OpenBSD's security stance being the stuff of legend, I'm curious how many vulns have been found over the last couple months while the big model companies are flaunting their ability to find exploits. It'd be super cool to see it remain tiny.
OpenBSD's security stance being the stuff of legend, I'm curious how many vulns have been found over the last couple months while the big model companies are flaunting their ability to find exploits. It'd be super cool to see it remain tiny.
According to https://openai.com/index/patch-the-planet/
Linux: 24 LPEs, plus many additional vulnerabilities.
OpenBSD: 1 LPE.
FreeBSD: 7 LPEs, plus many additional vulnerabilities.
Not sure what that says, though. Perhaps the models are more likely to find Linux issues because of the training.
Linux LPEs have never been been in short supply, even before the AI age.
I wonder how many of the Linux the LPEs are related to drivers, which I understand there are more of..
Or Linux development is significantly more active.
This is an external audit. Why would Linux activity make a difference here? Are you theorizing that the churn causes bugs?
> Are you theorizing that the churn causes bugs?
Seems to be the case.
How many times do you see a bug investigation and it's determined when the bug was introduced?
Do you ever look at the diff that introduced it to understand what was going on in the project at the time? Often, it's in service to a new feature. Sometimes the original change is questionable when you consider you traded it for a severe bug.
When more code is written, more bugs are written.
Or, if the act of debugging is removing the bugs from software, then the act of programming is to put the bugs in the software.
Yes, "en-bugging" :)
I think "embuggening" has better cromulence.
Use it as a verb, like embiggening. :)
Linux is a much larger project receiving changes to tons of systems from lots of different sources. The combined behaviour of those things working together is massively harder to understand and test.
Copyfail being introduced by an optimization made to some random crypto module is a good example of this.
The Linux kernel is generally much larger than OpenBSD which is quite minimal.
But I do agree with you - not directly related to activity.
As another commenter said, number of bugs increases with lines of code changed.
I completely agree with that
If you add 5 new pieces of hardware support in Linux vs 1 new in OpenBSD, I would expect more issues in Linux.
It is quite possible that Linux is the bigger target so it gets more focus. Vulnerabilities there are generally considered more valuable and notable. It would be very difficult to use these numbers to get a meaningful "more secure" stance as there are tons of variables.
Linux also has a ton of extra functionality so I think you’d also have to do some adjustment for “as a user would I be at risk?” versus “can I be a user because it supports my needs?” Some of that would be unfavorable for many users (e.g. a Linux user who is exposed due to a network protocol or file system they’ll never use) but that’s certainly not true of every feature.
That cuts both ways, though. If the functionality is present by default but I'm not using it, that's just extra vulnerability surface. (Of course, if I do want that feature, then its absence is kinda a problem)
Linux also has a ton of bloat. Configuring your own kernel has become an exercise in frustration because documentation is worse "There is no help for this kernel option" and a lot of things are enabled "by default".
From a quick search, Linux kernel is ~40 million loc, freebsd ~9 million, openbsd ~3 million. Number of bugs compared to lines of code leaves FreeBSD looking worse than Linux.
If this is just counting the kernel, than Linux is probably a bigger target both i terms of current code size and the amount of churn in the codebase as things change over time. Some of the LPEs might (I've not checked) be in modules that are not commonly loaded, which mitigates their overall significance somewhat.
In the less likely even that this is counting what laymen would call Linux or BSD, i.e. both the kernel and common libraries & tools, then Linux definitely has a wider attack surface. Though some of that surface is shared as some userland parts are common to both.
As with your assessment, I'd agree that these flat numbers without looking for further context don't really give enough for a one-is-more-or-less-secure statement.
The commit logs over the last few months have highlighted when an issue was found by a program. They usually name the submitter and the tool.
I think of it more as their attention to quality in their code:
Given the 'quality' of most code, especially under commercial pressure, it's no surprise that much more effective tools will find many more vulnerabilities. Did OpenBSDs quality approach work in this respect?
A local escalation in BSD is still apparently worth a front page post here, so that seems pretty good.
I wonder why we don’t see more about local escalations in Windows. Of course, being closed source is a little bit of a barrier, but these tools can read assembly pretty well, right?
I’ve heard a couple people say that Microsoft has patched a record number of bugs internally this year so it might be the case that it’s simply more opaque because it’s initiated internally and doesn’t involve a public Git repo or a third-party researcher.
You don't hear about them because you're probably not paying attention to where all the Windows admins hang out. Nearly every single patch tuesday over the past couple of years has been an emergency race to get things patched as soon as you can, for both local and remote exploits.
> OpenBSD's security stance being the stuff of legend,
More so their marketing.
What does openbsd marketing look like?
Mostly Comic Sans.
Pretty sure you're familiar with their claims.
I'm not actually, because I'm damn sure I've never seen a piece of openbsd marketing in my life. All i know is that they're oriented around security and are notorious about rejecting patches.
Yes, you know that because of their marketing.
Do you have an example of this?