Bill Gates: Windows Patched Faster than Linux
petard writes "In a very interesting interview published by the Register, Bill Gates made several interesting claims about Longhorn. Many of them have been extensively covered recently, including plans to force users to patch automatically. Surprisingly, everyone seems to have overlooked his statement that Microsoft fixes bugs faster than Linux developers do. 'We've gone from little over 40 hours on average to 24 hours. With Linux, that would be a couple of weeks on average.' Either he's lying or woefully misinformed; their recent performance seems to be more on the order of 3+ months, or over 2000 hours."
I mean, after I install an average workstation of redhat 9.0 I see a lot more patches downloaded from up2date than the 36 or so for a fresh XP Pro install. Of course I mean for all the apps, not just core kernel stuff.
Minor version numbers for *nix packages seem to increase faster, which is a good thing because that means more holes getting patched faster [than Windows].
I guess my comment is that we need to see more Windows patches at a much faster rate, and stop being surprised when MS issues 4 patches in one day. Hell, up2date issues 4 new updates a day on a slow day ;)
And NONE in the preceding month. Microsoft may (or may not) be fixing them in 24 hours. But they are now officially on a once a month patch RELEASE schedule.
I'd like to know what part of the process he is talking about. Is that the time between when the hole is made public and when the patch is released? That would explain things a bit... since MS typically can keep the news under wraps until they release the patch simultaneously.
Including a lot of "0 seconds between bug announcement and patch release" is bound to give you a much lower average. So, it would be possible for MS to receive 85 bug reports, suppress all but one for three months, release 85 patches and average just a bit better than 24 hours between public announcement and patch.
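The measurement effect described in the post above, worked through in code. This is an added example, not part of the Slashdot thread and not anything Microsoft or a Linux distributor publishes: the records, dates and labels are constructed to mirror the scenario in the post (bugs reported at the same time, all but one held privately until a combined release), and the two metric functions are my own definitions, one counting from public disclosure and one from the original report.

```python
"""Two ways of measuring 'time to patch', and why they disagree.

Added example with constructed data only; the SAMPLE-* labels are
placeholders, not real vulnerability identifiers.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import mean, median


@dataclass(frozen=True)
class VulnRecord:
    ident: str            # constructed label, not a real CVE id
    reported: datetime    # when the vendor first learned of the bug
    disclosed: datetime   # when the bug became public
    patched: datetime     # when a fix was released to users


def hours(delta: timedelta) -> float:
    return delta.total_seconds() / 3600.0


def disclosure_to_patch_hours(records):
    """Public-announcement-to-patch: a patch released together with the
    announcement scores zero, whatever happened before the announcement."""
    return [hours(r.patched - r.disclosed) for r in records]


def report_to_patch_hours(records):
    """Report-to-patch: includes the whole period the bug sat privately
    known to the vendor, which the metric above never sees."""
    return [hours(r.patched - r.reported) for r in records]


def summarize(records):
    d = disclosure_to_patch_hours(records)
    r = report_to_patch_hours(records)
    return {
        "disclosure_to_patch_mean_h": mean(d),
        "disclosure_to_patch_median_h": median(d),
        "report_to_patch_mean_h": mean(r),
        "report_to_patch_median_h": median(r),
    }


def build_sample(n_coordinated: int = 84, leak_hours: float = 24 * 90):
    """Constructed dataset: n_coordinated bugs reported on day 0, held
    privately for 90 days and announced on the same day their patches
    ship; one more bug becomes public on day 0 and waits the full 90 days
    for its patch."""
    t0 = datetime(2004, 1, 1)          # constructed start date
    release = t0 + timedelta(days=90)  # combined announce-and-patch day
    recs = [
        VulnRecord(f"SAMPLE-{i:03d}", reported=t0, disclosed=release, patched=release)
        for i in range(n_coordinated)
    ]
    recs.append(VulnRecord("SAMPLE-LEAK", reported=t0, disclosed=t0,
                           patched=t0 + timedelta(hours=leak_hours)))
    return recs


if __name__ == "__main__":
    for k, v in summarize(build_sample()).items():
        print(f"{k:32s} {v:10.1f}")
```

With the constructed 85 records, the disclosure-to-patch mean comes out at roughly a day (one 2160-hour outlier divided across 85 bugs) and its median at zero, while the report-to-patch mean and median are both 2160 hours. Whichever vendor or project is being compared, the number is meaningless without stating which of the two clocks it uses.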
Now I'm no Gates apologist -- I haven't even used Windows for years, except when I am forced to kicking and screaming -- but harping on these statements bothers me.
In 1981, NOBODY needed 640k on the desktop. IBM PCs shipped with a tenth that amount of memory. Even assuming memory growth is exponential in the same manner as Moore's Law, this meant that the average user probably wouldn't need 640k for five years or more. Even in 1987, I remember programs (such as WordPerfect 4.2) that could fit on a single 360k floppy -- so the 640k prediction held for several generations of machine. Not a bad prediction in the computer industry.
There were good reasons for making the 640k assumption. All I'm saying is, don't fault an engineer for making a design decision, even if you don't like him personally.
Having said that, you want a desktop application that takes up more than 4 GB of physical memory? Go download the OpenOffice source and add a line:
calloc(4294967296,sizeof(char));
Take THAT, Bill!
Most likely, he's just reporting what he's being told. And most likely, it's being mis-measured by someone.
Microsoft is a big company, and Windows is a very complex beast. My initial thought is that perhaps the security developers do indeed code and submit a patch within 24 hours.
But then the patch has to wend its way through the labyrinth of QA and regression testing. Because Windows is so highly integrated, even small changes can have big unforeseen consequences, so they can't rush patches out the door without breaking things. I believe Microsoft makes patches available via their support pages well before it hits Windows Update. What *we* are measuring is the time from bug report to being in Windows Update; what *they* are probably measuring is time to patch submittal or time to initial availability via support.
I really, really prefer the improved code separation in the Unix environment; if, say, BIND has a problem or exploit, it's highly unlikely that a patch to it will break Postfix or Apache. Because things are better separated, the developers understand their packages better and can more confidently push patches into their stable branches.
I worry a little about the way the Unix desktops are becoming increasingly interdependent, with lots of libraries and lots of integration... are we going to end up in the same place, eventually? Microsoft doesn't employ idiots, and considering the amount of trouble they've had scaling, well.... I just hope the free software developers are thinking about this.
...no one is posting any hard data, any more than he is. This post references actual numbers, but other than "what a freaking liar/what a misinformed idiot" no one is offering proof on the matter.
ZOMG I WOULD LOVE TO KNOW ABOUT YOUR FEELINGS ON MACINTOSH VERSUS WINDOWS, VI VERSUS EMACS, AND HOW YOU'RE NOT A DORK
By "time until fixed in the source tree", I'm just pointing out that Microsoft may take months to roll out a patch to users in a hotfix or service pack.
Also, to be fair, I suspect that few users immediately apply kernel patches in the Linux world. They wait until RH's up2date or Debian's apt-get sucks down the latest and greatest. A fair comparison might say "Microsoft does not attempt to supply a 'rapid-release' patch for technical users at all, unlike the Linux community. However, its time-to-Joe-end-user-release is comparable to that of Red Hat." or something along those lines.
I certainly feel that, at least applying the immediately obvious and most useful criteria, Microsoft does *not* fix bugs (release patches) more quickly than the Linux community.
May we never see th
When is the last time a vulnerability in the windows kernel was found? To be fair, we will include vulnerabilities in the HAL, since in Linux the kernel contains that functionality as well.
OpenSSH is a part of Linux as much as RPC or Windows Messaging is a part of Windows.
If a Linux kernel exploit is fixed in minutes, then it was a pretty dumb bug. Microsoft has been good lately about doing proactive security reviews, and they often find holes before anyone else does. Linux mostly seems to do reactive fixes, at least from where I'm sitting. Which is to say, at a Windows XP machine, but right next to a Gentoo Linux system.
"You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
Actually, I think he's referring to the time between Microsoft admitting there is a bug and the time a patch is available.
Example: Today's Windows bug. Microsoft announced it today and patched it today. That's less than 24 hours to "fix" it.
This type of logic makes perfect sense to the PR or marketing departments.
- Tony
It's not like revisionist history is a new concept. In 1981, I could completely see Bill Gates saying the 640K quote and having it taken out of context. One of the Watsons (of founding IBM fame, I can't remember if it was Sr. or Jr.; I'm guessing Sr.) once said that worldwide we'd probably only need 5 computers ever. It's not like he's terribly stupid either.
If you really want to have fun and games, write down a particular fact that you can't remember a specific event ever happening in your childhood. Now, store that piece of paper someplace safe. Now every day imagine that event happening. Picture in your mind how you would remember it if it happened. Over the course of time, you'll "remember" it as a fact that is just like all of your other memories from childhood. You'll know it's inaccurate, but to your mind you can't tell between the old true memories and the newly fabricated memories. It's a simple form of brainwashing. I have specific memories that I know for a fact never happened. I constructed a conversation I never had once for the purpose of trying this out. It's the old adage that a lie repeated often enough becomes true.
I'll willingly admit it's entirely possible Bill never said that, and he surely can't prove he never said it. However, I'll never trust Bill's memory about him not saying it. However, if you tracked down the original references to it and debunk that, now you have something. Somebody has to cite it. It's in the Usenet Archives, or in old papers and trade magazines. Find the originals and debunk them, don't cite Bill saying 15 years later that he didn't say it. That's not debunking.
Here, I'll prove it to you. "I've done some stupid things, and I've done some wrong things, but I was never born. Nobody in the human race would ever say they were born." Does that "debunk" the fact that I was born or not? I'd say my sitting here and typing into Slashdot is pretty strong evidence I was born at some point in the past.
A number of statistics have been proven to be false, but are cited all the time in the past. If you follow all of the original citations back, you'll find they all start at one single reference. The original person who stated it either lied, or had something wrong with the way they came to the conclusion. By the time anybody figures that out, it'll be a "fact". I know this happened on stuff regarding sexual orientation (formerly commonly cited stat that 10% of all men are gay), and I believe it's happened on several other occasions about other commonly cited stats.
Debunking involves getting reasonably close to the source and debunking it. Not asking somebody 20 years later, who has a vested interest in not looking like an idiot, if he said something that's blatantly stupid 20 years ago. Read up on what Bill has said about what he thought of the internet.
I believe it was Cringely who pointed out that Bill always proclaims he was a visionary about the net, and saw ahead of everyone how much that could change the world. Yet when you read his book from that time, where he was spouting off about what he thought were the next big things in computers just as the internet went mainstream, he never mentioned it once. Bill's in a position where he can't afford to say "I missed that huge new technology." He's Bill Gates; he thinks Microsoft single-handedly invented the Personal Computer. Just read the end of the article.
Kirby
From Gates himself: "How could we ignore the browser?" Gates responded. "The Explorer is fully integrated with the operating system; take it away and the OS grinds to a halt. When you call up Help, you're using the browser. In Office 2003, instead of going to the local files, the browser will go online and fetch the latest documents."
Any software engineer/programmer who reads this can make a good case for bad design of Windows because it's not modular. What morons design an OS that depends on a higher-level application? In this case it's IE, but it could easily be any other application, like solitaire. Of course it's rubbish that the Windows OS depends on IE, but this is the story they have to front ever since they won the case against Netscape.
"OpenSSH is a part of Linux as much as RPC or Windows Messaging is a part of Windows."
To test that theory, I will turn off ssh on Linux and you turn off RPC on XP; now let's both reboot and see who gets back first! Enough said!
If a linux kernel exploit is fixed in minutes, then it was a pretty dumb bug.
Yup. The last one I remember like that was the IP stack bug in late 1997 that would crash your system; Alan Cox didn't have the fix out in minutes, but IIRC it was about three hours from discovery to patch.
He can be forgiven for the delay, though, because his patch fixed not just that particular exploit, but all its variations. When I was booted to Windows 95, on the other hand, I was vulnerable to any prankster exploiting the same type of bug for months, not just because it would take MS weeks to come up with a patch but because Alan Cox's patch fixed the underlying problem, whereas MS would patch up one attack only to remain wide open to nearly identical exploits. Try Googling for "teardrop", "syndrop", or "newtear" if you want to find a more precise timeline than my fuzzy 6yo memory.
Linux mostly seems to do reactive fixes, at least from where I'm sitting.
You mean reactive to all those awful Linux worms that have been sweeping the net? I don't think so. Try pulling up a list of security updates (here, for example) for Linux and see just what percentage you can find exploit code for. I'm pretty sure the squirrelmail, balsa, and Xpdf developers aren't scrambling to write patches reacting to the many exploits aimed at their programs.
The reality is that no one can produce, however much we have tried, perfectly bugless software.
And there is no way we can be certain that our software doesn't have any unintentional vulnerability either.
Nobody likes software patches, but they are a necessity if we want to make our software work better.
The question is not how fast one makes the patch - although it's very important - the key point in making patches is how EASY we can make our patch-delivery system work.
No doubt that the Linux patches, at least most of them, come out way faster than those of the MS-Windows camp. But there is _one_ thing that we can learn from Microsoft - they have made their patch delivery system (aka www.windowsupdate.com) something that can be used by most users.
I am not saying that the Linux patching process is cumbersome, but we gotta admit that the average users (not sysadmins) just can't begin to understand how to patch their Linux boxes.
If we can come up with something that approaches the ease of www.windowsupdate.com, perhaps Linux can be used by even more not-so-tech-savvy users.
I know, I know, there's a world of difference between MS-Windows and Linux, but what I am talking about is the deliverance of our software patches - and in this case, Microsoft has something that we can learn from.
Thank you for reading.
Muchas Gracias, Señor Edward Snowden !
I speak for a lot of people when I say that I hate Microsoft for quite a few good reasons.