Non-fiction: OpenBSD

Overview

OpenBSD is a free, Unix-like operating system project launched in 1995 by Theo de Raadt, known for its uncompromising emphasis on security, code correctness, and open development. Originating as a fork of NetBSD, it established a reputation for careful engineering, a minimal and coherent base system, and permissive licensing that encourages reuse. Rather than being a book, it is a long-running non-fictional work of software and governance whose practices and artifacts have shaped modern computing far beyond its user base.

Origins and Philosophy

After disagreements within NetBSD’s leadership, de Raadt founded OpenBSD in Calgary with the guiding idea that openness and scrutiny produce safer software. Transparent development, readable code, and thorough documentation became non-negotiable norms. From the outset, the project pursued security by default: the installer enables almost no network services, configuration files favor least privilege, and features are added only when they can be audited and maintained. Being based outside the United States during an era of cryptography export restrictions also allowed OpenBSD to integrate strong cryptography early, making it a proving ground for secure networking.

Security Practices and Innovations

OpenBSD’s hallmark is proactive security. The developers continuously audit the entire codebase, not just hot spots, to remove undefined behavior and logic flaws. They introduced exploit mitigations that later became industry standards, including W^X to separate writable and executable memory, address space layout randomization, stack protection, randomized mmap, privilege separation and revocation, and later the pledge and unveil system calls that confine programs to promised operations and file trees. Safer interfaces such as strlcpy and strlcat were created to reduce buffer overflows and then adopted elsewhere. This layered approach aims to make classes of bugs unexploitable, not merely patched after the fact.

Ecosystem and Notable Subprojects

Several widely used tools were born in OpenBSD. OpenSSH replaced insecure remote login protocols and became an Internet staple across operating systems. The PF packet filter, created after licensing friction with a prior firewall, set a model for clear, expressive rule sets and has influenced or been adopted by other systems. The project also produced OpenBGPD and OpenNTPD for network services, OpenSMTPD for mail transfer, a simple and auditable httpd, relayd for proxying, doas as a minimal privilege escalation tool, signify for release verification, mandoc for documentation, and LibreSSL as a cleanup of OpenSSL after serious vulnerabilities surfaced. Together these show a preference for small, auditable tools that do one job well.

Development Culture and Releases

OpenBSD follows a steady six-month release cycle, with disciplined feature freezes and broad testing. The base system is integrated and consistent, while third-party software is managed through a ports tree that builds signed binary packages. Manual pages are the definitive documentation, kept in sync with the code so administrators can trust them. The project supports multiple architectures to keep assumptions honest and the code portable. Funding comes from donations and historically from merchandise and CD sales, and its developer hackathons pioneered the focused, in-person collaboration model for open source. The project’s aesthetic identity, from straightforward man pages to the Puffy blowfish mascot, reinforces its culture of clarity and seriousness.

Impact and Legacy

Even for users who never install it, OpenBSD’s influence is pervasive. OpenSSH secures the world’s servers and development workflows; PF and security techniques inspired other kernels and toolchains; and its insistence on permissive licensing and auditability nudged vendors toward freer, better-documented interfaces. OpenBSD demonstrates that meticulous engineering, principled defaults, and relentless simplification can make general-purpose systems both safer and more pleasant to operate.