> On 29 Dec 2019 at 13:29, Henry Jensen <hjen...@mailbox.org> wrote:
>
> Summary: There are a lot of claims. The speaker basically said that
> some mitigations are "cool", but others, more or less, useless.
>
> Further accusations are that OpenBSD still uses e-mail and cvs and not
> more advanced CI tools.
>
> I can't say anything to the more technical claims about useless
> mitigations, since I am not an OS developer. Is there going to be a
> response from the OpenBSD team?
I did not attend the talk, I only leafed through the slides (thanks for posting the link!), so my impression is likely colored by that. I wouldn’t hold my breath for an «official» response.

That said, this all reminds me of several earlier talks and rants where the speaker seems to be unaware that OpenBSD commonly has been the first to implement a security feature as *the default* and in a way that it would be extremely hard to disable without a system rebuild, likely breaking seemingly unrelated bits in the process. If you look closer, a lot of the firsts listed more often than not are «feature introduced as a non-default option».

As to the lack of «public» review, keep in mind that OpenBSD was the first to make its version control (cvs then, cvs still) world-readable and visible in real time. At the time the normal mode of operation for open source projects was occasional release tarballs thrown over the wall with almost complete silence between. For public discussion of code, OpenBSD has tech@. Private mailing lists exist (invite-only, developer-only), as far as I am aware mainly used for discussions that would benefit from being out of the public eye for now.

Slide 43 has me thinking this person can not actually have been reading tech@ much at all, and the note about «systematic security engineering» subjectively reminds me of several earlier similar posts about OpenBSD practices not following to the letter somebody’s favorite «formal verification» model or what the buzzword du jour turns out to be. That said, even OpenBSD probably has areas with potential for improvement, I’m just not all that convinced the presenter has actually been looking in the right places.

Slides for my sometimes-repeated propaganda piece (now probably in need of refreshing here and there) at https://home.nuug.no/~peter/openbsd_and_you/ contain links to relevant material, at least. Please feel free to refer there or directly to the material itself.

All the best,
Peter

-- 
Peter N. M. Hansteen, member of the first RFC 1149 implementation team
http://bsdly.blogspot.com/ http://www.bsdly.net/ http://www.nuug.no/
"Remember to set the evil bit on all malicious network traffic"
delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.