I am too lazy to research it and still wondering. Can someone give me a basic explanation of it?

    • Possibly linux@lemmy.zip
      link
      fedilink
      English
      arrow-up
      6
      arrow-down
      2
      ·
      9 months ago

      I wouldn’t recommend OpenBSD as it is fairly obscure compared to Linux. I’ve yet to see a real world example of how it is somehow better

      • dsemy@lemm.ee
        link
        fedilink
        English
        arrow-up
        3
        ·
        9 months ago

        They developed new system calls (pledge and unveil) which restrict they system calls and file access of programs (here’s a good writeup by Andreas Kling after he added support in SerenityOS: https://awesomekling.github.io/pledge-and-unveil-in-SerenityOS/). As an example, the Firefox port for OpenBSD uses them to heavily restrict what random websites can do or get from your system.

        Just one example since you’ve somehow yet to see any.

        • Baut [she/her] auf.@lemmy.blahaj.zone
          link
          fedilink
          arrow-up
          1
          ·
          9 months ago

          I heard of Chimera multiple times now, but everytime I look into it it doesn’t seem to be more interesting and useful than say Alpine.
          Do you have any write-ups about the security advantages of Chimera Linux?

          • scratchandgame@lemmy.ml
            link
            fedilink
            Tiếng Việt
            arrow-up
            1
            ·
            9 months ago

            I mean Chimera is using FreeBSD userland, and they expressed why GNU coreutils used by most distro have “problem”. Since we are talking about BSD. (OpenBSD’s userland is less in feature and it is cleaner)

            (so that’s bring an advantage in security lol)

            While coreutils may seem lightweight enough to not cause any issues already, there are some specific reasons the system uses a BSD-derived userland. The primary one is probably that the code of the BSD versions is overall much cleaner and easier to read. There are no cursed components such as gnulib, the codebase is leaner, and more aligned with the project’s goals.

      • dsemy@lemm.ee
        link
        fedilink
        English
        arrow-up
        2
        arrow-down
        2
        ·
        edit-2
        9 months ago

        Did you read it? The author is clearly biased against OpenBSD.

        As an example, he dedicates quite a lot to talk about “ROP gadgets removal” (which is an ineffective mitigation employed by OpenBSD), however he also states:

        Anyway, removing ROP gadgets the way OpenBSD is doing it doesn’t add a large amount of complexity, doesn’t harm performances nor debuggability, so why not, but it doesn’t make exploitation significantly harder, at all.

        When you consider the fact that some mitigations which were considered overkill were proven significant with time (for example, OpenBSD was completely unaffected by Spectre v1 and similar exploits since they disabled hyperthreading), statements like these make it clear to me that the author is biased.

        Edit: This is not to say the website is deceptive, it’s just that it doesn’t provide a good analysis or comparison of the security of different systems IMO.