2004-07-01
The curse of complexity is the bane of every security administrator, so UNIX users take your pick: would you like BSD or Linux?
Don't forget about Macs!!
2004-07-02
Anonymous (2 replies)
>
> If you want to flame about BSD and Linux, you can always post on Slashdot, but
> if you're going to write an article for SecurityFocus, I would have hoped that
> you would include a few facts.
The article was never intended to "flame" Linux, only point out the vastly different approach to complexity (compared to traditional UNIX) that's being taken by some of the more popular Linux distributions.
> The article swings between extreme arguments for and against homogeneity,
> confuses the debate over command-line vs. graphical administration with the
> choice of OS (Linux and BSD both stem from and support a strong UNIX tradition
> of non-graphical administration), OS complexity, end-user complexity and
> application choice. It even drops the GPL vs BSD license issue with a quick nod
> to the complexity of the GPL, but no indication of why that should be a
> problem, and especially why that should be a problem with respect to security!
The complexity of a given desktop or server computer is dictated by both the operating system as well as its applications.
The comparison between /usr/bin/calendar and Evolution was not meant to be a direct comparison between BSD and Linux distributions, only to talk about complexity in general and people's unnatural obsession with it. That being said, I'm sure I wouldn't be hard-pressed to find a Linux distribution that installs Evolution or Ethereal by default, and doesn't install mutt, calendar or tcpdump. Why? Because some of the most popular Linux distributions are embracing complexity, and favouring (by default) complex solutions over simpler ones. This is perhaps the key point of the article; there is no intended blanket suggestion that BSD is "better" than Linux.
In hindsight, dropping the BSD versus the GPL license issue in this article might not have been a good idea; I can certainly see how it might lead you to believe that I'm taking random shots at Linux, as it certainly makes a poor example for the main points that I'm trying to discuss. Point taken.
> I don't even know what to say... it's just bad. I'm sorry to Mr. Miller. I know
> I'm being quite harsh, but I feel I must. I'm a BSD user from the 80s and
> though I use Linux today for just about everything, I have a strong fondness
> for BSD still. This kind of bad writing in its defense churns my stomach.
No need to apologize; everyone is entitled to an opinion. This really wasn't meant to be a "BSD versus Linux" shoot-out, but more of a comparison between BSD and the more popular Linux distributions with regard to how they embrace complexity. Also, that security is more difficult to achieve in a complicated system than in a simple one.
> You want a defense of BSD with respect to security? Here it is: BSD is not
> Linux (though some of the parts are in common). BSD is not System V UNIX or its
> derivatives (though some of the parts are in common). This means that the
> continued use and strength of BSD and its approach to system software
> represents a diversity of operating systems that thwarts one-size-fits-all
> attacks and provides an alternate medium in which to cultivate the best
> security practices.
>
> Notice that I was able to make a strong argument for BSD without having to be
> divisive or paint some other open source OS as a villain.
I'm sorry if you found the general goal of the article misleading, and found that it painted a bad picture of Linux, as that was not my intention. BSD and Linux are different, and such is the beauty of UNIX (variety). My goal was to compare, and not to compete.
J.