Linked by Thom Holwerda on Wed 15th Apr 2009 09:54 UTC
Bugs & Viruses Whenever the Conficker worm comes up here on OSNews (or any other site for that matter) there are always a number of people who point their fingers towards Redmond, stating that it's their fault Conficker got out. While Microsoft has had some pretty lax responses to security threats in the past, it handled the whole Conficker thing perfectly, releasing a patch even before Conficker existed, and pushing it through Windows Update. In any case, this made me wonder about Linux distributions and security. What if a big security hole pops up in a Linux distribution - who will the Redmond-finger-pointing people hold responsible?
security.debian.org
by werterr on Thu 16th Apr 2009 07:30 UTC
werterr
Member since:
2006-10-03

I don't know about others but Debian and Ubuntu use a system where you have a security repository. The people behind these are allowed to upload 0-day fixes (instead of going through the normal process of getting your new package accepted) and touch basically every package in the entire repository.

This system should allow for distributions to fix security problems as soon as they can, or at least upload a temporary fix/workaround until the problem is fully solved. They also have mailing lists where announcements are sent to, therefore any system administrator that subscribes to them should know about issues and take appropriate steps.

This is a standard duty as an administrator of any platform.

Now I think pointing a finger here is more complex than with commercial/licensed software. Because when you buy a product or license, you must be able to expect a certain level of commitment from the seller/producer.

This is the reason why one could argue that if Microsoft does not fix a problem in a reasonable amount of time, it becomes their 'fault'.

However you don't buy or license a product/service from X.org, OpenSSH, Apache or Bind. They explicitly say in their license that it's free and you are not guaranteed support or error/bug-free software.

How does this translate into distributions selling (Linux) software where these packages are included?

I'm thinking that when you market that product as a 'perfect webserver' or a general purpose server OS, a customer can rightfully expect you as a commercial entity to fix security issues in this product they pay for, whether or not the underlying party that builds the software actually fixes this themselves.

When I take your work that you gave for free and make money off it, any problems with my customers should be my responsibility, not yours.

Besides, I think no distribution that didn't actively fix problems with its stuff would get much traction (with non-hobby customers) anyway.

Reply Score: 2
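The comment above describes the model where security fixes arrive through a separate security archive (security.debian.org, or the `-security` pocket on Ubuntu) and admins are expected to act on them. An added example, not code from the post or from the Debian/Ubuntu tooling: the script below parses `apt-cache policy` output (a real command; its record layout is reproduced here) and reports which installed packages have a pending upgrade whose candidate version comes from a security archive, as opposed to an ordinary update from the main archive. The three package records in `SAMPLE` are constructed sample output; the version strings are made up for the example, and the `SECURITY_MARKERS` list is an assumption about how those archives are named in the source lines.

```python
"""Flag installed packages whose pending upgrade comes from a distribution
security archive, by parsing `apt-cache policy` output.

Added illustration for the OSNews thread, not the distributions' own code.
"""
from __future__ import annotations

import re
import subprocess
from dataclasses import dataclass, field

# Substrings that identify the Debian/Ubuntu security archives in a source
# line.  Assumption for this example: "-updates" and "main" lines are not
# security uploads, only these markers are.
SECURITY_MARKERS = ("security.debian.org", "security.ubuntu.com", "-security")

# Constructed sample of `apt-cache policy openssl curl vim` output.  The
# layout matches apt-cache's real format; the version numbers are made up.
SAMPLE = """\
openssl:
  Installed: 3.0.11-1~deb12u2
  Candidate: 3.0.13-1~deb12u1
  Version table:
     3.0.13-1~deb12u1 500
        500 http://security.debian.org/debian-security bookworm-security/main amd64 Packages
 *** 3.0.11-1~deb12u2 100
        100 /var/lib/dpkg/status
curl:
  Installed: 7.88.1-10+deb12u5
  Candidate: 7.88.1-10+deb12u5
  Version table:
 *** 7.88.1-10+deb12u5 500
        500 http://deb.debian.org/debian bookworm/main amd64 Packages
        100 /var/lib/dpkg/status
vim:
  Installed: 2:9.0.1378-2
  Candidate: 2:9.0.1378-2+deb12u1
  Version table:
     2:9.0.1378-2+deb12u1 500
        500 http://deb.debian.org/debian bookworm/main amd64 Packages
 *** 2:9.0.1378-2 100
        100 /var/lib/dpkg/status
"""

# A version-table line: optional "***" (currently installed), version, priority.
VERSION_LINE = re.compile(r"(\*\*\*\s+)?(\S+)\s+(-?\d+)$")


@dataclass
class PolicyRecord:
    name: str
    installed: str = ""
    candidate: str = ""
    # version string -> repository source lines listed under that version
    sources: dict[str, list[str]] = field(default_factory=dict)

    def candidate_sources(self) -> list[str]:
        return self.sources.get(self.candidate, [])

    def pending_update(self) -> bool:
        # "(none)" means the package is not installed; nothing to upgrade.
        return self.installed not in ("", "(none)") and self.candidate != self.installed

    def pending_security_update(self) -> bool:
        return self.pending_update() and any(
            marker in src for src in self.candidate_sources() for marker in SECURITY_MARKERS
        )


def parse_policy(text: str) -> list[PolicyRecord]:
    """Parse one or more `apt-cache policy <pkg>` records."""
    records: list[PolicyRecord] = []
    current: PolicyRecord | None = None
    version: str | None = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line.startswith(" "):            # "pkgname:" opens a record
            current = PolicyRecord(name=line.rstrip(":"))
            records.append(current)
            version = None
            continue
        assert current is not None
        s = line.strip()
        if s.startswith("Installed:"):
            current.installed = s.split(":", 1)[1].strip()
        elif s.startswith("Candidate:"):
            current.candidate = s.split(":", 1)[1].strip()
        elif s.startswith("Version table:"):
            continue
        elif (m := VERSION_LINE.match(s)):
            version = m.group(2)
            current.sources.setdefault(version, [])
        else:
            # Source line: "<priority> <uri> <suite>/<component> <arch> Packages"
            # or "<priority> /var/lib/dpkg/status" for the installed copy.
            parts = s.split(None, 1)
            if version is not None and len(parts) == 2 and parts[0].lstrip("-").isdigit():
                current.sources[version].append(parts[1])
    return records


def pending_updates(text: str) -> list[str]:
    return sorted(r.name for r in parse_policy(text) if r.pending_update())


def pending_security_updates(text: str) -> list[str]:
    return sorted(r.name for r in parse_policy(text) if r.pending_security_update())


def live_policy(packages: list[str]) -> str:
    """Run the real command on a Debian/Ubuntu host (not used by the sample run)."""
    return subprocess.run(["apt-cache", "policy", *packages],
                          capture_output=True, text=True, check=True).stdout


if __name__ == "__main__":
    print("pending upgrades:         ", pending_updates(SAMPLE))
    print("from a security archive:  ", pending_security_updates(SAMPLE))
```

On the sample, `vim` has a pending upgrade from the regular archive and is reported as an update but not as a security fix; `openssl` is the one whose candidate is served from `bookworm-security`. The distinction matters for the point made in the post: an admin subscribed to the security announcements wants to prioritise exactly the second list.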