On 2020-05-07 14:10, Consus wrote:
> On Thu, May 07, 2020 at 04:00:15PM +0200, i...@aulix.com wrote:
>> Dear OpenBSD fans,
>> Can you please comment negative appraisal from the following website:
>> https://isopenbsdsecu.re/quotes/
>> I did not want to hurt anyone, just looking for a secure OS and
>> OpenBSD looked very nice to me before I have found this website.

Perhaps you could cite which part as the parts I read should seem without merit
to anybody?

> The fun thing to do: offer $50k rewards for code execution
> vulnerabilities and wait for results.

"Apple has lately been slapping proprietary mitigations around like there’s no
tomorrow. But thing is, mitigations are often delicate creatures, with rather
fragile assumptions. Having too many of them in one place can easily make them
break one another, as happened here with execute-only memory vs PAN."

I am sure that examples of mitigations leveraging and protecting each other, or
an exploit failing because of multiple mitigations is far more common than them
hurting each other.

"I put a lot more faith in privilege separation and reduction than in all the
mitigations. I’d be really impressed by a move to a safe language… most everyone
is late to that party, so it’s a chance for someone to pull ahead if they wanted
bragging rights"

I wouldn't want to read an OS written in Rust and I would love to see secure
developments in C even if it hampers potential performance. Things like Go are
not suitable for an OS with many small programs.

Also, OpenBSD is one of the pioneers of privilege separation and most Go
programs are not privilege separated at all.

I quickly lost interest, sorry. IMO, the main thing that causes exploitations is
carelessness. OpenBSD cares and is careful!

Reply via email to