In How Far Behind is Linux?, WSJ writer Lee Gomes sets up a beautiful strawman about the security of GNU/Linux versus Windows and knocks it down with its own answer. (The emphasis is mine).
Ubuntu’s claim to fame is that its developers have bundled not just Linux, but a shelf full of other important programs, such as Web browsers and word processors, into a single easy-to-install package. Once on your computer, it looks and acts much as Windows does. What’s more, Ubuntu updates itself every six months and notifies you if security updates are needed in the interim.
That last feature, incidentally, should disabuse an actual Ubuntu user of the notion that a non-Windows operating systems is security utopia, where hackers are powerless and children are all above average. I recently installed the April version of Ubuntu on my home machine and promptly was informed that more than 50 security patches to problems discovered in the interim awaited my downloading. Who does Ubuntu think it is? Windows?
I’m not sure who told Mr. Gomes that Ubuntu, for example, has never needed a security update. (If anyone actually did, I respectfully suggest that Mr. Gomes reconsider his use of that source.)
Yet I wonder how far you have to misunderstand the nice effects of free software to think that being able to bundle all sorts of utilities and applications through a single package manager, and to update them all through the same utility, represents a problem.
I haven’t used Mac OS X in a while or Windows in a longer while, but I seem to recall the system updates on both completely failed to update software I’d installed myself apart from the base operating system.
It seems to me that getting regular security updates–as often as nightly–for all of the software installed on my machines is, indeed, one sign of better security. Certainly never needing security updates would be better yet, but no mainstream operating system is there yet. Until that point, I’ll stick with being able to update all of the software on my machine automatically, and consider that a tremendous improvement over the Patch Some Of Your Software Tuesday process.


When I was a kid a cardboard box represented a rocket ship. In Windows XP the labeling of the "package manager" Add/Remove Programs is basically the same thing.
It seems to me that getting regular security updates-as often as nightly-for all of the software installed on my machines is, indeed, one sign of better security.
As I've said in the past, a machine is only as secure as its least secure third party application. I seem to recall a nasty CVS vulnerability or three in the past.
That being said, I'm a Windows guy (who also does Solaris and Linux) and even I'm not fool enough to suggest that MS Windows is more secure than Ubuntu based on the number of security patches. It's the *severity* that matters, and MS Windows' track record here is atrocious. How many "this bug could allow a remote user to take control of your system" bugs does it take to sink in? Those days *mostly* seem to be behind us thankfully.
I think some clarification is in order here, though. The Windows updates will also provide updates for the bundled software, e.g. Outlook Express and WMP. Third party applications typically notify you of updates independently. This is what Adobe Acrobat does, for example.
As for the "most secure OS", my vote is squarely in the corner of Solaris 10. :)
Bear with me.
Apple recently announced they are working on an SDK for the iPhone. There's been a lot of speculation that iPhone apps will be sold and distributed through iTunes.
Why not do a similar thing for OSX desktop apps? In fact, since iTunes runs fine on Windows, why not distribute Windows apps through iTunes? Apple could, at a single stroke, provide Linux-style distribution and automatic upgrades of software and become a leading distributor of PC software, making Microsoft look like a bunch of primeval chimps.
Ok so that last bit is a tad unlikely, but it would be so much fun to see it happen.
You're the one setting up the strawman, chrome.
Mr Gomes never said anything about 'better security.' He said 'disabuse an actual Ubuntu user of the notion that a non-Windows operating systems is security utopia', which is frequently the argument from FOSS'ers about the superiority of open source. Ya know, the argument that with more eyes watching the code, you're less prone to let security slip.
(quote)
I’m not sure who told Mr. Gomes that Ubuntu, for example, has never needed a security update. (If anyone actually did, I respectfully suggest that Mr. Gomes reconsider his use of that source.)
(unquote)
It is an easy mistake to make given that security updates are done so frequently and seamlessly with Linux, and given the security and the extreme rarity of security issues that actually impact the end user on Linux (as opposed to those issues that actually cause actual problems and require the interaction of the user). When you compare the user experience with Windows, it does seem like Linux never needs a security update.
Actually, I thought that review was fairly flattering. Especially considering it's from the WSJ!
He installs a 6 month old OS and gets only 50 security patches for every single piece of software on the computer. That's pretty good.
To remove the need for updates, declare the OS defect free. The ability to remotely install software without users' permission is a feature.
Few Windows/Linux comparisons point out the apples to oranges nature of such a comparison. Windows contains only a few major programs (e.g. Internet Explorer, Windows Media Player) and some minor ones (e.g. Notepad, MSPaint). The average Linux distribution contains dozens of major programs, and hundreds of minor ones: with the potential of thousands more. Ubuntu, Gentoo, etc., can track the security updates for all the installed software in their distribution. Microsoft only tracks the updates for their own.