Comment by 🛰️ repeater

Re: "Practical security for supply chain attacks?"

In: s/OpenBSD

If there is a package P for some Rust application A, and that application has some dependency X, which itself has some dependency Y, and the author of Y's GitHub account is compromised and Y has malicious code added in a new version, all that has to happen are some dependency bumps for P to be compromised too. The author of X is likely not studying the changes in Y, and the authors of P and A are almost certainly not either. The same problems are there when building software and pulling down dependencies to an even greater degree—which, as a software engineer, I cannot avoid doing.

While a VM is more secure than chroot + pf rules, I do think the latter is probably fine. A lack of setuid/setgid binaries leaves few avenues for privilege escalation, and a reverse shell is not possible given the firewall. Also, the chance that any given bit of malware contains an OpenBSD-specific exploit is far below 1%.

All that said, I still wish vmm had SMP support for guests. I'm not offering to write it, so I can't complain, of course. Hopefully, they'll get there in the coming years. In the meantime, perhaps I'm better off running Linux for the sake of hosting VMs if I want the added security, any of which can be running OpenBSD.

🛰️ repeater [OP]

2025-06-30 · 10 months ago
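An added illustration of the chroot + pf arrangement repeater describes above, not something any participant posted: a pf.conf fragment that cuts a dedicated build account off from the network. It assumes the chrooted builds run as an unprivileged user named _build (a placeholder name) and that the host's ordinary policy is the short illustrative one shown.

```pf
# Added example, not from the thread. Assumes the chrooted builds run as a
# dedicated unprivileged account "_build" (placeholder name).
# pf's "user" parameter matches TCP/UDP sockets by their owner: for outbound
# traffic the user that opened the connection, for inbound the user that
# listens on the port. ICMP and raw sockets are not covered, but those need
# root, which a chroot without setuid binaries does not hand out.

# Sandbox rules first: "quick" rules decide as soon as they match, so nothing
# below can re-open the account. No "on" clause, so loopback is covered too and
# a local proxy or SOCKS listener is not a side door out of the sandbox.
# "return" gives the build an immediate ECONNREFUSED instead of a hang;
# "log" sends every attempt to pflog0, where an escape attempt becomes visible.
block return out log quick proto { tcp udp } all user _build
block return in  log quick proto { tcp udp } all user _build

# Ordinary host policy (illustrative only; last matching rule wins here).
block return in all
pass on lo0
pass in on egress proto tcp to port ssh
pass out all

# Check the syntax without loading:   pfctl -nf /etc/pf.conf
# Load it:                            pfctl -f /etc/pf.conf
# Watch blocked build traffic:        tcpdump -n -e -ttt -i pflog0 user _build
```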


🐐 drh3xx [mod] · 2025-06-30 at 11:31:

I think you should be OK with OpenBSD using chroot and pf rules. Could you isolate further using per-app routing domains? I'm also hoping VM client SMP will materialise.

OpenBSD has a lot of memory-based protections too, such as W^X, guard pages and use of ASLR.

Other than that, I can only make the painful recommendation not to trust crates.io, npm etc.: pick particular versions or git commits and audit all the code. Then, if you have to upgrade a dependency for a project, audit the diffs since (thankfully this should be much quicker), and choose more established dependencies in general, as they should be more stable code bases between major releases. I wouldn't recommend using any unaudited code in general.

🛰️ repeater [OP] · 2025-07-01 at 05:44:

@drh3xx: Yes, upon further reflection, I feel safe enough forging ahead with OpenBSD. I'll give it a try! Thanks for your comments.

As for crates.io and the like, I definitely do not pull in unaudited dependencies for my own projects. I do, however, sometimes want to contribute to an open-source project that is not my own, and it's not realistic for me to audit everything before I check out the project and build it (and its myriad of dependencies). Depending on the scale of the project and the language(s) involved, I may be able to get away with vmm in such cases.

Original Post

🌒 s/OpenBSD

🛰️ repeater:

Practical security for supply chain attacks? — I'm considering running OpenBSD on my laptop, but I'm concerned about supply chain attacks—both in transitive dependencies of packages added via pkg_add, and in dependencies of software I'm actively developing and building. On something like Fedora, I have Flatpak + Flatseal for GUI apps like Firefox and GIMP, and I have good VM options for command-line applications and for building software. On OpenBSD, however, all I really have are chroot, pf...

💬 8 comments · 2025-06-27 · 10 months ago