LWN.net

Bringing you the latest news from the Linux World.
Dedicated to keeping Linux users up-to-date, with concise news for all interests
Leading items and editorials


GNOME and .NET. It seems to have started with this article in The Register, which quotes Miguel de Icaza as saying that GNOME 4.0 should be based on Mono. It is not surprising that this statement has upset some people. A calmer look at the situation suggests that some of the fears are overblown.

Mono, of course, is a free implementation of parts of the .NET framework. In particular, Mono aims to provide a compiler for the C# language, an implementation of the "Common Language Infrastructure" (the virtual machine, type system and intermediate language that .NET code is compiled to and runs on), and an extensive class library. In theory, Mono will help with the development of secure, highly interoperable applications.

Then again, there's Don Marti's inimitable characterization of the whole .NET framework:

If you break the whole mess down, as far as I can tell you get a rounded-scissors version of C++, a standard library for same, a virtual machine, and a Big Brother bank/authentication/anal probe system.

All of this stuff, of course, has been designed by Microsoft. The C# language and the CLI have been put through the ECMA standardization process (as ECMA-334 and ECMA-335), but the rest of the framework, including most of the class library, the Windows-specific pieces and the HailStorm services, has not. The Mono implementation is progressing, but it remains far from a stable, complete state.

One thing that people should keep in mind before getting too upset over Miguel's statements is that he is talking about GNOME 3 or 4. The GNOME project has not yet released version 2.0, and Mono 1.0 is still a distant prospect. So any integration of GNOME and Mono will not happen for years. There will be plenty of time to see how Mono works out, how Microsoft manages its .NET standards, and whether the .NET framework truly helps the application development process.

Even then, Miguel is not pushing for a major rewrite of GNOME. Instead, he sees Mono as a way of making GNOME development go better in the future:

I am not asking anyone to rewrite any code. Indeed, I encourage people not to do so. But when it comes to extending a product, Mono might be a valuable tool. Valuable, because I believe that the major feature of .NET is reduction of development time and the reduction of the money we spend on developing those products.

Indeed, development time is one of the key factors behind this push:

Evolution: roughly 2 years of development, and at its peak had 17 developers working on it. [...]

The bottom line is that developing these applications is costing a lot of time, and a lot of money. I want to see Linux succeed on the desktop, and for this to happen, many more apps will need to exist. I want to go from having 17 people working for two years on a product to having those same 17 people work on four products in the same time.

.NET supporters cite a number of features which can help achieve this increase in development productivity: a comprehensive class library, the ability to easily mix code written in multiple languages, a garbage collector that removes a whole class of memory management bugs, and more. It is also claimed that using the .NET framework will greatly increase the number of developers who can write for the Linux platform.

These claims, certainly, are worth the time to evaluate. Linux has far more applications than it did even a few years ago, but very few people would say that it does not need any more. If Mono can help bring about more free applications sooner, then it is worth a look.

The fact remains, however, that .NET is a standard created by Microsoft for its own ends. Adopting Mono could serve mainly to bring Linux systems into the whole HailStorm framework - an idea which lacks appeal. In the rush to develop more applications for Linux, it is worth taking some time to consider exactly what kind of applications we want.

Then, consider that there is nothing to keep Microsoft from "embracing and extending" its own standards. Some years from now, Mono could look much like the Wine project does now: forever chasing a set of shifting standards, and never being quite solid enough to completely serve its intended purpose. There also remains the issue of possible royalty claims or patent issues with .NET. Microsoft has not been entirely clear on the status of much of .NET, and unpleasant surprises are a real possibility. It is dangerous to base your applications on a standard controlled by a competing company.

Those worries are all speculation at this time, however. Given the amount of time that will pass before GNOME could even conceivably adopt Mono in any serious way, there will be ample opportunity to see how things play out. And, in the end, Miguel, while highly influential, lacks the ability to commit GNOME to any such course. The GNOME Foundation exists for a reason, and it's likely that its members will look hard before leaping onto the .NET bandwagon.

(See also: Miguel's "long reply" on this issue).

Who has more security problems? The folks at vnunet started some fun with this article claiming that Linux had more security problems than Windows in 2001. Here's their reasoning:

Although the statistics so far only go up to August 2001, aggregated distributions of the Linux operating system suffered 96 vulnerabilities while Windows NT/2000 suffered only 42. Breaking the figures down by distribution, Mandrake Linux 7.2 notched up 33 vulnerabilities, Red Hat 7.0 suffered 28, Mandrake 7.1 had 27 and Debian 2.2 had 26.

Any Linux user will immediately see the flaw in this reasoning: the same vulnerability is being counted once for every distribution that shipped a fix for it, up to four times in this case. The real number of distinct Linux vulnerabilities is certainly a good deal lower. vnunet quickly backpedaled, noting that "all Linux distributions essentially use the same kernel, certain bugs are being counted more than once." Which still somewhat misses the point, since Linux distributions share far more than just the kernel: nearly every package in the table below is shipped by several of them.

We decided that it was time to try to get a handle on how many vulnerabilities were really suffered by Linux systems in 2001. To that end, we plowed through more security updates than any sane person would want to see in one day, and compiled the following table. Anybody who is proud of Linux's security should have a good look and weep - it is a very long list.

There is no end of caveats that apply to this table: it is hard to make a one-for-one comparison of security updates across distributions. Undoubtedly some updates have been joined that should not be, and others have been kept separate when they should be together. The table also does not distinguish between versions; an update for Red Hat Linux 6.2 makes the list, even if 7.x was available and not vulnerable. The picture is rough, but, we think, still interesting. Without further ado:

Linux security updates in 2001
(Deb = Debian, Mdk = Mandrake, RH = Red Hat, TL = Turbolinux; an X means the distributor issued an update for that issue during 2001)

Vulnerable package  Deb  Mdk  RH   SuSE TL
analog              X    -    -    -    X
apache (Jan)        X    X    -    -    -
apache (Jul)        X    X    X    -    -
arpwatch            -    X    -    -    -
bind                X    X    X    X    X
cfingerd (Apr)      X    -    -    -    -
cfingerd (Jul)      X    -    -    -    -
cron                X    X    X    X    X
ctags               X    -    -    -    -
cups                -    X    -    X    -
cvsweb              -    -    -    -    X
cyrus-sasl          -    -    X    X    -
dhcp                -    -    -    -    X
dialog              -    -    -    -    X
diffutils           -    X    X    -    -
ed                  -    -    -    -    X
ePerl               X    X    -    X    -
elm                 -    X    -    -    -
esound              -    -    -    -    X
exim                X    -    X    -    -
exmh                X    X    -    -    -
expect              -    X    -    -    -
fetchmail (Jun)     X    X    -    -    -
fetchmail (Aug)     X    X    X    X    -
fml                 X    -    -    -    -
gdm                 -    X    -    -    -
getty_ps            -    X    -    -    -
gftp (May)          X    X    X    -    -
gftp (Oct)          X    -    -    -    -
glibc (Mar)         X    X    X    -    X
glibc (Dec)         -    X    X    X    -
gnupg               X    X    X    X    X
gnuserv             X    -    -    -    -
gpm                 X    X    -    -    -
groff               X    -    -    -    -
gtk+                -    X    -    -    X
htdig               X    X    X    X    -
hylafax             -    X    -    X    -
icecast             X    -    X    -    -
imap                -    X    -    X    -
imp                 X    -    -    -    -
inetd               -    -    X    -    -
inn                 X    X    -    -    -
iptables            -    -    X    -    -
ispell              -    X    X    -    -
jazip               X    -    -    -    -
joe                 X    X    X    X    -
kdelibs             -    X    X    -    -
kdesu               -    X    -    X    -
kernel (May)        -    -    -    X    -
kernel (Oct)        X    X    X    -    X
kernel (Nov)        -    X    X    X    -
ld-linux            -    -    -    X    -
libgtop             -    X    -    -    -
licq                -    X    -    -    -
linuxconf           -    X    -    -    -
losetup             -    -    X    -    -
lpr                 -    -    X    X    -
lprng               -    -    X    -    X
mailman             X    -    X    -    -
mailx               X    -    -    -    -
man (May)           X    -    X    X    -
man (Feb)           X    -    -    -    -
man2html            X    -    -    -    -
mc                  X    -    -    X    -
mesa                -    X    -    -    -
mgetty              X    X    X    -    X
micq                X    -    X    -    -
minicom             -    X    X    -    -
mktemp              -    -    X    -    -
mod_auth_pgsql      -    -    X    -    -
mod_auth_mysql      -    -    -    X    -
most                X    -    -    -    -
mutt                -    X    X    -    -
mysql               X    X    -    -    -
ncurses             -    X    -    -    X
nedit               X    X    X    X    -
netscape            X    X    X    -    X
nfs-utils           -    -    -    -    X
ntpd                X    X    X    X    X
ntping              -    -    -    X    -
nvi                 X    -    -    -    -
omni print          -    -    X    -    -
openldap            X    X    -    -    -
openssh (Jan)       X    -    -    -    -
openssh (Feb)       X    X    -    X    X
openssh (Oct)       -    X    -    -    -
openssh (Dec)       X    X    X    X    -
openssl             -    X    X    -    X
php4                X    X    -    -    -
pine                -    X    -    -    -
pmake               -    -    -    -    X
postfix             X    X    -    -    -
printtool           -    -    X    -    -
procmail            X    X    X    -    -
proftpd (Feb)       X    X    -    -    -
proftpd (Mar)       X    -    -    -    -
rdist               -    X    -    -    -
rpmdrake            -    X    -    -    -
rxvt                X    -    -    -    -
samba (May)         X    X    -    -    -
samba (Jun)         X    X    X    X    -
sash                X    -    -    -    -
screen              -    -    -    X    -
sdbsearch           -    -    -    X    -
sendfile            X    -    -    -    -
sendmail            X    X    X    X    X
sgml-tools          X    X    X    X    -
shadow-utils        -    X    -    -    -
slocate             -    -    -    -    X
slrn (Sep)          X    -    -    -    -
slrn (Mar)          X    X    X    -    -
snmp                -    -    X    -    -
splitvt             X    -    -    -    -
squid (Jan)         X    X    -    -    X
squid (Jul)         X    X    X    X    -
sudo                X    X    X    X    -
susehelp            -    -    -    X    -
tcpdump             -    X    -    -    X
telnet              X    X    X    X    -
tetex               -    X    X    -    -
timed               -    X    -    X    -
tinyproxy           X    -    -    -    -
tripwire            -    X    -    -    -
util-linux          -    X    -    X    -
uucp                X    X    -    X    -
vim                 -    X    X    X    X
w3m (Jun)           X    -    -    -    -
w3m (Oct)           X    -    -    -    -
webalizer           -    -    X    X    -
webmin              -    X    -    -    -
wmaker              X    X    -    X    -
wmtv                X    -    -    -    -
wu-ftpd (Nov)       X    X    X    X    -
wu-ftpd (Jan)       X    X    -    -    X
Xaw                 X    -    -    -    -
xemacs              -    X    X    -    X
xfree86             X    -    X    -    -
xinetd              X    X    X    X    -
xloadimage          X    X    X    X    -
xmcd                -    -    -    X    -
xtel                X    -    -    -    -
xvt                 X    -    -    -    -
zope (May)          X    X    X    -    -
zope (Mar)          X    X    -    -    -
Totals:             81   81   56   44   28

Whew. That is a total of 290 updates covering 145 distinct issues (one per row of the table). It would seem that the vnunet article actually underestimated the problem. A quick look at the totals suggests that Turbolinux is the most secure distribution with only 28 updates, while Debian and Mandrake top the list at 81. It must be time to put out a press release.

That is, of course, complete nonsense. Why do the different distributors have different numbers of updates? Here's a few reasons:

  • Not all distributors ship the same packages. Debian, due to its size, is almost guaranteed to have more issues than any other distribution. Very few others ship packages like cfingerd or xtel.

  • Distributors sometimes combine multiple fixes into a single update - especially if they are running behind. The number of updates puts a lower bound on the number of security problems fixed, but doesn't tell much more than that.

  • Some distributors are rather better at getting updates out than others. All distributions, for example, were vulnerable to the latest glibc buffer overflow problem. Debian's update came out in January, and thus didn't quite make the 2001 table. Turbolinux has yet to issue an update for that problem, and for many others. If you simply count and compare updates, you will penalize the distributions that are quickest to ship fixes and reward those that have not shipped them at all.

In other words, we are not yet at a point where we can make meaningful comparisons even between Linux distributions. Trying to compare Linux with Windows seems like a waste of time. In the end, there is only so much to be learned about the security of an operating system by counting its published vulnerabilities. One has to look at the seriousness of each, how it was discovered (internal audit or external exploit), how long users had to wait for a fix, and how many users were actually compromised as a result of the problem. We need better ways of understanding and comparing security response; simply counting vulnerabilities is not sufficient.
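The deduplication the table above performs, and the contrast with vnunet's per-distribution count, as an added example (this is not code from the LWN article): a short Python script that parses a constructed subset of the table's rows, computes the per-distribution totals, the naive sum that counts a shared bug once per distribution, the number of distinct issues, the number of issues per package, and, for each distribution, the issues that several others fixed but it did not. The package names and marks in the sample are copied from the table; the "-" notation for blank cells, the three-of-five threshold and the function names are assumptions of this example.

```python
"""Count security updates across distributions without double counting.

Added example for the LWN table above; not part of the article.
"""
from collections import Counter

# Column order of the table.
DISTROS = ("Debian", "Mandrake", "Red Hat", "SuSE", "Turbolinux")

# Constructed subset of the article's table, columns in DISTROS order.
# "X" means the distributor shipped an update for that issue in 2001,
# "-" is a blank cell in the original.
SAMPLE_TABLE = """\
bind            X X X X X
cfingerd (Apr)  X - - - -
glibc (Mar)     X X X - X
glibc (Dec)     - X X X -
kernel (Oct)    X X X - X
openssh (Feb)   X X - X X
openssh (Dec)   X X X X -
xtel            X - - - -
"""


def parse_table(text):
    """Map each issue (one table row) to the set of distributions that fixed it.

    Issue names may contain spaces ("glibc (Mar)"), so the five mark columns
    are taken from the right-hand end of each line.
    """
    table = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        tokens = line.split()
        marks = tokens[-len(DISTROS):]
        name = " ".join(tokens[:-len(DISTROS)])
        table[name] = {d for d, m in zip(DISTROS, marks) if m == "X"}
    return table


def per_distro_updates(table):
    """Updates issued by each distributor: the table's "Totals" row."""
    return Counter(d for fixed in table.values() for d in fixed)


def naive_count(table):
    """The vnunet-style number: each issue counted once per distribution
    that shipped a fix, so a bug shared by all five counts five times."""
    return sum(per_distro_updates(table).values())


def unique_issues(table):
    """What the article wants instead: distinct issues, each counted once."""
    return len(table)


def issues_per_package(table):
    """Collapse "(Mar)"/"(Dec)" style rows onto the package name so that
    repeat offenders (two glibc issues, two openssh issues) stand out."""
    return Counter(name.split(" (")[0] for name in table)


def missing_updates(table, distro, min_others=3):
    """Issues fixed by at least `min_others` other distributors but not by
    `distro`.  A list of things to check, not a verdict: the article notes
    that a blank cell can mean the package is not shipped, the fix was
    folded into another update, or the update is simply late."""
    return sorted(name for name, fixed in table.items()
                  if distro not in fixed and len(fixed) >= min_others)


if __name__ == "__main__":
    table = parse_table(SAMPLE_TABLE)
    print("updates per distribution:", dict(per_distro_updates(table)))
    print("counted once per distribution (vnunet method):", naive_count(table))
    print("distinct issues:", unique_issues(table))
    print("issues per package:", dict(issues_per_package(table)))
    for d in DISTROS:
        print(f"{d}: no 2001 update seen for {missing_updates(table, d)}")
```

On the sample rows the naive count is 26 against 8 distinct issues, which is the same inflation the article describes in vnunet's figures. The `missing_updates` list for Debian contains only "glibc (Dec)", matching the article's remark that Debian's glibc fix slipped into January; for Turbolinux it contains both "glibc (Dec)" and "openssh (Dec)", which is the kind of lateness a plain update count rewards rather than penalizes.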

Inside this LWN.net weekly edition:

  • Security: Checking for root kits; Sardonix security auditing portal
  • Kernel: Linus tries BitKeeper; the radix tree page cache.
  • Distributions: Lists Again; Three not-so-new Japanese distributions.
  • Development: PostgreSQL 7.2, Ogg Vorbis RC3, AFPL Ghostscript 7.04, ht://Dig 3.1.6, Galeon 1.0.3 and 1.1.3, GNOME 2.0 Desktop Alpha 2, GARNOME Preview 1, Samba 2.2.3, Gnumeric 1.0.4.
  • Commerce: Edward Felten drops DMCA case; LinuxWorld awards.
  • Letters: Lindows coverage; Linux Standard Base
...plus the usual array of reports, updates, and announcements.

February 7, 2002

Eklektix, Inc. Linux powered! Copyright © 2002 Eklektix, Inc., all rights reserved
Linux ® is a registered trademark of Linus Torvalds