[calvinmorrison]

Do you think there's more value in combining 2 heterogenous systems (like openbsd up front, linux behind) than using one 'more secure' system throughout? I feel like the number of critical issues that have faced two systems at once is far fewer than a single system.

Also I think it shows value in having independent implementations of standards. If you have 5x different xz tools or C compilers or Javascript engines, the threat is chopped in half, plus you can easily compare reference outputs between them (RE: on trusting trust)

[ch0ic3]

For sure! An argument in OpenBSD circles is that contrary to popular belief one can have security through depth. This means that even though you'll never be 100% secure you can definitely make an attacker's job harder and their life more miserable. Of course, if the NSA wants to attack you then they'll probably succeed, but for your average script kiddy / botnet scanner / worm exploiting some vulnerability having multiple layers might be enough of a deterrent.

I'm not a security person but I also think a lot of malware damage comes from companies / users using misconfigured or outdated software. As such, if you were a sysadmin, knew what you were doing and had the time, then running GNU/Linux is probably fine, but I'm not super knowledgeable. I just want to host a website or run a tor-relay on a VPS and not have to worry about updating my system as soon as some 0-day is announced in glibc or systemd; even if it's in the service itself, my hope is that by using a non-mainstream OS the exploit might not initially target it, hence giving sufficient time to see the news somewhere and patch / update.

[wannacboatmovie]

It's common practice for the ultra paranoid to use two firewalls, from different vendors, back to back, for this reason.

[terlisimo]

There is a name for this https://en.wikipedia.org/wiki/Swiss_cheese_model