Formerly, my thoughts on OpenBSD were scattered around my website. I’d allude to its strengths when needed; however, that approach made my argumentation feel disjointed as a result. Overall, it seems more sensible to have a central place to talk about these things that can be linked to from elsewhere.
Firstly, I’d like to bring up the ‘dealbreakers.’ I wouldn’t recommend OpenBSD to those that:
If you remain unfettered by these, or at least aren’t bothered by them too much, continue on. Otherwise, perhaps Librehunt will be of more avail.
When I say simplicity, I mean architectural simplicity. OpenBSD follows the Unix philosophy and consciously avoids feature creep. There aren’t as many bells and whistles compared to other operating systems and that’s good! That means there’s less to sift through if something breaks.
One of Linux’s strengths is also a grave weakness: the abundance of
choice. Deciding what implementation to use for a mail/web/DNS/NTP
server is a task in itself, as there are many out there. With OpenBSD,
one already has a sane, powerful, and secure suite of software to choose
from, also known as the base
system. For
instance, a secure web server with automated certificate renewal can be
had with httpd(8) and
acme-client(1), all without
installing any additional software.
See OpenBSD’s “innovations” page for more cool software and ideas developed by the OpenBSD project. Did you know that OpenSSH is an OpenBSD project?
OpenBSD feels transparent and comprehensible. Between the FAQ, man
pages, and mailing lists, as well as other resources (/etc/examples,
/usr/local/share/doc/pkg-readmes), OpenBSD gives one the tools to
understand any problems one may run into at a fundamental level. It’s a
didactic environment well-suited to anyone with a DIY attitude.
Of course, no discussion of OpenBSD’s strengths would be complete
without mention of its focus on
security. One great example is
pledge(2) and
unveil(2) support for Firefox and Tor
Browser. There’s no reason these browsers should be able to read
~/.ssh, ~/.gnupg, or private documents, so they can’t. If they request a file
or capability outside of those that are whitelisted (~/Downloads being one
such whitelisted location), they’ll fail. As a result, the amount of
damage a malicious extension or browser exploit can wreak is much less
than usual.
kern.video.record and kern.audio.record are both set to 0 by
default, meaning that no video or audio can be recorded without
permission.
This might sound strange. Surely Linux supports more hardware, no? The
key is that when OpenBSD supports a piece of hardware, it supports it
really well. Things that are often a struggle to set up on minimalist
Linux distributions are a piece of cake on OpenBSD. Power management,
CPU frequency scaling, and hibernate + suspend are easily handled by
apmd(8), for example.
Enable the service.
# rcctl enable apmd
Ensure that it’ll be started in automatic performance adjustment mode.
# rcctl set apmd flags '-A'
Finally, start the service.
# rcctl start apmd
The only unusual thing regarding hardware compatibility is that binary
blobs, needed sometimes for graphics and wireless, aren’t distributed
with the installation images. Rather, they’re automatically detected and
installed with fw_update(1) upon
first boot given a functioning Internet connection. I’d say it’s a
superior approach overall, as binary blobs are a security risk and using
a tool like this ensures only what’s needed is installed.
I mean this both in terms of system stability and how fast things change. A constantly changing system is a nightmare to maintain for system administrators.