[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Openwall GNU/*/Linux 3.0 is out, marks 10 years of the project


I am pleased to announce that we have made a new major release of
Openwall GNU/*/Linux, version 3.0.  ISO images of the CDs for i686
and x86-64 are available for download via direct links from:


The ISOs include a live system, installable packages, the installer
program, as well as full source code and the build environment.
The download size is under 450 MB (for one CPU architecture).

Additional components, such as OpenVZ container templates, are available
from the appropriate directories on the mirrors:


Openwall GNU/*/Linux (or Owl for short) is a small security-enhanced
Linux distribution for servers, appliances, and virtual appliances.
Owl live CDs with remote SSH access are also good for recovering or
installing systems (whether with Owl or not).  Another secondary use is
for operating systems and/or computer security courses, which benefit
from the simple structure of Owl and from our inclusion of the complete
build environment.

This release marks roughly 10 years of our project - development started
in mid-2000, and Owl 0.1-prerelease was made public in 2001.  Curiously,
most other "secure" Linux distros that appeared at about the same time
are no longer around.  (EnGarde Secure Linux appears to be the only
exception, but it is completely different both in approach to security
and in functionality.)

With the 3.0 release, the Owl 2.0-stable branch is formally discontinued.
We intend to proceed with further development under Owl-current and to
maintain the newly-created Owl 3.0-stable branch until the next release,
as usual.  (Owl 3.0-stable will be made available as soon as it starts
to differ from the 3.0 release.)

Here's how upgrades from Owl 2.0-release, 2.0-stable, or from pre-3.0
Owl-current to Owl 3.0 may be performed:


(To upgrade from an even older version of Owl, you need to upgrade to
Owl 2.0-release in the same fashion first.)

Many of the enhancements since Owl 2.0 are documented in the change log:


They include:

- x86-64 support;
- move to RHEL 5.5-like Linux 2.6 kernels (with additional changes);
- kernel in an RPM package designed to allow for easy non-RPM'ed
kernel builds as well (optional);
- integrated OpenVZ container-based virtualization support (optional);
- "make iso" and "make vztemplate" targets in the build environment
(to easily generate new Owl CD images and OpenVZ container templates);
- ext4 filesystem support (in fact, Owl 3.0's installer offers ext4 by
default, with ext3 and ext2 still available as options);
- xz compression support (LZMA, LZMA2) throughout the system (not only
xz* commands, but also support in tar, rpm, less, color ls output);
- a few new packages (smartmontools, mdadm, cdrkit, pciutils, dmidecode,
vzctl, vzquota, xz);
- lots of package updates;
- improved hardware compatibility and more intuitive installation process;
- credentials logging in syslogd (the sender's UID and PID are logged
unless the sender is root);
- key blacklisting support in OpenSSH;
- and many other enhancements and corrections.

A curious detail is that there are no SUID programs in a default install
of Owl 3.0.  Instead, there are some SGIDs, where their group level
access, if compromised via a vulnerability, can't be expanded into
root access without finding and exploiting another vulnerability in
another part of the system - e.g., a vulnerability in crontab(1) or
at(1) can't result in a root compromise without a vulnerability in
crond(8) or in a critical system component relied upon by crond(8).

Feedback is welcome via the owl-users mailing list.  Specifically, you
may use this opportunity to vote for changes to make and features to
implement during post-3.0 development leading up to the next release.



P.S. John the Ripper achieves over 50M c/s at cracking DES-based
crypt(3) on a quad-X7550 machine (32 cores, 64 logical CPUs), with one
of the OpenMP patches:


It also achieves over 20M c/s on a more humble dual-X5460 machine
(8 cores, 8 logical CPUs), cracking 400k passwords from Gawker:


Oh, and there's a new OpenMP-enabled build for Mac OS X here:


This one is by Erik Winkler, as usual.

I just thought you might enjoy these items too. ;-)