On Sun, Sep 27, 2015, at 01:11 PM, Matt Hamilton wrote:
>
> On 27 Sep 2015, at 18:01, Theo de Raadt <dera...@cvs.openbsd.org> wrote:
> >
> >> Quernus <m...@quernus.co.uk> wrote:
> >>> On 27 Sep 2015, at 16:10, Stuart Henderson <s...@spacehopper.org> wrote:
> >>>
> >>>> On 2015-09-27, Quernus <m...@quernus.co.uk> wrote:
> >>>>
> >>>> I actually run OpenBSD in a VM on FreeBSD using bhyve which gives me the
> >>>> best of both worlds.
> >>>
> >>> This has an impact on security, of course.
> >>
> >> In what way? If you mean the hypervisor does not provide adequate
> >> separation between VMs then that is not really an issue as I control the
> >> host and all VMs. If any are compromised then I have bigger issues.
> >
> > We don't need to make precise claims about which parts will break, nor
> > how.
>
> I’m not asking that. I was just curious as to what the basis was for the
> ‘this has an impact on security’ statement with no context or backup of
> the statement.
>
> > The problem here is the process of gluing all-the-parts together
> > without evaluating what is going on. You need not talk about big
> > issues once things go wrong -- you do have big issues right from the
> > start, just like everyone else.
> >
> > Once you hook a system up to the internet, it is the internet that is
> > trying to push the buttons of the system.
>
> Indeed, hence the statement ‘This has an impact on security, of course’
> could be applied to attaching any software or hardware of any kind to any
> kind of network. Writing this email ‘has an impact on security, of
> course’. Opening my front door in the morning ‘has an impact on security,
> of course’. It is a uselessly vague statement on its own.
>
> > By combining many disparate pieces together, you require all those
> > layers of software to make the right decisions, and never make wrong
> > decisions. You require all the programmers to be largely infallible.
> >
> > You are testing all the parts at once.
> >
> > There's a general rule which may apply here:
> >
> > More software, more bugs.
> >
> > It is clear that your priority is on gaining more operational
> > features, rather than greater quality.
>
> Yup. Alas, utopia doesn’t exist. We all have to make compromises and
> prioritise our requirements and trade-offs. For me, this is a very nice
> blend of security, manageability and convenience for my use-case. YMMV.
>
> > I know lots of people are doing the same. Anyways, good luck with it
> > long term.
>
> Thanks! I’m blogging about how it is turning out. So far seems to be
> working pretty nicely.
You really don't get it. Running OpenBSD in a VM gives you no security benefits of OpenBSD. Your base security will be your host, in this case FreeBSD. And on top of that you are running a very complex piece of software, the VM. Who knows what security holes are in it.