>Matt is a nice guy, shame if this comment got to him directly.
I noticed this reply to your comment - it was here briefly but has now been deleted. This "Matt" referred to is presumably the CEO. The comment seems to read like a freelancer.com employee trying to threaten you? Your observation on their corporate culture may not be far off...
An interesting counter-point, but rather poorly written, and far too short. You need to flesh your ideas and accusations out properly, and your ending line makes for a lazy and frankly rather pathetic conclusion. You should invest a lot more time into editing and review.
Thank you for reminding me why I read HN comment sections. I appreciate this sort of earnest, well-intentioned dialogue. It is unfortunately not so prevalent on the wider web.
The issue of official binpatches is not a critical problem, but it is still a problem. It is a security and usability issue simply not present in the vast majority of nix systems, and that should be acknowledged rather than downplayed, as this facet of OpenBSD is usually an unpleasant surprise for potential converts.
Repeating "secure by default" seems rather disingenuous when a freshly-installed system needs extra attention, and cannot automatically fetch the latest security updates.
Updates may be "trivial" to you, but they are still clearly more complex than the average system, as they require individual attention and recompilation. These speedbumps to security are not what "secure by default" implies.
Alternatively, relying on a third-party tool (and having to vet that extra party) is not "secure by default" either.
Your final points are distracting from the issue and verging on ad-hominem. Firstly, first-party binpatches are so prevalent that noticing their absence is hardly significant scrutiny. Secondly, just because OpenBSD is very good in some areas doesn't mean we can ignore deficiencies in other areas.
We are not talking about the same thing. I am not arguing they should be more responsible for third-party codebases, this is not an issue of ports vs base. This is far more an issue of infrastructure, of source vs binary. Simply offering binpatches for their core OS would still be a huge step forward.
The fact that virtually every other nix system, large and small, can provide this standard functionality, and the OpenBSD project cannot. Having to rely on third parties for convenient updates is an obvious potential security issue. Firstly because it discourages updates in the first place, but secondly because I now have to trust m:tier as well as the OpenBSD devs.
That is why I say embarrassing - they are one of very few projects to lack this feature, and this feature is an important part of a secure system. OpenBSD is all about being "hands off" and "sane by default" and yet paradoxically their update process is much more involved and hands-on!
Does it seem a little embarrassing to anyone else that this is necessary? OpenBSD is supposedly the most secure nix platform available, and yet users have to resort to third-parties to get functionality that is available on nearly every other nix system by default.
>https://github.com/jondubois
>Matt is a nice guy, shame if this comment got to him directly.
I noticed this reply to your comment - it was here briefly but has now been deleted. This "Matt" referred to is presumably the CEO. The comment seems to read like a freelancer.com employee trying to threaten you? Your observation on their corporate culture may not be far off...