! OpenBSD looks a lot like NetBSD (from which it is derived, following
! the 4.4BSD roots), but is now being developed seperately. Good changes
! from other free operating systems will be merged in (of course, depending
! on various factors like developer time for example.) OpenBSD tracks
! NetBSD changes very closely; say anywhere between 2 to 10 days
! behind the state of NetBSD-current all the time. Hence you can truly
! say that OpenBSD is NetBSD PLUS MORE STUFF.
!
!
! Compared to NetBSD, various additions have been made. This is a
! partial list of the major machine independent changes (ie. these are the
! changes people ask about most often). Check the page of the specific port
! you are interested in for further port-specific details. Note that many ports
! have had architecture-specific enhancements.
!
!
!
Many many NetBSD PR's fixed (which NetBSD has not yet fixed)
!
New curses library, including libform, libpanel and libmenu.
!
a termlib library which understands termcap.db, needed for new curses.
!
The FreeBSD ports subsystem was integrated and is usable by you!
!
ipfilter for filtering dangerous packets
!
better ELF support
!
nlist() that understands ELF, ECOFF, and a.out, allowing non-a.out ports
! to use kvm utilies
!
Verbatim integration of the GNU tools (using a wrapper Makefile)
!
All the pieces needed for cross compilation are in the source tree.
!
Some LKM support in the tree.
!
ATAPI support (should work on all ISA busses)
!
new scsi, md5, pkg_* commands
!
Numerous security related fixes
!
Kerberos and other crypto in the source tree that is exportable
!
Solid YP master, server, and client capabilities.
!
/dev/*random -- a device driver providing some kinds of random data
!
In-kernel update(8) with an adaptive algorithm
!
Some ddb improvements and extensions
!
Numerous scsi fixes
!
ncheck utility for ffs
!
/sbin/init now deals with non-existant ttys, no longer spins gettys madly.
!
new system calls: rfork(), minherit(), poll().
!
select() that can handle any amount of file descriptors.
!
kernfs extensions
!
ATM support (support for one company's sparc & i386 cards available)
!
Boot kernels with "-c" to edit/enable/disable device configuration tables
!
pax as tar, gnutar is toast
!
using AT&T awk, gawk is toast
!
Even more security fixes.
!
Accepts FreeBSD MD5 passwords in password maps, soon will be able to
! generate them too
!
Linux ext2fs and BSD4.4 LFS support being worked on.
!
Working ATAPI audio support for multiple architectures.
!
terminfo database support.
!
Fortran in the tree.
!
The most secure rdist support anywhere.
!
randomized port allocation in bind(), bindresvport(), and rresvport() --
! security via unpredictability.
!
Protection from the udp spamming and ftp bounce attacks.
!
Significantly improved ftp daemon.
!
Numerous more security policy and implimentation improvements (OpenBSD
! defaults to installing in a very secure mode)
!
zlib (non-GPL'd gzip-compatible library)
!
Newest version of pppd.
!
_POSIX_SAVED_IDS behaviour with permitted BSD extensions.
!
Fixed long-standing vm swap-leak.
!
FreeBSD malloc() that uses mmap() and is able to free unused memory.
!
Numerous FreeBSD userland fixes and improvements incorporated.
!
new rdisc Router Discovery daemon
!
generic protection against the bind() takeover problem.
!
at -f security fix.
!
20 or so more security fixes
!
install now supports -C, -p, and -S flags.
!
a real adduser program, which can even be used uninteractively.
!
POSIX & C2 requirement; lose setuid/setgid bits if owner/group changed
! by chown(). This can be turned off with sysctl.
!
partial protection against tcp SYN attacks.
!
added /etc/fbtab support to login & init.
!
RCS version 5.7
!
much newer join command (4.4lite2 with other fixes)
!
scsi subsystem security fix
!
Kerberos is much more silent if not configured
!
arc4-based random support in kernel
!
ncr53cXXX scsi scripts assembler
!
Numerous ftpd improvements and fixes, including multihomed and skey support.
!
`lsof'-style features in fstat.
!
rudimentary support for ISA Plug-and-Play cards
!
Fixed timeout support in RPC library, and also fixed it to support more
! than FD_SETSIZE file descriptors.
!
improved locate command
!
a good start at NETIPX support
!
vim version 4.5
!
gcc 2.7.2.1 (to get closer to native alpha support ar gcc
! bugs).
!
latest version of perl, and a lndir command.
!
Even more security fixes.
!
cdio command for using CD audio.
!
Kernel warns f /dev/ces not ebooting ated /de
libgis gone; our malloc() is better.
!
FreeBSD pipe() system call; quite a bit faster.
!
Some serial driver support for /dev/cuaXX devices to support transparent
! out+dial
!
DDcess symrom LKM es
!
Say goodbye to dump, restore, and mt security holes: They are no longer
! setuid.
!
*Hobbit*'s netcat utility. The crackers use it, so should you.
!
New routed from SGI.
!
Complete in-tree development for MIPS/Alpha systems (ie. binutils).
!
And of course... more security related bugfixes... (ie. dump,
! restore, mt).
!
vim is replacing nvi, since nvi does not have a pure BSD license, and vim
! also works better.
!
16 partitions working on sparc and i386 (yipee!)
!
Nice sample files in /etc
!
sendmail gecos hole fixed (in a number of ways; other programs in the
! source tree were also vulnerable.)
!
secure multicast tools against possible security problems.
!
latest GNU groff, incorporated in a clean wrapperized form.
!
mopd for networking booting Digital machines
!
less version 2.90
!
deal with the SYN bomb problem (denial of service attack) as well known.
!
Sendmail 8.8.4 with smrsh
!
Another kerberos security fix.
!
Almost a hundred more security fixes, including /tmp races because of strncpy.
!
Compile time option to compile the source tree almost completely dynamic.
!
A 7% reduction in size of static binaries.
!
FreeBSD's adduser(8) command. Also an rmuser(8) command.
!
We have completed security reviews of almost all userland programs and
! libraries except for the gnu stuff (where, based on preliminary
! inspection there is poor handling of temp files).
!
Working Linux ext2fs.
!
Added sudo (which is maintained by one of our developers)
!
CTM is now a supported way of obtaining OpenBSD source code.
!
The NIST Posix test suite became free. As a result we have been correcting
! numerous problems in the source tree, and expect to be completely
! POSIX compliant very soon.
!
upgrade to CVS version 1.9.
!
Added -C option to pax/tar. Also made -z support compressed files too.
!
Updated md4 and md5 headers to use bittypes so they work on 64-bit machines.
!
IDE Hard Disk driver fix reduces chance of NULL pointers
!
binutils is now 961112 release from CYGNUS
!
includes and system dependancies now work on explicit 16- and 32-bit quantities-- not the machine dependent "short" and "long" integer.
!
!
! This list only mentions platform-independent changes. For a list of changes
! made in a particular platform, please check the page for that platform.
! OpenBSD looks a lot like NetBSD (from which it is derived, following
! the 4.4BSD roots), but is now being developed seperately. Good changes
! from other free operating systems will be merged in (of course, depending
! on various factors like developer time for example.) OpenBSD tracks
! NetBSD changes very closely; say anywhere between 2 to 10 days
! behind the state of NetBSD-current all the time. Hence you can truly
! say that OpenBSD is NetBSD PLUS MORE STUFF.
!
!
! Compared to NetBSD, various additions have been made. This is a
! partial list of the major machine independent changes (ie. these are the
! changes people ask about most often). Check the page of the specific port
! you are interested in for further port-specific details. Note that many ports
! have had architecture-specific enhancements.
!
!
!
Many many NetBSD PR's fixed (which NetBSD has not yet fixed)
!
New curses library, including libform, libpanel and libmenu.
!
a termlib library which understands termcap.db, needed for new curses.
!
The FreeBSD ports subsystem was integrated and is usable by you!
!
ipfilter for filtering dangerous packets
!
better ELF support
!
nlist() that understands ELF, ECOFF, and a.out, allowing non-a.out ports
! to use kvm utilies
!
Verbatim integration of the GNU tools (using a wrapper Makefile)
!
All the pieces needed for cross compilation are in the source tree.
!
Some LKM support in the tree.
!
ATAPI support (should work on all ISA busses)
!
new scsi, md5, pkg_* commands
!
Numerous security related fixes
!
Kerberos and other crypto in the source tree that is exportable
!
Solid YP master, server, and client capabilities.
!
/dev/*random -- a device driver providing some kinds of random data
!
In-kernel update(8) with an adaptive algorithm
!
Some ddb improvements and extensions
!
Numerous scsi fixes
!
ncheck utility for ffs
!
/sbin/init now deals with non-existant ttys, no longer spins gettys madly.
!
new system calls: rfork(), minherit(), poll().
!
select() that can handle any amount of file descriptors.
!
kernfs extensions
!
ATM support (support for one company's sparc & i386 cards available)
!
Boot kernels with "-c" to edit/enable/disable device configuration tables
!
pax as tar, gnutar is toast
!
using AT&T awk, gawk is toast
!
Even more security fixes.
!
Accepts FreeBSD MD5 passwords in password maps, soon will be able to
! generate them too
!
Linux ext2fs and BSD4.4 LFS support being worked on.
!
Working ATAPI audio support for multiple architectures.
!
terminfo database support.
!
Fortran in the tree.
!
The most secure rdist support anywhere.
!
randomized port allocation in bind(), bindresvport(), and rresvport() --
! security via unpredictability.
!
Protection from the udp spamming and ftp bounce attacks.
!
Significantly improved ftp daemon.
!
Numerous more security policy and implimentation improvements (OpenBSD
! defaults to installing in a very secure mode)
!
zlib (non-GPL'd gzip-compatible library)
!
Newest version of pppd.
!
_POSIX_SAVED_IDS behaviour with permitted BSD extensions.
!
Fixed long-standing vm swap-leak.
!
FreeBSD malloc() that uses mmap() and is able to free unused memory.
!
Numerous FreeBSD userland fixes and improvements incorporated.
!
new rdisc Router Discovery daemon
!
generic protection against the bind() takeover problem.
!
at -f security fix.
!
20 or so more security fixes
!
install now supports -C, -p, and -S flags.
!
a real adduser program, which can even be used uninteractively.
!
POSIX & C2 requirement; lose setuid/setgid bits if owner/group changed
! by chown(). This can be turned off with sysctl.
!
partial protection against tcp SYN attacks.
!
added /etc/fbtab support to login & init.
!
RCS version 5.7
!
much newer join command (4.4lite2 with other fixes)
!
scsi subsystem security fix
!
Kerberos is much more silent if not configured
!
arc4-based random support in kernel
!
ncr53cXXX scsi scripts assembler
!
Numerous ftpd improvements and fixes, including multihomed and skey support.
!
`lsof'-style features in fstat.
!
rudimentary support for ISA Plug-and-Play cards
!
Fixed timeout support in RPC library, and also fixed it to support more
! than FD_SETSIZE file descriptors.
!
improved locate command
!
a good start at NETIPX support
!
vim version 4.5
!
gcc 2.7.2.1 (to get closer to native alpha support ar gcc
! bugs).
!
latest version of perl, and a lndir command.
!
Even more security fixes.
!
cdio command for using CD audio.
!
Kernel warns f /dev/ces not ebooting ated /de
libgis gone; our malloc() is better.
!
FreeBSD pipe() system call; quite a bit faster.
!
Some serial driver support for /dev/cuaXX devices to support transparent
! out+dial
!
DDcess symrom LKM es
!
Say goodbye to dump, restore, and mt security holes: They are no longer
! setuid.
!
*Hobbit*'s netcat utility. The crackers use it, so should you.
!
New routed from SGI.
!
Complete in-tree development for MIPS/Alpha systems (ie. binutils).
!
And of course... more security related bugfixes... (ie. dump,
! restore, mt).
!
vim is replacing nvi, since nvi does not have a pure BSD license, and vim
! also works better.
!
16 partitions working on sparc and i386 (yipee!)
!
Nice sample files in /etc
!
sendmail gecos hole fixed (in a number of ways; other programs in the
! source tree were also vulnerable.)
!
secure multicast tools against possible security problems.
!
latest GNU groff, incorporated in a clean wrapperized form.
!
mopd for networking booting Digital machines
!
less version 2.90
!
deal with the SYN bomb problem (denial of service attack) as well known.
!
Another kerberos security fix.
!
Almost a hundred more security fixes, including /tmp races because of strncpy.
!
Compile time option to compile the source tree almost completely dynamic.
!
A 7% reduction in size of static binaries.
!
FreeBSD's adduser(8) command. Also an rmuser(8) command.
!
We have completed security reviews of almost all userland programs and
! libraries except for the gnu stuff (where, based on preliminary
! inspection there is poor handling of temp files).
!
Working Linux ext2fs.
!
Added sudo (which is maintained by one of our developers)
!
CTM is now a supported way of obtaining OpenBSD source code.
!
The NIST Posix test suite became free. As a result we have been correcting
! numerous problems in the source tree, and expect to be completely
! POSIX compliant very soon.
!
upgrade to CVS version 1.9.
!
A number of security fixes to the way coredumping works.
!
The /dev/*random devices are now default on all architectures.
!
Add stack tracebacks to Arc port's kernel debugger.
!
Skey revamped into full OTP (RFC1938) support, including sha1 and
! md5 support.
!
GPL i387 emulator added.
!
Crank kvm space on the i386 port, also limit buffer cache useage
! so that 512MB machines may work (untested :-)
!
Numerous fixes to the lpr suite, including security.
!
More ftpd raging paranoia security fixes.
!
The NIST suite showed numerous errors in libraries and the kernel.
! Only a few small errors remain now, mostly regarding serial
! ports.
!
In numerous utilities: prefer $LOGNAME, but also accept $USER.
!
OLF binary type added. This is like ELF, but includes an OS-dependent
! tag. elf2olf(1) converts an elf binary to a tagged OLF binary which
! the kernel can recognize correctly.
!
Beware $HOME overflows throughout the source tree.
!
Integration of the pmax port.
!
Import of ctm.
!
Various repairs to the scsi scanner support.
!
Numerous more difficult-to-exploit-but-possible-if-someone-really-wanted-to
! buffer overflows found in system utilities..
!
Memory leak paranoia in cron.
!
Make login get more consistantly upset about failed logins, and tell user
! about these failures at the next successfull login.
!
pdksh version is now 5.2.11
!
New bsd.*.mk feature: DEBUG=-g. Try it, you'll like it.
!
The Arc port family has a new member: The rPC44 works!
!
lpt driver is now bus-independent.
!
com driver is now bus-independent.
!
Numerous small security fixes again...
!
Use pdksh as our /bin/sh. This provides excellent POSIX compliance.
!
Prevent generic users from mounting filesystems by default.
!
Added -C option to pax/tar. Also made -z support compressed files too.
!
Increased compatibility in the pccons driver with BSDi features.
!
Imported FreeBSD's calendar.
!
GNU gdb works on the mips-based platforms.
!
Add FreeBSD md5 diffs to mtree(8). This can be used to implement a
! tripwire-like system.
!
Some YP and bootparamd security changes.
!
Hundreds of little fixes all over the place.
!
Multiple updates for GNU software
!
Add disklabels to the floppy device drivers.
!
At boottime, have (*mountroot)() look at the root device's disklabel
! to determine which filesystem type is to be mounted.
!
If disklabel reading code discovers an ISOFS filesystem underlying,
! spoof a nice disklabel (enough to fool mountroot).
!
tcpdump 3.3
!
Fix information gathering attack in ping(8).
!
Add NetBSD's "route show" implementation, and at the samet time fix
! the new buffer overflows that this provided.
!
Fix a few setgroups() related security holes.
!
sendmail 8.8.4
!
texinfo 3.9
!
f77 0.5.19
!
Repair some more KerberosIV buffer overflows. Hard to believe this is
! supposed to be security software.
!
Add XCASE/IUCLC/OLCUC/OCRNL/ONOCR/ONLRET tty subsystem flags for
! backwards compatibility.
!
Permit NFS attribute cache to be configured on a per-mount basis.
!
!
Properly split fsck, mount, and newfs into multiple pieces. Use
! disklabel information if it is available.
!
Add disklabels to the vnd device driver.
!
Change the games to be run setgid games, not setuid games. This closes
! a whole slew of fascinating security holes.
!
Import of the powerpc port.
!
Properly use _POSIX_SAVED_IDS throughout the source tree.
!
Permit building of kernels without a.out support.
!
ppp 2.3b3
!
libcrypt goes away. We do not need this stub library anymore. Do not link
! against it on OpenBSD, all the pieces you need are in libc.
!
!
!
! This list only mentions platform-independent changes. For a list of changes
! made in a particular platform, please check the page for that platform.
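
Review bot: the new side of this hunk loses security-relevant detail that the old side had. The old entry "Sendmail 8.8.4 with smrsh" becomes a bare "sendmail 8.8.4" further down, so the list no longer says the restricted shell is shipped; keep the "with smrsh" wording. The four entries that ended the old list (md4/md5 headers using bittypes, the IDE hard disk NULL pointer fix, binutils 961112, explicit 16- and 32-bit quantities) do not appear anywhere in the new list; if they were not dropped on purpose, restore them. "Linux ext2fs and BSD4.4 LFS support being worked on." is still listed alongside "Working Linux ext2fs.", so the earlier entry should be reduced to LFS. Several new entries repeat the pattern of "Numerous small security fixes again..." without naming a component; an entry such as "at -f security fix." is more useful to someone checking whether a given program was audited, so name the affected utility where it is known. The entries beginning "Kernel warns f /dev/ces" and "DDcess symrom LKM es" are unreadable on both sides and need to be rewritten from the original text. Spelling to fix while the lines are being touched: "seperately", "implimentation", "useage", "consistantly", "successfull", "samet time".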