Argue: FreeBSD over Ubuntu

throAU said:
Even when it's not?

Whether it's Windows, OS X, Linux, FreeBSD or whatever other technology platform, blindly choosing a particular platform "because it's the best" without doing due diligence to determine the actual, real merits of the platform is not doing your job (if you're employed in this space). "Best" is also highly subjective, and depends on the rest of your environment, the skill-set of the people employed, the availability of support, etc.

As I said in my post:
vand777 said:
But the balanced view would be that the answer depends on what services your server will be running.

...

I do think that the correct answer depends on what your servers will be running and what the business requirements for scalability/performance/features are. Without this taken into account the answer will be too generic.

At my company we, for example, run Asp.Net MVC4 apps on MS Windows Server 2008R2/2012 (on IIS, using Nginx on FreeBSD as frontend) because we believe that Microsoft has better native support for such apps than Mono. Everything depends on what the purpose of the server is. What apps/services it will be running.
 
And there I was - looking at a very basic FreeBSD installation. With my first priority being the need to get DistroWatch up and running as soon as possible, I was about to start configuring the system, installing the necessary ports, and restoring the essential services. Normally, I'd consider this a fairly enjoyable task, were it not for the fact that it was getting late and I was feeling increasingly tired. "Ah, if only it were Debian and not FreeBSD," I told myself, "everything would be up and running in a snap!" Then, rather than spending a better part of the night setting up a fresh FreeBSD installation, I decided to ask the technician to install Debian instead.
How is it possible that they did not have a disaster recovery procedure? You must perform backups of the operating systems, plus data and applications. This is not a question of Debian vs FreeBSD, it is a lack of disposition.
 
SirDice said:
That simply means he never documented anything. Document everything...

We've all done it, and continue to do it, but this is the most important thing in system administration. Time and again.
 
Please don't go off-topic :).

I'm more interested in arguments concerning the topic rather than how someone did something.
 
gpatrick said:
The US-CERT National Vulnerability Database has more vulnerabilities for Linux than Windows.
Which is relevant in a FreeBSD vs. Ubuntu comparison how exactly?
 
My question exactly. Moreover, when you say Linux, I don't think one is inclined to think of Ubuntu.
 
fonz said:
Which is relevant in a FreeBSD vs. Ubuntu comparison how exactly?

I haven't any formal training in logic, but I did watch the Holy Grail, so I'll take a shot at it.

Ubuntu has a Linux kernel. Thus, Ubuntu would be affected by many of these vulnerabilities. FreeBSD, having fewer vulnerabilities, is superior, with respect to security, when compared to Ubuntu.

@fonz, I hope my recollection is correct that you have a healthy sense of humour.
 
Yum! Yum!

@gpatrick,

Take a look at the other OSVDB Browse categories and note that you can even click on a Creditee's name and see all of the vulnerabilities that they have discovered here: http://osvdb.org/browse

Comparison between FreeBSD and Ubuntu (according to OSVDB the FreeBSD statistics are worse) :\

PS. IMHO, the rivalry spoils many things in the IT/Community world.
 
The OpenSUSE forums were hacked last week. I asked the forum head what software they use, it's SUSE Enterprise Server. It's no FreeBSD.
 
@RichardET, I don't think it is fair to point to an OS when it is very likely that the compromise is caused by an application i.e. forum software.
 
J65nko said:
@RichardET, I don't think it is fair to point to an OS when it is very likely that the compromise is caused by an application i.e. forum software.
Exactly. Sure enough the OpenSUSE forum runs on OpenSUSE, that's hardly a surprise. But it doesn't say which forum software (vBulletin, PHPBB, etc.) they use.
 
fonz said:
Exactly. Sure enough the OpenSUSE forum runs on OpenSUSE, that's hardly a surprise. But it doesn't say which forum software (vBulletin, PHPBB, etc.) they use.
It's very safe to conclude that they run vBulletin.

If you go to their forum you'll notice a small disclaimer at the bottom: "Search Engine Friendly URLs by vBSEO 3.5.2 PL2". Clicking on the link gets you to the vBSEO website which is described as: "Professional vBulletin SEO with a 5 Minute Installation of vBSEO".

Although it is theoretically possible that another forum provides a compatibility layer for vBulletin modules I somewhat doubt that this is the case here.
 
gpatrick said:
A specific search for "ubuntu" and "freebsd" on the US-CERT NVD returns:
Code:
        3-months  3-years    All
Ubuntu        82     1035   2911
FreeBSD        5       33    454
Maybe that is irrelevant data.

Be careful when comparing those values. Don't just blindly look at the numbers. Things like security bugs in Apache, or other applications not directly related to the Linux OS (if there is such a thing), tend to get lumped together as Ubuntu/RedHat/SUSE "vulnerabilities" whereas on FreeBSD they would not, only security bugs in the base OS get counted. Security bugs in ports are usually not taken into account (and shouldn't be). Just like a bug in Acrobat Reader isn't a security vulnerability of Windows but of the Acrobat software, the software just happens to run on Windows.

If you want to make a proper comparison you'll have to filter out everything but the kernel and some GNU base utilities and/or libraries.
 
SirDice said:
If you want to make a proper comparison you'll have to filter out everything but the kernel and some GNU base utilities and/or libraries.

It depends how you want to compare. I'd argue that what actually matters is effort expended to secure vs. number of vulnerabilities in the install.

Most modern Linux distributions seem to install a LOT of stuff by default that you would need to remove to secure the machine to the same degree as a default install of FreeBSD base.

To be fair, Ubuntu and FreeBSD probably shouldn't be compared at all. FreeBSD is a better comparison to a minimal install of Debian.

If you're looking for a BSD style competitor for Ubuntu, it is probably more fair to compare to PC-BSD, as they both include a similar environment out of the box and have a similar goal or usage scenario.
 
throAU said:
If you're looking for a BSD style competitor for Ubuntu, it is probably more fair to compare to PC-BSD, as they both include a similar environment out of the box and have a similar goal or usage scenario.

True, however, we are talking about a person that would happily replace the FreeBSD OS on the servers with Ubuntu.
 
throAU said:
It depends how you want to compare. I'd argue that what actually matters is effort expended to secure vs. number of vulnerabilities in the install.

Most modern Linux distributions seem to install a LOT of stuff by default that you would need to remove to secure the machine to the same degree as a default install of FreeBSD base.
True. But I just don't like it when people call an Apache issue a Linux vulnerability. Because it isn't. Chances are that the same vulnerable Apache is in our ports tree.
 
SirDice said:
True. But I just don't like it when people call an Apache issue a Linux vulnerability. Because it isn't. Chances are that the same vulnerable Apache is in our ports tree.

It's hard to know if the vulnerability is a Linux-only one or affects all platforms without taking a closer look at what the Linux distribution has done with Apache. Often the distribution-specific patches are really substantial in size and you have to know the internals of the software to make a judgement.
 
RichardET said:
The OpenSUSE forums were hacked last week. I asked the forum head what software they use, it's SUSE Enterprise Server. It's no FreeBSD.

The FreeBSD servers were compromised just recently, they wouldn't build/update any new packages for a long time. I remember because I had just switched to using packages...

Now I'm back to ports, so it's all good. :p
 
dnix said:
The FreeBSD servers were compromised just recently, they wouldn't build / update any new packages for a long time. I remember because I had just switched to using packages...

Now I'm back to ports, so it's all good. :p

Did you ever bother to actually read the details of the compromise? It was a leakage of an SSH private key on one of a developer's home machines, nothing to do with the operating system used on the servers.
 
Yes, I recall this. I wasn't saying it had to do with FreeBSD. All I cared about was, they didn't build packages for months.
 
SirDice said:
True. But I just don't like it when people call an Apache issue a Linux vulnerability. Because it isn't. Chances are that the same vulnerable Apache is in our ports tree.

If it is shipping with the OS, then as far as I'm concerned it is an OS vulnerability. If the Linux distribution guys want to complain that it isn't an OS vulnerability, then they should strip their OS back to what they consider to be their own responsibility.

As an end user, I don't care who writes the software. If, for example, I obtain application A with OS B from vendor C, then IMHO it is vendor C's responsibility to ensure that it is secure and patched promptly. The original author/publisher of application A is not really relevant - if I wanted to be responsible for tracking down security fixes direct from the author for every application on the system, I wouldn't be running a distribution, I'd run Linux from scratch or whatever.

If the distribution vendor can't support the software they ship, they should stop shipping it.
 
throAU said:
I

If the distribution vendor can't support the software they ship, they should stop shipping it.

This is the whole distribution vs. OS debate in a nutshell. If you bundle software in highly customized form with the OS, as many Linux distributions tend to do, it's no longer third-party software. It's the responsibility of the bundler to keep it in shape.
 