Package management in OpenBSD

Posted on 2018-03-29
If you have experience running any of the popular Linux distributions like Debian GNU/Linux, Arch Linux, Fedora, OpenSUSE, etc., and are trying out OpenBSD, one of the easiest things to get confused about is the package management, it's a bit different on OpenBSD.

With a few exceptions most popular Linux distributions has some kind of package manager installed in order to handle installation of third party applications in binary format. Arch has "pacman", Debian has "apt" (and several others), Fedora uses "dnf", and Alpine has "apk".

The different BSD systems also has package managers. FreeBSD has "pkg" and OpenBSD has "pkg_add".

Common to all these popular Linux distributions and FreeBSD is that packages regularly gets updated. The rolling-release distributions like Arch, Void, and the Debian "testing" version, gets updated regularly with new features, bug fixes, and security fixes from upstream, whereas the non-rolling release distributions, such as the Debian "stable" version, Linux Mint, Fedora, etc. only gets updated when serious bugs or security flaws are discovered, new features or releases of software are only available when the Linux distribution itself has reached a new release cycle.

FreeBSD is also a rolling-release system where you can run the "pkg" package manager with two different settings. The "latest" option turns FreeBSD into a rolling release like Arch or void, providing mostly bleeding edge software, whereas the default option "quarterly" only gets updates 4 times a year. This option was chosen as the default setting in order to have the software "mature" a bit first (kinda like Debian stable on steroids). One thing that is a bit different on FreeBSD from all the other systems is that FreeBSD currently separates the base system into its own. The base system never gets upgraded with "pkg", you have to use "freebsd-update" for that. However this is changing.

With OpenBSD on the other hand you don't get any binary package upgrades! You don't get new features, bug fixes, or even security fixes!

The reason for this is mainly due to a lack of resources.

On OpenBSD you generally have four different options to choose from:

  • You wait until the next release of the operating system because then you can use the package manager to upgrade all your third party packages. Depending on what software you're using, this might be okay. Not every bug fix or security fix is important. You need to determine that for yourself.
  • You track the "stable" branch and use the ports system to build and compile the packages yourself from source code. On OpenBSD the ports in the "stable" branch only gets fixes for serious bugs and security flaws, new features are not added. This is what most people on OpenBSD do and this is the preferred method.
  • You track the "current" branch. The "current" branch do get binary upgrades for the packages on a regular basis, however the "current" branch is for development. On OpenBSD the developers sometimes test new mitigation techniques that can make third party packages crash or stop working. All the developers on OpenBSD use the "current" branch and because of limited resources this is the only place where you'll find binary upgrades for the packages. OpenBSD "current" can be considered a rolling release, however stuff might break completely.
  • You setup your own custom build system that automatically build binary packages from ports and you then install those using the package manager. This is what some people do on FreeBSD who either require to build a lot of packages with custom settings, or who want even more bleeding edge software that the "latest" settings provide. People on FreeBSD use poudriere for that, but that doesn't exist for OpenBSD.

So to sum up, OpenBSD does not provide security updates for packages outside of the "current" branch. You will need to use the "stable" ports for security fixes. In order for a port to get updated it usually requires a CVE. The "current" branch will only work on "current". Things must be kept in sync with the base system version so you cannot simply use packages for "current" on the "stable" branch. The base system however always gets both security and bug fixes.

One big disadvantage on OpenBSD is that you need to track updates manually using the mailing list. Depending on how busy you are and on how many different setups you're dealing with, this can become quite tiresome, especially when you need to track software with multiple dependencies.

In the past, before ports and packages, you would need to manually get the source code for the applications you wanted to run. Then you would try to compile them, make a lot of changes and conditional compilation options, and keep doing that until the software would compile without any errors. Then you would have to figure out if the software had any dependencies (tools or libraries) that also needed to be compiled following the same process. When you where done you could use the diff utility to create a patch that you could send to the application developer and maybe he or she would then add your changes into the next release of the software. Later someone thought about sharing such diffs with other people using revision software and after some depate on different mailing lists the first version of the ports system was incorporated into FreeBSD version 1.0 in December 1993.

On OpenBSD, whether you follow "current" or "stable", getting the ports system up and running requires that you use CVS.

Lets take a look at an example.

First you need to add the normal user "foo" to the "wsrc" group:

# user mod -G wsrc foo

This change takes effect with foo's next login.

Then you must create the ports directory and set its permissions manually:

# cd /usr
# mkdir ports
# chgrp wsrc ports
# chmod 775 ports

Then you checkout the branch you're following using CVS. To fetch the "stable" src tree, you specify the branch you want with the "-r" option:

$ cd /usr
$ cvs -qd checkout -rOPENBSD_6_2 -P ports

Once you have the tree checked out, you can update it at a later time with:

$ cd /usr/ports
$ cvs -q up -Pd -rOPENBSD_6_2

Once you have the ports tree in place on your system, you can search for software. Just use make search key="searchkey" as shown in this example:

$ cd /usr/ports
$ make search key="rsnapshot"
Port:   rsnapshot-1.3.1p0
Path:   net/rsnapshot
Info:   remote filesystem snapshot utility
Maint:  Antoine Jacoutot <>
Index:  net sysutils
B-deps: :net/rsync
R-deps: :devel/p5-Lchown :net/rsync
Archs:  any

The search shows that the application "rsnapshot" has one dependency called "rsync". The ports system will automatically fetch and compile that too:

$ cd /usr/ports/net/rsnapshot
$ su
# make install

You can then find all the packages you have just compiled and installed in "/usr/ports/packages" and you can deploy these to other machines if needed.

However, compare all that to the following examples:

On Debian:

# apt update
# apt full-upgrade

On FreeBSD:

# pkg update
# pkg upgrade

On Arch:

# pacman -Syu

On Void:

# xbps-install -Su

As a result of the above "tiresome" procedure on OpenBSD, some people decided to create M:Tier's OpenBSD packages and binpatches:

Keeping your installed OpenBSD packages up to date is hard and time-consuming. Nobody wants to read the mailing lists to spot security fixes and/or updates never mind wanting to build new packages from their ports tree and manually install them on each of their servers and/or desktops. For this reason M:Tier is launching a new package repository which includes the latest security fixes and critical updates. It's easy to setup and even easier to maintain. you don't need to do anything anymore. M:Tier will even notify you by e-mail if there's an update available (unless you opt-out).

The M:Tier team comprises various open source developers, some from the OpenBSD project itself. However, I personally have no experience using their services.

Regarding the OpenBSD base system, you can always keep that upgraded with binary upgrades using syspatch.

I hope you have found the information above useful.

OpenBSD is still fantastic, you just need to choose the right tool for the job and plan how you can manage these challenges in an effective manner.

If you have any comments or corrections feel free to email them to me.

Further reading

Ports collection

OpenBSD Ports

FreeBSD packages and ports

M:Tier's OpenBSD packages and binpatches

A discussion about M:Tier's solution on Hacker News