| On Tue, Jan 28, 2003 at 10:58:21AM -0500, alex wrote:
| > Has the Linux security bubble burst?
| > 
| > http://www.informationweek.com/story/IWK20030124S0013/1

On Tue, Jan 28, 2003 at 08:35:16AM -0800, nate wrote:
| as usual, this is very misleading.

Uh-huh.

| the article that the MS hotmail guys wrote about pros vs. cons of
| freebsd vs win2000 was interesting though, check it out if your
| curious(highlights are available in the archives of
| www.theregister.co.uk)

Nice.  Thanks for mentioning it.

http://www.theregister.co.uk/content/archive/28226.html
http://www.securityoffice.net/mssecrets/hotmail.html


On Tue, Jan 28, 2003 at 11:11:45AM -0600, Dave Sherohman wrote:
| I would say "no", for five reasons:
[...]
| 3)  Stating that "if it's unfair to lump all open source software
| together for bug-counting purposes, it's also unfair to do the same
| thing for all Microsoft software," Langa chooses to not include MSIE,
| MSOE, or any other Microsoft products in the XP bug count.

| It is unclear, however, whether the Red Hat bug count includes
| browsers, mail clients, etc. distributed as part of Red Hat Linux.

Just follow his link to the errata page.  It includes updates to
python, apache, xinetd, gdb, perl, mysql, vim, etc., etc.  Counting
only kernel-related errata (since that is the only component with the
name "linux") I see 6 security, 3 bugfix, 1 enhancement release.  Some
of those releases were less than a week apart.  So, as Dave mentioned,
if RedHat (or Linux) had waited a week before releasing the patch they
could have lumped the fixes together and further skewed the count.

| If it does, then the MS bug count should include all 'standard'
| Windows apps.

It should.  Even more so since all of those applications are developed
by the same organization (Microsoft).  OSS applications are developed
by "random" individuals who have little or no connection with each
other.

| 4)  Langa dismisses claims of quick bug fixes for open source
| software on the basis that they're taking longer to be packaged these
| days.  He neglects to mention that updated OSS packages are typically
| available days to weeks after an exploit is discovered,

How long was it between the time Theo discovered the problem with
openssh and the time debian provided the solution in binary form for
all supported architectures?  IIRC it wasn't more than a week, or
maybe a week and a half (which includes figuring out _how_ to fix the
problem!).  Debian's security update mechanism flies in the face of
Langa's claim that OSS updates take nearly as long as commercial
updates anyways.  He also failed to mention that, since you have the
source, you have the opportunity to fix the problem on your own
(immediate!) or hire someone to do it for you.  You don't have to wait
until someone else decides the problem is worth fixing.

-D

-- 
Pride goes before destruction,
a haughty spirit before a fall.
        Proverbs 16:18
 
http://dman.ddts.net/~dman/

Attachment: msg26927/pgp00000.pgp
Description: PGP signature

Reply via email to