On Fri, May 12, 2017 at 03:41:05AM +0200, Kim Blackwood wrote:
> [...]
> Qubes-OS seems to me as a solution of "patching".

IMO this is the real point in this thread - virtualization as a security measure against buggy software doesn't make any change to that software. Virtualization or containers are not any security solution; the real solution is to analyze the design of existing applications and really abandon the ones which are crap from a security point of view, even if they have fancy features. This is hard work to be done; OpenBSD devs are great guys because they devote their personal energy to this "invisible" effort. Just look at the privsep changes implemented after the Heartbleed issue.

Virtualization and containers make sense, but what we all need is to support people - if we cannot send diffs - who are brave enough to make radical cuts in the existing open-source ecosystem, either while publicly denouncing existing buggy applications and telling people loudly to stop using them, or sending radical diffs to make those apps start moving to a more secure design. (If this turns out to be impossible, then moving to the former stand.)

Let's thank all OpenBSD devs and ports' maintainers for their great work.

j.