> On Sat, Oct 14, 2017 at 9:27 AM, Justina Colmena <[email protected]> wrote:
> I have migrated from OpenBSD to Fedora for a couple of reasons -- and
> these may be outdated, as it has been a while.

I take it "a while" has been quite a while - ?

> * limited Unicode / UTF-8 support in OpenBSD: this was an issue
> especially for installing databases such as MySQL and PostgreSQL
> because there were no good sorting routines available for the
> non-ASCII characters which are used in almost all languages except
> rudimentary American English.

OpenBSD has supported UTF-8 since...2010ish? A long time.

> * the race conditions that were documented at one time in systrace,
> the disappearance of that utility in OpenBSD, and the lack of its
> development into anything similar to NSA's SELinux, with the detailed
> security policies that are developed for different applications and
> services -- such mandatory access control policies, effectively
> enforced, for example, theoretically make chroot totally unnecessary
> to secure apache httpd.

This could be rephrased as Linux's lack of development of anything similar to pledge :-)

If you missed pledge, Theo has several talks on YouTube about it, e.g.:

2015: https://www.youtube.com/watch?v=F_7S1eqKsFk
2017: https://www.youtube.com/watch?v=FzJJbNRErVQ

What is your ultimate goal? A secure system? There are numerous security features that OpenBSD has that Linux doesn't have and refuses to add. Does Linux have pledge? Random PIDs? Does it use arc4random all over the place because it can? Which platform would you say has a more robust set of memory protections? You could probably go to openbsd.org/security.html and use it as a checklist of security features missing in other operating systems.

Maybe for your needs, SELinux is a better choice but personally, it's all theory until someone's knocking on the door, and OpenBSD has more than proven itself in that context. Certainly, OpenBSD has the better track record.

A picture is worth a thousand words...no idea what the animated gif exchange rate is, but this has always summed it up for me re: OpenBSD security:

https://securityreactions.tumblr.com/post/80685010067/that-one-openbsd-box-during-the-pentest

> * lack of support as a virtualization host -- this need not be the job
> of OpenBSD per se, but perhaps a very lightweight, very secure
> hypervisor, such as sel4 https://sel4.systems/ for example, could
> be run with OpenBSD as its main guest and used to control other
> guests under virtualization.

OpenBSD has had native support for running as a VM host officially since 6.1 earlier this year:

http://man.openbsd.org/vmm.4

To be fair, OpenBSD developed its support for VM hosting a lot later than other projects. That's just the nature of having a smaller team - they can't focus on everything concurrently. But it's been in the works since 2015:

https://undeadly.org/cgi?action=article&sid=20150831183826

You can use vmm to run OpenBSD, Linux, etc. guests. E.g.:

https://medium.com/@dave_voutila/docker-on-openbsd-6-1-current-c620513b8110

> I do want to mention, though, that vultr.com offers as one of its
> options VPS preinstalled with OpenBSD.

BTW, you can actually run OpenBSD on any VM/VPS provider that offers KVM. There's nothing special about Vultr other than that they streamline the install. Nothing against them and they're a fine provider, but it's trivial to run OpenBSD on thousands of VM providers. Typically you mount the ISO in the provider's Solus (or whatever) control panel, boot off it in the console, and then it's a standard bsd.rd install.

--
andrew fabbro
[email protected]
