
Re: strange log entry



On Thu, May 24, 2001 at 05:41:08AM -0700, Jacob Meuser wrote:
> On Thu, May 24, 2001 at 04:06:08AM -0800, Ethan Benson wrote:
> > On Thu, May 24, 2001 at 04:50:57AM -0700, Jacob Meuser wrote:
> > > >
> > > BS, when was the last time you installed OpenBSD?  I just did an install
> > 
> > 2.5
> That was what, 2 years ago?

1.5 years or so yes, i haven't messed with openbsd in a while, i was going
to use it for my firewall but there were some problems with it so i
ditched in favor of debian.  OpenBSD's security reputation is a bit
exaggerated, with some good admining a linux box can be just as
secure...

i was also quite annoyed by its complete lack of upgradability, i
tried twice in testing to upgrade the dist from one version to another
it failed and made a mess every time, screw that i don't think much of
rebuilding a box every 6mo -> 1 year just to keep up with the times.  

> Ah, they probably caught the problem shortly before 2.6 release,
> and didn't have time to fix ftp code, but changing rc.conf was doable.

heh you're almost as cynical as i am ;-)

> Anyway, as of 2.9, portmap, rstatd, ruserd, time, daytime, comsat,
> sshd and identd are enabled by default.  

hmm maybe my memory is funky but that seems like more than i saw out
of the box... it still had more crap running than i prefer.

> Like I said, I didn't want to start a discussion about OpenBSD vs Linux,
> I have seen posts from you saying that you like some features of OpenBSD,
> /sbin/nologin for example.

it's a nice system, i like the simplicity and clean design, it's like
debian in that.  but upgrading the whole thing is simply impossible.
well maybe grabbing all source from CVS and doing make world will do
it, but i didn't try it.  the `official' upgrade system is broken.  

> I'm just curious why the 'r' tools are apparently so vulnerable in 
> Linux.  If the OpenBSD folks are willing to risk creditability by 
> claiming that their default install has no remote holes, while
> enabling portmap and rstatd by default, why can't Linux users feel 
> safe running those daemons also?

well openbsd claims to have audited everything they enable by default,
and everything in their base install (which is VERY lean).  from
reading bugtraq they seem to have a very bad habit about fixing bugs
quietly and not bothering to send patches upstream, instead posting
sarcastic messages along the lines of `oh yeah we fixed that in CVS 3
years ago' (check out the recent joe DEADJOE vulnerability for an
example). 

of course i could be wrong, and all upstream developers are just
blackholing openbsd security patches. 

-- 
Ethan Benson
http://www.alaska.net/~erbenson/
