Previously, I scattered my thoughts on OpenBSD around my website, alluding to its strengths when needed. However, that approach made my argumentation feel disjointed as a result. It seems more sensible to have a central place to discuss these things.
First, I’d like to bring up the ‘dealbreakers.’ I wouldn’t recommend OpenBSD to those that:
$PREVIOUS_OS.When I say simplicity, I mean simplicity from a software design/development perspective. OpenBSD follows the Unix philosophy and consciously avoids feature creep. There aren’t as many bells and whistles compared to other operating systems and that’s good. That means there’s less to sift through if something breaks.
One of Linux’s strengths is also a grave weakness: the abundance of choice. Deciding what implementation to use for a mail, web, Domain Name System (DNS), or Network Time Protocol (NTP) server is a task in itself, as there are many out there.
With OpenBSD, one already has a sane, powerful, and secure suite of
software to choose from, also known as the base
system. For
instance, a web server with HyperText Transfer Protocol Secure (HTTPS)
and automated certificate renewal can be had with
httpd(8),
acme-client(1), and
cron(8), all without installing any
additional software.
See OpenBSD’s “innovations” page for more cool software and ideas developed by the OpenBSD project. Did you know that OpenSSH is an OpenBSD project?
OpenBSD feels transparent and comprehensible. Between the Frequently
Asked Questions (FAQ), man pages, and mailing lists, as well as other
resources like /etc/examples and /usr/local/share/doc/pkg-readmes,
the user isn’t lacking in ways to understand how the system works under
the hood. An OpenBSD installation is a didactic environment well-suited
to anyone with a Do It Yourself (DIY) attitude.
No discussion of OpenBSD’s strengths would be complete without mention of its focus on security.
One example I like, albeit one not strictly focused on the base system,
is how the OpenBSD project packages Firefox and Tor Browser with
pledge(2) and
unveil(2) in mind. Speaking to the
latter system call, there’s no reason these browsers should be able to
read ~/.ssh or ~/.gnupg, so they can’t. They can only interact with
allowlisted paths (with permission to read, write, execute, create, or
any combination thereof, depending on what’s stipulated). As a result,
the amount of damage a malicious extension or browser exploit could
wreak is much less than usual.
kern.video.record and kern.audio.record are both set to 0 by
default, meaning that no video or audio recording can occur without
permission.
I mean this both in terms of system stability and how fast things change. A constantly changing system is a nightmare to maintain for system administrators.
Users can depend on the project making a new release available about
once every 6 months. Every new release comes with documentation on
changes made and how to upgrade, which is a painless process with the
sysupgrade(8) tool.
OpenBSD is certainly configurable, but the project’s attitudes toward knobs is different from some others. OpenBSD tries to set good defaults that work for everyone in the hopes that people won’t need to fiddle around much (the more someone who doesn’t totally understand what they’re doing changes a system, the more likely they are to break something).
Unlike many minimal Linux distributions, these services are all enabled by default on a new OpenBSD installation:
OpenBSD makes a good OS for both the desktop and the server, at least for my needs.