
Ubuntu, security response, and community contributions

Posted Jul 17, 2008 16:07 UTC (Thu) by madscientist (subscriber, #16861)
Parent article: Ubuntu, security response, and community contributions

I certainly don't want to be an apologist for Ubuntu, although I do use it myself.  But I
think comparing them to Red Hat etc. is not really fair: although the total userbase of Ubuntu
is quite impressive, the number of paying customers for Canonical has got to be a very small
fraction of what a company like Red Hat has.  Thus, Red Hat has a viable positive cash flow
and can afford to fund this kind of development... indeed, that's exactly why people pay them!
Canonical is still being floated by Shuttleworth's fortune (as he's stated recently) and
simply doesn't have the resources to spend.

That said, I do think Shuttleworth's chest-pounding given Ubuntu's position is unfortunate and
ill-advised... if not outright false.  They do some things better than anyone else but they
have a long way to go to catch up to Red Hat, SuSE, etc. in other areas.

Finally, I think some here are being too hard on Ubuntu.  They do create new technology and
they do publish it.  Upstart was already mentioned as an example.  They also have Launchpad
which, whatever you think of it, has some very nice features.  I do have to say that most bugs
I file with Ubuntu ARE pushed up-stream.  That process is getting much better IMO.

And finally, Ubuntu brings something to the GNU/Linux community which is extremely difficult
to create and also impossible to quantify: opportunity and marketing, and a kind of "average
user legitimacy".  I know that virtually all the technology in Ubuntu was there before and/or
was provided by someone else, but putting it together to create that "buzz" and really
concentrating on growing the user base and what that takes is a big task.  While it's not a
technical achievement, it's very hard to do and that success DOES help every GNU/Linux user
and distribution.  As technologists too often we base all our opinions on measurable criteria
such as number of bugs fixed, changes merged, etc. but there are other yardsticks that are
important as well.


Ubuntu, security response, and community contributions

Posted Jul 17, 2008 16:50 UTC (Thu) by mikov (subscriber, #33179)

And finally, Ubuntu brings something to the GNU/Linux community which is extremely difficult to create and also impossible to quantify: opportunity and marketing, and a kind of "average user legitimacy". I know that virtually all the technology in Ubuntu was there before and/or was provided by someone else, but putting it together to create that "buzz" and really concentrating on growing the user base and what that takes is a big task. While it's not a technical achievement, it's very hard to do and that success DOES help every GNU/Linux user and distribution. As technologists too often we base all our opinions on measurable criteria such as number of bugs fixed, changes merged, etc. but there are other yardsticks that are important as well.

I agree 100%. I have my own gripes with Ubuntu (see below), but in my eyes in recent years it has made more for Linux acceptance than the rest of the vendors combined.

Yes, they used work done by others - Debian, RedHat, etc. - without contributing much software, but so what? This is what free software is about. There is nothing immoral or unethical about what Ubuntu is doing! If you don't want Ubuntu to use your software, then don't make it free, I say ...

The problem with Ubuntu, as I see it, is that they don't have the resources to fix bugs and probably lack the leverage with upstream. What happens if you complain to Canonical support about a problem? If it's not a configuration issue, they are probably just going to have to wait like the rest of us for the next upstream release, hoping that it addresses that specific problem. So, I don't see why I would pay them for support.

Ubuntu, security response, and community contributions

Posted Jul 17, 2008 19:01 UTC (Thu) by jspaleta (subscriber, #50639)

"Yes, they used work done by others - Debian, RedHat, etc. - without contributing much software,
but so what? This is what free software is about. There is nothing immoral or unethical about what
Ubuntu is doing!"

Let's be very, very clear.  There is a distinct difference between the community of Ubuntu users
and developers... and Mark Shuttleworth and Canonical.  As much as Shuttleworth would want to
blur the distinction so that he can wrap his statements up in the goodwill of the Ubuntu
community concept to armor them from criticism, he does so at the expense of the Ubuntu
community.

The problem is not the Ubuntu community; the problem is Mark Shuttleworth, who is making some very
aggressive statements that are quite simply over-reaching and not properly supported.  He's
burning goodwill with upstream projects in doing so.

This vulnerability response statement is just the latest example. And I think it's perfectly
appropriate that people start asking him why his company has not invested in a transparent
vulnerability reporting process for Ubuntu users... but is instead relying on unnamed
independent studies to bolster statements to the press.  It doesn't have to be like Red Hat's,
but shouldn't Ubuntu LTS users have something in the same general shape? I think that's a
perfectly reasonable sort of question for Ubuntu users to ask of Shuttleworth and Canonical.

But he's made other high profile statements, to the press and to the public, aggressive
statements which challenge and undermine the processes and work that upstream projects are
using.  Statements about hardware support and about syncing with upstream development to match
Canonical's business interests have been high profile challenges that simply have not been
backed up by his company's own actions: a lack of engaging the upstream projects to help
them do better before going to the press with the idea.

I feel somewhat bad for the Canonical engineers who are engaged with upstream. Shuttleworth is
actually de-valuing what they are doing by making public statements which are out of
proportion with the development work they are doing.  He really needs to let those engineers
lead these sorts of discussions as part of upstream project conversations.  I wonder if he can
do that, take a backseat to the engineers in public facing conversations. Maybe he just
doesn't understand the value of restraint.

Are the things Shuttleworth has made headlines for recently things that Canonical can drive
sustainable development for? I think active community Ubuntu users need to really ask
Shuttleworth and Canonical in general some very hard questions concerning sustainability of
the work they are doing under the Ubuntu brand.  

I believe that Debian as a community reached a sustainable level of development based on the
available resources, and that Debian as a project is going to have a long successful career
serving a specific purpose.  It might be frustrating in some respects, but I believe they've
built a sustainable process.  I'm not so sure Canonical has.

It's an outstanding question, whether Canonical through the creation of the Ubuntu community
has enough resources to sustain the perceived growth happening in the Ubuntu uptake.  Is
Canonical overreaching beyond its own engineering capabilities with its Ubuntu OEM deals? Is
it overreaching with its Ubuntu LTS edition? What happens to Ubuntu if the answer is yes?
Supporters of Canonical admit that they don't have the staffing commitment of Red Hat to
directly support upstream development in the same way. If that is so, then shouldn't all these
sorts of engineering initiatives from Canonical scare the crap out of you as an Ubuntu
community member because it continues to spread engineering resources even thinner?  How
transparent are Canonical's business plans as they relate to your volunteer commitment and needs
as an Ubuntu community member?  Like I said, I think Ubuntu community members need to be a bit
more critical of Canonical and Shuttleworth.

-jef

Ubuntu, security response, and community contributions

Posted Jul 17, 2008 16:50 UTC (Thu) by acathrow (subscriber, #13344)

Quote:
"They do create new technology and they do publish it.  Upstart was already mentioned as an
example.  They also have Launchpad which, whatever you think of it, has some very nice
features."

Unfortunately launchpad is NOT open source.


https://help.launchpad.net/FAQ

"Like Sourceforge and Google Code Hosting Launchpad is not open source. Unlike those other
services, we have committed to making Launchpad Free Software."


Ubuntu, security response, and community contributions

Posted Jul 17, 2008 17:07 UTC (Thu) by madscientist (subscriber, #16861)

Yes, I know; I hope they will fulfill their commitment sooner rather than later and release
it.  I made an unfortunately confusing juxtaposition here.  Saying "they also" was meant to
separate this sentence from the last more definitively.  Launchpad was created in large part
to allow them to interact more fully with "upstream" maintainers, but they haven't published
it, unless you consider making it available as a web service that anyone can subscribe to,
"publishing".

Ubuntu, security response, and community contributions

Posted Jul 17, 2008 19:59 UTC (Thu) by skvidal (guest, #3094)

"Launchpad was created in large part to allow them to interact more fully with "upstream"
maintainers, but they haven't published it, unless you consider making it available as a web
service that anyone can subscribe to,
"publishing"."


No, no one considers that 'publishing'. That's offering access to a closed-source service.
Same as Google or Hotmail, etc.


If you want to see an open source and published hosting system, take a look at
fedorahosted.org

-sv


Ubuntu, security response, and community contributions

Posted Jul 17, 2008 20:18 UTC (Thu) by madscientist (subscriber, #16861)

I don't need to look there; I use savannah.gnu.org all the time.

Ubuntu, security response, and community contributions

Posted Jul 17, 2008 22:48 UTC (Thu) by nix (subscriber, #2304)

google or hotmail or lwn ;)

(still no source? how many years is it now?)

*yanks chain*

;}

Ubuntu, security response, and community contributions

Posted Aug 15, 2008 13:24 UTC (Fri) by tekNico (guest, #22)

> google or hotmail or lwn ;)

> (still no source? how many years is it now?)

At least five. It would still be nice to get it, however I doubt that a specialized, Quixote-based CMS would get much attention: nowadays the momentum in Python web frameworks gathers around Django, Turbogears/Pylons, and Zope2/3/Plone.

Ubuntu, security response, and community contributions

Posted Jul 21, 2008 19:25 UTC (Mon) by ddaa (guest, #5338)

> If you want to see an open source and published hosting system, take a look at
fedorahosted.org

I do not know this, but I am sure it is very nicely done.

However you miss an important point in the text you quoted:

> "Launchpad was created in large part to allow them to interact more fully with "upstream"
maintainers

Launchpad is much more than just a hosting solution. It was designed from day one to encourage
collaboration between upstream projects, distributions and end users, in all the possible
combinations.

Ever since Ubuntu started, Launchpad was being worked on with the explicit goal of bridging
various gaps that make it hard to contribute to the free software ecosystem.

For several years, the Launchpad staff was nearly the size of the ubuntu-core staff (we are
talking in dozens of people here). That strongly suggests that Canonical is genuinely
interested in contributing back.

Disclaimer: I was a Launchpad developer from June 2004 to January 2008.

Ubuntu, security response, and community contributions

Posted Jul 22, 2008 19:24 UTC (Tue) by rahulsundaram (subscriber, #21946)

"Ever since Ubuntu started, Launchpad was being worked on with the explicit goal of bridging
various gaps that make it hard to contribute to the free software ecosystem."

The real way is to open it up to the community and not have a BitKeeper-like situation which
will only lead inevitably to people redoing something like it from scratch because they see
the benefits but don't want to rely on a centralized proprietary service.

Ubuntu, security response, and community contributions

Posted Jul 22, 2008 21:36 UTC (Tue) by ddaa (guest, #5338)

> The real way is to open it up to the community

People at Canonical disagree, for numerous reasons including avoiding fragmentation, keeping
the problem space simpler, and preserving opportunities for revenue.

> and not have a BitKeeper-like situation which will only lead inevitably to people redoing
something like it from scratch because they see the benefits but don't want to rely on a
centralized proprietary service.

This is a strawman. Proprietary end-user software like BitKeeper is very different from
internet services like Launchpad.

And even if people eventually did succeed at implementing a better, more free, and more
successful Launchpad, that would not invalidate the pioneering work that Canonical funded to
ease the flow of knowledge in free software.

Ubuntu, security response, and community contributions

Posted Jul 23, 2008 0:56 UTC (Wed) by mmcgrath (guest, #44906)

> And even if people eventually did succeed at implementing a better, more
> free, and more successful Launchpad, that would not invalidate the
> pioneering work that Canonical funded to ease the flow of knowledge in
> free software.

You trying to convince us or yourself?  The issue here is Canonical embracing open source with
one hand and stealing from it with the other.  No rules are being broken there, but the high
and mighty "we know best" attitude is the mark Canonical is leaving on the very community it
relies on.

The smoke and mirrors people think are the success haven't been founded in any reality I've
seen, and people will start to notice that.  After all, Mark continues to hemorrhage money into
Canonical, at least until he gets bored.  I've yet to see any solid numbers on Ubuntu's success
beyond Google Trends.  People will get bored as they realize those in charge continue to hold
a carrot in front of them, and they'll move on.

Ubuntu, security response, and community contributions

Posted Jul 23, 2008 19:10 UTC (Wed) by ddaa (guest, #5338)

In your reply, the tone alone indicates that you are not interested in constructive
discussion. Or if you are, you need to improve your writing skills.

I acknowledge the effort you made in writing this comment. Sadly, as it is written, it would
be very difficult to reply to while keeping the discussion meaningful.

Ubuntu, security response, and community contributions

Posted Jul 23, 2008 19:13 UTC (Wed) by mmcgrath (guest, #44906)

I'm a technician, not a writer.  How about this:

Ad hominem.  Why attack the argument when you can attack the speaker?  What a common fallacy
you've just committed.  No need to respond; your actions will speak louder. Let us know when
that Launchpad is OSS.  Have a nice day.

Ubuntu, security response, and community contributions

Posted Jul 23, 2008 19:49 UTC (Wed) by ddaa (guest, #5338)

How interesting.

I made a point of attacking only your writing. I even suggested you might be of good faith but
that you just failed at clear expression.

Ubuntu, security response, and community contributions

Posted Jul 23, 2008 1:16 UTC (Wed) by rahulsundaram (subscriber, #21946)

Other than the possible revenue from keeping it proprietary, I don't consider the other
excuses even applicable, especially since the memory of companies using the "fragmentation"
card against free and open source software for years is still fresh, Java being among the
latest to turn around. The way to avoid fragmentation is providing a way for the community to
participate and innovate, not using control. Distributed services with open protocols are the
long term sustainable approach. Centralized proprietary services just won't scale.

The inherent problems of proprietary software are similar whether the software is running on
the client or the server, and in some ways more problematic given the rise of people and
entities hiding behind software as a service to avoid facing the question. Creating walled
gardens is no innovation. One symptom of the many problems with this approach is the workflow
of translations not going to upstream by default and getting locked up in the distribution,
unlike Transifex (http://transifex.org), which the Fedora project seeded and which follows the
upstream-by-default model like the rest of the distribution, in addition to being free and open source.

Ubuntu, security response, and community contributions

Posted Jul 23, 2008 19:47 UTC (Wed) by ddaa (guest, #5338)

You are touching on a lot of topics in this comment, so I could only give very short answers to
each of the points you touched on.

> Other than the possible revenue from keeping it proprietary, I don't consider the other
excuses even applicable

I do not think that per-seat licensing of the Launchpad code is a practical business model for
Canonical. But I do not claim to know beforehand what all the revenue opportunities could be.
A sensible entrepreneur avoids discarding possible unseen revenue streams unless there is a
compelling reason to.

> the memory of companies using the "fragmentation" card against free and open source
software for years is still fresh, Java being among the latest to turn around. The way to
avoid fragmentation is providing a way for the community to participate and innovate, not using
control.

That is true for user-runnable software. And Canonical understands that very well as is
demonstrated by the development processes of Ubuntu and Bazaar.

Fragmentation, when talking about Launchpad, means something else: the value of Launchpad
comes from the inter-relations between the numerous project communities that are using it.
Multiple distinct Launchpad services would make the interactions within any single instance total
less than they could be. More total users increase the value of the project; lost opportunity
decreases it. It is not a clear-cut issue.

> Distributed services with open protocols are the long term sustainable approach. Centralized
proprietary services just won't scale.

This is a good point, and using a federated design was considered early on. This direction was
not chosen to "keep the problem space simpler", as I said in the message you are replying to.
Avoiding the additional complexity of a decentralized design was a good engineering decision
in its own right.

> The inherent problems of proprietary software are similar whether the software is running on
the client or the server, and in some ways more problematic given the rise of people and
entities hiding behind software as a service to avoid facing the question.

Let's agree to disagree. In my view, they are apples and oranges.

> One symptom of the many problems with this approach is the workflow of translations not
going to upstream by default and getting locked up in the distribution, unlike Transifex
(http://transifex.org), which the Fedora project seeded and which follows the upstream-by-default
model like the rest of the distribution, in addition to being free and open source.

Discussing the particular perceived shortcomings of Launchpad translations would distract us
from what I regard as the main point of this thread, and I do not claim to understand this part
of Launchpad well enough to address your concerns.

Ubuntu, security response, and community contributions

Posted Jul 24, 2008 2:20 UTC (Thu) by rahulsundaram (subscriber, #21946)

You said Canonical employees disagreed with opening the source code and giving access to the
community in order to retain potential revenue opportunities. I merely conceded that is an
understandable excuse (though I disagree completely with the decision to keep it proprietary).
I don't know why you even brought up "per-seat licensing". Sensible people working within a
community would want to gain trust by not acting inconsistently or making outlandishly false
claims (cf. security history), whether they are entrepreneurs or not. Anything else is just
short sighted and not even within their self interest.

Multiple distinct instances need not ever decrease the value of the service at all. It depends
on how well you federate it. Sure, it is more complex, but that is the price you need to pay for
working with a distributed community of producers and consumers. In my view, the workflow of
translations is a clear direct result of a deliberate strategy to keep the content within the
distribution essentially closed within itself instead of helping the broader upstream
community. The problem is well known and has never been addressed so far. This, combined with
the decision to keep the source code closed, doesn't indicate or inspire good faith.

Ubuntu, security response, and community contributions

Posted Jul 17, 2008 19:57 UTC (Thu) by mmcgrath (guest, #44906)

"although the total userbase of Ubuntu is quite impressive"

It is?  What number is that?  And where did it come from?

Ubuntu, security response, and community contributions

Posted Jul 18, 2008 23:26 UTC (Fri) by stickster (guest, #40146)

Why don't we ever see responses to this question of statistics?

Ubuntu, security response, and community contributions

Posted Jul 19, 2008 6:08 UTC (Sat) by madscientist (subscriber, #16861)

Because I have much better things to do with my time. Really? This is what you want to argue about, that Ubuntu is not running on enough machines to justify my statement that it has a userbase that is quite impressive? What kind of statistics are you hoping to see, and where would they come from? Maybe Google can give us some numbers, based on the browser ID strings they track. Try filing a lawsuit; it worked for Viacom. Let me know what you come up with.

I'm willing to take the fact that it's won the top spot in every desktop distro contest for the last few years, it's #2 on the Linux Counter list just a point or two behind Debian (which is pretty good considering that that list is unknown beyond long-time, harder-core Linux users--not necessarily the prototypical Ubuntu user), that it's being pre-installed on Dell desktops and laptops, that it's available from Best Buy both online AND boxed in the store, etc. etc.

If that's not good enough for you, then fine: we'll just agree to disagree, because I don't have the energy to argue about something so silly.

Ubuntu, security response, and community contributions

Posted Jul 19, 2008 13:46 UTC (Sat) by stickster (guest, #40146)

Statistics gathering doesn't have to be so random and haphazard.  Fedora does it openly and
transparently, as described here:
https://fedoraproject.org/wiki/Statistics

The smolt project was created as a non-Fedora, cross-distribution effort to help with this
need, and other distros have been repeatedly invited to participate so that we can confidently
talk about the size of the overall installation/user base.  Novell, for example, has recently
joined in.  (Smolt also produces useful hardware metrics.)  Over 15 years into the Linux
story, there's no sense in making these numbers up or sticking our heads in the sand.

I doubt that a driver like accurately showing market size would be considered silly by anyone
basing their business on Linux.  But I understand that many people would rather not argue
about it; so be it.

Ubuntu, security response, and community contributions

Posted Jul 19, 2008 16:58 UTC (Sat) by madscientist (subscriber, #16861)

I think accurate stats are great, and I'd love to see them.  I don't know much about smolt, but
I see no reason why it shouldn't be supported in Ubuntu.  Ubuntu already has the Ubuntu
Hardware Database, and it does have a nice user interface to report hardware info, but the web
site seemed really lame and/or broken when I checked it.  There's also popcon, originally from
Debian, where you can register to have the packages you use reported upstream: this is used to
make sure that the CD, which has limited space, has the most popular packages installed.  But
you can also find out some info about how many machines are running Ubuntu:
http://popcon.ubuntu.com/

The problem with these as stats gathering vehicles is that not only are they off by default
(which probably every such package will always be, and I don't disagree with that) but they
aren't even publicized, so unless you happen to run across them you won't use them.  In order
to be anywhere close to accurate there has to be more "advertising".  Maybe an option to
restrict the data uploaded, for people who aren't interested in publishing details but would
like to be counted.

I also found this with a one-minute Google search, from last year:
http://www.starryhope.com/tech/2007/ubuntu-just-how-popul...

I'm saying that I'm not willing to get into an argument about whether or not Ubuntu has "an
impressive userbase" or not.  For one thing, it's completely ambiguous--if I'd said it has 82%
of the desktops then I would expect to be challenged to justify that statement.  However, I
believe my statement is obviously correct given any objective look at the Linux ecosystem.

If we want to talk constructively about possible ways we could get more accurate statistics
I'm all for that.


Copyright © 2017, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds