Ending the Free Lunch
Hal Flynn, 2003-11-26

Linux vendors spend money building security bug fixes. How much longer will they give them away for free?

Ending the Free Lunch 2003-11-26
Anonymous (1 replies)
Here's my answer:

Security updates cost money in development time, organizational effort and distribution (i.e. bandwidth). It makes sense though that security fixes should be free if someone pays for the operating system.

Users who have not paid for the operating system should not be entit...

The Cost of Ending the Free Lunch 2003-12-01
Anonymous (1 replies)
There is a COST associated with "Ending the Free Lunch": IF you end the "Free Lunch" and you get ONE BAD security related problem -- say a virus -- and people have not patched their systems because they'd have to spend $$$ -- lots of $$$ -- to keep up with the security fixes, then the virus will spr...

The Cost of Ending the Free Lunch 2003-12-06
Anonymous
I totally agree. Vendors offering their version of an open source product protect the future of it by contributing security patches for it.

The instant a vendor starts charging for security fixes for their OS, you'll probably see a mass exodus to the one(or many) that provides them for free.

...

Ending the Free Lunch 2003-11-26
Rob McQuillen
Hal,
Interesting article, but I'm having difficulty believing that vendors, be they of free or commercial software, charging money for security fixes could be anything but bad news for an Internet that already enjoys Free Patches For All, yet is still rife with security disasters.

It certainly m...

Lots of points missed... 2003-11-26
Penguinisto (2 replies)
1) Usually, (unless it's a critical flaw) the OSS community will wait to give the program maintainer a chance to release the patch him/herself. It makes more sense that way, since the source is trusted and the patch won't interfere with the overall plans of the maintainer.

2) Even if the thing i...

Lots of points missed... 2003-12-01
Anonymous (1 replies)
1) RedHat shifting their desktop to Fedora is really only a precursor to their release of a Corporate Desktop Edition of RedHat. They didn't want to compete with themselves.

2) In most cases the SSH or Apache or whatever team fixes the bug and then the vendors roll that patch into their version ...

Lots of points missed... 2003-12-01
Penguinisto
1) Maybe... dunno if they decide to do that or not; if they do that's cool, since they'll most likely retain Fedora in either event, given their commitment to it thus far. Only time will tell, though.

2) Yep - I agree perfectly :)

In either case, Mr. Flynn really needs to go grok RH's actions ...

Lots of points missed... 2003-12-02
Anonymous (1 replies)
> 4) "For example, Red Hat moving to
> Enterprise distributions, which cost
> significantly more, and dropping their
> desktop operating systems."
>
> This is a completely inaccurate statement.
> http://fedora.redhat.com replaced
> that "desktop operating system" with a
> more community-bas...

Lots of points missed... 2003-12-03
Penguinisto
sure, they don't "support" it... officially. Instead, they contribute developers, servers, bandwidth, research, etc. etc. etc.

No warranties implied and all that (as usual), but otherwise they're in it up to their armpits ;)

/P...

There Ain't No Such Thing As A Free Lunch 2003-11-26
Anonymous
Point 1: "Who pays for fixes?"

The reason that most of the fixes come from the big companies is simple: The big companies (Red Hat, Suse, etc.) have *hired* the people that wrote the code in the first place.

It's silly to conclude that "there would be no fixes without the big companies." The c...

Ending the Free Lunch 2003-11-27
Anonymous Coward
My god, is this a fundamentally flawed idea or what?

"Company X: Hey, there is a security fix for that program you bought off us"
"Customer Y: Great, where is it"
"Company X: Oh, we can't GIVE it to you, pay up and bend over"

Now what customer in their right mind is going to pay for software w...

Ending the Free Lunch 2003-11-27
Anonymous (2 replies)
To put it simply, if I buy a car and find that the door-lock doesn't work I would demand, at least, that the lock was changed for one that worked.

Why should we expect less from a software vendor? If they write code that doesn't work correctly (and yes that does include security, just as with a c...

Ending the Free Lunch 2003-11-28
Anonymous (1 replies)
Agreed. RedHat for example can't even keep their header files matched with the kernel in their distributions. And they have the nerve to charge for support? Seems like a money making scam to me....

Ending the Free Lunch 2003-12-01
Anonymous
"RedHat for example can't even keep their header files matched with the kernel in their distributions."

The header files should match libc, not the kernel. They are the headers that libc was built with. (I have no idea whether Red Hat is doing that right or not.)...

Ending the Free Lunch 2003-11-28
Anonymous
"To put it simply, if I buy a car and find that the door-lock doesn't work I would demand, at least, that the lock was changed for one that worked."

"Why should we expect less from a software vendor? If they write code that doesn't work correctly (and yes that does include security, just as with ...

Apple no, Suse sure 2003-11-27
groovecat
This article seems to be a bit confused, in particular because it's arguing that people shouldn't get free support for free operating systems, and then applying that argument to MacOS, which people pay for. Gah?

I don't agree that Apple should have charged for security updates - people buy the pr...

Ending the Free Lunch 2003-11-27
Anonymous
Free lunch? Hal, have you somehow forgotten what makes up Free Software distributions? I'll answer that for you: the work of Free Software developers worldwide.

Many companies finance important Free Software projects and developers within their organization (Red Hat, Mandrake, etc). But how in...

Ending the Free Lunch 2003-11-27
cowbutt
I'm sorry, but this article is almost completely oblivious of the way security issues are found and quashed within Free and Open Source software.

Unlike proprietary software, typically the flaws are found by the developers themselves and the fixes rolled into the canonical release (the "upstream"...

Does Microsoft or SCO supply Security Focus writers? 2003-11-27
Anonymous (2 replies)
That was about the most short-sighted article I've seen yet on SF.

Microsoft has enough trouble convincing the world they can make anything secure. Imagine how bad the worms and viruses would be if MS charged for patches. They can't get half the world to apply patches when they're free and compl...

Does Microsoft or SCO supply Security Focus writers? 2003-11-27
picklepak
Listen retardo, everyone knows that SCO is being backed by Microsoft in a final attempt to, once again, fragment Unix at a time when the Unix-like Operating System concept is stronger than ever. Everyone knows that at any one time there are a dozen or more unpatched vulnerabilities in Internet Explo...

Does Microsoft or SCO supply Security Focus writers? 2003-11-29
Anonymous
>> The most disgusting thing about these SF articles is they get reprinted without the feedback of readers all over the place. So many readers will come to the conclusion that opinions expressed in the articles are representative of the security community. <<

Then again, why wouldn't it be represe...

Ending the Free Lunch 2003-11-27
Anonymous (2 replies)
Makes Microsoft software seem a lot better. The only way people are going to adopt Linux is if it is better (not even close at the moment in security or ease of use) or if it is free. Once a company actually tries to charge for Linux, people will start jumping back to Microsoft in droves. So right now t...

Huh? 2003-11-28
OCG (2 replies)
This is pretty ignorant. Show me a copy of the "draconian license agreement" RedHat is trying to enforce.

RedHat Linux is still GPL and, while they want you to pay for support now, if you decide to stop paying you still have a legal license to use the software.
...

Huh? 2003-11-30
Anonymous (1 replies)
Open source in name only. It's like school cafeteria food. As long as it's free or almost free you might eat it, but if they try to charge for it you are going to go to a real restaurant. It's what Microsoft was banking on. Sooner or later the Linux companies were going to burn through their IPO money and ...

Huh? 2003-12-01
Anonymous
Wonderful example of speaking without knowing what you are talking about. Bravo!

"Sooner or later the Linux companies were going to burn through their IPO money and have to start charging for the product. IBM is a service company. They make money selling support. They will probably do ok with li...

Huh? 2003-11-30
Anonymous
Even big brother Bill doesn't threaten to come into my house for an audit....

Ending the Free Lunch 2003-11-29
Anonymous (2 replies)
You're *funny.*

Let's look at an actual case in which an FS/OSS product has three times the install base of the MS equivalent. That is, Apache.

All but about three security problems are in IIS. The "swiss cheese" of webservers. Apache is dominant because it's better. More secure, more reliable...

Ending the Free Lunch 2003-12-02
trips
Too bad the facts don't match your opinion....

HEEE HEEE 2003-12-02
Anonymous
Might have to reboot now to patch that wide open kernel. heee heee heee

Wonder if that's code ripped off from SCO that's vulnerable....

I'll cook the free lunch; I'll provide the meat, you provide the vegetable 2003-11-27
picklepak
I disagree with this article. For those open-source operating systems where security and correctness is a key priority, patching vulnerabilities happens extremely quickly by a small group of extremely dedicated individuals. Have you ever heard of an arcane group of BSD-based operating systems known ...

Filet Mignon 2003-11-28
Tomothy Millen
Hey let us put a bounty on the heads of criminals who exploit holes in OSS, that way we can get some money to buy our filet mignon.

YAY!!!!!!!!...

Missed the point quite a bit 2003-11-28
Anonymous (1 replies)
The GPL, by definition, prevents this problem from ever happening. If more than 5 people are using a piece of GPL software, no matter how old it is, someone will release a free patch for it. People have become way too dependent on prepackaged binaries from distros. They act like if their distro doesn'...

Missed the point quite a bit 2003-12-01
Anonymous (1 replies)
Exactly. Yet another fine example of a press individual who can't wrap his mind around the concept of free software and/or the GPL, so he tries to view it through the horse blinders of commercial software. Things don't work that way. He sees RedHat or Suse, or whoever is his favorite distro, as...

Missed the point quite a bit 2003-12-02
Anonymous
Maybe I'm too busy doing other things like reading Security Focus. Creating a makefile might take away from my surfing errr! research time. :)...

Ending the Free Lunch 2003-11-28
Anonymous (1 replies)
So, Flynn, you going to start shaving any time soon?

Sheesh. I actually started to take you seriously. I didn't realize you only had your bike's training wheels taken off last week.

Get a clue Skippy. We knew how to write software that wasn't garbage before you were born. Having your program c...

Ending the Free Lunch 2003-12-02
Anonymous
> "Product liability."

You mean like the liability imposed by this section from the GPL, right?

NO WARRANTY

11. BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY
FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW. EXCEPT WHEN
OTHERWISE STATED IN WRITING THE CO...

If I paid you Hal, if I paid YOU, would you stop writing such asinine articles? 2003-11-29
Edward W. Ray
This moron is a security consultant? Why do you think MS is keeping a $50B cash hoard? Companies as well as individual users are not going to stand for flawed software which impacts their bottom line for much longer. Linux at least has an excuse, it is essentially free. But now that Red Hat and S...

UH? 2003-11-30
Tripper
How about no one would pay. Paying to get stuff fixed that was broken when I bought it.
Right!...

Bah. Security-Fixes for Enterprise-Linux have never been free 2003-11-30
Anonymous
e.g., SuSE has a quasi-subscription-model in their Enterprise-products line, called "maintenance":

- paid yearly
- you get access to the site where the patches are hosted
- you get support (it's not bad actually)
- while your maintenance is running, you can upgrade to the next version of the...

So wrong..... 2003-12-01
jmorris@beau.org
I'd suspect the primary reason the proprietary vendors tend to supply the errata free is because they don't like the alternative. Hint: it wouldn't be collecting fees. Try wrapping your puny mind around the thought of FTC mandated product recalls.

Software is the ONLY major US industry which t...

This article is a trollbait, and FUD too 2003-12-01
Anonymous
Surprise, surprise, it's the maintainers of software products who deliver bug fixes. And for some reason, the author does not consider them members of the open source community. Hell knows why. The next thing is that he expects distributors to charge for the updates. But what if the software is GPLe...

GPL - simple really 2003-12-01
Anonymous (1 replies)
Quote:

Part of Section 1 of the GPL

You may copy and distribute verbatim copies of the Program's source code as you receive it, in any medium, provided that you conspicuously and appropriately publish on each copy an appropriate copyright notice and disclaimer of warranty; keep intact all the ...

GPL - simple really 2003-12-03
Anonymous
The GPL only applies to a proportion of free software.

Apple are building on a lot of BSD licenced code. Here it is in Apple's interest to return patches to the core code, so they don't have to live with the hassle of working in a branch. Sure Apple have plenty of code to maintain without adding ...

wrong 2003-12-01
Anonymous
Charging for security updates will accomplish two things:

- drive customers away
- increase the number of vulnerable systems dramatically

The reality is, if forced to pay, many people just won't update.

Neither of these is in any vendor's interest....

Freedom, not Freeness 2003-12-01
Frihet
I've always been happy to pay Red Hat to keep my PC operating system up to date and secure. I thought RH9 and Red Hat Network made for the best workstation combination available. Of course, I cheerfully paid my $60 per year for the Network. Unfortunately, the recent downgrade and 4X (according to...

Ending the Free Lunch 2003-12-01
esjatharvee
It's not about freeloading. It's about defective products. If I purchased a product and it is broken or defective in some way, I have rights under the law to get that product replaced or repaired at no charge.

The same should be true for software. If some distribution vendor puts togethe...

Ending the Free Lunch 2003-12-01
Joseph Smith
Open the pod bay door, Hal. I think you need oxygen. Seriously though, I think using a photo of a twelve-year-old next to this incoherent twaddle was an apt decision.
Good luck with puberty....

Ending the Free Lunch 2003-12-01
Anonymous (1 replies)
> Inevitably, somebody fixes the problem --
> usually very quickly, if it happens to
> involve a piece of software that's
> distributed widely, and included as a
> standard package in most UNIX and Linux
> distributions. But it's not the
> much-ballyhooed open-source volunteer
> community tha...

Ending the Free Lunch 2003-12-07
Anonymous
Cannot agree more with your reply.

...

Ending the Free Lunch 2003-12-01
Anonymous
Who is this kid anyway? Perhaps his apparent youth should be the tipoff that he hasn't been around long enough to know what he's talking about as he clearly doesn't.

As if Linux and its requisite security fixing just sprung up in the last couple of years with the big commercial vendors... Lin...

Ending the Free Lunch 2003-12-01
Anonymous (1 replies)
"Flynn is just mad because he thinks somebody should give him money. Why? Because he has a cool haircut."

I suppose "cool" is in the eyes of the beholder. I'm not big on Marine-chic myself :)...

Ending the Free Lunch 2003-12-02
Anonymous
"I suppose "cool" is in the eyes of the beholder. I'm not big on Marine-chic myself :)"

I read in one of his books that he was a Marine. No surprise there....

Who actually fixes bugs? 2003-12-01
Anonymous (1 replies)
The author has assumed that the software vendor fixes bugs and that therefore they should charge users for it.

The truth is the complete opposite. The tricky and time-consuming part of fixing bugs is finding them, not fixing them once they have been found. Testing code for bugs is a very expensive...

Who actually fixes bugs? 2003-12-03
Anonymous
Agreed - finding the bugs is the real cost - hence the proliferation of on-error feedback software. Every time I close a locked program on XP, the OS asks me if I'd like to send in a bug report... Think that "feature" is there for my benefit only?...

Ending the Free Lunch 2003-12-01
Z2
Hi Hal,

Let's say you have just installed a new lock on your house and a few months later somebody finds out that the lock has a serious flaw, publishes it in the local newspaper and anybody can walk into your house while you are having your non-free lunch in the local restaurant. Do you really t...

Ending the Free Lunch (IT reporting) 2003-12-01
Anonymous (1 replies)
Recently there has been a continuous drop in the quality of free news reporting in the IT industry. Sites claiming to offer the latest free news in the IT industry have instead started to cater to their advertisers, writing so called articles based on what the PAYING advertisers would like to see ...

Ending the Free Lunch (IT reporting) 2003-12-01
Anonymous
This should not be surprising in a business model where the product is the audience and the customer is the advertiser. This is a thorny issue for advertising-based publishers because the content that the audience likes may not be palatable to the advertiser. In such a case, the advertiser may threa...

Journo-Lobbyist 2003-12-01
Anonymous
It shouldn't come as a surprise to anyone that this writer has an ax to grind, just look at the title of the article. Compare "Ending the Free Lunch" with Darl McBride's speech "No Free Lunch... and No Free Linux". This article is way too transparent to be thought provoking. The proprietary softwar...

Ending the Free Lunch - References? 2003-12-01
Anymouse

"But it's not the much-ballyhooed open-source volunteer community that's providing the fix. One wouldn't even know that community exists, if they weren't brought up each time the arguments for open-source are made."

So I guess that since my servers run Slackware I am SOL because RedHat is d...

Ending the Free Lunch 2003-12-02
Anonymous
I suspect the reason why fixes to any OS are given away for free is fundamental product policy, which goes something like this:

Would you ever keep a product that was inherently faulty, or broken? Most of us would return a faulty DVD player or VCR or TV or car or any other type of product immedia...

Ending the Free Lunch 2003-12-02
Anonymous
Most of the reactions are quite interesting and show the "religious" behaviour of the Linux geeks (I am only a Linux developer/user).
The point of the article was to show that the business model of the Linux distrib makers may be changing, and therefore shift from a "we help the world" mindset to ...

Ending the Free Lunch 2003-12-02
Anonymous (1 replies)
I think Mr Flynn makes some legitimate points:
- software development is costly, and software security issues are really costly to find, fix, test, and distribute in an easily usable way
- if you run a business, you have to make money
- the community is not responsive to customers

Software deve...

Ending the Free Lunch 2003-12-04
Anonymous
One thing that should be said is that the vendors _package_ most of the patches. While they do substantial work in enhancing the security of their software, you cannot expect them to know more about Apache than the Apache consortium does or more about BIND than the ISC does. They bundle a lot of ...

Lame article 2003-12-05
Anonymous
You must be a SCO fan. And/or you have absolutely _no_ idea how open source works. Useless propaganda. Uggh.

How about a little research and some numbers before you make a fool of yourself again?
...

Ending the Free Lunch 2003-12-05
Anonymous
The thing is though, one of the major advantages of using linux is that it is free.

I'm almost sure that at least one linux vendor would still distribute the fixes for free, and I'd bet money that most, if not everyone, would change to that vendor. Which means that more people would support that...

Copyright 2009, SecurityFocus