upvote
OpenBSD is the Linux of a decade or two ago, not attracting attention and not being compatible or useful for quite a lot of stuff.
reply
Not counting GPU compute, what exactly is OpenBSD not useful for?
reply
Personal laptop use with Ada Lovelace or Ampere family NVIDIA GPUs (did you mean this or CUDA, i couldnt tell), personal desktop use with unusual peripherals, dependency on ports, existence and competition of FreeBSD etc. I love OpenBSD's code philosophy (they were the first to introduce a lot of security techniques[1]) and the programs they produce, OpenSSH is a lifesaver, and I use doas for its low footprint on my Linux machine. Still, they have a convulated install process, dubious hardware and software compatibility that is better solved in the Linux world today.

[1]: https://www.openbsd.org/innovations.html

reply
So pretty much only GPU compute (CUDA) and exotic peripherals?

I don't see any ports dependency issues as there's been binary packages available forever. Even the install process is a lot faster than any linux I have to use at $work, not to mention easier to automate with autoinstall[0] if needed.

[0]https://man.openbsd.org/autoinstall.8

reply
GPU driver support is not limited to CUDA. Devices that require binary blobs of firmware to work properly are not always exotic. Some examples off the top of my head that won't work with OpenBSD hassle-free is Vantage (LLL), Solaar ... but I haven't tested. I understand you finding it easier to work with and it's faster install speeds do pique my interest, yet you being on HN already puts your technical literacy on some low % of gen pop. OpenBSD may be comparable to distros like Gentoo, Void or Arch but certainly not out-of-the-box ones like Ubuntu. They serve different auidences.
reply
Just OpenSSH, nothing ;)
reply
Try illumos with zones. We run all critical services on SmartOS nowadays. Even linux bhyve VMs get confined inside a zone.
reply
If there was a similar class of bug in the illumos kernel, it would also allow for a container escape, no?

There are many issues with the formulation of containers on Linux (though I think people overstate it whenever bugs like this happen) but ultimately this bug was a UAF that gave you arbitrary code execution in the kernel. Zone IDs are also just numbers in kernel memory... right?

reply
Not necessarily. Zones in illumos (and Solaris before) were designed from ground up to be secure in multitenant workloads[0]. It's quite different from the duct tape style[1] of linux containerization.

[0]https://www.usenix.org/legacy/event/lisa04/tech/full_papers/...

[1]Tape different things together and see if it holds.

reply
I am aware of the history behind Zones and Jails, but my point is still the same -- the (lack of) protection you get against kernel exploits should be the same because the only thing protecting you from escapes is kernel data structures.

(I've been one of the maintainers of runc -- the most widely use used container runtime on Linux -- for more than a decade, so I'm at least somewhat well-informed on the topic.)

The duct tape criticisms are fair when talking about other vulnerabilities (such as when container runtimes have misconfiguration or other inatomicity bugs) but not really here in the context of a kernel arbitrary code execution gadget. It also seems quite unlikely that the illumos kernel doesn't contain any of these kinds of bugs.

reply
> Do we really need infosec companies now that a skid with claude can find decades-old kernel privesc over a weekend?

Why are you not making easy money hand over fist from these rewards? A couple of weekends of work and you can retire early.

Maybe that's exactly what these infosec companies are. And maybe you need more than "a skid with claude over a weekend" to get anything worthwhile.

reply
Why didn't you find it with claude over a weekend?
reply
> and is really, really secure

... until its getting popular usage and gets targeted for vulnerability research

reply
TIL OpenBSD doesn't have jails
reply