On Tue, Dec 23, 2008 at 5:34 AM, Henning Brauer <lists-open...@bsws.de> wrote:
> * Douglas A. Tutty <dtu...@vianet.ca> [2008-12-23 05:45]:
> > On Tue, Dec 23, 2008 at 02:41:08AM +0100, Henning Brauer wrote:
> > > * Jussi Peltola <pe...@pelzi.net> [2008-12-11 20:52]:
> > > > On Thu, Dec 11, 2008 at 10:30:50AM -0800, Jeff_1981 wrote:

> > > many thing from ports are patched or otherwise modified for security
> > > reasons, and many things are deliberately NOT in ports due to security
> > > considerations. nontheless there is truth in your above statement;
> > > averaged things from ports are not on the same level as openbsd.
> >
> > Has anybody done any comparisons to see how things from ports
> > (especially common things like firefox) compare to the competition's
> > packages (rpms, debs, whatever)?  I know that the ports don't get
> > audited like base, but then I don't think anyone else's does either.
> >
> > In other words, if you need a box with multiple third-party apps, (let's
> > say that none of them are server apps), (eg, firefox, a window manager or
> > DTE, mutt, LaTeX, gv, a pdf reader), which box would be more secure
> > (with the same admin): OpenBSD with ports or a Linux (e.g. Debian)?
>
> easy - OpenBSD. Linux doesn't have propolice, randomized malloc/mmap,
> randomized library addresses etc yadda yadda yadda.
>
> crappy applications are still crappy applications on OpenBSD, but
> worse on pretty much any other OS.

However, using Debian's packages as an example, the Debian security team
backports security fixes from upstream versions to the version in Debian
Stable in an effort to fix security bugs without introducing new
features (and perhaps new bugs) by just having users install the latest
version.  

IIUC, with ports right now, to get security fixes you have to run
current and then you end up getting the latest versions of the upstream
package.  For conceptual purposes, I'm thinking of Firefox as the
upstream package in question since it seems to have the most frequent
security fixes of any one upstream package.

With this in mind, is it still a safe or fair assumption that if you
only want a box that does web browsing in the most secure mode possible
(for a web browsing box), let's say for something like internet banking,
is OpenBSD + Firefox from ports going to be more secure than e.g. Debian
base + Iceweasel (their off-brand Firefox)?

Doug.
