
OpenBSD binpatches and package updates - crasm
https://stable.mtier.org/
======
cisstrd
What this means:

Some people wanted bin-patches apparently, openbsd is heavily focusing on
using its resources as efficiently as possible and doesn't provide them, a
reliable 3rd party stepped up providing them for free, charging for binpatches
for older versions (a service model built on top of open source software,
nothing wrong with that)

A few points:

-) since mtier here tries to basically sell you something, they make it sound harder than it seems, checking the errata page, writing a 20 line script to get notified if the page is updated, that's enough

-) not every bug found is critical towards your own security, not every bug does need you to update (you can decide on an individual basis)

-) micro-managing (as one comment stated) is pretty much the opposite of what you do with openbsd, openbsd is secure by default, if you want to have anywhere near the same amount of security with some other OS have fun reading tons of documentation to harden the box yourself (and you still won't have all the same security mitigations)

-) updates are trivial: update, re-compile, reboot, if the bug is not critical for you then don't, or use -current (rolling release "development branch"), or use the bin-patch by mtier

-) I doubt some of the people here criticising "having to use" 3-rd party binpatches practice the same scrutiny in day-to-day life regarding it-security (seeing how other OSs deal with security they would probably be using openbsd by now then if they were)

-) considering the size of the openbsd project and how many critical pieces of security-focused utilities they maintain (openssh, libressl, opensmtpd, ...), how many security mitigations they implement, how well they do in regularly auditing their code and actually addressing bugs across multiple architectures quickly with patches provided (especially compared to so many so much larger projects), it's somewhat ridiculous for an outsider to criticise how they spend their time or resources (because in my opinion and in the opinion of many others, they actually do hell of a great job!)

~~~
can09
The issue of official binpatches is not a critical problem, but it is still a
problem. It is a security and usability issue simply not present in the vast
majority of nix systems, and that should be acknowledged rather than
downplayed, as this facet of OpenBSD is usually an unpleasant surprise for
potential converts.

Repeating "secure by default" seems rather disingenuous when a freshly-
installed system needs extra attention, and cannot automatically fetch the
latest security updates.

Updates may be "trivial" to you, but they are still clearly more complex than
the average system, as they require individual attention and recompilation.
These speedbumps to security are not what "secure by default" implies.

Alternatively, relying on a third-party tool (and having to vet that extra
party) is not "secure by default" either.

Your final points are distracting from the issue and verging on ad-hominem.
Firstly, first-party binpatches are so prevalent that noticing their absence
is hardly significant scrutiny. Secondly, just because OpenBSD is very good in
some areas doesn't mean we can ignore deficiencies in other areas.

~~~
cisstrd
OpenBSD does not try to be everything for every person and I think it's fair
to put some things in context. Just because other systems provide binary
patches for security issues (and I haven't so far named and will continue to
not name other OSs, but many have a lousy track record of doing so to begin
with), that does not make them automatically more secure than OpenBSD, which
has so many active pro-security measurements built in from the start and where
updates are provided, but not officially via binary patches. I think a lot of
the comments did not acknowledge the circumstances and see the greater picture
and my sense of a need for some further context was justified.

But your original comment was: "Does it seem a little embarrassing to anyone
else that this is necessary? OpenBSD is supposedly the most secure nix
platform available, and yet users have to resort to third-parties to get
functionality that is available on nearly every other nix system by default."

So no, I don't consider it to be embarrassing for a little project that does
so much in so many ways (part of it being that every single security issue is
addressed and patched swiftly across multiple architectures, full disclosure
is practised et cetera) to not provide binary patches while having an
experienced community accepting of this. This last part actually what makes
OpenBSD such an efficient catalyst for innovation, since people accept
breaking backwards compatibility, turning on security mitigations while it
might brake some stuff here and there, et cetera...

------
w8rbt
___" Keeping your installed OpenBSD packages up to date is hard and time-
consuming."_ __

I find it very easy. I follow stable and upgrade every six months. Upgrades
take about 30 minutes max.

~~~
phaer
You are talking about base, they are talking about packages (and -current
base).

~~~
w8rbt
I mean the system in general. I get new ports (like everything else) every six
months. And when security flaws are discovered in third party software, they
are fixed in the -stable branch of the ports tree.

[https://www.openbsd.org/faq/faq15.html#PortsSecurity](https://www.openbsd.org/faq/faq15.html#PortsSecurity)

------
can09
Does it seem a little embarrassing to anyone else that this is necessary?
OpenBSD is supposedly the most secure nix platform available, and yet users
have to resort to third-parties to get functionality that is available on
nearly every other nix system by default.

~~~
OrpheanBeholder
The OpenBSD project doesn't have the resources to provide this so m:tier
employs a couple of OpenBSD developers to provide this option for people who
want it. Not sure what is embarrassing about this.

~~~
saean
If openbsd developers do it, why don't they make it official and provide it
from openbsd.org? They could still plaster "this is thanks to funding from
mtier" on the site prominently.

~~~
sdkmvx
The OpenBSD developers are unwilling to do anything that makes some
architectures better than others, and M:Tier is unwilling to build stable
updates for everything. Perhaps this will change one day as hardware continues
to consolidate, but that's the way it is for now.

[http://www.openbsd.org/plat.html](http://www.openbsd.org/plat.html)

