On Sat, Oct 30, 1999 at 10:44:54AM -0400, Paul McHale wrote:
> This was my mistake.  There is a link on the OpenBSD site to "ports".  This
> link is to the xBSD general repository which I mistakenly thought was the
> OpenBSD repository.  The ProFTP program is part of the general repository.
> Sorry for the confusion.

That's probably the OpenBSD-specific ports you're referring to. The
security status of them is a little hazy to me, since I haven't seen
anything which states they've been audited for security like the base
OpenBSD has, but I can't say for sure they haven't been, either.

> I also assume this means that OpenBSD is more secure as long as what you
> need comes with OpenBSD as part of their closer reviewed distribution.
> Installing anything else would presumably cause the same bugs under OpenBSD
> as it would under FreeBSD.

This is true, your security will only be as strong as the weakest
software you have running... OpenBSD actually comes with an FTP daemon
(which is used as the basic ftpd for Debian, it used to be part of the
netbase package), I don't think it's as feature-filled as ProFTPD, but
it's presumably a lot more secure.

> OpenBSD code review must have been quite an impressive effort to say the
> least...

I think it took them about 1.5-2 years all up, with the majority of the
problems being found and fixed in the first 6 months. Very impressive
indeed, I think they have a claim to "no remote root exploits" since the
audit now.

[ Matthew Gregan ]      [ GPG ID: B63A1E95 ]      [ [EMAIL PROTECTED] ]
[ GPG fingerprint:  FB83 2911 F170 B31C 9E4A  E382 CA8A A2F6 B63A 1E95 ]
