I hate to see angry messages on LWN.net (although I have to admit that, even while angry, the
current posters are making more useful points than I see on most other web fora).
I like the note at the top of the LWN.net comment editor page: "Please try to be polite,
respectful, and informative".
Let me point out that this isn't so much an issue of Good vs. Evil as a question of
different people having different needs. The Linux kernel does a fine job of evolving
quickly, supporting lots of hardware, improving the common cases of performance issues, and so
forth. There are plenty of people whose security needs can be aptly summed up as "Whatever my
distribution and the Linux core team think is best is probably good enough." Those people
have no need for more specific information about vulnerabilities, and would not be able to use
that information if they had it. Perhaps they are using Linux exclusively on non-networked,
single-user jobs, for example.
It's not that those people *ought* to value specific security vulnerability disclosures more
than they do -- it's just that they personally have no need of such disclosures.
On the other hand there are people who do need more specific information. They may be
responsible for networked, multi-user Linux installations with great value at stake, for
example. They may need, and know how to use, vulnerability disclosures in precise detail as
to the window of vulnerability and how to fix or work around each issue. As far as I currently
understand it, those people are not being served.
Now again, this isn't a matter of Good vs. Evil. Linus, and GregKH, and the rest of the Linux
folks have no moral obligation to provide what those folks need. If Linus and company care to
start providing it, that would be fine. If not, then perhaps someone else (such as PaXTeam
and his partners) would provide that information about Linux, or perhaps those users would be
better off if they switched from Linux to Solaris or OpenBSD or something.
But again, for the third time, those users switching from Linux to Solaris or OpenBSD or
something would not be an Evil. The world would not become a worse place. Indeed, if the
maintainers of those other operating systems were better prepared to provide the kind of
service that those users need, then the world would be a better place.
For what it is worth I have worked in computer security for a long time, and for years I
tended to assume that my peers who insisted on running only OpenBSD or FreeBSD and refused to
rely on Linux for security were just being show-offs. Nowadays I'm beginning to think that
they had justification for their choice.
P.S. Just to make sure everyone got the point, if it is true, as I just alleged, that many
open-source-loving computer security professionals refuse to trust Linux's security, then this
is not Evil. It's no big deal. They get along fine in their jobs and you get along fine in
yours, so when replying to this note, please try to be polite, respectful, and informative.