Hacker News

Any vulns in any package in OpenBSD's package repositories that they audited should count as a vuln against OpenBSD itself.

If OpenBSD users installed it through OpenBSD repositories and are running it, will they be affected? Yes? Then it counts against the system itself.



I'm not sure that's fair; was log4j a vulnerability in Ubuntu itself? How about libwebp ( https://news.ycombinator.com/item?id=37657746 )?


> I'm not sure that's fair;

It's the way most distros handled security vulnerabilities, though. Without looking, I'm certain Ubuntu has a security advisory for that vulnerability.

So I agree it might not be fair on the face of it or if doing a technical analysis or something, but if you want to compare OpenBSD security to other Linux distros by vulnerability count (and so many who don't know better do), then vulnerabilities should be measured in the same way across both systems.



