Luke Maurits

Why I use NetBSD

Introduction

People are often surprised to hear that somebody is using NetBSD as a desktop or server operating system on i386 hardware, like I am. NetBSD has a well-earned reputation for being the Unix that runs on anything and everything (including toasters), but this reputation has also given most people the idea that NetBSD has nothing to offer people running non-obscure hardware which is supported by more mainstream systems like FreeBSD or those based on the Linux kernel. This is unfortunate, because NetBSD has a lot to recommend it even for people who aren't running VAXen or Dreamcasts.

Here are some reasons why NetBSD is my operating system of choice.

NetBSD is small, light and simple

NetBSD requires XXX MB of hard drive space and 8 MB of RAM. You can download a roughly 240 MB .iso which includes everything you need to install a working system - you are not forced to download a 600 MB CD which has had useless packages crammed into every spare kilobyte. There is no graphical installer, and God willing there never will be.

NetBSD gives me a clean slate

NetBSD's base system is one of the few these days which actually deserves the term "base". It is a basic, uncustomised Unix system and that's it. NetBSD does not install web servers and browsers or scripting languages by default. It does not install vim for me and symlink vi to it without asking. If I install X, it does not presume to know what window manager I want to use or how I want it to look and feel and do the corresponding installation and configuration for me.

More so than on any other operating system I've tried, everything about a NetBSD system is the way it is because the administrator made it that way. I like it that way.

NetBSD's package management system, pkgsrc, is awesome

NetBSD's package management system, pkgsrc, is an unsung hero of package management. For all the fuss about Debian GNU/Linux's APT, Gentoo Linux's portage and FreeBSD's ports, few people even seem aware of pkgsrc as an alternative with a lot of solid features, some of them rare, some even unique to pkgsrc.

Portability

Everyone knows that NetBSD runs on anything with a transistor in it, but not everybody realises that pkgsrc is developed to be portable as well. Yes, that means you can use pkgsrc to manage the software you have installed on your FreeBSD or OpenBSD boxes, your Linux boxes, even your Solaris boxes. This means that when you learn pkgsrc, you are learning a transferable skill which you can still benefit from even if you use another OS later, not a skill which applies only to a single Linux distribution.

License management

Pkgsrc is aware of the license each of its pieces of software is distributed under. You can provide pkgsrc with a list of licenses which you consider acceptable, and then if you try to install a piece of software without realising that you don't agree with or can't comply with its license, pkgsrc will stop and warn you and will not install the package until you adjust your list of acceptable licenses. This is particularly handy for avoiding commercial use of software whose license prohibits it and avoiding evil licenses, like the Apache 2 license. I am unaware of any other package management system that does this. Emailed corrections on this point are welcome.

Simple security auditing

The pkgsrc developers maintain a file detailing known security vulnerabilities in all of their packages. The pkgtools/pkgaudit package can read this file and alert the user to any vulnerable packages which are installed on the machine it is running on, so that these can be promptly patched or removed. If you set up cron jobs to automate downloading the latest copy of the vulnerability list and running the check, you'll never miss another third-party vulnerability. No having to monitor mailing lists and trying to remember what versions of what libraries you have installed - you just get told. Furthermore, whenever you try to install a new package, pkgsrc will try to check it for known vulnerabilities first and warn you if any are found, so you can't unknowingly install a package which is known to be vulnerable.
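To make the mechanism concrete, here is a small re-implementation of the audit check described above. This is an added example, not pkgsrc's own code (in current pkg_install the real work is done by pkg_admin's fetch-pkg-vulnerabilities and audit subcommands). It assumes the layout of the pkg-vulnerabilities file, one entry per line of the form "package-pattern type-of-exploit url", and handles the common pattern forms: an exact name-version, the name-[0-9]* wildcard, and relational bounds such as foo<1.2 or foo>=2.0<2.0.7 compared with pkgsrc's dewey-style ordering (numeric components plus the nbN package revision). The package names, versions and URLs in the sample file are constructed for the example; the full pkgsrc matcher also accepts forms ({a,b} alternatives, glob characters) that are left out here.

```python
"""Toy model of the pkgsrc vulnerability audit (added example, not pkgsrc code).

Assumed pkg-vulnerabilities layout, one entry per line:

    <package-pattern>  <type-of-exploit>  <url>
"""
import re

# Constructed sample of a pkg-vulnerabilities file; packages, versions and
# URLs are invented for the example.
VULN_FILE = """\
# package-pattern      type-of-exploit          url
libfoo<1.2.4           remote-code-execution    http://example.invalid/libfoo
barhttpd>=2.0<2.0.7    denial-of-service        http://example.invalid/barhttpd
oldtool-[0-9]*         privilege-escalation     http://example.invalid/oldtool
safe-lib-3.0           local-file-read          http://example.invalid/safe-lib
"""

# Constructed list of installed packages in pkg_info(1) name-version form.
INSTALLED = ["libfoo-1.2.3", "barhttpd-2.0.9", "oldtool-0.9", "safe-lib-3.1"]


def split_pkg(pkg):
    """'safe-lib-3.1' -> ('safe-lib', '3.1'): the version starts at the last
    '-' that is followed by a digit."""
    m = re.match(r"^(.+)-(\d[^-]*)$", pkg)
    if not m:
        raise ValueError("not a name-version string: %r" % pkg)
    return m.group(1), m.group(2)


def dewey(version):
    """Split '1.2.3nb2' into ([(1,1),(1,2),(1,3)], 2).  Numeric tokens sort
    above alphabetic ones; 'nbN' is pkgsrc's own package revision counter."""
    nb = 0
    m = re.match(r"^(.*?)nb(\d+)$", version)
    if m:
        version, nb = m.group(1), int(m.group(2))
    parts = [(1, int(t)) if t.isdigit() else (0, t)
             for t in re.findall(r"\d+|[A-Za-z]+", version)]
    return parts, nb


def compare(a, b):
    """Return -1, 0 or 1 ordering version a against version b.  Shorter
    versions are padded with zeros, so '1.2' and '1.2.0' compare equal."""
    pa, nba = dewey(a)
    pb, nbb = dewey(b)
    width = max(len(pa), len(pb))
    pa += [(1, 0)] * (width - len(pa))
    pb += [(1, 0)] * (width - len(pb))
    ka, kb = (pa, nba), (pb, nbb)
    return (ka > kb) - (ka < kb)


OPS = {"<": lambda c: c < 0, "<=": lambda c: c <= 0,
       ">": lambda c: c > 0, ">=": lambda c: c >= 0}


def matches(pattern, pkg):
    """Does a pkg-vulnerabilities pattern cover this installed package?"""
    name, version = split_pkg(pkg)
    if pattern.endswith("-[0-9]*"):                  # any version of the package
        return pattern[: -len("-[0-9]*")] == name
    cut = re.search(r"[<>]", pattern)
    if cut is None:                                  # exact name-version
        return pattern == pkg
    if pattern[: cut.start()] != name:
        return False
    bounds = re.findall(r"([<>]=?)([^<>]+)", pattern[cut.start():])
    return all(OPS[op](compare(version, bound)) for op, bound in bounds)


def audit(vuln_text, installed):
    """Return [(package, type-of-exploit, url)] for every installed package
    that some vulnerability entry matches.  The pre-install check the text
    mentions is the same call with a single candidate package."""
    hits = []
    for line in vuln_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        pattern, kind, url = line.split(None, 2)
        for pkg in installed:
            if matches(pattern, pkg):
                hits.append((pkg, kind, url))
    return hits


if __name__ == "__main__":
    for pkg, kind, url in audit(VULN_FILE, INSTALLED):
        print("Package %s has a %s vulnerability, see %s" % (pkg, kind, url))
```

Run against the constructed data it reports libfoo-1.2.3 and oldtool-0.9 but not barhttpd-2.0.9, since 2.0.9 falls outside the >=2.0<2.0.7 range; the version comparison is what keeps such a check from flagging already-patched packages.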

This is really cool, and seems to be fairly rare. FreeBSD's ports system has something similar, called portaudit, but OpenBSD's ports system certainly does not. I have been unable to find anything on the web about a similar thing for Gentoo's portage or Debian's apt-get, which seem the most likely Linux package systems to include such a tool. Emailed corrections on this point are welcome.

NetBSD has clear separation of base system and extra packages

In NetBSD, everything that is installed by the pkgsrc package management system goes into (by default) /usr/pkg/. This includes configuration files, which go in /usr/pkg/etc/. There is never any ambiguity as to whether a given file was installed as part of the base system or installed by an administrator at a later date.

NetBSD has some advanced and unique security features

While OpenBSD is the operating system that most people associate with security, NetBSD is certainly not a poor performer in the security arena. The document Recent Security Enhancements in NetBSD gives a detailed overview of many present and planned security features of the operating system.

Disk encryption

NetBSD's disk encryption framework, CGD, provides support for a range of ciphers and key sizes, and is well documented. This is in contrast to OpenBSD's XXXconfig, which offers exactly one cipher and key size.

File integrity

NetBSD's veriexec framework provides kernel-level verification of the integrity of both binary and text files using cryptographic hash functions. If veriexec is used correctly, trojaned binaries will not be executed and modified config files will not be read. This is enforced by the kernel, not a userland program, so even in the event of a root compromise there is still some assurance of integrity. I am not aware of any other operating system which provides a feature like this. Emailed corrections on this point are welcome.
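The following is an added example, not NetBSD code, showing what a veriexec-style fingerprint list contains and how a stored hash exposes a modified program or configuration file. It assumes the fingerprint file layout of one "path algorithm fingerprint flags" entry per line, with DIRECT marking a program that is executed directly and FILE a plain file read by trusted programs; the files it fingerprints are constructed in a temporary directory. The real veriexec loads such a list into the kernel with veriexecctl(8) and enforces it there; a userland checker like this one can be stopped by root, which is exactly the point the text makes about kernel enforcement.

```python
"""Userland model of a veriexec(5)-style fingerprint list (added example,
not NetBSD code).  Assumed entry layout: path algorithm fingerprint flags."""
import hashlib
import hmac
import os
import tempfile

# Hash algorithm names as they appear in a veriexec fingerprint file.
ALGORITHMS = {"SHA256": hashlib.sha256, "SHA512": hashlib.sha512,
              "SHA1": hashlib.sha1, "MD5": hashlib.md5}


def fingerprint(path, algo="SHA256"):
    """Hex digest of a file's contents, read in chunks."""
    h = ALGORITHMS[algo]()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def make_signatures(entries, algo="SHA256"):
    """Build the fingerprint list for (path, flag) pairs.  DIRECT marks a
    program executed directly, FILE a plain file read by trusted programs."""
    lines = ["# path  algorithm  fingerprint  flags   (constructed example)"]
    for path, flag in entries:
        lines.append("%s %s %s %s" % (path, algo, fingerprint(path, algo), flag))
    return "\n".join(lines) + "\n"


def verify(signatures):
    """Re-hash every listed file; the result maps path -> True if the file
    still matches its recorded fingerprint.  Missing files count as failures."""
    results = {}
    for line in signatures.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        path, algo, expected = line.split()[:3]
        try:
            actual = fingerprint(path, algo)
        except OSError:
            results[path] = False
            continue
        results[path] = hmac.compare_digest(actual, expected)
    return results


def demo():
    """Fingerprint a constructed script and config file, modify the script,
    and re-check.  Returns the verdicts before and after the modification."""
    with tempfile.TemporaryDirectory() as workdir:
        tool = os.path.join(workdir, "tool")
        conf = os.path.join(workdir, "tool.conf")
        with open(tool, "wb") as f:
            f.write(b"#!/bin/sh\necho hello\n")
        with open(conf, "wb") as f:
            f.write(b"option = safe\n")
        signatures = make_signatures([(tool, "DIRECT"), (conf, "FILE")])
        before = verify(signatures)
        with open(tool, "ab") as f:            # the script changes after fingerprinting
            f.write(b"echo something else\n")
        after = verify(signatures)
        return {
            "before_all_ok": all(before.values()),
            "tool_ok_after": after[tool],
            "conf_ok_after": after[conf],
            "signatures": signatures,
        }


if __name__ == "__main__":
    verdict = demo()
    print(verdict["signatures"])
    print("tool still matches its fingerprint:", verdict["tool_ok_after"])
```

The check is the same whether the file is a binary or a text configuration file, which is why veriexec can cover both; what the kernel adds is refusing to execute or open the file when the comparison fails, rather than merely reporting it.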

Monitoring third-party package vulnerabilities

As discussed above, NetBSD's pkgsrc package management system enables nearly effortless monitoring of third-party package vulnerabilities.

NetBSD's internals are clearly documented

The NetBSD website includes a document entitled NetBSD internals which, while incomplete, does an excellent job of detailing a lot of what goes on under the hood of NetBSD. It even lets the reader know exactly which source files contain the code responsible for various things! For someone like me who is interested in operating systems and dreams of one day understanding enough to be able to contribute to one, such a resource is invaluable.

As far as I know, neither FreeBSD nor OpenBSD has this sort of documentation available. FreeBSD has a published book, and there is an older book which is probably still somewhat relevant to OpenBSD, but NetBSD takes the cake here.

Some not-so-great things about NetBSD

Just to show that I'm not a hopeless NetBSD zealot who is blind to all faults, here are a few things about NetBSD I certainly don't like:

Binary drivers in the kernel

Too much concern about looking professional

Relatively recently, the NetBSD project, like the FreeBSD project, ditched its old and well-loved logo (the group of daemons raising a flag over a pile of shattered computers, Iwo Jima style) for a bland orange flag, in the interests of being less offensive and easier to reproduce on letterheads and the like.

If you're looking for an improvement upon NetBSD in this department, once again look no further than OpenBSD, the only one of the BSDs (in my opinion) which maintains the feel of an operating system written by hackers for hackers. The OpenBSD project has a fun, cartoon mascot who appears on T-shirts and posters, and each release is accompanied by a song! The developers have made it very clear that they are writing OpenBSD for themselves alone - if other people like it and want to use it, great, but if a certain decision makes the project less appealing to the Masses or Big Business, the Masses and Big Business lose.