
Bringing you the latest news from the Linux World.
Dedicated to keeping Linux users up-to-date, with concise news for all interests


Leading items and editorials


Linux costs less to insure. In the U.S., at least, a number of important changes happen not as a result of government regulation, but as a result of insurance company requirements. Insurance companies, of course, have a strong motivation to stay on top of certain types of problems - they end up paying for them, in the end. So they attempt to encourage safer behavior through their premiums.

So it is interesting to see the insurance industry begin to flex its muscles in the operating systems arena. Consider this News.com article on the business of "hacker insurance":

Okemos, Mich.-based J.S. Wurzler Underwriting Managers, one of the earliest agencies to offer hacker insurance, has begun charging its clients anywhere from 5 to 15 percent more if they use Microsoft's Windows NT software instead of Unix or Linux for their Internet operations.

This policy is the result of "hundreds of security assessments" done by the company.

In this policy change, we have (perhaps) the first quantitative assessment of the relative costs of Windows and Linux security problems. While it is nice to see a (hopefully) objective result that favors Linux, it is also a little disappointing. 5-15% is a fairly small margin; we should really be able to do better than that. It's a start, anyway.

On the auditing of free software. One of the advantages of free software is said to be the greater degree of auditing of the code. The source is available to anybody, so of course people are looking it over for problems. "All bugs are shallow" and so on. Right?

The truth seems to be a bit less encouraging. People stumble across "obvious" bugs in old code on a regular basis. Most projects have more than their share of ugly code, well below the quality one would expect from a system based on peer review. Common security problems turn up in code that has been in service for years. If wide-scale auditing is happening, it certainly is missing a lot of problems.

But it seems increasingly clear that this degree of auditing is not happening. At the recent Kernel Summit, one high-level hacker was heard to mutter that only a very small percentage of the kernel code had ever been read by anybody other than the original author. And the kernel is one of the most heavily audited free software packages available.

What is going on here is fairly obvious when you think about it. Auditing code tends to be unpleasant, tedious work. Learning a large code base is hard, and until a hacker really understands the package being audited, any fixes are more likely to create bugs than to remove them. But once you reach the point where you can confidently audit code in a particular program, you are also at a level of understanding where you could spend your time creating cool new features instead.

In other words, the choices available to a talented hacker are generally (1) spend your time on tedious code auditing, and remain an obscure participant, or (2) create something new and exciting, and maybe become famous. Or something like that. It is not surprising that auditing work tends not to get done.

It sure would be nice if more such work did happen, though. Software truly benefits from being looked at by multiple people. More projects should consider setting up "janitorial" groups to encourage auditing activities and to help new hackers get going with the code. The various companies out there that depend on Linux could also, perhaps, dedicate some of their staff time to auditing tasks. Also helpful, of course, is the development of automated auditing tools (see this week's kernel page).

Even better would be a shift in free software community ethics to recognize code auditing as the crucial and difficult task that it is. There is, at times, too much emphasis on the people who crank out the code, and not enough on those who really make it work for everybody. When auditing becomes a highly appreciated effort, maybe free software will achieve its potential for top-quality code.

IP Filter licensing followup. Our story last week on the IP Filter licensing issue drew a fair amount of attention and mail. Several of our readers politely pointed out that one aspect of our reporting was not quite accurate: FreeBSD, as it turns out, does not use IP Filter as its standard firewalling system. IP Filter is an option, but the default firewalling code for FreeBSD is the free "ipfw" package.

OpenBSD, meanwhile, has chosen to drop IP Filter as a result of the licensing problems.

Anybody wondering whether these choices were wise may wish to peruse this article in the OpenBSD journal, and, in particular, read IP Filter owner Darren Reed's comments. They speak for themselves, and should help any prospective user decide whether it is a good idea to depend on this particular package.

Linux and TVs. This week, Princeton Graphic Systems announced a TV running an embedded Linux kernel. The use of Linux in embedded systems is certainly not new, but a look at just how many projects are aimed at the couch potato crowd might be interesting. Aside from the TiVo, Linux has seen a surge in projects aimed at the ubiquitous cable set-top box.

NetGem seemed to start the flurry with an announcement in April 1999 of their NetBox Cable, the first set-top box to run Linux for cable-based Internet access. Lineo followed in September 1999 with a project partnered with MeterNet. In January 2000, Lineo's Linux offering was selected for a box from Bast for use in hotels and apartments. Neither project has been heard from since. Coollogic suggested they had been shipping their e-Pilot box since October 1999, though LWN.net only got word of shipment in April 2000.

Fast forward to 2001 and you'll find the collection of players has boomed. Aside from the aforementioned Princeton Graphics Systems offering, Sylvania has their own TV, while Nokia is set to launch their much hyped Media Terminal. On the downside, though, the highly anticipated Indrema game box is, alas, no more. That is only to be expected; not all companies can be expected to succeed. It is still interesting to see more and more of them choosing to bet their future on Linux.

LinuxDevices.com's Cool Devices Quick Reference Guide gives a complete run down of other interesting products running Linux.

Inside this week's Linux Weekly News:

  • Security: European Parliament recommends encryption and Open Source software, new vulnerabilities in gnupg, Webmin, and TWIG. More distribution updates.
  • Kernel: 2.4.5, the Stanford checker returns; 2.4 virtual memory stability.
  • Distributions: Red Hat, SuSE and Turbolinux announce Itanium ports, Yellow Dog Linux 2.0 ships, Lanthan Linux added to the list.
  • On the Desktop: Printing issues but skip the tissues (the desktop is not dead)
  • Development: WaveSurfer, new PostgreSQL and mnoGoSearch, an Animation Editor, the GNet network library, FHS 2.2, Java 3d and JMF.
  • Commerce: Here comes the Itanium.
  • History: "Lignux", the importance of faith, Python's first move.
  • Letters: GPL boundaries, software bloat, desktop page
...plus the usual array of reports, updates, and announcements.

May 31, 2001

Eklektix, Inc. Linux powered! Copyright © 2001 Eklektix, Inc., all rights reserved
Linux ® is a registered trademark of Linus Torvalds