
the Linux process for generating many rare flaws

Posted Jul 20, 2008 11:06 UTC (Sun) by nix (subscriber, #2304)
In reply to: the Linux process for generating many rare flaws by njs
Parent article: Quotes of the week

It isn't, of course. If anything we can get better metrics on bug density, 
because the source is open and all bugfixes to public trees visible (even 
if they aren't marked up as 'security' all the time, they're all bugs and 
from the POV of stopping them happening it doesn't matter if they're a 
security bug or a 'mere' data-corruption bug).

On that note, am I the only one who considers it utterly bizarre that 
crash bugs are considered by some more serious than data-corruption bugs 
merely because some of the crash bugs are remotely-triggerable, while 
data-corruption bugs rarely are? The consequences of data-corruption bugs 
are so much worse, yet the crash bugs are 'security holes! patch now!'...
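The metric the comment above alludes to (counting every visible bugfix in a public tree, not only the ones someone labelled "security") can be computed from plain git history. The following is an added example, not code from the post or from any kernel tooling: it parses a constructed `git log`-style dump, treats a commit as a bugfix if its subject says "fix", it carries a `Fixes:` trailer, or it is Cc'd to the stable list, and separately checks whether the message contains a security keyword. The commit hashes, subjects and the 10 kLOC figure are made up for the illustration; the keyword lists are heuristics, not any project's convention.

```python
"""Estimate bugfix density from commit messages, and show how many fixes
an audit that only counts security-labelled commits would miss.

All sample data below is constructed for this example; it is not taken
from any real repository."""
import re
from dataclasses import dataclass

# Constructed sample in the shape of
#   git log --format='%H%n%s%n%b---'
# (hash, subject, body, then a '---' separator line).
SAMPLE_LOG = """\
a1b2c3
net: fix use-after-free in socket teardown
Fixes: 0123456 ("net: add socket teardown helper")
Cc: stable@vger.kernel.org
---
d4e5f6
fs: fix data corruption on concurrent truncate
Fixes: 89abcde ("fs: rework truncate locking")
---
0f1e2d
drivers: add support for the new widget controller
---
3c4b5a
mm: reject oversized mmap length (security fix)
Cc: stable@vger.kernel.org
---
6b7a89
sched: clean up comment wording
---
9d8c7b
usb: handle short descriptor read
Cc: stable@vger.kernel.org
---
"""

# Heuristics (assumptions of this example, not a project rule).
FIX_SUBJECT = re.compile(r"\bfix(es|ed)?\b", re.IGNORECASE)
SECURITY_WORDS = re.compile(r"\b(security|exploit|privilege escalation|cve)\b",
                            re.IGNORECASE)
TRAILER = re.compile(r"^([A-Za-z-]+):\s*(.+)$")


@dataclass
class Commit:
    sha: str
    subject: str
    body: str = ""

    def trailers(self) -> dict:
        """'Key: value' lines from the body, keys lower-cased."""
        out = {}
        for line in self.body.splitlines():
            m = TRAILER.match(line)
            if m:
                out[m.group(1).lower()] = m.group(2)
        return out


def parse_log(text: str) -> list:
    """Split a '---'-separated log dump into Commit records."""
    commits = []
    for record in re.split(r"(?m)^---\s*$", text):
        record = record.strip()
        if not record:
            continue
        lines = record.splitlines()
        commits.append(Commit(lines[0], lines[1], "\n".join(lines[2:])))
    return commits


def is_bugfix(c: Commit) -> bool:
    """A fix if the subject says so, or a Fixes: tag / stable Cc is present."""
    t = c.trailers()
    return (bool(FIX_SUBJECT.search(c.subject))
            or "fixes" in t
            or t.get("cc", "").startswith("stable@"))


def is_security_labelled(c: Commit) -> bool:
    """True only when the author chose to call it out as security-relevant."""
    return bool(SECURITY_WORDS.search(c.subject + "\n" + c.body))


def fix_stats(commits: list, kloc: float) -> dict:
    """Bugfix counts and densities per thousand lines of code."""
    fixes = [c for c in commits if is_bugfix(c)]
    sec = [c for c in fixes if is_security_labelled(c)]
    return {
        "commits": len(commits),
        "all_fixes": len(fixes),
        "security_labelled_fixes": len(sec),
        "unlabelled_fixes": len(fixes) - len(sec),
        "fixes_per_kloc": len(fixes) / kloc,
        "security_fixes_per_kloc": len(sec) / kloc,
    }


if __name__ == "__main__":
    # 10 kLOC is a constructed figure for the sample tree.
    for k, v in fix_stats(parse_log(SAMPLE_LOG), kloc=10).items():
        print(f"{k}: {v}")
```

On the sample, four of six commits are bugfixes but only one carries a security keyword, so a security-labelled count alone understates the fix rate by a factor of four; the use-after-free in the first commit is exactly the kind of untagged fix the comment has in mind. Run it against a real tree with `git log --format='%H%n%s%n%b---'` piped into `parse_log`, and replace the hard-coded kLOC with an actual line count.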



the Linux process for generating many rare flaws

Posted Jul 20, 2008 18:08 UTC (Sun) by zooko (subscriber, #2589)

(About whether the Linux kernel development process is more likely to introduce security holes
than alternative development processes.)

"It isn't, of course."

What -- where do you get your confidence?  I think that it is plausible that the Linux kernel
development process produces more bugs and security holes than alternative processes, such as
for example the way that OpenBSD or Solaris are developed.  (I also think that the Linux
development process produces new features and improvements faster than the OpenBSD process
does.)

I'm not entirely confident of this -- I could be wrong.  But how did you become so confident
of the opposite hypothesis?

the Linux process for generating many rare flaws

Posted Jul 20, 2008 18:56 UTC (Sun) by nix (subscriber, #2304)

The question was whether the problem was *unique* to Linux's development 
process. Of course it isn't. Proprietary systems have security holes too.

You don't need 'confidence' to know that.

the Linux process for generating many rare flaws

Posted Jul 20, 2008 22:01 UTC (Sun) by njs (subscriber, #40338)

I read "it isn't, of course" as responding to my question about how black-hat scrutiny was
something unique to Linux's development process.  These threads get a little spread out...

I would still be curious to hear your response to my original post, because a priori I don't
see why any one of Linux/Solaris/OpenBSD's models should be better.  (Actually, I don't have a
lot of confidence in OpenBSD myself, because I've gotten the impression that in general it's
buggier -- probably just due to lack of manpower, and prioritizing security features
proportionately higher than non-security testing and bugfixes.  And I don't like non-security
bugs much better than security bugs.)

Copyright © 2012, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds