OpenBSD

From Freepedia

OpenBSD
Image:Openbsd.png Secure by Default
Development team:	The OpenBSD Project
OS family:	BSD
Source model:	Open source
Latest stable release:	3.7 / May 19, 2005
Kernel type:	Monolithic
License:	Mostly BSD
Working state:	Current
Website:	http://www.openbsd.org

OpenBSD is a secure, freely available, multi-platform BSD-based Unix-like operating system. It is able to run on many families of processors, including the DEC Alpha, AMD64, StrongARM, i386, PowerPC, MIPS and SPARC.

Like the other open source BSDs and in contrast to most Linux distributions, the OpenBSD kernel and userland programs, such as the shell and common tools like cat and ps, are developed together in a single source repository. Third-party software is available as binary packages or may be built from source using the ports tree.

OpenBSD specialises in security and correctness and is considered by many to be very stable and reliable. It has a number of security features not found or optional in other operating systems and is often the first to implement new security ideas. In addition, its developers carefully and proactively audit the system's code. The project is led by Theo de Raadt from Calgary, Alberta, Canada and is released under a combination of licences, primarily the BSD licence and its variants.

Contents 1 History 1.1 Fork from NetBSD 1.2 Project name 1.3 Focus on security 1.4 The POSSE project 1.5 Here and now 2 Releases 2.1 Nomenclature 2.2 Latest 3 Uses 3.1 Derivatives 3.2 Desktop 4 Ports and packages 5 Security 5.1 API and build changes 5.2 Strong cryptography 5.3 Memory protection 5.3.1 Stack-smashing and W^X 5.3.2 Malloc changes 5.4 Privilege separation 6 Licencing 6.1 Audit 6.1.1 DJB 6.2 XFree86 6.3 Highlights 7 Image and marketing 7.1 Themes 7.2 Mascot 7.3 Slogans 8 Hackathons 9 Developers 10 Screenshots 11 Books 12 See also 13 External links

History

Fork from NetBSD

In December 1994, Theo de Raadt, a co-founder and member of the NetBSD core team for two years, was asked to resign from the NetBSD Foundation. His access to the NetBSD CVS server was terminated and he was instructed to e-mail any further changes to the system as patches, so that the core team could check them. He was also informed that he no longer represented the NetBSD project in any formal manner.

The only available details of these events are an incomplete set of emails, published by Theo de Raadt on his personal site. From these, it appears that the then NetBSD core team of Charles Hannum, Adam Glass, Paul Kranenburg, J.T. Conklin and Chris Demetriou considered some of Theo's behavior to have been insulting to other users of and contributors to NetBSD. They also stated that they had received a considerable number of complaints. However, an email from another participant asserts that these complaints were the result of a disagreement between Theo and a single user. During the seven months that followed his expulsion, Theo attempted to continue work on NetBSD and to recover his access to the CVS repository. However, after finding the limits of his new status overly frustrating, he decided to create a new project, forked from NetBSD 1.0.

The removal of Theo de Raadt caused a schism within NetBSD and many developers chose to pick a side. Some that considered Theo's treatment unjust moved to work with him. Others that agreed with the core team's actions, or felt that Theo had been damaging to NetBSD's image and had scared away potential contributors, stayed with NetBSD. Some remained on the sidelines, contributing to both projects. In October 1995, the first release of OpenBSD, release 2.0, appeared.

Project name

At the time OpenBSD was created, the NetBSD CVS system was closed to the general public. Only members of the core team were permitted to access it. Outsiders were only able to see what was released, rather than follow what was currently being worked on. This approach had flaws which Theo de Raadt hoped to avoid in his project. For example, because outside contributors had no way to know what had been done by the main developers, contributed patches would often be duplicates of already completed but undisclosed work in the CVS repository. Theo decided to make this aspect of his project the polar opposite of NetBSD. Where the NetBSD CVS was closed, his project's would be open. Working with Chuck Cranor, a server was set up to allow anonymous access to the new project's source, completely open and unrestricted access to what was being worked on at all times. It is from this that the new project took its name. This was the first time this concept was used for a software project. It has since been adopted by all of the open source BSD operating systems and many other open source projects.

Focus on security

During the early period of OpenBSD's existence, Theo de Raadt was contacted by a local security software developer interested in creating a tool to find and attempt to exploit possible software security flaws. This company, whose name has never been publicly revealed, began a symbiotic relationship with Theo and his newly formed OpenBSD project, a synergy that allowed him to tighten his operating system while the company expanded its tool. This relationship helped to form the focal point of the OpenBSD project. Where other systems might take the path of least resistance, OpenBSD would often go out of the way to do what was right, proper or secure, even at the cost of ease, speed or functionality. With time, relations with the company began to dissipate. As bugs within OpenBSD became harder to find and exploit, the security company found that it was too difficult, or not cost effective, to handle such obscure problems. After years of cooperation, the two parties decided that their goals together had been met and parted ways.

The POSSE project

Beginning in 2001 and continuing to April 2003, OpenBSD development was partly sponsored by DARPA, as a member of the POSSE project. This was a security inititive directed by the University of Pennsylvania Distributed Systems Laboratory and paid for through the Composable High Assurance Trusted Systems programme. POSSE was a US$2,125,000 grant designed "to introduce advanced security features used in special-purpose government computers into standard office PCs." The United States government hoped to benefit from the availability of better security features in affordable, standardized computers and software. OpenBSD was selected as one of the computing world's most secure forums for the development of open source software and approximately $1,000,000 was allotted to its development. In addition, by applying the security auditing concepts used in OpenBSD to other projects like OpenSSL, POSSE helped to increase the overall security of freely available software.

In April 2003, speaking in an interview to a Canadian newspaper, the Globe and Mail, Theo de Raadt remarked: "I try to convince myself that our grant means a half of a cruise missile doesn't get built." Jonathan Smith, the head of the POSSE project, stated that military officials had expressed discomfort with this comment. A short time later, the project was prematurely terminated. This was explained as being "due to world events and the evolving threat posed by increasingly capable nation-states", but some have speculated that Theo de Raadt's comments played a part in the decision.

Here and now

Despite being the most commonly cited reason for OpenBSD's existence, security is not the only focus of the OpenBSD project. As a descendant of NetBSD, OpenBSD is a very portable operating system, currently running on 16 different hardware platforms: alpha, AMD64, cats, hp300, hppa, i386, luna88k, mac68k, macppc, mvme68k, mvme88k, sgi, sparc, sparc64, vax and zaurus. Supported platforms are added and dropped as resources and practicality warrant. Other focuses are licence purity and good documentation. OpenBSD has strict guidelines regarding the licence of imported code, and strives to remove or replace existing code that is under licences considered undesirable. The excellent quality and wide coverage of the man pages are a noted feature of the project.

Releases

OpenBSD issues new versions every six months. Each version is supported for one year after release. During this time, stable CVS trees for ports and source are updated with errata. These are listed on the OpenBSD website and provide fixes for any security and reliability problems which crop up after release. In addition, errata are made available as source patches for those who prefer them over CVS.

Nomenclature

OpenBSD has three major flavours at any one time: -current or -beta, -stable and -release. The -current name refers to the continuously moving development source of the system. It appears in CVS with the HEAD tag and may be built from source or installed from a snapshot. Snapshots are testing releases created from -current every few weeks. The -beta flavour is a variant of -current used when the system is in beta and approaching release, -release is the final version of OpenBSD which appears on the official CDs and FTP servers and -stable a patched version of a release which corrects any issues found while it is still supported.

Some time, usually two to three months, before a release, the set of source files that will be used to build the release is tagged in the CVS tree. Tagging marks a set of source files with a label, such as OPENBSD_3_7 for release 3.7. This label can then be used to pick out the release source files from the frequently updated -current sources. The delay between tagging and release is to allow time for packages to be built and for CDs and artwork to be produced. After this, development continues on -current in preparation for the next release.

Latest

OpenBSD 3.7 was released on May 19, 2005. It includes X.Org Server 6.8.2, further enhancements to the packet filter, the BGP daemon and the NTP daemon (OpenNTPD) and a new OSPF daemon (ospfd) implementing the OSPFv2 routing protocol. This release also sees significant development of the packaging tools, which can now perform in-place package updates.

OpenBSD 3.8 is currently in testing and is planned for release on November 1, 2005.

Uses

OpenBSD's stances on code correctness and licencing, its security enhancements and the pf firewall suit it for use in the security industry, particularly for firewalls and intrusion-detection systems. It is also commonly used for web and other servers which need to be resistant against cracking attempts and DDOS attacks.

Derivatives

Many of the OpenBSD system tools have been used in Microsoft's Services for UNIX, an extension to Windows systems to provide some Unix-like functionality. There are several other proprietary systems which are based on OpenBSD, including Profense from Armorlogic ApS, IP360 Vulnerability Management Solution from nCircle, syswall from Syscall Network Solutions AG, GeNUGate and GeNUBox from GeNUA mbH and RTMX O/S from RTMX Inc. Of these, both RTMX and GeNUA have contributed back to OpenBSD. RTMX have sent patches to add further POSIX compliance to the system and GeNUA funded the development of SMP on the i386 platform. Several open source operating systems have also been derived from OpenBSD, notably MirOS BSD and the now defunct ekkoBSD, MicroBSD and Gentoo/OpenBSD.

There have also been projects which use OpenBSD as part of images for embedded systems, including OpenSoekris, flashdist and the defunct CompactBSD. Together with tools like nsh, these allow Cisco-like embedded devices to be created.

Desktop

OpenBSD ships with the X window system. It presently includes two options: a recent X.org release and an older XFree86 3.3 release for legacy video cards. With either of these, it is possible to use OpenBSD as a desktop or workstation. Despite this, it is regularly speculated by outsiders and users new to OpenBSD whether it has any use on the desktop. As X, rather than the operating system, is the foundation for most desktops, OpenBSD can be made to perform quite capably for this purpose, making use of a desktop environment, window manager or both to give the X desktop a wide range of appearances. It can appear similar to Mac OS, Microsoft Windows, Plan 9, NeXTStep and many other environments.

The OpenBSD ports tree contains many of the most popular tools for desktop use, including desktop environments GNOME and KDE, web browsers Mozilla Firefox and Opera and multimedia programs. Graphical software for many uses is available from both the ports tree and by compiling POSIX compliant software. Also available are compatibility layers, which allow binary code compiled for other kernels such as Linux, Plan 9, FreeBSD, Solaris, BSD/OS, SunOS and HP-UX to be run. However, since hardware providers such as ATI and NVIDIA refuse to release open source drivers or documentation for the 3D capabilities of their video cards, OpenBSD lacks accelerated 3D graphics support.

Ports and packages

As with several other operating systems, OpenBSD uses ports and packages systems to allow for easy installation and management of programs which are not a part of the base operating system. Originally based on the FreeBSD ports tree, the systems are now quite distinct. Additionally, major changes have been made between the 3.6 and 3.8 releases and are still ongoing. These changes include the replacement of the package tools by more capable versions, written in Perl by Marc Espie. The package tools are the tools available to the user to manipulate packages and were formerly written in C.

In contrast to FreeBSD, the OpenBSD ports system is intended as a source used to create the end product, the packages. Installing a port first creates a package and then installs it using the package tools. Packages are built in bulk by the OpenBSD team for each release and snapshot. OpenBSD is also unique among the BSDs in that the ports and base trees are developed and released together for each version. This means that the ports or packages released with, for example, 3.7 are not suitable for use with 3.6 and vice versa. This policy lends a great deal of stability to the development process, but means that the software in ports for the latest OpenBSD release can lag somewhat from the latest version available from the author.

An OpenBSD port is made up of a makefile, text files with descriptions and installation messages, any patches required to adjust the program to work on OpenBSD and a packing list listing the files to be included in the packages. The ports tree uses a set of standard makefiles, some of which are shared with the source tree, to provide the bulk of its functionality. This shared infrastructure includes many utility functions for port developers and means that ports can often be made very simply. As a security precaution or an aid when developing new ports, port builds may be run using systrace and a default policy is provided.

Security

OpenBSD is well-known for its security focus and track record. Until June 2002, the OpenBSD web page featured the slogan "No remote hole in the default install, in nearly 6 years." After an exploit was discovered in OpenSSH, this was changed to "Only one remote hole in the default install, in more than 8 years." This statement has been criticised because little is enabled in a default install of OpenBSD and releases have included software that later was found to have remote holes. The OpenBSD project maintains that the slogan is intended to refer to a default install and that it is correct by that measure.

One of the OpenBSD project's fundamental ideas is a consistent drive for systems to be simple, clean and "Secure by Default." For example, OpenBSD's minimal defaults fit in with standard computer security practice of enabling as few services as possible on production machines.

API and build changes

The strcpy and strcat string functions commonly used with the C programming language are easy to misuse, leading to bugs and security flaws. The existing alternatives, strncpy and strncat, are not ideal, so OpenBSD developers Todd C. Miller and Theo de Raadt implemented the strlcpy and strlcat functions. These are designed to be safer and more consistent replacements for strncat and strncpy, making it harder for programmers to leave buffers unterminated or allow them to be overflowed. These functions have been adopted by the NetBSD and FreeBSD projects but have notably not been accepted by the GNU C library. The maintainer, Ulrich Drepper, vehemently opposes their incorporation, stating that memcpy is an adequate solution to the problems. The OpenBSD linker has been changed to issue a warning when unsafe functions, such as strcpy, strcat or another string manipulation function that is often a cause of errors, sprintf, are found. All uses in the OpenBSD source tree have been replaced and a policy of patching any uses found in the ports tree has been adopted. In addition, a static bounds checker has been added to OpenBSD in an attempt to find other common programming mistakes at compile time. Other security-related APIs developed by the OpenBSD project are issetugid and arc4random.

The OpenBSD team have a policy of seeking out examples of classic, K&R-style C code and converting it to the more modern ANSI equivalent. Along with DragonFly BSD, they are the only open source operating systems with such a goal. A standard code style, the Kernel Normal Form, must be applied to all code before it is considered for inclusion in the base operating system. This dictates how code must look in order to be easily maintained and understood. Existing code is actively updated to meet the style requirements.

Strong cryptography

OpenBSD uses a password-hashing algorithm derived from Bruce Schneier's Blowfish block cipher. This takes advantage of the slow Blowfish key schedule to make password-checking inherently CPU-intensive so that password-cracking attempts are slower and more difficult. The project was perhaps the first to disable the plain-text telnet daemon in favour of the encrypted SSH daemon. The OpenBSD SSH daemon, OpenSSH, is now included in all major BSD operating systems and Linux distributions.

Memory protection

OpenBSD integrates several technologies to help protect the operating system from attacks such as buffer overflows or integer overflows.

Stack-smashing and W^X

Developed by Hiroaki Etoh, ProPolice is a GCC extension for protecting applications from stack-smashing attacks. In order to make this possible, it performs a number of operations. Local stack variables are reordered to place buffers after pointers, protecting them from corruption in case of a buffer overflow. Pointers from function arguments are also placed before local buffers and a canary value is placed after local buffers. When the function exits, this canary can be used to detect buffer overflows. ProPolice chooses whether or not to protect a buffer based on automatic heuristics which judge how vulnerable it is, reducing the performance overhead of the protection. It was integrated into the OpenBSD gcc in December 2002, and first made available in version 3.3; the protection was then applied to the kernel in release 3.4. The extension works effectively on all the CPU architectures supported by OpenBSD and is activated by default, so any C code compiled will be protected without further user intervention.

In May 2004, OpenBSD on the sparc platform received further stack protection in the form of StackGhost. Support for sparc64 was added to -current in March 2005. Details of this technique can be found in the Usenix paper: StackGhost: Hardware Facilitated Stack Protection.

OpenBSD 3.4 introduced W^X ("w x-or x"), a memory management scheme to ensure that memory is either writable or executable, but never both. This provides another layer of protection against buffer overflows.

Malloc changes

During the development cycle of the forthcoming 3.8 release, changes were made to the malloc memory management functions. In traditional Unix operating systems, malloc allocates more memory by extending the Unix data segment. This has made it difficult to implement strong protection against security problems. The new malloc implementation in OpenBSD changes malloc to make use of the mmap system call, which has been modified so that it returns random memory addresses and ensures that different areas are not mapped next to each other. In addition, allocation of small blocks in shared areas is now randomised and the free function has been changed to return memory to the kernel immediately rather than leaving it mapped into the process. A number of additional, optional checks have also been added to aid in development. These new features make program bugs easier to detect and harder to exploit. Instead of memory being corrupted or an invalid access being ignored, they will often result in a SIGSEGV and abortion of the process. This has brought to light several issues with software running on OpenBSD 3.8, particularly with programs reading beyond the start or end of a buffer. This type of bug would previously have been ignored but can now cause an error.

These abilities have taken more than 3 years to implement without considerable performance loss. This functionality is similar in goals to that of the Electric Fence malloc debugging library by Bruce Perens, but is used by default in OpenBSD.

Privilege separation

Privilege separation, privilege revocation, chrooting and randomized loading of libraries also play a role in increasing the security of the system. Many of these have been applied to the OpenBSD versions of common programs such as tcpdump and Apache.

Licencing

OpenBSD contains components under a variety of different licences. The ISC licence is preferred for new code but the MIT or BSD licences are accepted. The GPL is considered overly restrictive in comparison with these; code licenced under it, and other licences the project sees as undesirable, is no longer accepted for addition to the base system. In addition, existing code under such licences is actively replaced when possible, although in some cases, such as GCC, there is no suitable replacement and creating one is time-consuming and impractical. In addition, OpenBSD has a history of fighting for more liberally licenced releases of code. To allow code with an unsuitable licence to be used by the project, OpenBSD developers usually attempt to have it relicenced by the copyright holders. However, this path has sometimes had limited success. As an alternative, developers have completely replaced tools from the ground up or reshaped an existing tool which is appropriately licenced but lacks functionality.

Audit

In August of 2001, triggered by concerns over Darren Reed's modification of IPFilter's licence wording, developers began a systematic licence audit of the OpenBSD ports and source trees. Code in more than 100 files throughout the system was found to be unlicenced, ambiguously licenced or in use against the terms of the licence. To ensure that all licences were properly adhered to, an attempt was made to make contact with all the relevant copyright holders. Some pieces of code were removed and many were replaced. Others, including the multicast routing tools, mrinfo and map-mbone, which were licenced by Xerox for research only, were relicenced so that OpenBSD could continue to use them.

DJB

Also of note during this audit was the removal of all software produced by Daniel J. Bernstein from the OpenBSD ports tree. At the time, Daniel requested that all modified versions of his code be approved by him prior to redistribution. No developer was willing to devote time nor effort to this requirement, so all DJB code was removed. This led to a clash with Daniel, who felt this removal to be uncalled for and claimed this was an attack on his software and the users of his software. He cited the Netscape web browser as much less free and accused the OpenBSD project and Theo de Raadt of hypocrisy for permitting Netscape to remain while removing his software. OpenBSD's stance was that Netscape, although not open source, allowed for free redistribution and was thus permitted in ports. They asserted that DJB's demand for control of derivatives would lead to much work and that removal was the most appropriate way to comply with his requirements.

XFree86

In February 2004, the president of the XFree86 project, David Dawes, added an additional licencing clause to all of the software distributed by the project. This clause, which applied after XFree86 4.4 RC2, served as an additional restriction for redistributors making use of the code. Comparable to the advertising clause of the original four-clause BSD licence, the change caused a great deal of distress and dissent within the communities making use of XFree86. Expressing the view of the OpenBSD project, Theo de Raadt said that "like other projects, we will not be incorporating new code from David Dawes into the XFree86 codebase used in OpenBSD. All such changes have to be skipped, rewritten, or you can contact the XFree86 group and place your own efforts to repair this damage." Because of this, OpenBSD shipped with a patched version of XFree86 4.4 RC2 in release 3.6. Later releases have replaced XFree86 with the X.Org implementation.

Highlights

Over the years, OpenBSD has made some significant strides in relicencing or replacing code with licences that are incompatible with the goals of the project. Highlights include:

• In 1999, OpenSSH was developed. OpenSSH was based on the original SSH suite and developed further by the OpenBSD team. It first appeared in OpenBSD 2.6 and is now the single most popular SSH implementation. OpenSSH is available as standard on most free Unix-like and many commercial operating systems. It is available as a package on most others.
• In 2001, after licence restrictions were imposed on IPFilter, the pf packet filter was developed. pf first appeared in OpenBSD 3.0 and is now available in DragonFly BSD, NetBSD and FreeBSD.
• In 2003, code from ALTQ, which had a licence disallowing the sale of derivatives, was relicenced, integrated into pf and made available in OpenBSD 3.3.
• The GPL licenced gzip was replaced by retooling the existing compress tool to include its functionality. This was first made available in OpenBSD 3.4.
• The GPL licenced grep was replaced with FreeGrep, an updated BSD-licenced grep. This new grep was first available in OpenBSD 3.4 and is now also available in NetBSD.
• A public domain diff was updated and used to replace the GPL licenced diff previously included. The new diff was first available in OpenBSD 3.4.
• Code from the LGPL licenced p0f was relicenced to allow pf to feature passive operating system detection. This first appeared in OpenBSD 3.4.
• In 2004, OpenBSD 3.5 featured CARP, an open alternative to the HSRP and VRRP redundancy systems available from commercial vendors.
• GPL licenced parts of the GNU toolset, bc [1], dc [2], nm [3] and size [4], were all replaced with BSD licenced equivalents.
• OpenNTPD, a compatible alternative to the reference NTP daemon, was developed within the OpenBSD project. OpenNTPD was first made available in OpenBSD 3.6. The goal of OpenNTPD was not solely a compatible licence. It also aims to be a simple, secure NTP implementation providing acceptable accuracy for most cases, without requiring detailed configuration.

Image and marketing

After a number of releases, OpenBSD has become notorious for its catchy songs and interesting and often comical artwork. These help to create an image and a mystique around the project, promoting it through word of mouth as much as deliberate effort and helping to build anticipation for each release.

Themes

The promotional material of early OpenBSD releases did not have a cohesive theme or design. However, starting with OpenBSD 3.0, the CDs, posters and tee-shirts have been designed together, with the same style and with a single theme. These themes have been worked on by Ty Semaka of the Plaid Tongued Devils. At first they were done lightly and only intended to add humour but, as the concept has evolved, they have become a part of the OpenBSD evangelism, with each release expanding a moral or political point important to the project. Below are a list of releases since 3.0 and their themes:

• 3.8: Hackers of the Lost RAID. Styled after the radio serials of the 1930s and 40s, this was a parody of Indiana Jones and was linked to the new RAID tools featured as part of this release.
• 3.7: The Wizard of OS. Styled after the works of Pink Floyd and a parody of The Wizard of Oz, this dealt with wireless hacking.
• 3.6: Pond-erosa Puff (live). Styled after the works of Johnny Cash, a parody of the Spaghetti Western and Clint Eastwood and inspired by liberal licence enforcement
• 3.5: CARP License and Redundancy must be free. A parody of the Fish Licence Skit and Eric the Half-a-Bee Song by Monty Python, with an anti-software patents message.
• 3.4: The Legend of Puffy Hood. An unusual blend of both hip-hop and medievally styled music, a parody of the tale of Robin Hood intended to express OpenBSD's attitude to free speech.
• 3.3: Puff the Barbarian. An 80s rock-style song and parody of Conan the Barbarian dealing with open documentation.
• 3.2: Goldflipper. Styled after the orchestral introductory ballads of James Bond films.
• 3.1: Systemagic. Inspired by the works of Rammstein and a parody of Buffy the Vampire Slayer.
• 3.0: E-Railed (OpenBSD Mix). A techno track.

Mascot

Puffy, the pufferfish, is the mascot of the OpenBSD project as well as its child projects: OpenSSH, OpenNTPD, OpenCVS and OpenBGPD. Puffy was selected because of the blowfish algorithm used in OpenSSH and the strongly defensive image of the puffer, whose spikes help deter predators. He quickly became very popular, mainly because of the cute image of the fish and his distinction from the beastie used by FreeBSD and the horde of daemons then used by NetBSD. Puffy made his first public appearance in OpenBSD 2.6. Since then, many releases have seen a different side of Puff presented on tee-shirts and posters. These have included:

• 3.8: Puffiana Jones - famed hackologist and adventurer, seeking out the Lost RAID,
• 3.7: Puffathy - a little Alberta girl, who must work with Taiwan to save the day,
• 3.6: Pond-erosa Puff - a no-guff freedom fighter from the wild west, set to hang a lickin' on no-good bureaucratic nerds,
• 3.5: Customer - a fish seeking to licence his free redundancy protocol, CARP,
• 3.4: Sir Puffy of Ramsay - a freedom fighter who, with Little Bob of Beckley, took from the rich and gave to all,
• 3.3: Puff the Barbarian - born in a tiny bowl, Puff was a slave, now he hacks through the C,
• 3.2: James Pond, agent 077 - super spy and suave lady's man,
• 3.1: Puffy, the Kitten Slayer - hunting down the evil script kitties,
• 3.0: Puff Daddy - famed rapper and political icon.

Slogans

In addition to the slogans used on tee-shirts and posters for releases, OpenBSD occasionally produces other material. Over the years, catch-phrases have included "Sending script-kiddies to /dev/null since 1995", "Functional, secure, free - choose 3" and "Secure by default." There have also been a few insider slogans, only available on tee-shirts made for developer gatherings, particularly: "World class security for much less than the price of a cruise missile" and a crufty old octopus proclaiming "Shut up and hack!"

Hackathons

Beginning on June 4, 1999, OpenBSD began the annual hackathon tradition. During the hackathon, many of the developers come together for a period which usually sees rapid OpenBSD development. The original hackathon took place in Calgary, Alberta, Canada and was attended by ten developers. It was focused on cryptographic development; part of the reason for holding it in Canada was to avoid legal problems caused by United States regulations on the export of cryptographic software. The designation for each subsequent hackathon has been marked by this, as OpenBSD has used c, standing first for crypto and later for Calgary, as the first letter of these events. Since then, hackathons have become a big event, a week-long gathering during which more than 60 developers from around the world come together to drink beer, listen to Eläkeläiset, hike, and hack on OpenBSD.

As of 2005, the official OpenBSD hackathons have been:

• c99 - June 4, 1999, 10 developers in Calgary, Alberta, Canada.
• c2k - June 15, 2000, 18 developers in Calgary.
• c2k1 - June 21, 2001, 35 developers in Cambridge, Massachusetts, USA.
• c2k1-II - August 17, 2001, 12 developers in Washington, DC, USA.
• c2k2 - June 04, 2002, 42 developers in Calgary, origin of the "Shut Up and Hack!" motto.
• c2k3 - May 10, 2003, 51 developers in Calgary.
• pf2k4 - April 24, 2004, Sechelt, British Columbia, Canada.
• c2k4 - June 19, 2004, 46 developers, Calgary.
• c2k5 - May 21, 2005, 60 developers in Calgary.

Developers

OpenBSD has developers from around the world. Current developers include:

• Theo de Raadt - Benevolent Dictator for Life. Lives in Calgary, Alberta, Canada.
• Todd C. Miller - Lives in Boulder, Colorado, USA.
• Damien Miller - Lives in Melbourne, Australia.
• Bob Beck - spamd development. Lives in Edmonton, Alberta, Canada.
• Marc Espie - gcc maintainer and package tools and make development. Lives in Paris, France.
• Daniel Hartmeier - Creator of the pf firewall. Lives in Zug, Switzerland.
• Henning Brauer - pf, OpenNTPD and OpenBGPD development. Lives in Hamburg, Germany.
• Mike Frantzen - Lives in Washington D.C., USA.
• Cedric Berger - pf development. Lives in Neuchatel, Switzerland.
• Ryan McBride - CARP and pf development. Lives in Vancouver, British Columbia, Canada.
• Can Erkin Acar - Lives in Ankara, Turkey.
• Nick Holland - Documentation and FAQ maintainer. Lives in St. Clair Shores, Michigan, USA.
• Ted Unangst.
• Marco Peereboom - RAID developer.
• Otto Moerbeek - patch, diff, dc, bc, privilege separated tcpdump and userland in general. Lives in Heemstede, Netherlands.
• Jason Wright - Hardware driver developer/porter, sparc64 maintainer. Lives in Virginia, USA.
• Dale Rahn - macppc maintainer, G5 development. Lives in St. Joseph, Illinois, USA.
• Mark Kettenis - macppc developer, SMP and G5 development. Lives in the Netherlands
• Jason McIntyre - Man page developer. Lives in Scotland
• Miod Vallat - Old platform developer and mvme88k maintainer. Lives in France.
• Joel Knight - PF User's Guide and FAQ maintainer.
• Art Grabowski - sparc maintainer. Lives in Haninge, Sweden.
• Peter Valchev - Ports developer. Lives in Calgary, Alberta, Canada.
• Michael "Mickey" Shalayeff - amd64, hppa maintainer.
• Anil Madhavapeddy - GCC bounds checker, ports. Lives in Cambridge, United Kingdom.
• Markus Friedl - SSH, crypto. Lives in Bavaria.
• Federico Schwindt.
• Reyk Floeter - Wireless and wired and networking. Lives in Germany.
• David Gwynne - RAID and USB developer. Lives in Australia.
• Christian "naddy" Weisgerber. Lives in Germany.

Significant past developers are:

• Niels Provos - systrace and OpenSSH developer. Now works for Google.

Screenshots

OpenBSD 3.8 booting

OpenBSD 3.8 login prompt

OpenBSD 3.8 running with its default FVWM

OpenBSD 3.7 running JWM

Books

As OpenBSD's popularity has grown, a number of books on it have been published. A short list is:

• Mastering FreeBSD and OpenBSD Security - Yanek Korff, Paco Hope and Bruce Potter

ISBN 0-596-00626-8, March 2005, 462 pages.

Deals with OpenBSD 3.6. Official site.

• Building Firewalls with OpenBSD and PF: Second Edition - Jacek Artymiak

ISBN 83-916651-1-9, October 2003, 320 pages.

Deals with OpenBSD 3.4.

• Secure Architectures with OpenBSD - Brandon Palmer and Jose Nazario

ISBN 03-21193-66-0, April 2004, 520 pages.

Deals with OpenBSD 3.4.

• Absolute OpenBSD, Unix for the Practical Paranoid - Michael W. Lucas

ISBN 1-886411-99-9, July 2003, 500 pages.

Deals with OpenBSD 3.3. Official site.

• Building Linux and OpenBSD Firewalls - Wes Sonnenreich and Tom Yates

ISBN 0-471-35366-3, February 2000, 384 pages.

Deals with OpenBSD 2.5. Official site.

See also

• Comparison of operating systems
• BSD and GPL licensing

External links

• OpenBSD homepage
  • OpenBSD CVS Web Repository
  • OpenBSD Documentation and Frequently Asked Questions
  • OpenBSD man pages
  • OpenBSD songs
• OpenSSH homepage
• OpenNTPD homepage
• OpenBGPD homepage
• OpenCVS homepage
• OpenBSD journal
• Free For All by Pete Wayner
• Daniel Ouellet's OpenBSD HOWTO site
• MARC: OpenBSD misc mailing list archive
• OpenBSD beginners tutorial