
You think they can't be competitive because there was some awful code that briefly made it into their development branch and was promptly caught before it could be released? I'd agree that there's room to improve the review process, but it's hard to be too critical of a process by citing a successful case of it working.



OP has probably never run FreeBSD and is likely commenting about an article they read a while back. I’ve run a server for years and it’s been rock solid. Hardware support is not as good as other BSDs. Most people don't jump on the release candidates and incorporate them into their products, like pfSense did. One big exception is Netflix.

Not to mention the developer who did that seems like an absolute piece of work.

> The Macys' attempts to force their tenants out included sawing through floor support joists to make the building unfit for human habitation, sawing holes directly through the floors of tenants' apartments, and forging extremely threatening emails appearing to be from the tenants themselves. The couple fled to Italy to avoid prosecution but were eventually extradited back to the US—where they pled guilty to a reduced set of felonies and served four years and four months each.


That's not entirely right: I did run FreeBSD for a while and understand why people value it. My current understanding is simple: the smaller audience allows for flaws to be overlooked through internal dynamics like social proof.

Like I said, I'm not an infosec guy, all I can refer to is a somewhat informed gut feeling. A comparatively small audience which is convinced that it belongs to the "good" group is inherently vulnerable, the article just made some of those dynamics visible.


From a vulnerability disclosure point of view:

FreeBSD doesn't have OVAL data, and invented their own crappy XML format and disclose vulnerabilities via mailing lists (without any automateable parseable format, because it's emails). [1]

OpenBSD's errata are maintained as patch files that people would have to merge in themselves. Literally [2]

So yeah, I'd argue to use Arch over BSD anytime. They patch vulnerabilities upstream first, don't diverge in their packages from upstream when it comes to backports, and patch critical vulnerabilities within less than 24 hours on average, if they are patchable. [3] and [4]

Also, don't use Debian or Ubuntu. Security-wise they are a nightmare due to soooooo many wrongly labelled issues, where they put in "too diverged from upstream" and dozens of other freetext-labels as a reason to not fix critical RCEs. Impossible to maintain security-wise.

[1] https://www.freebsd.org/security/advisories/

[2] https://www.openbsd.org/errata72.html

[3] https://security.archlinux.org/

[4] https://security.archlinux.org/advisory


Stop spreading wrong facts. OpenBSD uses syspatch, no one uses cvs+patch for that anymore.

For upgrades, you use pkg_add -u for your installed packages and sysupgrade between releases for the base.



