On Tue, Aug 14, 2001 at 01:04:20PM -0700, Seth Cohn wrote:
> 
> --- Christopher Maujean <[EMAIL PROTECTED]> wrote:
> > Free/Open/Net BSD's are secure by default....
> 
> By that logic, yes, Debian base is as secure.

Which logic would that be?  Does Debian have developers working full
time on bug squashing and integrating cryptography?  The thing about
OpenBSD's base install, is that it's really everything you /need/, if
not the flashiest variant.  Apache, bind, and ssh are not part of
Debian's base install.  If you install the same services on a Debian
system that come with OpenBSD's base system, the Debian machine will be
nowhere near as secure.  While those services are in OBSD's base system,
they are not enabled by default.  When debs for those services are
installed on Debian, they will be started immediately, and the system
will start those services every time the system is rebooted.

Saying Debian is as secure by default as OpenBSD is a little like saying
Windows98 is more secure by default than Debian.  

> Maybe more secure, since the security upgrades will happen
> the first time you run an upgrade.
>
To nitpick, it is then no longer the original install.  And, BTW, one
does have to do some apt configuration before the security updates will 
come in, so that's not truly a default feature. (Why security.debian.org
is by default commented out in sources.list, even after a network
install from one of the officially listed "sources", I will never know ...)

It's true, OpenBSD does not have a binary update scheme.  However,
source patches come much faster than binary patches, I believe I posted
a message about this some time ago in regards to a sudo glitch.  I got
a source patch in my mailbox approx 5hrs after the bug was posted on
bugtraq.  I ran apt-get twice a day, every day for 4 or 5 days before 
I got an updated sudo .deb.  

You're always free to make up your own binary management system ...
http://www.jakemsr.com/openbsd/binpat/ 

"Secure by default" pervades every aspect of OpenBSD, not just the
install.  Many things, including the kernel, have what some consider low
resource limits compiled in.  Binary server packages don't start the
server immediately upon install.  (This is my biggest peeve with
Debian, although I understand this behaviour may be changing.)


-- 
<[EMAIL PROTECTED]>
Debian's claim to fame is apt/dpkg
OpenBSD's claim to fame is OpenSSH
Which matters more to YOU?
