[wplug] A little BSD/Linux history question

Bill Moran wmoran at potentialtech.com
Tue Feb 22 16:43:23 EST 2005 

Patrick Wagstrom <pwagstro at andrew.cmu.edu> wrote:

> You might want to check out Bastille Linux  at
> http://www.bastille-linux.org/.  They provide hardened binaries that
> have been verified by many people.  Also, it's a misnomer to think that
> OpenBSD gets its security from looking just at the kernel.  It's lots of
> other things, like making sure all other programs are audited and only
> installing minimal packages.  It's more of a mindset sorta thing that
> they have.  Also, there is some licensing related issues.  One of the
> goals of OpenBSD is to have only BSD licensed software.  This is part of
> the reason for the creation of OpenCVS.  Apparently they've got a good
> roadmap on where to go for everything except replacing GCC.

Actually, the roadmap has seemed pretty clear for that as well, it's
called the Tendra project

> On Tue, 2005-02-22 at 16:23 -0500, Zachary Uram wrote:
> > Is there a Linux analog to Openbsd? I know of some distros that
> > Trustix and add-in security solutions like SeLinux (ACLs) and Kerberos
> > but I've never heard of additional vetting of code for security flaws
> > beyond the normal auditing that occurs with kernel development. Or
> > because Linux has so many eyes examining the kernel is the result the
> > same as with OpenBSD?

I agree with pretty much everything else that Patrick said, with this
one addition:

Simply having a lot of eyes look at the code will never match the
quality of OpenBSD.  First off, their code review process is much
more than just "eyes on code" ... it's a concerted effort to identify
and correct coding practices that are known to be difficult to secure,
and replace potential problems before they are discovered.  There's
a lot that's been written and said on "Proactive Security", which is
what they call this process.

Additionally, OpenBSD has a number of things added to the kernel, which
other kernel developers often find dubious.  Things that are specifically
added to increase security.  Many other OSes won't use these things
because they can hurt performance and compatability with some applications.
But OpenBSD puts security very, very high on their list of must-haves.

-- 
Bill Moran
Potential Technologies
http://www.potentialtech.com

More information about the wplug mailing list