Hacker News
by eugeneionesco 3172 days ago
> I've used it on my laptop. Primarily because it has had few vulnerabilities and is very stable.

The OpenBSD propaganda works, I see...

Do you really think the tools you use like your web browser, mail client etc, have less vulnerabilities on OpenBSD than on any other BSD or linux distribution, please...

5 comments

> Do you really think the tools you use like your web browser, mail client etc, have less vulnerabilities on OpenBSD...

A reasonable question, but presumptuously and poorly framed, I think. Mitigation efforts like privilege separation[0] (for daemons), ASLR[1], SSP[2], and now KARL[3] are designed to make things systemically better. I'm personally a NetBSD person, and don't see that ending anytime soon, but I do appreciate the work that OpenBSD does and pay attention with interest. I expect some of their work to be ported to my environment directly, and other effects to be felt tangentially. People running different or "weird" environments is a good thing.

[0] https://en.wikipedia.org/wiki/Privilege_separation

[1] https://en.wikipedia.org/wiki/Address_space_layout_randomiza...

[2] http://wiki.osdev.org/Stack_Smashing_Protector

[3] http://undeadly.org/cgi?action=article&sid=20170613041706

OT, but I've had trouble in the past when trying out NetBSD; I wanted to install it on my laptop with full disk encryption, but I clearly was missing something about how to do it properly, and I've never been able to find a good guide for it. Any chance you might know a blog post or something that details how to do this properly for a NetBSD newbie like me?

I've run it in the past, but not recently. I'll see if something appears to me and try to post it here for you.

And good luck with your NetBSD journey, with or without FDE. I've thoroughly enjoyed my years with it as my primary OS.

I'd start here - https://www.netbsd.org/docs/guide/en/chap-cgd.html and point your IRC client to #netbsd on irc.freenode.net.

Thanks! I've tried out most of the other common BSDs (FreeBSD, OpenBSD, DragonflyBSD, and TrueOS) but I've always had more trouble with NetBSD for some reason. Hopefully I'll have better luck with it this time!

All of those were developed on Linux and Linux distributions and were available on those before obsd...

Yes, browsers are a large attack surface. But I'd take a quick peek at the recent Security improvements section on this release page, and also OpenBSD's innovations page.

https://www.openbsd.org/innovations.html

OpenBSD was the second OS to enable W^X JIT on its Firefox package, W^X being made mandatory system-wide, and in Theo de Raadt's most recent conference talk he mentions Chromium being pledged. Both browsers are compiled as PIE by default.

http://undeadly.org/cgi?action=article&sid=20151021191401

That's not the point. Of course the software will have the same number of bugs/vulnerabilities on OpenBSD. The question is how much damage an exploit/crash will do overall. OpenBSD has quite a few protection mechanisms in place.

> Do you really think the tools you use like your web browser, mail client etc, have less vulnerabilities on OpenBSD than on any other BSD or linux distribution, please...

Yes. OpenBSD employs several mechanisms that improve the security of every application, e.g. W^X and stack protector.

See: https://www.openbsd.org/security.html

All of those are available on Linux distributions, enabled by default.

Not only that, they were developed on Linux distributions and available on them way before obsd.

No, they are not.

Stack protector was developed by Immunix, W^X was developed by Openwall, both for Linux.

Actually "your web browser, mail client etc" do a lot of system calls to do networking et al, so yes, they do have less vulnerabilities than on Linux.

I don't think you know where the vast majority (95%+) of browser vulnerabilities are...