On Sun, Dec 29, 2019 at 01:29:12PM +0100, Henry Jensen wrote:
> Greetings,
>
> for those who didn't watch it, there is an accompanying site at
> https://isopenbsdsecu.re/
>
> Summary: There are a lot of claims. The speaker basically said, that
> some mitigations are "cool", but other, more or less, useless.
>
> Further accusations are, that OpenBSD still uses e-mail and cvs and not
> more advanced CI tools.
>
> I can't say anything to the more technical claims about useless
> mitigations, since I am not an OS developer. Is there going to be a
> response from the OpenBSD team?
>
> Regards,
>
> Henry

Hi Henry,

Thanks for sharing this, the writer of the web site was very detailed in
explaining Windows, Linux and OpenBSD (and perhaps others?) who mitigate
vulnerabilities. I for one was able to learn a bit off this, but I'm gonna
keep an open mind about it all.

I don't see it as accusations as no one is being accused here. Security in
my view is hard to get right, and in my view OpenBSD strives to do everything
right. Mistakes happen everywhere. Let's not forget that OpenBSD is an open
source project and as such isn't like Microsoft who is closed source. Also
there are differences in licensing with regard to Linux.

I'd like to point to the last line of this website:

"This could likely be improved with systematic security engineering."

I think OpenBSD does a very good job already, read Theo's commits. If they
aren't systematic then I don't know what is. Also consider the difficulties
an open source project faces in a capitalist world. Even in the communist
world it would struggle, so let me repeat, consider the difficulties an open
source project faces _in the world_. Time is the master here, and OpenBSD has
finite time and resources, much less than Microsoft has. So even comparing
Windows with OpenBSD is not a fair scale.

I'm glad I was able to give my biggest donation this year. Next year will
not be as high I think but I will try to match next decade with this last
decade. Should be fun, and I hope everyone else has fun too.

Regards (and happy new year/decade to all),
-peter