On 2020-05-07 14:10, Consus wrote:
> On Thu, May 07, 2020 at 04:00:15PM +0200, i...@aulix.com wrote:
>> Dear OpenBSD fans,
>>
>> Can you please comment on the negative appraisal from the following website:
>>
>> https://isopenbsdsecu.re/quotes/
>>
>> I did not want to hurt anyone, just looking for a secure OS and
>> OpenBSD looked very nice to me before I have found this website.
> 

Perhaps you could cite which part, as the parts I read should seem without merit
to anybody?

> The fun thing to do: offer $50k rewards for code execution
> vulnerabilities and wait for results.
> 

"Apple has lately been slapping proprietary mitigations around like there’s no
tomorrow. But thing is, mitigations are often delicate creatures, with rather
fragile assumptions. Having too many of them in one place can easily make them
break one another, as happened here with execute-only memory vs PAN."

I am sure that examples of mitigations leveraging and protecting each other, or
an exploit failing because of multiple mitigations is far more common than them
hurting each other.

"I put a lot more faith in privilege separation and reduction than in all the
mitigations. I’d be really impressed by a move to a safe language… most everyone
is late to that party, so it’s a chance for someone to pull ahead if they wanted
bragging rights"

I wouldn't want to read an OS written in Rust and I would love to see secure
developments in C even if it hampers potential performance. Things like Go are
not suitable for an OS with many small programs.

Also, OpenBSD is one of the pioneers of privilege separation and most Go
programs are not privilege separated at all.

I quickly lost interest, sorry. IMO, the main thing that causes exploitations is
carelessness. OpenBSD cares and is careful!
