Re: [SLUG] Linux the free operating system

From: Kwan Lowe (kwan@digitalhermit.com)
Date: Fri May 27 2005 - 23:07:05 EDT


steve szmidt wrote:
> I personally agree with most but this is not entirely correct. OBSD uses
> amongst other things random memory allocations, privilege separation and
> revocation. ProPolice handles buffer overflows, and so on. These features
> keep the machine secure in user space as well.

Agreed -- these features are very good to have. Linux is incorporating
some aspects of the OpenBSD kernel with grsecurity and SELinux. Other
projects such as OpenWall deal with stack invalidation. TCP ISN
randomization has been addressed. Distros are doing a better job of
shipping "secure by default" configurations. You could say that Linux
kernel development is cherry picking the best features of OpenBSD (and
vice versa). It's certainly not as cohesive as OpenBSD, but allows more
of a buffet approach.

It's also important to keep in mind that AFAIK, the ports tree does not
undergo the same code audit as the base. 99% of the exploits come from
applications, not from the kernel. This is true for Linux and perhaps
doubly so for OpenBSD.

> I'm not so sure if I'd give up the above OBSD features for the faster stack.
> When you leave x86 OBSD gets even better as you can get even better (more
> security minded processors) with f.ex. Sun.

I have to disagree here. I'm willing to trade some security for the
better performance, better support (hw/sw and vendor), and better ease
of use/configuration. This is more for practical reasons than anything
else. It's hard enough to convince a manager to replace his IIS box with
Linux; imagine installing OpenBSD and not having SATA or SMP support
(almost ubiquitous for my customers' x86 systems)?

> Linux has a tremendous forward momentum and offers a number of compelling
> reasons to use with something like SELinux. My problem is that after seeing
> how ingenious good hackers are, I don't want to give up on some of these
> features that OBSD offers.

Not even for the cool penguin mascot?!?!

-----------------------------------------------------------------------
This list is provided as an unmoderated internet service by Networked
Knowledge Systems (NKS). Views and opinions expressed in messages
posted are those of the author and do not necessarily reflect the
official policy or position of NKS or any of its employees.


