Why OpenBSD?

The OpenBSD logo with the mascot, Puffy the pufferfish, above it.

Formerly, my thoughts on OpenBSD were scattered around my website. I'd allude to its strengths when needed; however, that approach made my argumentation feel disjointed as a result. Overall, it seems more sensible to have a central place to talk about these things that can be linked to from elsewhere.

Why not OpenBSD?

Firstly, I'd like to bring up the ‘dealbreakers.‘ I wouldn't recommend OpenBSD to those that:

If you remain unfettered by these, or at least aren't bothered by them too much, continue on. Otherwise, perhaps Librehunt will be of more avail.

Simplicity

When I say simplicity, I mean architectural simplicity. OpenBSD follows the Unix philosophy and consciously avoids feature creep. There aren't as many bells and whistles compared to other operating systems and that's good! That means there's less to sift through if something breaks.

Less decision paralysis

One of Linux's strengths is also a grave weakness: the abundance of choice. Deciding what implementation to use for a mail/web/DNS/NTP server is a task in itself, as there are many out there. With OpenBSD, one already has a sane, powerful, and secure suite of software to choose from, also known as the base system. For instance, a secure web server with automated certificate renewal can be had with httpd(8) and acme-client(1), all without installing any additional software.

See OpenBSD's ‘innovations’ page for more cool software and ideas developed by the OpenBSD project. Did you know that OpenSSH is an OpenBSD project?

Great documentation

OpenBSD feels transparent and comprehensible. Between the FAQ, man pages, and mailing lists, as well as other resources (/etc/examples, /usr/local/share/doc/pkg-readmes), OpenBSD gives one the tools to understand any problems one may run into at a fundamental level. It's a didactic environment well-suited to anyone with a DIY attitude.

Security

Of course, no discussion of OpenBSD's strengths would be complete without mention of its focus on security. One great example is pledge(2) and unveil(2) support for Firefox and Tor Browser. There's no reason these browsers should be able to read ~/.ssh, ~/.gnupg, or private documents, so they can't. If they request a file or capability outside of those that are whitelisted (~/Downloads being one such whitelisted location), they'll fail. As a result, the amount of damage a malicious extension or browser exploit can wreak is much less than usual.

Privacy

kern.video.record and kern.audio.record are both set to 0 by default, meaning that no video or audio can be recorded without permission.

Hardware compatibility

This might sound strange. Surely Linux supports more hardware, no? The key is that when OpenBSD supports a piece of hardware, it supports it really well. Things that are often a struggle to set up on minimalist Linux distributions are a piece of cake on OpenBSD. Power management, CPU frequency scaling, and hibernate + suspend are easily handled by apmd(8), for example.

  1. Enable the service.

    # rcctl enable apmd
    
  2. Ensure that it'll be started in automatic performance adjustment mode.

    # rcctl set apmd flags '-A'
    
  3. Finally, start the service.

    # rcctl start apmd
    

The only thing a bit ‘weird’ regarding hardware compatibility is that binary blobs, needed sometimes for graphics and wireless, aren't distributed with the installation images. Rather, they're automatically detected and installed with fw_update(1) upon first boot given a functioning Internet connection. I'd say it's a superior approach overall, as binary blobs are a security risk and using a tool like this ensures only what's needed is installed.

Stability

I mean this both in terms of system stability and how fast things change. A constantly changing system is a nightmare to maintain for system administrators.

Other resources