On Fri, Feb 13, 2004 at 11:24:59AM +0000, Andrew Suffield wrote: > On Thu, Feb 12, 2004 at 05:09:46PM -0600, Manoj Srivastava wrote: > > 1) Do you think that OpenBSD 's repuation as a secure OS is > > justified? Does the secure part of OpenBSD provide a useful platform > > for your needs? Would SELinux meet or exceed the needs for a > > secure OS for you? > > I think that regular Debian equals or beats the exact claims made as > to openbsd's "security" (which aren't much - just regarding holes in > the default install that can lead to a remote root compromise). Note > that this mostly says "We have a default install that doesn't do > anything, too". Umm.. it's really a default install with no network services, which is usually quite ok for most users. Our "default" general install is much more bloated. Our priorities have improved from release to release but, in the eternal struggle of what's default, we have chosen usability vs. security. OpenBSD has chosen the former. > > In terms of real-world security there appears to be no difference > between Debian and openbsd at this time. SELinux would be > significantly better, but Debian can hardly claim to support that at > present. I disagree on the differences: W^X and protection against stack overflows (ProPolice), introduced in 3.3 [1] make a significant difference IMHO, Debian kernels or user-level programs do not provide any kind of protection against buffer/stack overflows currently [2]. Also, the user-space has been audited, something we cannot say we have done ourselves. [3] Regards Javi [1] http://www.openbsd.org/33.html [2] Although we have the exec-shield and Adamantix (PaX) patches are now available in testing/unstable. [3] Aside from the excellent work Steve Kemp has done for the moment auditing some programs, mostly games, provided in Debian. http://www.steve.org.uk/Debian/
Attachment:
signature.asc
Description: Digital signature