Martin C.E.
I only came across this slightly old article recently (see below).
What is the conclusion - that what the author says is a true
reflection of the situation or that he is overstating his case?
Martin
===========
LANGA LETTER: LINUX HAS BUGS: GET OVER IT
Jan 27, 2003
http://www.informationweek.com/story/IWK20030124S0013/1
Fred Langa contends that some Linux proponents harm their cause by
hiding from the facts--it's just as buggy as Windows XP.
----
I made a private bet with myself when I ran an item in my newsletter
called "Linux Hacks On The Rise". It cited a study of software
problems reported by CERT--the Computer Emergency Response Team that
impartially tracks computing security threats. (CERT is part of a
federally funded research and development center at Carnegie Mellon
University in Pittsburgh.)
Among other things, the article said: "...more than 50% of all
[CERT] security advisories ... in the first 10 months of 2002 were
for Linux and other open-source software solutions."
My only point in bringing up this issue was to show that no operating
system is immune to bugs and security issues: As Linux grows in
popularity, it will have its own full share of problems.
It's hard to imagine a less inflammatory or more obvious assertion--
that all operating systems have bugs and security issues--but I won
my bet: Linux and open-source fans thought I was attacking them or
their preferred operating system. They deluged me with E-mails, many
irate, claiming that CERT (and I) were dead wrong.
The two most-common arguments against the report were:
1) There really aren't that many Linux/open source bugs, especially
compared with, say, Microsoft Windows. Many readers argued further
that CERT erred by counting the same bugs multiple times in different
distributions and versions of Linux or other open-source software;
these repeated bugs should have been counted as one meta-bug.
2) Open source bugs, when they do occur, aren't that big a deal
anyway because they can be fixed far faster than Windows bugs.
Trouble is, these arguments are based on old information: Yes, there
once was a time when both of the above statements were true, but in a
moment I'll show you some very current, non-CERT stats and info that
illustrate why both statements are now emphatically false. (We'll
get to the specifics in a moment.)
But this isn't a bad thing. Rather, I take it as a very positive
sign of the growing maturity and mainstream appeal of Linux and open
source software. Let me explain:
Linux's And Open Source Software's Excellent History
Linux (and the whole open source movement in general) got its
reputation for solid software and rapid fixes when this software was
used mostly by a relatively small group of extremely knowledgeable
people. They knew what they were doing, and generally ran their
software on stable, proven hardware platforms; or, when brand-new
hardware was used, it was used in fairly generic ways. (For example,
video card drivers for Linux tended not to support exotic feature
sets; Linux video usually operated at fairly conventional resolutions
and settings.)
This is a benign development environment. Any software can succeed
if it's placed only in the hands of a small group of knowledgeable
experts who can avoid many problems in the first place, and
participate in rapid repair of any unavoidable problems that do
occur.
And "rapid repair" was a very real thing: The open source arena
tended to attract some of the best and brightest of the world's
computing community; people who wanted to do good, and whose
contributions were almost always positive, focused on the continual
improvement of their software.
But things changed. The open source community has fragmented into
myriad competing segments, each with its own different, and
increasingly quasi-proprietary, distributions of software. Huge
numbers of new users of all skill levels have entered what once had
been an experts-only enclave. (Even Wal-Mart now sells cheap PCs
with Linux and open source applications preinstalled.) It's much
harder to produce software for an audience of all skill levels
running who-knows-what hardware, than for an audience only of experts
running a limited subset of known-good hardware.
And, not trivially, as the Linux/open source segment has grown, it's
finally attracted the attention of crackers (malicious hackers). You
see, crackers like to aim at the fat part of the bell curve because
that's where the most potential victims are. That's one of the
primary reasons why more people try to hack Microsoft software than
any other: If a malicious hacker wants fame or notoriety, Microsoft
software is the obvious target because more people use Microsoft
software than any other.
And to me, this is a key thing: When the Linux/open source community
was tiny, few hackers bothered to look for exploitable issues there.
It simply wasn't an attractive target. In other words, it wasn't so
much that Linux and similar software were truly free from exploitable
holes, but simply that no one was trying to find them.
But again, that all changed as Linux and open source software entered
the mainstream. Now that this software is a fully viable alternative
to conventional commercial software, an inevitable consequence is
that more problems will come to light. As novice users, funky
hardware mixes, and active cracking all come into play, the bug
counts are going up. In fact, way up.
Counting Bugs
There's no perfect, 100% reliable way of comparing bugs across
operating systems, especially in an environment where operating
systems usually ship with bundled software that may have its own,
separate quality issues. But let's start by looking just at the
operating system itself:
We can avoid CERT's problem of counting the same bug more than once
if we compare the security patch/update counts for one popular
distribution and version of Linux to one popular version of Microsoft
Windows. In this way, we won't have the Linux count skewed by the
same bug cropping up in hundreds of other versions and distributions;
or have the Windows count skewed by bugs in other Windows versions or
software products from Microsoft.
To further refine the comparison, let's look at operating system
versions that came to market at about the same date. This way, both
operating systems would have a more or less equal time during which
problems could come to light.
It turns out that Microsoft Windows XP and Red Hat Linux 7.2 were
released within a few weeks of each other. Both are still current
and are actively supported by their respective vendors. So, let's
take a look, starting on each vendor's patch/update pages:
For Red Hat Linux 7.2, you go to the Red Hat "errata" page
https://rhn.redhat.com/errata/ and from there to the page specific to
version 7.2, https://rhn.redhat.com/errata/rh72-errata.html. There, you'll
see that, to date, Red Hat has issued 151 patches and updates (mostly
for security issues; that's what the "broken lock" icon means) for
that Linux version. For a very crude sense of scale, that works out
to an average of around 2.3 patches per week.
Next, let's do the same thing for XP Professional, starting on
Microsoft's errata page, the "HotFix & Security Bulletin Service";
use the pull-down menu to isolate just the XP-related items. You'll
see that the page lists 21 XP-specific patches and updates to date.
That's an average 0.35 patches per week.
But wait: Maybe that's not a fair count. After all, XP is the
newest Windows version, but RH 7.2 isn't the newest Linux version.
Red Hat's newest version is actually version 8.0, so let's look at
that. Its errata page lists 27 patches and bug fixes issued in the
four months the operating system has been available, an average of
around 1.6 patches per week, so far. That's a rate significantly
less than Red Hat's 7.2's, but still more than XP's.
These numbers may surprise you because we've all seen a veritable
blizzard of patches and updates issued from Redmond. But Microsoft
currently has 157 software products under active support, and a
typical PC may have not only a Microsoft operating system but also a
Microsoft browser, mail program, media player, office suite, and
more. In the aggregate, the total number of bugs and patches to keep
up with for all this software is daunting. And some of the issues
have indeed been severe. (For example, Outlook Express was for years
the very worst security hole on most PCs.)
But, if it's unfair to lump all open source software together for
bug-counting purposes, it's also unfair to do the same thing for all
Microsoft software. (Otherwise, to get an accurate assessment for
Linux systems, you'd have to include the bugs from open source
browsers and all other normal system add-ins or add-ons, on top of
Linux's own bugs.) Instead, to avoid an apples/oranges comparison,
it's better to look at specific brands, types, and builds of products
across similar amounts of time: That's the only accurate way to see
how, say, operating systems compare, or browsers compare, or E-mail
programs compare, and so on.
But what about the types or severity of bugs? In fact, I hear this a
lot from Linux partisans, that Microsoft bugs are "worse" than Linux
bugs. There's a lot of subjectivity in better or worse comparisons,
of course. But as a quick example, here's a Red Hat Linux 7.2 bug as
described on the Red Hat page:
A vulnerability has been found in the ptrace code of the kernel
(ptrace is the part that lets program debuggers run) that could be
abused by local users to gain root privileges.
Now here's an XP bug, as described on the Microsoft site:
Flaw in Windows WM_TIMER Message Handling Could Enable Privilege
Elevation: A security issue has been identified that could allow an
attacker to compromise a computer running Microsoft Windows and gain
complete control over it.
Which is "worse?" I actually think these are about the same--either
way, someone can take over your PC. But some Linux partisans will
insist that the Microsoft bug is somehow "worse." I disagree, but
don't take my word for it: Read the descriptions of some bugs from
the XP list and some from the Red Hat list, and make up your own
mind.
Does all this mean Linux is terrible? Not at all! Complex software
will always have bugs and security problems, and I consider Linux's
bugs to be in the fully normal range and not worth getting agitated
over. What's more, it's great to see such active bug-fixing as the
Red Hat pages indicate: There always will be bugs in any software,
and the rational thing to do is to fix them, rather than try to
convince others that the bugs aren't real or somehow don't count.
Does all this mean XP is inherently wonderful? Nope. XP's bugs are
fewer than Red Hat Linux 7.2, but also within the normal range, and
likewise merit neither ecstasy nor apoplexy. And, as I said before,
there's other Microsoft software--some of it bundled with XP--that
has much worse records.
So here's what it does mean: Linux is a normal operating system; so
is XP. Both have bugs, some major, some minor. Anyone who tells you
that Linux is "inherently more secure" or "much less buggy" than XP
simply isn't working from current facts. The reality is that bugs
happen, even in Linux: Get over it.
Speed Of Fixes
The second most-cited argument in reader mail was along the lines of:
"Open Source bugs aren't that big a deal because they can be fixed
far faster than Windows bugs."
Yes, under the very best and limited circumstances, this can be true:
A raw, initial fix can be posted online sometimes within hours of a
bug coming to light, and that's wonderful, when it happens. But that
initial posting is often in source code, or in a form that requires
that parts of the operating system or software be rebuilt or
recompiled by the user. And it's usually posted in special
developer-only portions of open-source Web sites. In other words,
the patch may be useful to a handful of expert users. That's great
for them, but what about everyone else?
Most patches take much longer to appear, and longer still to become
generally available to all affected users, in finished, tested,
easily installable form--even if, technically speaking, the initial
instance of the bug was stomped out very quickly. Given the growing
fragmentation of the open source community and the increasingly
quasi-proprietary distributions of Linux, how could it be otherwise?
It has to take time to get patches out.
Consider just two cases in point: The Open Source Mozilla project
ran three years late in development, and that was just a browser, not
an entire operating system. Linux itself took about 7 years before
it was even remotely ready for prime time. In the face of software
gestations this lengthy, I think it's hard to argue that open
source's supposed "fast fixes" actually mean much in real world
benefits.
This is a big chunk of Microsoft's problem, of course--it takes time
to release a finished, auto-installing patch for all versions and
builds of all affected in-use Microsoft software. This often makes
Microsoft patches appear weeks or months after a bug comes to light.
But as Linux and other open-source software face the same kinds of
market problems, their pace is slowing, too. It's inevitable. The
more complex and fragmented a software market is, the longer it will
take for fixes to diffuse out to all builds and versions. Complex
software takes time to write and debug: Get over it.
Put Down Those Flamethrowers
Don't get me wrong: I think the open source movement is a good
thing, and I like Linux--it's running right now on two of my office
PCs. And none of the above excuses or lessens the seriousness of
Windows' own problems with bugs and security issues.
But, as much as the partisans wish it were so, open sourcing isn't a
magic solution to the problems of bugs and security issues. As Linux
and other open-source software grow in popularity and extend into a
fragmented, uncontrolled mass marketplace, they will inevitably have
their own full share of bugs and security problems, same as with any
other software.
Anyone who tells you differently, or tries to convince you that their
favorite operating system is somehow immune to market forces, human
error, and plain malice, is doing both you and the operating system
they espouse a disservice.
END