
OpenBSD's leadership focuses on clean and correct code, not necessarily on security. Of course, that leads to security though.


This is incorrect. Security is definitely a first-class goal for them, not "just" clean and correct code.

That is, they do not only fix code, but try hard to ensure that code which doesn't match their quality goals can't do much harm. And this is security.

The topic at hand (vmm) is the best example for that. At a first glance, this is about creating a clean and correct hypervisor. But what is this good for? To be able to run less secure systems within OpenBSD without them doing too much damage.

Another example is pushing hard to enforce W^X on all kinds of applications, even browsers:

http://www.tedunangst.com/flak/post/now-or-never-exec

This doesn't fix any existing bugs, but it actively mitigates the damage that a bug may have (ideally, it prevents a buffer overflow bug from being actually exploitable).

From their website:

http://www.openbsd.org/security.html

| Our aspiration is to be NUMBER ONE in the industry for security

Sure, security by clean and correct code is their main measure to increase security. They call it "proactive security". But there's tons of stuff in OpenBSD which is "merely" mitigation.
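The W^X point in the comment above is easy to check in practice: a process that honours it has no memory region mapped both writable and executable. The following audit script is an added example, not code from the thread or from OpenBSD; it parses the Linux `/proc/<pid>/maps` format (OpenBSD exposes the same information through procmap(1), with a different layout) and flags every region whose permission string carries both `w` and `x`. The sample mapping lines are constructed for the example, and the `rwxp` anonymous region in them is a deliberate violation so the output is visible.

```python
"""Audit a process's memory mappings for W^X violations.

Added example (not from the HN thread or OpenBSD). Parses Linux
/proc/<pid>/maps lines and reports regions that are both writable
and executable, i.e. regions that a W^X policy would refuse.
"""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# One /proc/<pid>/maps line: start-end perms offset dev inode [path]
_MAPS_RE = re.compile(
    r"^(?P<start>[0-9a-f]+)-(?P<end>[0-9a-f]+)\s+"
    r"(?P<perms>[rwxsp-]{4})\s+"
    r"(?P<offset>[0-9a-f]+)\s+"
    r"(?P<dev>[0-9a-f]+:[0-9a-f]+)\s+"
    r"(?P<inode>\d+)\s*(?P<path>.*)$"
)


@dataclass(frozen=True)
class Mapping:
    start: int
    end: int
    perms: str   # e.g. "r-xp"
    path: str    # empty for anonymous memory

    @property
    def writable(self) -> bool:
        return "w" in self.perms

    @property
    def executable(self) -> bool:
        return "x" in self.perms

    @property
    def violates_wx(self) -> bool:
        # W^X means "writable XOR executable"; both set is the violation.
        return self.writable and self.executable


def parse_maps(lines: Iterable[str]) -> List[Mapping]:
    """Turn raw maps lines into Mapping records; blank lines are skipped."""
    mappings: List[Mapping] = []
    for line in lines:
        line = line.rstrip("\n")
        if not line:
            continue
        m = _MAPS_RE.match(line)
        if m is None:
            raise ValueError(f"unrecognised maps line: {line!r}")
        mappings.append(
            Mapping(int(m["start"], 16), int(m["end"], 16),
                    m["perms"], m["path"].strip())
        )
    return mappings


def wx_violations(lines: Iterable[str]) -> List[Mapping]:
    """Return only the mappings that are both writable and executable."""
    return [m for m in parse_maps(lines) if m.violates_wx]


def audit_pid(pid: str = "self") -> Optional[List[Mapping]]:
    """Audit a live process; returns None where /proc/<pid>/maps is unavailable."""
    try:
        with open(f"/proc/{pid}/maps") as fh:
            return wx_violations(fh)
    except OSError:
        return None  # not Linux, process gone, or no permission


# Constructed sample: a normal binary (text r-x, data rw-), a stack, and
# one anonymous rwx region that a W^X policy would have refused.
SAMPLE_MAPS = """\
55d0c0a00000-55d0c0a01000 r--p 00000000 08:01 1311049 /usr/bin/demo
55d0c0a01000-55d0c0a02000 r-xp 00001000 08:01 1311049 /usr/bin/demo
55d0c0a02000-55d0c0a03000 rw-p 00002000 08:01 1311049 /usr/bin/demo
7f3a1c000000-7f3a1c021000 rwxp 00000000 00:00 0
7ffd5d3e0000-7ffd5d401000 rw-p 00000000 00:00 0 [stack]
"""

if __name__ == "__main__":
    for m in wx_violations(SAMPLE_MAPS.splitlines()):
        print(f"W^X violation: {m.start:#x}-{m.end:#x} {m.perms} "
              f"{m.path or '(anonymous)'}")
    live = audit_pid()
    if live is None:
        print("live audit skipped: /proc/self/maps not readable here")
    else:
        print(f"live process: {len(live)} W^X violation(s)")
```

Run it as-is to see the constructed violation reported, or call `audit_pid("1234")` against a running process. An empty result from `audit_pid` is the state W^X enforcement aims for; a non-empty one is worth a look, since a JIT or loader that keeps a region `rwx` is exactly the kind of code the mitigation described above would refuse to run.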


> This is incorrect. Security is definitely a first-class goal for them, not "just" clean and correct code.

I get the impression that the dominant attitude among OpenBSD developers is that if you have to choose between simplicity and security, your basic approach is flawed and should be reconsidered. This line of thinking - that you don't make things more secure by making them more complicated - also results in a simple yet powerful system.

So unless I am mistaken, "clean and correct code" and "security" are not two different goals; in a way they are two faces of the same coin.



