I don't want to spam this list with OS discussion, but I think yours is an important point, so I'll give my perspective briefly.
This is one of the main aspects of OpenBSD that make it better suited for firewalls etc. than for desktops. One of the main tenets of OpenBSD is "secure by default". There have only been two remote holes in the default install in the last seventeen or so years, so there generally isn't a serious need for base updates. Keeping up with the occasional patches is a good idea, which is done manually by default. This generally takes a file download and about three copied-and-pasted commands. The announce mailing list lets you know about these, and there are scripts to apply them automatically.
If you're running a Tor relay, Tor might be the only thing you install. I also have Vim, SSHGuard, and possibly a library or two for Arm, but that's it. Hopefully, all relay operators keep up with the Tor community enough to stay on a supported version, if not the newest one. The updates are rare enough that I haven't found manual compilation an issue. My OpenBSD node is currently on 0.2.5.10.
If compilation is considered tedious, though, I or someone like me could start more aggressively maintaining the Tor port. I was actually considering this recently, although I have no prior experience with port development. There are almost 9,000 ports, and they're only updated as quickly as they're developed.
Libertas
On 11/05/2014 12:07 PM, Zack Weinberg wrote:
> On Wed, Nov 5, 2014 at 11:20 AM, Niklas Kielblock niklas@spiderschwe.in wrote:
>> Is there much of a difference between setting up Tor on OpenBSD vs. Linux or other Unix(like) systems?
>>
>> Or is this just about setting up OpenBSD in general, or additional security for relays (disk encryption, memory protection) whose use isn't common on most general servers?
>
> Well, the thing *I* don't feel I have the least idea even where to begin with, with *BSD in general, is reliable automatic installation of security updates for both the base system and the ports. I can figure everything else out once and write it into /etc and be done with it. But if I have to manually monitor for bug fixes in all the installed software, and manually update local source code copies and recompile every time, well, that's three chores that computers are better at than I am.
>
> (Actually, the ports system has blown up in my face often enough that I'm convinced it has fundamental design flaws -- and this was in the much less demanding environment of a development VM. I would be much more comfortable with a BSD that accepted the maxim that there can be only one package manager and nothing may escape its gaze.)
>
> zw

_______________________________________________
tor-relays mailing list
tor-relays@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays