Skip to main content
Information Security

Timeline for Would FreeBSD and OpenBSD have similar known-past-vulnerability stats if they were configured similarly?

Current License: CC BY-SA 4.0

18 events
when toggle format what by license comment
Jan 10, 2022 at 0:17 vote accept MWB
Nov 18, 2021 at 20:41 comment added Steffen Ullrich @bobcat: Again, what exact configuration would you like to compare? You obviously don't want to use the default configuration but you want to have some kind of similar configuration. The nearest thing to get to this is to define a specific use case, configure each OS to best fit this use case and then compare the achievable security in this use case and the effort which was needed to achieve this security (i.e. comes by default or needs to be explicitly secured).
Nov 18, 2021 at 20:32 comment added MWB @SteffenUllrich "both configured with a weak root password" Indeed, the new title can also be intentionally misunderstood (that's why you gotta read the question itself). The title is an attempt at a summary. It's not always perfect. What do you think the title should have been? I'll try to misunderstand yours.
Nov 18, 2021 at 19:59 answer added MWB timeline score: 1
Nov 18, 2021 at 18:45 comment added Steffen Ullrich "Would FreeBSD and OpenBSD have similar known-past-vulnerability stats if they were configured similarly?" - just similarly? So you would be fine in comparing OpenBSD and FreeBSD both configured with a weak root password, SSH server reachable from outside and also for root? In this case - both would be broken quickly, so yes. Or what exact configuration you would like to compare?
Nov 18, 2021 at 18:41 comment added Steffen Ullrich "People seem to be answering the title, which is shorter, but more likely to be misunderstood." - actually, the original title "Can CVE stats be used to compare the security of OpenBSD and FreeBSD?" asked a very clear question with not much room for ambiguous interpretation. No wonder people answered it.
Nov 18, 2021 at 18:21 history edited MWB CC BY-SA 4.0
added 59 characters in body; edited title
Nov 18, 2021 at 17:52 comment added MWB @FireQuacker In general CVE counts are not a good indicator, because different projects receive different amounts of public scrutiny or are different in nature (kernel vs PDF viewer) But this question is specifically about FBSD and OBSD that are similar and do get a comparable amount of public scrutiny (see my comment above).
Nov 18, 2021 at 17:12 comment added Fire Quacker This looks very similar to Are CVE counts a good indicator of a software's security?
Nov 18, 2021 at 16:51 history edited MWB CC BY-SA 4.0
added 146 characters in body
Nov 18, 2021 at 10:29 answer added Ahervi timeline score: 1
Nov 18, 2021 at 6:33 answer added Steffen Ullrich timeline score: 3
Nov 18, 2021 at 5:17 history edited MWB CC BY-SA 4.0
added 3 characters in body
Nov 18, 2021 at 4:19 comment added securityOrange Who's the audience for this comparison?
Nov 18, 2021 at 3:49 comment added user I'm a little biased, so you'd have to take whatever I say with a grain assault, but OpenBSD has been conducting code audits and they've typically been pretty mindful about security. I would assume that they produce one of the most secure operating systems around (even if they lack in the features department). I've heard that they also have good documentation, so maybe that's also an indication of the codebase.
Nov 18, 2021 at 3:42 comment added MWB @user Public scrutiny is a factor in CVE stats, obviously. But I would guesstimate that they get a comparable amount of public scrutiny: FBSD is a bit more popular (~3x ?), but OTOH OBSD attracts security-minded folks, so I would guess it's a wash in this department.
Nov 18, 2021 at 3:35 comment added user My software doesn't have any CVEs assigned to it, but I can assure you that it's not very secure.
Nov 18, 2021 at 3:33 history asked MWB CC BY-SA 4.0
toggle format