Return to plus.html CVS log

Up to [local] / www

clarify

<!DOCTYPE HTML PUBLIC  "-//IETF//DTD HTML Strict//EN">
<html>
<head>
<title>OpenBSD changes</title>
<link rev=made href=mailto:www@openbsd.org>
<meta name="resource-type" content="document">
<meta name="description" content="the main OpenBSD page">
<meta name="keywords" content="openbsd,main">
<meta name="distribution" content="global">
<meta name="copyright" content="This document copyright 1996 by OpenBSD, Inc.">
</head>

<body>

<h1>OpenBSD</h1>
<hr>
<h3>Changes Relative to other *BSD's.</h3>

<p>
OpenBSD looks a lot like NetBSD (from which it is derived, following
the 4.4BSD roots), but is now being developed seperately.  Good changes
from other free operating systems will be merged in (of course, depending
on various factors like developer time for example.)  OpenBSD tracks
NetBSD changes very closely; say anywhere between 2 to 10 days
behind the state of NetBSD-current all the time.  You used to be able to
say that OpenBSD is NetBSD <b>PLUS MORE STUFF</b>, but nowadays OpenBSD
very much is it's own thing.  Too much stuff was added and fixed to be
able to compare it against NetBSD...

<p>
Compared to NetBSD, various additions have been made. This is a
partial list of the major machine independent changes (ie. these are the 
changes people ask about most often). Check the page of the specific port
you are interested in for further port-specific details. Note that many ports
have had architecture-specific enhancements.

<p>
<h3>Life for the OpenBSD project begins...</h3>
<p>
<ul>
<li>Many many NetBSD PR's fixed (which NetBSD has not yet fixed)
<li>New curses library, including libform, libpanel and libmenu.
<li>a termlib library which understands termcap.db, needed for new curses. 
<li>The FreeBSD ports subsystem was integrated and is usable by you! 
<li>ipfilter for filtering dangerous packets
<li>better ELF support
<li>nlist() that understands ELF, ECOFF, and a.out, allowing non-a.out ports
        to use kvm utilies 
<li>Verbatim integration of the GNU tools (using a wrapper Makefile)
<li>All the pieces needed for cross compilation are in the source tree.
<li>Some LKM support in the tree.
<li>ATAPI support (should work on all ISA busses)
<li>new scsi, md5, pkg_* commands
<li>Numerous security related fixes
<li>Kerberos and other crypto in the source tree that is exportable
<li>Solid YP master, server, and client capabilities.
<li>/dev/*random -- a device driver providing some kinds of random data
<li>In-kernel update(8) with an adaptive algorithm
<li>Some ddb improvements and extensions
<li>Numerous scsi fixes
<li>ncheck utility for ffs
<li>/sbin/init now deals with non-existant ttys, no longer spins gettys madly.
<li>new system calls: rfork(), minherit(), poll().
<li>select() that can handle any amount of file descriptors.
<li>kernfs extensions
<li>ATM support (support for one company's sparc & i386 cards available)
<li>Boot kernels with "-c" to edit/enable/disable device configuration tables
<li>pax as tar, gnutar is toast
<li>using AT&T awk, gawk is toast
<li>Even more security fixes.
<li>Accepts FreeBSD MD5 passwords in password maps, soon will be able to
        generate them too
<li>Linux ext2fs and BSD4.4 LFS support being worked on.
<li>Working ATAPI audio support for multiple architectures.
<li>terminfo database support.
<li>Fortran in the tree.
<li>The most secure rdist support anywhere.
<li>randomized port allocation in bind(), bindresvport(), and rresvport() --
        security via unpredictability.
<li>Protection from the udp spamming and ftp bounce attacks.
<li>Significantly improved ftp daemon.
<li>Numerous more security policy and implimentation improvements (OpenBSD
        defaults to installing in a very secure mode)
<li>zlib (non-GPL'd gzip-compatible library)
<li>Newest version of pppd.
<li>_POSIX_SAVED_IDS behaviour with permitted BSD extensions.
<li>Fixed long-standing vm swap-leak.
<li>FreeBSD malloc() that uses mmap() and is able to free unused memory.
<li>Numerous FreeBSD userland fixes and improvements incorporated.
<li>new rdisc Router Discovery daemon
<li>generic protection against the bind() takeover problem.
<li>at -f security fix.
<li>20 or so more security fixes
<li>install now supports -C, -p, and -S flags.
<li>a real adduser program, which can even be used uninteractively.
<li>POSIX & C2 requirement; lose setuid/setgid bits if owner/group changed
        by chown(). This can be turned off with sysctl.
<li>partial protection against tcp SYN attacks.
<li>added /etc/fbtab support to login & init.
<li>RCS version 5.7
<li>much newer join command (4.4lite2 with other fixes)
<li>scsi subsystem security fix
<li>Kerberos is much more silent if not configured
<li>arc4-based random support in kernel
<li>ncr53cXXX scsi scripts assembler
<li>Numerous ftpd improvements and fixes, including multihomed and skey support.
<li>`lsof'-style features in fstat.
<li>rudimentary support for ISA Plug-and-Play cards
<li>Fixed timeout support in RPC library, and also fixed it to support more
        than FD_SETSIZE file descriptors.
<li>improved locate command
<li>a good start at NETIPX support
<li>vim version 4.5
<li>gcc 2.7.2.1 (to get closer to native alpha support ar gcc
        bugs).
<li>latest version of perl, and a lndir command.
<li>Even more security fixes.
<li>cdio command for using CD audio. 
<li>Kernel warns f /dev/ces not ebooting ated /de<li>libgis gone; our malloc() is better.
<li>FreeBSD pipe() system call; quite a bit faster.
<li>Some serial driver support for /dev/cuaXX devices to support transparent
      out+dial
<li>DDcess symrom LKM es
<li>Say goodbye to dump, restore, and mt security holes: They are no longer
        setuid.
<li>*Hobbit*'s netcat utility. The crackers use it, so should you.
<li>New routed from SGI.
<li>Complete in-tree development for MIPS/Alpha systems (ie. binutils).
<li>ftp command modified for easily scripted ftp & http downloads.
<li>And of course... more security related bugfixes... (ie. dump,
        restore, mt).
<li>vim is replacing nvi, since nvi does not have a pure BSD license, and vim
        also works better.
<li>16 partitions working on sparc and i386 (yipee!)
<li>Nice sample files in /etc
<li>sendmail gecos hole fixed (in a number of ways; other programs in the
	source tree were also vulnerable.)
<li>secure multicast tools against possible security problems.
<li>latest GNU groff, incorporated in a clean wrapperized form.
<li>mopd for networking booting Digital machines
<li>less version 2.90
<li>deal with the SYN bomb problem (denial of service attack) as well known.
<li>Another kerberos security fix.
<li>Almost a hundred more security fixes, including /tmp races because of strncpy.
<li>Compile time option to compile the source tree almost completely dynamic.
<li>A 7% reduction in size of static binaries.
<li>FreeBSD's adduser(8) command. Also an rmuser(8) command.
<li>We have completed security reviews of almost all userland programs and
        libraries except for the gnu stuff (where, based on preliminary
        inspection there is poor handling of temp files).
<li>Working Linux ext2fs.
<li>Added sudo (which is maintained by one of our developers)
<li>CTM is now a supported way of obtaining OpenBSD source code.
</ul>
<p>
<h3>OpenBSD 2.0 released.</h3>
<p>
<ul>
<li>The NIST Posix test suite became free. As a result we have been correcting
	numerous problems in the source tree, and expect to be completely
	POSIX compliant very soon.
<li>upgrade to CVS version 1.9.
<li>A number of security fixes to the way coredumping works.
<li>The /dev/*random devices are now default on all architectures.
<li>Add stack tracebacks to Arc port's kernel debugger.
<li>Skey revamped into full OTP (RFC1938) support, including sha1 and
	md5 support.
<li>GPL i387 emulator added.
<li>Crank kvm space on the i386 port, also limit buffer cache useage
	so that 512MB machines may work (untested :-)
<li>Numerous fixes to the lpr suite, including security.
<li>More ftpd raging paranoia security fixes.
<li>The NIST suite showed numerous errors in libraries and the kernel.
	Only a few small errors remain now, mostly regarding serial
	ports.
<li>In numerous utilities: prefer $LOGNAME, but also accept $USER.
<li>OLF binary type added.  This is like ELF, but includes an OS-dependent
	tag. elf2olf(1) converts an elf binary to a tagged OLF binary which
	the kernel can recognize correctly.
<li>Beware $HOME overflows throughout the source tree.
<li>Integration of the pmax port.
<li>Import of ctm.
<li>Various repairs to the scsi scanner support.
<li>Numerous more difficult-to-exploit-but-possible-if-someone-really-wanted-to
	buffer overflows found in system utilities..
<li>Memory leak paranoia in cron.
<li>Make login get more consistantly upset about failed logins, and tell user
	about these failures at the next successfull login.
<li>pdksh version is now 5.2.11
<li>New bsd.*.mk feature: DEBUG=-g.  Try it, you'll like it.
<li>The Arc port family has a new member: The rPC44 works! 
<li>lpt driver is now bus-independent.
<li>com driver is now bus-independent.
<li>Numerous small security fixes again...
<li>Use pdksh as our /bin/sh.  This provides excellent POSIX compliance.
<li>Prevent generic users from mounting filesystems by default.
<li>Added -C option to pax/tar. Also made -z support compressed files too.
<li>Increased compatibility in the pccons driver with BSDi features.
<li>Imported FreeBSD's calendar.
<li>GNU gdb works on the mips-based platforms.
<li>Add FreeBSD md5 diffs to mtree(8).  This can be used to implement a
	tripwire-like system.
<li>Some YP and bootparamd security changes.
<li>Hundreds of little fixes all over the place.
<li>Multiple updates for GNU software
<li>Add disklabels to the floppy device drivers.
<li>At boottime, have (*mountroot)() look at the root device's disklabel
	to determine which filesystem type is to be mounted.
<li>If disklabel reading code discovers an ISOFS filesystem underlying,
	spoof a nice disklabel (enough to fool mountroot).
<li>tcpdump 3.3
<li>Fix information gathering attack in ping(8).
<li>Add NetBSD's "route show" implementation, and at the samet time fix
	the new buffer overflows that this provided.
<li>Fix a few setgroups() related security holes.
<li>sendmail 8.8.4
<li>texinfo 3.9
<li>f77 0.5.19
<li>Repair some more KerberosIV buffer overflows.  Hard to believe this is
	supposed to be security software.
<li>Add XCASE/IUCLC/OLCUC/OCRNL/ONOCR/ONLRET tty subsystem flags for
	backwards compatibility.
<li>Permit NFS attribute cache to be configured on a per-mount basis.
<li>Properly split fsck, mount, and newfs into multiple pieces.  Use
	disklabel information if it is available.
<li>Add disklabels to the vnd device driver.
<li>Change the games to be run setgid games, not setuid games.  This closes
	a whole slew of fascinating security holes.
<li>Import of the powerpc port.
<li>Properly use _POSIX_SAVED_IDS throughout the source tree.
<li>Permit building of kernels without a.out support.
<li>ppp 2.3b3
<li>libcrypt goes away. We do not need this stub library anymore. Do not link
	against it on OpenBSD, all the pieces you need are in libc.
<li>new aucat command.
<li>Fix a fairly nasty security hole in all of the games.
<li>Support for the <a href="hp300.html">hp300</a> added.
<li>Upgrade of awk(1), integration of BSD tsort(1), getopt fixes.
<li>Sendmail upgraded to version 8.8.5.
<li>Added lchown(2) for compatibility with SVR4 implementations.
<li>New gnu cpio 2.4.2
<li>Support lchown(2) in dump(8), cp(1), pax(1), cpio(1), chown(8), and
	restore(8).
<li>No buffer lengths in fmt(1).
<li>various adjtime() corrections inside the kernel.
<li>Prevent stat() from disclosing inode generation numbers to non-root userland.
<li>pax in tar mode will understand multiple -v options to generate ls-like output.
<li>Repair many uses of the SIOCGIFCONF code for machines with an outrageous
	number of network interfaces.
<li>More kerberosIV security patches.
<li>A working fsirand.
<li>A start at a SA_SIGINFO implementation. Currently solid enough to provide
	fault address information.
<li>Completely in-tree <a href="ppc.html">PowerPC</a> port for non-Apple
	hardware.  This port requires nothing outside the in-tree development
	environment to build (except mkisofs for building distributions).
<li>Some ypbind(8) tightening up, includes a method to specify a list of
	valid servers
<li>Bug fixed that prevented bufpages/nbuf > 1 setups.  This allows large
	buffer caches even when available kvm space is low, like for i386
	& sparc.
<li>Changed netinet IP_HDRINCL option to require ip_len and ip_off in network
	byte order. This is a compatibility/portability fix and we expect
	other BSD systems to eventually follow suit.
<li>amd (the automounter) is now 64-bit and working on the alpha.
<li>The <a href="alpha.html">Alpha</a> port and all it's utilities now compiles
	using in-tree versions of all tools.  Yipee!
<li>More work on the SA_SIGINFO implementation. (SA_SIGINFO is a small part of
	POSIX 1003.1b)
</ul>
<p>
<h3>Development is rapidly continuing...</h3>
<p>

This list only mentions platform-independent changes.  For a list of changes
made in a particular platform, please check the page for that platform.<br><br>

<hr>
<a href="index.html"><img src=back.gif border=0 alt=OpenBSD></a> 
<a href=mailto:www@openbsd.org>www@openbsd.org</a>
<br><small>$OpenBSD: plus.html,v 1.28 1997/02/02 17:46:56 deraadt Exp $</small>

</body>
</html>