SafekipediaOpenBSD
Adapted from Wikipedia · Adventurer experience
OpenBSD is a special kind of computer operating system that focuses on safety and security. It was created in 1995 by Theo de Raadt. He started it by taking an existing system called NetBSD and making his own version.
Because OpenBSD is free software, many big companies use parts of it in their products. For example, the safety features in Apple’s macOS computers, the basic tools in Android phones, and some parts of Windows 10 all use ideas and code from OpenBSD. This shows how useful and reliable the system is.
The name “OpenBSD” tells us two important things: first, that anyone can see and use its code because it is available online, and second, that it works on many different kinds of hardware, from regular computers to newer types of processors. Even though it doesn’t have a fancy graphical interface by default, OpenBSD is powerful and trusted by people who care about keeping their computers safe.
History
In 1995, a person named Theo de Raadt started OpenBSD after leaving another project called NetBSD. He wanted to make a better and safer operating system. The first version came out in 1996. Since then, new versions have been released every six months.
In 2007, a group called the OpenBSD Foundation was created to help support the project. By 2024, OpenBSD had changed so much that none of the original files from NetBSD were left unchanged.
Usage statistics
It can be hard to know how many people use OpenBSD because its developers do not count users.
In September 2005, a group asked 4,330 BSD users about their choices. About 32.8% said they used OpenBSD. More people used FreeBSD at 77%, while NetBSD was used by 16.3% and DragonFly BSD by 2.6%. The group said their results might not be perfect because they shared the survey mostly with people already interested in BSD. This makes it hard to know exactly how many people use OpenBSD around the world.
Uses
OpenBSD is good at networking and can work as a router or wireless access point. It has strong cryptography and a packet filter, which makes it useful for security jobs like firewalls, intrusion-detection systems, and VPN gateways.
Some parts of Microsoft's Windows Services for UNIX came from OpenBSD. The pf firewall from OpenBSD is also used in FreeBSD and macOS. OpenBSD can run on personal computers and includes many programs like Firefox and Chromium.
OpenBSD can be set up as a mail server, web server, FTP server, DNS server, router, firewall, NFS file server, or a mix of these. Starting with version 6.8, OpenBSD includes support for WireGuard directly in its software.
Security
See also: OpenBSD security features
After OpenBSD was created, its founder worked with a security company. They made tools to find weak spots in software. This helped make security very important for OpenBSD.
OpenBSD has many features to keep it safe. It has special tools to check for mistakes, ways to protect memory, and strong ways to keep information private. It also limits what programs can do to reduce risks. The developers often review the code to find and fix problems.
OpenBSD created a popular tool called OpenSSH. It helps computers talk to each other safely over the internet. The project believes in making computers simple and secure by default. This way, new users don’t have to worry about safety right away. Users can add more features themselves, always thinking about safety first.
Subprojects
OpenBSD has helped create many useful tools and projects. Some of these include:
- bioctl, a tool to manage RAID similar to ifconfig
- CARP, a free tool to help computers work together, like Cisco's HSRP/VRRP
- cwm, a program to organize windows on your screen
- doas, a simpler way to give users special permissions instead of using sudo
- OpenBSD httpd, a web server program implementing httpd
- Game of Trees, a tool that works with Git
- hw.sensors, a system to monitor hardware sensors
- LibreSSL, a secure way to connect to the internet, created from OpenSSL 1.0.1g
- mandoc, a tool to format help pages called man pages
- OpenBGPD, a program for a special internet protocol called BGP-4
- OpenIKED, a program for IKEv2
- OpenNTPD, a simpler tool to keep time accurate
- OpenOSPFD, a program for a special internet protocol called OSPF
- OpenSMTPD, a mail server that works with IPv4/IPv6, PAM, Maildir, and virtual domains
- OpenSSH, a secure way to connect to other computers
- PF, a firewall for IPv4/IPv6 that includes NAT, PAT, QoS, and traffic normalization
- pfsync, a tool to keep PF working well with high availability using CARP
- rpki-client, a tool to help validate BGP announcements using the Resource Public Key Infrastructure (RPKI)
- sndio, a tool for audio and music
- spamd, a tool to block unwanted emails with greylisting
- Xenocara, a special setup of X.Org for better performance
Some of these tools are now used in other operating systems, and many can be added to other Unix-like systems as extra features.
The Calgary Internet Exchange began in 2012 to help support OpenBSD.
In 2017, a project called Isotop started, aiming to make OpenBSD easier to use on desktops and laptops using xfce and later dwm.
Third-party components
OpenBSD includes many tools and programs from other sources. These tools often have special updates just for OpenBSD. Some of these tools are X.Org for graphics, Clang as the main compiler, GCC, Perl, NSD, Unbound, ncurses, GNU binutils, GDB, and AWK. These tools help users do many different tasks on the OpenBSD system.
Development
OpenBSD is always being improved, and anyone with the right skills can help. The leader, Theo de Raadt, helps organize the work. Every year, there are two big updates, and these updates are supported for a year. There are also smaller updates available more often.
People can update their OpenBSD systems in a few ways. They can use a tool called syspatch, update from a special area called CVS, or use another tool called sysupgrade to get the newest features. For most users, the basic OpenBSD kernel that comes with the system is the best choice.
Extra programs for OpenBSD are kept up to date by different people. These programs are built for each type of computer, and most people should use the ready-made versions instead of building them themselves. OpenBSD developers sometimes meet to work together and focus on getting things done. Many new versions of OpenBSD also have a special song.
Open source and open documentation
OpenBSD is famous for its clear and helpful guides. When OpenBSD started, its creator wanted everyone to be able to see the source code. Back then, only a few developers could usually see a project’s code. This team thought that wasn’t fair and made it hard for new people to help. So, they made a public system where anyone could view and work with the code. This let users join in more and showed OpenBSD’s promise to keep things open.
OpenBSD does not use secret code or parts that need special agreements to see. Because it comes from Canada, it can use strong security methods without rules from other countries. It also makes computer actions unpredictable to keep it safer. For example, it uses random numbers for different parts of the system. This helps find mistakes and makes it harder for bad people to attack. The project also believes in having clear information about hardware so developers can create better tools.
Closed source and proprietary code
OpenBSD sometimes includes small pieces of code that are not fully open. This is because some devices need special instructions to work, and these instructions come from the device makers.
The project leaders try to keep everything open while also making sure users can use many different devices with OpenBSD. They try to be practical and accept some risks when they include these special instructions.
According to the GNU Project, OpenBSD does include some small parts of code that are not fully open, called "blobs". These are used for device firmware or are needed by drivers that have open licenses.
Licensing
See also: Comparison of free and open-source software licenses and Free software license
OpenBSD has very careful rules about the licenses it uses. It prefers simple and open licenses like the ISC license and the BSD license. The project wants to keep the open spirit of the original Berkeley Unix, which allowed free sharing of its code.
In 2001, OpenBSD checked all its code to make sure every piece had the right license. They found many files without clear licenses or with rules that didn’t fit OpenBSD’s standards. To fix this, they contacted the original creators. Some code was removed, some was replaced, and some, like the multicast routing tools mrinfo and map-mbone, got new licenses so OpenBSD could keep using them. They also stopped using software made by Daniel J. Bernstein.
Because of these license issues, OpenBSD sometimes builds its own tools instead of using others. For example, they created the PF packet filter after finding the rules for IPFilter too limiting. PF started in OpenBSD 3.0 and is now used in many other systems. They also replaced some tools with simpler licenses, like switching from CVS and pkg-config to other options that fit OpenBSD’s rules better.
Funding
The OpenBSD project gets help mostly from regular users who buy CDs or make donations. In the early 2000s, it also got help from DARPA and the POSSE project, which gave money, equipment, and support for events.
In 2006, OpenBSD had money problems, and companies like the Mozilla Foundation and GoDaddy helped it keep going. Later, in 2014, a large donation in bitcoins and other gifts saved the project.
OpenBSD Foundation
The OpenBSD Foundation is a Canadian non-profit organization made to help manage support for OpenBSD and related projects like OpenSSH, OpenBGPD, and LibreSSL. Since 2014, big companies such as Microsoft, Facebook, and Google have given money to the foundation.
Distribution
OpenBSD can be obtained in different ways. You can get the source code using anonymous CVS, or download binary releases and development snapshots using FTP, HTTP, and rsync.
OpenBSD includes a package management system called pkg* tools to easily install and manage extra programs. These programs are stored as binary files and can be added, updated, or removed using the package tools. The system also has a ports collection, which contains makefiles and other tools needed to create these packages. The ports and the main operating system are developed and released together for each version.
Songs and artwork
OpenBSD had a special logo made by an artist named Erick Green when it began. Later, they picked a character named Puffy, a pufferfish, to stand for the system. Puffy shows up in songs and pictures for each OpenBSD release. These songs and pictures often share a fun story or an important idea about OpenBSD, sometimes by making funny versions of famous movies or songs.
Releases
The following table shows the version history of the OpenBSD operating system.
| Version | Release date | Significant changes |
|---|---|---|
| Unsupported: 1.1 | 18 October 1995 | OpenBSD CVS repository created by Theo de Raadt. While the version number used at this stage was 1.1, OpenBSD 1.1 was not an official OpenBSD release in the sense which this term subsequently came to be used. |
| Unsupported: 1.2 | 1 July 1996 | Creation of the intro(9) man page, for documenting kernel internals. Integration of the update(8) command into the kernel. As before, while this version number was used in the early development of the OS, OpenBSD 1.2 was not an official release in the subsequently applicable sense. |
| Unsupported: 2.0 | 1 October 1996 | |
| Unsupported: 2.1 | 1 June 1997 | Replacement of the older sh with pdksh. |
| Unsupported: 2.2 | 1 December 1997 | Addition of the afterboot(8) man page. |
| Unsupported: 2.3 | 19 May 1998 | Introduced the haloed daemon, or aureola beastie, in head-only form created by Erick Green. |
| Unsupported: 2.4 | 1 December 1998 | Featured the complete haloed daemon, with trident and a finished body. |
| Unsupported: 2.5 | 19 May 1999 | Introduced the Cop daemon image done by Ty Semaka. |
| Unsupported: 2.6 | 1 December 1999 | Based on the original SSH suite and developed further by the OpenBSD team, 2.6 saw the first release of OpenSSH, which is now available standard on most Unix-like operating systems and is the most widely used SSH suite. |
| Unsupported: 2.7 | 15 June 2000 | Support for SSH2 added to OpenSSH. |
| Unsupported: 2.8 | 1 December 2000 | isakmpd(8) |
| Unsupported: 2.9 | 1 June 2001 | Filesystem performance increases from softupdates and dirpref code. |
| Unsupported: 3.0 | 1 December 2001 | E-Railed (OpenBSD Mix), a techno track performed by the release mascot Puff Daddy, the famed rapper and political icon. After license restrictions were imposed on IPFilter, IPFilter was removed from base, and the pf packet filter was developed. pf is now available in DragonFly BSD, NetBSD and FreeBSD. |
| Unsupported: 3.1 | 19 May 2002 | Systemagic, where Puffy, the Kitten Slayer, battles evil script kitties. Inspired by the works of Rammstein and a parody of Buffy the Vampire Slayer. First official remote security hole - OpenSSH integer overflow |
| Unsupported: 3.2 | 1 November 2002 | Goldflipper, a tale in which James Pond, agent 077, super spy and suave lady's man, deals with the dangers of a hostile internet. Styled after the orchestral introductory ballads of James Bond films. |
| Unsupported: 3.3 | 1 May 2003 | Puff the Barbarian, born in a tiny bowl; Puff was a slave, now he hacks through the C, searching for the Hammer. It is an 80s rock-style song and parody of Conan the Barbarian dealing with open documentation. In 2003, code from ALTQ, which had a license disallowing the sale of derivatives, was relicensed, integrated into pf and made available in OpenBSD 3.3. First release adding the W^X feature, a fine-grained memory permissions layout, ensuring that memory which can be written to by application programs can not be executable at the same time and vice versa. |
| Unsupported: 3.4 | 1 November 2003 | The Legend of Puffy Hood where Sir Puffy of Ramsay, a freedom fighter who, with Little Bob of Beckley, took from the rich and gave to all. Tells of the POSSE project's cancellation. An unusual blend of both hip-hop and medieval-style music, a parody of the tale of Robin Hood intended to express OpenBSD's attitude to free speech. i386 platform switched executable format from a.out to Executable and Linkable Format The GPL licensed gzip was replaced by retooling the existing compress tool to include its functionality. The GPL licensed grep was replaced with FreeGrep, an updated BSD licensed grep. This new grep is now also available in NetBSD. A public domain diff was updated and used to replace the GPL licensed diff previously included. Code from the LGPL licensed was relicensed to allow pf to feature passive operating system detection. Address space layout randomization (ASLR) by default Basic sysctl hw.sensors API introduced for hardware monitoring. |
| Unsupported: 3.5 | 1 May 2004 | CARP License and Redundancy must be free, where a fish seeking to license his free redundancy protocol, CARP, finds trouble with the red tape. A parody of the Fish Licence skit and Eric the Half-a-Bee Song by Monty Python, with an anti-software patents message. CARP, an open alternative to the HSRP and VRRP redundancy systems available from commercial vendors. GPL licensed parts of the GNU tool-set, bc, dc, nm and size, were all replaced with BSD licensed equivalents. AMD64 platform becomes stable enough for release and is included for the first time as part of a release. |
| Unsupported: 3.6 | 1 November 2004 | Pond-erosa Puff (live) was the tale of Pond-erosa Puff, a no-guff freedom fighter from the wild west, set to hang a lickin' on no-good bureaucratic nerds who encumber software with needless words and restrictions. The song was styled after the works of Johnny Cash, a parody of the Spaghetti Western and Clint Eastwood and inspired by liberal license enforcement. OpenNTPD, a compatible alternative to the reference NTP daemon, was developed within the OpenBSD project. The goal of OpenNTPD was not solely a compatible license. It also aims to be a simple, secure NTP implementation providing acceptable accuracy for most cases, without requiring detailed configuration. Because of its questionable security record and doubts of developers for better future development, OpenBSD removed Ethereal from its ports tree prior to its 3.6 release. Added support for I2C master/slave devices |
| Unsupported: 3.7 | 19 May 2005 | The Wizard of OS, where Puffathy, a little Alberta girl, must work with Taiwan to save the day by getting unencumbered wireless. This release was styled after the works of Pink Floyd and a parody of The Wizard of Oz; this dealt with wireless hacking. |
| Unsupported: 3.8 | 1 November 2005 | Hackers of the Lost RAID, which detailed the exploits of Puffiana Jones, famed hackologist and adventurer, seeking out the Lost RAID, Styled after the radio serials of the 1930s and 40s, this was a parody of Indiana Jones and was linked to the new RAID tools featured as part of this release. This is the first version released without the telnet daemon which was completely removed from the source tree by Theo de Raadt in May 2005. |
| Unsupported: 3.9 | 1 May 2006 | Attack of the Binary BLOB, which chronicles the developer's fight against binary blobs and vendor lock-in, a parody of the 1958 film The Blob and the pop-rock music of the era. Enhanced OpenBGPD feature-set. Improved hardware sensors support, including a new IPMI subsystem and a new I2C scan subsystem; number of drivers using the sensors framework increased to a total of 33 drivers (compared to 9 in the prior 3.8 release 6 months ago). |
| Unsupported: 4.0 | 1 November 2006 | Humppa Negala, a Hava Nagilah parody with a portion of Entrance of the Gladiators and Humppa music fused together, with no story behind it, simply a homage to one of the OpenBSD developers' favorite genres of music. Second official remote security hole - buffer overflow by malformed ICMPv6 packets |
| Unsupported: 4.1 | 1 May 2007 | Puffy Baba and the 40 Vendors, a parody of the Arabic fable Ali Baba and the Forty Thieves, part of the book of One Thousand and One Nights, in which Linux developers are mocked over their allowance of non-disclosure agreements when developing software while at the same time implying hardware vendors are criminals for not releasing documentation required to make reliable device drivers. Redesigned sysctl hw.sensors into a two-level sensor API; a total of 46 device drivers exporting sensors through the framework with this release. |
| Unsupported: 4.2 | 1 November 2007 | 100001 1010101, the Linux kernel developers gets a knock for violating the ISC-style license of OpenBSD's open hardware abstraction layer for Atheros wireless cards. softraid added with support for RAID levels 0,1, and 5 plus CRYPTO, CONCAT, and RAID 1C Usability of sensorsd improved, allowing zero-configuration monitoring of smart sensors from the hw.sensors framework (e.g., IPMI or bio(4)-based), and easier configuration for monitoring of non-smart sensors. |
| Unsupported: 4.3 | 1 May 2008 | Home to Hypocrisy |
| Unsupported: 4.4 | 1 November 2008 | Trial of the BSD Knights, summarizes the history of BSD including the USL v. BSDi lawsuit. The song was styled after the works of Star Wars. sparc64 port now supports many recent processors: Sun UltraSPARC IV, T1, and T2; Fujitsu SPARC64 V, VI, and VII. New System-on-a-Chip PowerPC port for Freescale devices malloc(3) randomization, guard pages, and randomized (delayed) free The hw.sensors framework is used by 68 device drivers, after 7 new drivers were added as of this release. |
| Unsupported: 4.5 | 1 May 2009 | Games. It was styled after the works of Tron. The hw.sensors framework is used by 72 device drivers. |
| Unsupported: 4.6 | 18 October 2009 | Planet of the Users. In the style of Planet of the Apes, Puffy travels in time to find a dumbed-down dystopia, where "one very rich man runs the earth with one multinational". Open-source software has since been replaced by one-button computers, one-channel televisions, and closed-source software which, after you purchase it, becomes obsolete before you have a chance to use it. People subsist on soylent green. The theme song is performed in the reggae rock style of The Police. smtpd(8), privilege-separated SMTP server tmux(1) terminal multiplexer The hw.sensors framework is used by 75 device drivers. |
| Unsupported: 4.7 | 19 May 2010 | I'm Still Here |
| Unsupported: 4.8 | 1 November 2010 | El Puffiachi. iked(8) IKEv2 daemon ldapd(8) LDAP daemon |
| Unsupported: 4.9 | 1 May 2011 | The Answer. rc.d(8) daemon control |
| Unsupported: 5.0 | 1 November 2011 | What Me Worry?. |
| Unsupported: 5.1 | 1 May 2012 | Bug Busters. The song was styled after the works of Ghostbusters. |
| Unsupported: 5.2 | 1 November 2012 | Aquarela do Linux. nginx(8) HTTP server SSLv2 disabled |
| Unsupported: 5.3 | 1 May 2013 | Blade Swimmer. The song was styled after the works of Roy Lee, a parody of Blade Runner. Position-independent executables (PIE) by default for seven hardware platforms |
| Unsupported: 5.4 | 1 November 2013 | Our favorite hacks, a parody of My Favorite Things. |
| Unsupported: 5.5 | 1 May 2014 | Wrap in Time. signify(1) cryptographic signatures of release and packages 64bit time_t on all platforms (Y2K38 ready) |
| Unsupported: 5.6 | 1 November 2014 | Ride of the Valkyries. Apache HTTPD removed from base |
| Unsupported: 5.7 | 1 May 2015 | Source Fish. |
| Unsupported: 5.8 | 18 October 2015 | 20 years ago today, Fanza, So much better, A Year in the Life. (20th anniversary release) doas(1) replacement of sudo |
| Unsupported: 5.9 | 29 March 2016 | Doctor W^X, Systemagic (Anniversary Edition). W^X enforced in i386 kernel pledge(2) process restriction |
| Unsupported: 6.0 | 1 September 2016 | Another Smash of the Stack, Black Hat, Money, Comfortably Dumb (the misc song), Mother, Goodbye and Wish you were Secure, Release songs parodies of Pink Floyd's The Wall, Comfortably Numb and Wish You Were Here. vmm(4) virtualization (disabled by default) Removed vax and 32-bit SPARC support |
| Unsupported: 6.1 | 11 April 2017 | Winter of 95, a parody of Summer of '69. syspatch(8) utility for binary base system updates new arm64 platform |
| Unsupported: 6.2 | 9 October 2017 | A three-line diff inteldrm(4) Skylake/Kaby Lake/Cherryview devices clang(1) base system compiler on i386 and amd64 platforms |
| Unsupported: 6.3 | 2 April 2018 | SMP is supported on arm64 platforms. Several parts of the network stack now run without KERNEL_LOCK(). Multiple security improvements have been made, including Meltdown/Spectre (variant 2) mitigations. Intel CPU microcode is loaded on boot on amd64. pledge() has been modified to support "execpromises" (as the second argument). |
| Unsupported: 6.4 | 18 October 2018 | unveil(2) filesystem visibility restriction. |
| Unsupported: 6.5 | 24 April 2019 | Support for parsing NMEA 0183 altitude and ground speed hw.sensors. |
| Unsupported: 6.6 | 17 October 2019 | sysupgrade(8) automates upgrades to new releases or snapshots. amdgpu(4) AMD RADEON GPU video driver. |
| Unsupported: 6.7 | 19 May 2020 | Made ffs2 the default filesystem type on installs except for landisk, luna88k and sgi. |
| Unsupported: 6.8 | 18 October 2020 | 25th anniversary release. New powerpc64 platform. |
| Unsupported: 6.9 | 1 May 2021 | 50th release. |
| Unsupported: 7.0 | 14 October 2021 | 51st release. New riscv64 platform. |
| Unsupported: 7.1 | 21 April 2022 | 52nd release. loongson support was temporarily discontinued for this release. |
| Unsupported: 7.2 | 20 October 2022 | 53rd release. |
| Unsupported: 7.3 | 10 April 2023 | 54th release. Immutable permissions on address space regions. "xonly" support on many architectures. Support for full-disk encryption in the installer (via softraid driver) |
| Unsupported: 7.4 | 16 October 2023 | 55th release. |
| Unsupported: 7.5 | 5 April 2024 | 56th release. |
| Unsupported: 7.6 | 8 October 2024 | 57th release. |
| Supported: 7.7 | 28 April 2025 | 58th release. |
| Latest version: 7.8 | 22 October 2025 | 59th release. |
Related articles
This article is a child-friendly adaptation of the Wikipedia article on OpenBSD, available under CC BY-SA 4.0.
Images from Wikimedia Commons. Tap any image to view credits and license.