Stories from January 16, 2014
1. Today I Briefed Congress on the NSA (schneier.com)
537 points by edwintorok on Jan 16, 2014 | 140 comments
2. UTF-8 Everywhere (utf8everywhere.org)
275 points by angersock on Jan 16, 2014 | 149 comments
3. Tell HN: Server Status
273 points by kogir on Jan 16, 2014 | 120 comments
4. NSA collects millions of text messages daily in 'untargeted' global sweep (theguardian.com)
272 points by weu on Jan 16, 2014 | 73 comments
5. Obama’s Path From Critic to Overseer of Spying (nytimes.com)
249 points by mjstahl on Jan 16, 2014 | 186 comments
6. Value is created by doing (samaltman.com)
237 points by lpolovets on Jan 16, 2014 | 106 comments
7. The iPod of Prison (newyorker.com)
191 points by trey_swann on Jan 16, 2014 | 92 comments
8. World’s most photographed places (sightsmap.com)
180 points by shawndumas on Jan 16, 2014 | 50 comments
9. Rdio is Now Free on the Web (rdio.com)
168 points by oakaz on Jan 16, 2014 | 103 comments

A somewhat related note about branding.

My first "real" job was in the mid-90's; I was the first technical hire at a small Chicago ISP (EnterAct) that grew into a relatively large ISP (when I left, we were default-free peered to several tier-1 providers and had more POPs than I can name). It was great, and the team that started it --- two Big-5 accounting firm programmers --- was inspiring, particularly when it came to business strategy.

Anyways, very early on, EnterAct managed to maneuver into a reputation for premium customer support. We got that reputation by doing some concrete things differently than our competitors: we staffed an appropriate number of CSRs, trained them to be nice to customers, did a lot of gratuitous tech support for basic computer problems, and were flexible about resolving billing disputes. Sadly, a lot of those things were differentiators at the time. A couple years in and we were essentially able to hang "best customer support" on our list of features, and eventually we became the most popular ISP in Chicago largely based on that.

But something I came to notice pretty quickly: the things we were doing to earn that support reputation stopped being empirical differentiators pretty quickly. Our largest competitor, run by Karl Denninger, did us a continuing series of favors by pissing off their customers. But other large regional ISPs pretty quickly learned not to set fire to their customer base, and, by the end, I think our customer service was pretty much at par for the whole area; we were no longer truly different based on support. The reputation, however, never left.

That observation has stuck with me for my entire career. I think about it all the time. It's banal, I know: "early impressions count a lot", but there's a little more to it than that: you can weaponize an early impression by turning it into your market positioning and having some message discipline.

I left EnterAct for a job in Calgary with a company called Secure Networks (SNI), doing development and security research. For the year prior to leaving EnterAct, I had also been working with the OpenBSD project, mostly by writing all their security advisories, but also doing a bit of part-time security research. SNI operated the world's first commercial vulnerability research team, and had a very close relationship with Theo; we had a full time employee who had essentially led the first OpenBSD security audit. I went drinking with Theo many times, and vividly remember hanging out in his basement with Tim Newsham eating bad pizza and trying to find vulnerabilities in Daniel Bernstein's qmail (we found one that would work if integers were 128 bits, but ironically missed the LP64 bugs that Georgi Guninski found; it was 1997, though).

This is all a long prelude to a simple point, which is that I think OpenBSD's reputation for security works in a very similar way to how EnterAct's reputation worked. OpenBSD started doing something very different than FreeBSD, Linux, and (particularly) NetBSD: they did an OS-wide audit for vulnerabilities, and aggressively fixed apparent bugs whether or not we could demonstrate that they were exploitable. That was a great move. But it was so obviously great that pretty much everyone (with the possible exception of NetBSD) quickly adopted the practice.

Among security research insiders, OpenBSD's reputation became a little bit farcical. Not that OpenBSD was comically insecure --- it wasn't --- but that its reputation so far outstripped its actual differentiation. People found a bunch of vulnerabilities in OpenBSD and laughed as the claim at the top of the OpenBSD changed from "no vulnerabilities" to "no remotely exploitable vulnerabilities in the default install".

And at some point in the last 10 years, didn't OpenBSD's distro servers get owned up?

I'm sure the OpenBSD project would like its threat model to include NSA. But OpenBSD is not a meaningful ally in a contest between you and NSA. NSA wins that fight. OpenBSD's userland was much stronger than FreeBSD's in 1999, but I'm not sure I think their kernel is stronger in 2013, and that's probably what matters more.

Let me wind this bloviation up with a caveat: one thing a reputation for security gets you is a feed of talent that is interested in working on security problems. OpenBSD certainly got that. So for instance, OpenBSD's developers designed and built privilege-separated OpenSSH. There is a lot of good security work that has started inside the OpenBSD project, and I don't mean to talk any of that stuff down. I'd just be careful about taking the project's overall reputation to the bank, especially if you have serious adversaries.

Sorry for hanging this sprawling comment off your (simpler) point; I just don't want the root comment on the thread to be me talking down OpenBSD.

11. WebKit.js: Pure JavaScript Port of WebKit (github.com/trevorlinton)
157 points by bpierre on Jan 16, 2014 | 89 comments
12. Secret State of North Korea [video] (pbs.org)
151 points by bane on Jan 16, 2014 | 92 comments
13. The search for the lost Cray supercomputer OS (gigaom.com)
144 points by bane on Jan 16, 2014 | 42 comments

Just to make the call to action a little more direct, the donation link is here:

http://www.openbsdfoundation.org/donations.html

15. What's expected of us (nature.com)
129 points by luu on Jan 16, 2014 | 57 comments
16. Show HN: An Open-Source Data Science Curriculum (github.com/datasciencemasters)
135 points by coderjack on Jan 16, 2014 | 43 comments
17. Tcl the misunderstood (2006) (antirez.com)
131 points by throwaway344 on Jan 16, 2014 | 45 comments

The headline might as well be a more Onionesque "After gaining power, politician turns out not to actually hold the strongly principled views he expressed while campaigning".

I'd be surprised if Obama holds any of the views he expressed during his campaign. A campaign is a marketing effort intended to install a team of people in power.

Generally speaking, the vast majority of power holders agree that aggressive spying is a good idea. This is closely related to their strong preference for maintaining the status quo across the board. We should not be surprised that Obama did not reverse any of Bush's controversial decisions because they were not actually controversial among those with power or with the potential to gain power.

Generally speaking, when an issue is touted as being highly controversial between the major parties, it consists of 98% solid agreement and 2% hyped up disagreement. The disagreement and the "fray" are part of the choreographed propaganda undertaken by powerful interests to create the illusion of dissent.

19. Same word. Different places? Different meanings (sivers.org)
124 points by sachitgupta on Jan 16, 2014 | 49 comments
20. Frere-Jones is suing Hoefler for half of preeminent digital type foundry (qz.com)
125 points by tptacek on Jan 16, 2014 | 24 comments
21. Coding tip: Leave your code in a broken state (plus.google.com)
120 points by mmahemoff on Jan 16, 2014 | 61 comments
22. Why Real Estate Tech Is So Attractive For Founders (ezliu.com)
117 points by ezl on Jan 16, 2014 | 112 comments
23. In London 'Guardians' live in empty office buildings (wsj.com)
114 points by anigbrowl on Jan 16, 2014 | 95 comments
24. Nimrod: A New Approach to Metaprogramming [video] (infoq.com)
111 points by dom96 on Jan 16, 2014 | 83 comments
25. Node.js and the Road Ahead (nodejs.org)
112 points by fcambus on Jan 16, 2014 | 45 comments
26. Happy 25th Tcl (tkdocs.com)
108 points by draegtun on Jan 16, 2014 | 45 comments
27. .NET Fiddle adds F# (dotnetfiddle.net)
105 points by refactormonkey on Jan 16, 2014 | 71 comments
28. Adventures in Wearable Electronics – Making a Light-up Dress (ofbrooklyn.com)
109 points by conesus on Jan 16, 2014 | 30 comments
29. Eero Saarinen's Bell Labs, Now Devoid of Life (metropolismag.com)
101 points by andyjohnson0 on Jan 16, 2014 | 48 comments

This discussion comes up every time only because some people seem to think OS development is like racking new x86 servers running RHEL.

Many of the machines do not have LOM. They have hardware failures instead. They hang because they get trashed building OpenBSD and ports pretty much 24/7. There is debugging and serial cables going on. Someone needs to push that NMI button and check the LEDs flicker like they should. Reboot them. Constantly update to the latest development version, making them panic quite a bit. Diagnose that. Installation procedure requires console access, monitor adapters, weird keyboards, ... They don't fit in racks properly. There are security concerns. Etc, etc.

It's wrong to think of the machine room as rack space that can be had for cheap somewhere else. It's much more like a lab (with the mad professor living on top, controlling the experiment).

