, 2003-11-26
Linux vendors spend money building security bug fixes. How much longer will they give them away for free?
Ending the Free Lunch
2003-11-26
Anonymous (1 replies)
Ending the Free Lunch
2003-11-27
Anonymous (2 replies)
Missed the point quite a bit
2003-11-28
Anonymous (1 replies)
If I paid you Hal, if I paid YOU, would you stop writing such asinine articles?
2003-11-29
Edward W. Ray

2) Even if the thing is no longer supported by the company that distributed it, you still have the source code on hand to make the patches yourself (if indeed you use that particular feature - if you don't and you can't code all that well, then chuck that portion of the code out, recompile the kernel, and you're just as protected, with a performance boost to boot.) Otherwise, if you can't find the thing anywhere and you actually need it done, you can always hire local help to write a patch for you.
This is a far cry from the poor sods who will be left with patching their old NT 4.0 boxes on their own a year off from now (I believe that's when MS decided, after umpteen extensions, to finally cut off the NT folks?)
2) "If you're a software vendor, these resources aren't free. Developer time that could be dedicated to creating new or improved products that are, ironically, often also given away for free, are instead devoted to providing maintenance on applications not originally authored by the vendor."
Err, philosophical nitpick here: Places like RedHat and IBM aren't selling the software product per se, they're selling the services that go with it. Otherwise, it appears that RH is addressing that with the Fedora Project and its differentiation between Fedora (free, community-oriented), and RHEL (free only as in speech, as the GPL requires).
3) "But the vendor resources are dedicated to the security holes. The vendor puts out the fix, and gives it away for free."
...and this is different from Microsoft's approach to distributing security fixes... how?
It makes perfect sense to distribute security fixes for free, no matter who you are. It is more vital for proprietary vendors than OSS ones, yes, because of the lack of source code from which folks could create a DIY solution. OTOH, when you're just starting out, and working to build a solid reputation with your customers, it would make sense to do it even if you give away the source code to it all.
4) "For example, Red Hat moving to Enterprise distributions, which cost significantly more, and dropping their desktop operating systems."
This is a completely inaccurate statement. http://fedora.redhat.com replaced that "desktop operating system" with a more community-based model.
/P
Link to this comment: http://www.securityfocus.com/comments/columns/200/23896#23896