Yeah SxS works a treat. No more dll hell. Great for servicing too. The problem here is moronic devs not shipping the libraries that they link against. MS would be castigated if they didn't fix security holes. Why oh why does kdawson think this is a return to dll hell? Does he actually know what SxS is? Does he even have experience of Windows development?
Well there was an eight year wait to fix this one and nobody knows whether or not it has been exploited over that time.
I guess the famous "many eyes" were busy doing something else rather than looking in the source code for bugs like this.
I hope that the steady stream of security problems with open source software will put an end to all the tedious MS hate here on Slashdot. Perhaps I'm being a tad optimistic though 'cos faith does seem to blind one from reality.
Well I think the point is that IE6 is tied to XP and so shares the same long term support lifecycle. Just because MS won't sell you a new licence for XP doesn't mean that they won't continue supporting and patching it. You don't need to be a genius to understand that.
The average two year old understands 250 words? My two year old and all her same age friends know far far more than that. I also don't think that you get cleverer as you get older. You just learn more.
Well, it may be as clear as 2 + 2 = 4 to you but perhaps I'm not as clever as you. In any case I'm somewhat old fashioned and like to have evidence.
The particular article I was thinking of is: "Is Linux Better than Windows Software?", Adenekan (Nick) Dedeke, IEEE Software, Vol 26 issue 3.
The author says:
To investigate vulnerability, I analyzed data from the US National Vulnerability Database (http://nvd.nist.gov/nvd.cfm), which is hosted by the National Cyber Security division of the US Computer Emergency Readiness Team (US-CERT). The database integrates all publicly available US government vulnerability databases. It lists each vulnerability type once. For example, if CERT is notified 300 times of a potentially damaging type of computer vulnerability, it lists that vulnerability only once in the database.
I aggregated the known vulnerability types for RedHat Linux and Windows systems reported during 1997-2005. The study included 1,048 vulnerability types for Red-Hat Linux and 552 for Windows 2000 and Windows 2003. The types fall into three categories: high, moderate, and low severity. I based each type's scoring on the Common Vulnerability Scoring System (CVSS),10 a global standard. Between 2002 and 2005, the total number of vulnerabilities for Linux rose dramatically from 67 to 333, while that of Windows rose from 69 to 86. I also found that for high severity, Linux experienced a rise from 31 to 126 while Windows experienced a rise from 38 to 53. I found similar results for low and medium severity.
The author then goes on to conclude:
Therefore, unless someone can show that Windows systems' vulnerabilities are underreported, my study doesn't support the assertion that open source software, represented by Linux, is less vulnerable than Windows systems. It also casts doubt on the global assertion that Linux's quality is better than that of Windows. Could these results hold true for other categories of open source and closed-source software?
I also recall an article that Diomidis Spinellis (an academic and a keen free software advocate) published, I can't remember where. He used automatic code analysis tools to compare the source code for a range of operating systems (Windows research kernel, Linux, some BSDs) and found no significant difference in quality.
So, yes, it's clearly true that more people CAN look at the code for open source software. But how that translates into quality is much more interesting. Just because they can doesn't mean that they will.
I think the "many eyes make all bugs shallow" idea (Linus's rule) has some merit but it's not the only factor. For security the fact that there are such disparate bodies responsible for delivering Linux makes it very hard to get a good security process. Consider the fiasco surrounding the now infamous Debian OpenSSH bug where the bug was introduced by downstream packagers who didn't understand the implications of what they were doing. Where was the security audit? Well there wasn't one.
Traditional closed source companies appear to be able to have much more control and oversight of cross-cutting issues like security. Doesn't mean they will exercise it (see Microsoft in the time before XP SP2 and SDL). But it's certainly possible for them to do security well (see Microsoft today). Then there's a company like Apple which to my mind is like MS was 10 years ago. Security is just not on their radar - it's an irritation to them.
I think the open source bazaar approach has been wonderfully successful and has proven to scale fantastically. Its next big challenge though is in the realm of security. As Linux gains ground (which it seems likely to, at least in server space) it will increasingly come under heavy attack. Can the bazaar adapt to handle this? I'm positive that it will but it remains to be seen how it will.
Google doesn't really seem all that different. It just gets the Mac hate a bit lower down. And are we really going to deliver judgement on the basis of a single search? Doesn't seem very scientific to me!
Also, since when has Google been a paragon of independence in its searches? I seem to recall that searching for anything related to a Google product will return Google's product at or near the top.
It only makes it more likely that those bugs will be caught sooner since so many eyes can peruse the code.
Do you have any evidence for this or is it just your belief? I'm sure there are academic papers that look at this and of course there are sizeable historical repositories of vulnerabilities, e.g. US-CERT. It's actually possible to test your hypothesis.
What you find when you do this is that some closed source projects have good track records and some have bad track records. Likewise some open source projects have good track records and some have bad track records. You will find, for example, that there's a huge difference in standard between Microsoft (now actually quite good) and Apple and Adobe (very poor at security).
The only conclusion I can draw from this is that being open source doesn't result in your code being better than closed source code. Likewise vice versa. My belief is that it is the processes and people involved that make the difference.
Do you have any hard evidence of that or is it just faith?
Don't get me wrong I'm a big fan of open source, free software in the RMS meaning of free. But I just don't really get along with faith. It's quite astonishing how much of the commentary on Slashdot is all about faith with no reference to evidence. I guess we're all human though, even us techie geeks!
I don't understand. I was led to believe by many reputable slashdot posters that open source software wasn't susceptible to such problems because the open source software development process is inherently so much better than traditional development methods. What am I to think now?
You seem to be saying that Apple's machines are expensive and their OS only runs on limited hardware (e.g. Apple). That seems reasonable but you then go on to imply that this problem is caused by Microsoft? How exactly is that so? Surely Apple can sell their hardware more cheaply if they want? And what's to stop them supporting Mac OS on a much broader range of hardware? You honestly think that it is Microsoft that is hindering them?
Well, if people don't like it they can always install something else. Nobody forces you to buy Windows or use a Mac. People do it because they choose to.
What's so hard about 64 bit on Windows? You can single source 32 and 64 bit versions without any ifdefs with no trouble. The interface on 64 bit is called Win32 and is identical. What's your problem?
Well, that's your opinion, but if you were in charge of the Windows team would you choose to:
1. Release a 64 bit only OS and condemn yourself to failure in the netbook space, or
2. Release a 32 bit version which can run on Atom and have some chance of competing.
Only an utter moron would opt for option 1. And in case you hadn't noticed, MS owns the netbook market.
Have you been hiding under a rock for the past few months?!
seems a bit fishy to me ....
Clearly you have no idea what GCD is.
Actually, C is not a block-structured language. You can't declare functions inside other functions.
This doesn't sound very hostile to me. Try posting in favour of something originating in redmond on slashdot if you want to experience true hostility!
Oh ha ha ha
Million lines of code?! Are you crazy? My 5-developer app has 600,000 LOC; Windows XP reportedly had 35 million; I'd guess 7 has over 50 million.
I'm thinking of generic terms like e-mail, spreadsheet, android
Does anyone want to argue against this?
You think I've come to the right place?
What nonsense. Apple provides a perfectly adequate OS and has done for years and years. Likewise Linux.
Atom is the justification
Why bother conducting your own study when you could use one of the many already done in other countries?