First of all, Red Hat doesn't run telnet, sendmail, and ftp by default. As of the 6.x releases [of Red Hat], the server setup will enable every daemon that's installed. That's not much of a good thing if the system hasn't been properly set up.
Sorry, Inoshiro, but the original statement IS true. "server" setup is not the default; if you ask for server, the non-default install, you were explicitly asking for daemons to be enabled. It's not Red Hat's fault if you can't read their supplied documentation and figure that out. Furthermore, with current Red Hats, even the non-default server install doesn't enable the daemons. Get with the times, man! ;-)
Some of the worst lies are those told with a straight face.
You could, you know, try actually contradicting my argument (most of which you snipped) instead of just spouting clichés.
All the applications that ship with OpenBSD, or which are in the OpenBSD ports tree, have been audited for maximum reliability and stability.
That's explicitly NOT true. NOTHING in the ports tree is guaranteed to have been audited. Read your system documentation; http://www.openbsd.org/ports.html explicitly states that "The ports & packages collection does NOT go through the thorough security audit that OpenBSD follows. Although we strive to keep the quality of the packages collection high, we just do not have enough human resources to ensure the same level of robustness and security."
This situation is only exacerbated by the daemons which ship in the base OS being secure only by lacking functionality. Consider ftpd; OpenBSD ships an audited ftpd in the base OS that is useless for most real-world applications (lacking virtual host support, etc.), and a bazillion unaudited ftpds in the ports tree which are what you're going to wind up actually running. Furthermore, even the base, audited, castrated, ftpd was recently subject to the exact same format string vulnerabilities as all the other unaudited functional ones. Ditto for the base lpr, and the base talkd, and the base....
Any bug can potentially be a security bug, and OpenBSD is the pinnacle of audited code and security.
Nonsense, again. Yes, it's probably the most-audited in terms of percentage of shipped base code having been audited (though I'd bet that in terms of lines audited, Debian and Red Hat have audited more, or FreeBSD for that matter, now that they've begun auditing their ports tree), but audited != security. It does no good to audit your base ftpd and ignore proftpd (or whatever) when 95% of your users are going to rm your base ftpd and install something more functional. You haven't gained security by your audit, you've just lost usability. Security is not something that just magically happens because someone happens to have audited some code some place (witness the exploits for the audited OpenSSH code which have been showing up on Bugtraq). That's even more true when you're probably not even going to use that audited code in favor of unaudited but more functional code available elsewhere.
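The format string bug class the post refers to, as an added example that is not part of the thread and not code from any BSD ftpd: a daemon has a printf-style helper for building its responses, and somewhere peer-controlled text (a login name, a path) ends up in the helper's format slot instead of being passed as an argument. The helper name `build_reply`, the function names and the "530 login failed" text are assumptions for illustration; the inputs are constructed.

```c
#include <stdio.h>
#include <stdarg.h>
#include <string.h>

/* Added example: the shape of a format string bug in a network daemon.
 * Names and messages are illustrative, not taken from any real ftpd. */

/* printf-style helper of the kind daemons use to assemble responses. */
static int build_reply(char *out, size_t outlen, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int n = vsnprintf(out, outlen, fmt, ap);
    va_end(ap);
    return n;
}

/* VULNERABLE: the peer's text becomes the format. "%x" leaks words off
 * the stack, "%n" writes to memory. Defined only to show the pattern;
 * never call it with untrusted data (the test below does not). */
int reply_unsafe(char *out, size_t outlen, const char *user_text)
{
    return build_reply(out, outlen, user_text);
}

/* FIXED: the format is a literal and the peer's text is an argument, so
 * a "%n" in it is copied through as two ordinary characters. */
int reply_safe(char *out, size_t outlen, const char *user_text)
{
    return build_reply(out, outlen, "530 login failed for %s", user_text);
}

/* Audit helper: count conversion directives in data that reached a format
 * slot, treating "%%" as a literal percent sign. A non-zero result on
 * untrusted input is exactly what a code review has to catch. */
size_t count_directives(const char *s)
{
    size_t n = 0;
    for (const char *p = s; *p != '\0'; p++) {
        if (*p != '%')
            continue;
        if (p[1] == '%') {      /* "%%" is a literal, skip both */
            p++;
            continue;
        }
        n++;
    }
    return n;
}
```

The point of putting the two functions side by side is that they differ by a single literal; an audit that only reads the ftpd in base and never the replacement you actually install gains nothing, and an audit of either one still has to find every such call site.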