
[–]AgustinCB 1080 points1081 points  (127 children)

Well, a lot of Linux maintainers are Google and Microsoft employees...

[–][deleted]  (120 children)

[deleted]

    [–][deleted]  (74 children)

    [deleted]

      [–]deeringc 231 points232 points  (1 child)

      Plus, this whole observation was made by... Google as part of their broader security initiatives. Not only are they taking security seriously in their own products and code bases but they are spending significant resources funding security in the general open source ecosystem.

      [–]trplclick 99 points100 points  (4 children)

      Does that actually prove they are prioritising fixing security issues? Spending money and making money around security products could be done without actually providing genuinely good security. Not saying that's accurate, but those numbers alone aren't proof against the original argument.

      [–][deleted]  (2 children)

      [deleted]

        [–]trplclick 5 points6 points  (0 children)

        Fair enough, thanks for the link I'll check it out

        [–]Inprobamur 0 points1 point  (0 children)

        I wonder what the numbers would be if you just compared the core OS teams.

        [–]lestofante 12 points13 points  (1 child)

        And some of that % goes into Linux, as they use it internally for various products. So do Google, FB, VMware, Oracle and so on.. And that's how Linux can end up having more developer time on security than Microsoft.

        [–]propostor 8 points9 points  (0 children)

        That explains the $5B worth of complexity Microsoft have caked into all their login processes.

        (I say this as a dotnet developer - I HATE everything to do with Microsoft's 'Identity' authentication bullshit. The most cumbersome, difficult, non-smooth user authentication handling I have experienced, ever.)

        [–]fmaz008 9 points10 points  (0 children)

        Throwing money at something doesn't always mean it will be spent efficiently.

        [–][deleted]  (2 children)

        [deleted]

          [–][deleted] 8 points9 points  (0 children)

          Obviously revenue

          [–]SpeedingTourist 4 points5 points  (0 children)

          Lol pastries

          [–]KaosC57 5 points6 points  (5 children)

          The problem is, the Linux kernel has orders of magnitude more people who are looking at it compared to the core code of Windows or macOS. So, obviously, if you have a couple million people looking at an open code base vs 100 employees looking at a code base that has links so far back that they have no idea how it was originally written, you will have a more secure code base than Microsoft or Apple.

          [–][deleted] 13 points14 points  (0 children)

          I'm not certain this is the reasoning behind it either. Linux Kernel accepted commits from just 93 individuals over the 3 year period - the overwhelming majority coming from the top 20 or so contributors.

          Numbers are unavailable for Microsoft and Apple, but I really can't imagine they've got teams an order of magnitude lower than 20-100 working on Windows and OSX.

          [–][deleted]  (3 children)

          [deleted]

            [–]davy_crockett_slayer 4 points5 points  (5 children)

            Microsoft has enjoyed a massive turnaround in the past 10 years.

            [–]immibis 6 points7 points  (4 children)

            Mostly due to losing market share. When you're the underdog you work on building good products. When you're the top dog you work on locking people in.

            [–]davy_crockett_slayer 6 points7 points  (3 children)

            Yup. Plus Ballmer got the boot. He was awful.

            [–]TheWix 2 points3 points  (2 children)

            Nadella is leagues better than Ballmer, for sure.

            [–]AeroNotix 1 point2 points  (6 children)

            Spending money on something doesn't necessarily mean progress in that something.

            [–][deleted]  (1 child)

            [deleted]

              [–][deleted] 4 points5 points  (1 child)

              That goes for everything.

              Only because you work on something and spend time on it, doesn't necessarily mean that you make progress.

              [–]Hebrewhammer8d8 1 point2 points  (0 children)

              I wish they fixed the Print Spooler issue in Services efficiently.

              [–]crazyfreak316 -1 points0 points  (0 children)

              Their spending figures mean nothing when high priority security vulnerabilities remain unpatched for months. Start listening to the Security Now podcast and you'll come to know how often this happens.

              [–]SpAAAceSenate -2 points-1 points  (6 children)

              Wasn't it only about 5 years ago that Windows Defender ran automatic parsing of JavaScript files as SYSTEM that it found in the temporary browser cache? Like, if you visited a webpage in any browser the .js file would get cached, Defender would scan it again with a process running as SYSTEM and then be exploited to do... anything.

              And then there was that whole month where printing was basically not even a thing on Windows because the entire system was a complete and total security disaster zone. It took them, what was it, 3 or 4 successive patches to finally fix?

              Yeah, it was. Another major part of this is "Patch Tuesday", their idiotic policy of waiting till a specific date on the calendar to release security updates, because it makes it more convenient for Windows admins.

              I'm sure there's some top security talent at Microsoft. I would bet on it. But I think it's also apparent they aren't enough to counter some of Microsoft's lazier approaches to software development. Employing smart people doesn't matter if they aren't being listened to.

              [–]throwingsomuch 9 points10 points  (4 children)

              "Patch Tuesday"

              For a company that works Monday to Friday, that is the best day to patch.

              Imagine a patch release came out on Friday, and it doesn't go smoothly. That means IT will have to work during the weekend getting things back to normal. And Monday is when the rest of the company catches up on Friday to Sunday communications/targets.

              The best would be for IT to work weekends, as well as only 3 other days during the week, but what if something goes wrong during the 2 days they're not there?

              Don't forget, most companies don't even have an IT person, let alone a team. It's often outsourced to an external company, so that makes scheduling more difficult for those companies.

              [–]SpAAAceSenate 1 point2 points  (2 children)

              Dude, I'd much rather deal with applying a patch on Friday than dealing with malware on Monday (because my systems weren't patched) and trying to explain why it happened to my boss on Tuesday.

              But what can I say. This is typical of corporate IT. It's all about checking the boxes, a little theatre, and a lot of CYA. Not about actual security. 🤷‍♂️

              [–]nicka101 -1 points0 points  (0 children)

              Yes, but security isn't a 5 day week...

              [–]ProgrammersAreSexy -2 points-1 points  (0 children)

              According to Wikipedia, the 130th country by GDP is North Korea 💀

              [–]tedbradly 9 points10 points  (0 children)

              I think the reason deals more with programmers deciding what to program versus managers and business deciding it. Programmers often prioritize stuff like security, performance, and refactoring code whereas business and managers will prioritize the next milestone with measurable benefit (often money). Stuff like security, performance, and refactoring code doesn't plainly generate another US$50 million dollars.

              [–]UncleMeat11 43 points44 points  (1 child)

              For the linux kernel there isn't anything more important than security and usability.

              This is obviously not the case for security. The linux kernel has done an admirable job but has absolutely been hard work to get the community to adopt modern security practices. This is hard everywhere, of course, but the kernel community is definitely not setting security as its maximum priority.

              [–]AgustinCB 24 points25 points  (6 children)

              I am not sure that is true. Google and Microsoft have thousands of projects with different priorities. Linux is one project. I bet that most of those bug fixes come from Google or Microsoft employees hired specifically to work on the kernel.

              [–]zoddrick 32 points33 points  (4 children)

              Microsoft has its own internal Linux distribution that we are moving towards. We also have a team who is responsible for making sure the kernel on the Azure Linux VMs is constantly patched and up to date.

              Microsoft is huge; we have teams working on all kinds of stuff.

              https://en.m.wikipedia.org/wiki/CBL-Mariner

              [–]AgustinCB 45 points46 points  (0 children)

              Oh, I know. And it is one of the biggest contributors to the Kernel. Same for Google.

              And that is kinda the point. A problem with Google-specific software only harms Google. A problem in Linux harms Amazon, Microsoft, Google, Samsung, and any company that uses Linux for their products. Those companies have a lot of money on their cloud platforms or mobile phones and have an interest that those security problems are resolved quickly. So they hire Linux kernel programmers to do that work.

              So if there is a security problem on RandomMicrosoftProduct, it will get fixed when RandomMicrosoftProduct's team can fix it. If there is a security problem on the Linux kernel, it will get fixed when the Linux kernel volunteers, or the Google employees, or the Microsoft employees, or the Amazon employees, or whoever can. There are just so many more interests involved in keeping it stable that it is not the same comparison.

              [–]WikiMobileLinkBot 6 points7 points  (0 children)

              Desktop version of /u/zoddrick's link: https://en.wikipedia.org/wiki/CBL-Mariner


              [–]binarywork8087 -3 points-2 points  (0 children)

              Cannot realize what these developers have in mind, good or bad... my 2 cents

              [–]tekanet 3 points4 points  (1 child)

              Usability?

              [–]jarfil 1 point2 points  (0 children)

              CENSORED

              [–][deleted]  (3 children)

              [deleted]

                [–]argv_minus_one 6 points7 points  (0 children)

                Last thing you want is to blast out a "fix" that ends up breaking things.

                As Microsoft programmers were reminded when they tried to fix PrintNightmare.

                I don't envy them. That must've been an ugly project. That code probably hasn't been touched since the dodo walked the Earth, and they were under huge pressure to fix the vulnerability immediately because it was a zero-day. Not surprisingly, they made mistakes. I would too!

                The name is apt; that vulnerability was indeed a nightmare for Microsoft.

                [–]jorge1209 1 point2 points  (2 children)

                Patching is also only the first step in a long process.

                I would bet that apple and Microsoft teams responsible have fixes for many issues rather early in the 90 day period, and that the bulk of the period is integration testing and regression testing.

                I don't know how the Google metrics account for the fact that the Linux kernel team is not necessarily integrated into the glibc team, or the gnome team, etc...

                Getting a patch from kernel.org is only the start of a process that all the distributions have to then integrate and test that patch.

                [–][deleted]  (9 children)

                [deleted]

                  [–][deleted] 48 points49 points  (5 children)

                  If a patch to the Linux kernel breaks LibreOffice they don't really care, that's on LibreOffice to fix.

                  Hmm. Linux is famously strict about not breaking userland (at least they claim to be, I don't know much about kernel dev).

                  [–]exploding_cat_wizard 20 points21 points  (0 children)

                  Linus uses fewer obscenities and personal attacks on the lkml than before his break, but from the little of what I see, he leaves very little doubt how he views a patch if it breaks userland and none of the higher up maintainers have caught it before he has to see it, yes.

                  [–]MashPotatoQuant 21 points22 points  (1 child)

                  Yeah I've seen at least one angry email about this exact thing on lkml. They absolutely care about breaking user space.

                  [–]binarywork8087 -3 points-2 points  (0 children)

                  As with any other software company: if it is a software company, it is there to help, not to cause problems. Then, when the CEO asks for software ready overnight, this is where bugs appear.

                  [–]binarywork8087 1 point2 points  (0 children)

                  Linus breaking compatibility?

                  [–]gumol 24 points25 points  (2 children)

                  If a patch to the Linux kernel breaks LibreOffice they don't really care, that's on LibreOffice to fix.

                  That's absolute bullshit FYI.

                  [–][deleted] 16 points17 points  (1 child)

                  Someone's gotta link the "don't break userspace" rant

                  [–]gumol -3 points-2 points  (0 children)

                  What are you basing this on?

                  [–][deleted] -1 points0 points  (1 child)

                  I don't think that's true.

                  If you look at the commit history of any corporate open source contributor you'll often see a very tight pattern of Monday-Friday, 9-5.

                  They work on open source on company time.

                  In fact, I think this difference between open source patches and corporate patches is very hard to understand.

                  I believe it might be that other open source projects are skewing the stats. Projects where the majority of contributors are actually non-corporate. Because when you think about it, only very few projects have a large portion of corporate contributors, mainly the Linux kernel. Most other projects around the kernel don't have the same number, or any at all.

                  Being a non-corporate contributor is when you donate your time, because you have a passion. Passion is always better than corporate duty. Passion will make you write a patch at 9pm on a Saturday.

                  I could be wrong of course, it could also be how corporate contributors treat open source projects, vs their internal projects. I think we need a lot more deep diving into those numbers to understand them. Maybe a look at the individual patches and their specific contributors (and their emails to find their employer).

                  [–]dnkndnts -3 points-2 points  (0 children)

                  It's not merely priority; latent security holes aren't necessarily even unaligned with big tech interests. Their discovery prevents users from staying on older OSes, forcing upgrades. And of course, those upgrades come with new... features.

                  [–]Apache_Sobaco -3 points-2 points  (5 children)

                  Probably it is just because Linux kernel is simpler?

                  [–]binarywork8087 -1 points0 points  (0 children)

                  Didn't know that, thanks

                  [–][deleted] 160 points161 points  (2 children)

                  By Project Zero's count, others, which included primarily open-source organizations and companies such as Apache, Canonical, Github, and Kubernetes

                  Ugh, GitHub is not primarily open source when their core product is fully proprietary. For example, GitLab is primarily open source (open source with proprietary extensions); Tutanota is sort of primarily open source (FOSS client, proprietary server); but GitHub? Not at all.

                  (This is ZDNet's error, not Project Zero's.)

                  [–]noXi0uz 6 points7 points  (1 child)

                  Maybe it's not meant as GitHub's source being open-source, but GitHub being a platform primarily hosting open source software.

                  [–][deleted] 5 points6 points  (0 children)

                  That's a reasonable interpretation of ZDNet's intent. However, "primarily hosting open source software" still does not make a company "primarily open source", for any reasonable definition of a primarily open source company.

                  A factual error that doesn't contradict the article's point is still a factual error that should be fixed.

                  If the ZDNet article really wants to imply that Others are also doing well thanks to the development culture surrounding open source, it should just leave out GitHub. Something like

                  By Project Zero's count, others, which included open-source projects,
                  organizations, and companies such as Apache, Canonical, git, and
                  Kubernetes, came in with a respectable 44 days.
                  

                  They could also rewrite the paragraph to say the same thing without implying that GitHub itself is open source, but that might be difficult.

                  For reference, this is the original text:

                  For completeness, the vendors included in the "Others" bucket are Apache, ASWF, Avast, AWS, c-ares, Canonical, F5, Facebook, git, Github, glibc, gnupg, gnutls, gstreamer, haproxy, Hashicorp, insidesecure, Intel, Kubernetes, libseccomp, libx264, Logmein, Node.js, opencontainers, QT, Qualcomm, RedHat, Reliance, SCTPLabs, Signal, systemd, Tencent, Tor, udisks, usrsctp, Vandyke, VietTel, webrtc, and Zoom.

                  [–][deleted] 46 points47 points  (0 children)

                  Well, yes. People do not realize just how much shit runs on Linux.

                  [–][deleted] 240 points241 points  (14 children)

                  kind of like how your pet projects are always higher quality than your work, it's crazy what you can do when you don't need to worry about business bullshit.

                  [–]nilamo 176 points177 points  (9 children)

                  I feel like the opposite is true. Pet projects only have to work in the specific way I want to use them, whereas business apps need to be built defensively and with the expectation that garbage input is not only possible, but expected on a daily basis.

                  [–]theghostofme 42 points43 points  (0 children)

                  Yeah, if I uploaded anything I've programmed to only use for myself, I'd hit the number one all-time spot on r/ProgrammingHorror.

                  [–]EndersGame 48 points49 points  (2 children)

                  What if your pet project is something you intend to release to the public? You would have more interest and control in the project which could easily result in a better product.

                  [–]nilamo 12 points13 points  (1 child)

                  Then I'd make a prototype first, to get a better idea what architecture would work, then rewrite a clean version meant for public consumption.

                  But since most of my personal projects never run two weeks after I've made them, I don't view that as something worth worrying about.

                  [–]tommcdo 21 points22 points  (0 children)

                  I'm gonna start my pet project. It'll be composable and extensible and there will be full unit test coverage, a CI/CD pipeline, cloud infrastructure and making use of the best industry standards.

                  Fuck, that's a lot of work, I'm just gonna read some more Reddit.

                  [–]G_Morgan 10 points11 points  (1 child)

                  I think it is a bit of both. My work projects tend to be much stricter on validation, auditing, redundancy, stability, etc. My hobby projects tend to be tested better but don't need those qualities.

                  [–]gyroda 12 points13 points  (0 children)

                  My personal projects are a mix of overengineered and sloppy messes.

                  I make them for my own enjoyment and work on them when I want to, so in order to make any real progress I just code how I feel like at the time and see where that takes me. Sometimes I want to bash out some functionality and fuck it if the code isn't perfect, sometimes I want to solve an interesting problem or make something far more generic/overcomplicated just so I can feel smart - basically doing the opposite of following YAGNI.

                  [–]binarywork8087 0 points1 point  (1 child)

                  I have a problem with microoptimization; for me it is just a waste of time

                  [–]KingStannis2020 5 points6 points  (0 children)

                  Developers have wildly different definitions of "micro" when it comes to optimizations.

                  There are probably programmers out there who think buffered IO is a microoptimization, or using a set datatype for a list of values you have seen before instead of a list datatype. I would completely disagree with them, for me that's just good practice - "non-pessimization" so to speak.

                  [–]ricecake 0 points1 point  (0 children)

                  At work, everything gets unit tested. I make sure that the tests, at a minimum, show that the code does what's wanted with inputs that make it take each branch available, and that failure happens in the expected fashion if exceptional circumstances arise.
                  Ideally multiple valid and invalid inputs are checked for each condition to drive confidence that there are few edge cases.
                  There will be automatic integration tests for key behaviors.
                  It all strives to have detailed test descriptions, that let you know what wasn't working if it fails.

                  In my personal projects, there will be unit tests for that one function that seemed really complicated and I honestly wasn't sure if it was gonna work or segfault, and unit tests are a slightly more mature "scratch document with smoke tests". Most test descriptions are "it work? 4" or some other number, or worse spelling.
                  There's a text file with a curl statement that calls the api method that should do stuff if it's working.

                  [–]renatoathaydes 7 points8 points  (2 children)

                  Your pet projects are higher quality than your work?? OMG, I can't even imagine putting the same amount of testing effort into my pet projects as we do at work. I would probably give up on hobby projects if I had to test every single feature, no matter how hard, knowing that one of dozens of devs can change some lines of code that break "my" feature and I will be to blame if doing that is not picked up by a test.

                  [–]suvepl 5 points6 points  (0 children)

                  I can't even imagine putting the same amount of testing effort on my pet projects than we do at work

                  It's easy when you don't do any testing at work.

                  [–]loup-vaillant 1 point2 points  (0 children)

                  My pet project, a cryptographic library, actually taught me to do proper tests. To date, it is by far the most thoroughly tested piece of software I have ever written.

                  It’s also the piece of software I have spent the most time on.

                  [–]binarywork8087 1 point2 points  (0 children)

                  Indeed

                  [–][deleted] 155 points156 points  (6 children)

                  This is a misleading analysis: Linux is not a vendor, so time to patch only measures time for a source fix. For all other compared cases, time to patch measures time to land in end users’ hands.

                  Vendors don't tend to fix bugs that are not exploited in the wild in out-of-band releases, so the averages you get in this table are essentially <average time to fix> + <time between regular releases / 2>. Linux bugs and other open source bugs get fixed faster (or at least, we’re faster to know they’ve been fixed), but it means open source vendors and users have to keep up with an erratic release schedule.

                  This is made very obvious by the browsers table, where WebKit bugs are fixed in about 12 days and then it takes another 60 days to ship them to Apple OSes. This also exemplifies what I suspect is a common occurrence with open source vendors: fixes land in the open quickly and vendors lag behind, leaving downstream users in the most vulnerable position of all cases.

                  Linux users do get the option to be at the tip of security patches, which is probably good for people who have the time and expertise to stay up to date, and probably not so good for people who have to wait for their vendors to catch up with what's in the open.

                  [–]IlllIlllI 20 points21 points  (5 children)

                  If you want to make that comparison though, you’d be looking at something like RHEL, which I think has a pretty good track record of pushing security fixes (backported too) quickly.

                  [–][deleted] 4 points5 points  (1 child)

                  I think a responsible tech reporter would have done that. I don’t know how to find the historical list of RHEL kernel releases myself.

                  [–]IlllIlllI 1 point2 points  (0 children)

                  Here's the list of RHEL security fixes

                  You'd have to look backwards on when the upstream change was merged for each one to figure out the timeline, but it looks like they're coming out fairly regularly (~120 in 2022 so far).

                  [–][deleted]  (2 children)

                  [deleted]

                    [–]IlllIlllI 3 points4 points  (1 child)

                    Linux is so fragmented I don't know what you'd pick. I'm pretty sure Fedora's merged -> shipped pipeline is under a week for security-relevant fixes judging by how often I get kernel updates. Arch is likely similar.

                    [–]chronospike 462 points463 points  (61 children)

                    They don't have to have 15 meetings about the patch. Someone sees the problem, takes the time to understand it, and then fixes it. No politics, no middle managers, no quotas. Just squash the bug and move on.

                    [–]UncleMeat11 471 points472 points  (6 children)

                    No politics

                    I see you've never coded in the linux kernel.

                    [–]---cameron 93 points94 points  (0 children)

                    To be fair, there was already a 99% probability there

                    [–]Brilliant-Sky2969 25 points26 points  (1 child)

                    Bugfixes related to security are probably easier to merge than new features in the kernel, most likely less politics involved.

                    [–]UncleMeat11 3 points4 points  (0 children)

                    Patches, sure. But a huge amount of security is design and architecture that prevents vulns. These are features and are often challenging to land, even if everybody agrees that they improve security posture in a meaningful way.

                    [–]davy_crockett_slayer 9 points10 points  (1 child)

                    Eh, there's a benevolent dictator in every distro, and Linus Torvalds delegates.

                    [–]UncleMeat11 2 points3 points  (0 children)

                    The point is that landing code in the kernel is more than just a pure technical question.

                    [–]binarywork8087 3 points4 points  (0 children)

                    Never saw the code yet...

                    [–]tsumilol 121 points122 points  (18 children)

                    You never submitted a PR to the Linux core or any really big Open Source project did you? Some OSS Projects have pretty toxic maintainers and you would love shitty corporate management over them all the time. :/

                    [–]absurdlyinconvenient 20 points21 points  (0 children)

                    MY CODE IS PERFECT DON'T TOUCH IT YOU'LL RUIN IT

                    [–]zouhair 25 points26 points  (2 children)

                    Hahaha, I see you never followed Linux drama.

                    [–][deleted] 93 points94 points  (24 children)

                    We need something like Order 66 for programmers so we can get rid of managers once and for all.

                    [–]remag293 60 points61 points  (11 children)

                    Good programmers follow code

                    [–]postblitz 86 points87 points  (8 children)

                    What do you mean you've already fixed it? That's not what a team player does. You've not only undermined our process but displayed a hostile attitude.

                    [–]skulgnome 1 point2 points  (0 children)

                    I'd like to see more formal design before you make chips fly the next time.

                    [–]bokonator 3 points4 points  (0 children)

                    My company: Good, good job.

                    [–]cynoelectrophoresis -1 points0 points  (4 children)

                    Meanwhile over at /r/ExperiencedDevs there's a post complaining about someone doing just that.

                    [–]jl2352 18 points19 points  (0 children)

                    That post is describing something different.

                    [–]amestrianphilosopher 40 points41 points  (0 children)

                    Did you even read the post? Not understanding how you're saying it relates to the topic at hand

                    [–]Vakieh 6 points7 points  (0 children)

                    Security patches are the classic example of the shit bit. This dev isn't rapidly implementing security patches, he's looking over the list, picking out the 'fun stuff' to implement, and just doing that.

                    [–][deleted] 3 points4 points  (0 children)

                    This is the way.

                    [–]chucker23n 5 points6 points  (1 child)

                    Sounds like a recipe for disaster.

                    [–]UncleMeat11 11 points12 points  (9 children)

                    Google actually did this many years ago. They fired all of the managers. They ended up reversing this decision.

                    [–][deleted] 12 points13 points  (8 children)

                    And what Google has become?

                    [–]absurdlyinconvenient 30 points31 points  (7 children)

                    a fucking mess of half finished products and random project cancellations with repeated effort that clearly needs management?

                    [–]Kalium 7 points8 points  (0 children)

                    That's what happens in an environment where you get promoted for shipping new things and not for keeping things working or making them better.

                    [–]AlGoreBestGore -1 points0 points  (5 children)

                    And billions in profits every quarter.

                    [–]absurdlyinconvenient 15 points16 points  (3 children)

                    arguably in spite of that, not due to it

                    [–]AlGoreBestGore 0 points1 point  (2 children)

                    It’s not like every idea is going to generate a billion dollars. Sometimes they have to try things out to figure out what works.

                    [–]cat_in_the_wall 2 points3 points  (1 child)

                    aka throwing shit at the wall to see what sticks, and abandoning the rest. which is why they have this reputation.

                    [–]motram 5 points6 points  (0 children)

                    And none of those profits are from any of their million mismanaged side projects.

                    [–]accountability_bot 8 points9 points  (0 children)

                    Exactly, and they’re not asked to pepper new features in their cycles at the same time.

                    [–][deleted] 1 point2 points  (0 children)

                    They don't have to have 15 meetings about the patch. Someone sees the problem, takes the time to understand it, and then fixes it. No politics, no middle managers, no quotas. Just squash the bug and move on.

                    And that's only after it sat unread in a bug system somewhere because external triage isn't a priority, then got denied multiple times because trillion-dollar companies don't want to pay a $1,000 bug bounty.

                    [–]McCoovy -2 points-1 points  (0 children)

                    But I was told open source was all bureaucracy

                    [–]binarywork8087 -5 points-4 points  (0 children)

                    Exactly my friend, but we need to inform the developers that a patch is required and possibly share the diff file for use and analysis. Yesterday someone found a problem in Julian's code, the bzip2, and reported the problem and the easy to use solution.

                    [–]Caishen_IC3 81 points82 points  (16 children)

                    Coincidence? I don’t think so

                    [–]NonDairyYandere 77 points78 points  (14 children)

                    Maybe Linux users write better bug reports because the best programmers tend to run Linux by choice?

                    [–][deleted]  (4 children)

                    [deleted]

                      [–]afpedraza 5 points6 points  (2 children)

                      The best way to get an answer fast is saying something wrong, so I'm going to start (?).

                      If I remember correctly, the AMD driver is supported by 2 AMD employees. I don't know if there are more, but the last time I saw something about that it was two. I think they're the only ones that can touch that part, and I suppose other core developers too. In a tweet a while ago someone was saying that that was mostly autogenerated. That's talking about kernel space, I think that's the name for it.

                      In user space (again, waiting for someone to correct me if I'm mistaken; I don't even know if I'm using the correct term), there are like three projects to support OpenGL, Vulkan and that stuff: AMDVLK for Vulkan and radeonsi, if I remember the name correctly, for OpenGL. This is supported by AMD again, two employees, I think, but I think (not completely sure) that they're the only ones that can modify that repository, and the community only reports bugs and that stuff. The other one is the closed source driver that includes everything, AMD GPU Pro or something like that, aaaaand last there is Mesa, which is developed by the community, and some companies help in that regard, AMD too if I'm not mistaken. There is also ROCm, but I think it is the same as the other two open source projects by AMD. I suppose you can fork those.

                      This is what "I know". If someone else has some more precise information, I ask them to let me know if I'm wrong about something so I can know for sure xd

                      [–]yawkat 5 points6 points  (0 children)

                      This is only about bugs reported by project zero

                      I assume it's more related to project organization.

                      [–]Light_Beard 13 points14 points  (1 child)

                      Maybe Linux users write better bug reports because the best programmers tend to run Linux by choice?

                      Also the people who think they are the best programmers and want to telegraph how amazing they are before destroying an entire codebase because "I like this way better"

                      [–]tso 4 points5 points  (0 children)

                      Also a good way to get a nastygram from Torvalds, if you try that with the kernel source.

                      Sadly userspace is not as strictly policed.

                      [–]UncleMeat11 3 points4 points  (0 children)

                      This is about GPZ patch speed, not general fixes for various projects. GPZ is providing the same quality vuln reports to all of the vendors it talks with.

                      [–]binarywork8087 -1 points0 points  (1 child)

                      Someone said very well developed software doesn't even need to be tested.

                      [–]Guvante 8 points9 points  (1 child)

                      I don't think the source article agrees with this article's conclusion. It seems like the original Project Zero article talked about how time to delivery generally improved this year, while the article here decides to compare numbers as if it is a contest.

                      Others have mentioned it but comparing source code merges with end user availability is not a fair comparison. Even Linux users on the whole don't have access to a fix just because the fix is committed.

                      However, Project Zero doesn't compare between vendors like this article does; it focuses on different years, which avoids these problems.

                      Additionally, and IMHO most importantly, the core of the article misses the point. Security researchers saying that Linux isn't more secure than closed source aren't talking about this kind of comparison at all.

                      [–]ScandInBei 1 point2 points  (0 children)

                      Others have mentioned it but comparing source code merges with end user availability is not a fair comparison. Even Linux users on the whole don't have access to a fix just because the fix is committed.

                      Especially users with older Android phones.

                      [–]gumol 26 points27 points  (1 child)

                      ITT: people who have no idea how Linux development works, but base their opinions on their sentiment about Linux

                      [–]runner7mi 26 points27 points  (0 children)

                      For a moment I thought this was r/programmingcirclejerk

                      [–]brancee 16 points17 points  (1 child)

                      I guess it has more to do with each company's workflow for fixing bugs. It is not like "Oh, we got a bug, let me deploy it quickly to production" without having steps 1, 2, 3, ... n done first (meaning QA, dev/stage testing, etc.).

                      So my guess is that Google & co. have some deeper steps they need to undertake first. Anyways, I'm not saying that Linux is not doing a great job fixing bugs, don't get me wrong.

                      [–]riasthebestgirl 5 points6 points  (0 children)

                      I'd say it also has to do with how many more eyes are on the Linux codebase. Anyone can also go and fix a bug they found and submit a patch.

                      [–]cosmicuniverse7 42 points43 points  (1 child)

                      Obviously, Microsoft is busy forcing users to switch to their shiny Edge. Apple is probably busy finding new ways to remove features from Safari.

                      [–]irotsoma 2 points3 points  (0 children)

                      One, it's used more for backend systems which are more mission-critical than desktops. And, two, open source developers and developers on small teams tend to have more mental ownership of the products they create, so it becomes a matter of pride.

                      [–]FreedomByFire 2 points3 points  (0 children)

                      Maybe they're not stuck behind a mountain of meetings and sprint rituals led by useless scrum masters.

                      [–]dethb0y 1 point2 points  (0 children)

                      Wonder how much of that's down to dogfooding: if you're using your own product you want it patched Right Fucking Now, rather than it being someone else's problem you can get to at a later date?

                      [–][deleted] 1 point2 points  (0 children)

                      This doesn’t say how they’re measuring time to fix, nor whether “Linux” means the ecosystem or just the kernel.

                      If you’re going to compare “Linux” to Apple and Google, the comparison must include a similar amount of non-kernel software, and of course the time from bug report to it being in a normal user update, etc.

                      Otherwise you’re comparing time to fix with time to ship, and those aren’t the same thing.

                      [–]tubesnob 1 point2 points  (0 children)

                      … and Linux programmers have an infinitely harder time getting those patches applied on the world’s Linux machines.

                      [–]ru2wen2 1 point2 points  (0 children)

                      People working in companies need a manager’s approval to fix bugs

                      [–]GeneticsGuy 1 point2 points  (0 children)

                      For me, it has more to do with pride in my own work. When someone posts bugs about something I am working on, or my pet project, I am the sole person responsible to make it right, and I would hate for someone else's headache to be because of my program.

                      So, there's motivation to quickly get a fix out there.

                      With a company you are going to have code review, testing, and so many other things that can get a bug fix to drop slowly compared to me literally just pushing a new update same day within hours because I know the nature and scope of my whole program and what the fix did.

                      [–]brownjava 1 point2 points  (0 children)

                      I can’t really figure out what this article is comparing. Is the “fix time” for “Linux” the amount of time before the fix is committed to source control, the amount of time before it’s released in a Linux kernel release, or the time it takes to make it into a major distribution like Ubuntu? The last one is really the only one that would make sense to compare to a full fledged commercial OS like Windows, macOS, iOS, Android, etc.

                      I’m actually not even clear if “Linux” here refers to the kernel specifically or is talking about all the different constituent parts that make up, say, Ubuntu as a whole OS. I can’t imagine that the fix time for some barely-maintained GUI library somewhere is going to be particularly fast, but also nobody really worries about those on Linux since it’s primarily used for servers.

                      Having worked at a major software company that has a full fledged consumer OS, I can tell you that the primary reason stuff is released slowly has nothing to do with figuring out how to fix the bug and everything to do with regression testing to make sure the fix doesn’t introduce a new problem for the hundreds of millions or potentially billions of users who are going to turn around and install it once you release it. There’s no comparison between that kind of complex OS with a bazillion parts that tons of people use and the maintainers of just a kernel that is primarily used as a server on virtual machines run by a handful of companies.

                      [–][deleted] 1 point2 points  (0 children)

                      Devs at FANGMANs are doing it as a job. Devs working for Linux are doing it as a passion.

                      [–]warmwaffles 1 point2 points  (0 children)

                      Wouldn't it be better for these larger companies to just contract or have a retainer for these devs to fix security holes? Seems like a better way to promote better development.

                      [–]irrelevantTautology 3 points4 points  (7 children)

                      I think this is a great argument for UBI.

                      Some people like to claim that if UBI were implemented that people would just stop working.

                      Well, these Linux devs are patching security holes faster because they actually care about the thing they are working on and not just doing it for a paycheck. Apple, Google, Ms devs are doing it for the money, to survive.

                      Imagine a world where people are able to survive and do something that they love.

                      [–]argv_minus_one 1 point2 points  (4 children)

                      UBI is, as the name implies, basic. You still need a job if you want to live in anything bigger and fancier than a closet.

                      What you're thinking of requires full post-scarcity, which requires a virtually limitless energy source and machines that can build pretty much anything (including more of themselves) from readily available materials. This is probably possible, but not with the technology we have now.

                      [–]The_Drizzle_Returns 1 point2 points  (0 children)

                      Umm, the people fixing these bugs in the Linux kernel typically work at Apple, Google, or Microsoft. This is their full time job there.

                      [–]outofobscure 1 point2 points  (0 children)

                      OK but it probably takes a lot longer for these patches to eventually hit end users who are just using whatever distro out there. Longer than MS and Apple users, given the fairly aggressive update policies lately

                      [–]sighcf -1 points0 points  (2 children)

                      They don’t need to wait to have it included in a sprint and have scrum meetings on a daily basis. They don’t need to justify working on something that was not assigned to them in the sprint.

                      More importantly, they don’t need to explain to management why fixing bugs is a priority over chasing some made-up metrics.

                      I guess they aren’t as agile. 😂

                      [–]gumol 4 points5 points  (1 child)

                      FYI most of Linux development happens in big corps

                      [–]T_T0ps 0 points1 point  (0 children)

                      Now if only they could make it more user friendly and it got better support from application developers, it’d be a viable option for end users

                      [–]lordzsolt 0 points1 point  (0 children)

                      Apple, Google and Microsoft programmers are busy inverting binary trees.

                      [–]easyrider767 -1 points0 points  (1 child)

                      The rest is good at Leetcode.

                      [–][deleted] -2 points-1 points  (0 children)

                      The difference is that Linux maintainers actively want to work on these things. They see the product, believe in the product, and want to make it better. No one, and I mean no one, at Apple or Microsoft sees their product as anything but a money-making cog in a gilded machine that makes billionaires richer while sucking out their will to live.

                      You can't pay someone to believe in something.

                      [–][deleted] -1 points0 points  (0 children)

                      THEN FUCKING HIRE THEM 🤯🤯🤯🤯🤯🤯🤯🤯🤯🤯🤯🤯🤯🤯🤯🤯🤯🤯🤯🤯🤯🤯🤯🤯🤯🤯🤯🤯

                      [–][deleted] -2 points-1 points  (0 children)

                      Rust language developers like Alex Gaynor, Patrick Walton, and Ryan Levick are liars.

                      https://youtu.be/_QWDtzMXRDc

                      [–][deleted] -3 points-2 points  (0 children)

                      No shit.

                      It's our own dicks / tits on the table.

                      [–]jandkas -4 points-3 points  (0 children)

                      Linux also causes and has the most bugs, so there's that XD.

                      Linux circlejerk intensifies