You are correct; OpenBSD is secure by default. And it's not subjective at all.

The homepage of https://www.openbsd.org proudly states "Only two remote holes in the default install, in a heck of a long time!" if they didn't have the evidence to support the statement, the internet would have forced them to remove it by now. ;-)

Remote (exploitable) holes are the ones we all care about.

▲

bombcar 3 hours ago | parent [-]

The key (and not saying it's bad, mind you) is that the default install has very few services installed, let alone running or open.

So even if Debian and OpenBSD ship the exact same web server, but Debian has it defaulted installed and on, but OpenBSD does not, then a remote exploit won't count against OpenBSD.

	▲	Melatonic 2 hours ago \| parent \| next [-]
		Isn't that a good thing for certain use cases ? If you are building an appliance type thing (say a storage or networking device) then you would want something minimalist you can add only the necessary services on. And arent those the types of devices the BSD (in general) are used for ? Less attack surface always equals less potential for bugs/flaws/exploits regardless of how good red teaming tools and workflows get. Now obviously for other use cases Linux could be a much better option.
	▲	binkHN 3 hours ago \| parent \| prev [-]
		There was a time when Linux distributions shipped lots of things on by default; OpenBSD bucked the trend and did not. This is less of an issue nowadays.