Arrgh ... this got bounced the first time because "[EMAIL PROTECTED] is not subscribed to this list". Sofa king we Todd did.

On Tue, Aug 14, 2001 at 11:30:07PM -0700, Seth Cohn wrote:

> > The thing about OpenBSD's base install, is that it's really everything you /need/,
>
> that is arguable, and I'm not qualified to do it, but some feel that the 'days since hacked' claim is because so little is turned on by default.

Partly (OK mostly, I'm a little cynical about this also), but there is stuff running like portmapper and rstatd (AKA rpc.statd, which, well, is definitely NOT secure on many systems), so there's a bit more to it than init scripts. OpenBSD was the first OS to ship BIND chrooted, for example.

> > Debian's base install. If you install the same services on a Debian system that come with OpenBSD's base system, the Debian machine will be nowhere near as secure.
>
> How so? I disagree. The Debian system can be (but agreed is not by default) set to update into whatever fixes are found for those services.

Because named, httpd, you-name-it-service is started BY DEFAULT immediately upon install, and the init scripts (or links) are modified to start the service upon reboot. Definitely not the case with OpenBSD. Installing packages/ports on an OpenBSD system will not start any services, and will not change anything in /etc (they are allowed to add config files, but cannot modify existing configs).

Also, OpenBSD doesn't wait for problems to arise and then fix them. They look for the things that could lead to problems, and fix them before the crackers figure out the exploits. Just compare http://www.OpenBSD.org/security.html and http://www.Debian.org/security.html.

> > While those services are in OBSD's base system, they are not enabled by default.
>
> Exactly, and since they are not, they are not counted as part of the security issues. Leading to the inflated 'day since hacked' claims.
My point is that by simply installing these services on Debian, you are creating a security hazard BECAUSE THE SERVICES ARE STARTED IMMEDIATELY. To me this makes no sense. Are you not supposed to read the manpages for a service before you activate it? Are you not supposed to read the config files before you activate a service? How do you do those things before you activate the service, if the service is activated when you get the files you're supposed to be reading?

> > Saying Debian is as secure by default as OpenBSD is a little like saying Windows98 is more secure by default than Debian.
>
> No... that's not fair. I think everyone agrees OpenBSD makes security its #1 focus. At Debian, it is one of many focuses.
>
> Debian by default is fairly secure. Compare this to a default install of Redhat. It will take only a matter of weeks before someone pops it with a hack. This is a known fact, due to the poor defaults installed.

Weeks? You're being too nice Seth ;P My point is that Debian's base install has much less software than OpenBSD's base install, therefore it may be as secure, but also much less useful.

> > To nit pick, it is then no longer the original install.
>
> and neither is turning on all of the needed stuff on an OpenBSD box.

True, but at least I can know what I'm getting into before the service is started. Also, what you're saying is that you have to work to make Debian more secure, and you have to work to make OpenBSD insecure, no?

> > It's true, OpenBSD does not have a binary update scheme. However, source patches come much faster than binary patches, I believe I posted a message about this some time ago in regards to a sudo glitch. I got a source patch in my mailbox approx 5hrs after the bug was posted on bugtraq. I ran apt-get twice a day, every day for 4 or 5 days before I got an updated sudo .deb.
>
> agreed. But someone is _paying_ Theo. The sudo maintainer probably isn't being paid.
Granted, Theo gets paid to port UNIX to different vendors' hardware, and some of the CD sales go to his living expenses, but the OpenBSD project is as much a volunteer effort as Debian. Or are you implying that NO ONE was EVER paid ANYTHING for ANY of the software in Debian? I bet a good amount was developed by people who were making money off the software, although probably not from direct sales of the software. Think of an ISP for example. They're using Apache, and they find a bug, fix it, and send the patches to Apache.org. Sure, they volunteered the code, but in the end, they're making money off of it. Theo's not getting paid to release OpenBSD to the public. Debian developers are not getting paid to release .debs. However, in both instances, the work is volunteered because it makes it easier for the volunteer to make money. Or do you really think the sudo (and every other) maintainer has no practical (read: monetary gain) use for the software they are maintaining? Games aside (then again, maybe they're also working for a support company that pays them to know the software ... ) maybe.

BTW, Theo didn't make the commit, or the patch for that matter. And the patch, well, it changed a whole 2 lines of code.

BTW, I get no money from OpenBSD, but I am the maintainer of a couple of its ports :)

> Apples and Oranges.

You know in high school, when they have you write those compare and contrast papers ... I actually wrote a four page paper comparing apples and oranges; got an A IIRC. I could probably pump out 10-12 pages of differences and similarities between OpenBSD and Debian.

> Is OpenBSD _more_ secure overall, yes.

You said it, not me :)

> Is it more full featured and as easy to use?

Depends what you mean by full featured. Hardware support? Yes, Linux definitely supports more hardware. Does Debian have an organized method of dealing with source code? No. Are there more binary packages for Debian? Yes, by far. Are there administration front-ends in OpenBSD? No.
Can OpenBSD run Linux binaries? Yes, I use the Linux StarOffice binary on OpenBSD. Can Debian run OpenBSD binaries? No. Can OpenBSD mount Debian partitions? Yes. Can Debian mount OpenBSD partitions? No. Are sendmail, httpd, sshd, named, pf and altq part of OpenBSD's base system? Yes. Are they part of Debian's base system? No. Can I install OpenBSD with one floppy? Yes. Can I install Debian with one floppy? No. Is IPsec part of Debian's base system? No. Is IPsec part of OpenBSD's base system? Yes.

And as far as easy to use, well, easy is pretty subjective. I find OpenBSD easier than Debian because at least with OpenBSD, I know EXACTLY where I stand. I know it is up to me to make things work, and I know I have a wonderful built-in manual that will be helpful. On top of that, the source for whatever program I'm wondering about is just a cvs up away. If you don't find reading manual pages and source code the easiest and quickest routes to problem solving, then why do you care about Open Source? If you honestly think that installing from source is the last resort, what difference does it make whether or not the source is available?

> No. In the end, is there much difference? No.

I think there is, and I DO use both Debian and OpenBSD.

> > Debian's claim to fame is apt/dpkg
> > OpenBSD's claim to fame is OpenSSH
> > Which matters more to YOU?
>
> No, Debian's claim is NOT apt or dpkg. Sorry. It's the volunteer run, free software commitment. The apt stuff is merely gravy. An RPM based Debian would still be a better distro than most others.
>
> OpenBSD's claim is not OpenSSH, it's the focus on Security. SSH is just part of that.

And I will argue that OpenBSD is also a volunteer project that has an even stronger commitment to free software. You certainly don't think a BSD license is as restrictive as the GPL, do you?
http://www.openbsd.org/[policy,goals].html

If security was the only goal of OpenBSD, then sendmail would have been replaced with qmail (which, by the way, is what powers the Debian mail servers) and BIND would have been replaced by djbdns. This did not happen because of licensing. In fact, djbware (21 ports) were removed from the ports tree (the equivalent of 'contrib' in Debian, which DOES allow non-free software) because of licensing issues.

So, we have two volunteer projects. One has produced a tool that has been ported to nearly every OS, one has not. That's what I was getting at. I mean, if I were a Solaris user, then Debian has done nothing for me, but OpenBSD has provided me with OpenSSH.

> As much as I admire Theo and his crew, and see the value in doing what they do, I continue to run Debian. I'm not ready or willing to switch to BSD for many reasons, some of which are political/philosophical, some of which are more concrete, like drivers and development cycle speed.

I too have philosophical reasons for preferring OpenBSD over Debian. The philosophies of true freedom and trust. When I write software, I put it under a BSD style license. I don't give a flying fig if someone takes that code and sells it, or modifies and redistributes it. I make it for myself, and I share it. If someone likes it, or has something relevant to say about it, then I trust they will let me know. And if they don't let me know, well, that's fine too. I don't need some words and laws to force them to do ANYTHING. If they're right on, it will happen anyway.

I've already agreed that Linux has better hardware support, but I VERY, VERY, VERY, VERY, VERY strongly disagree with the comment about development speed. OpenBSD puts out a new release every six months, give or take a week. When was potato released? It looks like 3.0 will be released before Woody also.
And 3.0 will have pf, a packet filter, which is not a trivial piece of software, especially considering OpenBSD's standards, which wasn't even planned when 2.9 was released. And what are they working on at Debian ... dpkg/apt and some GUI front ends, what else?
