
Re: strange log entry



On Thu, May 24, 2001 at 05:30:14AM -0800, Ethan Benson wrote:
> On Thu, May 24, 2001 at 05:41:08AM -0700, Jacob Meuser wrote:
> > On Thu, May 24, 2001 at 04:06:08AM -0800, Ethan Benson wrote:
> > > On Thu, May 24, 2001 at 04:50:57AM -0700, Jacob Meuser wrote:
> > > > >
> > > > BS, when was the last time you installed OpenBSD?  I just did an install
> > > 
> > > 2.5
> > That was what, 2 years ago?
> 
> 1.5 years or so yes, i haven't messed with openbsd in a while, i was going
> to use it for my firewall but there were some problems with it so i
> ditched in favor of debian.  OpenBSD's security reputation is a bit
> exaggerated, with some good admining a linux box can be just as
> secure...
>
True, proper administration is more important to security than
what OS is run.  To some degree, OpenBSD's reputation may be
somewhat exaggerated, but they do actively smash bugs, and correct
problems in OpenSource code.  They're also the people behind OpenSSH,
so that adds to the hype a bit.

> i was also quite annoyed by its complete lack of upgradability, i
> tried twice in testing to upgrade the dist from one version to another
> it failed and made a mess every time, screw that i don't think much of
> rebuilding a box every 6mo -> 1 year just to keep up with the times.  
>
I just upgraded a server and a firewall/router using the standard
upgrade procedures.  I had no problems.  
It's true that there's nothing like 'apt-get upgrade', but, at least
in my experience, less than an hour every six months is a reasonable
amount of time to spend upgrading.  

> > Ah, they probably caught the problem shortly before 2.6 release,
> > and didn't have time to fix ftp code, but changing rc.conf was doable.
> 
> heh you're almost as cynical as i am ;-)
>
I like to call it practical ;)
 
> > Anyway, as of 2.9, portmap, rstatd, ruserd, time, daytime, comsat,
> > sshd and identd are enabled by default.  
> 
> hmm maybe my memory is funky but that seems like more than i saw out
> of the box... it still had more crap running then i prefer. 
>
Yes, you should always disable things you don't use.  That's one thing
I like about OpenBSD, they assume you're not going to use much, and 
if you are, then you should know how to enable it.  There's no point
in starting a service before you've had a chance to look at the config 
file.
 
> > Like I said, I didn't want to start a discussion about OpenBSD vs Linux,
> > I have seen posts from you saying that you like some features of OpenBSD,
> > /sbin/nologin for example.
> 
> it's a nice system, i like the simplicity and clean design, it's like
> debian in that.  but upgrading the whole thing is simply impossible.
> well maybe grabbing all source from CVS and doing make world will do
> it, but i didn't try it.  the `official' upgrade system is broken.  
> 
> > I'm just curious why the 'r' tools are apparently so vulnerable in 
> > Linux.  If the OpenBSD folks are willing to risk credibility by 
> > claiming that their default install has no remote holes, while
> > enabling portmap and rstatd by default, why can't Linux users feel 
> > safe running those daemons also?
> 
> well openbsd claims to have audited everything they enable by default,
> and everything in their base install (which is VERY lean).  from

I have to disagree with this.  Sure you don't get zope, but you get
sendmail, bind, apache, perl, gcc, lynx, ftpd, ftp, ppp, pppd, sh, ksh, 
csh, egrep, sed, less, more, vi, ed, ex, mg ...  Pretty much everything
you need, if not the most extravagant.  Oh yeah, and X also.  The main
difference, IMHO, is that OpenBSD is more current than Debian, or
just about any "stable" distro.  Look what's in 2.9 ->
http://www.openbsd.org/29.html

> reading bugtraq they seem to have a very bad habit about fixing bugs
> quietly and not bothering to send patches upstream, instead posting
> sarcastic messages along the lines of `oh yeah we fixed that in CVS 3
> years ago' (check out the recent joe DEADJOE vulnerability for an
> example). 
>
Well, you /could/ just check their sources.  They're on the web you 
know.  http://www.openbsd.org/cgi-bin/cvsweb/  They're published
in public, what more do you really want?  It's pretty easy to find
out when and who made changes to a CVS repo, and they're pretty
particular about proper Changelogs.
 
> of course i could be wrong, and all upstream developers are just
> blackholing openbsd security patches. 
> 
Well, to some degree this may be true.  Sometimes the OpenBSD
developers, Theo de Raadt in particular, kind of come off as rude
and pretentious.  Just check the misc@openbsd mailing list archives
for some entertaining flames :)

<jakemsr@clipper.net>
