securityn0w | 7 years ago

Do you realize that OpenWrt is not very secure and DD-Wrt is even worse?

flas9sd|7 years ago

With a current kernel and updated userland? The no-password root SSH after flashing is vulnerable to others in your local network, yes; keep it offline until pubkey-only auth is configured. To safeguard against dropbear exploits, bind SSH to the internal Ethernet interface and, if installed, access uhttpd/LuCI only via this tunnel. Other than that it seems equal to other default distribution installs. AppArmor/SELinux steps up Ubuntu's/Fedora's game, yes; I don't know how much of this has been a concern yet in OpenWrt, a recent talk touches briefly on it. It seems to be a clean, easy-to-configure distribution that is alive and well after the remerge that just got a recent stable release. Secondary vectors like the package system are a factor. But despite being reliant on the vendor, it is buildable by the end user. I applaud their efforts.
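The SSH hardening described in the comment above, as an added example that is not part of the thread: a shell check of OpenWrt's `/etc/config/dropbear` for password logins and an unbound listener. The sample configs are constructed, and the internal network name `lan` is an assumption.

```shell
#!/bin/sh
# Added example, not from the thread: check a dropbear UCI config for the
# hardening the comment describes (pubkey-only auth, SSH bound to the LAN).

# get_opt FILE NAME: print the last "option NAME 'value'" value, unquoted.
get_opt() {
    awk -v name="$2" '$1 == "option" && $2 == name { val = $3 }
                      END { print val }' "$1" | tr -d "\"'"
}

# audit_dropbear FILE: print one WEAK line per finding, nothing when clean.
audit_dropbear() {
    for opt in PasswordAuth RootPasswordAuth; do
        case "$(get_opt "$1" "$opt")" in
            off|0) ;;   # password logins disabled, keys only
            *) echo "WEAK: $opt is not off, password logins are accepted" ;;
        esac
    done
    # An unset Interface means dropbear listens on every interface.
    # Assumption: the internal network uses the stock name 'lan'.
    case "$(get_opt "$1" Interface)" in
        lan) ;;
        "")  echo "WEAK: Interface unset, SSH listens on all interfaces" ;;
        *)   echo "WEAK: Interface is not 'lan', check where SSH is exposed" ;;
    esac
}

# Constructed sample configs (not taken from a real device).
sample_default() {
    printf "config dropbear\n\toption PasswordAuth 'on'\n"
    printf "\toption RootPasswordAuth 'on'\n\toption Port '22'\n"
}
sample_hardened() {
    printf "config dropbear\n\toption PasswordAuth 'off'\n"
    printf "\toption RootPasswordAuth 'off'\n\toption Port '22'\n"
    printf "\toption Interface 'lan'\n"
}

tmp=$(mktemp)
sample_default  > "$tmp"; echo "default:";  audit_dropbear "$tmp"
sample_hardened > "$tmp"; echo "hardened:"; audit_dropbear "$tmp"
rm -f "$tmp"
```

On a router, point `audit_dropbear` at `/etc/config/dropbear` after installing a public key and before reconnecting the WAN port.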

bigiain|7 years ago

Have you got links or keywords I can search for details about that? (I'm in the middle of a decision about moving to an OpenWRT or Mikrotik router...)

j45|7 years ago

Yup, I do. Have used it on and off since my Wrt54gs.

My point was about availability of updates. Third-party firmwares seem to have a lot more updates than factory ones.

LEDE also merged back with OpenWRT so I hope that improves things.

Rather than poke holes, do you have any suggestions?

OhSnapppp|7 years ago

Why do you say openwrt is not secure? Just curious to learn.

acidburnNSA|7 years ago

One thing I hated about ddwrt was how hard it was to get a TLS download and/or hash. Like seriously, if I'm putting this on my router I don't want it coming down by http!

_emacsomancer_|7 years ago

So we should just stick with the inscrutable pre-installed proprietary firmware?