One bug found is a testament to the great diligence and culture around security of OpenBSD. Especially if you take into account the amount of resources they have been able to achieve this with.

+1

It is also a testament to solid engineering and attention to good security practices in general. These still work, also against fancy new AI attackers.

When sophisticated attacks become cheaper to run, maybe it will (finally) be cheaper to do more solid engineering instead of doing it quick and dirty and ending up in indefinite bug-squashing mode.

While I agree, OpenBSD also doesn't fully implement features/functionality.

If your operating system only does 20% of what another operating system can do, it's easier for you to have 80% less bugs.

That's not a knock, it's a design philosophy of OpenBSD (which is to do the minimal needed, and no more, in the most simplistic way).

If they can provide only 20% of the functionality and only 1% of the bugs, that's a compelling trade-off for many use-cases! (and a bit closer to the reality IMHO)

That does not match my experience with obsd. It is not so much minimalism as they are not afraid to reinvent the wheel. A obsd install is full of services, more than most linux installs I have seen.

For example you can imagine my disappointment when I discovered what a pain in the ass it is to get a pflow producer working on linux after doing the first one on openbsd.

I'd say it's true. They chose to not implement SMP until consumer CPUs surprised them by going multi thread.

And obsd has no Bluetooth, right? A pretty big subsystem to drop because security.

And as a counter example here you have openbsd "we are going to install a bgp daemon on every single device, because you never know when you may need one"

I am not complaining, I like the feeling that I could single handedly rebuild the internet using only what is found in an openbsd base install. But wow, considering the size there is a lot in there. They definitely punch above their weight.

But Bluetooth is basically a giant blast of security vulnerabilities. On the consumer side, yes, it's a big subsystem to drop, but on the server side, it's a little bit different!

I'm not an OpenBSD expert, but seems like you should be able to pass BT through USB and then do that in a subsystem or an isolated environment like a VM.

Exactly, the entire AI industry has been trying to create an AI powered security arm race. I am not necessarily blaming them.

Hard to know how much has been thrown into this but I would bet a lot.

So far I have been very surprised we haven't been flooded by those type of announcements. If you look you will always find something and OpenBSD is the top price.

They are throwing tokens at codebases and finding mostly vulnerabilities in cases that have not been worth the limited time and effort of the chronically underfunded and understaffed professional groups. There’d be a lot more value in the companies giving the money they spend on their synthetic text extruders to the organizations doing quality security research work.

> they are ... finding ... vulnerabilities ... that have not been worth the time and effort ...

that's kinda the entire point

one bug is all it takes

In theory.

But real defenses are generally multi-layered. And in that context, a Swiss cheese slice with only one hole is still extremely valuable.

Well, that's where OpenBSD falls short, it lacks facilities to really enforce defense in depth - even NetBSD has some better features in this regard.

I don't think that's true? It runs most services as their own separate users, with pledge+unveil to limit what they can access even more. That's very much depth.

LPEs do need to be fixed, but for most people it's not a threat model they need to worry about.

this is a misconception

yes, most company settings don't run untrusted code, and OpenBSD is mostly used for servers not employee devices

but that doesn't mean LPEs aren't quite relevant, because they matter for pretty much everyone if combined with other vulnerabilities, like RCE, supply chain attack etc.

and while RCE are becoming less common, supply chain attacks have been increasingly more common