Formerly, my thoughts on OpenBSD were scattered around my website. I’d allude to its strengths when needed. However, that approach made my argumentation feel disjointed as a result. Overall, it seems more sensible to have a central place to talk about these things that can be linked to from elsewhere.
Firstly, I’d like to bring up the ‘dealbreakers.’ I wouldn’t recommend OpenBSD to those that:
$PREVIOUS_OS.If these aren’t things that align with a given use case, maybe Librehunt will be of more avail. Otherwise, continue on.
When I say simplicity, I mean simplicity from a software design/development perspective. OpenBSD follows the Unix philosophy and consciously avoids feature creep. There aren’t as many bells and whistles compared to other operating systems and that’s good. That means there’s less to sift through if something breaks.
One of Linux’s strengths is also a grave weakness: the abundance of choice. Deciding what implementation to use for a mail/web/DNS/NTP server is a task in itself, as there are many out there.
With OpenBSD, one already has a sane, powerful, and secure suite of
software to choose from, also known as the base
system. For
instance, a web server with HTTPS and automated certificate renewal can
be had with httpd(8),
acme-client(1), and
cron(8), all without installing any
additional software.
See OpenBSD’s “innovations” page for more cool software and ideas developed by the OpenBSD project. Did you know that OpenSSH is an OpenBSD project?
OpenBSD feels transparent and comprehensible. Between the FAQ, man
pages, and mailing lists, as well as other resources like
/etc/examples and /usr/local/share/doc/pkg-readmes, the user isn’t
lacking in ways to understand how the system works under the hood. An
OpenBSD installation is a didactic environment well-suited to anyone
with a DIY attitude.
Of course, no discussion of OpenBSD’s strengths would be complete without mention of its focus on security.
One example I like, albeit one not strictly focused on the base system,
is how Firefox and Tor Browser are packaged with
pledge(2) and
unveil(2) in mind. Speaking to the
latter system call, there’s no reason these browsers should be able to
read ~/.ssh or ~/.gnupg, so they can’t. They can only interact with
whitelisted paths (with permission to read, write, execute, create, or
any combination thereof, depending on what’s stipulated). As a result,
the amount of damage a malicious extension or browser exploit could
wreak is much less than usual.
kern.video.record and kern.audio.record are both set to 0 by
default, meaning that no video or audio can be recorded without
permission.
I mean this both in terms of system stability and how fast things change. A constantly changing system is a nightmare to maintain for system administrators.
Users can depend on a new release being made available about once every
6 months. Every new release comes with documentation on changes made and
how to upgrade, which is a painless process with the
sysupgrade(8) tool.
OpenBSD is certainly configurable, but the project’s attitudes toward knobs is different from some others. OpenBSD tries to set good defaults that work for everyone in the hopes that people won’t need to fiddle around much (the more someone who doesn’t totally understand what they’re doing changes a system, the more likely they are to break something).
Unlike many minimal Linux distributions, time synchronization, cron, log rotation, a stateful packet filter/firewall, and local mail delivery are all enabled by default on a new OpenBSD installation.
OpenBSD makes a good OS for both the desktop and the server, at least for my needs.