Ubuntu, security response, and community contributions

By Jake Edge
July 16, 2008

A recent interview with Mark Shuttleworth is raising a few eyebrows. The Austrian news site derStandard sat down with Ubuntu founder and Canonical CEO Shuttleworth at GUADEC in Istanbul asking about many aspects of Ubuntu, desktops, and Linux in general. His answers to questions about synchronizing releases with other major distributions included some controversial claims.

Last May, Shuttleworth suggested that the major enterprise distributions (Red Hat, SUSE, Debian, and Ubuntu) should coordinate their release cycles to foster better stabilization of Linux components. None of the other distributions have expressed much in the way of interest in that plan—at least publicly—though Shuttleworth says there have been some interesting discussions behind the scenes. In answer to a question about the belief that Ubuntu has much more to gain than either Red Hat or Novell, Shuttleworth said:

Well we have a better security track record than Red Hat, we do that by focusing very hard on security, making sure the updates are available as fast as possible on Ubuntu, independent studies have generally ranked Ubuntu number one.

Below is a table that summarizes the response time for a few vulnerable packages over the last several months. It shows when the vulnerability was first announced along with the date of the first update from each of four major distributions. Note that some distributions fixed the vulnerability at different times for different versions, so the date shown is the earliest; other versions of the same distribution may have waited longer for an update.

Package              Announced   Ubuntu    Red Hat   SUSE      Debian
kernel               1 May       3 June    7 May     20 June   1 May
kernel               6 May       3 June    7 May     20 June   12 May
samba                28 May      17 June   28 May    4 June    30 May
xorg-server          11 June     13 June   11 June   13 June   11 June
Firefox 1.5 and 2.0  1 July      2 July    2 July    11 July   11 July
bind9                8 July      8 July    9 July    11 July   8 July

There doesn't appear to be any clear "winner", though Red Hat seems to beat Ubuntu in most cases—at least on this set of vulnerabilities. It would be much easier to do this kind of comparison if Ubuntu followed Red Hat's lead and published regular assessments of its security performance.
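The comparison above can be turned into the kind of patch-latency metric a vulnerability-management team would track. The following is an added example, not code from the article: the six rows are re-typed as constructed input, and, as the article notes, each date is the earliest update for any supported version, so every computed lag is a lower bound.

```python
"""Patch-latency metrics from a distribution response-time table.

Added example: the rows below are re-typed from the article's table
(constructed input, all dates in 2008). Each value is days from public
announcement to the distribution's first update; because the table lists
the earliest update for any version, every lag here is a lower bound.
"""
from datetime import date
from statistics import median

DISTROS = ("Ubuntu", "Red Hat", "SUSE", "Debian")
MONTHS = {"May": 5, "June": 6, "July": 7}

# package | announced | Ubuntu | Red Hat | SUSE | Debian  (constructed from the article)
TABLE = """\
kernel              | 1 May   | 3 June  | 7 May   | 20 June | 1 May
kernel              | 6 May   | 3 June  | 7 May   | 20 June | 12 May
samba               | 28 May  | 17 June | 28 May  | 4 June  | 30 May
xorg-server         | 11 June | 13 June | 11 June | 13 June | 11 June
Firefox 1.5 and 2.0 | 1 July  | 2 July  | 2 July  | 11 July | 11 July
bind9               | 8 July  | 8 July  | 9 July  | 11 July | 8 July
"""


def parse_date(text, year=2008):
    """'20 June' -> date(2008, 6, 20); the table never states a year."""
    day, month = text.split()
    return date(year, MONTHS[month], int(day))


def parse_table(text):
    rows = []
    for line in text.splitlines():
        package, announced, *updates = (c.strip() for c in line.split("|"))
        rows.append({
            "package": package,
            "announced": parse_date(announced),
            "updates": dict(zip(DISTROS, map(parse_date, updates))),
        })
    return rows


def lag_days(rows):
    """Per distro, days from announcement to first update, in table order."""
    return {d: [(r["updates"][d] - r["announced"]).days for r in rows]
            for d in DISTROS}


def summarize(rows):
    """Mean, median and worst-case lag per distro; the median keeps the two
    long kernel delays from dominating the picture."""
    return {d: {"mean": sum(v) / len(v), "median": median(v), "max": max(v)}
            for d, v in lag_days(rows).items()}


def head_to_head(rows, a, b):
    """Count advisories on which a shipped first, b shipped first, or both
    shipped the same day (a tie is not a win for either side)."""
    record = {a: 0, b: 0, "tie": 0}
    for r in rows:
        da, db = r["updates"][a], r["updates"][b]
        if da < db:
            record[a] += 1
        elif db < da:
            record[b] += 1
        else:
            record["tie"] += 1
    return record


if __name__ == "__main__":
    rows = parse_table(TABLE)
    for distro, stats in summarize(rows).items():
        print(f"{distro:8s} mean {stats['mean']:5.1f}  median {stats['median']:5.1f}"
              f"  max {stats['max']:3d} days")
    print(head_to_head(rows, "Ubuntu", "Red Hat"))
```

On this data Red Hat ships first on four of six advisories against Ubuntu, ties once and trails once, which is the same tally a commenter below reaches by hand.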

It is rather easy to make sweeping statements, referring to unnamed "independent studies", while it is much harder to actually gather the information and present it. Red Hat's transparency on its security performance is something that all distributions should strive for—especially those who would tout their security response. But the security issue is just a part of a fairly pervasive perception that Ubuntu and Canonical are not contributing very much back to the community.

That is the underlying concern that Shuttleworth is addressing. He continues:

So what I'm trying to say here, that the notion that Canonical wouldn't contribute anything in such a situation and it would be a one way flow is something I disagree with. Look for example at the fact that Ubuntu has usually better hardware support, if we all were on the same kernel the others could take the drivers we put in there and have hardware support that is just as good as Ubuntu.

While supporting more hardware is an excellent goal, doing it by merging unsupported drivers into the kernel is not the recommended path. As Red Hat kernel hacker Dave Jones puts it:

Does no-one else see the hypocrisy in this statement? Here's how it reads to me... "It would be great if everyone just shipped the Ubuntu kernel and debugged the random crap we merge that we don't have the resources to do ourselves".

If only there were some kind of process of getting drivers merged upstream to kernel.org. Perhaps then we COULD be on the same kernel. Oh wait, there is a process. Ubuntu just chooses to ignore it.

Canonical, unlike the other major enterprise distribution vendors, is not known for its kernel contributions. It is a much smaller organization than Red Hat or Novell, so its support organization is rather small as well. Trying to support lots of hardware is a difficult task. Doing it with out-of-tree and binary-only drivers makes it that much harder.

Historically there has also been friction between Ubuntu and its upstream distribution, Debian, at least partially because of a perception that it does not contribute back. It is against this backdrop that Shuttleworth is speaking. The fact that he feels that he needs to defend Ubuntu speaks volumes.

Some of the complaints might be written off to jealousy over the popularity of Ubuntu, but there is a fair amount of truth to them as well. Canonical and the Ubuntu community have done some fairly amazing things in a short period of time, but they did it by leveraging lots of work by Debian and others. It is important to be a contributing member of the larger Linux ecosystem, so Ubuntu and Canonical need to work to remove this perception of the distribution—regardless of its merits. Talk alone won't do that, action is required.



Ubuntu, security response, and community contributions

Posted Jul 17, 2008 4:11 UTC (Thu) by jbailey (subscriber, #16890)

The size of Canonical's support organisation has nothing to do with its ability to support its
customers - it's reasonable for the support staffing to scale to the customer base.  A
UK-based Linux magazine rated Canonical's and RedHat's support as tied for first place in an
August 2007 publication.  While the plural of anecdote isn't data, it was certainly a nice
award to achieve.

(obDisclosure: I used to work as the Operations Manager for the Global Support and Services
department of Canonical, and started the commercial support department.  Forgive me if I feel
the need to defend it a bit.  *g*)

Ubuntu, security response, and community contributions

Posted Jul 17, 2008 6:01 UTC (Thu) by Cato (subscriber, #7643)

I use Ubuntu and like it a lot, but I don't think the kernel team is resourced properly -
significant stability bugs including freezes are a problem that I've experienced. See
http://lwn.net/Articles/287825/ for more.

I'm actually quite happy with Ubuntu features but would like more work on stability.

Ubuntu, security response, and community contributions

Posted Jul 17, 2008 6:28 UTC (Thu) by apokryphos (guest, #42130)

It's really hard to argue that there is some clear two-way flow for Canonical/Ubuntu (in terms
of contribution) in the same way that there is for Red Hat or Novell. For example, SUSE employ
some 15 developers to work on OpenOffice.org alone (not even considering the other major
desktop developers in, say, X, KDE, GNOME, etc), while Canonical's _entire_ desktop
development team consists of some 3 developers last time I checked.

Their concentration seems to have always been rather to just re-package Debian's snapshots and
perhaps create a few distro-specific tools, than to work on FOSS projects upstream.

Ubuntu, security response, and community contributions

Posted Jul 17, 2008 9:54 UTC (Thu) by cortana (subscriber, #24596)

Well, you forget where they pointlessly repackage software that is already in Debian... :)

Ubuntu, security response, and community contributions

Posted Jul 17, 2008 6:56 UTC (Thu) by mjcox@redhat.com (subscriber, #31775)

Note that the Red Hat BIND update was actually released on the 8th July and immediately
available via RHN and the web:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2008-1447...

However due to email list problems the email notification wasn't able to be sent to the
enterprise-watch-list and rhsa-announce mailing list until some hours later on the 9th.  (On
10th July we released updated packages for Red Hat Enterprise Linux 5 only because the sample
and default configuration file still specified a single source port).  

Ubuntu, security response, and community contributions

Posted Jul 17, 2008 10:36 UTC (Thu) by pointwood (guest, #2814)

This is a relevant blog post I think: 
http://blog.phunnypharm.org/2008/07/canonical-and-linux-k...

Sounds like the numbers are quite wrong in regards to kernel contributions: 

"So how did Greg make this mistake? After talking with him it seems he was only checking for
canonical.com addresses. It was only recently that we started using canonical.com as a habit
for upstream work (we used to use ubuntu.com)."

Ubuntu, security response, and community contributions

Posted Jul 17, 2008 13:17 UTC (Thu) by willy (subscriber, #9762)

The problem with Ben's retort is that it /still/ shows Ubuntu in a bad light.  While 92 is
certainly better than 6, it doesn't compare favourably to the other companies working on
Linux.  See https://www.linuxfoundation.org/publications/linuxkerneld... (which is
only considering commits up to 2.6.24).  Ubuntu don't make it into the top 27 companies listed
there -- Snapgear are the last ones listed with 285 commits.  Other 'small' distros are better
represented there, eg Mandriva with 329 commits.  Even the 'black hole of open source where
developers go and are never heard from again' (Google) has almost a thousand commits.

Even *I* have three times as many commits as the whole of Ubuntu/Canonical.

$ git-log v2.6.25 |grep ^Author |grep -c ubuntu
89
$ git-log v2.6.25 |grep ^Author |grep -c canonical 
3
$ git-log v2.6.25 |grep ^Author |grep -c 'Matthew Wilcox'
294

Maybe that's unfair, I am paid to work on kernel development after all.  How about comparing
to someone who has a full-time job that isn't kernel development?

$ git-log v2.6.25 |grep ^Author |grep -c lwn.net
31

Of course, these aren't terribly useful statistics.  If I split all my patches into eight
parts, I get eight times as much credit.  If I submit a whitespace patch that took 5 seconds
to create, that gets just as much credit as a brain-bendingly difficult bug that took me a
week to track down.  'Number of commits' is about as relevant as 'lines of code' (and if you
still think that's relevant, there's a great book from 1975 by Fred Brooks that you really
need to read)

I don't want to bash Canonical.  I think Ubuntu is a great thing, and shows what can be done
when you take Debian and put some incredible marketing behind it.  They're increasing the size
of the Linux pie and increasing the credibility of Linux on the desktop.  I just have a
problem with them trying to portray themselves as great contributors when they're not.  I'd
also like to spur them to become better contributors.  No, they aren't going to be able to
compete with Red Hat, but they could compete with Mandriva.

Ubuntu, security response, and community contributions

Posted Jul 17, 2008 14:37 UTC (Thu) by nhippi (subscriber, #34640)

> I'd also like to spur them to become better contributors.  No, they aren't going to be able
to compete with Red Hat, but they could compete with Mandriva.

At least they could try to beat Debian ;) Currently we have the situation that the heavily
overworked Debian kernel maintainers contributed more (7) patches than the canonical|ubuntu
employees (5) (git-log v2.6.25...v2.6.26). And I didn't even start counting Debian maintainers
who contribute to kernel outside the Debian context...

Certainly I hope too that ubuntu will spur up and start cleaning up and contributing at least
some of the out-of-tree drivers they currently bundle.
I'm sure there are low hanging fruits there :)

Ubuntu, security response, and community contributions

Posted Jul 17, 2008 19:55 UTC (Thu) by khc (subscriber, #45209)

To be fair, I think you also need to take into account the time the entities have existed.

Ubuntu, security response, and community contributions

Posted Jul 18, 2008 12:00 UTC (Fri) by willy (subscriber, #9762)

I don't think that's a big factor.  Remember, we only have git history going back to
2.6.12-rc2, which was April 2005.  Warty Warthog was released in October 2004, so Ubuntu's
existence predates the git history by over 6 months.  I don't know how long Canonical existed
before they made their first release of Ubuntu, but I'm pretty sure it did not leap
fully-grown and armed from the head of Mark.

Ubuntu - poorer security than Fedora

Posted Jul 17, 2008 13:58 UTC (Thu) by dwheeler (guest, #1216)

Ubuntu is a good distro, but I prefer Fedora _specifically_ for its security. Fedora is
generally much faster at repairing vulnerabilities, and Fedora is less likely to be harmed by
a newly-disclosed vulnerability in the first place.

First, for response, just look at your sample. 4/6 times Fedora was faster, often by 2-4
weeks.  1/6 they released the same day.  1/6 Ubuntu was one day faster, and only by a fluke of
email addressing.

Fedora also has lots of protective mechanisms for 0-day vulnerabilities, so it's a lot less
likely that an unknown vulnerability will be as harmful in the first place.  SELinux is the
most obvious and pervasive mechanism, but the various exec-protection mechanisms are a big
deal too.  I think this is at least as important, even though it gets less press.

There's no need for distro-bashing; they're both good, and there is no magic in what Fedora is
doing.  Fedora 9 copies in upstart from Ubuntu, simply because Ubuntu's upstart was better
than what Fedora had.  Ubuntu just needs to learn from Fedora in what THEY do right, and copy
the good stuff.


Ubuntu - poorer security than Fedora

Posted Jul 17, 2008 15:38 UTC (Thu) by i3839 (guest, #31386)

What exec-protection mechanisms? I thought most of those were pushed upstream? (Things like
gcc's stack protection, address space randomization, non-executable stack, data and heap, etc.
are, no idea how much they were written by Red Hat in the first place though.) Only thing left
AFAIC was non-exec protection on non x86_64 x86.

That's what I like about Red Hat, that nowadays they push stuff upstream so that everyone
benefits from it. If distros would do that more they'd make each other's lives easier and
improve the whole.

Ubuntu - poorer security than Fedora

Posted Jul 17, 2008 15:48 UTC (Thu) by nix (subscriber, #2304)

Other parts of exec-shield, like the 'ASCII armoring' (to make it
impossible to embed the address of a function in a shared library in a
string and then get it into an overflowed string via C string-handling
functions) haven't gone upstream yet :( I wonder why not?

Ubuntu - poorer security than Fedora

Posted Jul 17, 2008 16:04 UTC (Thu) by riel (subscriber, #3142)

IIRC Linus made it clear that he did not want them.  I do not remember the reason, but it made
sense at the time :)

Ubuntu - poorer security than Fedora

Posted Jul 19, 2008 20:19 UTC (Sat) by ceplm (subscriber, #41334)

All this stuff is useless when not used. What are the default CFLAGS in Ubuntu? The Red Hat
distros are known to use quite paranoid ones.

Ubuntu compile-time hardening

Posted Jul 21, 2008 8:33 UTC (Mon) by mdz@debian.org (subscriber, #14112)

Ubuntu - poorer security than Fedora

Posted Jul 21, 2008 8:51 UTC (Mon) by i3839 (guest, #31386)

That isn't true, most is done by the kernel, only stack protection is useless when not
enabled, so buffer overflows are still a danger, but less if the kernel makes the stack
non-executable and randomizes the address space.

And as the poster below linked to, Ubuntu seems to enable those flags too.
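Whether a distribution's default CFLAGS and kernel settings actually leave a given binary protected, which this sub-thread argues over, can be checked per binary by reading the ELF headers. The following is an added example, not code from LWN or any commenter: check_hardening() reports NX stack, RELRO, PIE and a stack-protector heuristic, and build_test_elf() is a constructed minimal ELF image so the check runs without a real binary (kernel-side ASLR itself is a sysctl, not something the file can show).

```python
"""Report which build-time hardening an ELF binary carries.

Added example, not from the page or any commenter. It reads the ELF
header and program headers to answer the questions raised in the thread:
is the stack marked non-executable (PT_GNU_STACK without PF_X), is RELRO
present, is the binary position independent (ET_DYN, needed for ASLR to
move the main image), and does it reference __stack_chk_fail, the
-fstack-protector failure handler. The last check is a heuristic in the
style of checksec, not proof that every function carries a canary.
"""
import struct
import sys

PT_GNU_STACK = 0x6474E551
PT_GNU_RELRO = 0x6474E552
PF_X = 0x1
ET_EXEC, ET_DYN = 2, 3


def check_hardening(data: bytes) -> dict:
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF image")
    is64 = data[4] == 2                    # EI_CLASS: 1 = 32-bit, 2 = 64-bit
    end = "<" if data[5] == 1 else ">"     # EI_DATA: 1 = little-endian
    if is64:
        # e_type e_machine e_version e_entry e_phoff e_shoff e_flags e_ehsize e_phentsize e_phnum
        hdr = struct.unpack_from(end + "HHIQQQIHHH", data, 16)
        ph_fmt, flags_idx = end + "IIQQQQQQ", 1      # p_flags directly follows p_type
    else:
        hdr = struct.unpack_from(end + "HHIIIIIHHH", data, 16)
        ph_fmt, flags_idx = end + "IIIIIIII", 6      # p_flags is the 7th field
    e_type, e_phoff, e_phentsize, e_phnum = hdr[0], hdr[4], hdr[8], hdr[9]

    stack_seen = relro = nx = False
    for i in range(e_phnum):
        ph = struct.unpack_from(ph_fmt, data, e_phoff + i * e_phentsize)
        if ph[0] == PT_GNU_STACK:
            stack_seen = True
            nx = not (ph[flags_idx] & PF_X)
        elif ph[0] == PT_GNU_RELRO:
            relro = True
    return {
        # No PT_GNU_STACK at all means the kernel falls back to an executable stack.
        "nx_stack": stack_seen and nx,
        "relro": relro,
        "pie": e_type == ET_DYN,
        "stack_protector": b"__stack_chk_fail" in data,
    }


def build_test_elf(exec_stack: bool, relro: bool, pie: bool, canary: bool) -> bytes:
    """Constructed minimal ELF64 little-endian x86-64 image containing only
    the headers the checker inspects. It is not loadable; it exists so the
    example runs without a real binary."""
    ph = [struct.pack("<IIQQQQQQ", PT_GNU_STACK,
                      0x6 | (PF_X if exec_stack else 0), 0, 0, 0, 0, 0, 16)]
    if relro:
        ph.append(struct.pack("<IIQQQQQQ", PT_GNU_RELRO, 0x4, 0, 0, 0, 0, 0, 1))
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + bytes(8)
    ehdr = ident + struct.pack("<HHIQQQIHHHHHH", ET_DYN if pie else ET_EXEC,
                               0x3E, 1, 0, 64, 0, 0, 64, 56, len(ph), 0, 0, 0)
    image = ehdr + b"".join(ph)
    return image + (b"\x00__stack_chk_fail\x00" if canary else b"")


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as f:
            print(check_hardening(f.read()))
    else:
        print("hardened:", check_hardening(build_test_elf(False, True, True, True)))
        print("weak:    ", check_hardening(build_test_elf(True, False, False, False)))
```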

Chance prefers the prepared mind...

Posted Jul 17, 2008 16:12 UTC (Thu) by mmcgrath (guest, #44906)

"There's no need for distro-bashing; they're both good, and there is no magic in what Fedora
is doing. "

No magic, just hard work and experience.

Shameless plug:  http://join.fedoraproject.org/

Ubuntu, security response, and community contributions

Posted Jul 17, 2008 16:07 UTC (Thu) by madscientist (subscriber, #16861)

I certainly don't want to be an apologist for Ubuntu, although I do use it myself.  But I
think comparing them to Red Hat etc. is not really fair: although the total userbase of Ubuntu
is quite impressive, the number of paying customers for Canonical has got to be a very small
fraction of what a company like Red Hat has.  Thus, Red Hat has a viable positive cash flow
and can afford to fund this kind of development... indeed, that's exactly why people pay them!
Canonical is still being floated by Shuttleworth's fortune (as he's stated recently) and
simply doesn't have the resources to spend.

That said, I do think Shuttleworth's chest-pounding given Ubuntu's position is unfortunate and
ill-advised... if not outright false.  They do some things better than anyone else but they
have a long way to go to catch up to Red Hat, SuSE, etc. in other areas.

Finally, I think some here are being too hard on Ubuntu.  They do create new technology and
they do publish it.  Upstart was already mentioned as an example.  They also have Launchpad
which, whatever you think of it, has some very nice features.  I do have to say that most bugs
I file with Ubuntu ARE pushed up-stream.  That process is getting much better IMO.

And finally, Ubuntu brings something to the GNU/Linux community which is extremely difficult
to create and also impossible to quantify: opportunity and marketing, and a kind of "average
user legitimacy".  I know that virtually all the technology in Ubuntu was there before and/or
was provided by someone else, but putting it together to create that "buzz" and really
concentrating on growing the user base and what that takes is a big task.  While it's not a
technical achievement, it's very hard to do and that success DOES help every GNU/Linux user
and distribution.  As technologists too often we base all our opinions on measurable criteria
such as number of bugs fixed, changes merged, etc. but there are other yardsticks that are
important as well.

Ubuntu, security response, and community contributions

Posted Jul 17, 2008 16:50 UTC (Thu) by mikov (subscriber, #33179)

And finally, Ubuntu brings something to the GNU/Linux community which is extremely difficult to create and also impossible to quantify: opportunity and marketing, and a kind of "average user legitimacy". I know that virtually all the technology in Ubuntu was there before and/or was provided by someone else, but putting it together to create that "buzz" and really concentrating on growing the user base and what that takes is a big task. While it's not a technical achievement, it's very hard to do and that success DOES help every GNU/Linux user and distribution. As technologists too often we base all our opinions on measurable criteria such as number of bugs fixed, changes merged, etc. but there are other yardsticks that are important as well.

I agree 100%. I have my own gripes with Ubuntu (see below), but in my eyes in recent years it has made more for Linux acceptance than the rest of the vendors combined.

Yes, they used work done by others - Debian, RedHat, etc without contributing much software, but so what? This is what free software is about. There is nothing immoral or unethical about what Ubuntu is doing! If you don't want Ubuntu to use your software, then don't make it free, I say ...

The problem with Ubuntu, as I see it, is that they don't have the resources to fix bugs and probably lack the leverage with upstream. What happens if you complain to Canonical support about a problem? If it's not a configuration issue, they are probably just going to have to wait like the rest of us for the next upstream release, hoping that it addresses that specific problem. So, I don't see why I would pay them for support.

Ubuntu, security response, and community contributions

Posted Jul 17, 2008 19:01 UTC (Thu) by jspaleta (subscriber, #50639)

"Yes, they used work done by others - Debian, RedHat, etc without contributing much software,
but so what? This is what free software is about. There is nothing immoral or unethical about
what Ubuntu is doing!"

Let's be very very clear.  There is a distinct difference between the Community of Ubuntu users
and developers... and Mark Shuttleworth and Canonical.  As much as Shuttleworth would want to
blur the distinction so that he can wrap his statements up in the goodwill of the Ubuntu
community concept to armor them from criticism, he does so at the expense of the Ubuntu
community.

The problem is not the Ubuntu community; the problem is that Mark Shuttleworth is making some
very aggressive statements that are quite simply over-reaching and not properly supported.  He's
burning goodwill with upstream projects in doing so.

This vulnerability response statement is just the latest example. And I think it's perfectly
appropriate that people start asking him why his company has not invested in a transparent
vulnerability reporting process for Ubuntu users... but is instead relying on unnamed
independent studies to bolster statements to the press.  It doesn't have to be like Red Hat's,
but shouldn't Ubuntu LTS users have something in the same general shape? I think that's a
perfectly reasonable sort of question for Ubuntu users to ask of Shuttleworth and Canonical.

But he's made other high profile statements..to the press and to the public..aggressive
statements, which challenge and undermine the processes and work that upstream projects are
using.  Statements about hardware support and about syncing with upstream development to match
Canonical's business interests have been high profile challenges that simply have not been
backed up by his company's own actions..a lack of engaging the upstream projects and to help
them do better before going to the press with the idea.  

I feel somewhat bad for the Canonical engineers who are engaged with upstream. Shuttleworth is
actually de-valuing what they are doing by making public statements which are out of
proportion with the development work they are doing.  He really needs to let those engineers
lead these sorts of discussions as part of upstream project conversations.  I wonder if he can
do that, take a backseat to the engineers in public facing conversations. Maybe he just
doesn't understand the value of restraint.

Are the things Shuttleworth has made headlines for recently things that Canonical can drive
sustainable development for? I think active community Ubuntu users need to really ask
Shuttleworth and Canonical in general some very hard questions concerning sustainability of
the work they are doing under the Ubuntu brand.  

I believe that Debian as a community reached a sustainable level of development based on the
available resources, and that Debian as a project is going to have a long successful career
serving a specific purpose.  It might be frustrating in some respects, but I believe they've
built a sustainable process.  I'm not so sure Canonical has.

It's an outstanding question, whether Canonical through the creation of the Ubuntu community
has enough resources to sustain the perceived growth happening in the Ubuntu uptake.  Is
Canonical overreaching beyond its own engineering capabilities with its Ubuntu OEM deals? Is
it overreaching with its Ubuntu LTS edition? What happens to Ubuntu if the answer is yes?
Supporters of Canonical admit that they don't have the staffing commitment of Red Hat to
directly support upstream development in the same way. If that is so, then shouldn't all these
sorts of engineering initiatives from Canonical scare the crap out of you as a Ubuntu
community member because it continues to spread engineering resources even thinner?  How
transparent is Canonical's business plans as it relates to your volunteer commitment and needs
as a Ubuntu community member?  Like I said, I think Ubuntu community members need to be a bit
more critical of Canonical and Shuttleworth.

-jef

Ubuntu, security response, and community contributions

Posted Jul 17, 2008 16:50 UTC (Thu) by acathrow (guest, #13344)

Quote:
"They do create new technology and they do publish it.  Upstart was already mentioned as an
example.  They also have Launchpad which, whatever you think of it, has some very nice
features."

Unfortunately launchpad is NOT open source.


https://help.launchpad.net/FAQ

"Like Sourceforge and Google Code Hosting Launchpad is not open source. Unlike those other
services, we have committed to making Launchpad Free Software."


Ubuntu, security response, and community contributions

Posted Jul 17, 2008 17:07 UTC (Thu) by madscientist (subscriber, #16861)

Yes, I know; I hope they will fulfill their commitment sooner rather than later and release
it.  I made an unfortunately confusing juxtaposition here.  Saying "they also" was meant to
separate this sentence from the last more definitively.  Launchpad was created in large part
to allow them to interact more fully with "upstream" maintainers, but they haven't published
it, unless you consider making it available as a web service that anyone can subscribe to,
"publishing".

Ubuntu, security response, and community contributions

Posted Jul 17, 2008 19:59 UTC (Thu) by skvidal (subscriber, #3094)

"Launchpad was created in large part to allow them to interact more fully with "upstream"
maintainers, but they haven't published it, unless you consider making it available as a web
service that anyone can subscribe to,
"publishing"."


No, no one considers that 'publishing'. That's offering access to a closed-source service.
Same as google or hotmail, etc.


If you want to see an open source and published hosting system, take a look at
fedorahosted.org

-sv


Ubuntu, security response, and community contributions

Posted Jul 17, 2008 20:18 UTC (Thu) by madscientist (subscriber, #16861)

I don't need to look there; I use savannah.gnu.org all the time.

Ubuntu, security response, and community contributions

Posted Jul 17, 2008 22:48 UTC (Thu) by nix (subscriber, #2304)

google or hotmail or lwn ;)

(still no source? how many years is it now?)

*yanks chain*

;}

Ubuntu, security response, and community contributions

Posted Aug 15, 2008 13:24 UTC (Fri) by tekNico (guest, #22)

> google or hotmail or lwn ;)

> (still no source? how many years is it now?)

At least five. It would still be nice to get it, however I doubt that a specialized, Quixote-based CMS would get much attention: nowadays the momentum in Python web frameworks gathers around Django, Turbogears/Pylons, and Zope2/3/Plone.

Ubuntu, security response, and community contributions

Posted Jul 21, 2008 19:25 UTC (Mon) by ddaa (guest, #5338)

> If you want to see an open source and published hosting system, take a look at
fedorahosted.org

I do not know this, but I am sure it is very nicely done.

However you miss an important point in the text you quoted:

> "Launchpad was created in large part to allow them to interact more fully with "upstream"
maintainers

Launchpad is much more than just a hosting solution. It was designed from day one to encourage
collaboration between upstream projects, distributions and end users, in all the possible
combinations.

Ever since Ubuntu started, Launchpad was being worked on with the explicit goal of bridging
various gaps that make it hard to contribute to the free software ecosystem.

For several years, the Launchpad staff was nearly the size of the ubuntu-core staff (we are
talking in dozens of people here). That strongly suggests that Canonical is genuinely
interested in contributing back.

Disclaimer: I was a Launchpad developer from June 2004 to January 2008.

Ubuntu, security response, and community contributions

Posted Jul 22, 2008 19:24 UTC (Tue) by rahulsundaram (subscriber, #21946)

"Ever since Ubuntu started, Launchpad was being worked on with the explicit goal of bridging
various gaps that make it hard to contribute to the free software ecosystem."

The real way is to open it up to the community and not have a BitKeeper-like situation which
will only lead inevitably to people redoing something like it from scratch because they see
the benefits but don't want to rely on a centralized proprietary service. 

Ubuntu, security response, and community contributions

Posted Jul 22, 2008 21:36 UTC (Tue) by ddaa (guest, #5338)

> The real way is to open it up to the community

People at Canonical disagree, for numerous reasons including avoiding fragmentation, keeping
the problem space simpler, and preserving opportunities for revenue.

> and not have a BitKeeper-like situation which will only lead inevitably to people redoing
something like it from scratch because they see the benefits but don't want to rely on a
centralized proprietary service. 

This is a strawman. Proprietary end-user software like BitKeeper is very different from
internet services like Launchpad.

And even if people eventually did succeed at implementing a better, more free, and more
successful Launchpad, that would not invalidate the pioneering work that Canonical funded to
ease the flow of knowledge in free software.

Ubuntu, security response, and community contributions

Posted Jul 23, 2008 0:56 UTC (Wed) by mmcgrath (guest, #44906)

> And even if people eventually did succeed at implementing a better, more
> free, and more successful Launchpad, that would not invalidate the
> pioneering work that Canonical funded to ease the flow of knowledge in
> free software.

You trying to convince us or yourself?  The issue here is canonical embracing open source with
one hand and stealing from it with the other.  No rules are being broken there but the high
and mighty "we know best" attitude is the mark Canonical is leaving on the very community it
relies on.  

The smoke and mirrors people think is the success haven't been founded in any reality I've
seen and people will start to notice that.  After all, Mark continues to hemorrhage money into
Canonical at least until he gets bored.  I've yet to see any solid numbers of Ubuntu's success
beyond Google trends.  People will get bored as they realize those in charge continue to hold
a carrot in front of them, they'll move on.

Ubuntu, security response, and community contributions

Posted Jul 23, 2008 19:10 UTC (Wed) by ddaa (guest, #5338)

In your reply, the tone alone indicates that you are not interested in constructive
discussion. Or if you are, you need to improve your writing skills.

I acknowledge the effort you made in writing this comment. Sadly, as it is written, it would
be very difficult to reply to while keeping the discussion meaningful.

Ubuntu, security response, and community contributions

Posted Jul 23, 2008 19:13 UTC (Wed) by mmcgrath (guest, #44906)

I'm a technician, not a writer.  How about this:

Ad hominem.  Why attack the argument when you can attack the speaker?  What a common fallacy
you've just committed.  No need to respond, your actions will speak louder, let us know when
that launchpad is OSS.  Have a nice day.

Ubuntu, security response, and community contributions

Posted Jul 23, 2008 19:49 UTC (Wed) by ddaa (guest, #5338)

How interesting.

I made a point of attacking only your writing. I even suggested you might be of good faith but
that you just failed at clear expression.

Ubuntu, security response, and community contributions

Posted Jul 23, 2008 1:16 UTC (Wed) by rahulsundaram (subscriber, #21946)

Other than the possible revenue from keeping it proprietary, I don't consider the other
excuses even applicable, especially since the memories of companies using the "fragmentation"
card against free and open source software for years are still fresh, Java being among the
latest to turn around. The way to avoid fragmentation is providing a way for the community to
participate, innovate and not using control. Distributed services with open protocols are the
long term sustainable approach. Centralized proprietary services just won't scale.

The inherent problems of proprietary software are similar whether the software is running in
the client or the server and in some ways more problematic given the rise of people and
entities hiding behind software as a service to avoid facing the question. Creating walled
gardens is no innovation. One symptom of the many problems with this approach is the workflow
of translations not going to upstream by default and getting locked up into the distribution
unlike transifex (http://transifex.org) which Fedora project seeded and follows the upstream
by default model like the rest of the distribution in addition to being free and open source.

Ubuntu, security response, and community contributions

Posted Jul 23, 2008 19:47 UTC (Wed) by ddaa (guest, #5338) [Link]

You are touching a lot of topics in this comment. So I could only give very short answers to
each of the points you touched.

> Other than the possible revenue from keeping it proprietary, I don't consider the other
excuses even applicable

I do not think that per-seat licensing of the Launchpad code is a practical business model for
Canonical. But I do not claim to know beforehand what all the revenue opportunities could be.
A sensible entrepreneur avoids discarding possible unseen revenue streams unless there is a
compelling reason to.

> the memories of companies using the "fragmentation" card against free and open source
software for years is still fresh, Java being among the latest to turn around. The way to
avoid fragmentation is providing a way for community to participate, innovate and not using
control.

That is true for user-runnable software. And Canonical understands that very well as is
demonstrated by the development processes of Ubuntu and Bazaar.

Fragmentation, when talking about Launchpad, means something else: the value of Launchpad
comes from the inter-relations between the numerous project communities that are using it.
Multiple distinct Launchpad services would make the interactions within any single instance
total less than they could be. More total users increase the value of the project; lost
opportunity decreases it. It is not a clear-cut issue.

> Distributed services with open protocols is the long term sustainable approach. Centralized
proprietary services just won't scale. 

This is a good point, and using a federated design was considered early on. This direction was
not chosen to "keep the problem space simpler", as I said in the message you are replying to.
Avoiding the additional complexity of a decentralized design was a good engineering decision
in its own right.

> The inherent problems of proprietary software is similar whether the software is running in
the client or the server and in some ways more problematic given the rise of people and
entities hiding behind software as a service to avoid facing the question.

Let's agree to disagree. In my view, they are apples and oranges.

> One symptom of the many problems with this approach is the workflow of translations not
going to upstream by default and getting locked up into the distribution unlike transifex
(http://transifex.org) which Fedora project seeded and follows the upstream by default model
like the rest of the distribution in addition to being free and open source.

Discussing the particular perceived shortcomings of Launchpad translations would distract us
from what I regard as the main point of this thread, and I do not claim to understand this part
of Launchpad well enough to address your concerns.

Ubuntu, security response, and community contributions

Posted Jul 24, 2008 2:20 UTC (Thu) by rahulsundaram (subscriber, #21946) [Link]

You said Canonical employees disagreed with opening the source code and giving access to the
community in order to retain potential revenue opportunities. I merely conceded that is an
understandable excuse (though I disagree completely with the decision to keep it proprietary).
I don't know why you even brought up "per-seat licensing". Sensible people working within a
community would want to gain trust by not acting inconsistently or making outlandishly false
claims (cf. security history), whether they are entrepreneurs or not. Anything else is just
short-sighted and not even in their self interest.

Multiple distinct instances need not ever decrease the value of the service at all. It depends
on how well you federate it. Sure, it is more complex, but that is the price you need to pay for
working with a distributed community of producers and consumers. In my view, the workflow of
translations is a clear, direct result of a deliberate strategy to keep the content within the
distribution essentially closed within itself instead of helping the broader upstream
community. The problem is well known and has never been addressed so far. This, combined with
the decision to keep the source code closed, doesn't indicate or inspire good faith.

Ubuntu, security response, and community contributions

Posted Jul 17, 2008 19:57 UTC (Thu) by mmcgrath (guest, #44906) [Link]

"although the total userbase of Ubuntu is quite impressive"

It is?  What number is that?  And where did it come from?

Ubuntu, security response, and community contributions

Posted Jul 18, 2008 23:26 UTC (Fri) by stickster (guest, #40146) [Link]

Why don't we ever see responses to this question of statistics?

Ubuntu, security response, and community contributions

Posted Jul 19, 2008 6:08 UTC (Sat) by madscientist (subscriber, #16861) [Link]

Because I have much better things to do with my time. Really? This is what you want to argue about, that Ubuntu is not running on enough machines to justify my statement that it has a userbase that is quite impressive? What kind of statistics are you hoping to see, and where would they come from? Maybe Google can give us some numbers, based on the browser ID strings they track. Try filing a lawsuit; it worked for Viacom. Let me know what you come up with.

I'm willing to take the fact that it's won the top spot in every desktop distro contest for the last few years, it's #2 on the Linux Counter list just a point or two behind Debian (which is pretty good considering that that list is unknown beyond long-time, harder-core Linux users--not necessarily the prototypical Ubuntu user), that it's being pre-installed on Dell desktops and laptops, that it's available from Best Buy both online AND boxed in the store, etc. etc.

If that's not good enough for you, then fine: we'll just agree to disagree, because I don't have the energy to argue about something so silly.

Ubuntu, security response, and community contributions

Posted Jul 19, 2008 13:46 UTC (Sat) by stickster (guest, #40146) [Link]

Statistics gathering doesn't have to be so random and haphazard.  Fedora does it openly and
transparently, as described here:
https://fedoraproject.org/wiki/Statistics

The smolt project was created as a non-Fedora, cross-distribution effort to help with this
need, and other distros have been repeatedly invited to participate so that we can confidently
talk about the size of the overall installation/user base.  Novell, for example, has recently
joined in.  (Smolt also produces useful hardware metrics too.)  Over 15 years into the Linux
story, there's no sense in making these numbers up or sticking our heads in the sand.

I doubt that a driver like accurately showing market size would be considered silly by anyone
basing their business on Linux.  But I understand that many people would rather not argue
about it; so be it.

Ubuntu, security response, and community contributions

Posted Jul 19, 2008 16:58 UTC (Sat) by madscientist (subscriber, #16861) [Link]

I think accurate stats are great, and I'd love to see them.  I don't know much about smolt but
I see no reason why it shouldn't be supported in Ubuntu.  Ubuntu already has the Ubuntu
Hardware Database, and it does have a nice user interface to report hardware info, but the web
site seemed really lame and/or broken when I checked it.  There's also popcon, originally from
Debian, where you can register to have the packages you use reported upstream: this is used to
make sure that the CD, which has limited space, has the most popular packages installed.  But
you can also find out some info about how many machines are running Ubuntu:
http://popcon.ubuntu.com/

The problem with these as stats gathering vehicles is that not only are they off by default
(which probably every such package will always be, and I don't disagree with that) but they
aren't even publicized, so unless you happen to run across them you won't use them.  In order
to be anywhere close to accurate there has to be more "advertising".  Maybe an option to
restrict the data uploaded, for people who aren't interested in publishing details but would
like to be counted.

I also found this with a one-minute Google search, from last year:
http://www.starryhope.com/tech/2007/ubuntu-just-how-popul...

I'm saying that I'm not willing to get into an argument about whether or not Ubuntu has "an
impressive userbase" or not.  For one thing, it's completely ambiguous--if I'd said it has 82%
of the desktops then I would expect to be challenged to justify that statement.  However, I
believe my statement is obviously correct given any objective look at the Linux ecosystem.

If we want to talk constructively about possible ways we could get more accurate statistics
I'm all for that.

Ubuntu, security response, and community contributions

Posted Jul 17, 2008 21:39 UTC (Thu) by bronson (subscriber, #4806) [Link]

> Well we have a better security track record than Red Hat

Funny, I was just checking some SSL certs this morning hoping they weren't generated on an
Ubuntu machine.

Why would the BDFL say this??  It's a divisive and questionable statement to make even if it
were true.  It's a poor way to build a community.

I'm typing this on Ubuntu Hardy.  Great distro.  But most secure?  "ranked number one?"  Not
in my experience.

Ubuntu, security response, and community contributions

Posted Jul 18, 2008 20:05 UTC (Fri) by nlucas (subscriber, #33793) [Link]

> Funny, I was just checking some SSL certs this morning hoping they weren't generated on an Ubuntu machine.

While I also don't think Ubuntu QA is notorious for its track record, you are actually mentioning the case where they did everything right, from finding the bug to getting it fixed upstream (it was a Debian bug, not Ubuntu).

Ubuntu, security response, and community contributions

Posted Jul 19, 2008 21:17 UTC (Sat) by ceplm (subscriber, #41334) [Link]

Security doesn't mean just patching fast, but also checking whether the patches make sense.
Which apparently the one from Debian for OpenSSL didn't, but the distribution with better
security record just didn't bother to take a look at patches for OpenSSL.

Ubuntu, security response, and community contributions

Posted Jul 21, 2008 10:37 UTC (Mon) by nlucas (subscriber, #33793) [Link]

What you are asking may be nice words, but if any derived distro did that it would be more
work than starting one from scratch.

Ubuntu, security response, and community contributions

Posted Jul 21, 2008 19:46 UTC (Mon) by ddaa (guest, #5338) [Link]

> Why would the BDFL say this?? It's a divisive and questionable statement to make even if it were true.

Mark Shuttleworth is the SABDFL. The BDFL is Guido van Rossum.

Mark has been known to occasionally say and do things that were less than technically inspired (enforcing some custom hack on spatial Nautilus) or politically appropriate (inviting SUSE developers to join).

That teaches us a few things:

  • Mark is not a corporate talking head. He sometimes says stuff that has not been vetted by Canonical.
  • Mark is not the Pope. Sometimes he says things Ubuntu do not agree with.
  • Mark is passionate about Ubuntu and Canonical, and he sometimes gets carried away.

It seems it happened again. I guess he stands corrected: he has certainly read this article.

Disclaimer: I worked at Canonical for four and a half years.

Ubuntu, security response, and community contributions

Posted Jul 18, 2008 5:45 UTC (Fri) by oconnorcjo (subscriber, #2605) [Link]

While I think that it is nice when distributions contribute to various projects and
developers, I actually WISH that more distributions had Ubuntu's philosophy of USABILITY.  I
know for example redhat has tons of developers working on making software better in general
but when I install their system, I find I have to make a ton of tweaks and some things just
don't ever play right.  It looks to me that Ubuntu developers actually spend the most time
making their FINAL PRODUCT better.  For years I had been waiting for redhat/mandrake/suse to
install a minimum list of applications that covered the spectrum of what needed doing on one
CD where everything "just worked" (including the proprietary stuff).  Then Ubuntu arrives late
on the scene and does it!!!  As far as I am concerned the only thing I want Ubuntu to do is
make a Clean/Friendly/Stable distribution.  I feel that Ubuntu is the only distribution that
understands the quote "10% of the time is to get 90% done and the other 90% of the time is to
get the last 10% done".

Ubuntu, security response, and community contributions

Posted Jul 18, 2008 18:36 UTC (Fri) by jspaleta (subscriber, #50639) [Link]

Is Canonical working with upstream projects to get Ubuntu's specific usability improvements
incorporated upstream?

If not, do you trust Canonical's ability to continue to provide the engineering
work necessary to keep those sorts of un-integrated patches separate as the upstream projects
continue to change over time?

While Canonical most certainly has the ability to collect large downstream patches without
leading an effort to get them into the upstream projects, doing things this way may not be in
the best long term interests of the Ubuntu community of users... like yourself.  An attempt to
maintain usability enhancements as a series of downstream patches may give Canonical a
short-term competitive advantage for its own business reasons in an effort to position Ubuntu
as leading the field.  But doing so comes at a cost of long term sustainability and
maintainability that has a direct impact on the Ubuntu userbase...and no one else. Over time
those patchsets will require more and more engineering resources to maintain because of the
rate of change in upstream projects.  Engineering manpower that will not come from upstream,
and in fact will over time decrease the ability of Canonical engineers to interact with
upstream to fix the issues as the patchset becomes very large.  This should be a concern for
you as an Ubuntu user, especially if you are an Ubuntu user who plans to use the LTS edition
without paying for a support contract.

-jef

Ubuntu and hardware support regression

Posted Jul 22, 2008 0:07 UTC (Tue) by wt (guest, #11793) [Link]

I believe that Ubuntu's hardware support is not as good as it could be. For instance, I have a
Dell 1420n laptop that shipped with Feisty. It ran Gutsy and now runs Hardy.

With the upgrade to Hardy, the sound driver is broken. I would have expected the Ubuntu folks
to take care not to break a somewhat flagship piece of hardware that ships with their
distribution. If you look on the Dell website, the 1420n model still only ships with Gutsy
last time I checked.

To be fair, there is a workaround (which is to run the real time kernel). However, it isn't
something that a less than geeky user would even think to do, and the real time kernel
sometimes fails to work with the sound also.

I tried to participate in the bug reporting and fixing also, but I have gotten no replies from
Ubuntu folks on the bug report, only others with similar problems.

That this situation occurred in what Ubuntu is calling an LTS release is truly sad IMO.

BTW, for anyone else with this problem, the next upstream kernel allegedly fixes this issue.
Maybe there's a backport or something.

wt

Ubuntu and hardware support regression

Posted Jul 24, 2008 10:08 UTC (Thu) by Miladinoski (guest, #52970) [Link]

Yup, I totally agree with you and I think that Hardy is Ubuntu's worst version 'till this date, I won't even upgrade to it, I had looots of problems doing that once, and then I reverted back to Gutsy.

Ubuntu and hardware support regression

Posted Jul 24, 2008 11:20 UTC (Thu) by callegar (guest, #16148) [Link]

Not likely that there will be a backport of a whole kernel to Hardy. This has already been asked for on many occasions as a remedy for the random freezes that the Hardy kernel experiences on some hardware, but has so far been excluded. Possibly, there can be a backport of specific features from 2.6.x with x>24 to 2.6.24. To me it remains a mystery why kernel version x with patches including pieces of version x+k should be less of a jump in the dark than version x+k itself, given that typically x+k will have already received more testing than x plus patches will ever have. Also, it remains a mystery to me why distros do not package the vanilla kernels from kernel.org as an alternative to their own kernels.

Irony

Posted Jul 24, 2008 16:25 UTC (Thu) by joeytsai (guest, #3480) [Link]

I love how a paragraph begins with:

"It is rather easy to make sweeping statements..."

Then ends with:

"...part of a fairly pervasive perception that Ubuntu and Canonical are not contributing very
much back to the community."

The article does a decent job of illustrating how Ubuntu does not contribute to the kernel,
but to say Ubuntu doesn't contribute much to the community is not fair.  The kernel is only
one part of the puzzle, a part that already has plenty of attention.  Say what you want about
Ubuntu (I don't use it), but the fact is they pay people to contribute to free software.  They
distribute a decent distribution on a regular schedule and support it without cost.  They have
a thriving community.  Etc.

There may be many downsides to the arrival of Shuttleworth / Ubuntu / Canonical, but on the
whole I think what they've brought to the table far outweighs them.  Therefore, I thank them
for their effort.  Of course they can improve, and I hope they do.  But even if they don't -
I'll never be part of this "fairly pervasive" perception that they don't contribute.

Copyright © 2008, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds