Doug Stewart on 24 May 2011 12:32:06 -0700


Re: [PLUG] Microsoft's many eyes?

On Tue, May 24, 2011 at 3:21 PM, Chaz Meyers <> wrote:

> Asking whether Linux is more secure than Windows is a much more reasonable
> question than whether open source software is categorically more secure than
> closed source software.
> The former would still be tricky to prove. What's your metric for security?
> Is it the number of discovered exploitable bugs, perhaps weighted by how
> long the bug was out in the world with no fix available? "Windows" includes
> a lot more than a kernel, so are we just counting kernel exploits or do we
> get to count bugs in X11, GNOME, xft, Firefox, and other software to make it
> a fair apples-to-apples comparison? Each of those subjective questions would
> have to be answered by anyone doing the sort of analysis you describe and
> could bias the conclusions reached.
> The latter question, I think, would be far more difficult to answer because
> of how much variation there is between different projects. If I publish
> horrible code that no one reads or uses, does that count against FOSS? Does
> an exploit in vim hold as much weight as one in OpenSSL? Is it fair to
> compare IE6 in 2005 to Firefox in 2005 even though IE6 was for all intents
> and purposes an abandoned project at that point? If so, can we compare
> abandoned OSS projects to closed source projects? If you can prove Firefox
> has more brilliant people reading code than IE and IE has more brilliant
> people reading code than Konqueror, what does that say about FOSS vs closed source
> and who attracts the most eyes?
> I'm not sure there are enough projects out there that are similar enough in
> terms of functionality, manpower, and relevance to do an impartial analysis
> that generalizes over all software. I imagine the result of any such effort
> would end up being highly anecdotal.
> - Chaz Meyers

When talking about operating systems, I think the more
relevant/informative question is "Are OSes that were designed from the
ground-up to be multi-user systems with tiered access controls (e.g.
BSD and SysV UNIX variants) more secure than those still relying upon
multi-user capabilities bolted onto previously single-user-metaphor
systems (e.g. Windows and, errrr... Windows?)?" The answer to that is
"uncategorically 'yes'", IMNSHO.

Philadelphia Linux Users Group         --