Neither point is moot.
if they're finding security holes (as you cited), then it's clearly being audited.
Their proactive auditing has meant they find very few vulnerabilities these days.
The most intense part of our security auditing happened immediately before the OpenBSD 2.0 release and during the 2.0->2.1 transition, over the last third of 1996 and first half of 1997. Thousands (yes, thousands) of security issues were fixed rapidly over this year-long period; bugs like the standard buffer overflows, protocol implementation weaknesses, information gathering, and filesystem races. Hence most of the security problems that we encountered were fixed before our 2.1 release, and then a far smaller number needed fixing for our 2.2 release. We do not find as many problems anymore, it is simply a case of diminishing returns. Recently the security problems we find and fix tend to be significantly more obscure or complicated
If you look at their errata page you see that for an entire release (6 month period) they only had 1 or 2 security patches per release for the last 3 releases. http://www.openbsd.org/errata51.html
and the underlying OS security would be there regardless of whether you have a fat virtualisation layer on top or a thin chrooted environment.
Not necessarily true, https://forums.virtualbox.org/viewtopic.php?p=17930
. The virtualisation layers adds a whole bunch of voodoo magic so it doesn't work like bare metal, for this reason OpenBSD has very little support for running as a guest on any virtualisation platform nor do they guarantee the same level of security.
However I do have issue with you stating that jails offer more security than virtual machines when breaking out of chroot has already been well documented and containers will use a lot of the same shared memory that VMs did in the exploit you referenced.
Firstly the speaker himself said its harder to break out of chroots then exploiting virtual devices. Secondly which implementation of chroot breakout are you referring to? Please send me an example where an OpenBSD chroot has been broken out of and privileged escalation occurs with their memory protection technologies. You speak of shared memory exploitation but I sent you a page which lists all the tech that prevents that.
Keep in mind not all Operating Systems takes this approach to security by implenting cryptography directly into the core components of the OS. Other OS may rely on damage control like MAC or they rely on virtualisation instead. There was a whole debate (http://allthatiswrong.wordpress.com/2010/01/20/the-insecurity-of-openbsd
) on this but the author didn't understand OpenBSD approach to security.Edited by CaptainBlame - 9/13/12 at 5:37am