Sofware in Review
Tech news
Software reviews
Hardware reviews
Discuss technology
Sofware in Review → Operating systems → BSD →

OpenBSD 4.1 review

By Jem Matzan

OpenBSD 4.1 was released on May 1 with its usual mix of new hardware support and enhanced operating system features. OpenBSD releases generally represent a large collection of small changes plus a few new administration and networking tools. Beyond the standard "many little changes," the big news with 4.1 is a working native port of, the elimination of the Simtech StrongARM "cats" architecture from active development, and improved greylisting capabilities in the spamd spam filter.

OpenBSD overview

This section is for people who are not yet familiar with the OpenBSD operating system. Those who are may want to skip ahead to the next section on the new features in version 4.1

The BSDs in general have a common reputation for high code quality and poor hardware support. In OpenBSD's case, the code is definitely high quality. Nothing in the default installation is half-implemented, or committed on an experimental basis. If full functionality is not yet possible for hardware drivers, basic functionality is achieved and thoroughly tested; this forms the basis for further driver development. Everything you get in the release is production-ready, secure by default (meaning the administrator does not have to lock down the system -- it is already locked down, and services must be individually enabled), and comes with the finest integrated documentation in the operating system world. While you might find a poorly programmed driver or other base system component in other BSDs and GNU/Linux distributions, in OpenBSD if something is supported, it works. Like all operating systems, however, not everything is supported.

Hardware support is a sensitive area for the OpenBSD developers. Since they won't allow any proprietary code in the base system, and since manufacturers are frequently reluctant to give out hardware documentation, the development team is notorious for creating their own drivers through reverse-engineering. As a result, OpenBSD's RAID and wireless network card support is exceptional -- better than Linux's in some ways. It also has surprisingly good ACPI support, particularly on laptop computers. In fact, because of the good, documented wireless and ACPI support, OpenBSD works well as a laptop operating system, especially if you enjoy working from the command line interface. The only significant obstacle for desktop users is the lack of hardware 3D acceleration for video cards.

OpenBSD is among the most secure x86/AMD64 operating systems in the world. Cryptography is integrated into nearly every part of the operating system; libraries are loaded in a random fashion; and program and daemon privileges can easily be isolated from the rest of the system via chroot, and privilege separation and revocation.

A complete OpenBSD installation from the commercial CD set can be completed in about five minutes. Extra programs can be added through an APT-like package tool that has access to more than 4000 precompiled software packages, or custom compiled through the Ports system, which has about 4200 programs available. OpenBSD even has binary emulation layers for FreeBSD, Linux, Unix SVR4, SCO/ISC, and BSD/OS programs, so if there is no native OpenBSD port of your favorite *NIX application, you can probably still use its Linux or FreeBSD binary.

Each OpenBSD release has a graphical theme and a song that goes with it. The theme reflects a major concern that the OpenBSD programmers are addressing or bringing to light.

For more information on OpenBSD, you can visit the project Web site, or this article on using OpenBSD.

What's new in 4.1

The OpenBSD Project maintains a complete list of changes since 4.0 on its Web site. There have been hundreds of small improvements, but here are the highlights:

  • 2.1: OpenBSD finally has a working Port and package for It's been in the Ports tree for a while, but it didn't compile correctly in a release until 4.1.
  • spamd enhancements: Greylisting is now enabled by default, and changes have been made to enhance performance.
  • Multiple Packet Filter improvements: Many changes have been made to the OpenBSD Packet Filter that enhance its default security, expand the degree to which it can be customized, and improve its logging abilities.
  • Initial RIM BlackBerry support: You can now plug in and charge your BlackBerry device through a USB cable connected to an OpenBSD machine. Unfortunately that's all there is to say about OpenBSD's BlackBerry support right now.
  • The cats platform is gone: Due to the rarity of the hardware, the StrongARM "cats" platform port is no longer maintained.
OpenBSD 4.1

In addition to the above changes, there have also been substantial improvements to the yet-to-be-released OpenCVS project, which aims to replace the original (and now outdated) CVS.

The theme for the 4.1 release is the classic Persian tale of Ali Baba and the Forty Thieves, recast as Puffy Baba and the Forty Vendors. Instead of a treasure trove of stolen gold, the main character learns the secret words that open a cave filled with computer hardware documentation. Like the main character in the original story, Puffy Baba takes a small amount of the treasure and uses it for the benefit of the village. His brother Cassinux -- a penguin, of course -- learns the secret and tries to take a large number of hidden documents at once, thereby attracting the attention of the Forty Vendor thieves and resulting in his death. The OpenBSD-oriented retelling is a metaphor for the project's vociferous demands for hardware vendors to open up hardware interface documentation and provide freely distributable firmware files. The Jem Report has covered both the battle for documentation and device firmware in detail.

Putting it to the test

Though there have been some changes in the installation script, they are all transparent; no new options or modifications have been made to the traditional OpenBSD install routine. In-place upgrades, either by compiling from source code or running the upgrade script from the official CD set is still quick for the base system, and tedious for post-upgrade configuration updates. Most notably, changes to the /etc/rc.conf file are no longer supported, so all modifications and customizations you may have made to this file must be moved to /etc/rc.conf.local.

The big news between releases was the remote security hole, which was fixed with a patch for 4.0 and a commit to 4.0-CURRENT, so it's not an issue in 4.1-RELEASE.

As an OpenBSD desktop user, I was very pleased to see that a working package and Port has been added in 4.1. While I generally prefer to work solely with text in Vim, I do have several high-end projects that require me to use With a barebones GNOME or Fluxbox install and on top of it, I can quickly get into and work on those projects, then slink back to the command line when I'm finished. The addition of dramatically increases OpenBSD's capabilities as a desktop operating system for the technically able.

I haven't yet had the chance to implement spamd with all of its new enhancements, but from what I've read of the documentation and config files, I can't wait to get into it. At least it'll be easier to work with than the hacky kludge of several different filtering technologies that I have barely working on my mail server now.

The Sun Java Development Kit (JDK) is substantially easier to compile and install in OpenBSD 4.1. Previously you had to bootstrap it from earlier JDK releases, which required downloading a lot of proprietary files by hand. In 4.1, you only have to download the JDK 1.5.0 files -- nothing for 1.4.2 or 1.3 like before. As a result, the compile takes a couple of hours instead of half a day. If you compile from Ports, the JDK 1.5 is a default dependency; if you install the precompiled package, it is not.

Conclusions and developer recommendations

Overall, OpenBSD 4.1 is a solid release. No news there -- all OpenBSD releases I've tested since 3.4 have been totally reliable and delivered exactly what they claimed to. Few operating systems, especially those that aim to be totally open source, are able to make such claims with a straight face.

Nothing's perfect, though, and there is always room for improvement. Here's what I'd like to see in future OpenBSD releases:

  • Make mergemaster part of the base system. Upgrading is easier now than it's ever been, the only significant hurdle being upgrading configuration files, many of which haven't changed at all, some of which have changed little, and a few of which have changed in very important ways. It's not easy having to sort through every file in /etc/ and most of its subdirectories. There is an OpenBSD package for FreeBSD's mergemaster (which is made specifically for this process), but it would be helpful if it were included in the base system or made part of the upgrade process on the installation media and specialized for this task on OpenBSD. Currently it has a kind of wonky approach to updating the config files. This release, the OpenBSD developers have made a patch available to attempt to intelligently merge old config files with the updated ones, but it doesn't work under some circumstances. Upgrading is a reality, not a potential future event, and I'd like to see OpenBSD address it as such.
  • WPA support. It may be far from an ideal wireless security solution, but WPA support is important for many wireless users who need to be able to communicate with WPA-enabled access points.
  • Improved wireless networking tools. Right now you have to do some fancy footwork with ifconfig to find and join a wireless network if there are multiple access points available. Joining one in specific can be difficult, especially if it requires a WEP key. Once you've configured it a few times, it's easy to remember the switches, but it would be nice to have some kind of program or script in the base system that could find and manage access points and wireless network profiles. Setting up a single network is easy, but when you're travelling and don't know the specs of the wireless network you want to connect to, it becomes a bit of a challenge.
  • Better SMP support. Now that multi-core CPUs are basically the standard among laptop, desktop, and x86/AMD64 servers, and multi-core multi-CPU systems are becoming more common in servers, I think it's time to focus on expanding OpenBSD's SMP capabilities. A few releases ago we got initial SMP support, but from some basic performance tests that I've run, there's a lot of room for improvement in this area.
  • Framebuffer console support. 80x25 is fine for most command line work, but sometimes you really need more than that, especially if you're monitoring processes through top or ps. Scrolling up and down can distort continuity in the output. A barebones session with an xterm is not really a good solution because it involves a lot of overhead; a framebuffer console is a superior option, and one that is available in FreeBSD and GNU, so there is plenty of existing code to reference.

Purpose Operating system
Manufacturer The OpenBSD Project
Architectures x86, AMD64/EM64T, SPARC, SPARC64, ARM, Alpha, HP300, HPPA, Mac68k, MacPPC, mvme68k, mvme88k, luna88k, VAX, MIPS, Zaurus
License BSD
Market Network appliances and servers of all kinds, for home, office, or enterprise; security-minded desktop users and sysadmins
Price (retail) U.S. $50
Previous version OpenBSD 4.0
Product Web site Click here