by crazygringo 696 days ago
> and that only rarely needs to ship a security patch. OpenBSD comes to mind.

How is that accomplished? Are OpenBSD programmers somehow vastly more competent, that they make security mistakes only 0.1% as often as other OSes?

I find that hard to believe. People are people.

> If software has frequent security updates over a long period of time, that implies that the authors of the system will continue to repeat the mistakes that led to the vulnerabilities in the first place.

Why would that be the case? Authors come and go, systems live on.

Security updates arise from a combination of auditing/testing and competence. 100 times as many security updates can arise simply because one OS is being used and battle-tested 100x more than another.

Nobody's smart enough to write code that "only rarely needs to ship a security patch". Not at the scope of an entire OS with thousands of people contributing to it.

2 comments

> Are OpenBSD programmers somehow vastly more competent

Put simply, yes. If you read on OpenBSD's website about the philosophies and practices that drive how the OpenBSD project is run, you'll have an idea.

OpenBSD still has security updates. Software packages commonly installed on OpenBSD-based systems often issue security updates. OpenBSD has a much smaller footprint than Windows and still has security updates.

You realize that you are personally insulting 100k people you've never met by judging their individual skills and abilities despite knowing nothing about them?

It makes it very hard to put any credence in your opinion when you are so judgemental with no information.

> Are OpenBSD programmers somehow vastly more competent

It's not about competence, it is about priorities.

OpenBSD obsesses about security, so that's what drives the decision-making.

All public companies are driven by profit above all, with the product being just a mechanism to get more profit. As a direct consequence, quality (and security, which is part of quality) is not the top priority. Security is only relevant to the extent its absence reduces profits (which very rarely happens).

CCC has a talk about the effectiveness of OpenBSD decisions.

TL;DW: It isn't as much as people think.