HN Reader

This points out something we forget at times: being a fan of a thing shouldn't mean we have to suffer for it.

NetBSD doesn't have GPU compute capabilities, plus browser DRM is a PITA, so I run macOS, too. If I have to choose between not doing a thing at all and doing it in a less enjoyable environment, it's only my own foot that suffers were I to choose not doing it at all.

What really matters here is that systems shouldn't crash or panic at all, ever, or if they do, the filesystems used shouldn't lose data or otherwise become corrupt. We left the lack of memory protection in the '80s (some of us the '90s), so there's no excuse if the hardware isn't faulty.

So I have to wonder why the OpenBSD folks, who prioritize security over speed, for example, wouldn't prioritize stability over everything except possibly security (I'd rather a panic than a compromise) and spend some energy looking in to these issues and fix them?

Why wouldn't any filesystem corruption (which could have security implications if the corruption can be controlled) and/or data loss be considered a sign of other deep issues and be made a high priority at OpenBSD?

Perhaps Solène's writeup will be a good wake-up call for the OpenBSD people.

Sorry to see Solène Rapenne move on, I wish her success going forward. She has been a great asset to the OpenBSD team. But glad she will still try and help them out a bit.

But in a way she has a point :( Just a few weeks ago I had a panic with 7.6 and half my files in /home disappeared. In the past I never lost data on an fsck, plus I never had a panic in many years. But glad I clone /home to another device daily :)

But I still will use OpenBSD for testing items I develop on Linux. It is a great help finding issues where Linux will ignore some bugs I insert.

“I can not do that on OpenBSD without a huge headache and very bad performance.”

This applies to practically everything, not just virtualization!

> flatpak: I really like software distribution done with flatpak, packages are all running in their own namespace, they can't access all the file system, you can roll back to a previous version, and do some interesting stuff

As of today flatpak still has holes you can drive a truck through.

The way I see it, there’s conflict between her professional goals and her hacking goals.

The way I avoid that is by keeping that separate. But might not be for everyone.

Something like 99% of the use cases I've seen for OpenBSD are servers that have no keyboard, mouse, video, audio or other plugged into them. It's completely unsurprising that bluetooth and gamepad support isn't a priority.

It seems her biggest issue by far is bad VM hosting, followed by the filesystem (the latter being possibly an hardware compat issue). Everything else seems tertiary or downstream from the big one.

Better VM hosting would enable a big usecase directly, enable the software separation she likes, ameliorate a good part of the battery issues (as that's what she often uses the OS for), and with passthrough maybe even help work around the other hw support issues.

Given how critical virtualization is to security anyway, it sounds like a topical thing for OpenBSD folks to put directly into the OS (a la bhyve).

This was interesting to me.

> I have grievances against OpenBSD file system. Every time OpenBSD crash, and it happens very often for me when using it as a desktop, it ends with file corrupted or lost files. This is just not something I can accept.

Doesn’t openbsd use a fancy-ish ZFS type file system?

I have the same grievance with XFS on Linux though. For as much as people say how awesome it is, the few nodes I have running XFS are the least reliable pieces of garbage on a hard power off and a pain to get back up (if I don’t just nuke it anyway)

The name is familiar, I learned a couple of things from Solène in the Qubes OS forums. Many thanks in case you see this.

I think OpenBSD has a big advantage (to me at least) that it’s the OS I really want to use, but I could never find a place for it for the reasons described. It just doesn’t fit my use cases except on the philosophy department!

In fact I had to leave Qubes OS for different reasons: strange behavior with USB devices, perceptible latency, would not sleep properly when running on battery, Windows VM would freeze on wake up from sleep. Small things but very annoying.

Maybe I just got bad luck with hardware (Thinkpad X260), or I just don’t have the time to troubleshoot it anymore.

Anyway, I’m having a great honeymoon period with OpenSuse now. I’ve chosen it mainly for great filesystem snapshot support. It seems this time everything missing on the repositories are covered on flatpak, and things that usually give me trouble (for example IME support) simply worked. I loved the Xfce theme. I’ll probably be staying for a while.

Fedora atomic mentioned let's gooo

cool keep us updated

Another recent discussion (fewer comments): https://news.ycombinator.com/item?id=42201302

Also FWIW, I use OpenBSD as my daily driver, and I like it especially due to the security (I separate user-level activities, including net browsing, by account), and have not had the crashing or filesystem issues, fortunately. Her points are probably valid though, as my demands of the system are less than hers.

Does working on the OpenBSD team require using OpenBSD on your daily desktop?

I keep a special laptop for all financial stuff. It is not that expensive and the inconvenience is limited. And on it I have CubesOS, but I guess OpenBSD would also be a good choice.

Makes sense. I've always assumed that OpenBSD has a very narrow use case anyway. I love it for a network firewall because the configuration files are sane and easy to understand (stares at systemd networkd). I set it and forget it.

I like Linux a lot but personally I am starting to get frustrated with rootless containers. It is frustrating one has to have higher privileges running the container to make it have its own IP address inside the container. It's frustrating you cannot have the container read and write on the filesystem as the UID running the container unless the process inside is root.

I might have a better experience with VMs but every system seems like a lot of effort to just get something running. And after that the object is not as disposable as I'd like. My favorite tool for VMs so far is Incus. I'm planning on looking into Firecracker this weekend for fun.

Unrelated, but regarding:

> I understand it can make some people angry as they have to learn how to use it.

I don't think that's a significant part of what is upsetting anyone.

TL;DR: OpenBSD is bad as a desktop (no bluetooth, limited gamepad support, etc).

> I need to experiment and learn with a lot of stuff, this includes OCI containers

OK understandable ofc.

> Running virtual machines on OpenBSD is really limited, running programs headless with one core and poor performance is not a good incentive to work at staying sharp.

Can someone explain this a bit more? I mean: I also run both VMs and OCI containers (well, Docker really atm) but what's that about "headless with one core" OpenBSD thing?

OpenBSD can run a VM but it's limited to one core and there can be no GPU passthrough? Is that what she means? That she can only access the VMs through the network?

No GPU passthrough would indeed be kinda a deal breaker for me too.

> I moved from OpenBSD to Qubes OS for almost everything

(a bit of a rant but it's related to TFA from a "what a dev may need" point of view)

I like that Qubes OS focuses on security, something which, for example, Proxmox seems to have an interest approaching about zero. Sure you can contenairize and virtualize but the Proxmox host itself, the "hypervisor" has countless ports open by default "because you'll need them for insecure lots of insecure protocols here and the entire Proxmox security seems to rely on only the firewall. Firewall which, moreover, sometimes resets by itself to "ACCEPT" everything by default.

I run Proxmox on a server and I did a proof-of-concept, running Proxmox as my desktop, using GPU passthrough from a VM to my main display (requires quite a bit of setup and settings and may or may not work on some hardware, but it's darn sweet when it works: one GPU for the host, one GPU for the guest(s)). It works. I know some are using that setup (including some Proxmox devs) on their workstation. But, sheesh, does the Proxmox team seem to care more about a shiny UI than security.

So, basically to be too far from TFA: leaving OpenBSD (considered to be ultra secure) for QubeOS... Does QubeOS really deliver more on security compared to another efficient alternative, like Proxmox? (don't get me wrong: I know that QubeOS is meant to be a desktop, which Proxmox not so much... I just wonder if QubeOS is really secure compared to OpenBSD).

In this day and age of AI models (for those who want to run some locally) requiring fat GPUs and lots of configuration on the software side and with the pace at which new models are coming out, I think nothing beats an hypervisor and VMs using GPU(s) passthrough. This way you can quickly test new models, install tens of them, backup working VMs or containers, etc.

I can see how OpenBSD is negatively affected by that: a 4090 or 5090 (or two in the same machine FWIW: a friend of mine runs just that, two 4090 using GPU passthrough) is quite something. The world, atm, shifted towards GPU. That's why NVidia is enjoying such a market cap.

Although Bluetooth and gamepad do not matter, it looks like OpenBSD may be missing something here if the GPU and GPU passthrough story is subpar.

In a "the world is moving" way.

At least in my case, after reading a TFA like this, I don't see why I'd run OpenBSD... Except as a firewall in front of my Proxmox machines (which badly need that) ; )

P.S: don't mistake this rant for me not loving Proxmox. It's just that I wished they cared less about "shiny" and "convenience" and more about not opening every single port and service under the sun on the host. Something which QubeOS may be better at.

I expect to see lots of people jumping in to defend OpenBSD right about now...

Journaling filesystems have been around for decades now; I don't think I've had a data loss incident since I stopped using Windows 98? I know it's volunteer driven but it seems like working on data integrity might be more of a benefit for security than some of the gimmicks like TRAPSLED.