
Re: Alas and alack.



On Tue, Jan 28, 2003 at 10:58:21AM -0500, alex wrote:
> Has the Linux security bubble burst?
> 
> http://www.informationweek.com/story/IWK20030124S0013/1

I would say "no", for five reasons:

1)  Langa suggests that part of the reason behind the current rise in
Linux security flaws being found is because more crackers are
targeting it.  If this is true, then they're probably finding a lot
of problems that have been around for a while.  If security problems
are being fixed faster than new ones are being introduced, this will
drop off instead of remaining at the current rate.  It is too soon to
say whether this will happen or not, but there's no strong reason to
accept Langa's assumption that it will not.

2)  To try and normalize for the existence of multiple Linux
distributions, Langa does a straight comparison of the number of
security fixes released by Red Hat 7.2 vs. Windows XP.  He does not,
however, take into account the number of issues addressed by each
patch.  In my experience, Linux tends towards 'one bug, one patch',
while Microsoft waits around a bit, then issues a single mega-patch
that fixes dozens of problems all in one shot.  You cannot,
therefore, expect a simple count of how many patches have been
released to be a meaningful comparison.

3)  Stating that "if it's unfair to lump all open source software
together for bug-counting purposes, it's also unfair to do the same
thing for all Microsoft software," Langa chooses to not include MSIE,
MSOE, or any other Microsoft products in the XP bug count.  It is
unclear, however, whether the Red Hat bug count includes browsers,
mail clients, etc. distributed as part of Red Hat Linux.  If it does,
then the MS bug count should include all 'standard' Windows apps.

4)  Langa dismisses claims of quick bug fixes for open source
software on the basis that they're taking longer to be packaged these
days.  He neglects to mention that updated OSS packages are typically
available days to weeks after an exploit is discovered, while
commercial software vendors (not just MS) tend to take weeks to
months to produce an update, if they even bother to issue a patch at
all instead of leaving it until the next version is released or
denying that the problem exists.  Plus, of course, it is possible to
obtain the raw patches and apply them yourself without waiting for
the official update.  (Few people do this these days, but that's not
the software's fault.)

5)  A lot of Microsoft's problems look to me like design issues and
their patches tend to just cover up specific ways of exploiting the
design flaws - treating the symptoms while ignoring the underlying
problem.  OSS tends to be more likely to apply a band-aid today, to
cover up the immediate problem, and then get to work on the
underlying problem ASAP.

-- 
The freedoms that we enjoy presently are the most important victories of the
White Hats over the past several millennia, and it is vitally important that
we don't give them up now, only because we are frightened.
  - Eolake Stobblehouse (http://stobblehouse.com/text/battle.html)
