WhatsApp FreeBSD (or not) Packer Image

Correct me if I am wrong, but FreeBSD is an OS with all batteries included, aka no need to install packages because all the packages that come pre-installed in a Linux distro are built into the FreeBSD OS. So the "no maintenance problems" point is not accurate; the difference is that everything is one big package, the OS, thus it still needs to be updated and patched, and this may or may not be trickier than updating isolated packages, but I have no experience with BSD.

Not really. Distributions come with similar capabilities to what is in FreeBSD base. Additional software still needs to be installed.

Yes and no. The "problem" is that you are updating everything (kernel and base), but on the other hand you cannot end up with incompatible updates, as can happen with Glibc. Additionally, the updates are less frequent, as the evolution of FreeBSD is slower than Linux.

1 Like

You mean Linux distributions? If yes, I know they still need us to install additional software packages.

So this can be a liability in terms of security, unless they are very quick to patch.

That’s why I like Arch and Manjaro, at least for personal workstations and own servers. They look like they are responsible communities and issue security fixes very quickly.

1 Like

It seems that OpenBSD is a good choice as well; from doing some research, they are quite fast at maintaining the OS, whereas FreeBSD may fix things but take longer to push the code out.

I wish we as a community would create some centralized place to talk about this and help each other create a good foundation "for most cases"; it would be a net positive to have some elders take a stand on such topics.

Still researching

2 Likes

TLDR:

Security is not a blanket you can put over, it is a continual process of identifying and eliminating or mitigating risks. It requires effort, and understanding. Choosing a distro is a very very small component of this process.

Knowing your stack in detail, and being involved in those communities, watching the commits in those projects, checking your server and application logs, and grooming your attack surface, is far more important. And you can do that on Windows, BSD, and Linux equally.

Regarding the comments above, there are a few misconceptions; happy to answer more, but perhaps this is not the forum in that case.

I think the patch timeframes for FreeBSD are not different to the Linux kernel. If you include packages as well (OpenSSL, Erlang, for example), it's similar to most Linux distributions. Most of the last 5 years of security vulnerabilities have been in OpenSSL and in speculative execution bugs, which hit all OSes equally. Who knows what the next years will bring?

In regard to packages and patching, Repository statistics - Repology has some rough data, but as patches and CVEs are not uniformly reported, it's not very accurate; you get the general idea, though. There's not a great deal of difference in practice.

There is a perception that faster evolution of the kernel is somehow more secure, but you might also equate that to a faster rate of acquisition of new bugs and therefore more risk. The BSD communities are definitely smaller, but this also means there are fewer people between you and how the sausage is made.

The typical FreeBSD system comprises 3 parts - kernel, base, ports:

The first 2 are installed at setup, and upgraded or patched (and developed) as a whole:

  • kernel.txz

  • base.txz - what your Linux distro would provide: vi editor, compiler, grep, ifconfig, core daemons

  • by default, after install, you'll only have ssh & ntpd enabled, the latter further secured using MAC framework rules. The attack surface is pretty low at this point

  • ports: these are added & updated as needed. You can expect security vulnerabilities in common packages to be updated in good time. Other stuff depends on, frankly, the time & motivation of the committers concerned. This is no different to Linux distros I expect, but I'm not informed enough to comment.

  • the attack surface now depends on whatever you installed. You can slap on firewall rules and put things in containers (file & network flavours) as well.
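Since the post above ties the attack surface to which daemons rc.conf enables beyond the default ssh and ntpd, here is an added example (not from the thread or the FreeBSD project) that lists the services enabled in an rc.conf-style file and flags any outside a baseline allowlist; the sample rc.conf and the baseline list are constructed for the demonstration.

```shell
#!/bin/sh
# Added example: show which services an rc.conf enables and which of them
# go beyond a chosen baseline, so post-install attack surface is visible.
# rc.conf enables a service with a line like  sshd_enable="YES"

# Print the names of services enabled in file $1, one per line, sorted.
enabled_services() {
    sed -e 's/#.*//' "$1" \
      | grep -Ei '^[[:space:]]*[A-Za-z0-9_]+_enable[[:space:]]*=[[:space:]]*"?yes"?' \
      | sed -E 's/^[[:space:]]*([A-Za-z0-9_]+)_enable.*/\1/' \
      | sort -u
}

# Print enabled services in file $1 that are NOT in the space-separated
# allowlist $2 (the baseline you have decided is acceptable).
extra_services() {
    for svc in $(enabled_services "$1"); do
        case " $2 " in
            *" $svc "*) ;;              # part of the baseline, ignore
            *) printf '%s\n' "$svc" ;;  # enabled beyond the baseline
        esac
    done
}

# Constructed sample rc.conf (not a real host's file).
SAMPLE_RC="${TMPDIR:-/tmp}/rc.conf.example.$$"
trap 'rm -f "$SAMPLE_RC"' EXIT
cat > "$SAMPLE_RC" <<'EOF'
hostname="build01"
sshd_enable="YES"
ntpd_enable="YES"
# nginx_enable="YES"   <- commented out, must not be counted
pf_enable="YES"
sendmail_enable="NO"
EOF

# Baseline: the two daemons the thread says a fresh install enables.
BASELINE="sshd ntpd"

echo "enabled:";         enabled_services "$SAMPLE_RC"
echo "beyond baseline:"; extra_services "$SAMPLE_RC" "$BASELINE"
```

Run it against a real host's /etc/rc.conf by passing that path to the two functions instead of the constructed sample.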

Removing binaries from your system doesn't make it more secure, as Erlang is already a full compiler, there is a Unix shell too, and I can download (or even type in) a binary if I want to exploit a system. Far better return on effort to have a secure architecture, limit lateral movement, manage TLS certificates, minimise non-legitimate traffic, log offsite, keep backups and test your restores.

In general you are going to get the best “security bang for your buck” by picking one stack, and doubling down on learning as much as you can about it. The actual choice of distro/OS is not nearly as significant as having the knowledge & expertise to maintain it securely over time.

FreeBSD & OpenBSD have significantly better docs in general than Linux.

The Arch Linux wiki is amazing and I frequently refer to it for general UNIX software – even if I’m using it on FreeBSD.

Linux kernel docs are also very comprehensive.

NB I'm definitely biased as a FreeBSD committer, but I've still done more Linux sysadmin than I have BSD work over the years in total, although it must be getting close these days!

8 Likes

Amazing explanation, thank you very much.

For what it's worth, I have no clue about any BSD distro and its details, so take my words as those of a naive programmer at the moment.

Agree - I wanted to double-like!