The OpenBSD 5.4 release just came out. That’s what I run on my laptop, so as soon as I could I did the upgrade. Once I had downloaded the install/upgrade ISO image and burned it onto a CD, I started.
Time to boot from the media and do a complete installation of the base operating system: 15 minutes.
Time to download the kernel source, install it, and build and install a fresh kernel: 10 minutes. (This wasn’t at all necessary; I only changed the kernel console message colors from white-on-blue to red-on-black!)
At that point I would be done installing or upgrading a server. But since this is a laptop and I want the friendly and very capable graphical environment, I had installed a large set of packages for the last several versions.
Time for the package management system to grind through all the interdependencies of the packages, download them, and install them: almost 5 hours!
Trying to put those times in perspective makes it look even worse. Yes, the package upgrade was limited by my bandwidth, but so was the base OS installation as I used the smaller installation image that must download the distribution archives from the Internet.
While I thought I had installed a lot of packages, and I suppose I did in some absolute sense, I have installed fewer than 10% of the packages available for my amd64 architecture.
As for the kernel, the latest Linux kernel occupies about 130 MB for the monolithic core and all modules. That’s versus just 9.3 MB for the OpenBSD 5.4 kernel.
In Learning Tree’s Cloud Security Essentials course we talk about how difficult it is to design a secure system; and given a secure design, to implement it accurately and at least reasonably bug-free; and even given that, to keep the configuration cautious while still functional.
Complexity adds opportunities for errors in design, implementation, and configuration. The odds are much more in our favor with simpler designs.
If I had been building a server, I probably would have added up to twenty packages to give me a friendlier command shell and vim editor, some tools for handling various archive formats, a PHP package or two for the web server, and, of course, lsof for trouble-shooting and security work.
With the KDE desktop environment and wanting to accomplish a variety of user tasks, I have a little over 700 packages on my laptop.
Here is another case where the cloud — when used as intended — can be more secure.
Cloud servers are remote rack-mounted servers (you just never get to see the racks). Yes, you can run graphical desktop tools on them, but why would a serious server administrator need to do such a thing? Ask Microsoft: the recommended installation of Windows Server 2012 is entirely command-line based, no graphics.
Keep it simple and be safer!