Package management in OpenBSD

Outdated content

Published on 2018-03-29. Modified on 2021-01-15.

If you have experience running any of the popular Linux distributions like Debian GNU/Linux, Arch Linux, Fedora, OpenSUSE, etc., and are trying out OpenBSD, one of the easiest things to get confused about is the package management, it's a bit different on OpenBSD.

UPDATE 2021-01-15: Third party packages now get binary updates for stable, but only security issues or other major fixes. The information below regarding OpenBSD is mostly outdated. Please see Security Updates. Simply use # pkg_add -u to update your third party packages.

With a few exceptions most popular Linux distributions has some kind of package manager installed in order to handle installation of third party applications in binary format. Arch Linux has pacman, Debian has apt, Fedora has dnf, and Alpine has apk. The different BSD systems also has package managers. FreeBSD has pkg and OpenBSD has pkg_add.

Common to all these popular Linux distributions and FreeBSD is that binary packages regularly get updated. The rolling-release distributions like Arch Linux, Void Linux, and the Debian Linux "testing" version, get updated regularly with new features, bug fixes, and security fixes from upstream, whereas the non-rolling release distributions, such as the Debian Linux "stable" version, Fedora, etc. only get updated when serious bugs or security flaws are discovered, new features or releases of software are only available when the Linux distribution itself has reached a new release cycle.

FreeBSD is also a rolling-release system where you can run the pkg package manager with two different settings. With the setting latest FreeBSD is turned into a rolling release like Arch Linux or Void Linux, providing mostly bleeding edge software, whereas the default option quarterly only gets updated 4 times a year. This option was chosen as the default setting in order to have the software "mature" a bit first (kinda like Debian "stable" on steroids). One thing that is a bit different on FreeBSD from all the other systems is that FreeBSD currently separates the base system into its own. The base system isn't touched by the package manager and you have to use the tool freebsd-update for that. However that is changing.

With OpenBSD you don't get any binary package upgrades for third party packages. You don't get new features, bug fixes, or even security fixes. The reason for this is mainly due to a lack of resources.

On OpenBSD you generally have four different options to choose from:

• You wait until the next release of the operating system because then you can use the package manager to upgrade all your third party packages. Depending on what software you're using, this might be okay. Not every bug fix or security fix is important. You need to determine that for yourself.
• You track the "stable" branch and use the ports system to build and compile the packages yourself from source code. On OpenBSD the ports in the "stable" branch only gets fixes for serious bugs and security flaws, new features are not added. This is what most people on OpenBSD do and this is the preferred method.
• You track the "current" branch. The "current" branch do get binary upgrades for the packages on a regular basis, however the "current" branch is for development. On OpenBSD the developers sometimes test new mitigation techniques that can make third party packages crash or stop working. All the developers on OpenBSD use the "current" branch and because of limited resources this is the place where you'll find binary upgrades for the packages. OpenBSD "current" can be considered a rolling release, however stuff might break completely.
• You setup your own custom build system that automatically build binary packages from the ports collection and you then install those using the package manager. This is what some people do on FreeBSD who either require to build a lot of packages with custom settings, or who want even more bleeding edge software that the "latest" settings provide. People on FreeBSD use poudriere for that. On OpenBSD there is dpb - the distributed ports builder.

So to sum up, OpenBSD does not provide regularly security updates for third party packages outside of the "current" branch. You will need to use the "stable" ports for security fixes. In order for a port to get updated it usually requires a CVE. Packages from the "current" branch will only work on "current". Things must be kept in sync with the base system version so you cannot simply use packages for "current" on the "stable" branch. The OpenBSD base system always get both security and bug fixes.

In the past, before ports and packages, you would need to manually get the source code for the applications you wanted to run. Then you would try to compile them, make a lot of changes and conditional compilation options, and keep doing that until the software would compile without any errors. Then you would have to figure out if the software had any dependencies (tools or libraries) that also needed to be compiled following the same process. When you where done you could use the diff utility to create a patch that you could send to the application developer and maybe he or she would then add your changes into the next release of the software. Later someone thought about sharing such diffs with other people using revision software and after some debate on different mailing lists the first version of the ports system was incorporated into FreeBSD version 1.0 in December 1993.

On OpenBSD, whether you follow "current" or "stable", getting the ports system up and running requires that you use CVS.

Let's take a look at an example and pretend our user is called "foo".

First you need to add the normal user "foo" to the "wsrc" group:

# user mod -G wsrc foo

This change takes effect with foo's next login.

Then you must create the ports directory and set its permissions manually:

# cd /usr
# mkdir ports
# chgrp wsrc ports
# chmod 775 ports

Then you checkout the branch you're following using CVS.

If you are following "current":

$ cd /usr
$ cvs -qd anoncvs@anoncvs.ca.openbsd.org:/cvs checkout -P src

To fetch the "stable" src tree you need to use the "-r" option:

$ cd /usr
$ cvs -qd anoncvs@anoncvs.ca.openbsd.org:/cvs checkout -rOPENBSD_6_5 -P src

Once you have the tree checked out, you can update it at a later time with:

$ cd /usr/ports
$ cvs -q up -Pd -rOPENBSD_6_5

Once you have the ports tree in place on your system, you can search for software using the key="searchkey" option as shown in this example:

$ cd /usr/ports
$ make search key="rsnapshot"
Port:   rsnapshot-1.4.2p0
Path:   net/rsnapshot
Info:   remote filesystem snapshot utility
Maint:  Antoine Jacoutot <ajacoutot@openbsd.org>
Index:  net sysutils
L-deps:
B-deps: :net/rsync
R-deps: :devel/p5-Lchown :net/rsync
Archs:  any

The search shows that the application "rsnapshot" has one dependency called "rsync". The ports system will automatically fetch and compile that too:

$ cd /usr/ports/net/rsnapshot
$ su
# make install

You can then find all the packages you have just compiled and installed in "/usr/ports/packages" and you can deploy these to other machines if needed.

However, compare all that to the following examples:

On Debian Linux:

# apt update
# apt full-upgrade

On FreeBSD (pkg will automatically run the update option first):

# pkg upgrade

On Arch Linux:

# pacman -Syu

On Void Linux:

# xbps-install -Su

As the procedure on OpenBSD can become a bit tiresome, some people decided to create M:Tier's OpenBSD packages and binpatches:

Keeping your installed OpenBSD packages up to date is hard and time-consuming. Nobody wants to read the mailing lists to spot security fixes and/or updates never mind wanting to build new packages from their ports tree and manually install them on each of their servers and/or desktops. For this reason M:Tier is launching a new package repository which includes the latest security fixes and critical updates. It's easy to setup and even easier to maintain. you don't need to do anything anymore. M:Tier will even notify you by e-mail if there's an update available (unless you opt-out).

The M:Tier team comprises various open source developers, some from the OpenBSD project itself. However, I have no personal experience using their services.

Regarding the OpenBSD base system, you can always keep that upgraded with binary upgrades using syspatch.

Despite the problems described above OpenBSD is still amazing, you just need to choose the right tool for the job and plan how you can manage these challenges in an effective manner.

Further reading

• A discussion about M:Tier's solution on Hacker News
• Ports collection
• OpenBSD Ports
• FreeBSD packages and ports
• M:Tier's OpenBSD packages and binpatches