Tony Lambiris wrote:
>
> On Wed, Oct 04, 2000 at 10:01:00PM -0400, Kenneth E. Lussier wrote:
> > I have a simple question. Several people today have mentioned that
> > OpenBSD is more secure. I won't get into that. But, several people made
> > the claim that there hasn't been a single remote exploit in OpenBSD in
>
> Someone misinformed you, because at www.openbsd.org, in big red letters:
> "Three years without a remote hole in the default install!" -- Quote
Quote: "During my time in the senate, I took the initiative in inventing
the internet" --Al Gore.
Quote: "Lowest prices in New England!!" Ernie Boch, Boch Toyota
Must be true......
> Also, almost all of the vulnerabilities you have listed are not part of the
> base install. They are ports you can add at a later date if you wish. As well,
> some of the other exploits can happen under 'certain conditions'. The rest are
> proof-of-concepts.
As are most of the Linux vulnerabilities. Wu-ftp certainly isn't part of
the OS ;-)
> You should've done your research before writing that last line. I'm not going
> to get into it for multiple reasons (for one, I already have, and two,
> openbsd.org has all the answers to your questions), but saying that the OpenBSD
> team isn't looking for bugs is probably the most absurd statement I've heard
> all year.
Actually, the two presidential candidates promising to uphold the
Constitution was a far more absurd statement, but that's another story
;-) You misunderstood my statement. It was quite simple: I managed to
find listings of vulnerabilities, and you yourself stated below that
there were four vulnerabilities in 1999 and seven in 2000. How is that
vulnerability free??
> Not only has the OpenBSD team, and others audited the _entire_ source code
> and fixed _many_ vulnerabilities (how many times have the other BSDs posted a
> vulnerability, just to have an OpenBSD developer follow up with, "This has been
> fixed in OpenBSD since 1998"). Not only that, but they practice proactive
> security. That means when they write new code, they have security in mind while
> writing it, unlike a lot of other coders, where they will fix the bug once the
> problem arises.
I give up, how many times? As for fixing a problem once it is discovered,
I'm glad to see that they follow the open source model.
> I highly suggest you peruse openbsd.org, and while you're there, check out the
> FAQ.
Nah... I'm actually very happy with Linux. I have no interest in going
from SysV to BSD.
> Also, just to be fair, these stats were taken from securityfocus.com:
> Number of OS Vulns by year..
> 1999: OpenBSD = 4, Redhat = 41
> 2000: OpenBSD = 7, Redhat = 40
>
> Hmm, 11 or 81. Which seems more secure to you?
Now, there are a few flaws with this:
1) RedHat is not an OS, it's a distribution.
2) Linux has never claimed to be vulnerability free.
3) I never made mention of which one was more secure. I asked about the
claim of OpenBSD being vulnerability free. And, by your own admission,
it isn't.
As to your question, which seems more secure, IMHO, neither of them. No
OS is secure. If you rely on the OS to be the only security, and leave
everything as is "by default" (there's that phrase, again), then you
will most likely have problems.
Kenny