For many years Apple was even less secure than Windows. Linux and OpenBSD are leaders when comes to security. They're collaborating with each other. Nothing else come even close. Windows, macOS, FreeBSD are the least secure operating systems. Windows is insecure by design, Apple OS was always a toy and had broken security for years (ASLR afair). When comes to 'catching up' it seems everyone is trying to catch up with Linux. Linux had incomplete ASLR implementation in 2001, OpenBSD got full one in 2003, Apple in 2011 (and it was broken afaik), Windows since Windows 10 and it wasn't enabled by default. Next time get your facts straight.

I'm happy that we have the freedom of choice. OpenBSD puts security first. Linux puts usability first.

Micro: If I am maintaining my own hardware and I have restricted access to very few users/services then I would use OpenBSD on an AMD64 system*.

Macro: If I am using multiple cloud instances with many users and services that has different levels of access I would prefer using Linux over BSD. AWS seems to be doing the same if you look at Lambda or Fargate.

FreeBSD and OpenBSD are not maintaining architectures other than AMD64. There are many known vulnerabilities that are not planned to be fixed ever and their docs are even outdated: https://wiki.freebsd.org/Speculative...ulnerabilities

*My first choice would actually be custom ISA on a custom OS but that's out of the scope here.

Since Vista - 2007.

Of course it is enabled by default and you are lying as usual.

You have some serious disorders.

Go to therapy or something.​ Maybe confabulation can be cured. I don't know.

The back and forth between Jeff Xu and Theo goes back and forth several times. But Theo basically gets to the point that he's (politely) losing patience and just lays it out bare faced: This proposed syscall isn't for the benefit of the Linux community, it's for Chrome (Google) and only for Chrome - and it's not even a well considered change. He doesn't go QUITE so far to say it, but basically I can see Theo thinking this is the Chrome team trying to push its will on everyone else without bothering to negotiate in good faith. OpenBSD as a group has experienced this in the past with mimmutable() - which Theo says was specifically designed to do what Jeff is currently proposing, but were ignored entirely - presumably because of NIH syndrome.

FreeBSD monitors what OpenBSD does and imports relevant changes. Why do you think FreeBSD belongs in the "low security" bracket?

MS told me you're a liar:





You don't have to share with me what your friends are telling to you. Just do it.

P.S. when comes to Vista it had something that their laughable marketing called ASLR. The truth is It had nothing common with ASLR.

Theo de Raadt begs to differ:

You confuse stuff. Most important ASLR is for memory allocations - and that one is always on.

1st. Yes ASLR for base adress of executable is not forced. But Microsoft since like 2007 by default uses /dynamicbase flag on all builds from their tools. If flag is set, ASLR mandatory is on, and since ASLR protects against exploits done in popular programs, those popular programs have /dynamicbase flag on. The reason why it is not default is because some programs not built with that flag on can crash + stuff from older systems. MS actually takes care a lot on backwards compability.

2nd. Weakness of ASLR in windows mostly is about 32 bit versions of windows.
If thing is compiled with /dynamicbase on, and you have 64 bit windows, you essentially have proper ASLR.

And Windows Vista in 2007 had already kernel level ASLR.

And btw. Microsoft has settings that certain executables even if they don't have /dynamicbase on, they still have manual overwrite to use mandatory ASLR on them anyway. For example, excel.exe has forced ASLR on, so even if somehow you got executable without /dynamicbase on, it would still work as if it is on by default.