Linux is as buggy as Windows

I only cane across this slightly old article recently (see below).

What is the conclusion - that what the author says is a true
reflection of the situation or that he is overstating his case?



Martin

===========

LANGA LETTER: LINUX HAS BUGS: GET OVER IT
Jan 27, 2003

http://www.informationweek.com/story/IWK20030124S0013/1

Fred Langa contends that some Linux proponents harm their cause by
hiding from the facts--it's just as buggy as Windows XP.

----

I made a private bet with myself when I ran an item in my newsletter
called "Linux Hacks On The Rise". It cited a study of software
problems reported by CERT--the Computer Emergency Response Team that
impartially tracks computing security threats. (CERT is part of a
federally funded research and development center at Carnegie Mellon
University in Pittsburgh.)

Among other things, the article said: "...more than 50% of all
[CERT] security advisories ... in the first 10 months of 2002 were
for Linux and other open-source software solutions."

My only point in bringing up this issue was to show that no operating
system is immune to bugs and security issues: As Linux grows in
popularity, it will have its own full share of problems.

It's hard to imagine a less inflammatory or more obvious assertion--
that all operating systems have bugs and security issues--but I won
my bet: Linux and open-source fans thought I was attacking them or
their preferred operating system. They deluged me with E-mails, many
irate, claiming that CERT (and I) were dead wrong.

The two most-common arguments against the report were:

1) There really aren't that many Linux/open source bugs, especially
compared with, say, Microsoft Windows. Many readers argued further
that CERT erred by counting the same bugs multiple times in different
distributions and versions of Linux or other open-source software;
these repeated bugs should have been counted as one meta-bug.

2) Open source bugs, when they do occur, aren't that big a deal
anyway because they can be fixed far faster than Windows bugs.

Trouble is, these arguments are based on old information: Yes, there
once was a time when both of the above statements were true, but in a
moment I'll show you some very current, non-CERT stats and info that
illustrate why both statements are now emphatically false. (We'll
get to the specifics in a moment.)

But this isn't a bad thing. Rather, I take it as a very positive
sign of the growing maturity and mainstream appeal of Linux and open
source software. Let me explain:


Linux's And Open Source Software's Excellent History

Linux (and the whole open source movement in general) got its
reputation for solid software and rapid fixes when this software was
used mostly by a relatively small group of extremely knowledgeable
people. They knew what they were doing, and generally ran their
software on stable, proven hardware platforms; or, when brand-new
hardware was used, it was used in fairly generic ways. (For example,
video card drivers for Linux tended not to support exotic feature
sets; Linux video usually operated at fairly conventional resolutions
and settings.)

This is a benign development environment. Any software can succeed
if it's placed only in the hands of a small group of knowledgeable
experts who can avoid many problems in the first place, and
participate in rapid repair of any unavoidable problems that do
occur.

And "rapid repair" was a very real thing: The open source arena
tended to attract some of the best and brightest of the world's
computing community; people who wanted to do good, and whose
contributions were almost always positive, focused on the continual
improvement of their software.

But things changed. The open source community has fragmented into
myriad competing segments, each with its own different, and
increasingly quasi-proprietary, distributions of software. Huge
numbers of new users of all skill levels have entered what once had
been an experts-only enclave. (Even Wal-Mart now sells cheap PCs
with Linux and open source applications preinstalled.) It's much
harder to produce software for an audience of all skill levels
running who-knows-what hardware, than for an audience only of experts
running a limited subset of known-good hardware.

And, not trivially, as the Linux/open source segment has grown, it's
finally attracted the attention of crackers (malicious hackers). You
see, crackers like to aim at the fat part of the bell curve because
that's where the most potential victims are. That's one of the
primary reasons why more people try to hack Microsoft software than
any other: If a malicious hacker wants fame or notoriety, Microsoft
software is the obvious target because more people use Microsoft
software than any other.

And to me, this is a key thing: When the Linux/open source community
was tiny, few hackers bothered to look for exploitable issues there.
It simply wasn't an attractive target. In other words, it wasn't so
much that Linux and similar software were truly free from exploitable
holes, but simply that no one was trying to find them.

But again, that all changed as Linux and open source software entered
the mainstream. Now that this software is a fully viable alternative
to conventional commercial software, an inevitable consequence is
that more problems will come to light. As novice users, funky
hardware mixes, and active cracking all come into play, the bug
counts are going up. In fact, way up.


Counting Bugs

There's no perfect, 100% reliable way of comparing bugs across
operating systems, especially in an environment where operating
systems usually ship with bundled software that may have its own,
separate quality issues. But let's start by looking just at the
operating system itself:

We can avoid CERT's problem of counting the same bug more than once
if we compare the security patch/update counts for one popular
distribution and version of Linux to one popular version of Microsoft
Windows. In this way, we won't have the Linux count skewed by the
same bug cropping up in hundreds of other versions and distributions;
or have the Windows count skewed by bugs in other Windows versions or
software products from Microsoft.

To further refine the comparison, let's look at operating system
versions that came to market at about the same date. This way, both
operating systems would have a more or less equal time during which
problems could come to light.

It turns out that Microsoft Windows XP and Red Hat Linux 7.2 were
released within a few weeks of each other. Both are still current
and are actively supported by their respective vendors. So, let's
take a look, starting on each vendor's patch/update pages:

For Red Hat Linux 7.2, you go to the Red Hat "errata" page https://
rhn.redhat.com/errata/ and from there to the page specific to version
7.2 https://rhn.redhat.com/errata/rh72-errata.html . There, you'll
see that, to date, Red Hat has issued 151 patches and updates (mostly
for security issues; that's what the "broken lock" icon means) for
that Linux version. For a very crude sense of scale, that works out
to an average of around 2.3 patches per week.

Next, let's do the same thing for XP Professional, starting on
Microsoft's errata page, the "HotFix & Security Bulletin Service";
use the pull-down menu to isolate just the XP-related items. You'll
see that the page lists 21 XP-specific patches and updates to date.
That's an average 0.35 patches per week.

But wait: Maybe that's not a fair count. After all, XP is the
newest Windows version, but RH 7.2 isn't the newest Linux version.
Red Hat's newest version is actually version 8.0, so let's look at
that. Its errata page lists 27 patches and bug fixes issued in the
four months the operating system has been available, an average of
around 1.6 patches per week, so far. That's a rate significantly
less than Red Hat's 7.2's, but still more than XP's.

These numbers may surprise you because we've all seen a veritable
blizzard of patches and updates issued from Redmond. But Microsoft
currently has 157 software products under active support, and a
typical PC may have not only a Microsoft operating system but also a
Microsoft browser, mail program, media player, office suite, and
more. In the aggregate, the total number of bugs and patches to keep
up with for all this software is daunting. And some of the issues
have indeed been severe. (For example, Outlook Express was for years
the very worst security hole on most PCs.)

But, if it's unfair to lump all open source software together for
bug- counting purposes, it's also unfair to do the same thing for all
Microsoft software. (Otherwise, to get an accurate assessment for
Linux systems, you'd have to include the bugs from open source
browsers and all other normal system add-ins or add-ons, on top of
Linux's own bugs.) Instead, to avoid an apples/oranges comparison,
it's better to look at specific brands, types, and builds of products
across similar amounts of time: That's the only accurate way to see
how, say, operating systems compare, or browsers compare, or E- mail
programs compare, and so on.

But what about the types or severity of bugs? In fact, I hear this a
lot from Linux partisans, that Microsoft bugs are "worse" than Linux
bugs. There's a lot of subjectivity in better or worse comparisons,
of course. But as a quick example, here's a Red Hat Linux 7.2 bug as
described on the Red Hat page:

A vulnerability has been found in the ptrace code of the kernel
(ptrace is the part that lets program debuggers run) that could be
abused by local users to gain root privileges.

Now here's an XP bug, as described on the Microsoft site:

Flaw in Windows WM_TIMER Message Handling Could Enable Privilege
Elevation: A security issue has been identified that could allow an
attacker to compromise a computer running Microsoft Windows and gain
complete control over it.

Which is "worse?" I actually think these are about the same--either
way, someone can take over your PC. But some Linux partisans will
insist that the Microsoft bug is somehow "worse." I disagree, but
don't take my word for it: Read the descriptions of some bugs from
the XP list and some from the Red Hat list, and make up your own
mind.

Does all this mean Linux is terrible? Not at all! Complex software
will always have bugs and security problems, and I consider Linux's
bugs to be in the fully normal range and not worth getting agitated
over. What's more, it's great to see such active bug-fixing as the
Red Hat pages indicate: There always will be bugs in any software,
and the rational thing to do is to fix them, rather than try to
convince others that the bugs aren't real or somehow don't count.

Does all this mean XP is inherently wonderful? Nope. XP's bugs are
fewer than Red Hat Linux 7.2, but also within the normal range, and
likewise merit neither ecstasy nor apoplexy. And, as I said before,
there's other Microsoft software--some of it bundled with XP--that
has much worse records.

So here's what it does mean: Linux is a normal operating system; so
is XP. Both have bugs, some major, some minor. Anyone who tells you
that Linux is "inherently more secure" or "much less buggy" than XP
simply isn't working from current facts. The reality is that bugs
happen, even in Linux: Get over it.

Speed Of Fixes

The second most-cited argument in reader mail was along the lines of:
"Open Source bugs aren't that big a deal because they can be fixed
far faster than Windows bugs."

Yes, under the very best and limited circumstances, this can be true:
A raw, initial fix can be posted online sometimes within hours of a
bug coming to light, and that's wonderful, when it happens. But that
initial posting is often in source code, or in a form that requires
that parts of the operating system or software be rebuilt or
recompiled by the user. And it's usually posted in special
developer-only portions of open- source Web sites. In other words,
the patch may be useful to a handful of expert users. That's great
for them, but what about everyone else?

Most patches take much longer to appear, and longer still to become
generally available to all affected users, in finished, tested,
easily installable form--even if, technically speaking, the initial
instance of the bug was stomped out very quickly. Given the growing
fragmentation of the open source community and the increasingly
quasi-proprietary distributions of Linux, how could it be otherwise?
It has to take time to get patches out.

Consider just two cases in point: The Open Source Mozilla project
ran three years late in development, and that was just a browser, not
an entire operating system. Linux itself took about 7 years before
it was even remotely ready for prime time. In the face of software
gestations this lengthy, I think it's hard to argue that open
source's supposed "fast fixes" actually mean much in real world
benefits.

This is a big chunk of Microsoft's problem, of course--it takes time
to release a finished, auto-installing patch for all versions and
builds of all affected in-use Microsoft software. This often makes
Microsoft patches appear weeks or months after a bug comes to light.
But as Linux and other open-source software face the same kinds of
market problems, their pace is slowing, too. It's inevitable. The
more complex and fragmented a software market is, the longer it will
take for fixes to diffuse out to all builds and versions. Complex
software takes time to write and debug: Get over it.

Put Down Those Flamethrowers

Don't get me wrong: I think the open source movement is a good
thing, and I like Linux--it's running right now on two of my office
PCs. And none of the above excuses or lessens the seriousness of
Windows' own problems with bugs and security issues.

But, as much as the partisans wish it were so, open sourcing isn't a
magic solution to the problems of bugs and security issues. As Linux
and other open-source software grow in popularity and extend into a
fragmented, uncontrolled mass marketplace, they will inevitably have
their own full share of bugs and security problems, same as with any
other software.

Anyone who tells you differently, or tries to convince you that their
favorite operating system is somehow immune to market forces, human
error, and plain malice, is doing both you and the operating system
they espouse a disservice.

END

Martin C.E.

On Mon, 22 Sep 2003 21:36:22 +0100, Martin C.E. wrote in
<93FEDBCA34674835A@130.133.1.4>:

>I only cane across this slightly old article recently (see below).
>
>What is the conclusion - that what the author says is a true
>reflection of the situation or that he is overstating his case?

The author makes the wrong comparision, the "Linux-count" includes
patches for a wide range of applications (like Apache/PHP, gaim clients,
mICQ etc ...) while the "XP-count" focusses on the core functionality of
the OS.

You could easily have checked this out for yourself by actually visiting
those pages.

Frans Meijer

Martin C.E. <> spake thusly:
> I only cane across this slightly old article recently (see below).
>
> What is the conclusion - that what the author says is a true
> reflection of the situation or that he is overstating his case?

No OS is perfect and no OS is ever going to be perfect. But for me (note
that I said 'for me' before you blow a gasket) there is no comparison
between Linux and Windows. Linux is by far and away the best operating
system I've ever used. I'd be using it right now if it was up to me what OS
to put on this computer.


--
Audio Bible Online:
http://www.audio-bible.com/

Indigo Moon Man

In article <93FEDBCA34674835A@130.133.1.4>, says...

>
> The second most-cited argument in reader mail was along the lines of:
> "Open Source bugs aren't that big a deal because they can be fixed
> far faster than Windows bugs."
>
> Yes, under the very best and limited circumstances, this can be true:
> A raw, initial fix can be posted online sometimes within hours of a
> bug coming to light, and that's wonderful, when it happens. But that
> initial posting is often in source code, or in a form that requires
> that parts of the operating system or software be rebuilt or
> recompiled by the user. And it's usually posted in special
> developer-only portions of open- source Web sites. In other words,
> the patch may be useful to a handful of expert users. That's great
> for them, but what about everyone else?
>
> Most patches take much longer to appear, and longer still to become
> generally available to all affected users, in finished, tested,
> easily installable form--even if, technically speaking, the initial
> instance of the bug was stomped out very quickly. Given the growing
> fragmentation of the open source community and the increasingly
> quasi-proprietary distributions of Linux, how could it be otherwise?
> It has to take time to get patches out.
>


Sure. XP is a decent desktop. Microsoft in turn, isn't mature enough to
be a real-world Internet server. Neither a Microsoft desktop or server
should be allowed a raw connection, un-firewalled, to the Internet.

As for the portion of the post I left above, 1) Microsoft desktops DO
NOT come with a compiler, as do most Linux distros, therefore, you can't
simply "compile and install" from source code on a Windows machine
(typically, unless you've actively added a compiler, etc) 2) Microsoft
users, as a whole, are less likely to be computer savvy and don't have
the experience to know "what to do" during the first hours of a 0day
exploit. Basically, MS users need to be spoon-fed in order to know what
to do.

Linux, IMHO *is* a better OS, for me, a computer professional. The Linux
desktop isn't ready for the masses, yet. Rome wasn't built in a day, but
it's still Rome, it's still there and it will be around for as long as
it matters.




--
Colonel Flagg
http://www.internetwarzone.org/

Privacy at a click:
http://www.cotse.net

Q: How many Bill Gates does it take to change a lightbulb?
A: None, he just defines Darkness? as the new industry standard..."

"...I see stupid people."

Colonel Flagg

"Colonel Flagg" <> wrote in
message news:.. .
> In article <93FEDBCA34674835A@130.133.1.4>,
says...
>
> Linux, IMHO *is* a better OS, for me, a computer professional. The
Linux
> desktop isn't ready for the masses, yet. Rome wasn't built in a day,
but
> it's still Rome, it's still there and it will be around for as long as
> it matters.
>

Let's just hope the feral cats running all over the place don't take it
over first, but if they do. The coliseum will understandably be their
first victory. I never saw that many cats (freely running around in one
place) in all my life.

--
Best regards,
Don Kelloway
Commodon Communications

Visit http://www.commodon.com to learn about the "Threats to Your
Security on the Internet".

Don Kelloway

Frans Meijer <> writes:

> On Mon, 22 Sep 2003 21:36:22 +0100, Martin C.E. wrote in
> <93FEDBCA34674835A@130.133.1.4>:
>
>>I only cane across this slightly old article recently (see below).
>>
>>What is the conclusion - that what the author says is a true
>>reflection of the situation or that he is overstating his case?
>
> The author makes the wrong comparision, the "Linux-count" includes
> patches for a wide range of applications (like Apache/PHP, gaim
> clients, mICQ etc ...) while the "XP-count" focusses on the core
> functionality of the OS.

That's an important distinction: a Red Hat distribution contains
hundreds of packages, which for Windows wouldn't be provided by
Microsoft.

Additionally, outside companies, Windows is often used as
Administrator, because it's much more convenient that way. That means
there's not even any need for privilege-escalation---any trojan the
user runs (by explicit execution or one of the bugs in OE) means the
box is 0wned.

Essentially, though, I suspect Windows is more dangerous because it's
a monoculture. Windows XP, or (even better) Windows 2003 is probably
a reasonably secure operating system, provided you use it safely (for
example, as a non-privileged user, most of the time). But even then,
95% of users are going to use Outlook Express with its default
settings, so a bug in that can allow a worm to spread like wildfire.

There are lessons in that for GNU/Linux users, of course. Diversity
(while causing problems---which is why distributions tend to make it
just a bit awkward to change window manager and so on) is worthwhile
for many reasons.

We should worry about trends for more and more people to use (say)
Evolution as their email client, for example. Well, we ought to worry
about that once GNU/Linux has conquered the world, anyway.

Bruce Stephens

<long rant removed>

One difference between Windows vulnerabilities and Linux
vulnerabilities is that I get announcements of Linux updates as they
become available, almost always before an exploit has appeared, but MS
prefers to announce it's patches on the Wednesday *after* an exploit
or almost at the same time as the exploit. Another is that the Linux
patches almost never break anything and the Windows patches often
break something that doesn't even seem to be closely related to the
vulnerability. I apply Linux patches without much thought, but I
cringe when applying one to Windows.

Yes, both are buggy, but there is a difference in the extent of the
bugs: Linux bugs tend to be localized and MS bugs tend to affect the
entire OS package, or at least large sections of it.

As a final note, most of what you are calling Linux bugs are not in
Linux at all, but in the GNU utilities packaged with it, so it would
be more accurate to say that Linux has very few bugs but that there
are many bugs in the individual GNU utilities, each of which is a
separate program, but no one or even many of them have nearly as many
as the one integrated Windows program. You can run Linux without Most
of the GNU utilities, but you can't run Windows without any of its
buggy parts.




T.E.D. ( - e-mail must contain "T.E.D." or my .sig in the body)

Ted Davis

"Martin C.E." <> wrote in message
news:93FEDBCA34674835A@130.133.1.4...
> I only cane across this slightly old article recently (see below).
>
> What is the conclusion - that what the author says is a true
> reflection of the situation or that he is overstating his case?
>

It's overstated, not a fair comparison.

Langa's conclusion that Linux is "just as buggy" as XP seems obviously wrong
to me as a user of both systems. I use Windows XP for office and business
stuff, and Red Hat Linux 8.0 for Python development. I like Windows for its
usability and Linux for its openness and robust architecture. I would be
very happy to see Microsoft fix XP, or even start from scratch with
"Longhorn" and this time get it right. Then I could avoid the coming
painful "migration" of all my office and business stuff to Linux. XP doesn'
t need perfect security. Just good enough that I don't have to waste any
more time on security issues, like this last three weeks dealing with bugs
in McAfee Antivirus and an onslaught of the Swen virus. Also, I really don'
t care about the cost of M$ software. It is insignificant compared to one
day of my time.



The Linux patch counts may look bad to a bean counter, but as a user I feel
good seeing the occasional email from Red Hat when one of these patches is
relevant to my system. It is usually some fix to an obscure problem that
might be a vulnerability, but probably isn't. I schedule the patch
immediately, and never think about it again. Maybe I'm wrong, but my gut is
telling me that Linux is going to keep its high-security status, even as it
becomes more popular among less sophisticated users, and even as it acquires
thousands of buggy applications. I don't know if Windows will ever reach
the level of security I need.



Why do I think this way? I'm no expert, but here is my take. Linux / Unix
was developed by some very bright people working independently of commercial
pressures, and focused totally on "doing what is right" to make a robust and
versatile operating system. Windows was developed under intense commercial
pressures, which led to many compromises, the two most important being time
vs perfection of code, and bundling vs modularity and clean interfaces.
This means that Linux now rests on a very solid foundation, and Windows is a
bloated mess that will be very costly to fix.



Counting patches is not a good way to compare systems when one is
open-source and the other is commercial. Open-source developers are highly
motivated to discover and report bugs. Commercial developers report only
the ones they have to. Red Hat should get credit, not criticism, for the
number of patches they have provided.



I'll bet Microsoft would pay $1B if they could just make their security
problems go away.



- Dave

Dave

Dave wrote:

> "Martin C.E." <> wrote in message
> news:93FEDBCA34674835A@130.133.1.4...
>> I only cane across this slightly old article recently (see below).
>>
>> What is the conclusion - that what the author says is a true
>> reflection of the situation or that he is overstating his case?
>>
>
> It's overstated, not a fair comparison.
>
> Langa's conclusion that Linux is "just as buggy" as XP seems obviously
> wrong
> to me as a user of both systems. I use Windows XP for office and business
> stuff, and Red Hat Linux 8.0 for Python development. I like Windows for
> its
> usability and Linux for its openness and robust architecture. I would be
> very happy to see Microsoft fix XP, or even start from scratch with
> "Longhorn" and this time get it right. Then I could avoid the coming
> painful "migration" of all my office and business stuff to Linux. XP
> doesn'
> t need perfect security. Just good enough that I don't have to waste any
> more time on security issues, like this last three weeks dealing with bugs
> in McAfee Antivirus and an onslaught of the Swen virus. Also, I really
> don'
> t care about the cost of M$ software. It is insignificant compared to one
> day of my time.
>
>
>
> The Linux patch counts may look bad to a bean counter, but as a user I
> feel good seeing the occasional email from Red Hat when one of these
> patches is
> relevant to my system. It is usually some fix to an obscure problem that
> might be a vulnerability, but probably isn't. I schedule the patch
> immediately, and never think about it again. Maybe I'm wrong, but my gut
> is telling me that Linux is going to keep its high-security status, even
> as it becomes more popular among less sophisticated users, and even as it
> acquires
> thousands of buggy applications. I don't know if Windows will ever reach
> the level of security I need.
>
>
>
> Why do I think this way? I'm no expert, but here is my take. Linux /
> Unix was developed by some very bright people working independently of
> commercial pressures, and focused totally on "doing what is right" to make
> a robust and
> versatile operating system. Windows was developed under intense
> commercial pressures, which led to many compromises, the two most
> important being time vs perfection of code, and bundling vs modularity and
> clean interfaces. This means that Linux now rests on a very solid
> foundation, and Windows is a bloated mess that will be very costly to fix.
>
>

Some of the new Linux distro's are a bit buggy,/Bloated. Redhat 9, Mandrake
9.1. They seem to have went out of their way to make them user friendley,
and easy to install.

Here is an example: My friend Richie got Mandrake 8.2 I think, I installed
slackware. We both have the same computer, same hardware. My pc was running
at least 4 times faster than his was. BUT his was easy to install, where I
had to do xf86config to even get to my desktop. His was pretty secure out
of the box, slack was wide open. I had to learn how to setup IPtables and
all that fun stuff that Newbies hate. So you have a choice,easy use and a
sluggish machine, or something that's a bit harder to setup but runs much
faster..

I switched over to FreeBSD 4.8 and would never go back to Linux. You can use
the same desktops that you have on Linux, KDE/Genome and a few others to
choose from..BSD freaking flys, It seems to be real lean.

Chris

On Mon, 22 Sep 2003 21:43:02 GMT, "Don Kelloway"
<> wrote:

>"Colonel Flagg" <> wrote in
>message news:.. .
>> In article <93FEDBCA34674835A@130.133.1.4>,
>says...
>>
>> Linux, IMHO *is* a better OS, for me, a computer professional. The
>Linux
>> desktop isn't ready for the masses, yet. Rome wasn't built in a day,
>but
>> it's still Rome, it's still there and it will be around for as long as
>> it matters.
>>
>
>Let's just hope the feral cats running all over the place don't take it
>over first, but if they do. The coliseum will understandably be their
>first victory. I never saw that many cats (freely running around in one
>place) in all my life.

Fifteen years ago it was totally overrun with rats. Take your
choice, rats or cats.

BoB
For the duration, my address is fake.

BoB