> Never mind the actual security and quality of the code
Security is not about code quality, it's about how quickly you can mitigate mistakes. And "quickly" has meant, since around 2005ish, that it is done in an automated manner.
For BSDs, you will always need a dedicated person that is not only able to read code, but also able to maintain patchsets, roll out an update mirror for themselves, and understand _every line of code_ of the distribution, because BSD doesn't have a workflow to let package maintainers communicate what happened in CVEs so that the parties using them can consume that data in an automated manner.
Nobody will do that job correctly, because nobody can. If you claim you can, you must be the all-knowing "God of compliance", as you put it. If you think you don't make programming mistakes, guess what, you are wrong.
Get over your elitist opinion and realize that all humans make mistakes, therefore automated tools must adapt to that scenario and ease the mitigation of those issues.
And that's where open industry standards like OVAL come in.
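As an added illustration of what "consuming CVE data in an automated manner" via OVAL looks like (this is example code written for this page, not anything from the comment or from any OVAL tool), the block below builds a minimal, constructed OVAL vulnerability definition and evaluates it against a constructed list of installed packages. The CVE id is a placeholder and the version ordering is a simplified epoch:version-release comparison, both assumptions of this example.

```python
# Added example: evaluate a constructed OVAL definition against installed packages.
import re
import xml.etree.ElementTree as ET

OVAL_NS = "http://oval.mitre.org/XMLSchema/oval-definitions-5"
LINUX_NS = OVAL_NS + "#linux"

# Constructed OVAL document; CVE-YYYY-NNNN is a placeholder, not a real advisory.
OVAL_XML = f"""<oval_definitions xmlns="{OVAL_NS}" xmlns:lin="{LINUX_NS}">
  <definitions>
    <definition id="oval:example:def:1" version="1" class="vulnerability">
      <metadata><title>Placeholder CVE-YYYY-NNNN in libfoo</title>
        <reference source="CVE" ref_id="CVE-YYYY-NNNN"/></metadata>
      <criteria><criterion test_ref="oval:example:tst:1" comment="libfoo too old"/></criteria>
    </definition>
  </definitions>
  <tests><lin:dpkginfo_test id="oval:example:tst:1" version="1" check="all">
    <lin:object object_ref="oval:example:obj:1"/><lin:state state_ref="oval:example:ste:1"/>
  </lin:dpkginfo_test></tests>
  <objects><lin:dpkginfo_object id="oval:example:obj:1" version="1">
    <lin:name>libfoo</lin:name></lin:dpkginfo_object></objects>
  <states><lin:dpkginfo_state id="oval:example:ste:1" version="1">
    <lin:evr datatype="evr_string" operation="less than">0:1.2.3-2</lin:evr>
  </lin:dpkginfo_state></states>
</oval_definitions>"""

def evr_key(evr):
    """Simplified epoch:version-release ordering; numeric runs compare as ints."""
    epoch, _, rest = evr.partition(":") if ":" in evr else ("0", "", evr)
    version, _, release = rest.partition("-")
    split = lambda s: tuple((0, int(p)) if p.isdigit() else (1, p)
                            for p in re.split(r"(\d+)", s) if p)
    return (int(epoch), split(version), split(release))

def evaluate(oval_xml, installed):
    """Return {definition_id: bool}; True means the host matches the vulnerable state."""
    root = ET.fromstring(oval_xml)
    q = lambda ns, tag: f"{{{ns}}}{tag}"
    objects = {o.get("id"): o.findtext(q(LINUX_NS, "name")) for o in root.iter(q(LINUX_NS, "dpkginfo_object"))}
    states = {s.get("id"): s.find(q(LINUX_NS, "evr")) for s in root.iter(q(LINUX_NS, "dpkginfo_state"))}
    tests = {}
    for t in root.iter(q(LINUX_NS, "dpkginfo_test")):
        name = objects[t.find(q(LINUX_NS, "object")).get("object_ref")]
        evr = states[t.find(q(LINUX_NS, "state")).get("state_ref")]
        have = installed.get(name)
        # A package that is not installed cannot match; otherwise apply "less than".
        tests[t.get("id")] = (have is not None and evr.get("operation") == "less than"
                              and evr_key(have) < evr_key(evr.text))
    results = {}
    for d in root.iter(q(OVAL_NS, "definition")):
        refs = [c.get("test_ref") for c in d.iter(q(OVAL_NS, "criterion"))]
        results[d.get("id")] = all(tests[r] for r in refs)  # criteria default operator is AND
    return results
```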