
from distribution to project

OpenBSD is going through something of a minimalist phase right now, but that wasn’t always the case. There was definitely an era of aggressive importation as well. Times change, priorities change, projects change. I wasn’t involved with OpenBSD during the early years, but I think I can explain the shift in attitudes. This is part three of an apparently ongoing series that started with Pruning and Polishing and out with the old, in with the less.


Kirk is really the guy who knows the early history, so I’ll keep this section short to avoid making mistakes. The CSRG wrote quite a lot of code, but they also reused lots of the original unix code. Hence, distribution. BSD wasn’t just an operating system; it was a distribution of a particular operating system. That changed as more code was replaced moving towards the lite releases, but collecting and curating remained important functions. Some pretty big components, e.g. NFS, were developed elsewhere and incorporated.


As the OG BSD project wound down, so did the collation and collection efforts. 386BSD added support for computers people actually had, but wasn’t completely integrated back. Then 386BSD slowed down, too, leaving an ever growing patchkit. And thus, FreeBSD and NetBSD, trying to put all the pieces together in one place. After a few years, NetBSD changed its name to OpenBSD to reflect a new focus on desktop computing. (I never promised this section would be free of mistakes.)


The first five years of OpenBSD definitely followed in the distribution track. Collect all the code, integrate it, ship it. And so OpenBSD included Apache to serve web pages. And lynx to read web pages. And apop3d to serve email. And perl. Definitely going to need that.

At the most recent hackathon I was reminded that it was at the very first hackathon that IPsec and IPv6 were integrated. OpenBSD was the first operating system to ship with either IPsec or IPv6. Cutting edge stuff.

Lots of security code was added. SSH is a notable example. And Kerberos. And SSLeay. And IPsec. And IPFilter. Although not stated, I think there was an assumption that even if the code wasn’t high quality, it would get better. People would use it, fix the bugs, onward and upward. The important idea was that somehow, if we keep pressing forward and add enough features, someone will figure out how to build a secure system out of them.

All of the above were developed outside the project. Every six months some lucky committer would run cvs import on the latest release. There were some patches and customizations, but a lot of development was in a sense outsourced. Compared to FreeBSD and NetBSD, OpenBSD was the project incorporating the most code. OpenBSD was the system with the largest base. About the only program not added was tcsh.


The middle ten years are OpenBSD in transition. The project continued updating and distributing the integrated code, but stopped importing so much new external code. Instead, homegrown replacements were written. Writing a new bgpd was better than importing zebra. And then came ntpd. So we should perhaps blame Henning for showing us a new way. ls /usr/sbin/*d exaggerates the situation, but it’s not entirely inaccurate.

Whereas the previous era considered whether code was useful before it was imported, the new question was “Is this the best there is, or can we do better?” The total size of OpenBSD continued to grow, but at a slower pace than before. However, the amount of original code increased substantially.

On the security front, systrace was probably the last attempt at more is better security. The focus since has been on mostly invisible features.


The last five years learned from the observations of the middle years. The in-house code wasn’t always perfect, but it required a lot less maintenance than the imported code. And so we started deleting even the already existing code. This chapter has already been covered in some depth.


I may be fire bomber in chief, but the project’s change in direction is not my doing. Rather, I’d say I just happened to embrace the new attitude as it emerged.

One of the first things I did after installing OpenBSD back in the day was set up a 6bone tunnel and ping6 all three other IPv6 sites out there. I was living in the future. Fifteen years later, and well... Fuck IPv6.

One of the first OpenBSD projects I worked on, that led to becoming a developer, was fixing null and union mounts. Just think of the possibilities of custom filesystem namespacing. Twelve years later, and... null mounts no longer exist.

Sometimes OpenBSD gets bogged down by a kind of not invented here attitude. And often OpenBSD is missing the latest gizmo. But it’s not like the project has never experienced the shiny life.

Posted 31 Jul 2015 03:52 by tedu Updated: 31 Jul 2015 03:52
Tagged: openbsd