Comment by drh3xx
Re: "Practical security for supply chain attacks?"
I think you should be OK with OpenBSD using chroot and pf rules. Could you isolate further using per app routing domains? I'm also hoping VM client SMP will materialise.
OpenBSD has a lot of memory based protections too such as W^X, guard pages and use of ASLR.
Other than that I can only make the painful recommendation not to trust crates.io, npm etc... pick particular versions or git commits and audit all the code. Then if you have to upgrade a dependency for a project audit the diffs since (thankfully should be much quicker) and choose more established dependencies in general as they should be more stable code bases between major releases. I wouldn't recommend using any unaudited code in general.
2025-06-30 · 10 months ago
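As an added illustration of the "pin versions, then audit only the diffs since" approach above (example code added here, not written by the commenter): a small script that compares two Cargo.lock files and reports which crates need a look. The lockfiles are constructed samples with fake checksums; a crate whose version is unchanged but whose checksum or source differs is flagged separately, because that is never a routine upgrade.

```python
"""Compare two Cargo.lock files and list only the packages whose
version, source or checksum changed: those are the diffs to audit."""
import re

REGISTRY = "registry+https://github.com/rust-lang/crates.io-index"

def entry(name, version, checksum="", source=REGISTRY):
    """Render one [[package]] table; used only to build constructed sample data."""
    lines = [f'name = "{name}"', f'version = "{version}"']
    if checksum:  # path/workspace crates carry no source or checksum
        lines += [f'source = "{source}"', f'checksum = "{checksum}"']
    return "[[package]]\n" + "\n".join(lines) + "\n\n"

# Constructed lockfiles with fake short checksums; not from any real project.
OLD_LOCK = "version = 3\n\n" + entry("serde", "1.0.200", "a1") \
    + entry("leftpad", "0.1.0", "b1") + entry("myapp", "0.1.0")
NEW_LOCK = "version = 3\n\n" + entry("serde", "1.0.201", "a2") \
    + entry("leftpad", "0.1.0", "b9") + entry("rand", "0.8.5", "d1") \
    + entry("myapp", "0.1.0")

def parse_lock(text):
    """Map package name -> its string fields (assumes one version per name)."""
    packages = {}
    for block in text.split("[[package]]")[1:]:
        fields = dict(re.findall(r'^(\w+) = "([^"]*)"$', block, re.M))
        packages[fields["name"]] = fields
    return packages

def changed_packages(old_text, new_text):
    """Return {name: what changed} for every package that needs a look."""
    old, new = parse_lock(old_text), parse_lock(new_text)
    report = {}
    for name in sorted(set(old) | set(new)):
        o, n = old.get(name), new.get(name)
        if o is None:
            report[name] = f"added {n['version']}"
        elif n is None:
            report[name] = "removed"
        elif o["version"] != n["version"]:
            report[name] = f"{o['version']} -> {n['version']}"
        elif (o.get("source"), o.get("checksum")) != (n.get("source"), n.get("checksum")):
            # Same version, different bytes: never a routine upgrade, inspect it.
            report[name] = "same version, checksum or source changed"
    return report

if __name__ == "__main__":
    print(changed_packages(OLD_LOCK, NEW_LOCK))
```

Lockfiles that carry two versions of the same crate would need (name, version) keys; the script keys by name only to keep the diff readable.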
1 Later Comment
repeater [OP] · 2025-07-01 at 05:44:
@drh3xx: Yes, upon further reflection, I feel safe enough forging ahead with OpenBSD. I'll give it a try! Thanks for your comments.
As for crates.io and the like, I definitely do not pull in unaudited dependencies for my own projects. I do, however, sometimes want to contribute to an open-source project that is not my own, and it's not realistic for me to audit everything before I check out the project and build it (and its myriad of dependencies). Depending on the scale of the project and the language(s) involved, I may be able to get away with vmm in such cases.
Original Post
Practical security for supply chain attacks? - I'm considering running OpenBSD on my laptop, but I'm concerned about supply chain attacks, both in transitive dependencies of packages added via pkg_add, and in dependencies of software I'm actively developing and building. On something like Fedora, I have Flatpak + Flatseal for GUI apps like Firefox and GIMP, and I have good VM options for command-line applications and for building software. On OpenBSD, however, all I really have are chroot, pf...