[RaleyField]

> How does it compare to the maintainers-and-build-bots infrastructure of other open source operating systems?

Most other operating systems are badly run as well. Doesn't mean that adding another layer of potential insecurity is justified.

> Does trusting mtier really make that big a difference?

Yes. Is mtier running similar ship to mint? Do you have convincing argument that they don't?

[Gracana]

> Most other operating systems are badly run as well. Doesn't mean that adding another layer of potential insecurity is justified.

But if you go with another OS, that's the system you get and you miss out on the nice vulnerability mitigation technologies that are built into OpenBSD. Besides, which harmful thing is more likely to happen, your package repository gets owned, or someone sends a maliciously crafted request to your server?

> Is mtier running similar ship to mint? Do you have convincing argument that they don't?

I have no idea what "running similar ship to mint" means or implies.

[RaleyField]

> Besides, which harmful thing is more likely to happen, your package repository gets owned, or someone sends a maliciously crafted request to your server?

If you have ports closed because you run desktop then the former? It's fine do a little admin work (or it be a job of itself) on (production) servers, it's not if you just want to have secure desktop, which was my original complaint. Besides, there are plenty of examples in various projects where downstream got compromised, so why introduce another link that can potentially break.

> I have no idea what "running similar ship to mint" means or implies.

That they shipped infected isos. There are other examples where you'll see brilliant engineers give little to no thought to security, the fact that m:tier guys might contribute great work for openbsd doesn't mean that they can also keep artifacts secure and I as the end users shouldn't have to play sherlock to figure out if I can trust them.

[ams6110]

> users shouldn't have to play sherlock to figure out if I can trust them.

If you don't trust them, then apply the errata yourself and compile from source. It's not that difficult. If you have many machines you can do it on one, build a release and roll that out on the others.