2003-11-26
Linux vendors spend money building security bug fixes. How much longer will they give them away for free?
Ending the Free Lunch, 2003-11-26, Anonymous (1 replies)
Lots of points missed..., 2003-11-26, Penguinisto (2 replies)
Ending the Free Lunch, 2003-11-27, Anonymous (2 replies)
Missed the point quite a bit, 2003-11-28, Anonymous (1 replies)
If I paid you Hal, if I paid YOU, would you stop writing such asinine articles?, 2003-11-29, Edward W. Ray

> usually very quickly, if it happens to
> involve a piece of software that's
> distributed widely, and included as a
> standard package in most UNIX and Linux
> distributions. But it's not the
> much-ballyhooed open-source volunteer
> community that's providing the fix.
Ahem...this is a rather ill-informed analysis. A lot of the bugfixes DO come from the "volunteer community," it's just not always easy to spot when they do.
For example...
zlib: 1.1.4 had a corner-case vulnerability. Although I'm not a core zlib developer, I contributed various patches to fix it, a couple of other developers (primarily the OpenPKG team) added some extra fixes to those patches, and significant pieces of those patches got integrated with the zlib 1.2.x release. But just looking at the 1.2.1 tarball, you wouldn't know how many hands worked on those fixes.
SGI XFS: 1.2.x (and CVS up to the beginning of May 2003) had a frequent habit of deadlocking on the Alpha platform. I hammered at that bug for several days and finally came up with a fix. The fix later got put in CVS. Again, I don't consider myself a core XFS developer, just another community volunteer. And it's still impossible to trace this fix back to me, just looking at the source.
In fact, I've contributed more patches to more open-source projects than I can count, and I'm only a "core developer" of two or three projects. My name rarely ever makes it into a ChangeLog, so you usually don't see my hand shaping the software you use. It's there all the same.
I'm not doing this to blow my own horn (thus why I post as Anonymous); I'm just pointing out where Flynn's analysis falls down. There's often no clear line between the "volunteer community" and a project's core developers, and even when there is, I doubt Hal Flynn (or anyone) is able to accurately trace exactly who developed every OSS security fix out there. CVS logs often aren't enough for that.
Link to this comment: http://www.securityfocus.com/comments/columns/200/23975#23975