You Can Only Grab One Thing, What Is It? OpenBSD?!

Okay okay, if I was in a situation where I was in a burning building or something like that, and I could only grab one thing, I would choose my family and people. But for sakes of the digital argument, read on...

The OpenBSD operating system is a complete distribution that can perform many tasks, especially important and crucial networking tasks, without the need to install additional software. This is important for security, because if we trust the supply chain for the distribution, then we implicitly trust the software that is packaged with it.

I believe that I've essentially written this article once before. But, I have it in mind to write this once again. What would cause me to re-write an article on the same topic? Well, a couple years ago (approximately) I came across an article entitled OpenBSD is the Perfect OS post Nuclear Apocalypse. I'm not sure if that article is what kicked off my thought process, or if I just naturally came to this. But the main idea is, OpenBSD is packaged with the stuff you need. If your house caught fire, and you could only take a single installation image with you, what would it be? OpenBSD. Yep, OpenBSD, not Linux.

The Software

OpenBSD comes with a number of base programs installed that provide a powerful server platform. Here is a list of programs or capabilities that I care about, which come "out of the box":

• httpd - An HTTP server
• acme-client - A utility to acquire free TLS certificates
• relayd - Provides TLS termination and proxying
• pf - A firewall tool
• smtpd - An email server
• WireGuard Support - Kernel support for WireGuard VPN peers

This is just a short list of the things that I utilize. If you find yourself needing to prepare for the apocolypse, then you might give OpenBSD a try.

There is this somewhat-recent concept in the world of software that a developer could provide a Software Bill of Materials (SBOM). I like this idea, because a lot of modern software is really just a bunch of hobbled together libraries that were collected from across the Internet. For example, a Python program might have a baker's dozen of modules that it relies on, and there may be specific version of each that are required. The SBOM can then provide a list of all these materials, and then you can compare those software dependencies and versions against a list of known vulnerabilities. You can learn about the process here.

Well, I haven't come across a SBOM for OpenBSD, but that is somewhat of the point. All these packages for webserving, firewalling, proxying, TLS termination, email, these all come from the same source. And you should know, the OpenBSD claim to fame is: "Only two remote holes in the default install, in a heck of a long time!" If this is true, then the default install, including all these useful tools, has had a good track record.

On the flip side, imagine needing to setup a non-OpenBSD server that needs to do all the same tasks (webserver, email, etc). You would need to download a different package for each, such as Nginx or Caddy for the webserver/relay/proxy, and Postfix for email, and the WireGuard kernel modules, etc. Each of those packages has their own dependencies, triggering an avalanche of new software being installed on the server. Each new package introduces another potential vulnerability.

The Tunes

Admittedly, this point is completely moot. But, the people who use OpenBSD are the kind of folks who make songs about it. Click here to enjoy a variety of musical pieces that have been recorded in celebration of this operating system. I am not recommending every song there, but "Wrap in Time" was one that I've listened to a number of times. The lyrics are quite clever:

Tell me doctor, what will be the date, Is it 1901, or 2038. All I wanna do is make my keyboard sing

From today I'll be fine But you better promise me I won't wrap back in time. Don't wanna wrap back in time.

Don't bet your future on compat's bad advice Better remember, bugs always strike twice. Please don't use time32_t, not just a word again

So talk to me, I'll be fine But you better promise me I won't wrap back in time. Don't wanna wrap back in time. Don't wanna wrap back in time. No bad hacks in time.

Don't wanna wrap back in time. Don't wanna wrap back in time, don't wrap! don't wrap!

The Freedom

There is a maxim I read recently which states that freedom is inseparably tied to responsibility. If you can be more responsible, you can be more free. Well, the point of this article is that OpenBSD is import because it provides a base level of tools to cover a lot of responsibilites. Whether that is protecting a network, routing packets, serving up web pages and email, and connecting to a secure network over the Internet. These are important things in our day and age, and OpenBSD requires no extra dependencies to do those tasks. Out of the box, you are free.

That is probably why the writer of the Confuzeus.com blog (the post is mentioned above) wrote: "OpenBSD was create for free men like you, enjoy it."

Share