On Thu, May 24, 2001 at 05:30:14AM -0800, Ethan Benson wrote:
> On Thu, May 24, 2001 at 05:41:08AM -0700, Jacob Meuser wrote:
> > On Thu, May 24, 2001 at 04:06:08AM -0800, Ethan Benson wrote:
> > > On Thu, May 24, 2001 at 04:50:57AM -0700, Jacob Meuser wrote:
> > > >
> > > > > BS, when was the last time you installed OpenBSD? I just did an install
> > >
> > > 2.5
> >
> > That was what, 2 years ago?
>
> 1.5 years or so yes, i haven't messed with openbsd in a while, i was going
> to use it for my firewall but there were some problems with it so i
> ditched in favor of debian. OpenBSD's security reputation is a bit
> exaggerated, with some good admining a linux box can be just as
> secure...

True, proper administration is more important to security than what OS is
run. To some degree, OpenBSD's reputation may be somewhat exaggerated, but
they do actively smash bugs, and correct problems in OpenSource code.
They're also the people behind OpenSSH, so that adds to the hype a bit.

> i was also quite annoyed by its complete lack of upgradability, i
> tried twice in testing to upgrade the dist from one version to another
> it failed and made a mess every time, screw that i don't think much of
> rebuilding a box every 6mo -> 1 year just to keep up with the times.

I just upgraded a server and a firewall/router using the standard upgrade
procedures. I had no problems. It's true that there's nothing like
'apt-get upgrade', but, at least in my experience, less than an hour every
six months is a reasonable amount of time to spend upgrading.

> > Ah, they probably caught the problem shortly before 2.6 release,
> > and didn't have time to fix ftp code, but changing rc.conf was doable.
>
> heh you're almost as cynical as i am ;-)

I like to call it practical ;)

> > Anyway, as of 2.9, portmap, rstatd, ruserd, time, daytime, comsat,
> > sshd and identd are enabled by default.
>
> hmm maybe my memory is funky but that seems like more than i saw out
> of the box... it still had more crap running than i prefer.

Yes, you should always disable things you don't use. That's one thing I
like about OpenBSD, they assume you're not going to use much, and if you
are, then you should know how to enable it. There's no point in starting a
service before you've had a chance to look at the config file.

> > Like I said, I didn't want to start a discussion about OpenBSD vs Linux,
> > I have seen posts from you saying that you like some features of OpenBSD,
> > /sbin/nologin for example.
>
> it's a nice system, i like the simplicity and clean design, it's like
> debian in that. but upgrading the whole thing is simply impossible.
> well maybe grabbing all source from CVS and doing make world will do
> it, but i didn't try it. the `official' upgrade system is broken.
>
> > I'm just curious why the 'r' tools are apparently so vulnerable in
> > Linux. If the OpenBSD folks are willing to risk credibility by
> > claiming that their default install has no remote holes, while
> > enabling portmap and rstatd by default, why can't Linux users feel
> > safe running those daemons also?
>
> well openbsd claims to have audited everything they enable by default,
> and everything in their base install (which is VERY lean). from

I have to disagree with this. Sure you don't get zope, but you get
sendmail, bind, apache, perl, gcc, lynx, ftpd, ftp, ppp, pppd, sh, ksh,
csh, egrep, sed, less, more, vi, ed, ex, mg ... Pretty much everything you
need, if not the most extravagant. Oh yeah, and X also. The main
difference, IMHO, is that OpenBSD is more current than Debian, or just
about any "stable" distro. Look what's in 2.9 -> http://www.openbsd.org/29.html

> reading bugtraq they seem to have a very bad habit about fixing bugs
> quietly and not bothering to send patches upstream, instead posting
> sarcastic messages along the lines of `oh yeah we fixed that in CVS 3
> years ago' (check out the recent joe DEADJOE vulnerability for an
> example).

Well, you /could/ just check their sources. They're on the web you know.
http://www.openbsd.org/cgi-bin/cvsweb/ They're published in public, what
more do you really want? It's pretty easy to find out when and who made
changes to a CVS repo, and they're pretty particular about proper
Changelogs.

> of course i could be wrong, and all upstream developers are just
> blackholing openbsd security patches.

Well, to some degree this may be true. Sometimes the OpenBSD developers,
Theo de Raadt in particular, kind of come off as rude and pretentious. Just
check the [EMAIL PROTECTED] mailing list archives for some entertaining
flames :)

<[EMAIL PROTECTED]>