
The totally-not-meme operating system OpenBSD :marseycarp3: is adding guided encrypted root to their installer. :marseyglow2: An Orange Site user asks if their security is any better than Linux :marseypenguin:

https://news.ycombinator.com/item?id=35067198

my take on the OpenBSD question

I personally like OpenBSD because it runs on a lot of obscure hardware. I posted that extremely weird Chinese MIPS laptop (yes, not x86 or ARM, Intel or AMD - see this thread https://rdrama.net/h/slackernews/post/137520/homegrown-chink-laptop-marseyjewoftheorientnot-intel-or) and OpenBSD supports it entirely, the last remaining OS to do so. However, most of the OS itself is pretty meh. The filesystem situation is godawful and performance is balls on top of a lack of hardware support. The upgrade path is weird for anything but a server you’ll keep an eye on every six months (never got the obsession with “OpenBSD routers”). And I really don’t find the security posture to be anything but posturing - https://isopenbsdsecu.re/ is biased and troll-y but the info is good.

the drama

Good question: Is OpenBSD more secure than a mainstream Linux distribution, notably Debian, in their default configurations?

There is less code, but there are fewer developers too. For example, basic support for disk encryption (an important security feature) was added to the OpenBSD installer in 2023.

Perhaps people familiar with the software development process in both could chime in.

:ma#rseytroll:

Questioning OpenBSD’s security approach is bound to get bites.

Yes and No. Both modern Linux and OpenBSD have their pros and cons. For example, security works better in the onion layers, which can increase complexity. With Linux, you get a modern stack such as Linux containers or ZFS if you want those excellent filesystem features. Are you using containers for development and deploying apps? Using Linux would simplify the process (of course, you can set up a Linux VM under OpenBSD and run Docker). On the other hand, OpenBSD is a compact OS. Less code == fewer bugs (at least in theory). Some of their code, such as OpenSSH, is widely used by Linux, Windows, and major IT vendors in their devices. OpenBSD devs do write reliable code. In short, use whatever gets your work done quickly, which also keeps you or your devs/users happy. That is all that matters. Apart from that, it would be best if you took all other precautions to secure your OS, such as regularly applying patches, using firewalls, installing an ad blocker, not downloading unwanted stuff and not clicking on links, regardless of whether it is Win11, macOS, Debian/Ubuntu Linux, or OpenBSD.

:marseylongpost#:

Dude uses a lot of words not to say much or answer the question.

OpenBSD's default configuration has basically nothing running. Once you actually set it up for a use case, it isn't much better (you'll likely be running software you would on Linux that wasn't audited) and might even be worse given it lacks a lot of security features Linux has (meaning you have less control over how to lock down things in the case of a hack).

:marseyhesrigh#t:

This is probably the biggest thing with openbsd that’s posturing -

Nothing besides the base system has security guarantees.

The second you install something with pkg_add you’re no longer running a “zero holes” system. Is it still cool the base system is designed with security in mind? Kind of. Is it really useful? Not particularly. Usually you have an OS to run other applications.

False. OpenBSD's daemons are patched, sandboxed and reviewed, and lots of software is compiled with secure CFLAGS and LDFLAGS, along with some tweaks for browsers with pledge and unveil.

It's not false. No significant services are running by default, and for it to do anything useful you have to install and/or enable whatever services you want. Semantics doesn't change that.

Again the dude is right. There’s some security shit they add but it’s mostly security theatre imo.

Linux has a richer set of security features available than OpenBSD, in some areas.

One is the mandatory access control of SELinux, used extensively in Android (probably the most widely-used Linux distribution of them all). This has no OpenBSD equivalent, as far as I know.

Another is that the Linux kernel has some compiled-in exploit mitigations enabled that OpenBSD doesn't, such as automatic bounds checks on fixed-size array access (based on UBSan).

That's not true. There is pledge(2) and unveil(2) (just to start) and the whole point of them is to make it usable. Some Linux distros have a basic config for SELinux, but if you need to change it for anything, it's so difficult that most people just end up disabling it, thus making it less secure than a default OpenBSD install.

Besides this, it changes the perspective of who is the best person to configure the security features. OpenBSD makes this a decision for the developer of the application, who should know better about it than a random sysadmin who most probably won't even open the source code to know better (this is the approach SELinux takes).

pledge and unveil are not even close to being full alternatives to something like SELinux.

It’s pretty common in the *BSD space to come up with a couple good ideas and then beat them to death as though Linux doesn’t have a similar method or an older one that was invented first. :marseyeyeroll:

Your comment is clearly sarcastic in tone, yet since the words are mostly truthful, I'll take your apology, and hope you actually learned something from this encounter, although it seems unlikely.

Best of luck to you.

:marseyxd#:

New snappy quote? I saw this down thread and it’s very funny.

There’s plenty more seethe in the thread, including someone saying the OpenBSD community is very mean (they are).
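The developer-side sandboxing that the quoted HN comment credits pledge(2) and unveil(2) with, as an added example that is not part of the thread: the program finishes its setup, then unveils only the one path it still needs and pledges a minimal promise set. The no-op stubs for non-OpenBSD systems are an assumption so the file logic runs elsewhere; only OpenBSD actually enforces the restriction.

```c
/* Added example (not from the thread): developer-side sandboxing with
 * unveil(2) and pledge(2). Assumption: on non-OpenBSD systems the two calls
 * are stubbed as no-ops so the file logic still runs; only OpenBSD enforces
 * the sandbox. */
#define _DEFAULT_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#ifndef __OpenBSD__
static int unveil(const char *p, const char *perms) { (void)p; (void)perms; return 0; }
static int pledge(const char *prom, const char *exec) { (void)prom; (void)exec; return 0; }
#endif

/* Restrict the process to reading and removing one file and nothing else. */
static int sandbox_for_file(const char *path) {
    if (unveil(path, "rc") == -1) return -1;  /* "r" read, "c" create/remove */
    if (unveil(NULL, NULL) == -1) return -1;  /* lock: no further unveil() */
    /* stdio: basic I/O; rpath: open for reading; cpath: needed by unlink(). */
    return pledge("stdio rpath cpath", NULL);
}

/* Write constructed sample data (under 256 bytes) to a temp file, sandbox,
 * read it back, remove it. Returns bytes read back, or -1 on any failure. */
long read_back_sandboxed(const char *data) {
    char path[] = "/tmp/pledge-demo-XXXXXX";
    char buf[256];
    size_t n = strlen(data), got;
    int fd = mkstemp(path);
    if (fd == -1) return -1;
    if (write(fd, data, n) != (ssize_t)n) { close(fd); unlink(path); return -1; }
    close(fd);
    /* Setup is done: drop to the minimum rights the remaining work needs. */
    if (sandbox_for_file(path) == -1) { unlink(path); return -1; }
    FILE *f = fopen(path, "r");
    if (f == NULL) { unlink(path); return -1; }
    got = fread(buf, 1, sizeof buf - 1, f);
    fclose(f);
    unlink(path);
    buf[got] = '\0';
    return strcmp(buf, data) == 0 ? (long)got : -1;
}

int main(void) {
    long n = read_back_sandboxed("hello from a pledged process\n");
    printf("read back %ld bytes\n", n);
    return n < 0;
}
```

The order matters: unveil the paths first, then unveil(NULL, NULL) to lock the view, then pledge without the "unveil" promise, so the program cannot widen its own filesystem view later. On OpenBSD any syscall outside the promised set after that point kills the process, which is the behaviour the comment calls "usable" because the developer, not the admin, chose the set.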


>securityschizoing when there's backdoors on RING -3 if you're using common consumer electronics

Hang yourself

:#marseyropeyourself2:


![](https://i.rdrama.net/images/16783318598146007.webp)


>he doesn’t use libreboot


:marseywave: I do and I also run ubports on my Pixel 3a - sadly no LUKS comedy supported unlike sailfish but sailfish is still butt atm, wbu?


:gigachad2#:

I have a beater x200 I’ll run libreboot on. Talk about a dramatic project, huh? :marseytrans2#:

Darn ubports on the daily is impressive. I’ve run it on the og Pinephone but can’t say it’s amazing. That thing is a potato though.

My actual daily tech is Glowie-friendly. I use a Ryzen rig with Fedora, iPad M1, and iPhone 14PM.


> Darn ubports on the daily is impressive.

Come to fosdem - there's a bunch of people sporting ubports as their daily driver all the time.

Pixel 3a with UBPorts is easily run as a daily driver, with its only bug currently being that GPS is fricking slow as shit (it doesn't cheat with positional approximation based on IP).

I still have a secondary set of tech to use in front of normies - which is a ryzen/radeon (DONT BUY RADEON HOLY FRICK ANYTHING POST NAVI SUCKS) setup running void, a samsung flip-phone and a samsung gear watch.


> FOSDEM

Hopefully some day I’ll go to a tech conference but I literally just got a real job. Flights to Europe ain’t exactly cheap either.

> UBports

That’s pretty nuts. Glad the pixel hw works for a lot of people.

> Radeon

Isn’t that the fricking truth. I’m running 6.1 and my 6600 won’t drive 2x4k displays without constant lag spikes. I had an intel nuc with an iGPU that had no issues with it.

> Void

I really ought to fire up that in a VM, my meme distro of choice was always Guix but I understand that’s even crazier.


> Isn’t that the fricking truth. I’m running 6.1 and my 6600 won’t drive 2x4k displays without constant lag spikes. I had an intel nuc with an iGPU that had no issues with it.

I reported the dpc latency multi-monitor issue to them over a year ago. They haven't really done shit about it still.

But also, this issue only occurs on windows so you deserve it.


naw this is linux 6.1


I'm on 6.2 and it's fine, so I assume it's been fixed on Linux.


> Isn’t that the fricking truth. I’m running 6.1 and my 6600 won’t drive 2x4k displays without constant lag spikes.

ROCm made me want to kill myself more than getting unpatched on-prem Exchange servers that are also running ESXi 6.0 (also without patches), a domain-wide AV that is configured specifically to configure frick-all, open RDP ports on NAT "for easier troubleshooting" and a PHP mess without any documentation for the CRM.

Also didn't I mention that the ticketing system was ConnectWise, which had NO DOCUMENTATION WHATSOEVER and is held together by c*m and prayers?

> just got a real job

How are the first impressions (if it's a cybersec/IT-related position)?


Heck yeah dude. I love WFH and it’s easy. Glad to be doing IT work and no more wagie retail.

Our infra is a similar hellscape. I’ll spare the deets but we’re reliant on software from 04 that a one off company makes and doesn’t even want to give us licenses anymore lol. Along with all of our OSes being beyond EOL. Pretty funny I’m kind of clueless about the RHEL install because it’s from the same era I was in middle school. I’ve never used classic init in daily - always systemd or upstart at worst.

Ain’t really my place though, I’m there to keep a lot of the users off the sysadmins’ backs.


complaining about ring -3 shit is cope by people who are too lazy to install Linux or even stop using Google Chrome
