Weblog:   Linux Users: Welcome to the World of Malware
Subject:   Not Quite
Date:   2004-10-28 01:47:18
From:   jwenting
Response to: Not Quite

Completely bogus arguments as usual from the linux priests :)


The 400 (I think it's closer to 4000, but say 400 major ones (right...)) distributions is in fact a major weakness as they divide the codebase and make fixing holes (and there are aplenty) almost impossible.
You'd have to fix the hole in 400 separate copies of the codebase, something version control was designed to prevent the need for but which linux groups seem to have abandoned...


And while you might be relatively safe from this type of malware attack (I don't think you are, most of you think you're so safe that you implicitly trust anything coming from someone claiming to be an authority...) you're still wide open to phishing scams which you by proxy claim to be invulnerable to.


As to waiting for updates to be released, this email claimed to be an update from Redhat and therefore exactly the stuff you claim to be waiting for :)
Most Windows users will not trust such messages, instead relying on Windows Update (a mechanism still unheard of for many linux distros).

Showing messages 1 through 5 of 5.

  • Not Quite
    2004-10-29 16:30:13  riplin

    > 400 major ones (right...)) distributions is in fact a major weakness

    No, it is a major strength. For example buffer overflows rely on the overwriting code to be in the exact right place for it to work at all. With Windows all copies of a program are identical, for a particular version.

    For Linux the compilation may have different CPU target (386,486,586,etc) and different options and different optimizations which mean that there are 400 different 'right places' to overwrite with a buffer overflow vulnerability, and that does count the variations that may occur if the user has recompiled.

    This means that a particular attack that is targeted at, say, RedHat 8, misses the target on Mandrake, SUSE, and all the other hundreds.

    The buffer overflow (given one exists) may crash the program, but it most likely won't cause execution of malicious code.

    As there is still only one actual source tree the problem may be fixed just once and then each distro, or the user, recompiles. Generally this makes it pointless for the malware writer to even bother trying.

    Think of it as shooting a gun randomly in a Zoo. In the Windows Zoo any bullet fired randomly will kill anything it hits. In a Linux Zoo each bullet has to be tailored to a particular animal such that a Lion bullet won't kill a chimpanzee, though it may knock him off the tree.
  • Not Quite
    2004-10-29 08:10:24  unoengborg

    You get it slightly wrong. Bugs are usually fixed in one codebase, the one that the maintainer of the broken program holds. The role of the distributers is quality assurance. They make sure the fix doesn't break anything in their distro. (As it normally shouldn't). So it's more like the bug is fixed in one codebase and tested in 400.

    True, windows update is unheard of in the Linux world, instead we have apt-get, yum, and some distribution dependent update mechanisms that work just as well as windows update, with the exception that they update all programs not just the OS.
    As a further precaution most Linux distros use digital signatures to ensure the validity of the source of the update.
  • Not Quite
    2004-10-28 23:42:03  RichardJC

    "You'd have to fix the hole in 400 separate copies of the codebase, something version control was designed to prevent the need for but which linux groups seem to have abandoned..."

    It's somewhat better on Linux. Consider the recent flaw in a JPeg rendering library that hit both Microsoft and Linux systems. Because the Linux shared library system works so well, Linux users just update the one copy of the library on their systems. Tools like aptitude, a nice wrapper around apt, make that easy. Aptitude will even automatically remove the library if it is no longer needed. The end result - the library is fixed once; all applications benefit.

    Conversely, on Windows, every application has its own copy or is statically linked to the library. It's a workaround to DLL-Hell. Dot-Net promises a Linux like fix for it, but is not here enough yet, so Windows users have to get updates for every application on their system that uses the JPeg code.

    Windows Update only benefits Microsoft's own applications. Does it even benefit Office, or is it Windows System only? Whatever - it doesn't help that non-Microsoft photo viewer you got with your camera. Did you remember to update all of the programs on your system that use JPegs?

    The Linux Shared Library system was designed as a multi user system. Unlike Windows which, in the past was always single user to the core, and even now I think would load a separate copy of each application and all its libraries into memory for every instance running, Linux shares library and even application code between running instances.

    That's how applications can be quoted as "10M RAM plus 2M per additional user". The JPeg library need only be on the system in one place, and need only be loaded into RAM once, no matter how many applications or even distinct users are using it.
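    RichardJC's point that a shared library is fixed once for every application has one caveat a practitioner should check: a process that was already running keeps the old copy of the library mapped until it is restarted, and the kernel marks that mapping "(deleted)" once the package manager has replaced the file. The following Python is added here and is not part of the thread; it parses /proc/<pid>/maps-style text (the sample dumps and pids are constructed) and lists the processes still running pre-update library code.

```python
import re

# /proc/<pid>/maps excerpts, constructed for this example (not real captures).
# pid 2001 was restarted after the libjpeg update; pid 2002 was not, so the
# kernel still shows the replaced file with a "(deleted)" suffix.
SAMPLE_MAPS = {
    2001: "b7e2c000-b7e4a000 r-xp 00000000 08:01 12345 /usr/lib/libjpeg.so.62.0.0\n"
          "bffeb000-c0000000 rw-p 00000000 00:00 0     [stack]\n",
    2002: "b7d10000-b7d2e000 r-xp 00000000 08:01 11111 /usr/lib/libjpeg.so.62.0.0 (deleted)\n"
          "b7f00000-b7f20000 r-xp 00000000 08:01 22222 /lib/libc.so.6\n"
          "08048000-0805a000 r-xp 00000000 08:01 33333 /usr/bin/photoviewer\n",
    2003: "b7f00000-b7f20000 r-xp 00000000 08:01 22222 /lib/libc.so.6\n",
}
# maps columns: address perms offset dev inode [pathname]
MAPS_LINE = re.compile(r"^\S+\s+\S+\s+\S+\s+\S+\s+\d+\s*(.*)$")

def mapped_files(maps_text):
    """Return {path: still_on_disk} for every file-backed mapping in one maps dump."""
    files = {}
    for line in maps_text.splitlines():
        m = MAPS_LINE.match(line)
        path = m.group(1).strip() if m else ""
        if not path.startswith("/"):
            continue  # [stack], [heap], [vdso] and anonymous mappings
        deleted = path.endswith(" (deleted)")
        if deleted:
            path = path[: -len(" (deleted)")]
        # a process holding any deleted copy is still running the old code
        files[path] = files.get(path, True) and not deleted
    return files

def library_users(maps_by_pid, library):
    """pid -> True if that process maps a deleted (pre-update) copy of `library`."""
    result = {}
    for pid, text in maps_by_pid.items():
        for path, on_disk in mapped_files(text).items():
            if library in path.rsplit("/", 1)[-1]:
                result[pid] = result.get(pid, False) or not on_disk
    return result

def needs_restart(maps_by_pid, library):
    """Sorted pids that must be restarted before the library fix takes effect."""
    return sorted(pid for pid, stale in library_users(maps_by_pid, library).items() if stale)

if __name__ == "__main__":
    # On a live system, read /proc/<pid>/maps for each pid into maps_by_pid instead.
    print("restart needed for libjpeg:", needs_restart(SAMPLE_MAPS, "libjpeg"))
```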
  • Not Quite, jwenting
    2004-10-28 07:50:21  bairdcarr1

    Perhaps you haven't used Linux in a while...

    Windows Update is a very pale comparison to the "mechanism" built into many (most/all) linux distros. Apt, urpmi, up2date ring a bell? Not only for updates, but for upgrading your entire OS and all the software over the internet (at least with Apt, which comes with debian based systems, and is installable on rpm based systems). Very impressive, and very cool. There is just no comparison with Windows. Forget all your commercial and pirated CDs, Linux/Open Source is just plain easier.

    Microsoft only occasionally provides updates to its own software. Windows Update is vital, and at one time I thought it was even cool. But it is only good for MS products, and with the possible exception of SP2, has utterly failed to provide any solution to the desperate onslaught of attacks on their products.

    SP2 is a step in the right direction for home users, but I imagine the benefits to many companies like mine are negligible due to the fact that we have to turn off some of the new features in order to continue using several pieces of software unique to us. All is FAR from perfect in the Windows world, as if it weren't obvious to everyone.

    OSX even has a better update "mechanism" than Windows Update. And OSX is stable, has superior security, and is very easy to use. Being a Linux user, it is still very limiting for me, but at least I enjoy the sound it makes when you turn the computer on.

    I realize I am a Linux zealot, but who is more trustworthy in promoting a product, someone who has a financial stake in the product, or someone who loves it? That love has been earned. There was no one talking to me about Linux when I first started using it. I was on my own. It proved itself by just working, not with cool sounds, pretty pictures, or promotional videos.

    I have been a Windows/Amiga/Mac/Unix/Linux admin for 11 years at the same company. The vast majority of machines run Windows. It was my experiences with Windows that led/drove me to Linux, and I am continually in awe of the power and resources available to me with this one OS.

    I am constantly running to keep up with problems on our Windows workstations. I have only touched our Linux workstations (constantly used, multiple users) once in 2 years, and then only to start a network upgrade of the system. Simply amazing. The same is true with our various Unix/Linux servers. They just continue to work, I almost forget they are there. A few haven't been rebooted in a couple of years or more.

    That is in stark contrast to any Windows workstation/server at work, home, at a friend's home, or at another client's office. Wherever you go, the story is the same. People write articles about "The Linux Hype", but ignore "The Windows Hype". The windows hype is that Microsoft makes a usable OS that is easy to use, requires less administration, has a lower TCO.

    Let me clear that up for you. If my network were all Linux, I could be the only Admin at my company, sitting at home in my boxers, eating cheetos, connected in via secure shell, working on systems without the users having to leave their chairs or know I am there. Such a peaceful network that would be... sigh...

    Sure, we would save a lot of money and not require the constant workstation upgrades to keep up with the Windows world, etc, etc...

    But then again, most admins like me are just leeches living off all the problems people have with Windows. I wouldn't enjoy all the extra work, job security, etc if we lived in a Linux world. So you see, I am dependent upon Windows sucking.

    --- end of rant
  • Argument from ignorance is frustrating
    2004-10-28 07:37:36  Anonymous_Coward

    A battle of wits and my opponent is unarmed. Oh, well.

    There are not 400[0] copies of the codebase, there is typically one, sometimes 2, rarely 3. That's not how it works. Perhaps your distro has a small collection of favourite patches for large items like the kernel or OpenOffice, perhaps not, but it's all built from and folded into one set of sources.

    We do not claim to be invulnerable to phishing scams. We just claim that installing the kinds of malware which plague MS-Windows is orders of magnitude harder. As in this case. You'd have to have the root password to install the malware, and we generally don't give the users that because unlike MS-Windows we don't need to run, for example, accounting programs as Administrator.

    Anyone with the root password is going to know that their updates arrive on the canonical file server and are automatically picked up and installed by their package manager (apt, URPMI, yum, yast, pkg, whatever) provided that the crypto keys match.

    How much else don't you know?