Proprietary software is software that grants its creator, publisher, or other rightsholder or rightsholder partner a legal monopoly by modern copyright and intellectual property law to exclude the recipient from freely sharing the software or modifying it, and—in some cases, as is the case with some patent-encumbered and EULA-bound software—from making use of the software on their own, thereby restricting their freedoms.
OpenBSD is a security-focused, free software, Unix-like operating system based on the Berkeley Software Distribution (BSD). Theo de Raadt created OpenBSD in 1995 by forking NetBSD 1.0. The OpenBSD project emphasizes portability, standardization, correctness, proactive security, and integrated cryptography. The OpenBSD project maintains portable versions of many subsystems as packages for other operating systems. Because of
A trade secret. Software can be made available with fewer restrictions on licensing or source-code access; software that satisfies certain conditions of freedom and openness is known as "free" or "open-source." Since license agreements do not override applicable copyright law or contract law, provisions in conflict with applicable law are not enforceable. Some software is specifically licensed and not sold, in order to avoid limitations of copyright such as
A "mixed source" model including both free and non-free software in the same distribution. Most if not all so-called proprietary UNIX distributions are mixed source software, bundling open-source components like BIND, Sendmail, X Window System, DHCP, and others along with a purely proprietary kernel and system utilities. Some free software packages are also simultaneously available under proprietary terms. Examples include MySQL, Sendmail and ssh. The original copyright holders for
A February 21, 1997, internal Microsoft memo drafted for Bill Gates: Early versions of the iPhone SDK were covered by a non-disclosure agreement. The agreement forbade independent developers from discussing the content of the interfaces. Apple discontinued the NDA in October 2008. Any dependency on the future versions and upgrades for a proprietary software package can create vendor lock-in, entrenching
A Government Security Program (GSP) to allow governments to view source code and Microsoft security documentation, of which the Chinese government was an early participant. The program is part of Microsoft's broader Shared Source Initiative which provides source code access for some products. The Reference Source License (Ms-RSL) and Limited Public License (Ms-LPL) are proprietary software licenses where
A copy can decide whether, and how much, to charge for a copy or related services. Proprietary software that comes for no cost is called freeware. Proponents of commercial proprietary software argue that requiring users to pay for software as a product increases funding or time available for the research and development of software. For example, Microsoft says that per-copy fees maximize
A license for the Internet forum software vBulletin can modify the source for their own site but cannot redistribute it. This is true for many web applications, which must be in source code form when being run by a web server. The source code is covered by a non-disclosure agreement or a license that allows, for example, study and modification, but not redistribution. The text-based email client Pine and certain implementations of Secure Shell are distributed with proprietary licenses that make
A monopoly position. Proprietary software may also have licensing terms that limit the usage of that software to a specific set of hardware. Apple has such a licensing model for macOS, an operating system which is limited to Apple hardware, both by licensing and various design decisions. This licensing model has been affirmed by the United States Court of Appeals for the Ninth Circuit. Proprietary software which
A network-related remote vulnerability. The quote was subsequently changed to: Only two remote holes in the default install, in a heck of a long time! This statement has been criticized because the default install contains few running services, and many use cases require additional services. Also, because the ports tree contains unaudited third-party software, it is easy for users to compromise security by installing or improperly configuring packages. However,
A new one from scratch. OpenBSD has its own NTPd, SMTPd and, more recently, HTTPd. They work great". As a result, OpenBSD is relatively prolific in creating components that become widely reused by other systems. OpenBSD runs nearly all of its standard daemons within chroot and privsep security structures by default, as part of hardening the base system. The Calgary Internet Exchange was formed in 2012, in part to serve
A particular set of requirements. Proprietary software Proprietary software is a subset of non-free software, a term defined in contrast to free and open-source software; non-commercial licenses such as CC BY-NC are not deemed proprietary, but are non-free. Proprietary software may either be closed-source software or source-available software. Until the late 1960s, computers—especially large and expensive mainframe computers, machines in specially air-conditioned computer rooms—were usually leased to customers rather than sold. Service and all software available were usually supplied by manufacturers without separate charge until 1969. Computer vendors usually provided
A program is split into two or more parts, one of which performs privileged operations and the other—almost always the bulk of the code—runs without privilege. Privilege revocation is similar and involves a program performing any necessary operations with the privileges it starts with then dropping them. Chrooting involves restricting an application to one section of the file system, prohibiting it from accessing areas that contain private or system files. Developers have applied these enhancements to OpenBSD versions of many common applications, such as tcpdump, file, tmux, smtpd, and syslogd. OpenBSD developers were instrumental in
A prominent reference to the system's security record. Until June 2002, it read: Five years without a remote hole in the default install! In June 2002, Mark Dowd of Internet Security Systems disclosed a bug in the OpenSSH code implementing challenge–response authentication. This vulnerability in the OpenBSD default installation allowed an attacker remote access to the root account, which
A question of process than of a specific bug being hunted." He went on to list several typical steps once a bug is found, including examining the entire source tree for the same and similar issues, "try[ing] to find out whether the documentation ought to be amended", and investigating whether "it's possible to augment the compiler to warn against this specific problem." The OpenBSD website features
A security system. Additional services are to be enabled manually to make users think of the security implications first. On 11 December 2010, Gregory Perry, a former technical consultant for the Federal Bureau of Investigation (FBI), emailed De Raadt alleging that the FBI had paid some OpenBSD ex-developers 10 years prior to insert backdoors into the OpenBSD Cryptographic Framework. De Raadt made
A significant part of them are "useless at best and based on pure luck and superstition", arguing for a more rational approach when it comes to designing them. Many open source projects started as components of OpenBSD, including: Some subsystems have been integrated into other BSD operating systems, and many are available as packages for use in other Unix-like systems. Linux administrator Carlos Fenollosa commented on moving from Linux to OpenBSD that
A single user or computer. In some cases, software features are restricted during or after the trial period, a practice sometimes called crippleware. Proprietary software often stores some of its data in file formats that are incompatible with other software, and may also communicate using protocols which are incompatible. Such formats and protocols may be restricted as trade secrets or subject to patents. A proprietary application programming interface (API)
A software package may be ended to force users to upgrade and pay for newer versions (planned obsolescence). Sometimes another vendor or a software's community themselves can provide support for the software, or the users can migrate to either competing systems with longer support life cycles or to FOSS-based systems. Some proprietary software is released by their owner at end-of-life as open-source or source available software, often to prevent
A song. OpenBSD is known for its high-quality documentation. When OpenBSD was created, De Raadt decided that the source code should be available for anyone to read. At the time, a small team of developers generally had access to a project's source code. Chuck Cranor and De Raadt concluded this practice was "counter to the open source philosophy" and inconvenient to potential contributors. Together, Cranor and De Raadt set up
A talk at the CCC as well as DEF CON, entitled "Are all BSDs created equally? — A survey of BSD kernel vulnerabilities", in which he stated that although OpenBSD was the clear winner of the BSDs in terms of security, "Bugs are still easy to find in those kernels, even in OpenBSD". Two years later, in 2019, a talk named "A systematic evaluation of OpenBSD's mitigations" was given at the CCC, arguing that while OpenBSD has some effective mitigations,
A technical measure, such as product activation, a product key or serial number, a hardware key, or copy protection. Vendors may also distribute versions that remove particular features, or versions which allow only certain fields of endeavor, such as non-commercial, educational, or non-profit use. Use restrictions vary by license: Vendors typically distribute proprietary software in compiled form, usually
A work of free software, even copyleft free software, can use dual-licensing to allow themselves or others to redistribute proprietary versions. Non-copyleft free software (i.e. software distributed under a permissive free software license or released to the public domain) allows anyone to make proprietary redistributions. Free software that depends on proprietary software is considered "trapped" by
Is "no way to fix [them] ... when they break." Security-focused operating system This is a list of operating systems specifically focused on security. Similar concepts include security-evaluated operating systems that have achieved certification from an auditing organization, and trusted operating systems that provide sufficient support for multilevel security and evidence of correctness to meet
Is a software library interface "specific to one device or, more likely to a number of devices within a particular manufacturer's product range." The motivation for using a proprietary API can be vendor lock-in or because standard APIs do not support the device's functionality. The European Commission, in its March 24, 2004, decision on Microsoft's business practices, quotes, in paragraph 463, Microsoft general manager for C++ development Aaron Contorer as stating in
Is continuous, and team management is open and tiered. Anyone with appropriate skills may contribute, with commit rights being awarded on merit and De Raadt acting as coordinator. Two official releases are made per year, with the version number incremented by 0.1, and these are each supported for twelve months (two release cycles). Snapshot releases are also available at frequent intervals. Maintenance patches for supported releases may be applied using syspatch, manually or by updating
Is divided into small sections and each section is encrypted with its own key, ensuring that sensitive data does not leak into an insecure part of the system. OpenBSD randomizes various behaviors of applications, making them less predictable and thus more difficult to attack. For example, PIDs are created and associated randomly to processes; the bind system call uses random port numbers; files are created with random inode numbers; and IP datagrams have random identifiers. This approach also helps expose bugs in
Is hard to determine how widely OpenBSD is used, because the developers do not publish or collect usage statistics. In September 2005, the BSD Certification Group surveyed 4330 individual BSD users, showing that 32.8% used OpenBSD, behind FreeBSD with 77%, ahead of NetBSD with 16.3% and DragonFly BSD with 2.6%. However, the authors of this survey clarified that it is neither "exhaustive" nor "completely accurate", since
Is no longer marketed, supported or sold by its owner is called abandonware, the digital form of orphaned works. If the proprietor of a software package should cease to exist, or decide to cease or limit production or support for a proprietary software package, recipients and users of the package may have no recourse if problems are found with the software. Proprietors can fail to improve and support software because of business problems. Support for older or existing versions of
Is not synonymous with commercial software, although the two terms are sometimes used synonymously in articles about free software. Proprietary software can be distributed at no cost or for a fee, and free software can be distributed at no cost or for a fee. The difference is that whether proprietary software can be distributed, and what the fee would be, is at the proprietor's discretion. With free software, anyone who has
Is required for another party to use the software. In the case of proprietary software with source code available, the vendor may also prohibit customers from distributing their modifications to the source code. Shareware is closed-source software whose owner encourages redistribution at no cost, but which the user sometimes must pay to use after a trial period. The fee usually allows use by
Is strongly recommended for end users, in contrast to operating systems that recommend user kernel customization. Packages outside the base system are maintained by CVS through a ports tree and are the responsibility of the individual maintainers, known as porters. As well as keeping the current branch up to date, porters are expected to apply appropriate bug-fixes and maintenance fixes to branches of their package for OpenBSD's supported releases. Ports are generally not subject to
Is supported for one year. On 25 July 2007, OpenBSD developer Bob Beck announced the formation of the OpenBSD Foundation, a Canadian non-profit organization formed to "act as a single point of contact for persons and organizations requiring a legal entity to deal with when they wish to support OpenBSD." In 2024, it announced that the project has modified all files since the original import. It
The NetBSD project, was asked to resign from the NetBSD core team over disagreements and conflicts with the other members of the NetBSD team. In October 1995, De Raadt founded OpenBSD, a new project forked from NetBSD 1.0. The initial release, OpenBSD 1.2, was made in July 1996, followed by OpenBSD 2.0 in October of the same year. Since then, the project has issued a release every six months, each of which
The Windows operating system to provide Unix-like functionality, use much of the OpenBSD code base that is included in the Interix interoperability suite, developed by Softway Systems Inc., which Microsoft acquired in 1999. Core Force, a security product for Windows, is based on OpenBSD's pf firewall. The pf firewall is also found in other operating systems: including FreeBSD, and macOS. OpenBSD ships with Xenocara, an implementation of
The X Window System, and is suitable as a desktop operating system for personal computers, including laptops. As of September 2018, OpenBSD includes approximately 8000 packages in its software repository, including desktop environments such as Lumina, GNOME, KDE Plasma, and Xfce, and web browsers such as Firefox and Chromium. The project also includes three window managers in
The first-sale doctrine. The owner of proprietary software exercises certain exclusive rights over the software. The owner can restrict the use, inspection of source code, modification of source code, and redistribution. Vendors typically limit the number of computers on which software can be used, and prohibit the user from installing the software on extra computers. Restricted use is sometimes enforced through
The machine language understood by the computer's central processing unit. They typically retain the source code, or human-readable version of the software, often written in a higher level programming language. This scheme is often referred to as closed source. While most proprietary software is distributed without the source code, some vendors distribute the source code or otherwise make it available to customers. For example, users who have purchased
The Free Software Foundation. This includes software written only for Microsoft Windows, or software that could only run on Java, before it became free software. Most of the software is covered by copyright which, along with contract law, patents, and trade secrets, provides legal basis for its owner to establish exclusive rights. A software vendor delineates the specific terms of use in an end-user license agreement (EULA). The user may agree to this contract in writing, interactively on screen (clickwrap), or by opening
The box containing the software (shrink wrap licensing). License agreements are usually not negotiable. Software patents grant exclusive rights to algorithms, software features, or other patentable subject matter, with coverage varying by jurisdiction. Vendors sometimes grant patent rights to the user in the license agreement. The source code for a piece of proprietary software is routinely handled as
The creation and development of OpenSSH (aka OpenBSD Secure Shell), which is developed in the OpenBSD CVS repositories. OpenBSD Secure Shell is based on the original SSH. It first appeared in OpenBSD 2.6 and is now by far the most popular SSH client and server, available on many operating systems. The project has a policy of continually auditing source code for problems, work that developer Marc Espie has described as "never finished ... more
The email public on 14 December by forwarding it to the openbsd-tech mailing list and suggested an audit of the IPsec codebase. De Raadt's response was skeptical of the report and he invited all developers to independently review the relevant code. In the weeks that followed, bugs were fixed but no evidence of backdoors was found. De Raadt stated "I believe that NetSec was probably contracted to write backdoors as alleged. If those were written, I don't believe they made it into our tree. They might have been deployed as their own product." In December 2017, Ilja van Sprundel, director at IOActive, gave
The first public, anonymous revision control system server. De Raadt's decision allowed users to "take a more active role", and established the project's commitment to open access. OpenBSD is notable for its continued use of CVS (more precisely an unreleased, OpenBSD-managed fork named OpenCVS), when most other projects that used it have migrated to other systems. OpenBSD does not include closed source binary drivers in
The focus of the OpenBSD project. OpenBSD includes numerous features designed to improve security, such as: To reduce the risk of a vulnerability or misconfiguration allowing privilege escalation, many programs have been written or adapted to make use of privilege separation, privilege revocation and chrooting. Privilege separation is a technique, pioneered on OpenBSD and inspired by the principle of least privilege, where
The kernel and in user space programs. The OpenBSD policy on openness extends to hardware documentation: in the slides for a December 2006 presentation, De Raadt explained that without it "developers often make mistakes writing drivers", and pointed out that "the [oh my god, I got it to work] rush is harder to achieve, and some developers just give up." He went on to say that vendor-supplied binary drivers are unacceptable for inclusion in OpenBSD, that they have "no trust of vendor binaries running in our kernel" and that there
The legal status of software copyright, especially for object code, was not clear until the 1983 appeals court ruling in Apple Computer, Inc. v. Franklin Computer Corp. According to Brewster Kahle the legal characteristic of software changed also due to the U.S. Copyright Act of 1976. Starting in February 1983 IBM adopted an "object-code-only" model for a growing list of their software and stopped shipping much of
The main distribution: cwm, FVWM (part of the default configuration for Xenocara), and twm. OpenBSD features a full server suite and can be configured as a mail server, web server, FTP server, DNS server, router, firewall, NFS file server, or any combination of these. Since version 6.8, OpenBSD has also shipped with native in-kernel WireGuard support. Shortly after OpenBSD
The name OpenBSD refers to the availability of the operating system source code on the Internet, although the word "open" in the name OpenSSH means "OpenBSD". It also refers to the wide range of hardware platforms the system supports. OpenBSD supports a variety of system architectures including x86-64, IA-32, ARM, PowerPC, and 64-bit RISC-V. In December 1994, Theo de Raadt, a founding member of
The needs of the OpenBSD project. In 2017, Isotop, a French project aiming to adapt OpenBSD to desktops and laptops, using xfce then dwm, started to be developed. OpenBSD includes a number of third-party components, many with OpenBSD-specific patches, such as X.Org, Clang (the default compiler on several architectures), GCC, Perl, NSD, Unbound, ncurses, GNU binutils, GDB, and AWK. Development
The project maintains that the slogan is intended to refer to a default install and that it is correct by that measure. One of the fundamental ideas behind OpenBSD is a drive for systems to be simple, clean, and secure by default. The default install is quite minimal, which the project states is to ensure novice users "do not need to become security experts overnight", which fits with open-source and code auditing practices considered important elements of
The project's preferred BSD license, which allows binary redistributions without the source code, many components are reused in proprietary and corporate-sponsored software projects. The firewall code in Apple's macOS is based on OpenBSD's PF firewall code, Android's Bionic C standard library is based on OpenBSD code, LLVM uses OpenBSD's regular expression library, and Windows 10 uses OpenSSH (OpenBSD Secure Shell) with LibreSSL. The word "open" in
The same continuous auditing as the base system due to lack of manpower. Binary packages are built centrally from the ports tree for each architecture. This process is applied for the current version, for each supported release, and for each snapshot. Administrators are recommended to use the package mechanism rather than build the package from the ports tree, unless they need to perform their own source changes. OpenBSD's developers regularly meet at special events called hackathons, where they "sit down and code", emphasizing productivity. Most new releases include
The software from becoming unsupported and unavailable abandonware. 3D Realms and id Software are famous for the practice of releasing closed source software into the open source. Some of those kinds are free-of-charge downloads (freeware), some are still commercially sold (e.g. Arx Fatalis). More examples of formerly closed-source software in the List of commercial software with available source code and List of commercial video games with available source code. Proprietary software
The software. This is particularly common with certain programming languages. For example, the bytecode for programs written in Java can be easily decompiled to somewhat usable code, and the source code for programs written in scripting languages such as PHP or JavaScript is available at run time. Proprietary software vendors can prohibit the users from sharing the software with others. Another unique license
The source code available. Some licenses for proprietary software allow distributing changes to the source code, but only to others licensed for the product, and some of those modifications are eventually picked up by the vendor. Some governments fear that proprietary software may include defects or malicious features which would compromise sensitive information. In 2003 Microsoft established
The source code for installed software to customers. Customers who developed software often made it available to the public without charge. Closed source means computer programs whose source code is not published except to licensees. It is available to be modified only by the organization that developed it and those licensed to use the software. In 1969, IBM, which had antitrust lawsuits pending against it, led an industry change by starting to charge separately for mainframe software and services, by unbundling hardware and software. Bill Gates' "Open Letter to Hobbyists" in 1976 decried computer hobbyists' rampant copyright infringement of software, particularly Microsoft's Altair BASIC interpreter, and asserted that their unauthorized use hindered his ability to produce quality software. But
The source code is made available. Governments have also been accused of adding such malware to software themselves. According to documents released by Edward Snowden, the NSA has used covert partnerships with software companies to make commercial encryption software exploitable to eavesdropping, or to insert backdoors. Software vendors sometimes use obfuscated code to impede users who would reverse engineer
The source code, even to licensees. In 1983, binary software became copyrightable in the United States as well by the Apple vs. Franklin law decision, before which only source code was copyrightable. Additionally, the growing availability of millions of computers based on the same microprocessor architecture created for the first time an unfragmented and big enough market for binary distributed software. Software distributions considered as proprietary may in fact incorporate
The source tree, nor does it include code requiring the signing of non-disclosure agreements. According to the GNU Project, OpenBSD includes small "blobs" of proprietary object code as device firmware. Since OpenBSD is based in Canada, no United States export restrictions on cryptography apply, allowing the distribution to make full use of modern algorithms for encryption. For example, the swap space
The survey was spread mainly through mailing lists, forums and word of mouth. This combined with other factors, like the lack of a control group, a pre-screening process or significant outreach outside of the BSD community, makes the survey unreliable for judging BSD usage globally. OpenBSD features a robust TCP/IP networking stack, and can be used as a router or wireless access point. OpenBSD's security enhancements, built-in cryptography, and packet filter make it suitable for security purposes such as firewalls, intrusion-detection systems, and VPN gateways. Several proprietary systems are based on OpenBSD, including devices from Armorlogic (Profense web application firewall), Calyptix Security, GeNUA, RTMX, and .vantronix. Some versions of Microsoft's Services for UNIX, an extension to
The system against the patch branch of the CVS source repository for that release. Alternatively, a system administrator may opt to upgrade to the next snapshot release using sysupgrade, or by using the -current branch of the CVS repository, in order to gain pre-release access to recently added features. The sysupgrade tool can also upgrade to the latest stable release version. The generic OpenBSD kernel provided by default
The system is faithful to the Unix philosophy of small, simple tools that work together well: "Some base components are not as feature-rich, on purpose. Since 99% of the servers don't need the flexibility of Apache, OpenBSD's httpd will work fine, be more secure, and probably faster". He characterized the developer community's attitude to components as: "When the community decides that some module sucks, they develop
Was created, De Raadt was contacted by a local security software company named Secure Networks (later acquired by McAfee). The company was developing a network security auditing tool called Ballista, which was intended to find and exploit software security flaws. This coincided with De Raadt's interest in security, so the two cooperated leading up to the release of OpenBSD 2.3. This collaboration helped to define security as
Was extremely serious not only to OpenBSD, but also to the large number of other operating systems that were using OpenSSH by that time. This problem necessitated the adjustment of the slogan on the OpenBSD website to: One remote hole in the default install, in nearly 6 years! The quote remained unchanged as time passed, until on 13 March 2007, when Alfredo Ortega of Core Security Technologies disclosed