I use OpenBSD at home for my router and my desktop. I don't plan to go back to Linux anytime soon. OpenBSD is robust, well documented, and simple.
On the other hand it lacks many fancy features. For example its filesystem is somewhat dated compared to ZFS or BFS. But that's the price to pay to get a stable, secure, and well polished operating system.
Quite true, and if you're serious about security, you'll be sure to follow any packages you're using. The benefit of OpenBSD is that it ships "Secure by Default", unlike a ton of other distros:
"To ensure that novice users of OpenBSD do not need to become security experts overnight (a viewpoint which other vendors seem to have), we ship the operating system in a Secure by Default mode. All non-essential services are disabled. As the user/administrator becomes more familiar with the system, he will discover that he has to enable daemons and other parts of the system. During the process of learning how to enable a new service, the novice is more likely to learn of security considerations.
This is in stark contrast to the increasing number of systems that ship with NFS, mountd, web servers, and various other services enabled by default, creating instantaneous security problems for their users within minutes after their first install."
Yeah, I got a new server recently that comes with CentOS 5.3. When I ssh'd into the box I saw about 15 services running. I was like, wtf, why does a server need gpm and avahi??
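The "15 services running" complaint above is really about network exposure: what matters is which of those daemons are bound to a non-loopback address before you have touched the box. The script below is an added example (not code from the commenter or from any project in the thread) that parses `netstat -an` output in both the Linux `addr:port` and BSD `addr.port` layouts and reports every network-reachable TCP listener or bound UDP socket whose port is not on an explicit allowlist. The two netstat samples and the allowlist of only sshd on tcp/22 are constructed for the example, not captured from a real host.

```python
"""Audit listening sockets from `netstat -an` output and flag anything reachable
from the network that is not on an explicit allowlist.  Added example; the two
netstat samples below are constructed, not captured from a real machine."""

from typing import List, Set, Tuple

WILDCARDS = {"0.0.0.0", "*", "::"}


def split_endpoint(endpoint: str) -> Tuple[str, str]:
    """Split 'addr:port' (Linux netstat) or 'addr.port' (BSD netstat) into (addr, port).
    The port is always the text after the last separator, which also handles ':::22'."""
    sep = ":" if ":" in endpoint else "."
    addr, _, port = endpoint.rpartition(sep)
    return addr, port


def is_exposed(addr: str) -> bool:
    """True when the bound address is reachable from off-box: a wildcard or any
    address that is not loopback."""
    if addr in WILDCARDS:
        return True
    return not (addr == "::1" or addr.startswith("127."))


def listening_sockets(netstat_text: str) -> List[Tuple[str, str, str]]:
    """Return (proto, addr, port) for every TCP socket in LISTEN state and every
    bound UDP socket.  Header lines, UNIX-domain sockets and established TCP
    connections are skipped."""
    result = []
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) < 4 or not fields[0].startswith(("tcp", "udp")):
            continue
        proto = fields[0].rstrip("46")  # tcp6/udp6 -> tcp/udp
        if proto == "tcp" and (len(fields) < 6 or fields[5] != "LISTEN"):
            continue  # ESTABLISHED, TIME_WAIT, ... are not listeners
        addr, port = split_endpoint(fields[3])
        result.append((proto, addr, port))
    return result


def exposed_unexpected(netstat_text: str, allowed: Set[Tuple[str, str]]) -> List[Tuple[str, str, str]]:
    """Network-reachable listeners whose (proto, port) is not on the allowlist."""
    return sorted(
        (proto, addr, port)
        for proto, addr, port in listening_sockets(netstat_text)
        if is_exposed(addr) and (proto, port) not in allowed
    )


# Constructed sample in Linux net-tools layout (portmapper and mDNS exposed).
SAMPLE_LINUX = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN
tcp6       0      0 :::22                   :::*                    LISTEN
tcp        0      0 192.168.1.10:22         192.168.1.5:51234       ESTABLISHED
udp        0      0 0.0.0.0:5353            0.0.0.0:*
udp        0      0 127.0.0.1:323           0.0.0.0:*
Active UNIX domain sockets (servers and established)
unix  2      [ ACC ]     STREAM     LISTENING     12345    /var/run/dbus/system_bus_socket
"""

# Constructed sample in BSD layout (syslogd bound to the wildcard UDP port).
SAMPLE_BSD = """\
Active Internet connections (including servers)
Proto   Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp          0      0  *.22                   *.*                    LISTEN
tcp          0      0  127.0.0.1.25           *.*                    LISTEN
udp          0      0  *.514                  *.*
"""

# Assumed baseline for a fresh server: only sshd should be reachable.
ALLOWED = {("tcp", "22")}

if __name__ == "__main__":
    for name, sample in (("linux", SAMPLE_LINUX), ("bsd", SAMPLE_BSD)):
        for proto, addr, port in exposed_unexpected(sample, ALLOWED):
            print(f"[{name}] {proto} {addr}:{port} is network-reachable and not on the allowlist")
```

On a real host pipe `netstat -an` into the script instead of the samples; the point of the allowlist is that it forces you to name every port you expect, so anything a default install added (portmapper, mDNS, syslogd on UDP) shows up as a finding rather than being silently tolerated.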
Most Linuxes are pretty good these days about security; there was a time when it seemed like every Red Hat version came out of the box with a remotely exploitable hole.
But Ubuntu is locked down by default now. And their security responsiveness seems pretty good.
Security from external threats is what most people tend to look at, but OpenBSD takes security of local users just as seriously. Personally I would feel very uneasy about giving other users accounts on most *nix machines, but I wouldn't worry much about making an account on my OpenBSD box.
Yeah. There were some bad days with default Linux installs circa 1998 or so (Red Hat 6.0 was a disaster, IIRC), but everyone learned their lesson and in fact Linux distros have been extraordinarily proactive about security since. Witness Red Hat with SELinux, FORTIFY_SOURCE, ExecShield, etc...
One of the ironies is that the "only two remote holes in the default install" bit, while impressive compared to, say, Microsoft, is still two more than Red Hat and Ubuntu have shipped over the same period. (Disclosure: that's from memory. I'd have to look up dates on remote exploits to be sure.)
I guess I was counting since the first hole in 2002. Have there been any in common linux distros since then? OpenBSD got caught once.
But even so: Ubuntu has had zero remote holes in the default install in 5 years. I'm getting hung up on a divide by zero bug somewhere, but I think that works out better if you want to be pedantic about this stuff, no? :)
Seriously: it's a dumb marketing slogan, and it means next to nothing. In point of fact over the last 6-7 years OpenBSD doesn't have a particularly distinguished security record according to their own metric. It's better than Microsoft.
2002 and 2007, according to Wikipedia. I'm skeptical about OpenBSD being more secure overall, in the real world (who has time to apply patches manually?!) But, to be fair, I'm pretty sure Debian and Ubuntu had a big OpenSSL-related fiasco just recently.
There have been lots of security bugs. But no "remote holes in the default install", which is OpenBSD's marketing slogan. That's the point that I was making. It's a dumb metric.
PS: OpenBSD's manuals are awesome.