On Mon, Mar 30, 2009 at 07:22:08PM -0400, Aaron W. Hsu wrote:
> It's much easier for people in -STABLE to just run the stable packages.
> That is still probably the best advice for most people.

Yes.

Also, due to various exploit mitigation techniques in OpenBSD,
many bugs that show up in ports are not exploitable or harder to exploit:
http://cvs.openbsd.org/papers/ven05-deraadt/index.html

If you additionally use things like noscript in firefox,
as a desktop user you are already much safer than most other
desktop users out there.

The case in question is as far as I understood a dial-up system that
is used for daily work like editing documents, reading mail and browsing
the web. What kind of security does that really need? OpenBSD -stable
base + release packages + plus noscript sounds good enough to me.
This combination already makes you a very unattractive target compared
to others out there. Many people use much less security than that and
they are fine. (Most desktops on the planet use way too little security
obviously but that's another problem...)

If you run critical and publicly accessible OpenBSD servers, of course
you will want to patch all services from ports you are running as soon
as security updates become available upstream. And when you're running
these kinds of servers there's certainly no harm in learning how to patch
ports yourself. It might be tedious to do, but that's why we have
the current -stable ports situation.

> On the other hand, I don't think anyone would complain if there were
> someone tracking the security updates and making sure that they got in
> to -STABLE or at least that the patches were sent to po...@.

http://openbsd.rutgers.edu/4.4-stable/ looks like a good start.
Do all those patches get posted to po...@? Do people use them?
If so, that's a great start.
Is this the new de-facto standard -stable ports tree yet?

Stefan
