Sunday 29 September 2013

OpenBSD

OpenBSD is a Unix-like computer operating system descended from Berkeley Software Distribution (BSD), a Unix derivative developed at the University of California, Berkeley. It was forked from NetBSD by project leader Theo de Raadt in late 1995. As well as the operating system, the OpenBSD Project has produced portable versions of numerous subsystems, most notably PF, OpenSSH and OpenNTPD, which are very widely available as packages in other operating systems.

The project is also widely known for the developers' insistence on open-source code and quality documentation, uncompromising position on software licensing, and focus on security and code correctness. The project is coordinated from de Raadt's home in Calgary, Alberta, Canada. Its logo and mascot is a pufferfish named Puffy.

OpenBSD includes a number of security features absent or optional in other operating systems, and has a tradition in which developers audit the source code for software bugs and security problems. The project maintains strict policies on licensing and prefers the open-source BSD licence and its variants—in the past this has led to a comprehensive license audit and moves to remove or replace code under licences found less acceptable.

As with most other BSD-based operating systems, the OpenBSD kernel and userland programs, such as the shell and common tools like cat and ps, are developed together in one source code repository. Third-party software is available as binary packages or may be built from source using the ports tree. Also like most modern BSD operating systems, it is capable of running binary code compiled for Linux in a compatible computer architecture at full speed in compatibility mode.

The OpenBSD project maintains ports for 20 different hardware platforms, including the DEC Alpha, Intel i386, Hewlett-Packard PA-RISC, x86-64 and Motorola 68000 processors, Apple's PowerPC machines, Sun SPARC and SPARC64-based computers, the VAX and the Sharp Zaurus.

Security

OpenBSD's security enhancements, built-in cryptography and the pf packet filter suit it for use in the security industry, for example on firewalls, intrusion-detection systems and VPN gateways.

Proprietary systems from several manufacturers are based on OpenBSD, including devices from Armorlogic (Profense web application firewall), Calyptix Security, GeNUA mbH, RTMX Inc, and .vantronix GmbH.

Later versions of Microsoft's Services for UNIX, an extension to the Windows operating system which provides some Unix-like functionality, use much OpenBSD code included in the Interix interoperability suite, developed by Softway Systems Inc., which Microsoft acquired in 1999. Core Force, a security product for Windows, is based on OpenBSD's pf firewall.

Desktop

OpenBSD ships with the X window system and is suitable for use on the desktop.[11] Packages for popular desktop tools are available, including desktop environments GNOME, KDE, and Xfce; web browsers Konqueror, Mozilla Firefox and Chromium; and multimedia programs MPlayer, VLC media player and xine. The project also supports minimalist window management philosophies by including the cwm stacking window manager in the main distribution.

Enterprise

Open source software consultancy "M:tier" has deployed OpenBSD on servers, desktops and firewalls in corporate environments of many large Fortune 500 companies.

Server

OpenBSD features a full server suite and is easily configured as a mail server, web server, ftp server, DNS server, router, firewall, or NFS file server. Software providing support for other server protocols such as SMB (Samba) is available as packages.

OpenBSD component projects

Despite the small team size and relatively low usage of OpenBSD, the project has successfully spun off widely available portable versions of numerous parts of the base system, including:

  1. OpenBGPD, a free implementation of the Border Gateway Protocol 4 (BGP-4)
  2. OpenOSPFD, a free implementation of the Open Shortest Path First (OSPF) routing protocol
  3. OpenNTPD, a simple alternative to ntp.org's Network Time Protocol (NTP) daemon
  4. OpenSMTPD, a free Simple Mail Transfer Protocol (SMTP) daemon with IPv4/IPv6, PAM, Maildir and virtual domains support
  5. OpenSSH, a highly regarded implementation of the Secure Shell (ssh) protocol
  6. OpenIKED, a free implementation of the Internet Key Exchange (IKEv2) protocol
  7. Common Address Redundancy Protocol (CARP), a free alternative to Cisco's patented HSRP/VRRP server redundancy protocols
  8. PF, an IPv4/IPv6 stateful firewall with NAT, PAT, QoS and traffic normalization support
  9. pfsync, a firewall states synchronization protocol for PF firewall with High Availability support using CARP
  10. spamd, a spam filter with greylisting capability designed to inter-operate with the PF firewall
  11. tmux, a free, secure and maintainable alternative to the GNU Screen terminal multiplexer
  12. sndio, a compact audio and MIDI framework
  13. Xenocara, a customized X.Org build infrastructure
  14. cwm, a stacking window manager

Some of these subsystems have been integrated into the core system of several other BSD projects, and all are widely available as packages for use in other Unix-like systems, and in some cases in Microsoft Windows.

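As an added illustration (not from the original article or the OpenBSD project), the following pf.conf ties together several of the components listed above: PF's stateful filtering, NAT and traffic normalization, CARP and pfsync for a two-node failover pair, and the spamd greylisting redirect. Interface names, the LAN prefix and the dedicated sync link are assumptions.

```pf
# Added example, not from the original article. Interfaces and addresses are assumptions.
ext_if  = "em0"            # assumption: Internet-facing interface
int_if  = "em1"            # assumption: LAN interface
sync_if = "em2"            # assumption: dedicated crossover link carrying pfsync
carp_if = "carp0"          # assumption: shared CARP address both nodes answer for
lan_net = "192.168.1.0/24" # assumption: constructed LAN prefix

table <bruteforce>  persist   # filled automatically by the overload rule below
table <spamd-white> persist   # maintained by spamd(8) and spamlogd(8)

set skip on lo
set block-policy drop

# Traffic normalization: reassemble fragments, randomize IP IDs, clamp TCP MSS
match in all scrub (no-df random-id max-mss 1440)

# NAT the LAN behind the CARP address, so the translation survives a failover
match out on $ext_if inet from $lan_net to any nat-to ($carp_if)

# Default deny inbound (logged); stateful pass for everything the firewall sends
block in log all
pass out quick keep state
antispoof quick for { lo $int_if }

# High availability: CARP advertisements on the filtered interfaces,
# state table replication on the private sync link (states are not re-synced)
pass on { $ext_if $int_if } proto carp keep state (no-sync)
pass quick on $sync_if proto pfsync keep state (no-sync)

# Administrative SSH to the shared address: rate-limit new connections per source,
# and move sources exceeding 3 new connections in 30 s into the bruteforce table
block in quick from <bruteforce>
pass in inet proto tcp to ($carp_if) port ssh \
    keep state (max-src-conn-rate 3/30, overload <bruteforce> flush global)

# Greylisting: unknown senders are redirected to spamd; whitelisted senders reach the MTA
pass in inet proto tcp from !<spamd-white> to ($carp_if) port smtp \
    rdr-to 127.0.0.1 port spamd
pass in inet proto tcp from <spamd-white> to ($carp_if) port smtp

# LAN clients may reach the Internet (states created here are replicated via pfsync)
pass in on $int_if from $lan_net to any
```

Load it with `pfctl -nf /etc/pf.conf` first to syntax-check, then `pfctl -f /etc/pf.conf`; the same ruleset is installed on both CARP nodes.
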
Development and release process

Development is continuous, and team management is open and tiered. Anyone with appropriate skills may contribute, with commit rights being awarded on merit and de Raadt acting as coordinator.[14] Two official releases are made per year, with the version number incremented by 0.1,[15] and these are each supported for twelve months. Snapshot releases are also available at very frequent intervals. Maintenance patches for supported releases may be applied manually or by regularly updating the system against the patch branch of the CVS repository for that release.

Alternatively a system administrator may opt to upgrade using a snapshot release and then regularly update the system against the "current" branch of the CVS repository, in order to gain pre-release access to recently added features.

The standard GENERIC OpenBSD kernel, as maintained by the project, is strongly recommended for universal use, and customized kernels are not supported by the project, in line with the philosophy that 'attempts to customize or "optimize" the kernel causes more problems than they solve.'

Packages outside the main system build are maintained by CVS through a ports tree and are the responsibility of the individual maintainers (known as porters). As well as keeping the current branch up to date, the porter of a package is expected to apply appropriate bug-fixes and maintenance fixes to branches of the package for supported releases. Ports are not subject to the same continuous rigorous auditing as the main system because the project lacks the manpower to do this.

Binary packages are built centrally from the ports tree for each architecture. This process is applied for the current version, for each supported release, and for each snapshot. Administrators are recommended to use the package mechanism rather than build the package from the ports tree, unless they need to perform their own source changes.

With every new release a song is also released.

Licensing

A goal of the OpenBSD project is to "maintain the spirit of the original Berkeley Unix copyrights", which permitted a "relatively un-encumbered Unix source distribution". To this end, the Internet Systems Consortium (ISC) licence, a simplified version of the BSD licence with wording removed that is unnecessary under the Berne convention, is preferred for new code, but the MIT or BSD licences are accepted. The widely used GNU General Public License is considered overly restrictive in comparison with these.

In June 2001, triggered by concerns over Darren Reed's modification of IPFilter's licence wording, a systematic licence audit of the OpenBSD ports and source trees was undertaken. Code in more than a hundred files throughout the system was found to be unlicensed, ambiguously licensed or in use against the terms of the licence. To ensure that all licences were properly adhered to, an attempt was made to contact all the relevant copyright holders: some pieces of code were removed, many were replaced, and others, including the multicast routing tools mrinfo and map-mbone, which were licensed by Xerox for research only, were relicensed so that OpenBSD could continue to use them. Also removed during this audit was all software produced by Daniel J. Bernstein.

At the time, Bernstein requested that all modified versions of his code be approved by him prior to redistribution, a requirement to which OpenBSD developers were unwilling to devote time or effort. The removal led to a clash with Bernstein who felt the removal of his software to be uncalled for. He cited the Netscape web browser as much less freely licensed and accused the OpenBSD developers of hypocrisy for permitting Netscape to remain while removing his software. The OpenBSD project's stance was that Netscape, although not open source, had licence conditions that could be more easily met. They asserted that Bernstein's demand for control of derivatives would lead to a great deal of additional work and that removal was the most appropriate way to comply with his requirements.

The OpenBSD team has developed software from scratch, or adopted suitable existing software, because of licence concerns. Of particular note is the development, after licence restrictions were imposed on IPFilter, of the pf packet filter, which first appeared in OpenBSD 3.0 and is now available in DragonFly BSD, NetBSD and FreeBSD. OpenBSD developers have also replaced GPL licensed tools (such as diff, grep and pkg-config) with BSD licensed equivalents and founded new projects including the OpenBGPD routing daemon and OpenNTPD time service daemon. Also developed from scratch was the globally used software package OpenSSH.

Distribution and marketing

OpenBSD is available freely in various ways: the source can be retrieved by anonymous CVS, and binary releases and development snapshots can be downloaded by FTP, HTTP, rsync or AFS. Prepackaged CD-ROM sets can be ordered online for a small fee, complete with an assortment of stickers and a copy of the release's theme song. These, with their artwork and other bonuses, are one of the project's few sources of income, funding hardware, bandwidth and other expenses.

In common with other operating systems, OpenBSD provides a package management system for easy installation and management of programs which are not part of the base operating system. Packages are binary files which are extracted, managed and removed using the package tools. On OpenBSD, the source of packages is the ports system, a collection of Makefiles and other infrastructure required to create packages. In OpenBSD, the ports and base operating system are developed and released together for each version: this means that the ports or packages released with, for example, 4.6 are not suitable for use with 4.5 and vice versa.

OpenBSD at first used the BSD daemon mascot created by Phil Foglio, updated by John Lasseter and copyright Marshall Kirk McKusick. Subsequent releases saw variations, eventually settling on Puffy, described as a pufferfish. Since then Puffy has appeared on OpenBSD promotional material and featured in release songs and artwork. The promotional material of early OpenBSD releases did not have a cohesive theme or design, but later the CD-ROMs, release songs, posters and tee-shirts for each release have been produced with a single style and theme, sometimes contributed to by Ty Semaka of the Plaid Tongued Devils. These have become a part of OpenBSD advocacy, with each release expounding a moral or political point important to the project, often through parody.

Past themes have included: in OpenBSD 3.8, the Hackers of the Lost RAID, a parody of Indiana Jones linked to the new RAID tools featured as part of the release; The Wizard of OS, making its debut in OpenBSD 3.7, based on the work of Pink Floyd and a parody of The Wizard of Oz related to the project's recent wireless work; and OpenBSD 3.3's Puff the Barbarian, including an 80s rock-style song and parody of Conan the Barbarian, alluding to open documentation.

Sources:

  • Absolute OpenBSD, 2nd Edition by Michael W. Lucas. ISBN 978-1-59327-476-4
  • The OpenBSD Command-Line Companion, 1st ed. by Jacek Artymiak. ISBN 83-916651-8-6.
  • Building Firewalls with OpenBSD and PF: Second Edition by Jacek Artymiak. ISBN 83-916651-1-9.
  • Mastering FreeBSD and OpenBSD Security by Yanek Korff, Paco Hope and Bruce Potter. ISBN 0-596-00626-8.
  • Absolute OpenBSD: Unix for the Practical Paranoid by Michael W. Lucas. ISBN 1-886411-99-9.
  • Secure Architectures with OpenBSD by Brandon Palmer and Jose Nazario. ISBN 0-321-19366-0.
  • The OpenBSD PF Packet Filter Book: PF for NetBSD, FreeBSD, DragonFly and OpenBSD published by Reed Media Services. ISBN 0-9790342-0-5.
  • Building Linux and OpenBSD Firewalls by Wes Sonnenreich and Tom Yates. ISBN 0-471-35366-3.
  • The OpenBSD 4.0 Crash Course by Jem Matzan. ISBN 0-596-51015-2.
  • The Book of PF: A No-Nonsense Guide to the OpenBSD Firewall, 2nd edition by Peter N.M. Hansteen. ISBN 978-1-59327-274-6.
