Does HardenedBSD offer benefits for Tor relays #9
Description
This is fairly meta, but why not.
I'm currently in the process of standardizing on "BSD by default" for my growing fleet of four modest Tor middle relays. I appreciate the very straightforward reasons expressed so well by the Tor BSD Diversity Project and I’ve picked up on that as a way to start working on my own Linux monoculture. It seems like I currently run the only two BSD-based Tor relays in Finland (edit: this is not true at all, there are a handful. Looked through a list very sloppily!).
I particularly enjoy FreeBSD and the in-place upgrade path offered through ‘freebsd-update’.
Recently, I’ve been curious about HardenedBSD, as this fork fills in some of the odd blanks in FreeBSD, such as a PaX-like implementation of ASLR. I’m looking forward to their upcoming FreeBSD 11.0-RELEASE based release.
So, my question as an enthusiast, non-CS person: is HardenedBSD likely to mitigate any tangible risks of Tor relays being compromised through known or unknown vulnerabilities? That is, when compared to running vanilla FreeBSD and always applying relevant OS and Tor patches in a timely fashion.
Or are HardenedBSD's benefits in the case of Tor on a dedicated machine or VM small enough to be outweighed by the potential hassle of relying on the continuity and QA of a new project?
Maybe I’m overthinking this, but I find platform choices like these to be interesting dilemmas.