RE[2]: Well, just goes to show you ...
RE: Well, just goes to show you ...
This is what, the first such bug found (ever?), and years since the driver was released?
Besides, nVidia has already released a fix for it:
"NVIDIA released the 1.0-9625 driver which fixes this bug last month:
http://www.nzone.com/object/nzone_downloads_rel70betadriver.html"
- http://kerneltrap.org/node/7228
In the end, whether it is "acceptable" or not, nVidia is the only option for Accelerated High Performance Consumer 3D Graphics under operating systems such as Solaris. Quite frankly, they could name an exploit every day and I still wouldn't care. I have no choice in hardware...
Edited 2006-10-16 22:51
I don't want to criticise your opinion, but think it's fascinating (and surely you are not the only one).
The whole system in regards to security is as weak as its weakest part is. Yet, as soon as not using weak parts rises to a certain level of uncomfortable (in this situation, alternative hardware), they will be accepted, even if they drive the whole system unsecure.
Edited 2006-10-16 22:57
I don't want to criticise your opinion, but think it's fascinating (and surely you are not the only one).
It's not an opinion. I don't have a choice about the hardware I use if I want a consumer level 3D Card with accelerated 3D graphics for Solaris.
So, quite frankly, I don't really care. I just want the tools to do my job or to do whatever I need to.
The moment a viable alternative comes available, I'd be all for it. But so far, none have materialised.
I don't think it is a question of how uncomfortable it is. There simply is no alternative to fall back to even on Linux.
Intel Graphics are very slow and Ati drivers... well... you sure don't want to leave nVidia for Ati if it comes to drivers.
So if there is a true alternative then I'm not aware of it.
On the subject of the XIG drivers. As an owner and a long-time user of one of their packages, I feel I can comment that they are excellent drivers. The only thing that is a shame is that more recent and powerful hardware cards are not supported.
Through the efforts of the manufacturers, they have largely been pushed out of the fully hardware accelerated chips and mostly focus on Intel integrated graphics solutions these days.
I own one of their Platinum packages for my old HP notebook and have been quite pleased. The performance is excellent (given the underlying chipset) and they are extremely reliable. However, if you demand incredible performance on a modern 3D design package, you will be out of luck with XIG as they simply no longer support recent 3D Labs, nVidia, or ATI hardware. It is really a shame.
I believe in their products and appreciate all the work it takes to develop their products.
http://www.xig.com/Pages/Summit/OSsupport.html#Solaris32anchor
nVidia is still the only option. XiG's support is only good for the older generation of video cards. I don't see SLI or anything like that on there either (maybe I'm missing it). Not only that, between choosing to pay for a driver and one for free, the choice is obvious in this case...
Besides, this whole conversation was about binary drivers, how is choosing *another* binary driver any better?
"nVidia is still the only option."
You're not interested to pay for other options ...
"between choosing to pay for a driver and one for free"
The cost of a working secure and up to date driver is included in the sale price of the graphic card.
"how is choosing *another* binary driver any better?"
I was answering your no other option comment.
The cost of a working secure and up to date driver is included in the sale price of the graphic card.
Exactly, so why would I pay for a driver *again*?
I was answering your no other option comment.
My no other option comment taken in context was that there was no *non-binary-only* option.
"That should shut up the people who call anti-blob folks "idealists." Closed code can't be easily audited, and thus can't be trusted."
Actually I don't call anyone idealists. I think Open code is just as bad since me not being a coder, I just have to use it and rely on someone else. Being open means it is easier to slip exploits in. I don't know any of these so called 'Auditors' monitoring the code.
""Being open means it is easier to slip exploits in."
No it doesn't but I'm sure someone is happy that there are people who believe in that FUD."
Well, with closed source only the developers can contribute code to it, and yes it may take a bit longer to fix when something is found. With open source supposedly anyone can commit code, unless I am sorely misunderstanding the meaning of community contributions, so an exploit may not even be found for a while.
Well, with closed source only the developers can contribute code to it, and yes it may take a bit longer to fix when something is found. With open source supposedly anyone can commit code, unless I am sorely misunderstanding the meaning of community contributions, so an exploit may not even be found for a while.
Uhh...I don't know of any decent project which allows just about anyone to apply a patch to the source tree..Usually the moderators check the patches and then either accept or reject them. So, if someone wrote a malicious patch, it would get rejected anyway. Sure, someone could download the whole source tree and patch it, but he/she would still not get it spread..Anyway, in essence, while only the developers can contribute code to closed source drivers, in open source model anyone can contribute a patch, but still the devs decide whether it goes in or not..
And it failed miserably.
It all comes down to who you trust. Do you trust all Microsoft employees? Are you sure nobody is including a backdoor in there somewhere? Do you trust the guys around the Linux/Xorg/Gnome/KDE projects?
Each of them uses their own software, so nobody of them wants a backdoor from other developers in his software. They have a clear motivation not to include a backdoor in their code, because all accepted code changes have to be attributable to someone for copyright reasons. The one who tries to include a backdoor knows, that no open source project will ever trust them again. And the likelihood that the backdoor will be found is very high, the code is open so everyone can search it for backdoors!
> Well, with closed source only the developers can contribute code to it,
> and yes it may take a bit longer to fix when something is found. With
> open source supposedly anyone can commit code, unless I am sorely
> misunderstanding the meaning of community contributions, so an
> exploit may not even be found for a while.
Yes, you *are* misunderstanding. Open Source (to some extents), and even more Free Software, mean that anyone can download the software and source code, distribute it, locally modify it, and distribute modifications.
Nothing, really nothing, gives you permission to modify the codebase in the project's repository as you wish. The project maintainers are free to accept your modifications (if you distribute them), but they could just as well ignore them altogether. Finally, a project maintainer who allows anonymous users to commit changes to the repository obviously hasn't learnt the hard way yet. But again, *nothing* in OSS or FS gives you permissions to do that, only stupid maintainers do.
easier to slip exploits in, are you joking? you don't think other developers on the project notice if someone throws in a root exploit? and you say you don't know of any auditors, there are LOTS, many distributions do some stuff to the packages before deploying, they look at the code, many end users do too, and often, bugs and security problems get back upstream because of that.
and you may need to rely on someone, but at least you know you always will have the ability to actually get it fixed. if suddenly your closed source vendors decide they don't care, you are simply owned, on the other hand, in the open source world you may hire others to do the work.
"and you may need to rely on someone, but at least you know you always will have the ability to actually get it fixed. if suddenly your closed source vendors decide they don't care, you are simply owned, on the other hand, in the open source world you may hire others to do the work."
Agreed to an extent, those are valid points. I have my concerns with both models. Convincing the folks who control the money in a company to go with OpenSource for that reason is like poking yourself in the eye with a sharp stick repeatedly from my experience. This even included having an issue with a Linux box, posting to a news group and having my answer in about 2 hours. They still didn't buy it, go figure.
Why would it be easier to slip exploits into open code? Open source projects only give commit privileges to trusted committers. Indeed, it's probably pretty hard to slip an exploit into a major piece of open source code. You make a commit to the Linux kernel, and tens of thousands of people see the generated changelog message. Unless you're a very trusted committer, at least a couple of people see the patch too. And all these things are there on the internet, for anyone to look at any time.
In the world of politics, it's called "transparency". When everyone sees what's going on inside, it makes it much harder for somebody to do something wrong.
There is always the option of using open source drivers, no one is forcing anyone to use closed source. Only if they want decent 3d.
It would be nice to have more documentation from the vendor so we could get the open source drivers up to speed.
I do see their point about giving more information to the competition. On the other hand, if both ATI and NVIDIA disclosed more information, wouldn't it encourage competition in the marketplace?
> There is always the option of using open source drivers, no one is
> forcing anyone to use closed source. Only if they want decent 3d.
I think it is a bit unrealistic to expect anyone with an nVidia card *not* to want decent 3d features and performance. After all, they have paid a lot of money for their graphics card.
if you seriously think that the specifications required to create drivers that support 3d for nvidia and ati cards put them at a disadvantage, you are not informed on the subject. the documentation required by us wouldn't even disclose information about their driver optimizations (which are mostly useless to their competitor, as it's almost entirely hardware specific).
both ati and nvidia have hugeass budgets and labs to get exactly the information they want from the competitor, they don't need any stinking documentation.
I can only hope that they create a usable card with open source drivers soon.
It sucks to either have a vulnerable system or be lightyears behind technology and performance wise.
Hate doing it but I'm using Nvidia's driver on my system because of strange (performance?) issues with DVI under the open source driver (can't watch videos without stripes on the screen).
On the other hand the fscking VGA mode gets my screen's resolution _very_ wrong:
As wrong as 800x600 with some 16 colours instead of 1280x1024.
It's not like I'd need some high performance 3d stuff...
So I decided to have a stable distro and another with blobs for watching videos...
Yup, it sure can. exploits that can be searched for and fixed on a timely basis, instead of having to wait 2 years for a fix for a remote root vulnerability in a kernel driver.
Of course, I'm still waiting to be able to use Xen with my nvidia card, so maybe I'm just a bit on the pissed-off-at-closed-driver side in general...
Even if it costs 200 € and is half as fast as a ATI or NVidia. Just to know, that there will be no more hassle at install or unfixable bugs makes an excess of 100 € worth paying.
I hope OGP will sell in the millions, that would give them enough budget for further development, and maybe NVidia and ATI would finally see that free drivers are a killer feature for us. Losing most of their Linux market share to OGP overnight might tell their upper management the story we could not yell at them loud enough for them to hear.
>Get a f**king grip - one f**king security hole in 5 years since they started supporting Linux and that too it's been fixed in the beta 9xxx series and the GPL morons get their panties in a twist.
Alleged technical superiority of open source v proprietary is not a claim the FSF actively makes and it is not one Stallman endorses, he has even gone as far as advocating free inferior software. They consider it irrelevant.
I can assure you that "GPL morons" had their "panties in a twist" long before this issue was disclosed, and it has very little to do with security vulnerabilities not only because it's irrelevant to them, but because it doesn't make sense to get all upset about this considering how many vulnerabilities things like the Linux kernel have suffered from.
So really, your issue is with the Eric Raymondism.
RE: I wish Nvidia stops making drivers for Linux!!
it may be a rare thing, but we have no way to fix production systems now, so tell me, these freebsd/solaris users, including yourself, you talk about, do you not care about security holes in production? do you simply upgrade to beta quality stuff to get around it? if freebsd suddenly had a security flaw on a critical machine of yours, would you simply pull CVS HEAD and compile if you knew it didn't have the bug?
The Risk? That you might be exploited via your video driver.
The Cost? Using half baked open source drivers with poor functionality (not exactly the fault of the open driver writers mind you, nvidia ain't exactly handing out documentation)
I'm thinking if this is fixed, well I'm going to continue running the closed nVidia drivers myself.
sorry but the open source drivers available are just really poor right now, and while I blame that on the graphics chipset manufacturers I also respect their concerns about trade secrets and proprietary IP in the products they produce.
Things like that dangerous blob should definitely be banned from the kernel space. If they run in user space, ok. But I don't want them in the kernel space.
What the.. You have a CHOICE you know, you don't have to use it if you don't want to.
Banning is NOT a solution, it only takes away people's ability to choose what they want to run and where.
So Greg is WRONG if he tries to limit my freedom to choose.



If somebody really wants in, they'll find a way.