[cperciva]

Alternatively, switch to an operating system like FreeBSD which doesn't take a YOLO approach to security. Security fixes don't just get tossed into the FreeBSD kernel without coordination; they go through the FreeBSD security team and we have binary updates (via FreeBSD Update, and via pkgbase for 15.0-RELEASE) published within a couple minutes of the patches hitting the src tree. (Roughly speaking, a few seconds for the "I've pushed the patches" message to go out on slack, 10-30 seconds for patches to be uploaded, and up to a minute for mirrors to sync).

[gucci-on-fleek]

I'm somewhat skeptical here, because I notified the FreeBSD security team of a vulnerability a few years ago, and I never got a response, even after a follow-up email a few weeks later. To be fair, my report was about a non-core component, and the vulnerability wouldn't be very easy to exploit, but Debian, OpenBSD, SUSE, and Gentoo all patched it within a week [0].

That being said, I'm not suggesting that anyone should judge an entire OS based off of how they handle a single minor report, since everything else that I've seen suggests that FreeBSD takes security reports quite seriously. But then you could also use this same argument for the Linux kernel bug, since it's pretty rare for a patch to be mismanaged like this there too :)

[0]: https://www.maxchernoff.ca/p/luatex-vulnerabilities#timeline

[kevans91]

While not receiving a response isn't ideal, I note that we actually have two secteams: secteam@ and ports-secteam@; something like luatex should go to the latter, but their level of activity has been kind of hit or miss in my experience. Curating security issues in ports is kind of hard due to the size of it and we probably more often than not end up getting hit with patching things a little after disclosure because of it.

[stingraycharles]

Linux Kernel doesn’t differentiate between security bugs and other bugs, which is the main complaint here I think. They have the same process.

So the issue is bigger than the mishandling of a single issue, it’s a fundamental process issue around security for one of the most impactful projects in the entire space.

[landr0id]

FreeBSD didn’t have user land ASLR until 2019 and, amongst other mitigations, still doesn’t have kASLR. It’s not a serious operating system for people who care about security. If you want FreeBSD and security take Shawn Webb’s HardenedBSD.

[kelnos]

Last I read, ASLR is a good thing to have, but overall is usually not difficult to defeat. It's a speed bump, not a brick wall.

I don't think it's reasonable to say that an OS that lacks it isn't "serious" about security.

[landr0id]

>Last I read, ASLR is a good thing to have, but overall is usually not difficult to defeat.

For local attackers there may be easier avenues to leak the ASLR slide, but for remote attackers it's almost universally agreed it significantly raises the bar.

>I don't think it's reasonable to say that an OS that lacks it isn't "serious" about security.

When they implemented it in 2019 it had been an 18-year-old mitigation. If you are serious about security, you implement everything that raises the bar. The term "defense-in-depth" exists for a reason, and ASLR is probably one of the easiest and most effective defense-in-depth measures you can implement that doesn't necessarily require changes from existing code other than compiling with -pie.

[abrookewood]

Is there anywhere that provides a good overview of the various OS protection technologies/approaches that exist and which OSes have implemented them?

[user3939382]

So you have one example in hand and trash talked FreeBSD’s entire security team. Bold claims are fine but this is lazy.

FreeBSD isn’t secure, I suspect you’re sitting on a pile of 0 days for it?

[landr0id]

Ask yourself why Mythos was so easily able to develop a remote STACK buffer overflow vulnerability.

[nozzlegear]

Define "so easily"?

[landr0id]

They exploited a linear stack buffer overflow. Not a write-what-where or arb write. A linear stack buffer overflow in 2026! There are at least two distinct failures there:

1. No strong stack protectors.

2. No kASLR.

That's 20-year-old exploit methodology.

[krupan]

If you are switching to a BSD for security reasons, why FreeBSD? Isn't OpenBSD the super secure one? Sorry, it's been a while since I've looked at those projects

[loloquwowndueo]

The person suggesting FreeBSD is a FreeBSD developer (Colin Percival - actually according to Wikipedia FreeBSD engineering lead), would be weird for him to suggest openbsd.

[Rendello]

I'm reminded of another legendary HN thread:

https://news.ycombinator.com/item?id=35079

[guiambros]

Also hilarious to see Drew Houston responding a bit later on the same thread:

> we're in a similar space -- http://www.getdropbox.com (and part of the yc summer 07 program) basically, sync and backup done right (but for windows and os x). i had the same frustrations as you with existing solutions.

> let me know if it's something you're interested in, or if you want to chat about it sometime.

>drew (at getdropbox.com)

[liamwire]

It may well have been your point, but that it's the exact same person makes this even better

[Rendello]

It was, yes. I was trying to figure a way to bring it up but I didn't want to imply that the comment here was ignorant for not knowing the account. It's the opposite, HN accounts have so little fanfare and we all talk in the same threads, it's fun!

[Dylan16807]

> would be weird for him to suggest openbsd

Okay. But the question isn't about him, the question is about the actual merits. And he's a good person to ask for a compelling argument about the merits.

If you ask Bill Gates why you should use MS-DOS in particular, not DR DOS, the answer is not "it would be weird for Bill Gates to suggest DR DOS".

[krupan]

Why did you assume I didn't know that?

[andai]

I haven't switched to BSD but I've been thinking about it for a while. I just saw Vultr has both FreeBSD and OpenBSD!

[dijit]

FreeBSD is quite lax when it comes to security- especially defaults and configs.

The preference is for usability over security.

Famously: https://vez.mrsk.me/freebsd-defaults

I appreciate your work on the project, but I can’t in good conscience suggest people switch while are such bad defaults.

[tclancy]

There’s always a guy. It’s great that your favorite distro is definitely safer. An order of magnitude fewer exploits will mean only a few thousand or so, I suppose. Ozymandis used Gentoo.

[dag100]

Calling FreeBSD "just a distro" is verging on insulting. It's an operating system.

[tclancy]

Apologies, "OS". I am not a native speaker of whatever place that considers these fightin' words.

[pocksuppet]

Distros are operating systems.

[dag100]

But operating systems are not distros.

Less laconically, distros generally refer to the userland parts of the operating systems rather than the actual kernel. FreeBSD does not use the Linux kernel so calling it a distro, which typically refer specifically to Linux distros, wouldn't be accurate.

[Dylan16807]

Where are you messing with userland-only options? In my experience a Linux distro not only comes with a kernel, it's almost always a kernel specific to the distro. So I don't understand that reason.

As far as Linux versus not Linux, "distro" feels fine to me for Unix systems.

[LoganDark]

FreeBSD is not a distro. It's not even Linux; it's a completely different kernel and operating system that traces back to even before Linux. It's honestly closer to Darwin than it is to Linux; macOS is technically a BSD. (Not FreeBSD though.)

[steve1977]

Darwin is its own thing really. There are parts from BSD, there are also parts from Mach and there are also unique parts.

[LoganDark]

Of course. Linux does not share any heritage with BSD though.

[Melatonic]

Except that they are both based on Unix and (generally) made to run on x86 processors. Which is a pretty big similarity

[LoganDark]

Linux is not based on Unix. AFAIK it was inspired by Unix, but does not actually share anything.

[shakna]

Well, as they're a FreeBSD dev, I would be surprised if they pointed anyone in a different direction.

[GalaxyNova]

FreeBSD is not a distro

[stackghost]

What does the D in BSD stand for again?

[tom_alexander]

That's more of a historical artifact. The BSDs started as just "BSD": a set of patches for AT&T Unix that were _distributed_ by Berkeley. Eventually the patches became complete enough to be an entire operating system. _Then_ the various BSDs that we know today (FreeBSD, OpenBSD, NetBSD, DragonflyBSD) all forked and became completely independent operating systems. For decades, FreeBSD's kernel and userland has been developed independently from the OpenBSD kernel and userland which is developed independently from NetBSD's kernel and userland, etc. You could not take an OpenBSD program and run it on FreeBSD. Even recompilation from source isn't necessarily enough since the BSDs support different syscalls.

They are completely independent operating systems with a distant shared history.

Whereas on Linux, the distros are taking a common Linux kernel source, and combining it with their choice of common userlands like GNU. Debian has the same kernel and GNU userland that Arch and Fedora use. You could take a program compiled for Debian and run it on Arch, which is common these days due to Docker where you're pulling another distro's userland and running it on your distro's kernel. That is how Linux distros are "distros" whereas the BSDs are independent operating systems.

[radiator]

This seems too long and it does not even answer the question. The question was specific, and the answer could be only one word long.

[tom_alexander]

Do you honestly think stackghost doesn't know what the "D" stood for? They were making a point, not seeking information. My answer directly responded to the point they were making.

[shaky-carrousel]

Distribution. Which is a different word than distro, with a different meaning. Like smart and smartass.

[einsteinx2]

While you’re correct that FreeBSD is not a Linux distribution, the word “distro” is literally short for distribution. It doesn’t have a different meaning like smart and smartass, it’s more like repo and repository.

[beng-nl]

Distribution. But it’s not a Linux distribution.

[owl57]

And the U in GNU, while we're at it.

[eahm]

Also funny they never show Debian in those tests/videos.

[cperciva]

Debian is probably the best of all the Linuxes, but still suffers from split-brain: If patches are sent upstream first, Debian can't start digesting them until they're already public.

With FreeBSD there's never any question of "who should this get reported to".

[JoshTriplett]

> Debian can't start digesting them until they're already public

Not sure what you mean by this. Debian is able to handle coordinated disclosures (when they're actually coordinated), and get embargoed security updates out rapidly without breaking the embargo.

Is there some other aspect of this that you're referencing?

[cperciva]

The key words there are "when they're actually coordinated". Debian doesn't own the Linux kernel, and the kernel developers don't bother with coordinated disclosure, so the happy path of coordinated disclosure only happens when reporters make the non-obvious choice of reporting vulnerabilities to people other than the maintainers.

[JoshTriplett]

Fair enough; yeah, at the point where the embargo failed, it was important that patches get to distros as fast as possible in order to ship the fixes.

[pavon]

The fact that the kernel security team has decided coordinating disclosure is someone else's problem so it happens inconsistently.

[goodpoint]

No, Debian has its own security team and receives embargoed vulnerabilities and patches.

[juujian]

How so?

[homebrewer]

Has everyone here already forgotten about the WireGuard tire fire?

https://lwn.net/Articles/850098

https://news.ycombinator.com/item?id=26507507

tl;dr: deeply insecure WireGuard implementation committed directly into the FreeBSD kernel with zero review.

Was this process problem fixed?

[wolvoleo]

Ars also has a great writeup on this: https://arstechnica.com/gadgets/2021/03/buffer-overruns-lice...

But yeah as I understand lessons were learned.

[f30e3dfed1c9]

Been constructing a lot of infrastructure servers recently, almost all of them FreeBSD VMs running under bhyve on FreeBSD physical hosts. It's a very simple, clean, pleasant environment to work in. And they all run tarsnap. ;-)

[JackSlateur]

https://news.ycombinator.com/item?id=48077971

[fsflover]

https://news.ycombinator.com/item?id=48077971

[voidUpdate]

I've kept hearing about BSD recently, how hard is it to actually switch to? I'm guessing Linux executables don't work on it since it's not Linux, do all your packages have to be made specifically for BSD?

[brewmarche]

My experiences from dabbling with it a few months ago:

In general everything needs to be compiled for FreeBSD, but the ports collection is quite extensive. For example you will find Firefox, wayland, GNOME, KDE, xfce, … even dotnet was on there.

Problems arise with properietary stuff like Spotify, Widevine DRM etc. However, FreeBSD has a Linux emulation layer (providing syscalls), dubbed ‘Linuxulator’. I managed to run the Spotify Linux desktop client but the Spotify website wouldn’t let me log in, didn’t research further. AFAIK the emulator is limited though, not implementing all syscalls.

There is also podman for FreeBSD and in addition to running FreeBSD containers (using Jails under the hood I guess?) it can run Linux containers as well (using the Linuxulator in addition then?).

It also comes with a hypervisor called bhyve if you want to run VMs

There is a handbook on their website describing how to set up a system (including desktop environment) if you want to give it a go.

[wolvoleo]

For spotify, just use spotify-qt :)

I don't think docker works in the linuxulator though. That's the one thing I miss sometimes.

[Melatonic]

I could be wrong but I think Jails are separate from containers on BSD?

[brewmarche]

I thought that podman uses jails under the hood on FreeBSD, but it is a guess. The podman code seems to reference jails: <https://github.com/search?q=repo%3Acontainers%2Fpodman%20fre...>

But jails of course are older and can be used on their own, I didn’t want to imply they’re the same thing

[wolvoleo]

Yes they do but there's a team of maintainers that do just that. There's even ports of software which isn't officially supported on FreeBSD.

[SV_BubbleTime]

If you are asking, it’s not for you.

[ComplexSystems]

While I am sure FreeBSD is more secure than your average Linux distro, I sure hope they are using these new AI models to harden everything.

[pjmlp]

Only to be thrown out of the windows with a plain "curl | sh".

[skydhash]

curl | sh is more prevalent in Linux where you can expect a stable ABI from the kernel and sometimes GNU libc. No such things in BSD land. Packages are built against a release always. They don't maintain binary compatibility.

[pjmlp]

Hardly an argument against random shell scripts execution, quite often elevated.

Not everyone installs only what is available in pkgsrc.

[bananamogul]

FreeBSD just slaps at the problem. OpenBSD solves it.

I kid, I kid...