On 2008/01/10 14:44, Nikns Siankin wrote:
> >> # Do not let serious problems sit unsolved.
> >> OpenBSD doesn't need MAC because it has their own security flawed
> >> systrace.
> >
> >i do not get the point. seriously, have you ever used systrace?
>
> Sure I do, but it's flawed now anyway.

even flawed, systrace is damn useful, porters use it all the time to help detect when ports need extra work to make sure they install things to the right place.

> OpenBSD needs MAC.

you haven't said anything to convince me about that... you might see a need for it, but plenty of people don't.

> >> # Use of Cryptography.
> >> OpenBSD uses file-backed encryption (svnd) which is very suited
> >> for Full-disk-encryption. NOT.
> >
> >wrong. i use it on a whole raid 1 disk for example, no problems here.
>
> Me too. I'm talking about full-disk-encryption, which doesn't seem to
> be easy hack.

of course not. if it were easy, it would most likely be already available. it *is* being worked on though. see the last paragraph in http://www.onlamp.com/pub/a/bsd/2007/11/01/whats-new-in-bsd-42.html?page=last

> >> # Full Disclosure.
> >> OpenBSD at first denies remote exploitable flaws.
> >> DoS flaws gets marked as reliability not security issues.
> >
> >what's the problem?
>
> Denial of Service stands for AVAILABILITY.
> Information security goals are confidentiality, integrity AND availability.

'security fix' is a way of saying, look, this is *important*, read it right away, if it affects you and you can't work around, patch urgently. if you start calling every problem a security fix, people won't take the real security fixes seriously. of *course* people interested in availability should treat reliability fixes as a high priority too. and it's absolutely clear how OpenBSD errata are labelled so there's no excuse not to. but for some (I think most) people, a bug resulting in crashes is *far* less of a problem than a bug resulting in unauthorised control of your machines. so it's a good thing that they're labelled differently.

> I get lot of response offlist.
> It seems that people are afraid to discuss these issues onlist,
> guess because of this "YOURE WHINER" or "DONT LIKE DONT USE" attitude.

maybe also because, having just had something of a flamefest, they're wary of fanning this fire.