What's completely missing here is a big topic: compliance and security.
Both OpenBSD and FreeBSD have laughable security disclosures and an absolute lack of any compliance processes, which is the most important part as a vendor of anything.
FreeBSD even went so far as to invent their own VuXML format (without a spec, of course) instead of adopting an open standard like OVAL, which is used by most enterprise distributions. In the BSD world, vulnerability disclosures happen via mailing lists, aka, bad luck if you missed the email. And that's the definition of being 100% unreliable.
OpenBSD doesn't even have a VuXML file. Only a free-form text archive of emails that is unparseable.
I don't understand how anyone can claim they are so super duper secure in their development cycle, while not even having a web page of security disclosures that happened in the past. It's pretty damn narcissistic to be honest.
So *BSD is a joke because all the apparatus, "compliance processes" and "standards" are not followed? Is that the gist of it?
Never mind the actual security and quality of the code and professionalism of the people involved. The dances are not performed and the compliance Gods are not appeased.
> Never mind the actual security and quality of the code
Security is not about code quality, it's about how quickly you can mitigate mistakes. And "quickly" has meant, since around 2005ish, that it is done in an automated manner.
For BSDs, you will always need a dedicated person that is not only able to read code, but also able to maintain patchsets, roll out an update mirror for themselves, and understand _every line of code_ of the distribution, because BSD doesn't have a workflow to let package maintainers communicate what happened in CVEs so that their using parties can consume that data in an automated manner.
Nobody will do that job correctly, because nobody can. If you claim you can, you must be the all-knowing "God of compliance", as you put it. If you think you don't make programming mistakes, guess what, you are wrong.
Get over your elitist opinion and realize that all humans make mistakes, therefore automated tools must adapt to that scenario and ease up mitigating those issues.
And that's where open industry standards like OVAL come in.
> So *BSD is a joke because all the apparatus, "compliance processes" and "standards" are not followed? Is that the gist of it?
No one said anything like that. They're just saying it's harder for developers and businesses to utilize them as they do other projects that use standard formats and practices. Relax.
Missing one of the infrequent emails from the security mailing list would be hard, but my boxes also email me about vulnerabilities they are exposed to, so it would be very hard to ignore them.