There has been a definite decline in the 'production' usage of OpenBSD. I think this is for two reasons. A) as you mentioned catch, the typical installation is on an enthusiasts machines; and many of those have abandoned it in favor of the more up to date and easier to use FreeBSD. B) Where OpenBSD used to be very popular in small ISP's and InfoAssurance/InfoSec applications, there are now dedicated, 'supported' commercial products on the market from folks like RSA, and EdgeBlue (BlueCoat) that have largely replaced them.

Also in my expreience anyway, IS budget managers seem to be very uncomfortable with products that don't come with a large degree of accountability on the part of the vendor. That's one reason why we continue to purchase licenses for TrustedSolaris. Besides being a great OS for our financial data/SAP, knowing that a Sun security engineer is only a phone call away gives folks a warm fuzzy.

Last, but most important these days for 'real' system managers working at companies in the U.S. is the dreaded and mandatory SOX Audit . If you haven't heard of this yet, and are an IS/IT manager or administrator, look out it can be painful. Systems like OpenBSD, and for that matter many Linux distro's don't have the necessary support to run products like Symantec's ESM; an absolute must if you need to provide 'proof' that several hundred UNIX servers have proper access controls, and that full system/group/user auditing is taking place on each one. Personally I love OpenBSD and am a big supporter, but realize that without some big comercial 'must-have' security product that runs on it, it's days are most certainly numbered in 'real' environments.

Great post.

-- spurious