[hypeatei]

So we shouldn't provide simple hardening tools because it won't be used or applied how you'd like in 100% of software? This mindset in security circles really needs to stop.

If a piece of important or foundational software wants to lock itself down today, look at the myriad of convoluted "solutions" mentioned in a sibling comment. If you wanted to discourage progress in this area, that's how you'd design something. I'm not assuming malice, obviously, but it's certainly a product of the endless nitpicking and "not good enough, doesn't cover <niche usecase>" type of thinking.

EDIT:

> and the ones that do will likely be lazy

I'd argue the opposite, any developer taking the time to add some pledge calls to their code is probably mindful of security and wants to improve it. If you wanted to be lazy, you'd just... not implement pledge at all since it'd get in your way and be too restrictive.

[charcircuit]

It's not that we shouldn't provide it, but it doesn't make sense invest into when OpenBSDs security is so far behind the rest of the industry. A program being able to steal your .ssh keys without you knows is unacceptable. Not only that but programs can keylog you, take pictures of what you are doing, or take remote control of your computer.

[munchlax]

I doubt you could keylog my openbsd server that I remote into over ssh or serial.

I also doubt you can take pictures of me when it doesn't have cameras attached. If it did and you were to take pictures, you'd see some blinking leds and cables all day.

And I highly doubt you could take remote control even if I had openssh open to the public.

Perhaps your industry just doesn't care about the same things the openbsd community does.

Edit: I missed the ssh key stealing. My keys are always encrypted.

[charcircuit]

Bash aliases and PATH aren't protected so malware can change ssh to something else and steal your encryption password to decrypt your keys.

[munchlax]

Yeah but how does the malware get there?

It would be very powerful to get malware into ports and packages. It would also be noticed rather quickly. OpenBSD developers tend to run everything through dynamic tracers and other debugging tools.