ISVs providing Linux downloads

Posted Sep 11, 2012 23:54 UTC (Tue) by khim (subscriber, #9252)
In reply to: ISVs providing Linux downloads by rich0
Parent article: Meeks: Linux on the (consumer) Desktop

> I want ALL my applications to get timely security updates, and not just whatever their respective upstream projects care to support.

That's fine, you can have it. In fact there are dozens of distributions which cater to people like you. The problem? 97-98% of users (OK, let's be generous: 95% of users) don't give a damn—but they want to play a new game the day it is released and they want to install a new "CoolApp" right after they read a review on a news site.

The fact that the Linux desktop caters to people like you is great: I'm pretty sure that's why the Linux desktop market share is stable (if minuscule): such people have no viable alternative. But maybe, just maybe, it'll be good to offer something to the rest of the pack?


ISVs providing Linux downloads

Posted Sep 12, 2012 1:48 UTC (Wed) by cyanit (guest, #86671)

You can have both.

Just make sure that if a new library breaks the ABI, it can be installed side-by-side with the old one and that the old one remains available forever on all newer distributions.

ISVs providing Linux downloads

Posted Sep 12, 2012 4:59 UTC (Wed) by viro (subscriber, #7872)

... along with all its bugs, that is? Guys, all software sucks. Always has, always will. Including the libraries. The rate of discovery falls as the damn thing gets less and less test exposure, but so does the rate of fixing them. The efficiency of an attacker on a systematic hunt for bugs does *not* diminish, though. Moreover, the less exposure the library gets, the less incentive one has to do clean fixes as opposed to minimal ones, so the codebase slides deeper and deeper into bitrot. Making further fixes more and more painful and more likely to introduce new bugs.

BTW, in case it's non-obvious - I agree that the userland approach to API stability is atrociously bad. And API design tends to be just as promiscuous and lousy.

It's just that your "solution" really isn't. Neither is bundling libraries with ISV code using those, for the same reasons.

ISVs providing Linux downloads

Posted Sep 12, 2012 5:02 UTC (Wed) by Cyberax (✭ supporter ✭, #52523)

Yup. And that's why all major OSes move towards various sandboxing technologies.

ISVs providing Linux downloads

Posted Sep 12, 2012 5:39 UTC (Wed) by khim (subscriber, #9252)

> The efficiency of an attacker on a systematic hunt for bugs does *not* diminish, though.

It goes down, too. If a library just sits out there and nobody uses it then it's useless for an attacker anyway. If a library is actually needed by some software then the user will find and install it (unless s/he abandons Linux, that is) and thus it'll be available for the attacker anyway. And if a library is not present in the latest version of the distribution but is transplanted from an older version then it'll be more buggy, not less.

> It's just that your "solution" really isn't.

It's the only alternative which works. We may lament that it's bad for one reason or another (and it is!) but as long as it's the only game in town…

> Neither is bundling libraries with ISV code using those, for the same reasons.

Again: if you don't provide a stable ABI in your system then ISVs will bundle libraries with their offers. Acrobat brings openssl and libcurl, Firefox brings SQLite and NSS. And games bring practically everything including a bundled version of SDL and libvorbis, sometimes even libjpeg and libpng.

If you think that this approach magically makes your system more secure than the one which supplies obsolete libraries in its core then you are sorely mistaken.

As I've said: a few percent of users may be satisfied with the selection of goods offered in their repo. Fine, but maybe it's time to create something for the rest of us?
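
A defender-side check for the bundling described in the comment above, as an added example that is not part of the original thread: it inventories private copies of the named libraries under an application directory, so they can be tracked for security fixes separately from the distribution's packages. The file-name prefixes, the `build_sample_tree` helper and its directory layout are assumptions constructed for illustration.

```python
import os
import re
import tempfile

# Library name prefixes taken from the comment above (OpenSSL, libcurl, SQLite,
# NSS, SDL, libvorbis, libjpeg, libpng). The on-disk names are assumptions.
WATCHED = ("libssl", "libcrypto", "libcurl", "libsqlite3", "libnss3",
           "libSDL", "libvorbis", "libjpeg", "libpng")
SO_FILE = re.compile(r"^(lib.+?)(-[0-9.]+)?\.so(\.[0-9]+)*$")
ELF_MAGIC = b"\x7fELF"

def is_elf(path):
    """True if the file begins with the ELF magic number."""
    try:
        with open(path, "rb") as fh:
            return fh.read(4) == ELF_MAGIC
    except OSError:
        return False

def find_bundled_libs(app_root, watched=WATCHED):
    """Return sorted (library, relative path) pairs for private copies under app_root."""
    hits = []
    for dirpath, _dirs, files in os.walk(app_root):
        for name in files:
            full = os.path.join(dirpath, name)
            m = SO_FILE.match(name)
            if not m or os.path.islink(full) or not is_elf(full):
                continue  # not a real shared object (symlink alias, script, data)
            lib = next((w for w in watched if m.group(1).startswith(w)), None)
            if lib:
                hits.append((lib, os.path.relpath(full, app_root)))
    return sorted(hits)

def build_sample_tree(root):
    """Constructed sample: a fake vendor application directory (hypothetical layout)."""
    files = {"bin/coolapp": b"#!/bin/sh\n", "lib/libssl.so.1.0.0": ELF_MAGIC + b"\0",
             "lib/libSDL-1.2.so.0": ELF_MAGIC + b"\0", "lib/libpng12.so.0": ELF_MAGIC + b"\0",
             "lib/libvendor.so": ELF_MAGIC + b"\0", "lib/libcurl.so.4": b"not an elf"}
    for rel, data in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        for lib, rel in find_bundled_libs(tmp):
            print(f"{lib:12} {rel}")
```

Each hit is a copy that the distribution's package updates will not touch, so its version has to be compared against upstream advisories by hand or by the vendor.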


Copyright © 2017, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds