| ▲ | n4r9 3 days ago |
| I'm not that familiar with OpenBSD but my impression was that the team is extremely security conscious. To the point that "there is insecure software in there already" is not an excuse. Perhaps I'm wrong about that? |
|
| ▲ | ninjin 3 days ago | parent | next [-] |
| It is not an excuse, you are perhaps just not familiar with how software is handled by OpenBSD and other free operating systems. You have a base system, which includes the kernel, user land, etc. Then on top of this you have ports and packages, usually in a different source tree. Unless you have a nearly insane amount of resources, vetting all those ports and packages is incredibly hard if not impossible (think Canonical and Red Hat level of funding, when on a good year OpenBSD raises ~USD 500,000 and Red Hat's revenue is in the billions) and even then there will generally be different tiers of support. Thus, the strongest guarantees will always be with the base system as it is installed by everyone and outside of Linux also developed by a single team. Yes, plenty of ports such as Firefox on OpenBSD have some great security patches applied, but expecting all the over 10,000 ports to have the same level of quality and attention applied as what is in base is unrealistic no matter how much security and correctness is a priority. I have maintained ports and packages across the Linux and BSD ecosystems for a good while now and I have more confidence in what OpenBSD has in ports based on my own experience compared to several Linux package managers. However, that does not mean that I will try to pull out a random OpenBSD package and expose it to the Internet before doing due diligence. |
| |
| ▲ | n4r9 3 days ago | parent | next [-] | | Thanks v much for the info. You're right, I'm unfamiliar with this process and its resource constraints. | | |
| ▲ | ninjin 3 days ago | parent | next [-] | | No worries, glad to help. I should also have added that on OpenBSD (and BSDs in general) base is much more complete than on most Linux distributions. I run a web, name, and mail server using OpenBSD and I do not need a single port or package for this. SMTP daemon, DNS daemon, web server, TLS certificate handling, etc. It is all in base and works together coherently, which is what draws people like me to BSDs. | | |
| ▲ | 3 days ago | parent | next [-] | | [deleted] | |
| ▲ | n3storm 3 days ago | parent | prev [-] | | Most Linux distros can do that without any external or extra repository. | | |
| ▲ | ninjin 3 days ago | parent | next [-] | | That is not the same as in base though. For example, the NixOS developers maintain a large chunk code to generate scaffolding around systemd and to build code via Nix. They do not take a web server, fork it, and maintain it (alternatively, write that web server from scratch as is the case for httpd(8)). When I set up that OpenBSD server, I install the base system, place the configurations, start the daemons, and I am set. Not a single line of code runs outside of what is in the base repository. I realise that the way BSDs do things is very different from Linux, but in BSD land the same people write the kernel, user land, and maintain the ports tree. With this I am not saying it is superior, but it does lead to a very different experience both as a developer and user. Yes, there are some exceptions to this like clang, the AMD GPU driver, etc. But the overall picture is true. | |
| ▲ | seethishat 3 days ago | parent | prev [-] | | Right, the difference is those daemons are written by other teams/people who have various experience/knowledge/security requirements for their software. The daemons in OpenBSD base are all written and maintained by the same team with members who have similar knowledge, expectations and experience with regard to software and security, etc. |
|
| |
| ▲ | johnisgood 3 days ago | parent | prev [-] | | You could think of ports as 3rd party packages, whereas base is not. |
| |
| ▲ | anthk 3 days ago | parent | prev [-] | | OFC the correct solution there would be patch and pledge/unveil CDE. |
|
|
| ▲ | ch_123 3 days ago | parent | prev [-] |
| Most of the security guarantees are made about the base install of the OS, which is mostly code which the OpenBSD team maintains and develops. The code in ports is mostly subject to the same security issues that exist elsewhere, except where facilities of OpenBSD block them (or the code has been patched by the port maintainers). |
| |
