From owner-freebsd-questions Thu Jun 25 20:48:16 1998
Message-Id: <199806260347.VAA01014@harmony.village.org>
To: questions@FreeBSD.ORG
Subject: Re: *BSD* - What's the difference, scope on compatibility, level of mutual code exchange, etc....
Date: Thu, 25 Jun 1998 21:47:55 -0600
From: Warner Losh
Sender: owner-freebsd-questions@FreeBSD.ORG

: Actually, I would say that NetBSD has security that is as good as that
: of OpenBSD, as does (largely) FreeBSD.

Hmmm. Although I'd love to say that FreeBSD's security is as good or better than OpenBSD's, that likely isn't the case. The same is true of NetBSD.

All three have security that is actually quite good compared to many commercial OSes. However, OpenBSD's overall security is better than both FreeBSD's and NetBSD's. There are many, many places where bugs that are fixed in OpenBSD have yet to be integrated into FreeBSD or NetBSD. The vast majority of them have no known exploits associated with them, but some likely do or could have them.

OpenBSD also has more "high security" features than either FreeBSD or NetBSD. These include a stronger cryptographic password hashing algorithm and integrated IPSEC stuff, etc. There are political reasons why NetBSD and FreeBSD don't have these features, as they are readily available as add-ons for both systems, but not technical. OpenBSD is based in Canada, and according to many people's reading of Canadian law, it can export crypto stuff of Canadian origin whereas FreeBSD and NetBSD, being largely based in the US, have to be more careful about what they include due to the US's lovely export policy.

OpenBSD has been extremely proactive in fixing bogus code and containing it when they can't fix it. For example, named runs chroot'd by default in OpenBSD, but doesn't in either NetBSD or FreeBSD.

I know that many people are working on a source tree audit in FreeBSD similar to the wonderful work that Theo has done in OpenBSD. The project has fallen on hard times, but every so often things are committed from it. The big nasty holes have been fixed, but there may still be some smaller ones, or cases that should be cleaned up, even though they might not be exploitable. I know that NetBSD has fixed many problems, but honestly don't know the level of their auditing activity. OpenBSD's ongoing efforts in this area lead the pack.

For everyday use, I'd say it is about a wash which one has the "best" security for that. If you need the more advanced features, I'd steer towards OpenBSD with NetBSD or FreeBSD being in the running if there are considerations other than security (device driver support, possible performance gains with the others, etc).

I'm doing my part to help narrow the gap between FreeBSD and OpenBSD, but my "todo" list is something like 150 commit messages long and growing. Hopefully things will change for me soon such that I'll get more of a chance to fix these things.

Anyway, that's my personal perspective. Others may disagree with it. The "management" of *BSD may or may not view things the same way that I do.

Warner