Hacker News
by ymse 3699 days ago
Note: they explicitly state "only two remote holes...", one of which can be found in this very thread.

Security problems are usually clearly marked in the changelog: http://www.openbsd.org/errata59.html

What really annoys me with OpenBSD is that users are expected to download the CVS source and compile it to fix problems rather than upgrade to a dot-release.

For a normal user that's fine, but if you have a bunch of servers you'll need a sophisticated build/deploy infrastructure to stay updated.

2 comments

That means no Internet-facing service has ever had a bug of the sort that often becomes code-injection. Or they didn't test for exploitability in the case of mitigations being bypassed. Neither one makes the claim stand up, as it has a hidden implication of "only two remote holes for amateurs and people ignoring mitigations."

"What really annoys me with OpenBSD is that users are expected to download the CVS source and compile it to fix problems rather than upgrade to a dot-release."

Yeah, that sounds like it could be annoying. They should have both options available, given they already have to trust the OpenBSD team to not backdoor their stuff.

"Only two remote holes in the base install". That's because the base install contains very little in terms of remotely accessible services (only OpenSSH I believe?).