Why so few security advisories for NetBSD compared to other BSDs or OSes?

kyle7755

So I'm curious about NetBSD and wondering if it is safe to use for a daily driver desktop. I was doing my research and notice that on the security mailing list there isn't a lot of activity. I already subscribe to the OpenBSD and FreeBSD mailing lists for security vulnerabilities having run both of those BSDs and they have multiple security vulnerabilities every few months. NetBSD hasn't had any this year and only two last year. Is the security really that good or is no one looking for bugs? I mean I work as a system admin and my work's windows server and Red Hat Linux systems get DOZENS of bug fixes / security fixes each and every month!

Thank you for your time and I hope you don't think I am attacking NetBSD, I'm just curious why the "crickets chirping" is found on the security mailing list about any bugs found?

Also, when bugs are found is there any way to patch except for recompiling the entire OS?

Thanks in advance!

Jay

kyle7755 you can find about recent advisories here

https://netbsd.org/support/security/

JuvenalUrbino

kyle7755 Is the security really that good or is no one looking for bugs?

NetBSD definitely cares about security. To a certain extent, it aligns with OpenBSD's approach in having a clean code design, with a simple and understandable codebase. See the commit guidelines.

That said, it's practically to be taken for granted (imho) that NetBSD doesn't see many security advisories because there aren't many eyes looking at the code. Security by obscurity is not a great thing to rely upon, but on the other hand, how many evil doers are trying to catch and exploit bugs in the NetBSD code?

rvp

kyle7755 It depends on whether someone is a filer, a lumper, or a splitter. Read through a sample CHANGES to see this in action. All the entries there are fixes, big or small. A lot of the fixes don't have a PR attached. Some devs. file a formal PR first, then fix it (filer). Some of the bugs fixed might have security implications but have not been tagged as such (lumper).

Jay

For applying bug patches you don't need to recompile kernel. You can just binary update NetBSD to latest branch using sysupgrade.

kyle7755

Jay When is a new .1 release released? After so many bug fixes are found?

jmcunx

NetBSD like other BSDs have base and packages.

I am not too concerned about base since the risks are rather quite low. Plus I doubt there are any remote holes in base. Local vulnerabilities may exist, but for "desktop" use these are probably a non-issue.

I would be far more worried about packages from pkgsrc. You can see issues from the "daily insecurity output" mail sent out daily. In that reguard, NetBSD gives you better security warnings for packages then other systems (AFAIK). Using that report you could act on them.

Plus, for "desktop", I think the only major concern is Firefox (and other browsers), I noticed just recently Firefox was updated to the new version on 10.1. So at least for Firefox, you are kept up to date. I think the same could be said for Thunderbird, but I am a mutt user so I have no opinion or knowledge about TB.

HTH