A recent interview with Mark
Shuttleworth is raising a few eyebrows. The Austrian news site
derStandard sat down with Ubuntu founder and Canonical CEO Shuttleworth at
GUADEC in Istanbul asking about many aspects of Ubuntu, desktops, and Linux in
general. His answers to questions about synchronizing releases with other
major distributions included some controversial claims.
Last May, Shuttleworth suggested that the major enterprise distributions
SUSE, Debian, and Ubuntu) should coordinate their release cycles
to foster better stabilization of Linux components. None of the other
distributions have expressed much in the way of interest in that plan—at
least publicly—though Shuttleworth says there have been some
discussions behind the scenes. In answer to a question about the belief
that Ubuntu has much more to gain than either Red Hat or Novell,
Well we have a better security track record than Red Hat, we do that by
focusing very hard on security, making sure the updates are available as
fast as possible on Ubuntu, independent studies have generally ranked
Ubuntu number one.
Below is a table that summarizes the response time for a few vulnerable
packages over the last several months. It shows when the vulnerability was
first announced along with the first update from each of four major
distributions. Note that some distributions fixed the vulnerability at
different times for different versions, so the date below is the first;
other distribution versions may have waited longer for an update.
|Package ||Announced ||Ubuntu ||Red Hat
||1 May ||3 June ||7 May ||20 June||1
||6 May ||3 June ||7 May ||20 June||12
||28 May ||17 June ||28 May ||4 June||30
||11 June ||13 June ||11 June ||13 June||11
|Firefox 1.5 and
||1 July ||2 July ||2 July ||11 July||11
||8 July ||8 July ||9 July ||11 July||8 July|
There doesn't appear to be any clear "winner", though Red Hat seems to beat
Ubuntu in most cases—at least on this set of vulnerabilities. It
would be much easier to do this kind of comparison if Ubuntu followed Red
Hat's lead and published regular
assessments of its security performance.
It is rather easy to make sweeping statements, referring to unnamed
"independent studies", while it is much harder to actually gather the
information and present it. Red Hat's transparency on its security
performance is something that all distributions should strive
for—especially those who would tout their security response.
But the security issue is just a part of a fairly pervasive perception that
Ubuntu and Canonical are not
contributing very much back to the community.
That is the underlying concern that Shuttleworth is addressing. He continues:
So what I'm trying to say here, that the notion that Canonical wouldn't
contribute anything in such a situation and it would be a one way flow is
something I disagree with. Look for example at the fact that Ubuntu has
usually better hardware support, if we all were on the same kernel the
others could take the drivers we put in there and have hardware support
that is just as good as Ubuntu.
While supporting more hardware is an excellent goal, doing it by merging
unsupported drivers into the kernel is not the recommended path. As Red
kernel hacker Dave Jones puts it:
Does no-one else see the hypocrisy in this statement ? Here's how it reads
to me... "It would be great if everyone just shipped the Ubuntu kernel and
debugged the random crap we merge that we don't have the resources to do
If only there were some kind of process of getting drivers merged upstream
to kernel.org. Perhaps then we COULD be on the same kernel. Oh wait, there
is a process. Ubuntu just chooses to ignore it.
Canonical, unlike the other major enterprise distribution vendors, is not known for its
kernel contributions. It is a much smaller organization than Red Hat
or Novell, so its support organization is rather small as well. Trying to
support lots of hardware is a
difficult task. Doing it with out-of-tree and binary-only drivers makes it
that much harder.
Historically there has also been friction
between Ubuntu and its upstream distribution, Debian, at
least partially because of a perception that it does not contribute back.
It is against this backdrop that Shuttleworth is speaking. The fact that
he feels that he needs to defend Ubuntu speaks volumes.
Some of the complaints might be written off to jealousy over the popularity
of Ubuntu, but there is a fair amount of truth to them as well. Canonical
and the Ubuntu community have done some fairly amazing things in a short
period of time, but they did it by leveraging lots of work by Debian and
others. It is important to be a contributing member of the larger Linux
Canonical need to work to remove this perception of the
distribution—regardless of its merits. Talk alone won't do that,
action is required.
to post comments)