[HN Gopher] OpenBSD KDE Plasma Desktop
___________________________________________________________________
OpenBSD KDE Plasma Desktop
Author : brynet
Score : 197 points
Date : 2024-01-08 18:07 UTC (4 hours ago)
(HTM) web link (rsadowski.de)
(TXT) w3m dump (rsadowski.de)
| Erratic6576 wrote:
| Also for arm?
| brynet wrote:
| The kde-plasma and kde-plasma-extras packages are available in
| -current aarch64 packages, perhaps you can test it?
| rashkov wrote:
| What a massive, multi-year effort by one or two individual
| developers. My utmost respect to this kind of contribution that
| underpins so much of the software that I use every day
| shmerl wrote:
| What's the state of Wayland on *BSDs?
| pimeys wrote:
| Works pretty well on FreeBSD. I think not yet on OpenBSD.
| brynet wrote:
| There is experimental support for Wayland/sway in OpenBSD
| -current, with lots of recent ports activity.
|
| https://marc.info/?l=openbsd-misc&m=170176226313427&w=2
| doublepg23 wrote:
| Some notes here on OpenBSD
| https://xenocara.org/Wayland_on_OpenBSD.html
| LanzVonL wrote:
| People have it working OK but it'll never be part of the base
| system.
| rubymamis wrote:
| What are some pros and cons of using OpenBSD instead of Linux?
| hospitalJail wrote:
| You join the social club of people who say "It's not Linux!"
|
| I even had chatgpt try to come up with valid reasons and it
| struggled.
| zilti wrote:
| If you are the kind of person who uses ChatGPT for such
| questions, you wouldn't understand it anyway
| codetrotter wrote:
| Either you are prompting it wrong, or you got unlucky, or you
| are stuck on GPT3.5 still and it's less capable compared to
| GPT4 than I remember.
|
| Me:
|
| > Give me a short list of five top things that OpenBSD is
| superior over Linux for
|
| ChatGPT:
|
| > OpenBSD is known for its strong emphasis on security,
| simplicity, and code correctness. Here's a brief list of five
| aspects where OpenBSD is often considered superior to Linux:
|
| > 1. Security by Default: OpenBSD is renowned for its
| security-oriented design. The system is configured with
| secure defaults, and security features are integrated
| directly into the core system, not as add-ons.
|
| > 2. Code Quality and Audit: The OpenBSD project places a
| high priority on clean, readable, and well-documented code.
| Regular code audits are conducted to identify and fix
| security vulnerabilities and bugs.
|
| > 3. Integrated Cryptography: OpenBSD includes various
| cryptographic tools and libraries as part of its base system,
| making it easier to implement secure applications.
|
| > 4. Pf (Packet Filter): OpenBSD's native firewall, pf, is
| highly regarded for its flexibility and efficiency. It's
| often considered more straightforward and powerful than
| iptables, commonly used in Linux.
|
| > 5. Documentation and Man Pages: OpenBSD's documentation,
| especially its man pages, is extensive and well-maintained.
| It provides detailed and up-to-date information on system
| commands, configurations, and daemons.
|
| > It's important to note that while OpenBSD excels in these
| areas, the choice between OpenBSD and Linux depends on
| specific use cases and personal preferences.
|
| And then for the cons, flip the question around and ask
| ChatGPT for a list of five ways in which Linux is superior
| over OpenBSD. (Left as an exercise for the reader.)
| technofiend wrote:
| It's a legit question, but if you have to ask, then most likely
| OpenBSD is not for you. I don't say that out of some elitist or
| gatekeeping motive, rather I think most people who use it have
| a specific need for it, or feel strongly about the principles
| behind the OS, which are security first and secure-by-default.
|
| Here's a breakdown of some technical differences between the
| two, but really if you want to explore alternatives to Linux or
| even Linux alternatives I highly recommend you do so, even
| OpenBSD, but I respectfully suggest you have a use case in mind
| first.
|
| https://www.geeksforgeeks.org/difference-between-linux-and-o...
|
| The security first/secure-by-default mindset in OpenBSD means
| the _core_ distribution is very locked down. By that I mean
| there's very little in the base OS in terms of services.
| OpenBSD had a robust "ports" selection for things you may need
| to add.
|
| My use case for OpenBSD _was_ as a firewall, but it was
| eventually retired because it just couldn't keep up with my
| network speeds. It still is a secure unix server for things
| like radius authentication of wireless clients.
| rubymamis wrote:
| Compared to a Linux distro, would an end user have much
| better security out-of-the box, or would one need to be tech-
| savvy enough for that?
| opencl wrote:
| OpenBSD out of the box is an extremely minimal setup
| compared to the default install of most Linux distros.
|
| A lot of the security of the default install comes from
| minimizing the attack surface by having very few services
| running. So you do not need to be tech-savvy to make it
| secure, but you might need to be tech-savvy to turn it into
| a usable system for your use case.
| seanw444 wrote:
| To add: it's not _just_ the fact that it's barely
| running anything that makes it secure, but the things
| that you _do_ run have effort put into making their
| codebase secure as well. Such as the various daemons,
| like httpd.
| kuon wrote:
| I still use OpenBSD as firewall as I love PF. But I have the
| same problem as it cannot easily firewall 10G link. I am
| curious, what did you migrate to?
| technofiend wrote:
| I keep switching things around. Virtualization comes with
| its own limits but is a fast way to prototype things like
| 'how hard is it to get IPV6 PDUs working in this new os?'
|
| Pfsense is ok, but CE went a year without an update while
| they worked on other branches. Most recently their switch
| to kea dhcp broke some minor things like mapping static
| DHCP addresses to DNS entries. I believe that's fixed now,
| but need to confirm you can also still specify a DHCP
| option which some network devices need.
|
| Opnsense is also decent and has the advantage of a regular
| update cadence, but I believe the UI is less newbie
| friendly. Fedora has the advantage of a UI to let you
| quickly review firewall rules, although the cli is
| perfectly workable once you get the syntax down.
|
| Honestly I like OpenBSD's pf too but it couldn't keep up
| with a one gigabit network connection on your typical
| AliExpress firewall appliance, and I couldn't get it there
| virtually on an HP 360 Gen 8 or Gen 9 with decent Xeon CPUs
| and network cards. Probably a limitation of the network
| drivers for the network cards emulated by ESXi. I resisted
| being nerd sniped by that because my wife needs reliable
| Internet so there was no time to putter.
|
| What are you using that lets OpenBSD achieve better than
| gigabit speeds?
|
| tl;dr: For now I'm using PFSense because I have a friend I
| supply with tech support and he uses whatever I use and
| it's safe for him to play around in PFSense on his own.
| dbolgheroni wrote:
| Just a minor note that you don't need a 3rd-party http daemon
| since there is one in base.
|
| https://man.openbsd.org/httpd
| technofiend wrote:
| Thank you, I stand corrected: it's been a while and my
| faulty memory had httpd outside of core. I edited my upline
| comment to remove the erroneous example because I don't
| want to add noise.
| Apocryphon wrote:
| What's the most casual user-friendly distro of *BSD out
| there? GhostBSD?
| zilti wrote:
| They're derivatives with their own kernel each, so in that
| regard the question does not make much sense. Due to its
| large amount of binary packages though, I'd say FreeBSD it
| is out of the big three.
| Apocryphon wrote:
| Just trying to identify what's the
| Mint/Ubuntu/Zorin/elementary OS equivalent of BSD in
| terms of ease of use.
| taylortbb wrote:
| The point is that they're not really comparable.
| Mint/Ubuntu/etc all ship the same Linux kernel, that's
| why they're called distros. They're different
| distributions (distros) of the same software (Linux
| kernel, etc).
|
| The different BSDs aren't distros, they are different
| kernels that are developed in parallel. Obviously there's
| shared history there, and some shared userspace, but
| FreeBSD and OpenBSD aren't just two different BSD distros
| of largely the same software.
| zilti wrote:
| Probably still FreeBSD, even though I'd claim NetBSD's
| documentation is a tad better. (And Ubuntu really does
| not stand out as beginner-friendly compared to e.g.
| openSUSE)
| parker_mountain wrote:
| I'd say that if you're trying to find the
| Mint/Ubuntu/Zorin/elementary of BSD, then it's not really
| for you. The BSD ecosystem isn't really driven by ease of
| use, today they're more interested in various niches -
| hardware appliances, OS research, etc.
|
| If you're curious about what unix is and what a bsd is, I
| would recommend netbsd or openbsd in a vm.
| Apocryphon wrote:
| Well of course they're not trying to replace macOS, for
| instance, but when an OS gets big enough to have
| offshoots and different front-ends and desktop
| environments and so forth, one would assume there are at
| least experimental attempts emphasizing ease of use, just
| like there are experiments to develop offshoots for any
| other purpose, from power users to pen testers. At least
| like, someone's toy project on GitHub or SourceForge. I
| just assumed BSD was big and well-established enough to
| have such efforts.
|
| Besides GhostBSD, looks like there's also Lumina,
| MidnightBSD, FuryBSD, and TrueOS/Project Trident?
|
| https://lumina-desktop.org
|
| http://www.midnightbsd.org
|
| https://distrowatch.com/table.php?distribution=furybsd
|
| https://itsfoss.com/trueos-bsd-review/
| stonogo wrote:
| They're definitely trying to replace MacOS:
| https://hellosystem.github.io/docs/
| CodeCompost wrote:
| Would it be fair to say the Arch Linux users will feel
| right at home with FreeBSD? They seem to have similar
| concepts.
| somat wrote:
| I would suggest openbsd. it is not user friendly in the
| "hide all complexity from the user" sense but more like
| "this system is simple enough to understand yet full
| featured enough to work in".
|
| The way I like to explain it is. if you like the unix
| operating environment, It is hard to do better than openbsd
| for a desktop system. If you are expecting something more
| like a mac or windows environment, there are options, but I
| suspect you would be better off with linux(or mac or
| windows for that matter).
|
| Openbsd is comfortable in a way that is hard to explain.
| While largely this is just what a person is used to.
| with obsd I have a good feel on how it works and goes
| together. something I never really felt with linux. however
| you do lose a lot of the network effect advantages that
| linux has.
| antiframe wrote:
| > What's the most casual user-friendly distro of *BSD out
| there? GhostBSD?
|
| MacOS?
| radiator wrote:
| Pro: A website can never steal your SSH keys, because firefox
| is limited, via unveil(2), to only seeing your ~/Downloads
| folder.
|
| Con: Every time you need to upload a file using your browser,
| you have to move it to this folder first.
| elric wrote:
| You can do similar things in Linux with firejail, but there
| are a lot of folks who feel uneasy about the safety of
| firejail.
| radiator wrote:
| Besides firefox, more than 80 userland programs have their
| access to the filesystem restricted with the use of unveil.
| PrimeMcFly wrote:
| If Theo stopped being so resistant to solutions like
| AppArmor, then OpenBSD could have a real security layer
| instead of toys like unveil and pledge.
| okasaki wrote:
|     2024-01-08 22:34 ubuntu@knope:~$ sudo apparmor_status
|     apparmor module is loaded.
|     185 profiles are loaded.
|     104 profiles are in enforce mode.
|     (...)
|     124 processes have profiles defined.
|     122 processes are in enforce mode.
|
| including firefox and chromium
| bayindirh wrote:
| Also, there's AppArmor which is enabled in Debian and SuSE
| which transparently limits applications' reach without them
| realizing.
| belthesar wrote:
| Transparent limitation is a double-edged sword. From an
| adversarial perspective, it's good since I'm not
| advertising what my system can and can't do, and poorly
| written software may get hung up on timeouts waiting for
| things to happen. On the other hand, those same benefits
| against an adversary are negative constraints to
| usability, as now silent failures can happen on a system,
| requiring you to watch your AppArmor logs like a hawk
| when using new software.
|
| Ultimately, less of a concern for servers that likely
| have limited scope and use cases, but a significant
| decrease in usability for workstations.
| bayindirh wrote:
| You need to write an AppArmor profile to limit your
| software. It's an opt-in system.
|
| The workflow is you put a test system to "complain" mode
| and use your software as intended, and add the required
| permissions to the profile by looking at the logs to see
| what your app is doing. Then you put AppArmor to
| enforcing mode, add the profile to production system and
| your application is sandboxed. Iteratively refine as
| necessary.
|
| Debian desktop comes with AppArmor enabled. Nothing has
| been broken so far.
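The complain-then-enforce workflow described in the comment above, as an added example that is not part of the thread or of AppArmor's own tooling: it reads complain-mode (`ALLOWED`) audit lines and proposes the rules a profile is missing. The log lines, the profile names and the function names are constructed; mapping create/delete to `w` is a simplifying assumption.

```python
import re
from collections import defaultdict

# Constructed audit lines in the kernel's AppArmor key=value format.
SAMPLE_LOG = """\
audit: type=1400 audit(1704753240.101:41): apparmor="ALLOWED" operation="open" profile="/usr/local/bin/reportgen" name="/etc/reportgen.conf" pid=2101 comm="reportgen" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
audit: type=1400 audit(1704753240.115:42): apparmor="ALLOWED" operation="mknod" profile="/usr/local/bin/reportgen" name="/var/lib/reportgen/out.csv" pid=2101 comm="reportgen" requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000
audit: type=1400 audit(1704753240.116:43): apparmor="ALLOWED" operation="open" profile="/usr/local/bin/reportgen" name="/var/lib/reportgen/out.csv" pid=2101 comm="reportgen" requested_mask="wc" denied_mask="wc" fsuid=1000 ouid=1000
audit: type=1400 audit(1704753240.230:44): apparmor="ALLOWED" operation="exec" profile="/usr/local/bin/reportgen" name="/usr/bin/gzip" pid=2102 comm="reportgen" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0
audit: type=1400 audit(1704753240.231:45): apparmor="ALLOWED" operation="capable" profile="/usr/local/bin/reportgen" pid=2101 comm="reportgen" capability=1 capname="dac_override"
audit: type=1400 audit(1704753241.007:46): apparmor="ALLOWED" operation="open" profile="/usr/sbin/otherd" name="/etc/otherd.conf" pid=2200 comm="otherd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
audit: type=1400 audit(1704753242.300:47): apparmor="DENIED" operation="open" profile="/usr/local/bin/reportgen" name="/etc/shadow" pid=2101 comm="reportgen" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
"""

PAIR = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
FILE_MASKS = set("rwacdklmx")


def parse_event(line):
    """Return the key=value fields of one AppArmor audit line, or None."""
    if 'apparmor="' not in line:
        return None
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in PAIR.finditer(line)}


def suggest_rules(log_text, profile):
    """Turn complain-mode events for one profile into candidate rules.

    Returns (rules, review): rules are profile lines to consider adding,
    review lists (path, mask) events that need a human decision.
    """
    files, caps, review = defaultdict(set), set(), []
    for line in log_text.splitlines():
        ev = parse_event(line)
        if not ev or ev.get("profile") != profile:
            continue
        # DENIED lines come from enforce mode: the profile already blocked
        # them, so they are not evidence of something to allow.
        if ev.get("apparmor") != "ALLOWED":
            continue
        if ev.get("operation") == "capable" and "capname" in ev:
            caps.add(ev["capname"])
            continue
        # denied_mask is the part of the request the profile does not cover.
        name, mask = ev.get("name"), ev.get("denied_mask", "")
        if not name or not mask or not set(mask) <= FILE_MASKS:
            review.append((name, mask))
            continue
        if "x" in mask:
            # Exec rules need a transition mode (ix, px, ...) chosen by hand.
            review.append((name, mask))
            continue
        # Assumption: create (c) and delete (d) are granted through w.
        files[name] |= {"w" if c in "cd" else c for c in mask}
    rules = [f"capability {c}," for c in sorted(caps)]
    for name in sorted(files):
        perms = files[name]
        if "w" in perms:
            perms = perms - {"a"}  # w and a conflict in one rule
        rules.append(f"{name} {''.join(p for p in 'rwaklm' if p in perms)},")
    return rules, review


if __name__ == "__main__":
    rules, review = suggest_rules(SAMPLE_LOG, "/usr/local/bin/reportgen")
    print("\n".join(rules))
    print("needs review:", review)
```

Every proposed line still deserves a read before the profile goes to enforce mode: a rule that appears here only records that the program did something, not that it should be allowed to.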
| mike_hock wrote:
| And every time you upgrade to the next major release, you
| start again from square one because the requirements of
| your software have changed. You get it to work and things
| seem to be fine. Over time, you start noticing things
| that are subtly broken, until something just fails
| completely and doesn't work. The fix turns out to be
| trivial when you give it another go two days later, but
| at the time it happened you really didn't have the nerve
| to deal with it right then.
|
| After two dist upgrades, you realize that this approach
| isn't workable.
| PrimeMcFly wrote:
| > And every time you upgrade to the next major release,
| you start again from square one because the requirements
| of your software have changed.
|
| Nah. That's a huge exaggeration. Most software doesn't
| change its base behavior like that and certainly not with
| every new release, and certainly browsers don't.
| bayindirh wrote:
| Well, I have two Debian desktop installations. One is
| six, the other one is ten years old. I never had a
| problem with either.
|
| This is without adding the numerous servers which I just
| install and forget, and they work without any problems
| for years.
|
| edit: Yes, they're dist-upgraded all the time.
| Am4TIfIsER0ppos wrote:
| "To upload a file move it to your downloads directory" lmao
|
| Can you "unveil" more places, without recompiling?
| codetrotter wrote:
| It would have cost them nothing to unveil a hypothetical
| ~/Uploads directory in the process of patching it to unveil
| ~/Downloads
| amatecha wrote:
| You can trivially-easily add it yourself by editing a
| text file, unveil is configurable per-process.
| codetrotter wrote:
| True, but defaults are worth a million
| SoftTalker wrote:
| Yes, configurable in /etc/firefox/unveil.main
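A simplified model of the behaviour discussed in this subthread, as an added example that is not part of any comment and not OpenBSD or Firefox code: it parses an unveil-style list and answers what a process would get for a given path. Assumptions: one `path permissions` pair per line with `#` comments, the most specific unveiled ancestor decides, and symlinks are not resolved; the sample list, the home directory and the function names are constructed.

```python
import posixpath

# Constructed sample in the assumed "path permissions" format;
# not the contents of the shipped /etc/firefox/unveil.main.
SAMPLE_UNVEIL = """\
# application files, read-only
/usr/local/lib/firefox r
/tmp rwc
~/.mozilla rwc
~/Downloads rwc   # the only user data directory exposed
"""


def _expand(path, home):
    """Expand a leading ~ and normalise the path (collapses .. segments)."""
    if path == "~" or path.startswith("~/"):
        path = home + path[1:]
    return posixpath.normpath(path)


def parse_unveil(text, home):
    """Return {absolute_path: set_of_permissions} from an unveil-style list."""
    rules = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) != 2 or not set(parts[1]) <= set("rwxc"):
            raise ValueError(f"bad unveil line: {raw!r}")
        rules[_expand(parts[0], home)] = set(parts[1])
    return rules


def check(rules, path, want, home):
    """Model one access: 'ok', 'EACCES' (unveiled, wrong permission)
    or 'ENOENT' (no unveiled path covers it, so it appears not to exist)."""
    probe = _expand(path, home)
    while True:
        if probe in rules:
            return "ok" if set(want) <= rules[probe] else "EACCES"
        if probe == "/":
            return "ENOENT"
        probe = posixpath.dirname(probe)


def audit(rules, sensitive, home):
    """Return the sensitive paths that are readable under these rules."""
    return [p for p in sensitive if check(rules, p, "r", home) == "ok"]


if __name__ == "__main__":
    home = "/home/alice"  # constructed
    rules = parse_unveil(SAMPLE_UNVEIL, home)
    for p, want in [("~/Downloads/report.pdf", "r"),
                    ("~/.ssh/id_ed25519", "r"),
                    ("~/Downloads/../.ssh/id_ed25519", "r"),
                    ("/usr/local/lib/firefox/libxul.so", "w")]:
        print(f"{p:40} {want}  {check(rules, p, want, home)}")
    # A read-only ~/Uploads entry, as suggested in the thread.
    wider = parse_unveil(SAMPLE_UNVEIL + "~/Uploads r\n", home)
    print(check(wider, "~/Uploads/cv.pdf", "r", home))
    print(audit(wider, ["~/.ssh/id_ed25519", "~/.gnupg"], home))
```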
| codedokode wrote:
| Unveil looks like a hack or a patch. Why do applications have
| access to whole filesystem by default?
| bayindirh wrote:
| Because there's already UNIX file permissions which prevent
| applications from reaching places they shouldn't. Confine a
| daemon to its own user, chroot it, and it's a sitting duck
| in its own universe.
|
| You add more layers with cgroup/AppArmor/SELinux in Linux,
| Jails in FreeBSD, unveil on OpenBSD, etc.
|
| You harden as much as necessary. Not "drowned by default".
| mike_hock wrote:
| > Because there's already UNIX file permissions which
| prevent applications from reaching places they shouldn't
|
| Right. Just set up a separate user for Firefox using a
| single unprivileged command from your user account or a
| few clicks in your DE, then launch Firefox as that user
| using another single command or click. Being subordinate
| to your main user account, the Firefox user's files and
| directories can easily be managed from your main user and
| you can move files between subordinate users using just
| an (unprivileged) chown or chgrp. Accidentally launching
| applications as your main user is not possible and the
| system strongly encourages you to create separate,
| subordinate users for all your applications and is
| designed from the ground up to make this simple and it
| works out of the box.
|
| Oh wait, that's not even remotely how any of this works.
| On a workstation, the "user account" is an almost
| completely useless concept (as set up and implemented in
| reality). That's why we have jails/namespaces/etc. Hacks
| that are piled on top of the useless mess of "user
| accounts" (all running as the same user, on workstations)
| trying to solve the same problems, but ultimately failing
| at providing any kind of comprehensive solution with a
| coherent vision. Software cannot take anything for
| granted anymore. Anything that looks like a writable file
| could be a read-only bind mount. Any mundane syscall
| could get it SIGKILLed for no reason other than that
| somebody forgot to add it to the whitelist. But from the
| user's perspective, there's no reasonable level of
| security by default.
| bayindirh wrote:
| Considering how we use jails/namespaces and other similar
| technology, your analogy sounds off. First of all,
| security is always set up in layers. A different user and
| chroot doesn't exclude the use of jails, or other kernel
| level security systems like AppArmor/SELinux. They are
| layered on top of each other as necessary.
|
| Also, namespaces is not solely a security mechanism. Yes
| it allows isolation, but it allows resource limitation,
| too. So you can partition your system to slices and show
| a particular set of resources to an application (I'm sure
| you're way more knowledgeable than me in that regard).
|
| On the other hand, security starts with application
| itself. Then you start to add extra containment barriers
| if you don't trust the software in question.
|
| What I understand is our realities are completely
| disparate, and this is not how we hold the mechanisms I
| talk about. This might be due to the environment each of
| us live in, or due to our requirements, I don't know.
|
| But, what I know is, the state of security is not as
| bleak as you portray, and necessity is mother of
| invention. Except SELinux, AppArmor, and FireJail all of
| the technologies we talk here are essentially built as
| virtualization, or virtualization-like technologies. They
| bring additional security as a secondary effect, and
| they're good at that.
|
| > Software cannot take anything for granted anymore.
|
| This is why we have stat calls, defensive programming,
| APIs and exception handling. The first rule of system
| programming is to never take anything for granted.
|
| I have reached to the end of the time I have for today,
|
| Have a nice day and a nice year.
| radiator wrote:
| I guess it has always been like this in Unix, but also in
| other Operating Systems.
| enriquto wrote:
| > What are some pros and cons of using OpenBSD instead of
| Linux?
|
| Pros: htop only fills half of your terminal, and you know
| exactly what each process does because you put them there. A
| few well-written man pages are the complete documentation of
| the system. The whole thing is run by a handful of shell
| scripts.
|
| Cons: exactly the same text, but read with a different tone.
| user3939382 wrote:
| Yep I love it. ps -ax gives you like 12 processes and the
| role of each is obvious and essential. The OS isn't doing
| anything you didn't ask it to, you can actually understand
| the OS. Try that on a default Ubuntu install, it's like
| macOS, just totally and literally out of control.
| yeeeloit wrote:
| > you can actually understand the OS.
|
| The way you describe FreeBSD is how I imagine an OS should
| be. I'm going to make it a goal this year to get a server
| up and running. Thanks.
|
| -- Rant
|
| Linux gives me more inferiority complex than any other
| technology I've ever touched.
|
| Sure, something like a database system, or a moderately
| large code base or framework is complicated, and
| intimidating, and it might take many years to get a grip
| on, and understand, let alone master. But Linux? I just
| don't get it. I've tried for years, read books about it,
| etc. etc.
|
| But in the end it's voodoo to me, and I'm always left
| searching for answers to problems, unable to solve them
| myself. The answers are always just rote step-by-step; do
| this and copy this command, problem solved. Why? how?
| nothing makes sense!!!
|
| I always have the sense that somewhere out there is the
| holy bible of Linux, the missing piece of the puzzle; read
| this and it will all make sense.
|
| Admittedly I've never compiled a distro. So in some respect
| I'm guilty of not going into the deep end. I suspect that
| if I learnt systems programming, and really go into the
| thick of it... then somewhere I might start to find my
| feet.
|
| But it's easier to just believe that I'm stupid, and Linux
| is beyond my ability to comprehend.
| exe34 wrote:
| Have you tried LFS? You can copy and paste, but you have
| to read the commands and figure out what they're doing.
|
| This will give you an overall theoretical idea of how
| things are laid out - but you have to realise that every
| new version of something, there's some developer
| somewhere who wants to exercise their creativity and make
| something really clever and cool (to them), so it
| probably won't make any sense to you after the upgrade.
| That's the point you realise you're on the eternal
| treadmill of trying to keep your system doing what you
| need it to do, without freezing in the vulnerabilities.
| wharvle wrote:
| Relaxing. Like back when you could attach WireShark to your
| local network and not see a single damn thing happen for tens
| of seconds at a time unless you pressed a button somewhere.
|
| ... But also when computers wouldn't do anything useful
| unless you pressed a button. Or a bunch of buttons, more
| likely.
| WhackyIdeas wrote:
| What you describe about WireShark sounds zen.
| wharvle wrote:
| It really was. Just my own machine's traffic makes it
| scroll faster than I can read, these days. Every web page
| and program constantly phoning home up to and including
| sending real-time mouse cursor locations, mdns, UDP
| local-network-device-discovery traffic, all kinds of
| stuff.
| sneed_chucker wrote:
| Pros: lightweight, really good docs, security as a design goal,
| designed from the top down as a complete OS so the userland
| generally all plays nice together and feels more coherent and
| less bloated than a typical Linux distro
|
| Cons: hardware compatibility/drivers (especially for WiFi and
| GPU) is worse than Linux, finding help online is worse than
| Linux, software availability and compatibility tends to be
| worse than Linux, but generally you can get everything you need
| especially if you're willing to build from source.
|
| Subjective: Lots of Linuxisms that people are used to having
| aren't present on BSD. For example, no docker, no systemd, no
| Snap/AppImage/Flatpak, and no eBPF. This is true even on
| FreeBSD, which is the most Linux-like of the family. BSDs have
| their own answers to most of the problems that these tools
| solve, but you'll have to learn those tools and your Linux
| knowledge and muscle memory will be mostly useless.
| PrimeMcFly wrote:
| Pros: More of the software has been audited. That's it really.
| There's nice documentation but that's true for many linux
| distros as well, and much of the security claims are overblown.
|
| Cons: Lack of available software and software compatibility.
| Lack of good security options to restrict software and the
| system.
| LanzVonL wrote:
| You can understand RC. You _CAN'T_ understand systemd. For me
| that's a big one. But I bailed on Linux once it came out that
| the Indians and Chinese had teamed up to backdoor it.
| yeeeloit wrote:
| > Indians and Chinese had teamed up to backdoor it.
|
| link?
| ivan_gammel wrote:
| This reminded me of an old meme:
| https://knowyourmeme.com/memes/how-does-one-patch-kde2-under...
| Apocryphon wrote:
| Regional BSD memes, amazing
| sph wrote:
| This needs its own post. I love that a country's president
| mentioned UNIX in an official address, as well as that #anime
| IRC channel.
|
| EDIT: posted at https://news.ycombinator.com/item?id=38917307
| pmarreck wrote:
| meanwhile I swap window managers with a single-line config change
| on NixOS
| sintax wrote:
| after googling for 8 hours because the last time you had to do
| that change was 6 months ago and you forgot all about it. At
| least, that was my experience.
| WhackyIdeas wrote:
| Fantastic effort! I have such a love for OpenBSD but
| unfortunately have a system with an Nvidia 4090 which is of
| course unsupported. Maybe one day I will see if I can dual boot
| this on my Intel based Mac which has an AMD GPU.
| sho_hn wrote:
| Plasma dev here. Amazing work, this made me smile :-)
| unstruktured wrote:
| Keep up the good work! I love KDE.
| sho_hn wrote:
| Thanks for using what we make!
| ognarb wrote:
| Also a KDE dev here and I also love when people port KDE
| Software to more platforms.
|
| Related someone is porting KDE applications to Haiku
| https://discuss.kde.org/t/haiku-porting-efforts/9032 and
| someone else is working on gitlab CI/CD directly to the
| Microsoft Store
| https://blogs.kde.org/2023/12/20/gitlab-microsoft-store
| albertzeyer wrote:
| He said that it took multiple years of work to get this
| running. I wonder if such effort could be simplified somehow?
| Maybe from KDE side?
| foresto wrote:
| > A special thanks to all who support my work with a small
| donation on GitHup.
|
| I was hoping the GitHup link was a play on words that would lead
| to an interesting unix-related project. Alas, it's just a typo.
| Maybe next time. :)
| LAC-Tech wrote:
| Love the man pages, love doas (I use it on my main linux
| machine), love that it has an HTTP server in the main install.
| But the filesystem is so basic that people recommend a UPS just
| so your data doesn't get corrupted during a power outage.
|
| I hope OpenBSD gets some corporate love one day, because that's
| probably the only way you're going to get a modern file system
| written for it.
___________________________________________________________________
(page generated 2024-01-08 23:00 UTC)