Linux: Fewer Bugs than Rivals?

re: Linux: Fewer Bugs than Rivals?

Larry Osterman — Fri, 07 Jan 2005 16:49:00 GMT

Let me just point to:
http://www.schneier.com/blog/archives/2005/01/linux_security_1.html

for a counterpoint on that particular report from one of the members of the board of directors of the Honeypot project (which produced that report).

'nuf said.

re: Linux: Fewer Bugs than Rivals?

Mike Dimmick — Fri, 07 Jan 2005 17:08:00 GMT

I've noticed that most of these reports simply do a superficial scan using lint or an equivalent. These are the simple bugs that everyone should be catching (that commercial Unix vendors are not is of course interesting). They're often pretty trivial and often inconsequential - fixing these bugs or not makes little difference to the overall stability, security or reliability of the system.

The more serious bugs are interaction and interface bugs - where one component misuses another or where a chain of particular events causes inconsistent interpretations of data. Or just wholly wrong interpretations of data. These kinds of bug are impossible to find with static analysis tools, because it's impossible to come up with a heuristic for them.

Linux may be hot on type 1, but I have strong doubts about type 2. The Linux community's utter failure to test code before check-in or release - and barely after release - does not inspire confidence.

Note that Windows is never compared simply because the 'researchers' don't have access to the Windows source. As a result they take 'commercial' source that was submitted to them - typically because it is known to have bugs that need to be tracked down - and then suggest that this is somehow representative of all commercially-developed software.

re: Linux: Fewer Bugs than Rivals?

karl — Fri, 07 Jan 2005 17:13:00 GMT

how's this for a headline:

THIS JUST IN : NERDS AREN'T OBJECTIVE

re: Linux: Fewer Bugs than Rivals?

John Groban. — Fri, 07 Jan 2005 17:15:00 GMT

Then why doesn't firefox have a similar number of holes as ie? Why does apache have less issues than iis?

Oh, there was an openssl bug that bit about three projects we were doing internally and four products we used from outside. Obviously thats seven different bugs!

re: Linux: Fewer Bugs than Rivals?

I'm Not Buying It — Fri, 07 Jan 2005 17:15:00 GMT

<blockquote>When you start to include things like Sendmail, Bind, Apache, NFS, CUPS, a GUI, etc. in a Linux distribution, you start to notice that there are regular updates to these packages to fix bugs, security issues, or vulnerabilities.</blockquote>

The big difference of course is that with Linux you get to pick and choose - if you don't want Sendmail, Bind, Apache and all the rest on your system, you don't get it. If only one could say the same with infection vectors like Internet Exploiter [sic] and Windows Media Player!

In other words, it's ridiculous for you to say that such comparisons are unfair, seeing as it's your very own employer's fault that Windows is bundled with all sorts of stuff a lot of people neither want nor need.

re: Linux: Fewer Bugs than Rivals?

Picky — Fri, 07 Jan 2005 18:19:00 GMT

Just because the bugs are not listed on Slashdot like every MS bug does not mean that they are not there.

Take a look at <a href="https://bugzilla.mozilla.org/buglist.cgi?product=Core&product=Firefox&product=Mozilla+Application+Suite&product=Thunderbird&product=Toolkit&bug_status=UNCONFIRMED,NEW,ASSIGNED,REOPENED,RESOLVED&chfield=%5BBug%20creation%5D&chfieldfrom=-0d">Bugzilla</a>. There are 31 bugs listed <i>today</i> as of 7 AM PST. <a href="https://bugzilla.mozilla.org/show_bug.cgi?id=277393">This one</a> looks fun, with the browser not POSTing the data properly.

re: Linux: Fewer Bugs than Rivals?

Alex Papadimoulis — Fri, 07 Jan 2005 19:04:00 GMT

No matter. 2005 is the year of Linux. We have Microsoft right where we want them.

re: Linux: Fewer Bugs than Rivals?

Linux has better copy and paste — Fri, 07 Jan 2005 19:39:00 GMT

You seem to have a bug in your copy and paste

Here:

https://bugzilla.mozilla.org/buglist.cgi?product=Core&product=Firefox&product=Mozilla+Application+Suite&product=Thunderbird&product=Toolkit&bug_status=UNCONFIRMED,NEW,ASSIGNED,REOPENED,RESOLVED&chfield=%5BBug%20creation%5D&chfieldfrom=-0d

Keep in mind that many of "unprocessed" bugs are duplicates and/or feature requests.

re: Linux: Fewer Bugs than Rivals?

Jerry Pisk — Fri, 07 Jan 2005 19:45:00 GMT

John, Firefox doesn't seem to have as many holes due to Mozilla's policy - http://www.mozilla.org/projects/security/security-bugs-policy.html. Security bugs are kept in secret and not publicly announced. Apache has somewhat less issues than IIS because IIS has lot more features. Apache only servers server side includes and static files, IIS does much more (ASP for one). It's comparing apples and oranges.

re: Linux: Fewer Bugs than Rivals?

gumby666 — Sat, 08 Jan 2005 02:49:00 GMT

Jerry, so include mod_perl, mod_python and/or mod_php in with the Apache stuff. Perhaps that's more apples to apples?

-------------------------------------

Initial poster:
"Windows" is pretty vague. A standard desktop Windows doesn't include a webserver, DNS server, FTP server, or many of the other things which come with a standard linux distribution. Somehow it still manages to have a number of reports bugs, mostly all relating to IE, ActiveX, CHM and other 'standard' Windows things, giving it higher numbers than a linux distro that incorporates multiple servers (name/print/file/web/etc).

Ok, let's don't stop at the kernel

Do the math — Sat, 08 Jan 2005 17:57:00 GMT

To the original post:

The debian distro currently has over 16,000 software packages.

Even if you had one critical bug per day (for the whole distro)
that would give each package an average of
one critical bug per every 43 years.

What would this average be for Microsoft?

re: Linux: Fewer Bugs than Rivals?

Jerry Pisk — Sun, 09 Jan 2005 05:40:00 GMT

Gumby - yes, but you'd have to include more than that. OpenSSL's package for one, and that one has had quite a few security problems lately (that translated directly to apache's mod_ssl).

As for which system is more secure - the one that is setup properly. If you know what you're doing you can have perfectly safe Windows server and if you don't then Linux is not going to save you.

re: Linux: Fewer Bugs than Rivals?

KT — Tue, 11 Jan 2005 21:43:00 GMT

> The debian distro currently has over 16,000 software packages.

Obviously, the more packages installed the better chances of exploiting some bug. But from what I've read the real problem isn't how many bugs on a system, but how many *critical* bugs is on a system. The articles I read said it's in this area that Windows is weak. Then again it also depends on the sysadmin. If you're patching your system, only running necessary services, and not installing every package under the sun (pardon the pun), and you've got a good firewall, intrusion detection, etc. setup then you're far ahead of the guy who just installs Windows/Linux and does nothing else.

Linux: Weniger Fehler als die Herrausvorderer?

shermanns blog — Thu, 13 Jan 2005 12:49:00 GMT

Durch Zufall bin ich beim Surfen auf einen Artikel von Barnaby Jeans gestossen.

Er schreibt in seinem Artikel "Linux: Fewer Bugs than Rivals?" über Linux und Windows und alles.
Er versucht Linux mit Windows zu vergleichen, da er ja, wie er angibt, sei

Redmond Mag - February 2005

TrackBack — Fri, 25 Feb 2005 01:42:00 GMT

Redmond Mag - February 2005

Linux Jabs from Microsoft Employees

TrackBack — Fri, 25 Feb 2005 04:14:00 GMT

Linux Jabs from Microsoft Employees