On Fri, Nov 09, 2007 at 02:27:16PM -0800, new_guy wrote:
> Darren Spruell wrote:
> > 
> > 
> > Sadly, justifying the obvious through these means is often a requirement.
> > 
> > Here's an approach you might consider. Take a best practice /
> > standards guide such as from NIST:
> > 
> > http://www.itl.nist.gov/lab/bulletns/bltndec02.htm
> > http://csrc.nist.gov/publications/drafts/800-44-Version2/Draft-SP800-44v2.pdf
> > 
> > And for the points your organization feels are important (like what
> > you've listed above), map how OpenBSD's implementation and OS approach
> > addresses those points.
> > 
> 
> Thanks... that's a good suggestion. I found the Secunia OS advisories very
> telling as well. Comparing OpenBSD 3.x (85 Advisories) to Debian 3.x (577). 
> 
> http://secunia.com/product/

However, you should read their PLEASE NOTE: comment.  Especially when
you figure that the reports for Debian are for all the packages in
Debian (thousands of them) whereas OpenBSD doesn't have as many pieces.
They specifically say not to use the number of advisories to compare the
relative security of the products on which they report.

You also have to look at the duration of support.  OpenBSD comes out
with a new version every six months.  Debian comes out every few years.
Since Debian is designed with continuous updates possible, the only
impetus for a new OS version is new versions of software.  Otherwise,
the Debian security team takes security advisories in newer versions and
backports them to the version supplied in the current "stable" branch.  

If you look specifically at, for example, Debian 3.1 (Sarge) and want to
compare it with OpenBSD, you'd have to look at the dates from Sarge
release to Etch (4.0) release and count the security advisories (which
are both security and important bug fixes).  Then look at the security
advisories for OpenBSD in that time.  Then weed out of Debian's count
those updates that applied to applications that aren't in OpenBSD, and
weed out bugfixes only (that may have been applied to OpenBSD -current
but not backported into -patch).  

The one thing you will find is that there have been more updates to any
single version of the Linux kernel than to the OpenBSD kernel.  It's the
nature of the beast: Linux is all about new features to work on new
hardware.  To me the biggest difference between Linux and OpenBSD is one
of philosophy.  Linux is about making all kinds of toys work in a
hot-plug way and allowing people to boast about their uptime.  OpenBSD is
about security.  If you add a new piece of hardware, do a reboot and
forget about uptime as a quality indicator.  It's not a fair comparison
since OpenBSD handles USB stuff too but the philosophical difference is
there.

Doug.
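Doug's recipe for a fair count (take each product's advisories only within the Sarge-to-Etch window, drop Debian updates for software OpenBSD does not ship, and drop bug-fix-only updates) can be written down as a short script so the same filter is applied to both sides. The Python below is an added example, not part of the original thread and not tooling from Debian, OpenBSD or Secunia; the advisory records are constructed sample data, and the set of "shared components" is an assumed list chosen for illustration, not a real inventory of either system. Only the Sarge and Etch release dates are real.

```python
from dataclasses import dataclass
from datetime import date

# Real release dates, used as the comparison window (Sarge release up to Etch release).
SARGE_RELEASE = date(2005, 6, 6)
ETCH_RELEASE = date(2007, 4, 8)

# Assumed for illustration: software present in both products, so that a Debian
# advisory for something OpenBSD does not ship is not counted against Debian.
SHARED_COMPONENTS = {"kernel", "openssh", "openssl", "bind", "sendmail"}


@dataclass(frozen=True)
class Advisory:
    product: str       # "debian" or "openbsd"
    package: str       # affected package or subsystem
    published: date
    security: bool     # False for a bug-fix-only update (Debian lumps both together)


# Constructed sample advisories; dates and packages are made up for the example.
ADVISORIES = [
    Advisory("debian", "bind", date(2005, 3, 1), True),      # before Sarge: out of window
    Advisory("debian", "openssh", date(2005, 9, 1), True),
    Advisory("debian", "firefox", date(2006, 2, 10), True),  # not shipped by OpenBSD base
    Advisory("debian", "kernel", date(2006, 5, 20), True),
    Advisory("debian", "kernel", date(2006, 7, 15), False),  # bug fix only
    Advisory("debian", "openssl", date(2006, 9, 28), True),
    Advisory("debian", "php", date(2007, 1, 5), True),       # not shipped by OpenBSD base
    Advisory("debian", "openssh", date(2007, 6, 1), True),   # after Etch: out of window
    Advisory("openbsd", "openssh", date(2005, 9, 5), True),
    Advisory("openbsd", "kernel", date(2006, 3, 10), True),
    Advisory("openbsd", "openssl", date(2006, 9, 30), True),
    Advisory("openbsd", "kernel", date(2007, 8, 1), True),   # after Etch: out of window
]


def in_window(a, start, end):
    """True when the advisory was published in [start, end)."""
    return start <= a.published < end


def raw_count(advisories, product, start, end):
    """The naive number: every advisory for the product inside the window."""
    return sum(1 for a in advisories if a.product == product and in_window(a, start, end))


def comparable_count(advisories, product, start, end, components, security_only=True):
    """Doug's filtered number: same window, only shared components, and
    optionally only entries that are actual security fixes."""
    n = 0
    for a in advisories:
        if a.product != product or not in_window(a, start, end):
            continue
        if a.package not in components:
            continue
        if security_only and not a.security:
            continue
        n += 1
    return n


def compare(advisories, start, end, components):
    """Raw and filtered counts side by side for both products."""
    return {
        "debian_raw": raw_count(advisories, "debian", start, end),
        "debian_comparable": comparable_count(advisories, "debian", start, end, components),
        "openbsd_raw": raw_count(advisories, "openbsd", start, end),
        "openbsd_comparable": comparable_count(advisories, "openbsd", start, end, components),
    }


if __name__ == "__main__":
    for key, value in compare(ADVISORIES, SARGE_RELEASE, ETCH_RELEASE, SHARED_COMPONENTS).items():
        print(f"{key:20s} {value}")
```

On the constructed data the raw Debian number is twice the OpenBSD one, while the filtered numbers are equal; the gap comes entirely from the extra packages and the bug-fix-only update, which is the point of the thread. Real advisory feeds would need the package name and advisory type parsed from each entry before feeding them to `compare`.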
