[technion]

I don't know if it's what Thomas is referring to, but I ran OpenBSD in production for several years at a previous job. I found that, in practice, actually getting our platform to do what we wanted involved large amounts of ports (ie, outside the base system) to be installed. Sometimes, dozens of them. And this is where obviously your mileage will vary, because that depends what your servers are doing.

OpenBSD's incredible code quality quite obviously doesn't apply to the ports tree (and that's not their fault) but we quite often ran into less popular products and third party libraries where the ports were updated in the order of weeks later than things like RedHat RPM for the latest vulnerability.

At point I backported a hotfix myself, the requirement of which was not conducive to security.

Disclaimer: This was years ago, things may have changed.

[ben_bai]

The ports tree is obviously not audited by OpenBSD. The code comes from all over the net and the only thing OpenBSD does is enforce security mitigations/64bit time_t/arc4random/other coding practices in the base system, fix broken ports, send patches upstream and try to drag the whole open-source software community to better coding practices.