
cperciva, today at 12:17 AM (12 replies)

Alternatively, switch to an operating system like FreeBSD which doesn't take a YOLO approach to security. Security fixes don't just get tossed into the FreeBSD kernel without coordination; they go through the FreeBSD security team and we have binary updates (via FreeBSD Update, and via pkgbase for 15.0-RELEASE) published within a couple minutes of the patches hitting the src tree. (Roughly speaking, a few seconds for the "I've pushed the patches" message to go out on slack, 10-30 seconds for patches to be uploaded, and up to a minute for mirrors to sync).


Replies

gucci-on-fleek, today at 5:09 AM

I'm somewhat skeptical here, because I notified the FreeBSD security team of a vulnerability a few years ago, and I never got a response, even after a follow-up email a few weeks later. To be fair, my report was about a non-core component, and the vulnerability wouldn't be very easy to exploit, but Debian, OpenBSD, SUSE, and Gentoo all patched it within a week [0].

That being said, I'm not suggesting that anyone should judge an entire OS based off of how they handle a single minor report, since everything else that I've seen suggests that FreeBSD takes security reports quite seriously. But then you could also use this same argument for the Linux kernel bug, since it's pretty rare for a patch to be mismanaged like this there too :)

[0]: https://www.maxchernoff.ca/p/luatex-vulnerabilities#timeline

krupan, today at 1:19 AM

If you are switching to a BSD for security reasons, why FreeBSD? Isn't OpenBSD the super secure one? Sorry, it's been a while since I've looked at those projects.

landr0id, today at 1:19 AM

FreeBSD didn't have userland ASLR until 2019 and, amongst other mitigations, still doesn't have kASLR. It's not a serious operating system for people who care about security. If you want FreeBSD and security, take Shawn Webb's HardenedBSD.

tclancy, today at 1:59 AM

There's always a guy. It's great that your favorite distro is definitely safer. An order of magnitude fewer exploits will mean only a few thousand or so, I suppose. Ozymandias used Gentoo.

dijit, today at 7:52 AM

FreeBSD is quite lax when it comes to security, especially defaults and configs.

The preference is for usability over security.

Famously: https://vez.mrsk.me/freebsd-defaults

I appreciate your work on the project, but I can't in good conscience suggest people switch while there are such bad defaults.

f30e3dfed1c9, today at 5:03 AM

Been constructing a lot of infrastructure servers recently, almost all of them FreeBSD VMs running under bhyve on FreeBSD physical hosts. It's a very simple, clean, pleasant environment to work in. And they all run tarsnap. ;-)

eahm, today at 12:24 AM

Also funny they never show Debian in those tests/videos.

homebrewer, today at 7:06 AM

Has everyone here already forgotten about the WireGuard tire fire?

https://lwn.net/Articles/850098

https://news.ycombinator.com/item?id=26507507

tl;dr: deeply insecure WireGuard implementation committed directly into the FreeBSD kernel with zero review.

Was this process problem fixed?

ComplexSystems, today at 5:09 AM

While I am sure FreeBSD is more secure than your average Linux distro, I sure hope they are using these new AI models to harden everything.

pjmlp, today at 6:59 AM

Only to be thrown out of the windows with a plain "curl | sh".

bananamogul, today at 4:35 AM

FreeBSD just slaps at the problem. OpenBSD solves it.

I kid, I kid...