On Thu, Mar 24, 2022 at 09:56:29AM -0400, Demi Marie Obenour wrote:
> As per private discussion with Theo de Raadt, OpenBSD does not consider
> bugs in its xnf(4) that allow a backend to cause mischief to be security
> issues.  I believe the same applies to its xbf(4).  Should the support
> document be updated?

I think that's already reflected in the support document:

'Status, OpenBSD: Supported, Security support external'

Since the security support is external, it's my understanding the OpenBSD
security team gets to decide what's a security issue and what is not.

That however creates differences in the level of support offered by
the different OSes, but I think that's unavoidable. It's also hard to
track the status here because those are external components in
separate code bases.

Could be added as a mention together with the Windows note about
frontends trusting backends, but then I would fear this is likely to
get out of sync if OpenBSD ever changes their frontends to support
untrusted backends (even if not considered as a security issue).

Thanks, Roger.
