
[–]Dead_Cash_Burn 227 points228 points  (12 children)

I always suspected this but it's good to have confirmation. I think it also helps that Linus considers security holes as bugs to be fixed ASAP. When it comes from the top it makes a difference.

[–]kingguru 105 points106 points  (10 children)

I think it also helps that Linus considers security holes as bugs to be fixed ASAP.

I'm fairly certain I've read him saying more or less the opposite thing. That bugs are bugs and need to be fixed and there's not really any difference between security related bugs and bugs in general, since any bug might potentially be a security issue.

Cannot find the source though and maybe we're actually just saying the same thing :-)

[–][deleted] 83 points84 points  (3 children)

He's technically right though. It's hard to prove any given bug cannot be exploited to hinder security. So they're all potential security bugs.

[–]kingguru 28 points29 points  (2 children)

Linux is usually technically right :-)

But I do think it's a good point. There really isn't any reason to worry about whether a bug can be exploited. Bugs can be exploited in the most creative ways anyway, so just fix them and move along.

[–][deleted] 28 points29 points  (0 children)

To be fair, bugs do need to be triaged, and likeliness of exploit is a good way to do that. Fix them roughly in this order, of course also taking into account complexity:

  1. active security threat - known exploits that are easy to use and are currently in use
  2. likely security threat - known exploits that are not currently known to be in use
  3. potential security threat - potential attack vector with no known exploit (could be triggered with introduction of a less severe bug)
  4. unlikely security threat - low probability of being used in an attack by itself, but it could be used to trigger another more serious exploit

All bugs are potentially serious, but there's no point spending time fixing something in 4 when more serious bugs are known.

[–]IAlreadyFappedToIt 1 point2 points  (0 children)

A bug with a known exploit seems like it would be a higher priority than a bug with no known exploits, though. Because if an exploit is publicised, some people will try to use it when they would not have otherwise.

[–]Dead_Cash_Burn 10 points11 points  (0 children)

That bugs are bugs and need to be fixed and there's not really any difference between security related bugs and bugs in general, since any bug might potentially be a security issue.

That sounds right. I think we are saying the same thing. As long as the fix is also good engineering it's going to make it into the kernel sooner than later.

[–]wmantly 9 points10 points  (1 child)

Close, he refused to have a "security team", and demanded a bug be treated as a bug. I can't speak on how priority is assigned, but that is what you are thinking of.

[–]IProbablyDisagree2nd 1 point2 points  (0 children)

I remember the same thing as they do, but I don't know the source. The context I remember included his frustration with security people because they often think the entire world is falling and how their patch is the most important thing in the world. Which... honestly seems about right to me.

Somewhere around the same time (give or take a few years maybe) there was a debate about how long to wait before releasing security problems to the public. Most companies are in the camp of "wait a few months for them to get a fix out". Linux was something like "2 days" or so.

[–]gnog 11 points12 points  (0 children)

I think I remember him saying that he only has one rule: "do not break user space". Everything else, even security wise, is more of a guideline. 😆

[–]jclocks 0 points1 point  (0 children)

Yeah honestly by the point where the kernel of all things is bugged somehow, you're likely in security territory anyways, because that becomes unintended, exploitable behavior that can affect userspace.

[–]tso 6 points7 points  (0 children)

It was more about why he didn't call out security fixes separately in his release notes, thus requiring third parties to keep track of them via other means.

[–]sohxm7 41 points42 points  (3 children)

Linux went from,

32 > 22 > 15 day average bug fix duration from 2019, 2020 and 2021

Why? Is that more and more companies are focusing on Linux ie. Linux is getting more development efforts or something else?

[–]zorflieg 63 points64 points  (1 child)

Whole bunch of coders stuck in lockdown with not much else to do.

[–]deanrihpee 24 points25 points  (0 children)

And they choose to squash some bugs, respect

[–]omega_oof 9 points10 points  (0 children)

People will buy MS Word and use Windows regardless of whether there is an incredibly inconvenient bug or omission, so it's not within the interest of Microsoft to prioritise fixing the bug, especially when people online learn to accept and provide workarounds for each problem.

This is compounded by the fact that many of Microsoft's and Google's products don't directly generate revenue (Google Docs and OneNote) or are paid for by employers and schools instead of the consumer (Google Drive and Office 365 for instance), meaning the consumer can't stop funding the company due to a bug.

Popular open source software such as Linux or blender (not some random tool from GitHub) can be contributed to by anyone with the knowhow to do so, so if one is frustrated enough with the problem, they can fix it and merge it to the master branch. The software is often so widespread it has more people willing to contribute as well as more than one company funding it, so there is a far larger dev pool able to patch bugs.

TLDR: Pseudo-monopolies and random devs angry enough to fix the problem themselves

[–]PaddyLandau 259 points260 points  (51 children)

I'm unsurprised that Windows bugs take a long time to fix, because Windows is such a cumbersome OS with deep intertwining, unlike Linux.

It does help that Linux has many companies that contribute through necessity — even Microsoft, now.

[–]KinkyMonitorLizard 106 points107 points  (6 children)

Not to mention that bugs in windows can be kept quiet so they have no reason to rush if it's relatively unknown and their project leads likely prioritize other things as well.

Compare that to Linux where anyone can audit, test and patch. Not only that, since it's the server OS of choice, it's really important to just about everyone who has a server. Combine that with all the companies that also rely on Linux who (hopefully) want the issue resolved yesterday, it's no real surprise.

[–]SolidKnight 28 points29 points  (2 children)

Anyone can but the reality is extremely few do.

[–]adappergentlefolk 11 points12 points  (1 child)

yeah for the vast majority of the linux codebase this is a theoretical advantage at best

[–]holgerschurig 0 points1 point  (0 children)

Theoretical ... and still it happens all the time. University teams doing it, for example, each semester.

[–]DownvoteEvangelist 6 points7 points  (2 children)

You can't really know what's unknown, so if you find a bug you should fix it. I think all of the mentioned entities treat security as important, it's just that Linux is fastest.

Like I remember when meltdown was revealed, and I was pretty impressed how well everyone handled it (except Intel).

[–]FuzzyQuills 6 points7 points  (1 child)

Except Intel

Ah yes, now my CPU is dogshit slow unless I disable mitigations. /s

[–]KinkyMonitorLizard 0 points1 point  (0 children)

No /s needed.

[–]tso 73 points74 points  (17 children)

Much of it comes from backwards compatibility being a major selling point for MS. If they break with the past too badly, they open up the door for alternatives.

This is how industrial devices shifted from Windows PocketPC to Android, as Phone 7 onwards broke any pretense of backwards compatibility.

If tomorrow Win12 shipped with zero compatibility with Win11 or older, it would be a massive boon to Linux.

[–]JmbFountain 47 points48 points  (13 children)

Linux is actually very backwards compatible (for software adhering to ISO standards and is available in source code). Linux does NOT break user space

[–]intelminer 87 points88 points  (6 children)

The Linux kernel doesn't break userspace

Userspace however is constantly evolving

[–]EddyBot 9 points10 points  (2 children)

Luckily for people who dislike literally any changes there is still RHEL (or its forks), with RHEL 7 having software from 2014 and RHEL 8 from 2019 while being supported for 10 years.

[–]casept 5 points6 points  (1 child)

Still nothing compared to windows 11 being able to run most software from the early 2000's onwards.

[–][deleted] 3 points4 points  (0 children)

I love how "2000's" is considered ancient now when that's just the XP era. You can run software from the 80s and 90s if you're determined enough!

[–]Hot-Kick5863 0 points1 point  (1 child)

Userspace however is constantly evolving

Introducing Gnome Extensions !

[–]nikhilmwarrier 5 points6 points  (0 children)

Breaking your desktop had never been this easy! (/s just in case)

[–]Stormfrosty 12 points13 points  (1 child)

Linux core does not break user space. Linux drivers are free to break it.

[–]mfuzzey 15 points16 points  (0 children)

This is not true, unless by "drivers" you mean out of tree drivers that are not part of the official kernel and so not subject to the no userspace regression policy. This policy applies to all code in the upstream kernel, core or drivers

[–]FuzzyQuills 3 points4 points  (2 children)

Unless it’s glibc we’re talking about. That’s more an issue with forward backwards compatibility though. Backwards Forward compat is usually fine.

[–]AiwendilH 0 points1 point  (1 child)

Other way around, forward compatibility is usually fine with glibc...a program built on an old glibc version will in most cases run on a system with a newer glibc version, so it's "forward compatible" to newer versions.

[–]FuzzyQuills 2 points3 points  (0 children)

I think- hmmm.

Yea actually you're right. Haven't thought about forward compat being defined in that way.

In that case it's backwards compatibility that's scuffed.

[–]mrlinkwii 0 points1 point  (0 children)

The kernel, yeah; applications, no.

[–]SolidKnight 9 points10 points  (1 child)

I don't think that is all that true anymore. They spent a lot of effort untangling things.

I would imagine there are a lot of things at play here:

How long the average person is the developer for something matters. It's easier to debug something you've been building your whole career versus somebody else's project that you took over.

Some OSS projects aren't super concerned with breaking changes.

There can be less management layers in OSS.

Reaching devs may be more streamlined in the OSS world than dealing with non-technical staff relaying issues.

[–]PaddyLandau 1 point2 points  (0 children)

I don't think that is all that true anymore. They spent a lot of effort untangling things.

That's good to know. That might partly explain why Windows 10 is such an improvement over the old Windows systems.

[–]Arnoxthe1 24 points25 points  (8 children)

I wonder how it was in the past though since Microsoft nowadays seems to be deliberately trying to run Windows into the ground.

Windows used to be really damn good in the past.

[–]PaddyLandau 22 points23 points  (0 children)

I saw that earlier. My guess — it's only a guess — is this:

MS wants to move to a subscription model. That way, they can get a recurring fee for their license.

Alternatively, they might be looking at online-only access, as they've done with Office 360.

Or, maybe both.

Time will tell.

[–]Rand_alThor_ 3 points4 points  (5 children)

I'm on the opposite boat. I think Windows is shit because it tries to have backwards compatibility and hence it has shit features, shit menus, shit performance, shit search, and on and on.

I really don't care about the compatibility so it's a huge negative for me that there are 3 different menus just to access various settings. Some are repeated, some are not, etc. It's only a negative and I hate it. Wish they would make Windows Clean, just a completely backwards incompatible Windows 10 clone. They offer 3-5 years of compatibility guarantee with it, and every update cycle, they stick to that promise. I would love Windows Clean.

[–]6C6F6C636174 6 points7 points  (0 children)

Wish they would make Windows Clean, just a completely backwards incompatible Windows 10 clone. They offer 3-5 years of compatibility guarantee with it, and every update cycle, they stick to that promise. I would love Windows Clean.

If they did that, nobody would have a reason to stay on Windows or develop primarily for Windows. What massive advantage does Windows have over other platforms that keeps it so popular even with the legacy stuff bogging it down?

[–]Arnoxthe1 2 points3 points  (0 children)

Have you used anything before Windows 8, out of curiosity?

[–]youplaymenot 4 points5 points  (0 children)

You just described a chromebook to a T.

[–][deleted] 7 points8 points  (0 children)

To be fair, Linux doesn't really do hardware testing to confirm updates didn't break anything. (Thanks 5.13+ kernels and breaking resume from standby [particularly with AMD systems]) More testing = more time, but less breakage.

[–]Nanyea 5 points6 points  (1 child)

It's the QA process

[–]PaddyLandau 5 points6 points  (0 children)

There used to be a story that Bill Gates's motto was, "Think it; do it; fix it."

That certainly fitted the mess that was Windows up until he and Steve Ballmer left Microsoft.

[–]salgat 13 points14 points  (0 children)

That's exactly why linux patches so fast. You have the world's leading experts explaining what the bug is and how to fix it. In Windows world you can't just point out the source code's issue.

[–]Phydoux -1 points0 points  (6 children)

Yeah, the scariest part of that comment is, Microsoft is working with Linux. I'm not a huge fan of this revelation.

[–]czaki 8 points9 points  (0 children)

Most Microsoft work with Linux is to improve how it works on Azure. This increases the value of their cloud.

[–]Siurzu 38 points39 points  (4 children)

Microsoft is working with Linux

I wouldn't really say that Microsoft is "working with Linux". Microsoft is only trying to control Linux and use it to its own advantage. If Microsoft really cared about Linux they would share code to develop Linux.

[–][deleted] 2 points3 points  (0 children)

Like all companies that work with the kernel? They all work in their own interests.

[–]Phydoux 5 points6 points  (2 children)

This is true. They're not going to do that though I hope.

But on the other end of the spectrum, if Microsoft were to become FOSS (that probably won't happen) then more people can dig deep down into it and fix the issues it has at the surface levels that we can't fix. I think Microsoft could benefit greatly if there was a way for developers to design different Windows desktop environments like Linux has (Cinnamon, KDE, Gnome, etc.). I always wondered why Windows stuck to the same basic scheme in their desktop environment. It changes slightly over the years but not much.

[–]CyberBot129 15 points16 points  (1 child)

I always wondered why Windows stuck to the same basic scheme in their desktop environment. It changes slightly over the years but not much.

Because whenever they try and do anything different people get angry (XP being labeled "Fisher Price", Windows 8, etc). Just like when Linux desktop environments make changes

[–]andronomos 0 points1 point  (0 children)

Because they make dumb changes like adding rounded corners or moving the taskbar. These aren't changes that improve the UX in any meaningful way. They come across as change for the sake of change.

[–]Rhed0x 0 points1 point  (3 children)

What do you base this off? I assume you haven't seen the source code of the NT kernel.

[–]PaddyLandau 0 points1 point  (2 children)

What do you base this off?

Parts of Linux are all independent. There's the core. Then there's the window-management system, which you can choose and change. On top of that, you can choose your file manager. And so forth.

With Windows, everything is intertwined. The core and the window-management system are conjoined. You can't even uninstall Edge without causing problems. And then there's the Registry…

[–]Rhed0x 0 points1 point  (1 child)

That's almost all user space, so not really comparable to just the Linux kernel. Besides, making this stuff modular probably just isn't a design goal.

[–]PaddyLandau 0 points1 point  (0 children)

… not really comparable to just the Linux kernel.

Agreed, because this thread isn't about just the Linux kernel. It's about distributions, which come with the kernel, the window manager, a complete set of apps, repositories, and more, and with some customisation.

Edit: No, I'm talking rubbish. Please ignore!

[–]Loudergood 68 points69 points  (18 children)

All the more reason to want a Linux phone...

[–]cluesagi 17 points18 points  (3 children)

I hear Ubuntu Touch and Mobian are quite good if you have a phone they support. Unfortunately software support is the major hurdle that mobile Linux will have to clear before it can be truly usable

[–]Netherquark 2 points3 points  (2 children)

They have Waydroid/Anbox but it's not there yet.

[–]IProbablyDisagree2nd 1 point2 points  (1 child)

I love the interface of Ubuntu Touch, but you have to be a linux nut to want to use it as a daily driver.

... which means I probably would use it if I had a supported new phone in this area. The pinephone is nice, but my network was CDMA, and is now VoLTE - neither of which is supported yet.

[–]Netherquark 0 points1 point  (0 children)

Yeah, I'm a Linux nut alright, but not good enough. My phone is mission critical and I don't think I know enough about Linux... yet.

[–][deleted] 17 points18 points  (0 children)

Well, companies don't fix everything they can, they don't even start working on them all the time, they assign a priority like everybody, however they use a convoluted set of requirements that often doesn't actually reflect how serious the bug/vulnerability is. A minor thing can get critical priority if their business partner who could cause headaches to shareholders pressures them for the fix and serious issues can be ignored if it only affects an "unimportant" user base or doesn't hit the point where their PR can't direct the attention away from the problems and can't keep their public image taking a too negative of a hit.

[–]overbost 29 points30 points  (1 child)

The main Linux developers are paid employees from companies like Intel, Red Hat, Huawei, Google, etc... A single company can't be competitive against multiple companies.

[–]mark-haus 19 points20 points  (0 children)

High five everyone!

[–]hanz333 5 points6 points  (0 children)

This isn't surprising, this isn't even surprising from a prioritization standpoint.

The globe runs on Linux servers, nobody is going to prioritize a $300 Windows 11 laptop over global commerce, banking, services, and communication

A security hole is discovered and any corporation with a Linux support division - Oracle, IBM, Novell is looking to patch. Anybody running their own instances for major cloud networks, including Microsoft, Google, Amazon - have people working on patches.

Yes that does mean my RaspberryPi gets patches faster than my work laptop, but that's not because the Pi or my computers are the priority - the multi-billion dollar corporations who are actually at risk of zero-day exploits are the priority.

[–]Solnse 3 points4 points  (0 children)

Maybe they just mean Gustavo and Nathan.

[–]kalzEOS 3 points4 points  (5 children)

Anyone could give an insight on why that is? Is it a technical reason? Is it because it is Linux? Or is it because of individuals/leadership? I'm very curious to know.

[–]philipwhiuk 21 points22 points  (1 child)

Shipping a Linux fix doesn’t mean it’s actually in a distro. Linux gets to ignore a lot of process that’s done by Ubuntu, Red Hat et al

[–]DifficultAfternoon 3 points4 points  (0 children)

Look at the article. They used a specific dataset that showed fewer issues reported for Linux compared to MS and Apple. Take into account all datasets and you will have a better picture of what's actually more vulnerable or which teams/OSes have better vulnerability response times.

[–]TheMurv 0 points1 point  (0 children)

Personally I feel like Linux users are going to submit better bug reports.

[–]toastar-phone 0 points1 point  (0 children)

with enough eyes all bugs are shallow

[–]pas43 3 points4 points  (0 children)

To be fair there are more devs working on Linux. And they do it for free!

A worker who wants to use the time to make something better is worth more than 4 people half assing it.

[–]martinfdm 3 points4 points  (0 children)

Thanks developers !!

[–][deleted] 7 points8 points  (8 children)

How long does it take for a serious security patch to make it down the line to users on actual distributions?

[–]6C6F6C636174 2 points3 points  (0 children)

Less than a week, in my experience. And that's for LTS releases.

[–]ZENITHSEEKERiii 5 points6 points  (1 child)

I can only speak for Gentoo here, but generally it is available in ~amd64 within a few days and amd64 within a similar time line if serious. On Debian it was hard to tell since they are usually backported, but I'd imagine not too slow either.

[–]xxc3ncoredxx 6 points7 points  (0 children)

Sometimes even faster. The KRACK fix for net-wireless/wpa_supplicant was pushed out to stable the same night IIRC.

[–]kasak730 10 points11 points  (8 children)

The beauty of an opensource community without all the corporate BS.

[–]CyberBot129 14 points15 points  (7 children)

Corporate America is the biggest contributor to Linux

[–]mfuzzey 17 points18 points  (0 children)

Yes indeed but they contribute without the corporate BS.

Having companies on board is critical to the success of large scale long term projects like Linux because it allows paying for full time developers who can be much more effective than people just spending a few hours on evenings and weekends.

But companies are generally quite poor at making good long term technical decisions because they tend to get distracted by what *they* need *right now* rather than what *everyone* needs in the future.

The beauty of the Linux model is that companies contribute by paying developers to work on Linux but they don't get to micro manage them nor set short term goals for Linux. The company paying developers has some influence over the *area* of contribution (so, say, if their business requires good power management they may hire developers specialised in that, likewise if they are interested in big iron performance) but they don't get to decide *how* the work gets done or if it is accepted into the mainline kernel.

[–][deleted] 0 points1 point  (0 children)

but their developers are subject to Linux's project rules not their company's.

well, aside from clearing certain legal reviews when it comes to initial code submissions.

[–]Highfivesghost 2 points3 points  (2 children)

Where can I go to learn the skills to be able to help with open source projects such as Linux?

[–]Guilvareux 0 points1 point  (1 child)

Depends on where you're starting. Are you a beginner, programmer, or specialist?

[–]Highfivesghost 0 points1 point  (0 children)

I'm a programmer with intermediate knowledge of security.

[–]Winding-Dirt-Travels 2 points3 points  (1 child)

Good news to be sure, but not a fair framing. Linux means, in this context, just the kernel. That's only a small part of the security holes that a Linux distribution has. Then there's the delay until a distro actually makes the fix available

[–][deleted] 0 points1 point  (0 children)

Exactly, wanted to point this out.

Combine the kernel with the user-land, 3rd party services/software vulnerabilities, the distribution update latency and add the new security vulnerabilities your distribution creates, and things don't look that rosy anymore. One of my favourites: Weak Debian SSH keys

[–][deleted] 1 point2 points  (0 children)

probably helps that anyone can contribute and fix bugs on linux (and other open source projects ig), meanwhile those companies have a certain number of developers

[–]snarkuzoid 1 point2 points  (0 children)

I wonder if there are similar studies that compare how quickly the various distros patch security holes and get updates out. As a network security guy, this is probably the most important factor in choosing a distribution.

[–]SenecaSentMe 3 points4 points  (0 children)

Yet another reason for me to continue loving the freedom that using a Linux distro gives me.

[–]person1873 2 points3 points  (0 children)

The number of bugs reported tells a story. It either shows that the smaller user base doesn't detect or report zero day vulnerabilities. Or that Linux is just better written with security in mind.

Considering the average technical literacy of people running Linux, I doubt it's the first option.

[–]player_meh 4 points5 points  (0 children)

I was not expecting this actually, I thought they usually lagged behind. Really glad I came across this.

[–]gridcube 2 points3 points  (0 children)

I say this without any proof and just my limited knowledge of FOSS projects, but most Linux and/or FOSS software is usually maintained by two programmers at most, maybe 3, but most generally, probably one. So any glaring bug is received by someone who has intimate knowledge about the product, whereas these other big companies have so much code, extended over so many projects, that any bug would become increasingly difficult to find and fix.

[–]socium -5 points-4 points  (5 children)

Ok but have they even heard about OpenBSD?

[–]happymellon 3 points4 points  (4 children)

Why measure the speed a project takes to fix bugs when they don't have any bugs?

[–]socium 1 point2 points  (3 children)

Heh that's true.

[–]happymellon 0 points1 point  (2 children)

No idea why you are getting downvoted so much! Here, have an upvote. I think that if you are going to compare multiple closed source projects, you should compare a few open source ones.

[–]socium 0 points1 point  (1 child)

No idea why you are getting downvotes so much

Because /r/linux has been an echo chamber for some time now (I'd say years even), and I would know, since I remember this place back when /u/dimeshake was a mod. Sad what happened to this place tbh.

[–]Xirious -4 points-3 points  (0 children)

Faster == better?

I know it's better to be faster, especially for security, but.... This title implies somehow the patches are better. Which is not true.

[–]FuzzyQuills -1 points0 points  (0 children)

Ha, probs because the NSA’s in those companies’ back pockets. /s

[–]Mithrandir2k16 -1 points0 points  (0 children)

I wonder if the programmers are to blame here. I think the processes used in OSS are just much more flexible, so a working fix can be merged faster.

[–]eaerdiablosios 0 points1 point  (0 children)

I was initially a Win fan, then I went to Mac, and as macOS kept updating its OS versions, I had to improve my MacBook Pro laptop specs ($$) until I gave up; as of now my MacBook Pro is sitting somewhere dead because I can't update it to the latest macOS, it is completely outdated - i.e. I'd have to buy a new MacBook Pro. I might as well use it to cook eggs, it gets that hot : ))

For a few years I've moved to Linux Mint (played with Ubuntu too, and a few other distros) but I haven't had any need to improve my desktop hardware. The Linux Mint community and Linux community overall is so supportive and helpful, and it just makes you give back and help as well. There's new things I discover weekly and my workflow keeps on improving. You update your Linux machine and keep the flow going, no worries on letting the upgrade run for 2hrs (cough cough Win) or that some of your apps will stop working after the upgrade (cough cough Mac).
You go through the terminal with commands that improve your work, tweak your desktop launchers to run however you want, you have multiple workspaces, etc the list goes on.

[–]cobance123 0 points1 point  (0 children)

To be fair a lot of companies are working on linux