by bgpepi 1048 days ago
Yes, FreeBSD has, but there are things that the team around the project must clean up, more about security. https://news.ycombinator.com/item?id=32506675
2 comments

About that 'lesson...'

sendmail(8)

- still in FreeBSD 13.x base but no longer in FreeBSD 14.x base (removed)

- FreeBSD 14.x will use dma(8) from DragonflyBSD instead

ntpd(8)

- it's in the FreeBSD base system so ntpd(8) bugs translate to FreeBSD bugs

- they can change that to chronyd(8) so they will have chronyd(8) bugs instead

openssl(8)

- same as with ntpd(8)

- not a lot of software is ready to move to libressl(8) - HardenedBSD (security oriented fork of FreeBSD) moved to libressl(8) some time ago but they went back because patching 'all the world software was taking too much time'.

portsnap(8)

- is now deprecated - gitup(8) or git(8) can be used to update FreeBSD Ports tree

A lot of complaints are not that FreeBSD is insecure - but that some things are not enabled by default - this is not a security hole.

Anyone can enable SWAP encryption (in installer) or enable basic firewall config (after install). Not everyone needs that.

FreeBSD is like a framework with available options - you enable/use what you like and that's it.

For example, why would FreeBSD dump TCP Wrappers features when they work properly? A lot of people rely on that (older configs/automations/...)

FreeBSD does not dump older features 'just like that' because now they are not fancy.

FreeBSD is not OpenBSD.

OpenBSD tries to enable each possible security mechanism by default - yet they still have security holes sometimes (like all software).

Not to mention that a lot of important stuff does not work on OpenBSD. WINE? Nvidia drivers? Bluetooth? Netflix? Virtualization of Windows or Linux? Any secure filesystem with checksums like ZFS? Running Linux binaries?

Yes you can be secure when almost nothing is available - but I believe that is not the right path.

I respect OpenBSD's attitude and path - but I could not use it daily as it does not have features I need and use daily.

Hope that helps.

The FreeBSD Foundation and FreeBSD Project members have been investing in and working on improving FreeBSD security for at least the last several years. Much of that "FreeBSD – A Lesson in Poor Defaults" blog post is outdated/incorrect/conjecture.
old programmers never die, the commit intervals do change however
Not really sure how this comment relates to mine.