The monoculture of meritocracy
Posted Nov 15, 2012 14:12 UTC (Thu) by khim
In reply to: The monoculture of meritocracy
Parent article: Crowding out OpenBSD
This sort of thing is certainly common in low-level crypto design (e.g., side-channel attacks from algorithms that aren't carefully designed to do the same operations regardless of the input), and is one of the many motivations for the AES and SHA competitions involving getting lots of different people to propose different ideas and attack each other's ideas, instead of collaborating on a single algorithm.
This is good example. Let me rephrase the question: why do you think Linux is a problem while AES and SHA are Ok? IOW: why even have a contest where one winner is picked and then reused everywhere if monoculture is so bad?
AFAICS Linux fulfills the same role as AES or SHA: different implementations are offered and one it picked, then used everywhere. If it was a bad decision then later it can be changed (see: DES to AES and MD5 to SHAxxx transitions).
We don't support the ability to use some exotic and clever ciphers in our documents and web-servers (only when some cipher wins the contest it's used for "real" programs), why should we support the ability to run "real" programs on experimental OSes like OpenBSD or Haiku?
On the software side, I've heard of cases where, e.g., several separate security bugs were found regarding NT's kernel entry ABI, and you couldn't fix those bugs at once without completely redesigning that ABI and possibly API.
If that happens then you need to redesign said ABI, it makes no sense to cultivate series of OSes each with it's own problems: sooner or later they all will be compromised if you'll not tighten them up.
to post comments)