
PunchyHamster
Ubuntu seems to have a trend of taking something that works under Debian and somehow messing that up. Upgrades are one thing, but for a while we had separate instructions on how to make Yubikey tokens work under each version of Ubuntu (we used them as smartcards for SSH key auth), while the Debian instructions stayed the same...
Updates were also hit and miss on users' desktop machines; for a while Ubuntu had a nasty habit of installing new kernel upgrades... without removing old ones, which eventually made /boot run out of space, and the poor user usually had to hand it to the helpdesk to fix.
Tho tbh most of the problems in any distro with packages are "a user installed a 3rd-party repo that doesn't have well-structured packages and it got messy".
scatbot
One of the reasons why I'm using OpenBSD is because it passes what I think of as a litmus test for FLOSS software: can I build the whole thing from scratch, in a short time and with minimal fuss? In the case of OpenBSD, the answer is yes. I can install it on a new machine, fetch the source code from mirrors, do some edits to the source, build a fresh release, write it to a USB stick and boot it on another machine. On my machine, the whole process takes about 10 minutes for the kernel, additional 20 minutes for base and maybe an hour if you add Xenocara. Compare that to Linux distros like Ubuntu or Arch where building from scratch is either discouraged or some fringe activity that requires skimming through wiki articles, forum posts or old Websites on the Wayback Machine.
sekh60
Gentoo is a Linux rolling release built from source (just recently they gave the option of using binary packages as well). I've run it on my desktop for years.
PunchyHamster
Buildroot does exactly that, and it gives you a big TUI menu to pick what you want included in your Linux image.
Milpotel
There is also T2 SDE.
matt-p
I adore OpenBSD and have been using it since 4.x; however, it is still slow. Not slow to boot or anything like that, but if you run it as a web server it manages about half the req/s of Debian. Network performance is also slower than Debian if you're using it as a firewall (but I still prefer it, as the syntax of PF is just perfect).
detourdog
The list is missing the fact that the documentation is consistent and centralized.
mono442
To be honest I don't really see a reason to use a *BSD system myself other than just for the sake of using something different and less mainstream. FreeBSD had some advantages in the past but nowadays Linux has caught up in features.
rixed
When I switched to FreeBSD, it was because of the quality of the documentation. In Linux, manpages are a patchwork from various sources, and it shows; it's not rare for a manpage to be missing, obsolete, to document another similar tool, or to be inaccurate... Much better than in many other OSes, but still nowhere near as good as in FreeBSD.
Now that I think of it, when I switched from DOS to Linux it was already because I found manpages amazing. Maybe I just have a soft spot for documentation.
PunchyHamster
BSD license so you don't have to upstream your stuff would be one. Tho it's not an advantage to *BSD systems, Linux near-forcing vendors to go mainline (as keeping separate kernel tree is PITA) did a lot of good in hardware support.
Gualdrapo
I feel like DragonflyBSD is really cool if you want to look at some BSD that offers some advantages and something unique to your day-to-day desktop usage. And I feel like their community is not as toxic as that of FreeBSD and OpenBSD with their holier-than-thou attitude towards Linux.
I'd love it if Gentoo/BSD were a thing once again, I like the BSD concepts but there's nothing like Portage on BSD so far - afaik pkgsrc is nowhere close to it.
secwang
I tried using OpenBSD, but the support for some specific things isn't very good. For example, J language support is always missing some packages. I also don't want to, and very much do not want to, use systemd. I finally chose FreeBSD, but I'm using some things from OpenBSD as much as possible, like obhttpd, etc. It feels good now.
Guestmodinfo
I hope people here keep donating to the OpenBSD project. I have not yet myself, but I'm waiting to do that.
lol_catz
If you can tolerate poor performance then by all means use OpenBSD. Debian stable FTW.
ectospheno
You do have to buy more powerful hardware than you otherwise would. I find it worth it to run code I can more easily understand. I agree on Debian as well. My router and laptop are OpenBSD, but most VMs on my Proxmox are Debian.
hyperpl
Agreed. I run my OpenBSD firewall on my ODROID H4 - it's relatively cheap and plenty powerful to route gigabit+. I prefer pf and the simplicity of OpenBSD over Debian for such a purpose-built application. For my other "home servers" I simply run Debian, as I believe it to be one of the more sane Linux choices for a server-type application.
shevy-java
I appreciate that OpenBSD sold its course on security-everywhere.
Unfortunately I also kind of lost faith in the BSD variants. There are a few minor things such as PC-BSD suddenly vanishing, or years before that NetBSD admitting on their mailing list that Linux outperformed their "runs on any toaster and other gimmick" strategy. But one of the key issues I had was this:
I installed it (FreeBSD) on my second computer. I went out of my apartment and returned hours later. Well, the FreeBSD machine was no longer running; my Linux machine, on the other hand, has been running non-stop for months, literally. This may be a fluke, perhaps the computer had a problem - I am not saying this is really what the BSDs are all about, as I also had them installed before. But then I also asked myself "why would I want to bother with the BSDs, if Linux simply runs better?". And I haven't found a good, convincing answer to that for me to rationalise why I'd still be using the BSDs. Note: I also use Linux in a non-standard way, e.g. versioned AppDirs, but essentially Linux is simply more flexible than the BSDs (that is my opinion) and there are more users too. There will always be some BSD users, but to me they are like a dying breed. They would need to market themselves as "runs outside the nerd bubble as well"; even Linux is still stuck in its own nerd bubble. You have to break out of it if you want to really dominate (Linux semi-does it indirectly, e.g. we can count many smartphones as Linux-driven, but I am still using a desktop computer system here, so to me this is what really counts, even if the total number is less than the smartphone user numbers).
prmoustache
What Linux has is mostly better hardware support, and on GNOME and some distributions they have a software installation tool that looks like an app store, but that's about it... Everything else is pretty much the same; random people wouldn't figure out a system is FreeBSD instead of Linux when running the same desktop (like Plasma).
sekh60
The license makes it very different philosophically.
pjmlp
Which is what makes the Linux kernel stand out, as we can see by Sony's and Apple's contributions upstream.
Had BSD not been busy with the AT&T lawsuit, all major UNIXes would probably still be around, consuming whatever was produced out of BSD, like the networking code and OS IPC improvements over AT&T UNIX.
Instead, sponsoring the Linux kernel became the plan B, as a means to reduce their UNIX development costs.
> Commercial use began when Dell and IBM, followed by Hewlett-Packard, started offering Linux support to escape Microsoft's monopoly in the desktop operating system market
-- https://en.wikipedia.org/wiki/Linux
> 1998: Many major companies such as IBM, Compaq and Oracle announce their support for Linux.
-- https://en.wikipedia.org/wiki/History_of_Linux
Ironically, the major contributor to many GNU/Linux critical components, Red Hat, is now an IBM subsidiary, recouping that investment beyond doing only AIX.
It is no accident that none of the FOSS OSes that came after Linux has adopted the GPL, as big corporations would rather not be obliged by it.
Guestmodinfo
Just a few hours ago on the OpenBSD IRC channel someone said that OpenBSD is good at not letting wonky hardware run, compared to Linux. So you could take the dmesg and ask on the OpenBSD mailing list, and they will point out which wonky hardware is causing trouble so you can replace that problematic part. I ran OpenBSD -current for 6 years and never faced such an issue.
HumanOstrich
It was a fluke or a problem with the computer unless you can provide more than 1 data point with more info than "it wasn't running".
kryptiskt
The NetBSD thing is becoming true again as Linux distros and the kernel are lately on a tear of purging old and niche architectures.
PunchyHamster
[flagged]
prmoustache
Are you calling Anubis an AI trashcan? Are you opening their website with an i286 for it to take 40s to load?
PunchyHamster
it took 30s to even load the trashcan
binaryturtle
Doesn't load here at all, I had to change my User-Agent to "curl".
shevy-java
AI? I may be missing something. You are talking about whom here? The blog author?
andai
GP is referring to the LLM crawler captcha thing. The one with the anime girls in it. It only took a few seconds on my phone, but it's slow on my old ThinkPad.
PunchyHamster
it took tens of seconds to load, once it loaded it was quick
And the point of "why waste time on a captcha for a static file" still stands; it's not like there is a comment section for bots to abuse.
AIBytes
So if the author recommended software that you loved and used everyday you would stop using that software?
PunchyHamster
Even a broken clock is right twice a day, so no.
You mistake "dismiss" for "do the opposite".
I built my last company on OpenBSD. It was easy to understand the entire system, and secure-by-default (everything disabled) is the right posture for servers. Pledge and unveil worked brilliantly to restrict our Go processes to specific syscall sets and files. The firewall on OpenBSD is miles better to configure than iptables. I never had challenges upgrading them--they just kept working for years.