Path: euryale.cc.adfa.oz.au!newshost.carno.net.au!harbinger.cc.monash.edu.au!munnari.OZ.AU!news.ecn.uoknor.edu!solace!nntp.se.dataphone.net!nntp.uio.no!Norway.EU.net!EU.net!enews.sgi.com!news.be.com!news1.crl.com!nexp.crl.com!usenet
From: "Jordan K. Hubbard" <jkh@FreeBSD.org>
Newsgroups: comp.unix.bsd.openbsd.misc,comp.unix.bsd.freebsd.misc,comp.unix.bsd.misc
Subject: Re: Stronghold and other binaries for OpenBSD 2.0
Date: Wed, 26 Mar 1997 18:00:41 -0800
Organization: Walnut Creek CDROM
Lines: 43
Message-ID: <3339D4C9.167EB0E7@FreeBSD.org>
References: <5hbjqi$20j@ocean.silcom.com>
NNTP-Posting-Host: time.cdrom.com
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
X-Mailer: Mozilla 3.01 (X11; I; FreeBSD 2.2.1-RELEASE i386)
To: David Carmean <dlc@silcom.com>
Xref: euryale.cc.adfa.oz.au comp.unix.bsd.openbsd.misc:26 comp.unix.bsd.freebsd.misc:37788 comp.unix.bsd.misc:2887

David Carmean wrote:

> I only became aware of OpenBSD about a week ago, and have limited
> admin experience and no installation experience with FreeBSD, and
> no contact whatsoever with NetBSD.

So why not give them all a try? They're free. :)

> OpenBSD was recommended because of the security stance "out of
> the box". My question is about binary application (read: commercial)

Sigh. That stance is getting a little old. The OpenBSD people like to
focus on this because it's one of the easiest areas to claim a general
advantage without having to be too specific - how does one objectively
measure "degrees of security", after all? You can't, really, you can
only take someone's claims to that effect and either believe them or
not - it's not an easy thing to verify.

In any case, I think it's fair to say that all the *BSDs focus on
security and work closely with organizations like CERT and FIRST. The
OpenBSD group has done a lot of auditing, and this is good, but it
doesn't automatically make them C2 secure or anything.

Even if we'd done twice the auditing that OpenBSD has, I would never be
so foolish as to claim that FreeBSD was the ultimate paragon of
security right out of the box - Murphy dictates that there will always
be at least one more security problem, and true security involves
adding and configuring a lot of services away from the "out of box"
configuration anyway (things like firewall configuration, tcp wrappers,
getting users to use ssh, etc).

So, in summary, we can claim good security just as OpenBSD can, but
significantly better or worse than the other *BSDs? - I'd say they're
all pretty equal. The truly _significant_ security issues get addressed
in both groups, and just running around changing strcpy() to strncpy()
wherever you see it does NOT automagically make you more secure. :-)

> In particular, I need Stronghold to run on the box. Anyone
> done so with OpenBSD? If so, which binary set?

You'd probably have the most luck with the FreeBSD binaries.

--
- Jordan Hubbard
  FreeBSD core team / Walnut Creek CDROM.
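
Added example (not part of the original post, and not code from FreeBSD or OpenBSD): a C sketch of why a mechanical strcpy() to strncpy() swap is not a fix by itself, next to a copy that always terminates and reports truncation. The function names, the 8-byte buffer and the input string are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Mechanical strcpy() -> strncpy() swap: the write is bounded, but when
 * src has dstsz or more characters strncpy() stores no terminating NUL. */
static void copy_mechanical(char *dst, size_t dstsz, const char *src)
{
    strncpy(dst, src, dstsz);
}

/* Returns 1 if a NUL byte lies within the first dstsz bytes of buf. */
static int is_terminated(const char *buf, size_t dstsz)
{
    return memchr(buf, '\0', dstsz) != NULL;
}

/* Audited copy: always terminates dst and tells the caller about
 * truncation. Returns 0 if src fit, -1 if it was cut (or dstsz == 0). */
static int copy_checked(char *dst, size_t dstsz, const char *src)
{
    size_t n = strlen(src);

    if (dstsz == 0)
        return -1;
    if (n >= dstsz) {
        memcpy(dst, src, dstsz - 1);
        dst[dstsz - 1] = '\0';
        return -1;
    }
    memcpy(dst, src, n + 1);   /* copies the NUL as well */
    return 0;
}

int main(void)
{
    const char *input = "constructed-long-input";  /* constructed sample */
    char buf[8];

    copy_mechanical(buf, sizeof buf, input);
    printf("strncpy swap terminated: %d\n", is_terminated(buf, sizeof buf));

    int rc = copy_checked(buf, sizeof buf, input);
    printf("checked copy rc=%d buf=\"%s\"\n", rc, buf);
    return 0;
}
```

After the swapped-in strncpy() call the buffer holds eight bytes and no NUL, so any later strlen() or printf("%s") on it reads past the end; the overflow on write has only been traded for an over-read unless every call site is also reviewed.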