Long term support considered harmful
 

http://www.tedunangst.com/flak/post/...idered-harmful

I would say both sides of that debate have good arguments. A short support cycle forces people to upgrade sooner, causing bugs to disappear sooner, whereas a long release cycle removes the need to upgrade often. Those in the latter camp could argue that frequent upgrades are inconvenient for large networks. Possibly servers as well, although that would be mitigated by the safer upgrades. Myself, I prefer long periods between upgrades, but I found the last OpenBSD upgrade to be easy. If every upgrade is as flawless as that one, I could quickly get used to frequent upgrades.

As often, everything has two sides.
Yes, upgrading more often may wash out old bugs faster.
But it also increases the chance of being hit by new bugs.

I am somewhat irritated that OpenBSD has the same support cycle as Fedora (never realized that before, since I only had short testing runs with OpenBSD), yet we recommend OpenBSD for servers, while usually Fedora (and other distributions with short support cycles) is dismissed for that use case. Yes, I know that OpenBSD still is more secure and stable, due to the different focus of the development team, but how can we ever know with such a short release cycle (read:testing phase)?
Or am I missing something?

Anyways, following that logic, wouldn't a rolling release model fit best for OpenBSD?

There is a testing phase built in to the 6 month development period, that is, they're not developing, adding new features right up to the May 1st release date of OpenBSD 5.7. The team asks for bug reports and a number of users run OpenBSD -current and help with bug fixing.
I've been an OpenBSD user since 5.0 and it is my favourite BSD.

This quote was posted on DaemonForums today. It shows the difference between the rapid release model used by some Linux distributions and the one used by OpenBSD. If Fedora operates anything like Ubuntu, new software will be added before it is ready in order to meet the release deadline. OpenBSD only adds new software if it can be made ready before release. If it is not yet ready, the software must wait for a later release. I do not know how similar Fedora's attitude toward adding new software is to Ubuntu's, but Fedora is known for having occasional bugs.

So OpenBSD's release model works like Debian's, with some type of freeze phase, only much shorter. That makes sense, thanks for clarifying.

OpenBSD is an operating system. As such OpenBSD should be compared (roughly) with the Linux kernel rather than a Linux distribution such as fedora/Red Hat who do not develop their own kernel and base system - if it should be compared at all.

In general terms, OpenBSD (as with other BSD forks) is much smaller than a given Linux distribution and almost everything in the base system is developed by OpenBSD developers, or if not, extensively audited and/or specially built to conform (for example X.org (xenocara) which has proper privilege separation as standard among other things (yes OpenBSD actually has X.org as a 3rd party component of it's base system unlike other *BSDs where it's a port).
They are their own upstream, as such their testing process is probably much more streamlined and do not include the same 3rd party software as a Linux distribution like fedora or Debian (who pretty much throw anything and everything into the mix) and happen to have a well proven track record. They also manage to develop software such as OpenSSH, OpenNTPD and LibreSSL and more.

The 'best' OpenBSD branch is OpenBSD -current. You could consider this "rolling", but in the Linux world, that term usually refers to some Linux distribution which constantly pushes out 'bleeding edge software' ready or not. OpenBSD -current is anything but that.

http://www.openbsd.org/faq/faq5.html#Flavors

The important difference here between OpenBSD and your example fedora, is that, as is the case with most *BSD operating systems, the base system is OpenBSD, the ports tree is not - it's 3rd party software. In most *BSD OSs ports install to the /usr/local target, rather than /

This means that ports can be built and installed as a non root user.

It's best to read the official explanation: http://www.openbsd.org/faq/faq15.html#Intro

A given OpenBSD -release provides pre-built ports known as 'packages', to update these at all, you have three options:

1) Wait 6 months until the next OpenBSD release and ports rebuild.
2) Follow the -stable branch and build from source via the ports tree.
3) Sort it out yourself.

If you go to the openbsd-misc mailing list asking questions about out of date ports, you can expect to get ignored.

Thanks for the further clarification, I think I understand it now.

You missed one.

4) Use pre-built binary packages from a 3rd party such as M:Tier (https://stable.mtier.org/)


Also, last time I looked into this, while there is a -stable branch for base, there was no maintained -stable branch of 'ports'.

I didn't miss it, I didn't cover it, as it's not part of the official release/ports tree.

Just as there are ports for -release and -current, there are ports for the patch branch (-stable). I happen to use them.

I tend to use binary packages. I will occasionally use ports from the -release branch. At the moment I don't have ports installed. As my openbsd box is now a faster machine I may use ports on 5.7.

It's fine to use binary packages and stick to -release + errata patches. In fact I might revert to that when 5.7 is released as these days I'm short of time to rebuild the base system and especially ports when something gets updated.

Thanks for the reply. I am quite comfortable now with patching -release with errata. If it works, why mess with success? OpenBSD 5.7 is shaping up to be a stellar release. :)

Interesting, I'm certain that when I looked into this a few years back there was no ongoing maintenance of '-stable' ports due to developer resourcing issues and the consensus was that if you needed updates between releases you ran current. Maybe things have gotten better now though. I see the FAQ says that -stable ports are supported for the latest release only, so that's still 6 months shorter than the base, so clearly resourcing is still something of an issue but its something.

Long term support is good.

But when we see news that security bugs were undetected for long times, there is hardly any reason to panic for bugs.

Just keep updating to reduce the chance of being hacked.

And openBSD is good for sure.