OpenBSD

Adapted from Wikipedia

A screenshot of the OpenBSD 6.1 computer desktop showing useful tools like a calculator, clock, and system monitor.

OpenBSD is a special kind of computer operating system that focuses on keeping things safe and secure. It was created in 1995 by Theo de Raadt, who started it by taking an existing system called NetBSD and making his own version. This new system was built to work well on many different types of computers and to do things the right way, with strong security built in from the start.

Because OpenBSD is free software, many big companies use parts of it in their own products. For example, the safety features in Apple’s macOS computers, the basic tools in Android phones, and some important parts of Windows 10 all use ideas and code from OpenBSD. This shows how useful and reliable the system is.

The name “OpenBSD” tells us two important things: first, that anyone can see and use its code because it is available online, and second, that it works on many different kinds of hardware, from regular computers to newer types of processors. Even though it doesn’t have a fancy graphical interface by default, OpenBSD is powerful and trusted by people who care about keeping their computers safe.

History

In 1995, a person named Theo de Raadt started OpenBSD after leaving another project called NetBSD. He created OpenBSD to make a better and safer operating system. The first version was released in 1996, and since then, new versions have come out every six months.

In 2007, a group called the OpenBSD Foundation was created to help support the project. By 2024, OpenBSD had changed so much that none of the original files from NetBSD were left unchanged.

Usage statistics

It can be difficult to know how many people use OpenBSD because its developers do not keep track of user numbers.

In September 2005, a group asked 4,330 BSD users about their choices. About 32.8% said they used OpenBSD. More people used FreeBSD at 77%, while NetBSD was used by 16.3% and DragonFly BSD by 2.6%. The group that did the survey said their results might not be perfect because they shared the survey mostly with people already interested in BSD. This means it is hard to know exactly how many people use OpenBSD around the world.

Uses

OpenBSD has strong networking abilities and can work as a router or wireless access point. Its built-in cryptography and packet filter make it great for security tasks like firewalls, intrusion-detection systems, and VPN gateways.

Some versions of Microsoft's Windows Services for UNIX used code from OpenBSD. The pf firewall from OpenBSD is also used in FreeBSD and macOS. OpenBSD can be used on personal computers and includes many software packages like Firefox and Chromium.

OpenBSD can also be set up as a mail server, web server, FTP server, DNS server, router, firewall, NFS file server, or a mix of these. Starting with version 6.8, OpenBSD includes support for WireGuard directly in its software.

Security

After OpenBSD was created, its founder worked with a security company that made tools to find weak spots in software. This helped make security the main focus of OpenBSD.

OpenBSD has many features to keep it safe, like special tools to check for mistakes, ways to protect memory, and strong ways to keep information private. It also limits what programs can do to reduce risks. Developers often review the code to find and fix problems.

OpenBSD created a popular tool called OpenSSH, which helps computers talk to each other safely over the internet. The project believes in making computers simple and secure by default, so new users don’t have to worry about safety right away. Users can add more features themselves, thinking about safety first.

Subprojects

OpenBSD has helped create many useful tools and projects. Some of these include:

  • bioctl, a tool to manage RAID similar to ifconfig
  • CARP, a free tool to help computers work together, like Cisco's HSRP/VRRP
  • cwm, a program to organize windows on your screen
  • doas, a simpler way to give users special permissions instead of using sudo
  • OpenBSD httpd, a web server program
  • Game of Trees, a tool that works with Git
  • hw.sensors, a system to monitor hardware sensors
  • LibreSSL, a secure way to connect to the internet, created from OpenSSL 1.0.1g
  • mandoc, a tool to format help pages called man pages
  • OpenBGPD, a program for a special internet protocol called BGP-4
  • OpenIKED, a program for IKEv2
  • OpenNTPD, a simpler tool to keep time accurate
  • OpenOSPFD, a program for a special internet protocol called OSPF
  • OpenSMTPD, a mail server that works with IPv4/IPv6, PAM, Maildir, and virtual domains
  • OpenSSH, a secure way to connect to other computers
  • PF, a firewall for IPv4/IPv6 that includes NAT, PAT, QoS, and traffic normalization
  • pfsync, a tool to keep PF working well with high availability using CARP
  • rpki-client, a tool to help validate BGP announcements using the Resource Public Key Infrastructure (RPKI)
  • sndio, a tool for audio and music
  • spamd, a tool to block unwanted emails with greylisting
  • Xenocara, a special setup of X.Org for better performance

Some of these tools are now used in other operating systems, and many can be added to other Unix-like systems as extra features.

The Calgary Internet Exchange began in 2012 to help support OpenBSD.

In 2017, a project called Isotop started, aiming to make OpenBSD easier to use on desktops and laptops using xfce and later dwm.

Third-party components

OpenBSD includes many tools and programs from other sources, often with special updates made just for OpenBSD. Some of these include X.Org for graphics, Clang as the main compiler for certain types of computers, GCC, Perl, NSD, Unbound, ncurses, GNU binutils, GDB, and AWK. These tools help users do many different tasks on the OpenBSD system.

Development

OpenBSD is always being improved, and anyone with the right skills can help. The leader, Theo de Raadt, helps organize the work. Every year, there are two big updates, and these updates are supported for a year. There are also smaller updates available more often.

OpenBSD developers at c2k1 hackathon at MIT, June 2001

People can update their OpenBSD systems in a few ways. They can use a tool called syspatch, update from a special area called CVS, or use another tool called sysupgrade to get the newest features. For most users, the basic OpenBSD kernel that comes with the system is the best choice.

Extra programs for OpenBSD are kept up to date by different people. These programs are built for each type of computer, and most people should use the ready-made versions instead of building them themselves. OpenBSD developers sometimes meet to work together and focus on getting things done. Many new versions of OpenBSD also have a special song.

Open source and open documentation

OpenBSD is well-known for its clear and helpful guides. When OpenBSD was started, its creator decided that anyone should be able to see the source code. At that time, only a few developers could usually see a project’s code. This team thought that was unfair and made it hard for new people to help. So, they created a public system where anyone could view and work with the code. This let users join more actively and showed OpenBSD’s promise to keep things open.

OpenBSD does not use secret code or parts that need special agreements to see. Because it comes from Canada, it can use strong security methods without rules from other countries. It also makes computer actions unpredictable to keep it safer. For example, it uses random numbers for different parts of the system. This helps find mistakes and makes it harder for bad people to attack. The project also believes in having clear information about hardware so developers can create better tools.

Closed source and proprietary code

OpenBSD sometimes includes small pieces of code that are not fully open. This is because some devices need special instructions to work, and these instructions are provided by the device makers.

The project leaders have to balance wanting to keep everything open while also making sure users can use many different devices with OpenBSD. They try to be practical and accept some risks when they include these special instructions.

According to the GNU Project, OpenBSD does include some small parts of code that are not fully open, called "blobs". These are used for device firmware or are needed by drivers that have open licenses.

Licensing

OpenBSD has very careful rules about the kinds of licenses it uses. It prefers simple and open licenses like the ISC license and the BSD license. The project wants to keep the open spirit of the original Berkeley Unix, which allowed free sharing of its code. Some other popular licenses, like the Apache License and the GNU General Public License, are seen as too strict by OpenBSD.

In 2001, OpenBSD checked all its code to make sure every piece had the right license. They found many files without clear licenses or with rules that didn’t fit OpenBSD’s standards. To fix this, they contacted the original creators. Some code was removed, some was replaced, and some, like the multicast routing tools mrinfo and map-mbone, got new licenses so OpenBSD could keep using them. They also stopped using software made by Daniel J. Bernstein because he required approval for any changes, which OpenBSD couldn’t agree to.

Because of these license issues, OpenBSD sometimes builds its own tools instead of using others. For example, they created the PF packet filter after finding the rules for IPFilter too limiting. PF started in OpenBSD 3.0 and is now used in many other systems. They also replaced some tools, such as CVS and pkg-config, with other options whose licenses fit OpenBSD’s rules better.

Funding

The OpenBSD project mainly relies on support from everyday users who buy CDs or make donations. In the early 2000s, it also received help from DARPA and the POSSE project, which provided salaries, hardware, and funding for events.

In 2006, OpenBSD faced money problems, and companies like the Mozilla Foundation and GoDaddy helped it continue. Later, in 2014, a big donation in bitcoins and other contributions saved the project from closing.

OpenBSD Foundation

The OpenBSD Foundation is a Canadian non-profit organization created to help manage support for OpenBSD and related projects like OpenSSH, OpenBGPD, and LibreSSL. Since 2014, big companies such as Microsoft, Facebook, and Google have contributed to the foundation.

Distribution

OpenBSD can be obtained in different ways. You can get the source code using anonymous CVS, or download binary releases and development snapshots using FTP, HTTP, and rsync. Before version 6.1, you could order pre-packaged CD-ROM sets online for a small fee, which included stickers and a theme song. These helped support the project's costs for hardware and Internet services.

OpenBSD includes a package management system called pkg* tools to easily install and manage extra programs. These programs are stored as binary files and can be added, updated, or removed using the package tools. The system also has a ports collection, which contains makefiles and other tools needed to create these packages. The ports and the main operating system are developed and released together for each version.

Songs and artwork

3D-rendered, animated OpenBSD mascot Puffy

OpenBSD used a special logo when it first started, created by an artist named Erick Green. Later, they chose a character named Puffy, a pufferfish, to represent the system. Puffy appears in songs and artwork for each release of OpenBSD. These songs and artworks often tell a fun story or share an important message about OpenBSD, sometimes by making funny copies of famous movies or songs.

Releases

The following list shows the version history of the OpenBSD operating system. Each entry gives the version, its release date and support status, followed by the significant changes.

Version 1.1, 18 October 1995 (unsupported)
  • OpenBSD CVS repository created by Theo de Raadt.
  • While the version number used at this stage was 1.1, OpenBSD 1.1 was not an official OpenBSD release in the sense which this term subsequently came to be used.

Version 1.2, 1 July 1996 (unsupported)
  • Creation of the intro(9) man page, for documenting kernel internals.
  • Integration of the update(8) command into the kernel.
  • As before, while this version number was used in the early development of the OS, OpenBSD 1.2 was not an official release in the subsequently applicable sense.

Version 2.0, 1 October 1996 (unsupported)
  • The first official release of OpenBSD, and also the point at which XFree86 first recognized OpenBSD as separate from NetBSD.
  • Initial integration of the FreeBSD ports system.
  • Replacement of gawk with the AT&T awk.
  • Integration of zlib.
  • Added sudo.

Version 2.1, 1 June 1997 (unsupported)
  • Replacement of the older sh with pdksh.

Version 2.2, 1 December 1997 (unsupported)
  • Addition of the afterboot(8) man page.

Version 2.3, 19 May 1998 (unsupported)
  • Introduced the haloed daemon, or aureola beastie, in head-only form created by Erick Green.

Version 2.4, 1 December 1998 (unsupported)
  • Featured the complete haloed daemon, with trident and a finished body.

Version 2.5, 19 May 1999 (unsupported)
  • Introduced the Cop daemon image done by Ty Semaka.

Version 2.6, 1 December 1999 (unsupported)
  • Based on the original SSH suite and developed further by the OpenBSD team, 2.6 saw the first release of OpenSSH, which is now available standard on most Unix-like operating systems and is the most widely used SSH suite.

Version 2.7, 15 June 2000 (unsupported)
  • Support for SSH2 added to OpenSSH.

Version 2.8, 1 December 2000 (unsupported)
  • isakmpd(8)

Version 2.9, 1 June 2001 (unsupported)
  • Filesystem performance increases from softupdates and dirpref code.

Version 3.0, 1 December 2001 (unsupported)
  • E-Railed (OpenBSD Mix), a techno track performed by the release mascot Puff Daddy, the famed rapper and political icon.
  • After license restrictions were imposed on IPFilter, IPFilter was removed from base, and the pf packet filter was developed. pf is now available in DragonFly BSD, NetBSD and FreeBSD.

Version 3.1, 19 May 2002 (unsupported)
  • Systemagic, where Puffy, the Kitten Slayer, battles evil script kitties. Inspired by the works of Rammstein and a parody of Buffy the Vampire Slayer.
  • First official remote security hole: OpenSSH integer overflow.

Version 3.2, 1 November 2002 (unsupported)
  • Goldflipper, a tale in which James Pond, agent 077, super spy and suave lady's man, deals with the dangers of a hostile internet. Styled after the orchestral introductory ballads of James Bond films.

Version 3.3, 1 May 2003 (unsupported)
  • Puff the Barbarian, born in a tiny bowl; Puff was a slave, now he hacks through the C, searching for the Hammer. It is an 80s rock-style song and parody of Conan the Barbarian dealing with open documentation.
  • In 2003, code from ALTQ, which had a license disallowing the sale of derivatives, was relicensed, integrated into pf and made available in OpenBSD 3.3.
  • First release adding the W^X feature, a fine-grained memory permissions layout, ensuring that memory which can be written to by application programs cannot be executable at the same time and vice versa.

Version 3.4, 1 November 2003 (unsupported)
  • The Legend of Puffy Hood where Sir Puffy of Ramsay, a freedom fighter who, with Little Bob of Beckley, took from the rich and gave to all. Tells of the POSSE project's cancellation. An unusual blend of both hip-hop and medieval-style music, a parody of the tale of Robin Hood intended to express OpenBSD's attitude to free speech.
  • i386 platform switched executable format from a.out to Executable and Linkable Format.
  • The GPL licensed gzip was replaced by retooling the existing compress tool to include its functionality.
  • The GPL licensed grep was replaced with FreeGrep, an updated BSD licensed grep. This new grep is now also available in NetBSD.
  • A public domain diff was updated and used to replace the GPL licensed diff previously included.
  • Code from the LGPL licensed was relicensed to allow pf to feature passive operating system detection.
  • Basic sysctl hw.sensors API introduced for hardware monitoring.

Version 3.5, 1 May 2004 (unsupported)
  • CARP License and Redundancy must be free, where a fish seeking to license his free redundancy protocol, CARP, finds trouble with the red tape. A parody of the Fish Licence skit and Eric the Half-a-Bee Song by Monty Python, with an anti-software patents message.
  • CARP, an open alternative to the HSRP and VRRP redundancy systems available from commercial vendors.
  • GPL licensed parts of the GNU tool-set, bc, dc, nm and size, were all replaced with BSD licensed equivalents.
  • AMD64 platform becomes stable enough for release and is included for the first time as part of a release.

Version 3.6, 1 November 2004 (unsupported)
  • Pond-erosa Puff (live) was the tale of Pond-erosa Puff, a no-guff freedom fighter from the wild west, set to hang a lickin' on no-good bureaucratic nerds who encumber software with needless words and restrictions. The song was styled after the works of Johnny Cash, a parody of the Spaghetti Western and Clint Eastwood and inspired by liberal license enforcement.
  • OpenNTPD, a compatible alternative to the reference NTP daemon, was developed within the OpenBSD project. The goal of OpenNTPD was not solely a compatible license. It also aims to be a simple, secure NTP implementation providing acceptable accuracy for most cases, without requiring detailed configuration.
  • Because of its questionable security record and doubts of developers for better future development, OpenBSD removed Ethereal from its ports tree prior to its 3.6 release.
  • Added support for I2C master/slave devices.

Version 3.7, 19 May 2005 (unsupported)
  • The Wizard of OS, where Puffathy, a little Alberta girl, must work with Taiwan to save the day by getting unencumbered wireless. This release was styled after the works of Pink Floyd and a parody of The Wizard of Oz; this dealt with wireless hacking.

Version 3.8, 1 November 2005 (unsupported)
  • Hackers of the Lost RAID, which detailed the exploits of Puffiana Jones, famed hackologist and adventurer, seeking out the Lost RAID. Styled after the radio serials of the 1930s and 40s, this was a parody of Indiana Jones and was linked to the new RAID tools featured as part of this release. This is the first version released without the telnet daemon, which was completely removed from the source tree by Theo de Raadt in May 2005.
  • bioctl introduced as a new universal RAID management tool (similar to ifconfig).

Version 3.9, 1 May 2006 (unsupported)
  • Attack of the Binary BLOB, which chronicles the developer's fight against binary blobs and vendor lock-in, a parody of the 1958 film The Blob and the pop-rock music of the era.
  • Enhanced OpenBGPD feature-set.
  • Improved hardware sensors support, including a new IPMI subsystem and a new I2C scan subsystem; number of drivers using the sensors framework increased to a total of 33 drivers (compared to 9 in the prior 3.8 release 6 months ago).

Version 4.0, 1 November 2006 (unsupported)
  • Humppa Negala, a Hava Nagilah parody with a portion of Entrance of the Gladiators and Humppa music fused together, with no story behind it, simply a homage to one of the OpenBSD developers' favorite genres of music.
  • Second official remote security hole: buffer overflow by malformed ICMPv6 packets.

Version 4.1, 1 May 2007 (unsupported)
  • Puffy Baba and the 40 Vendors, a parody of the Arabic fable Ali Baba and the Forty Thieves, part of the book of One Thousand and One Nights, in which Linux developers are mocked over their allowance of non-disclosure agreements when developing software while at the same time implying hardware vendors are criminals for not releasing documentation required to make reliable device drivers.
  • Redesigned sysctl hw.sensors into a two-level sensor API; a total of 46 device drivers exporting sensors through the framework with this release.

Version 4.2, 1 November 2007 (unsupported)
  • 100001 1010101, the Linux kernel developers get a knock for violating the ISC-style license of OpenBSD's open hardware abstraction layer for Atheros wireless cards.
  • softraid added with support for RAID levels 0, 1, and 5 plus CRYPTO, CONCAT, and RAID 1C.
  • Usability of sensorsd improved, allowing zero-configuration monitoring of smart sensors from the hw.sensors framework (e.g., IPMI or bio(4)-based), and easier configuration for monitoring of non-smart sensors.

Version 4.3, 1 May 2008 (unsupported)
  • Home to Hypocrisy

Version 4.4, 1 November 2008 (unsupported)
  • Trial of the BSD Knights, summarizes the history of BSD including the USL v. BSDi lawsuit. The song was styled after the works of Star Wars.
  • sparc64 port now supports many recent processors: Sun UltraSPARC IV, T1, and T2; Fujitsu SPARC64 V, VI, and VII.
  • New System-on-a-Chip PowerPC port for Freescale devices.
  • malloc(3) randomization, guard pages, and randomized (delayed) free.
  • The hw.sensors framework is used by 68 device drivers, after 7 new drivers were added as of this release.

Version 4.5, 1 May 2009 (unsupported)
  • Games. It was styled after the works of Tron.
  • The hw.sensors framework is used by 72 device drivers.

Version 4.6, 18 October 2009 (unsupported)
  • Planet of the Users. In the style of Planet of the Apes, Puffy travels in time to find a dumbed-down dystopia, where "one very rich man runs the earth with one multinational". Open-source software has since been replaced by one-button computers, one-channel televisions, and closed-source software which, after you purchase it, becomes obsolete before you have a chance to use it. People subsist on soylent green. The theme song is performed in the reggae rock style of The Police.
  • smtpd(8), privilege-separated SMTP server
  • tmux(1) terminal multiplexer
  • The hw.sensors framework is used by 75 device drivers.

Version 4.7, 19 May 2010 (unsupported)
  • I'm Still Here

Version 4.8, 1 November 2010 (unsupported)
  • El Puffiachi.
  • iked(8) IKEv2 daemon
  • ldapd(8) LDAP daemon

Version 4.9, 1 May 2011 (unsupported)
  • The Answer.
  • rc.d(8) daemon control

Version 5.0, 1 November 2011 (unsupported)
  • What Me Worry?.

Version 5.1, 1 May 2012 (unsupported)
  • Bug Busters. The song was styled after the works of Ghostbusters.

Version 5.2, 1 November 2012 (unsupported)
  • Aquarela do Linux.
  • nginx(8) HTTP server
  • SSLv2 disabled

Version 5.3, 1 May 2013 (unsupported)
  • Blade Swimmer. The song was styled after the works of Roy Lee, a parody of Blade Runner.
  • Position-independent executables (PIE) by default for seven hardware platforms

Version 5.4, 1 November 2013 (unsupported)
  • Our favorite hacks, a parody of My Favorite Things.

Version 5.5, 1 May 2014 (unsupported)
  • Wrap in Time.
  • signify(1) cryptographic signatures of release and packages
  • 64bit time_t on all platforms (Y2K38 ready)

Version 5.6, 1 November 2014 (unsupported)
  • Ride of the Valkyries.
  • Apache HTTPD removed from base

Version 5.7, 1 May 2015 (unsupported)
  • Source Fish.
  • rcctl(8) utility to control daemons
  • nginx(8) removed from base
  • procfs has been removed

Version 5.8, 18 October 2015 (unsupported)
  • 20 years ago today, Fanza, So much better, A Year in the Life.
  • (20th anniversary release)
  • doas(1) replacement of sudo

Version 5.9, 29 March 2016 (unsupported)
  • Doctor W^X, Systemagic (Anniversary Edition).
  • W^X enforced in i386 kernel
  • pledge(2) process restriction

Version 6.0, 1 September 2016 (unsupported)
  • Another Smash of the Stack, Black Hat, Money, Comfortably Dumb (the misc song), Mother, Goodbye and Wish you were Secure. Release songs are parodies of Pink Floyd's The Wall, Comfortably Numb and Wish You Were Here.
  • vmm(4) virtualization (disabled by default)
  • Removed vax and 32-bit SPARC support

Version 6.1, 11 April 2017 (unsupported)
  • Winter of 95, a parody of Summer of '69.
  • syspatch(8) utility for binary base system updates
  • new arm64 platform

Version 6.2, 9 October 2017 (unsupported)
  • A three-line diff
  • inteldrm(4) Skylake/Kaby Lake/Cherryview devices
  • clang(1) base system compiler on i386 and amd64 platforms

Version 6.3, 2 April 2018 (unsupported)
  • SMP is supported on arm64 platforms.
  • Several parts of the network stack now run without KERNEL_LOCK().
  • Multiple security improvements have been made, including Meltdown/Spectre (variant 2) mitigations. Intel CPU microcode is loaded on boot on amd64.
  • pledge() has been modified to support "execpromises" (as the second argument).

Version 6.4, 18 October 2018 (unsupported)
  • unveil(2) filesystem visibility restriction.

Version 6.5, 24 April 2019 (unsupported)
  • Support for parsing NMEA 0183 altitude and ground speed hw.sensors.
  • Xenocara: Xorg (X Window Server) is no longer setuid.

Version 6.6, 17 October 2019 (unsupported)
  • sysupgrade(8) automates upgrades to new releases or snapshots.
  • amdgpu(4) AMD RADEON GPU video driver.

Version 6.7, 19 May 2020 (unsupported)
  • Made ffs2 the default filesystem type on installs except for landisk, luna88k and sgi.

Version 6.8, 18 October 2020 (unsupported)
  • 25th anniversary release.
  • New powerpc64 platform.

Version 6.9, 1 May 2021 (unsupported)
  • 50th release.

Version 7.0, 14 October 2021 (unsupported)
  • 51st release.
  • New riscv64 platform.

Version 7.1, 21 April 2022 (unsupported)
  • 52nd release.
  • loongson support was temporarily discontinued for this release.

Version 7.2, 20 October 2022 (unsupported)
  • 53rd release.

Version 7.3, 10 April 2023 (unsupported)
  • 54th release.
  • Immutable permissions on address space regions.
  • "xonly" support on many architectures.
  • Support for full-disk encryption in the installer (via softraid driver)

Version 7.4, 16 October 2023 (unsupported)
  • 55th release.

Version 7.5, 5 April 2024 (unsupported)
  • 56th release.

Version 7.6, 8 October 2024 (unsupported)
  • 57th release.

Version 7.7, 28 April 2025 (supported)
  • 58th release.

Version 7.8, 22 October 2025 (latest version)
  • 59th release.

This article is a child-friendly adaptation of the Wikipedia article on OpenBSD, available under CC BY-SA 4.0.