It is not an excuse, you are perhaps just not familiar with how software is handled by OpenBSD and other free operating systems. You have a base system, which includes the kernel, user land, etc. Then on top of this you have ports and packages, usually in a different source tree.
Unless you have a nearly insane amount of resources, vetting all those ports and packages is incredibly hard if not impossible (think Canonical and Red Hat level of funding, when on a good year OpenBSD raises ~USD 500,000 and Red Hat's revenue is in the billions) and even then there will generally be different tiers of support. Thus, the strongest guarantees will always be with the base system as it is installed by everyone and outside of Linux also developed by a single team. Yes, plenty of ports such as Firefox on OpenBSD have some great security patches applied, but expecting all the over 10,000 ports to have the same level of quality and attention applied as what is in base is unrealistic no matter how much security and correctness is a priority.
I have maintained ports and packages across the Linux and BSD ecosystems for a good while now and I have more confidence in what OpenBSD has in ports based on my own experience compared to several Linux package managers. However, that does not mean that I will try to pull out a random OpenBSD package and expose it to the Internet before doing due diligence.
No worries, glad to help. I should also have added that on OpenBSD (and BSDs in general) base is much more complete than on most Linux distributions. I run a web, name, and mail server using OpenBSD and I do not need a single port or package for this. SMTP daemon, DNS daemon, web server, TLS certificate handling, etc. It is all in base and works together coherently, which is what draws people like me to BSDs.
That is not the same as in base though. For example, the NixOS developers maintain a large chunk of code to generate scaffolding around systemd and to build code via Nix. They do not take a web server, fork it, and maintain it (alternatively, write that web server from scratch as is the case for httpd(8)). When I set up that OpenBSD server, I install the base system, place the configurations, start the daemons, and I am set. Not a single line of code runs outside of what is in the base repository.
I realise that the way BSDs do things is very different from Linux, but in BSD land the same people write the kernel, user land, and maintain the ports tree. With this I am not saying it is superior, but it does lead to a very different experience both as a developer and user. Yes, there are some exceptions to this like clang, the AMD GPU driver, etc. But the overall picture is true.
There are some library functions to support databases in base, but that is probably not what you are asking for. Likewise, to the best of my knowledge there is no TUN/STUN server. However, you likely have both in ports.
Not sure if you are asking these as "Gotcha questions", if not, sorry, reading tone, etc. over the Internet is hard. If you are though, you are missing the point of what OpenBSD is and asking those questions is akin to walking into a Burger King and asking for sushi or how Linux interoperates with proprietary Windows drivers.
OpenBSD is the answer to what happens when a bunch of programmers get together around a shared history (BSD), goals (security, sane defaults, etc.), and very limited resources (Linux may be on the order of magnitude of a million times more users and funds). For example, based on reading tech@ for a few years, I am certain that the OpenBSD developers would love to have a new file system (people on Hacker News love to complain about FFS2), but the problem is that they are acutely aware of their own limitations. Ignoring the licensing issues with say ZFS, they do not have the funds and manpower to bring it into base (and maintain it as well, which everyone conveniently seems to forget is a cost) given how complex and large of a piece of code it is. So, an OpenBSD solution to what a new file system will look like will always be different from what we see out of Windows, Linux, etc. This, to me, is a good thing, because I like software diversity and history has shown that out of the OpenBSD community come amazing pieces of software that make their way into the rest of the ecosystem: OpenSSH, OpenSMTPD, tmux, LibreSSL, etc.
As a user, it forces you to rethink the cost of what you run and to some degree change your habits. I, for example, thought I "needed" a media server, but instead I have a directory serving videos over HTTP via httpd(8) and I just use the default directory listing and copy a URL into VLC to watch. Now, you may cry "That is not the same as a media server!" and I am not claiming it is, but I am getting along with no dependencies and fewer lines of code and am happily watching my videos regardless of any objections. Plus, I bet my "media server" upgrades come with a lot less drama.
It is not a gotcha for sure, because I know the *BSDs have been a reference for decades in the UNIX world, like bonding, firewalls and jails; it is "still I don't get it". Your answer helped me anyway, thanks.
Right, the difference is those daemons are written by other teams/people who have various experience/knowledge/security requirements for their software.
The daemons in OpenBSD base are all written and maintained by the same team with members who have similar knowledge, expectations and experience with regard to software and security, etc.