Linked by Thom Holwerda on Wed 15th Apr 2009 09:54 UTC
Whenever the Conficker worm comes up here on OSNews (or any other site for that matter) there are always a number of people who point their fingers towards Redmond, stating that it's their fault Conficker got out. While Microsoft has had some pretty lax responses to security threats in the past, it handled the whole Conficker thing perfectly, releasing a patch even before Conficker existed, and pushing it through Windows Update. In any case, this made me wonder about Linux distributions and security. What if a big security hole pops up in a Linux distribution - who will the Redmond-finger-pointing people hold responsible?
depends on the bug
by jabbotts on Wed 15th Apr 2009 13:15 UTC

If the individual program is closely maintained by the upstream developers (OpenOffice) then official bug fixes have to go through them. An unpatched threat becomes their responsibility since they choose not to accept patches from third parties.

If the individual program works more openly with downstream developers then it becomes a matter of shorter patch times. The core developers can review the submitted patches and choose or modify the closest fit.

If the bug was introduced downstream by the distribution then the responsibility is that of the distribution maintainer. OpenSSH was not broken but someone with upload rights for Debian decided to fix what they thought was a bug. Debian and any distributions forked from it suddenly had broken OpenSSH. Upstream in OpenBSD, it was not broken nor was it broken in distributions that chose not to use the Debian patch. In this case, someone did not follow the Debian policy or consult the OpenSSH developers who are experts in cryptography and it was fixed quickly when discovered.

If you choose Red Hat then you watch for their bug reports and patches. For Debian, debian.org/security; for Mandriva, that distro's bug reports and patches. For Windows XP, that OS's bug reports. For Win2k, that OS's bug reports. For Vista, that OS's bug reports; for OS X, that OS's bug reports. Is the bug in the kernel and userspace, or an application on top like Word, or a third party application like Firefox, or a third party provided hardware driver? It's really no different or more complicated just because there are more brand names involved.

Reply Score: 2