it's not a problem of the monoculture at all
Posted Jun 25, 2002 19:06 UTC (Tue) by
BogusUser ((unknown), #2254)
Parent article:
The Apache vulnerability, full disclosure, and monocultures
What if you do have e.g. 5 open source implementations of web servers
that each take about 20% of the server installations?
In terms of the LWN argument it would be safer to drive like this,
but they are in error. When you do have 5 web servers, then you
have 5 mostly different codebases, 5 times the places where
vulnerabilities might be waiting to compromise the community.
It's simply a problem of having enough developers, code reviewers
and lab tests, plus the usual out-in-the-wild "tests" with hackers.
When your software lacks inspection due to its magnitude, then it
can only get worse when you have 5 of that magnitude.
Tell the world that open standards are a good thing
and that open source standard software is just the better choice.
But a different aspect: what if there were 5 web servers out there?
Would you expect them all to have the same features?
Would you expect at least one of them to provide you
all the features you need for your business?
Compare to the desktop browser war on open source desktops:
which of them does Java, SSL and a few more features?
Why do we need all those wannabe browsers
whilst only a few fulfill the practical needs,
but an unknown number of them most likely have security
vulnerabilities? Same for the crowds of MP3 audio/video players...
And for a last argument, there must be measures to make standard
open source software more secure. Think of the SEL package
for the Linux kernel and its userland counterpart.
Did you ever notice that there is no BeOS, no BSD (Net, Free, Open)
and no Hurd version of the SEL package around? That's where choice
drives developers mad. Good development is done only once.
I want to remember the cleanup of the multiple instances of the
zip algorithm in the Linux kernel some half a year ago. And I want
to remember the Amiga OS, which had really only a single implementation
of "printf" in the whole system, regardless of application, system
or kernel caller; they all used the same proven codebase. If a bug
would ever pop up, then fixing it would be a single operation.
Don't complain that a single bug can affect such a magnitude of
systems due to "monoculture" (in fact Apache has only some 50%
share, if I remember correctly). Only a widespread system can ensure
that the open source community has the manpower to maintain it. If we
had multiple such pieces of software, then the number of bugs that a certain
system with a particular software will suffer won't get better. It will
only take a longer time to get fixes and updates carried out, since
the number of developers (and developer time) per software package
will significantly shrink.
A healthy open source community must take a strong look at its own
effectiveness (like using BitKeeper), else it will spend a good deal
of its working hours on useless tasks. That's not true in all cases,
e.g. where there are different promising approaches to follow and
different requirements to fulfill, but it's true in general for the
whole community. Re-inventing the wheel over and over again won't
benefit anyone, except the one that feels great about it.
Regards, Alex.