Bob's Blog

Why I Abandoned OpenBSD

I used OpenBSD for a number of years. It was a low-demand operating system for low-end hardware, and I learned quite a bit about using an operating system designed for security by default. However, in the mid-2010s I abandoned it.

No, that's too kind. I rejected it. Kicked it to the curb. Yelled "Good riddance!" at it.

I refused to do anything more with an operating system associated with an environment that was dysfunctional and contrary at best, openly hostile and ill-mannered much of the time.

Here's what happened.

Why Did I Ever Use OpenBSD?

I had started using Linux in April 1994. In 1997 I started carrying a laptop with me on both business and pleasure trips. Then as now, laptops cost significantly more than desktops for similar CPU/RAM/disk capabilities. I'm cheap, so I had a lower-end used laptop with Windows 95. A used laptop with an i486DX2-33, 4 MB of RAM, and a 120 MB disk cost US$ 400.

I wanted a UNIX-family operating system for a variety of reasons. However, I found that Linux plus KDE overwhelmed my hardware. And so, for a short time I carried a text-only Linux laptop. No graphics, who needs that! But that quickly got in the way of a number of things.

I was in the process of getting more involved in teaching a general UNIX-family security course; I would eventually end up as its author. OpenBSD was explicitly designed for security, and it came with a lightweight graphical environment, so it made sense at the time.

OpenBSD on a Laptop?

It worked out pretty well for a while. But yeah, it was a form of performance art. There were continuing shortcomings and annoyances.

Shortcomings and Annoyances?

I wanted to do some experiments with web service. Nothing fancy, point the browser at The Apache web server is there, right? Nope. There's a httpd HTTP/HTTPS server, and it would pretend to be some version of Apache, but while it was based on the original it had been subjected to a large number of OpenBSD-specific modifications. So, I could get something running there but with no reason to expect that the same approach would work on real Apache. And similarly with other subsystems.

New OpenBSD releases would come out every May and November. They're new for good reasons and you want to stay up to date by running the latest, right? Sure, although how much time do you have to work on the migration? Oh, and each release is supported for only one year, so you can only skip one without being on an unsupported operating system.

I had needed to learn how to do DNS service with BIND, which OpenBSD had. Great, I can work on this project on my laptops during quiet evenings when I'm in the Washington D.C. area teaching a class!

Then they suddenly announced that this latest version has dropped BIND because it's a horrible insecure mess. Quick, switch everything over to NSD!

Six months later, guess what, OpenBSD switched back from BIND to NSD.

The same back-and-forth went on with the web service, from the customized Apache project's httpd to Nginx, which I don't remember whether it was actual Nginx or a customized web server pretending to be Nginx while using its configuration syntax. Before I really needed to figure that out, OpenBSD had switched back to their sort-of-Apache again. And then back to Nginx(-ish) and then back again to Apache(-ish).

After I had discarded OpenBSD, I happened to notice that it had dropped sudo in favor of doas. Who knows what they've done since then.

The Toxic OpenBSD Environment

For a while, I could use QEMU to run Windows as a virtual machine. Until that was completely ripped out of OpenBSD. Researching how to build QEMU from source, and then how that would ultimately be impossible to do in any truly useful way at the time, began to open my eyes.

By that time I had become aware that Linus Torvalds, founder and still leader of the Linux kernel project, was notoriously ill-tempered. Well, that's too bad, but I'm not at all involved in the Linux kernel development project so I can just ignore that.

Then the QEMU change led me to begin learning that Linus is a kitten compared to Theo de Raadt, the OpenBSD project founder and still leader. See one of his original rants on virtualization here and some discussion of it here.

If only I had read this 2010 essay by someone who had been an OpenBSD developer.

Or, if I had noticed that Theo de Raadt was one of the co-founders of the NetBSD project in 1993, but by the end of 1994 he had been banished from the project. Even Linus Torvalds said that it was because of toxic behavior. And if Linus says you're hard to deal with, well...

Nietzsche Was Right

In Beyond Good and Evil, Friedrich Nietzsche wrote:

"He who fights monsters should see to it that he himself does not become a monster. And if you gaze long enough into an abyss, the abyss will also gaze into you."

Any time I think back on my use of OpenBSD, or see it mentioned, I'm reminded of Nietzsche's insight. The OpenBSD project gazed for too long into the abyss. Or maybe it is the abyss. I don't know, I don't care.

OpenBSD's Lack of Hardware Support

I continuously ran into problems getting wired Ethernet networking going on older laptops where you had to insert a PCMCIA card (remember those?). Wireless was far worse.

The only somewhat reliable solution would be to first see what was available, manufacturer and product name and number. Then do research to figure out what its chipset was. Then do research to figure out if OpenBSD supported it. Start with the release notes at openbsd.org. Then carefully read completely through the corresponding manual pages for the relevant kernel modules. Only then was it somewhat likely that the available item would really work.

Do you want Bluetooth to work on your laptop? Linux can do that! As for OpenBSD, nope.

I Was Doing Something Inappropriate

Like I said, I know that it was downright weird of me to want to run OpenBSD on a laptop. But I thought I could get away with it.

That was inappropriate, and I shudder to consider the angry tirade I would receive from an OpenBSD True Believer if they heard that I was doing such a thing. "Obviously", they would shout while sneering, "OpenBSD should only be used on a real computer like a rack-mounted server."

You know what? OpenBSD is also utterly inappropriate for many of those.

The last time I had to investigate anything about OpenBSD was when I was working on an NFS interoperability project. The situation was far worse than I expected, even though I already had a low opinion of OpenBSD.

Red Hat's documentation is appallingly sloppy for an operating system for which you have to pay thousands of dollars per server, per year. It had taken us a while to figure out that its manual pages about NFS service and being an NFS client were slightly conflicting, and none of them completely correct. I finally found a solution by running both:
# mount.nfs --help
# mount.nfs4 --help
Then experiment with combinations of what those two commands suggest. Eventually I got NFS 4.2 working between a RHEL server and a RHEL client. Only then should you try to involve a Windows system.


So, OpenBSD might be OK as an Internet-only server, providing DNS and HTTP/HTTPS service with their own mutated programs. However, OpenBSD is inappropriate within the datacenter. De Raadt said, rudely of course, that NFSv4 was trash and anyone wanting to use it is an idiot. But hey, OpenBSD runs NFSv3, so if you want a network file sharing service from December 2000, there you go. Hopefully performance and stability aren't important to you.

Given his angry attitude about IPv6, I wouldn't have high hopes for running that on OpenBSD, either.

FreeBSD, However, is Great

I moved my web servers to FreeBSD running on Google Cloud in 2017, and that was easy to get working. Also, I don't worry that someone at Google is going to start screaming at me.

Other Thoughts on OpenBSD Versus Other UNIX-Family Operating Systems

"Why FreeBSD?" in BSD Magazine is a good comparison of open-source UNIX-family operating systems.

OpenBSD didn't have to be that way, but it certainly is. See the paper "'Did You Miss My Comment or What?', Understanding Toxicity in Open Source Discussions" for the unfortunate prevalence of hostile environments within open-source projects.

Hopefully this isn't some fundamental problem with open-source projects, or with the majority of the people they attract, but I found the New Yorker article "The Surreal Case of a C.I.A. Hacker’s Revenge" to be fascinatingly unpleasant, and distantly familiar.

