It is not as inflammatory as I expected. Yes, you can harden a Linux distro beyond what OpenBSD does, but that's not the default and it's a lot of work to set everything up. OpenBSD also makes choices that go against performance, like rejecting hyperthreading, to avoid entire classes of problems. I wouldn't want to run it on my main computer to be honest, but if you're a rando setting up, say, a router, and don't have much knowledge of security or time to invest, setting up OpenBSD in a secure manner will absolutely be a lot less effort than doing the dance on Linux. OpenBSD has fewer mitigations, but it also has fewer attack surfaces; that's the whole idea behind it: be as KISS as possible, do less and stay focused. Compare sudo (which, by the way, is regularly hit by major CVEs) to doas. Sudo is a staggering 223,957 lines of code! Most people have no idea how many things this thing can do and be customized to do. The vast majority of people don't use any of these features and just want a tool that gives them root privileges to run a command after they type their account password, but all of those features are a form of attack surface and make it difficult to review the code and tell when something is being done wrong.
Now, compare this to doas:
https://github.com/openbsd/src/blob/mas ... oas/doas.c
This is just 434 lines of code. Yes, it does a lot less than sudo. Most people wouldn't give a shit when it comes to this kind of utility. Your average C programmer can hold the entire code base in their head and have a good feel for what it does where and when. This is called having good taste in software development. The same philosophy is applied across an entire OS worth of tooling. GNU utilities in comparison are extremely bloated and have an infinite number of flags nobody knows and almost nobody ever uses.
By default, Linux is an extremely insecure operating system. For example, the new IO subsystem of the kernel (io_uring) is just impossible to secure. It's high performance but it's also a crapshoot for security. Google disables it on their servers, Android and ChromeOS, but your average Linux distribution does not. Someone unaware who just throws a distro onto a computer leaves a wide attack surface open.
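An added example, not part of the original post: the check and the mitigation a defender would apply to a Linux box after reading the paragraph above. It assumes a Linux 6.6 or newer kernel, where the kill switch is the sysctl kernel.io_uring_disabled; the /proc/sys/kernel and sysctl.d paths are parameters so the functions can be exercised against constructed directories.

```shell
#!/bin/sh
# Added example (not the post's code): inspect and set kernel.io_uring_disabled,
# the switch Linux 6.6+ exposes under /proc/sys/kernel/io_uring_disabled:
#   0 = any process may create io_uring instances (the default)
#   1 = io_uring_setup() fails with EPERM for unprivileged processes that are not
#       in the group named by kernel.io_uring_group
#   2 = io_uring_setup() fails with EPERM for every process
# Existing io_uring instances keep working; the switch only blocks new ones.

# Print a one-word verdict for the io_uring state under $1 (a /proc/sys/kernel dir).
io_uring_status() {
    procsys_kernel=$1
    f="$procsys_kernel/io_uring_disabled"
    if [ ! -r "$f" ]; then
        # Pre-6.6 kernels have no switch at all: io_uring is on, and can only be
        # blocked by a seccomp policy or by building the kernel without it.
        echo "unavailable"
        return 0
    fi
    case "$(cat "$f")" in
        0) echo "enabled" ;;
        1) echo "restricted" ;;
        2) echo "disabled" ;;
        *) echo "unknown" ;;
    esac
}

# Write a persistent sysctl.d drop-in into $1 that hard-disables io_uring and
# print the path of the file written.
write_io_uring_dropin() {
    dropin_dir=$1
    mkdir -p "$dropin_dir"
    cat > "$dropin_dir/60-io-uring.conf" <<'EOF'
# Hard-disable io_uring: io_uring_setup() returns EPERM for every process.
kernel.io_uring_disabled = 2
EOF
    echo "$dropin_dir/60-io-uring.conf"
}

# Stand-alone usage against the live system (changing the setting needs root):
#   io_uring_status /proc/sys/kernel
#   write_io_uring_dropin /etc/sysctl.d && sysctl --system
```

Only new io_uring instances are refused once the drop-in is loaded, so anything already holding a ring keeps it until it exits.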
Some of this guy's gripes also apply to Linux.
For example:
>No context for security issues
That's exactly the same for the Linux kernel (though not the entire ecosystem, thankfully: always remember that the attitude of Linux kernel devs doesn't really match the whole, while the *BSDs are developed as a singular unit). Linus has constantly rejected treating security bugs as a class of their own, doesn't mention in changelogs what is or isn't important, etc.
Also, while OpenBSD itself is an unpopular OS, so many could argue that it's too obscure for people to care about, remember that (unlike the other BSDs) they as a group have produced a great amount of software that dominates the landscape with a pretty good track record. Everyone uses OpenSSH. That's actually a part of the OpenBSD OS. It's developed primarily on and for OpenBSD and ported to other platforms.
> The portable OpenSSH follows development of the official version, but releases are not synchronized. Portable releases are marked with a 'p' (e.g. 4.0p1). The official OpenBSD source will never use the 'p' suffix, but will instead increment the version number when it hits 'stable spots' in development.
tmux is also developed in the OpenBSD CVS.
Overall, I think a lot of the software development world would benefit from listening to the philosophy behind OpenBSD, just without being as extremist: OpenBSD cannot be considered a usable desktop environment, unless you're an extreme autist who only uses his computer for very specific tasks. I believe there's a middle ground between the extreme minimalism of the OpenBSD and suckless factions and the gigantic bloat and retardation of GNU.
Developing a whole OS together instead of being a bunch of haphazard shit thrown into a random distro also leads to less friction in userland tooling. When Linux introduced new networking capabilities, the APIs were incompatible with net-tools and a whole new set of utilities was created by a bunch of assholes who were inspired by Cisco, whose command-line interfaces are really unfriendly. When OpenBSD does something like that, the developers update both the kernel APIs and their userland utilities. They don't suffer from CADT and chaos. To this day I lament that ifconfig and netstat and the other associated tools became deprecated and unmaintained in favor of the crap that is called ip.
Make no mistake: Linux is only good because the competition for general purpose computing (Windows, macOS) is worse. It's not because it's a pristine, beautiful design on its own. OSes suffer from the ecosystem chicken-and-egg problem; we've only recently become able to comfortably use Linux as a gaming system without too much fuss, and any OS that wants to compete will have a humongous amount of work to support other OSes' ecosystems before getting there, as no one will adopt a platform where most of the software they need doesn't work or doesn't work with good performance. In no way is Linux immune to criticism, far from it.