Martin Braun <yellowgoldm...@gmail.com> wrote:

> As we all know on the front page of OpenBSD it says "Only two remote holes
> in the default install, in a heck of a long time".
>
> I don't understand why this is "such a big deal".
>
> Apart from the base system in xBSD, OpenBSD - so far - also contains a
> chrooted web server, that can't be used for much else than serving static
> content, and then the X system, which also can't be used for anything
> before installing some third party application.
>
> All in all the default install is pretty useless in itself and I am going
> to quote "Absolute OpenBSD" by Michael Lucas:
>
> «You've installed OpenBSD and rebooted into a bare-bones system. Of
> course, a minimal Unix-like system is actually pretty boring. While it
> makes a powerful foundation, it doesn't actually do much of anything.»
>
> So we need those third party applications to start the party, yet none of
> these applications receives the same code audit, security development and
> quality control as OpenBSD does.
There are many quality daemons in base, including mail, web, and name servers among others. They do receive the same code audit, security development, and quality control that everything else in base gets.

> As soon as we install a single third party application our entire operating
> system is, in theory at least, compromised as these third party
> applications get installed as root.

I don't buy this. Theo and friends are not the only competent developers in the world. There is plenty of well-written software that is simply not within the scope of this project. Be careful what you install, but realize that unless you make everything yourself from TTL chips, you're going to have to trust someone to write good code (and manufacture good hardware!).

> Maybe I am just plain stupid, but could someone explain to me the point in
> "bragging" about only two remote holes in the default install, when the
> default install is useless before you add some content to the system,
> unless you're running a web server serving static content only.

The default install doesn't have the web server running. By your logic you are "compromised" as soon as you type /usr/sbin/httpd.

The point is that the developers are proud of their accomplishment and show it. Nobody is claiming that OpenBSD is infallible. See errata.html or source-changes for evidence.

- Martin