First, patching a Linbox is often a matter of grabbing a patch a day or two after the vuln is known and slapping it into the system. Since Linux is built on the Unix philosophy of tools in a toolbox, you don't have to worry that a patch for program x is going to change code that program's y and z also use (unless it's a library or something).
In any case it's perfectly possible to inspect the patch to see exactly what it does before applying it.
Windows? Not the case. If you have to patch MSHTML, anything from IE to your damned titlebars can get fucked up as a result.
You have no idea if a Windows patch actually patches what it says it does. Hence many corporate users having to maintain test machines in order to black-box test that Windows patchs don't break anything "mission critical".
The point is this: Linux CAN be much, much, MUCH more secure than Windows. However, Linux also does the same thing Unix does: "Look, you can make me secure if you want, but you can also use me to blow your toes off one at a time... YOU choose.. I'm not going to decide for you."
The important difference is that all of the decision making here is ment to be made by a sys-admin. Who is hopefully qualified to understand the consequences of their decisions. Whereas with Windows all sorts of system administration tasks are expected of the end user.
after 5 years linux is ready for the desktop...
Yet it took microsoft far longer to get windows ready for the desktop...
Windows 98 was close, windows 2000 was the pinnacle.
so it tool microsoft FAR longer with windows to get it ready for real desktop use (W2K) than linux has.
Actually the important question is "who's desktop?" There are plenty of situations where it can be argued that W2K is no more "ready" than W9X. There are even some cases where it can be argued that it is less ready.
You're the guy who thought "Could not fork() process" was a good error message, right?
It's just as possible to find examples of such useless error messages with Windows. e.g. "Can't open file", without bothering to give the filename or even "Not enough memory", when the actual problem is trying to open a file which dosn't have write permissions in R/W mode. Meaningless and misleading error messages are a more a sign of poor programmers than OS advocacy.
Most libraries are stuck with Windows simply because they don't have enough money to move away (it does COST money to get everything working with linux)
It also costs money to get everything working with Windows. In addition it costs rather a lot of money to keep things working with Windows.
They're not the only ones which begs the question: If EULAs are legal how could the GPL be illegal?
The GPL is not an EULA.
Both put limits on how and what the recipient can do with what they've received so where's the difference that would make one illegal and the other not? After all, they're both contracts.
They are not both contracts. The GPL is governed by copyright law, EULAs claim to be contracts even though in many cases relevent contract laws render them partially or entirely void. There really needs to be an FAQ on this.
This argument looks reasonable to me. My question, then, is why hasn't someone who contributed has GPL'd code to Linux suing SCO for trying to sell rights to their code?
Or for that matter using the provisions of the DMCA to stop SCO's commercial Linux piracy... Most likely because the laws are written in such a way as to favour corporate use against individuals/smaller corporates.
UNIX and Linux both have 20 ways to do things as well. It's called choice. You choose the best for your situation. I think what you mean is that ActiveX components used on the web should never be allowed to stray out of the web sandbox nor should they be allowed to execute code. And another thing...the mail client should NEVER be allowed to execute code with out asking the user forty times!
Assuming that it should execute code at all. There's also a distinction between executing code and feeding a file to a program...
How do you actually catch the original author of a worm? Most authors of this sort of crap are glory seekers and stupidly leave some reference in the code, or just brag about it on IRC.
How can you tell if the alias they give will lead to the actual virus writer or someone the virus writer dosn't like. Especially if people involved are paramilitary or even real military in nature.
Is Microsoft Software actually certified for safety critical systems? I thought it was not warranted for that use.
Back to the issue of using the right tool for the right job. In many situations no "Off The Shelf" ("Commercial" or otherwise) is suitable. From an engineering POV an Open Source System is more likely to be a good tool, even if you use some standard package/distribution as a starting point. Since you can then verify that it does what it should do and only what it should do. (A lot of malware involves use of unneeded "features".) Something which is very difficult with proprietary software since you need to take things of trust from the vendor and virtually impossible with something like Windows. Which in addition to being proprietary software contains deliberate "sphagetti code".
Lately, it seems, the DMCA is trying to become the all-encompasing way to prosecute anyone who peeks somewhere they "shouldn't."
yet how often has it been used to deal with actual copyright infringment? Especially cases where the copyright infringer is "bigger" than the holder who's copyright they infringe. e.g. SCO vs Linux Developers.
People whine about using only apps that people know, but nobody ever joins a company knowing the five or ten weird apps that only that company uses.
Or whatever customisations/templates/etc the company might use in order to make it easier do whatever they do. Few of our users have used any of the three version control apps we use and we manage to teach them - usually in fifteen minutes and life goes on. Why the big fuss about using an email client they know, or a browser they know?
The real big here is "We must use Windows because people only know how to use Windows". When there isn't even one interface called "Windows", it's not unknown for the real user interface to be a custom application which runs in a maximised window or even the actual user interface is something other than a QWERY keyboard mouse and monitor (such that no user could possibly tell if the machine was running Windows, Doors, Floors or whatever.)
It seems like we could end this whole "virus" thing if we made a few decent decisions at a management level.
e.g. doing some good (old fashioned) "systems analysis" rather than Microsoft Windows everywhere as some kind of fashion statement.
try admining real users instead of a bunch of secretaries than. Its not IE we're worried about. It breaks CAD programs, simulation programs, programs that tell machinery where and how to dig, etc.
The real solution would be to only have Windows used by secretaries, since that is probably something close to what it was designed for.
Hell a friend of mine admins at a coal mine. He applied SP4 to Win2K. Should be able to trust it right? WRONG!!! If he wouldn't have caught that it crashed critically software and stopped applying the service pack right away just imagine what could have happened. This is why it is so important to test patches, especially from M$. Because they can't be trusted.
Or more usefully use the right tool for the job. When it comes to something like mining machinary Windows probably isn't the right tool. Is a WIMP-GUI the best user interface for a machine which digs big holes in the first place?
Bah...like Linux or OS X or BSD or Solaris are any better. Nobody really has desktop patches down all that well, the users make the machines too personalized.
What you are missing is that with unix type systems there are clear distinctions between what is "Operating System" and what is "Application" (as well as "user" and "sys-admin"). Whereas with Windows things are quite deliberatly intertwined.
Plus, any OS that has 95% of the desktop market is going to attract worm/virus writers, and I don't care how open or closed source the code is. If things were reversed and Linux was had hundreds of millions of installs it'd be hacked to pieces.
This explains why IIS is more commonly attacked than Apache, even though IIS is a minority webserver. Possibly even more important than numbers is how "attackable" a platform is and how "malware friendly" it is.
Even now I get all kinds of patches on my RedHat and SuSE boxes, it's no different than Windows.
It's a lot different from Windows. The typical Linux distribution contains a huge amount of software, which in many cases includes several alternatives for the same function. As well as many pieces of software which will only be installed on a few machines. Desiging a worm which will "work" is sveral orders of magnitude easier with the homogeneous Windows population than the heterogeneous Linux population. Even the "Redhat", "SuSE", "Debian", "Gentoo", etc populations are likely to far more diverse than the Windows population.
It's easy to maintain and patch 10K servers of any kind because you have control over everything. But any kind of desktop support is going to suck major a$$, regardless of the OS.
It matters a lot if you are dealing with a "workstation" class of operating system or a "personal computer" class of operating system. Just bacause Microsoft have tacked "workstation" only the name of their product does not mean that it is a workstation OS. Single user, personal computer design assumptions are still there in Windows and a lot of Windows software. e.g. that which requires the user to have administrator privs to even run...
I guess, though, that you've forgotten that the last anti-trust suit against Microsoft was brought in part due to MS' violation of two, count them two, previous Consent Decrees, each the result of Justice Department investigation
Pity the "three strikes and you're out" principle dosn't apply to corporate crooks.
Not even in the 80s. You don't need to have a monopoly to break the law, and you might be surprised at the number of companies that regularly do, yet don't get punished. Just remember, a company can often justify a large fine for an increased efficiency. Even if they balance, the chances of getting caught are so low, that the risk is worth it.
The problem is that the "corporate person" fiction dosn't apply to companies who break the law. Whereas a real person might get hauled off to a jail or subject to restrictive bail conditions if they are simply accused of breaking the law a company can typically carry on "business as usual" even through their "trial".
but in many number of cases MS apps simply copy others' work and try to take advantage of the hard work of others.
It wouldn't suprise me if "borrowing" of code (including OSS) is quite common with proprietary software. Whereas if an OSS program wants to duplicate the function of a proprietary program reverse engineering is likely to be needed.
The GPL is a dscription of terms under which you are granted the right of copying (hence: copyright). It does not (and cannot) compel me to give the source to you in the first place so that you can exercise your right. I can simply claim that the presence of the COPYING file was a mistake corrected in a later release, and nothing more.
In the case in question it would be hard to claim that there was a mistake. Anyway there certainly are cases of courts obliging defendents to stick to agreements they made "by mistake".
You could, perhaps, try to sue me for misleading you (insofar as I led you to believe I would give you the source, when I won't), but you can't sue me for violating my own copyright, and winning said suit would entitle you to damages, not force me to license my code a certain way.
A court may offer you a choice between making the code available to the plaintiff(s), a fine or a conviction for fraud.
While I do not have the dirver from Linuxant, their module would in fact show up to an end user as "GPL". I would think this could be a legal issue for Linuxant, since they are lying to end users of their product about the license.
Thus it would be perfectly resonable for someone supplied this module by "Linuxant" to request the source of the module. And to submit the results of the "modinfo" command as evidence to court... Issues involved with misadvertising and misdescribing things they supply may alternativly land them in a criminal rather than civil court.
It is the user of a module that causes it to be loaded, not the developer. Just because a company makes a binary driver that works on Linux available to its customers, it does not follow that the module developer has entered into any kind of contract with the kernel developers.
However they have entered into an agreement with their customers. Effectivly they are telling people "this code is GPL", thus they are obliged to make the source available to anyone they supply the binary to. Effectivly it's a case of the description on the "box" and what is actually in the "box" being very different from what is in the "box".
There would be no grounds to sue for access to the source code on this basis.
There are no grounds for random kernel developers to sue. The grounds for a customer to sue are along the lines of "The defendent claims the software they supplied is covered by a standard copyright licence (the GPL) but have failed to honour their obligations under that licence".
If you're sure you're driver is okay, a kernel bug should still be there if your driver is absent. If it's not, maybe, just maybe, the bug is with the module, and by lying to the kernel you're just wasting everyones time.
e.g. the module writer has used some kind of hack which whilst it may work fine on their machine causes problems in the general case. Especially if their starting point was some, already untidy Windows, code.
If a kernel oops or panic occurs in a driver, it's important for the kernel developers to quickly know if it's a GPL driver (or a 3rd party binary only driver that they shouldn't even waste their time looking at). Too much noise is generated on LKML for broken binary drivers that just can't be fixed or troubleshooted.
Except by the suppliers of the binary only module. So best try and ensure that any bug reports go to the right place.
Zealotry has it's hand in that Open Source people really only want to fix Open Source drivers.
The term "zealotry" is probably quite applicable to quite a few entities who'd kick up a huge fuss were anyone to even attempt to debug their non GPL software.
First, patching a Linbox is often a matter of grabbing a patch a day or two after the vuln is known and slapping it into the system. Since Linux is built on the Unix philosophy of tools in a toolbox, you don't have to worry that a patch for program x is going to change code that program's y and z also use (unless it's a library or something).
In any case it's perfectly possible to inspect the patch to see exactly what it does before applying it.
Windows? Not the case. If you have to patch MSHTML, anything from IE to your damned titlebars can get fucked up as a result.
You have no idea if a Windows patch actually patches what it says it does. Hence many corporate users having to maintain test machines in order to black-box test that Windows patchs don't break anything "mission critical".
The point is this: Linux CAN be much, much, MUCH more secure than Windows. However, Linux also does the same thing Unix does: "Look, you can make me secure if you want, but you can also use me to blow your toes off one at a time... YOU choose.. I'm not going to decide for you."
The important difference is that all of the decision making here is ment to be made by a sys-admin. Who is hopefully qualified to understand the consequences of their decisions. Whereas with Windows all sorts of system administration tasks are expected of the end user.
after 5 years linux is ready for the desktop...
Yet it took microsoft far longer to get windows ready for the desktop...
Windows 98 was close, windows 2000 was the pinnacle.
so it tool microsoft FAR longer with windows to get it ready for real desktop use (W2K) than linux has.
Actually the important question is "who's desktop?" There are plenty of situations where it can be argued that W2K is no more "ready" than W9X. There are even some cases where it can be argued that it is less ready.
You're the guy who thought "Could not fork() process" was a good error message, right?
It's just as possible to find examples of such useless error messages with Windows. e.g. "Can't open file", without bothering to give the filename or even "Not enough memory", when the actual problem is trying to open a file which dosn't have write permissions in R/W mode.
Meaningless and misleading error messages are a more a sign of poor programmers than OS advocacy.
Most libraries are stuck with Windows simply because they don't have enough money to move away (it does COST money to get everything working with linux)
It also costs money to get everything working with Windows. In addition it costs rather a lot of money to keep things working with Windows.
They're not the only ones which begs the question: If EULAs are legal how could the GPL be illegal?
The GPL is not an EULA.
Both put limits on how and what the recipient can do with what they've received so where's the difference that would make one illegal and the other not? After all, they're both contracts.
They are not both contracts. The GPL is governed by copyright law, EULAs claim to be contracts even though in many cases relevent contract laws render them partially or entirely void.
There really needs to be an FAQ on this.
This argument looks reasonable to me. My question, then, is why hasn't someone who contributed has GPL'd code to Linux suing SCO for trying to sell rights to their code?
Or for that matter using the provisions of the DMCA to stop SCO's commercial Linux piracy... Most likely because the laws are written in such a way as to favour corporate use against individuals/smaller corporates.
UNIX and Linux both have 20 ways to do things as well. It's called choice. You choose the best for your situation. I think what you mean is that ActiveX components used on the web should never be allowed to stray out of the web sandbox nor should they be allowed to execute code. And another thing...the mail client should NEVER be allowed to execute code with out asking the user forty times!
Assuming that it should execute code at all. There's also a distinction between executing code and feeding a file to a program...
Problem is, people (particularly Windows users) buy features before they buy security.
:)
Once you discount vapour, "brand loyalty" and "Hobson's choice" OEM bundling how many people does that leave buying Windows based on it's features
It's also easier to write gui software that will work on 99.99% of all windows 98 or higher installations without extensive tweaking,
If it's actually used by more than about 30% of Windows users there is a fair chance that Microsoft will make a work-a-like part of the OS...
How do you actually catch the original author of a worm? Most authors of this sort of crap are glory seekers and stupidly leave some reference in the code, or just brag about it on IRC.
How can you tell if the alias they give will lead to the actual virus writer or someone the virus writer dosn't like. Especially if people involved are paramilitary or even real military in nature.
Is Microsoft Software actually certified for safety critical systems? I thought it was not warranted for that use.
Back to the issue of using the right tool for the right job. In many situations no "Off The Shelf" ("Commercial" or otherwise) is suitable.
From an engineering POV an Open Source System is more likely to be a good tool, even if you use some standard package/distribution as a starting point. Since you can then verify that it does what it should do and only what it should do. (A lot of malware involves use of unneeded "features".) Something which is very difficult with proprietary software since you need to take things of trust from the vendor and virtually impossible with something like Windows. Which in addition to being proprietary software contains deliberate "sphagetti code".
Lately, it seems, the DMCA is trying to become the all-encompasing way to prosecute anyone who peeks somewhere they "shouldn't."
yet how often has it been used to deal with actual copyright infringment? Especially cases where the copyright infringer is "bigger" than the holder who's copyright they infringe. e.g. SCO vs Linux Developers.
People whine about using only apps that people know, but nobody ever joins a company knowing the five or ten weird apps that only that company uses.
Or whatever customisations/templates/etc the company might use in order to make it easier do whatever they do.
Few of our users have used any of the three version control apps we use and we manage to teach them - usually in fifteen minutes and life goes on. Why the big fuss about using an email client they know, or a browser they know?
The real big here is "We must use Windows because people only know how to use Windows". When there isn't even one interface called "Windows", it's not unknown for the real user interface to be a custom application which runs in a maximised window or even the actual user interface is something other than a QWERY keyboard mouse and monitor (such that no user could possibly tell if the machine was running Windows, Doors, Floors or whatever.)
It seems like we could end this whole "virus" thing if we made a few decent decisions at a management level.
e.g. doing some good (old fashioned) "systems analysis" rather than Microsoft Windows everywhere as some kind of fashion statement.
try admining real users instead of a bunch of secretaries than. Its not IE we're worried about. It breaks CAD programs, simulation programs, programs that tell machinery where and how to dig, etc.
The real solution would be to only have Windows used by secretaries, since that is probably something close to what it was designed for.
Hell a friend of mine admins at a coal mine. He applied SP4 to Win2K. Should be able to trust it right? WRONG!!! If he wouldn't have caught that it crashed critically software and stopped applying the service pack right away just imagine what could have happened. This is why it is so important to test patches, especially from M$. Because they can't be trusted.
Or more usefully use the right tool for the job. When it comes to something like mining machinary Windows probably isn't the right tool. Is a WIMP-GUI the best user interface for a machine which digs big holes in the first place?
Bah...like Linux or OS X or BSD or Solaris are any better. Nobody really has desktop patches down all that well, the users make the machines too personalized.
What you are missing is that with unix type systems there are clear distinctions between what is "Operating System" and what is "Application" (as well as "user" and "sys-admin"). Whereas with Windows things are quite deliberatly intertwined.
Plus, any OS that has 95% of the desktop market is going to attract worm/virus writers, and I don't care how open or closed source the code is. If things were reversed and Linux was had hundreds of millions of installs it'd be hacked to pieces.
This explains why IIS is more commonly attacked than Apache, even though IIS is a minority webserver. Possibly even more important than numbers is how "attackable" a platform is and how "malware friendly" it is.
Even now I get all kinds of patches on my RedHat and SuSE boxes, it's no different than Windows.
It's a lot different from Windows. The typical Linux distribution contains a huge amount of software, which in many cases includes several alternatives for the same function. As well as many pieces of software which will only be installed on a few machines. Desiging a worm which will "work" is sveral orders of magnitude easier with the homogeneous Windows population than the heterogeneous Linux population. Even the "Redhat", "SuSE", "Debian", "Gentoo", etc populations are likely to far more diverse than the Windows population.
It's easy to maintain and patch 10K servers of any kind because you have control over everything. But any kind of desktop support is going to suck major a$$, regardless of the OS.
It matters a lot if you are dealing with a "workstation" class of operating system or a "personal computer" class of operating system. Just bacause Microsoft have tacked "workstation" only the name of their product does not mean that it is a workstation OS. Single user, personal computer design assumptions are still there in Windows and a lot of Windows software. e.g. that which requires the user to have administrator privs to even run...
I guess, though, that you've forgotten that the last anti-trust suit against Microsoft was brought in part due to MS' violation of two, count them two, previous Consent Decrees, each the result of Justice Department investigation
Pity the "three strikes and you're out" principle dosn't apply to corporate crooks.
Not even in the 80s. You don't need to have a monopoly to break the law, and you might be surprised at the number of companies that regularly do, yet don't get punished. Just remember, a company can often justify a large fine for an increased efficiency. Even if they balance, the chances of getting caught are so low, that the risk is worth it.
The problem is that the "corporate person" fiction dosn't apply to companies who break the law. Whereas a real person might get hauled off to a jail or subject to restrictive bail conditions if they are simply accused of breaking the law a company can typically carry on "business as usual" even through their "trial".
but in many number of cases MS apps simply copy others' work and try to take advantage of the hard work of others.
It wouldn't suprise me if "borrowing" of code (including OSS) is quite common with proprietary software.
Whereas if an OSS program wants to duplicate the function of a proprietary program reverse engineering is likely to be needed.
I think the problem is more likely to be that they concentrate so much on being flashy that they forget other aspects that go to make a good program.
:)
e.g. the writing and acting
The GPL only kicks in when distribution happens.
We have distribution happening here.
Distribution of a binary module which claims to be "GPL".
There's absolutely no reason why a company can't write a non-GPL driver for internal use and not make it available publically.
It dosn't matter if the distribution is "public" or not. Distributing to one other party is still "distribution".
The GPL is a dscription of terms under which you are granted the right of copying (hence: copyright). It does not (and cannot) compel me to give the source to you in the first place so that you can exercise your right. I can simply claim that the presence of the COPYING file was a mistake corrected in a later release, and nothing more.
In the case in question it would be hard to claim that there was a mistake. Anyway there certainly are cases of courts obliging defendents to stick to agreements they made "by mistake".
You could, perhaps, try to sue me for misleading you (insofar as I led you to believe I would give you the source, when I won't), but you can't sue me for violating my own copyright, and winning said suit would entitle you to damages, not force me to license my code a certain way.
A court may offer you a choice between making the code available to the plaintiff(s), a fine or a conviction for fraud.
While I do not have the dirver from Linuxant, their module would in fact show up to an end user as "GPL". I would think this could be a legal issue for Linuxant, since they are lying to end users of their product about the license.
Thus it would be perfectly resonable for someone supplied this module by "Linuxant" to request the source of the module. And to submit the results of the "modinfo" command as evidence to court...
Issues involved with misadvertising and misdescribing things they supply may alternativly land them in a criminal rather than civil court.
It is the user of a module that causes it to be loaded, not the developer. Just because a company makes a binary driver that works on Linux available to its customers, it does not follow that the module developer has entered into any kind of contract with the kernel developers.
However they have entered into an agreement with their customers. Effectivly they are telling people "this code is GPL", thus they are obliged to make the source available to anyone they supply the binary to.
Effectivly it's a case of the description on the "box" and what is actually in the "box" being very different from what is in the "box".
There would be no grounds to sue for access to the source code on this basis.
There are no grounds for random kernel developers to sue. The grounds for a customer to sue are along the lines of "The defendent claims the software they supplied is covered by a standard copyright licence (the GPL) but have failed to honour their obligations under that licence".
If you're sure you're driver is okay, a kernel bug should still be there if your driver is absent. If it's not, maybe, just maybe, the bug is with the module, and by lying to the kernel you're just wasting everyones time.
e.g. the module writer has used some kind of hack which whilst it may work fine on their machine causes problems in the general case. Especially if their starting point was some, already untidy Windows, code.
If a kernel oops or panic occurs in a driver, it's important for the kernel developers to quickly know if it's a GPL driver (or a 3rd party binary only driver that they shouldn't even waste their time looking at). Too much noise is generated on LKML for broken binary drivers that just can't be fixed or troubleshooted.
Except by the suppliers of the binary only module. So best try and ensure that any bug reports go to the right place.
Zealotry has it's hand in that Open Source people really only want to fix Open Source drivers.
The term "zealotry" is probably quite applicable to quite a few entities who'd kick up a huge fuss were anyone to even attempt to debug their non GPL software.