Domain: netcraft.com
Stories and comments across the archive that link to netcraft.com.
Comments · 4,560
-
This was just too funny...
Aight from:
http://uptime.netcraft.com/up/graph/?mode_u=off&mode_w=on&site=www.riaa.com&submit=Examine
The site www.riaa.com is running Microsoft-IIS/4.0 on NT4/Windows 98. FAQ
NT4/Windows 98 users include ABB Asea Brown Boveri Ltd, Gillette, British Nuclear Fuels Ltd and Ernst & Young International
Microsoft-IIS is also being used by www.dellhost.com, www.datapipe.com, Ferrari and Intel Corporation
Do you want to look for an SSL site at www.riaa.com ?
Uptime Charts and Statistics for www.riaa.com
No uptime is currently available for www.riaa.com.
Netblock Owner
UUNET Technologies, Inc
They're using UUNET and Microsoft products
... hehehe I think a DoS should be the least of their worries ... I would almost go so far as to say it wasn't a DoS attack, but more a BSOD attack ... heh heh heh
-
RIAA technology is outdated
Please please please tell me this is faked
-dk
-
Re:Next month, in Doctor Dobbs' Journal:
Step 1. "Don't use Linux"?
-
Re:SunSite vs ftp.cdrom.com
From netcraft:
The site www.ibiblio.org is running Apache/1.3.26 (Unix) mod_perl/1.27 mod_fastcgi/2.2.12 PHP/4.0.6 on Linux.
No idea of what ftpd daemon ftp.ibiblio.org runs, I get the same response looking up the ftp server in netcraft.
-
Netcraft is your friend.
The Netcraft results show 223 sites ending in Microsoft.com. Yikes.
-
Re:Here is a great reason to prefer BSD
It's probably due to that bug whereby the uptime counter wraps around after 497 days and a few timesteps later. From what I gather, there are people who are working to get that bug squashed but I dunno if their patches have been accepted by Linus. See also this page from Netcraft explaining the potential problems about their method of uptime detection. You'll also learn there that some OSes do not report uptime, among them such "enterprise" favorites as AIX, Tru64, VM, OS/390 and others. So Netcraft's stuff, while interesting, is not a definitive comparison of the relative stability of the various server OSes out on the Net.
-
Re:Now THAT would be interesting...
no, no, no... By making it available for apache they suddenly open themselves up to gain a HUGE portion of the web-programming market-share.
It's tough to be ubiquitous when your software won't run on 59.7% of the websites out there.
It's a lot easier to get people to move to IIS later if all of their code (.NET) is portable.
-
Re:wait a second.....royal.gov.uk runs IIS :((
Buddy, looks like M$ has had their share of fame too. royal.gov.uk is no longer run on Linux. Check this out.
-
Here is a great reason to prefer BSD
http://uptime.netcraft.com/up/today/top.avg.html
You'll notice that 45 of those top 50 are BSD
machines. Of those 45, 19 are FreeBSD boxes.
You'll notice 1 Linux box. It's nice to see that
leading industry sites like bongload.com and
twobigirls.com have benefited so much from the
stability of BSD.
-
A link to the article would have been nice...
But though the editors were lazy or Slashcode was buggy, I'll put in a couple of cents anyway.
First of all, this is bad. Microsoft are not adopting the "if you can't beat 'em, join 'em" ideal. Apache dominates web servers. No doubt about it. To defeat this, Microsoft are going to do what they do best: embrace, extend, eradicate.
Based on Microsoft's history, any components they write for Apache will be closed source. If it is not entirely closed, the crucial parts will be. Microsoft are not interested in opening up their IP. Consider this as one of the many possible scenarios:
Following initial proof of concept, first stage deployments and so forth, Microsoft will begin the trouble. It will strangely cease to work. Apache will be to blame and sites will likely have to apply patches from Microsoft or just deal with them. At the same time, IIS will lack these problems. They will work to create inroads into the *nix space with Win.NET and IIS.
Keep Microsoft out of open source. They have no business being here. Instead, Apache people should look at either of the two .NET initiatives that are Free.
-
Re:Palladium is E-V-I-L
They still run IIS.
Remember the Windows Update/Code Red fiasco?
If the fish was big enough, SOMEONE would find a way in, and r00t to every Windows box in the world is a fairly big fish.
-
Re:So...
the stability argument went out the window (pun intended) with WinME.
WinME stable? Excuse my language, but, bullshit. I know that's false from experience. Had you stuck with Win2k and XP I wouldn't have responded.
Besides until Windows is listed here, its stability is still relative.
-
Re:My school district's
-
Re:Doesn't this prove at secure systems are bad ?
Note that statistically, 0.31% of defaced sites were running OpenBSD, which greatly contrasts with netcraft's statistics that over 59% of indexed web sites use the Apache httpd server, and considering that Apache runs on the BSD's, Linux, commercial *nix's, Windows, MacOS ... even assuming an equal distribution, this means that the defaced sites are at least two orders of magnitude less than the total sites using OpenBSD (ok, that is a lot of assuming, but I couldn't find statistics of server OS distribution).
-
Netcraft survey
Stats on the server are interesting that either it stopped being "up" or stopped being monitored before June.
Or did I read the graph wrong?
-
Linux uptime stats wraparound at 497 days
You can't say BSD systems have the best uptime based on Netcraft surveys. Linux systems have a limit of 497 days for reported uptime. After that, the uptime wraps around. There are several Linux systems with such uptimes. That being said, BSD systems are highly reliable and efficient and may have a higher uptime than Linux.
See the Netcraft FAQ at http://uptime.netcraft.com/up/accuracy.html#cycle
-
codesta.com uptime
If you want to learn about uptime, don't bother going to codesta.com. Their servers have already melted from a brutal slashdotting. According to Netcraft, codesta.com runs Linux and has 74 days of uptime... until today!
-
Thats why
Goatse.cx runs on Microsoft IIS! So it can reliably bring you that anus! None of your open sores crap!
Proof that Open Sores is unreliable! Don't click if you run an open sores OS!
-
Re:What's wrong with Netscape-Enterprise server?
most of the time they do practice what they preach
:)
-
Re: Apple Servers
Well, according to this chart, Apple was hosting their websites on Solaris machines until late 2000. It looks like instead of just trashing the machines, Apple shuffled them off into the back rooms to handle lesser duties like SU and such.
I think this is a good idea, as 1) the machines are still good, and 2) it saves resources by using them as long as possible. Apple's server forays are still relatively new (and against the spirit of building personal computers), so it's natural that they'd had somebody else's boxen.
-
In other news
Goatse.cx has changed from apache and now runs on Microsoft IIS!
-
Ironic
"[Compiled Apache 2 binaries] are currently available from http://www.phi-web.co.uk/ps2-apache/"
The site www.phi-web.co.uk is running Apache/1.3.22 (Unix) [...] on FreeBSD.
-
Run IIS when you're gonna anger computer geeks?
However, given a choice of evils, I would prefer these DoS attacks rather than legislation. On the other hand, however, couldn't these DoS attacks be considered illegal, or hacking, or terrorist acts by already too broad US legislation???
I hadn't thought of that, but I suppose injecting stuff like that into the network is a form of denial of service attack.
It's interesting, also, that a company which has to know that it will incur the electronic wrath of computer geeks everywhere, is foolish to run such an insecure webserver:
www.sk.com appears to run IIS on Windows NT.
www.overpeer.com appears to run IIS on Windows 2000. (I assume www.overpeer.com is theirs, but whois was inconclusive and there's a directory listing denied message up at their document root. Heh.)
Note that sk.com and therefore Overpeer both appear to operate out of third-world countries (Korea, China, whatever) and therefore are essentially immune to US-based prosecution for their network attacks, and, I'd imagine, immune to US protection from network attacks.
They're idiots and won't last very long.
-
Important news! Goatse.cx Switches to MS IIS!
You heard it! Goatse.cx no longer uses the open sores web server apache and now uses Microsoft IIS, As reported by netcraft! Hopefully his anus will get better!
-
slashdotted!
This paper analyzes the amount of source code in GNU/Linux, using Red Hat Linux 7.1 as a representative GNU/Linux distribution, and presents what I believe are interesting results.
In particular, it would cost over $1 billion ($1,000 million - a Gigabuck) to develop this GNU/Linux distribution by conventional proprietary means in the U.S. (in year 2000 U.S. dollars). Compare this to the $600 million estimate for Red Hat Linux version 6.2 (which had been released about one year earlier). Also, Red Hat Linux 7.1 includes over 30 million physical source lines of code (SLOC), compared to well over 17 million SLOC in version 6.2. Using the COCOMO cost model, this system is estimated to have required about 8,000 person-years of development time (as compared to 4,500 person-years to develop version 6.2). Thus, Red Hat Linux 7.1 represents over a 60% increase in size, effort, and traditional development costs over Red Hat Linux 6.2. This is due to an increased number of mature and maturing open source / free software programs available worldwide.
Many other interesting statistics emerge. The largest components (in order) were the Linux kernel (including device drivers), Mozilla (Netscape's open source web system including a web browser, email client, and HTML editor), the X Window system (the infrastructure for the graphical user interface), gcc (a compilation system), gdb (for debugging), basic binary tools, emacs (a text editor and far more), LAPACK (a large Fortran library for numerical linear algebra), the Gimp (a bitmapped graphics editor), and MySQL (a relational database system). The languages used, sorted by the most lines of code, were C (71% - was 81%), C++ (15% - was 8%), shell (including ksh), Lisp, assembly, Perl, Fortran, Python, tcl, Java, yacc/bison, expect, lex/flex, awk, Objective-C, Ada, C shell, Pascal, and sed.
The predominant software license is the GNU GPL. Slightly over half of the software is simply licensed using the GPL, and the software packages using the copylefting licenses (the GPL and LGPL), at least in part or as an alternative, accounted for 63% of the code. In all ways, the copylefting licenses (GPL and LGPL) are the dominant licenses in this GNU/Linux distribution. In contrast, only 0.2% of the software is public domain.
This paper is an update of my previous paper on estimating GNU/Linux's size, which measured Red Hat Linux 6.2 [Wheeler 2001]. Since Red Hat Linux 6.2 was released in March 2000, and Red Hat Linux 7.1 was released in April 2001, this paper shows what's changed over approximately one year. More information is available at http://www.dwheeler.com/sloc.
1. Introduction
The GNU/Linux operating system has gone from an unknown to a powerful market force. Netcraft found that, of the systems running web servers on June 2001, GNU/Linux was now the second most popular operating system (with 29.6%, versus Windows' 49.6%) [Netcraft 2001]. Another survey, of primarily European and educational sites, found that GNU/Linux was used more than any other operating system (of the sites it surveyed) [Zoebelein 1999]. IDC found that 25% of all server operating systems purchased in 1999 were GNU/Linux, making it second only to Windows NT's 38% [Shankland 2000a].
There appear to be many reasons for this, and not simply because GNU/Linux can be obtained at no or low cost. For example, experiments suggest that GNU/Linux is highly reliable. A 1995 study of a set of individual components found that the GNU and GNU/Linux components had a significantly higher reliability than their proprietary Unix competitors (6% to 9% failure rate with GNU and Linux, versus an average 23% failure rate with the proprietary software using their measurement technique) [Miller 1995]. A ten-month experiment in 1999 by ZDnet found that, while Microsoft's Windows NT crashed every six weeks under a ``typical'' intranet load, using the same load and request set the GNU/Linux systems (from two different distributors) never crashed [Vaughan-Nichols 1999].
However, possibly the most important reason for GNU/Linux's popularity among many developers and users is that its source code is generally ``open source software'' and/or ``free software''. A program that is ``open source software'' or ``free software'' is essentially a program whose source code can be obtained, viewed, changed, and redistributed without royalties or other limitations of these actions. A more formal definition of ``open source software'' is available from the Open Source Initiative [OSI 1999], a more formal definition of ``free software'' (as the term is used in this paper) is available from the Free Software Foundation [FSF 2000], and other general information about these topics is available at Wheeler [2000a]. Quantitative rationales for using open source / free software is given in Wheeler [2000b]. The GNU/Linux operating system is actually a suite of components, including the Linux kernel on which it is based, and it is packaged, sold, and supported by a variety of distributors. The Linux kernel is ``open source software''/``free software'', and this is also true for all (or nearly all) other components of a typical GNU/Linux distribution. Open source software/free software frees users from being captives of a particular vendor, since it permits users to fix any problems immediately, tailor their system, and analyze their software in arbitrary ways.
Surprisingly, although anyone can analyze GNU/Linux for arbitrary properties, I have found little published analysis of the amount of source lines of code (SLOC) contained in a GNU/Linux distribution. Microsoft unintentionally published some analysis data in the documents usually called ``Halloween I'' and ``Halloween II'' [Halloween I] [Halloween II]. Another study focused on the Linux kernel and its growth over time is by Godfrey [2000]; this is an interesting study but it focuses solely on the Linux kernel (not the entire operating system). Paul G. Allen posted some results from running Scientific Toolworks, Inc.'s tools on the Linux kernel, but this analysis only considered C code (including headers) - ignoring the many other languages used in constructing the Linux kernel (e.g., assembly language), and only concentrating on the kernel. The Free Code Graphing Project at http://fcgp.sourceforge.net generates a graphical representation of a program (currently, the Linux kernel), but only of the C code. In a previous paper, I examined Red Hat Linux 6.2 and the numbers from the Halloween papers [Wheeler 2001].
This paper updates my previous paper, showing estimates of the size of one of today's GNU/Linux distributions, and it estimates how much it would cost to rebuild this typical GNU/Linux distribution using traditional software development techniques. Various definitions and assumptions are included, so that others can understand exactly what these numbers mean. I have intentionally written this paper so that you do not need to read the previous version of this paper first.
For my purposes, I have selected as my ``representative'' GNU/Linux distribution Red Hat Linux version 7.1. I believe this distribution is reasonably representative for several reasons:
- Red Hat Linux is the most popular Linux distribution sold in 1999 according to IDC [Shankland 2000b]. Red Hat sold 48% of all copies in 1999; the next largest distribution in market share sales was SuSE (a German distributor) at 15%. Not all GNU/Linux copies are ``sold'' in a way that this study would count, but the study at least shows that Red Hat's distribution is a popular one.
- Many distributions (such as Mandrake) are based on, or were originally developed from, a version of Red Hat Linux. This doesn't mean the other distributions are less capable, but it suggests that these other distributions are likely to have a similar set of components.
- All major general-purpose distributions support (at least) the kind of functionality supported by Red Hat Linux, if for no other reason than to compete with Red Hat.
- All distributors start with the same set of open source software projects from which to choose components to integrate. Therefore, other distributions are likely to choose the same components or similar kinds of components with often similar size for the same kind of functionality.
Different distributions and versions would produce different size figures, but I hope that this paper will be enlightening even though it doesn't try to evaluate ``all'' distributions. Note that some distributions (such as SuSE) may decide to add many more applications, but also note this would only create larger (not smaller) sizes and estimated levels of effort. At the time that I began this project, version 7.1 was the latest version of Red Hat Linux available, so I selected that version for analysis.
Note that Red Hat Linux 6.2 was released on March 2000, Red Hat Linux 7 was released on September 2000 (I have not counted its code), and Red Hat Linux 7.1 was released on April 2001. Thus, the differences between Red Hat Linux 7.1 and 6.2 show differences accrued over 13 months (approximately one year).
Clearly there is far more open source / free software available worldwide than is counted in this paper. However, the job of a distributor is to examine these various options and select software that they believe is both sufficiently mature and useful to their target market. Thus, examining a particular distribution results in a selective analysis of such software.
Section 2 briefly describes the approach used to estimate the ``size'' of this distribution (more details are in Appendix A). Section 3 discusses some of the results. Section 4 presents conclusions, followed by an appendix. GNU/Linux is often called simply ``Linux'', but technically Linux is only the name of the operating system kernel; to eliminate ambiguity this paper uses the term ``GNU/Linux'' as the general name for the whole system and ``Linux kernel'' for just this inner kernel.
2. Approach
My basic approach was to:
- install the source code files in uncompressed format; this requires carefully selecting the source code to be analyzed.
- count the number of source lines of code (SLOC); this requires a careful definition of SLOC.
- use an estimation model to estimate the effort and cost of developing the same system in a proprietary manner; this requires an estimation model.
- determine the software licenses of each component and develop statistics based on these categories.
More detail on this approach is described in Appendix A. A few summary points are worth mentioning here, however.
2.1 Selecting Source Code
I included all software provided in the Red Hat distribution, but note that Red Hat no longer includes software packages that only apply to other CPU architectures (and thus packages not applying to the x86 family were excluded). I did not include ``old'' versions of software, or ``beta'' software where non-beta was available. I did include ``beta'' software where there was no alternative, because some developers don't remove the ``beta'' label even when it's widely used and perceived to be reliable.
I used md5 checksums to identify and ignore duplicate files, so if the same file contents appeared in more than one file, it was only counted once (as a tie-breaker, such files are assigned to the first build package it applies to in alphabetic order).
The code in makefiles and Red Hat Package Manager (RPM) specifications was not included. Various heuristics were used to detect automatically generated code, and any such code was also excluded from the count. A number of other heuristics were used to determine if a language was a source program file, and if so, what its language was.
Since different languages have different syntaxes, I could only measure the SLOC for the languages that my tool (sloccount) could detect and handle. The languages sloccount could detect and handle are Ada, Assembly, awk, Bourne shell and variants, C, C++, C shell, Expect, Fortran, Java, lex/flex, LISP/Scheme, Makefile, Objective-C, Pascal, Perl, Python, sed, SQL, TCL, and Yacc/bison. Other languages are not counted; these include XUL (used in Mozilla), Javascript (also in Mozilla), PHP, and Objective Caml (an OO dialect of ML). Also code embedded in data is not counted (e.g., code embedded in HTML files). Some systems use their own built-in languages; in general code in these languages is not counted.
-
Re:What's the exhibit?
MS have already been handing out samples of their OS to the expo's organisers:
NETCRAFT
As you can see, the guys were so chuffed with NT4, they moved the website to it!
-
Uptime calculation?
What is Netcraft using to calculate the uptime? There's just vague explanation of it. Does anybody have details on what they are doing?
-
Re:Oh please...
Yeah, seriously. Apparently they've never even heard that *BSD is dying! So, I've taken the liberty of translating that classic informational post into Japanese English -- does someone want to go post this on slashdot.jp?
Netcraft confirm: *BSD are dying!
Crippring bombsherr hit bereaguered *BSD community. Recentry IDC confirmed *BSD account for ress than fraction of 1 percent arr server.Ratest Netcraft survey prainry state *BSD rost more market share! This news reinforce what we know arr arong. *BSD corrapsing in comprete disarray, further exemprified by fairing dead rast in the recent Sys Admin comprehensive network test.
You don't need to be Kreskin to predict *BSD's future. Hand writing is on warr: *BSD faces break future. In fact there is no future for *BSD because *BSD is dying. Things are rooking very bad for *BSD. *BSD continues to ruse market share. Red ink frow rike river of brood! FreeBSD most endangered of them arr, ruse 93% of core deveropers.
Ret's keep to the facts and rook at the numbers.
OpenBSD reader Theo state 7000 users of OpenBSD. How many users of NetBSD are there? Ret's see. Number of OpenBSD versus NetBSD post on Usenet roughry in ratio of 5 to 1. Therefore there are about 7000/5 = 1400 NetBSD user. BSD/OS post on Usenet about harf of the vorume NetBSD posts. Therefore about 700 users of BSD/OS. A recent articre put FreeBSD at about 80 percent of the *BSD market. Therefore (7000+1400+700)*4 = 36400 FreeBSD users. This are consistent with number of FreeBSD Usenet post.
Due to troubres of Warnut Creek, abysmar sares and so on, FreeBSD out of business and was take over by BSDI who serr another troubred OS. Now BSDI arso dead, corpse turned over to yet another charner house.
Arr major survey show *BSD has steadiry decrined in market share. *BSD very sick and rong term survivar prospects are very dim. If *BSD is to survives at arr it wirr be among OS hobbyist dabbrers. *BSD continue to decay. Nothing short of a miracre courd save it at this point in time. For arr practicar purpose, *BSD are dead.
Arr your base are berong to us.
-
Wrong?
Although the amount of active sites is certainly important, it should be noted that the drop you state is a (minuscule) drop in the total market share of internet sites, not a drop in usage. There was still a 5% increase (10.4 million to about 11 million) in active sites served by Apache. Also worth noting is the -0.85 drop by MS (also with about 5% increase in total active sites). What is somewhat perplexing is that of the four major developers listed, only iPlanet showed a growth in the market share of active sites, and its growth is not great enough to account for the drop in Apache and MS. Who are the tiny developers that are taking over relatively large amounts of market share, then?
-
Their web site runs on MS s/w
Much to my surprise netcraft showed that www.linuxworldexpo.com is running on MS machines!
Now I know that the web server s/w id can be faked (eg walmart) but the OS is shown as MS too!
also they have had linux+apache listed in the past, so i can only guess that they may have a mix (mirrors) or have switched to MS totally =/
-
Re:Well proven?
What survey are you talking about? The Secure Server Survey? That's not SSH...
If you really mean a SSH (not SSL) survey, by Netcraft, I don't know about it and can't find it on their website...where is it?
-
Well proven?
I'd point them to the Netcraft survey.
More than half the sites with SSH are using OpenSSH.. Tell them to go get a clue instead.
-
Re:Big whoop.
You obviously don't see the big picture. My guess would be that the majority of LameSpy downloaders are kids, either on the computer that daddy bought them, or on daddy's computer. Chances are that most of the 3000 people know just about squat about their computer beyond how to turn it on, frag like hell, and possibly how to turn it off.
Enter Nimda. Replicating at a rate whose exponent is the average of the number of email contacts in the infected group, in this case about 3000 minus the number of machines had virus scanners which actually caught the bug - most likely the number of infected machines is about half the number of downloads. How many people on those email lists are not terribly computer literate as well?
Not trying to blow a lot of fud on the table, but the reality is that these 1500 infected comps boils down to a real pain in the ass, simply because the, ahem, technicians at AdServerSpy can't properly manage their IIS box. I'm sorry, but enough is enough. Companies need to be held accountable when something this sloppy happens. I couldn't think of a better first pick than GameSpy... well, maybe ONE better pick...
-
Read this!
OpenBSD is insecure! It has a remote hole and it even ADMITS IT ON ITS WEBSITE Another thing, openbsd is crap, and even the openbsd project itself doesn't use it! It runs on solaris!
-
Microsoft holds the top spot???
"With some 27 percent of the market, Linux is now the second most popular operating system for servers, supplanting the decades-old operating system UNIX; Microsoft holds the top spot. "
I imagine most of these "servers" are domain controllers and the like, it's funny how they forgot to include Apache statistics, most of which I'm assuming run on *nix (is there really that large of a statistic that run Apache on Windows?)
Apache - 56.21%
Microsoft - 31.68%
Zeus - 2.26%
iPlanet - 2.19%
http://www.netcraft.com/Survey/
-
Why don't you take your own advice, fucktard?
According to Netcraft:
The site www.trollaxor.com is running Apache/1.3.24 (Unix) mod_perl/1.26 on FreeBSD.
You pathetic hypocrite. While you're eating crow, why don't you plug the glaring leaks in your site? You can't code worth shit, and any script kiddie with a rudimentary port scanner and trojan prog could own you in a split second. Dumbass.
-
Re:Who will 'force them'??
The majority of websites run Apache. If J.Q. Public can't access the majority of the web, he's going to complain, and possibly return his computer as being defective.
-
Teoma runs on M$!
-
Re:oxymoronic
Security? A comparison of 2001 CERT advisories shows that closed source software constituted 72%.
Stability? Netcraft shows that the web servers with the top 10 average and the top 19 maximum uptimes are Open Source.
Open source allows people who are passionate about coding to code great things in large groups. They get great stability and security through honest desire and mass co-operation.
Closed source allows people who are passionate about money to code profitable things in small groups. They get money through marketing. Being closed allows them to brush problems under the carpet in the hope that they won't get noticed until after that product's lifetime. Or even claim that problems are merely "theoretical", until someone posts a "BeSysAdm.exe".
source availability has little to do with the security or reliability of software.
I have been supporting closed source software for the past 9 years and I've been using open source software for about 5 years, supporting for about 3.
Linux, FreeBSD and OpenBSD has NEVER crashed on me in normal circumstances (I have managed to make Linux crash when tweaking and building custom kernels). I could never say this about any closed source software I've supported. Netware is pretty stable, but can't touch FreeBSD from what I've seen.
OpenBSD is secure because Theo and friends
Of course, but plenty of fixes and alerts come from people who are simply able to read the source and "friends" come into the stable due to being able to read it in the first place.
this security comes at a steep cost ((re)training, missing features, maintenance).
Learning OpenBSD for someone who is knowledgeable about network security is far from steep learning.
Very few machines can be made useful running only the "default install".
Even in light of the recent vulnerability, Apache actually has a good security history. The last time it was mentioned in a CERT advisory was 1996. IIS has been mentioned 8 times since. Then there's Qmail...
Compare, what?
Oh I don't know, compare the comparative?
IIS? NT/2000?
Open source also allows fixes to come very quickly. Often the person who was able to find the exploit, also supplies a patch to fix it. If not, it often comes within a day or even hours. Can you find a closed source hole that was fixed in hours?
-
The benefits...
Come from a collaborative effort on the behalf of the many developers to patch the vulnerabilities once they are discovered. Sure, that's just as easy to do in a closed source environment, but when you have multiple developers in multiple time zones all hacking away at the same time, communicating over the net, it becomes a lot more easy.
Another difference application security makes is the popularity of the software. Obviously my little not apache linux web server hasn't been compromised because it only represents less than 0.005% of all webservers. IIS, while representing less of a market share than Apache (Netcraft), is more of a target because of the fact that they are used by highly desirable corp's and govt's. Govt's are more likely to run IIS because they are somewhat important and there needs to be a source of responsibility for the software they *purchased*, same goes with the typical e-commerce vendor, who if misses a day of availability needs someone to either sue, or to have fix it.
All that said, there is still the human-admin factor. As we have seen very recently -- both IIS and Apache are prone to being vulnerable to attack, it's the response time of the developers and the competency of the admin to roll out and apply the patches/upgrades. There was a story on here earlier (month or so?) regarding the weakest security link in IT being the employees, but the same holds true for lazy admins. It's not entirely the product you use, but the level of knowledge you have regarding the product, and your competency in making the service secure.
-
Re:What's the back end?
Hmm, I seem to remember the web server being something that they wrote custom for their purposes. netcraft shows them as running GWS/2.0, which I would take for Google Web Server. They're running it on linux, but that doesn't mean what distro they're using. I also remember them (somewhere on the google.com site) saying that they had mixes of Linux, BSD, Solaris, and others.
I don't know, but I like it...
-
Re:Us techies know how to deal with it ...
Actually, if you sort on max uptime, you see that 49 of the top 50 uptimes run some variant of UNIX. There is one entry for Windows 2000, but its average is only nine days.