Those who sacrifice security to performance, deserve neither :-)

Founding fathers aside, if you're not connected to the internet or even wider LAN, but on some private lab running specific workloads, you don't need security from malicious side-loaded apps.

Oh yes you do.

"14 Popular Air-Gapped Data Exfiltration Techniques Used to Steal the Data" - https://thesecmaster.com/14-popular-air-gapped-data-exfiltra...

"A Survey on Air-Gap Attacks: Fundamentals, Transport Means, Attack Scenarios and Challenges" - https://www.ncbi.nlm.nih.gov/pmc/articles/PMC10054827/

The data could be public anyway, like publicly funded research data. Not every number crunching means secrecy.

Also none of the above are about software level security.

You'll probably not doing those anyway, even if you have all the security fixes for cpu timing stuff (as was the context) enabled.

Pretty snarky comment in my opinion. From my understanding, OpenBSDs main reason for not supporting things (apart from the obvious lack of resources) is that they are not free (require blobs etc.).

Security concerns are typically solved in software by them as long as they can get access to the hardware in a free (as in freedom) way.

I actually applaud them for their hard stance and am happy that we have this end of the spectrum as well as the Linux end (pragmatic, just get devices to work somehow, willing to accept some non-freedom). It's certainly not the easiest path to follow.

> Pretty snarky comment in my opinion. From my understanding, OpenBSDs main reason for not supporting things (apart from the obvious lack of resources) is that they are not free (require blobs etc.).

Your comment reads as someone who doesn’t really interact with the OpenBSD ecosystem very much.

I’m pretty sure the commenter you’re replying to was referring to the fact that hyperthreading is disable by default on OpenBSD systems out of caution: https://news.ycombinator.com/item?id=17350278

And as for their attitude toward firmware blobs, while they ideally prefer them to be free, they only require them to be redistributable; this is a less hard stance than GNU. Plenty of OpenBSD drivers require proprietary blobs to function.

I mean, considering Intel has had one of the least performant SMT designs in history, easily being trounced by both SPARC and POWER, you'd probably still get 70% of the chips' total performance with them disabled.

Now, when they disable Zen SMT, then there might be a decent talking point.

Can I have context on whether they are innovation killers or prophets vindicated after years of mockery or somewhere in between?

Interesting question. I don't believe that neither Intel nor AMD have actually found a way to make SMT completely safe against Microarchitectural Data Sampling attacks, so maybe it's not actually possible?

If you only care about security, then I think OpenBSDs approach is currently the best, but it also seems like they got lucky a few times, like with Zenbleed, where they for unknown reason never really adopted the AVX to the same extend as Linux or Windows.

I mean, physically speaking, unless you are deliberately going fully Procrustean on your computations, there's no way to really avoid those types of micro-architectural side-channel disclosures. It's a trade-off. Either you get the computation result faster (but you have side-effects that can be measured as an alternate form of info disclosure), or you trade some minimum possible execution time to gain fewer side-channels through which unintended disclosure can happen.

Imo prophets.

How about people disabling JS by default?