Wheeler: Insecure open source software libraries?

Posted Apr 8, 2012 10:59 UTC (Sun) by khim (subscriber, #9252)
In reply to: Wheeler: Insecure open source software libraries? by rqosa
Parent article: Wheeler: Insecure open source software libraries?

> It seems like you're insisting that the upstream app developer must do "quality assurance" on every possible OS or distribution that the app can possibly run on.

No. If some platform uses programs designed for another platform, it's their choice; in this case the OS designers should provide Q&A. This is a very common case: it happens every time a new version of an OS is released (as usual, Linux desktop developers shirk this responsibility, but other OS vendors are more serious about it).

But yes, if a developer releases a program for some platform (especially if said program is sold for $$) then s/he must do Q&A - or else why release anything at all?

> That's just fundamentally impossible in the absence of an OS monoculture, and by its very nature GNU/Linux cannot become a monoculture.

You don't need a monoculture. Android releases include a lot of customizations - yet most of them don't affect app developers at all. The observed problems are mostly caused by changes in hardware (for example, all the programs which assumed you can use a trackball to move around are basically unusable on the Galaxy Nexus S… yet they still run, and users can use them with an external mouse).

> Linux users understand this is so and still keep using it, because the benefits of non-monoculture outweigh the downsides.

Sorry, but this is bullshit. This description may cover some small percentage of Linux users, but most of them think that when something does not work on Fedora (usually because of SELinux) it's our fault, even if the identical package works on Ubuntu. So no, they don't “understand this”. If you visit any FOSS conference you'll see how many former Linux users finally understood it… and decided that life is too short to play these games. Most of them are now MacOS users, but some returned to Windows.


Wheeler: Insecure open source software libraries?

Posted Apr 8, 2012 18:31 UTC (Sun) by rqosa (subscriber, #24136)

> But yes, if a developer releases a program for some platform (especially if said program is sold for $$) then s/he must do Q&A - or else why release anything at all?

The developer shouldn't try to do QA on every Linux distribution out there — doing it on just one major distro should be sufficient, and the user community will figure out how to get it to work on any other distro where there's enough demand for the app in question.

> Android releases include a lot of customizations - yet most of them don't affect app developers at all.

You could say the same thing about Windows — when it's preinstalled on PCs, it usually has customizations specific to that PC model and its manufacturer. As far as the platform APIs are concerned, though, it's still a monoculture.

> If you visit any FOSS conference you'll see how many former Linux users finally understood it… and decided that life is too short to play these games.

Yaaawwwnnnnn… We've heard a billion variations on the theme of "Linux is dying" (much of which was thinly-disguised propaganda FUD) for more than a decade now, and it's not even once been true. As far as I'm concerned, the Linux user experience just keeps getting better and better as time goes on, and that could hardly happen if users were abandoning the platform in droves.

> Most of them are now MacOS users, but some returned to Windows.

Funny you should say that. 11 years ago, I thought that Mac OS X was great — it should run all the Unixy stuff I'm used to, plus most of the proprietary stuff that's not available on Linux, so what's not to like? Then I tried to actually use it, and quickly got frustrated by how many hoops I had to jump through to do things that on Linux would have needed little more than "apt-get install foo" or "./configure && make install". Since then I've been unwillingly dragged back to it at least once, and it was just as bad as ever.

I dare you to try this: build the latest Git snapshot of FFmpeg on Mac OS X. I tried that once (well, except FFmpeg was still using SVN back then), and it went something like this: first I had to untar the Fink tarball into a directory, then figure out how to change some config file to enable building source packages from the unstable branch of Fink, then run the command to build it — which made it download lots of stuff, compile said stuff, download lots more stuff, compile it, and on and on and on until I ran out of patience.

Wheeler: Insecure open source software libraries?

Posted Apr 9, 2012 1:49 UTC (Mon) by Cyberax (✭ supporter ✭, #52523)

> Then I tried to actually use it, and quickly got frustrated by how many hoops I had to jump through to do things that on Linux would have needed little more than "apt-get install foo" or "./configure && make install"

So that's why you use fink ( http://www.finkproject.org/ ) or simply do "./configure && make install" on Mac OS X.

Oh, and there's that newfangled marketplace for consumer software.

Wheeler: Insecure open source software libraries?

Posted Apr 9, 2012 21:48 UTC (Mon) by rqosa (subscriber, #24136)

> So that's why you use fink ( http://www.finkproject.org/ ) or simply do "./configure && make install" on Mac OS X.

Did you read the paragraph below that? Like I said there, I did use Fink — and even so, I found it very frustrating to do things that were easy to do with Linux distributions / package managers.

For one thing, there seemed to be lots of packages which were available only as source packages in the "unstable branch" (I forget the exact terminology it used), which required me to edit a config file to switch to that branch (or else the package manager would say that the package in question doesn't exist), and I had a hard time finding the documentation that explained how to make that change. And then once I got that far, trying to build the package made it take a huge amount of time downloading and compiling dependencies and build-dependencies, to the point that I never even found out whether it actually finished or not. (This all happened during a group meeting for a class project, where I was trying to install FFmpeg on someone else's computer so he could use it to transcode video files, and it was still downloading/compiling things when I left for the day.)

By comparison, building source packages on Linux distributions (such as AUR packages on Arch Linux) has always seemed a lot easier to me. I suppose it's partly because Mac OS X by default has next to none of the dependencies and build-dependencies installed (e.g. build tools aren't installed, and neither are lots of the libraries which generic-Unix programs like ffmpeg depend on and which are likely already installed on a machine running a Linux distro), and partly because the developer community for Fink is smaller than that of the major Linux distributions and/or unofficial package repositories like the AUR (and other Fink-like projects, such as MacPorts, seem to be even smaller), and thus it has fewer packages.

Wheeler: Insecure open source software libraries?

Posted Apr 9, 2012 23:17 UTC (Mon) by CycoJ (guest, #70454)

> You don't need a monoculture. Android releases include a lot of customizations - yet most of them don't affect app developers at all. The observed problems are mostly caused by changes in hardware (for example, all the programs which assumed you can use a trackball to move around are basically unusable on the Galaxy Nexus S… yet they still run, and users can use them with an external mouse).

Funny, have you actually looked at the review comments for apps on the Android Market? It's full of reviews like "does not work on Samsung ..., HTC ..." and "Please make this work on HTC...".

Wheeler: Insecure open source software libraries?

Posted Apr 10, 2012 10:28 UTC (Tue) by khim (subscriber, #9252)

I was on both sides of the fence… Do you know just why there are all these endless messages? 9 times out of 10 (if not 99 times out of 100) it's because said HTC or Samsung has an older version of the OS than the one clearly written in the app requirements.

This means that complainers don't even think about an OS upgrade (we have the same situation with NaCl, which does not work with MacOS 10.6.7) - and you expect that they will track and install application dependencies? Preposterous.

Wheeler: Insecure open source software libraries?

Posted Apr 26, 2012 9:51 UTC (Thu) by steffen780 (guest, #68142)

Small reality check: go and look at how easy it is to upgrade the average Android phone. Once you've found out, you can come back and complain about lazy users failing to update their devices using official or easy updates that almost always don't exist, or using root access that generally requires reading pages upon pages upon pages to get. If it's possible at all.

And of course if you belong to the 1% or so of people who have the required skillset you have to give up your warranty (according to the manufacturers at least, I for one would love to see this tested in court).

The situation is slightly better on iOS, but even there updates are only available for a fraction of the useful life of these extremely expensive devices.

Copyright © 2013, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds