Whenever the Conficker worm comes up here on OSNews (or any other site for that matter) there are always a number of people who point their fingers towards Redmond, stating that it’s their fault Conficker got out. While Microsoft has had some pretty lax responses to security threats in the past, it handled the whole Conficker thing perfectly, releasing a patch even before Conficker existed, and pushing it through Windows Update. In any case, this made me wonder about Linux distributions and security. What if a big security hole pops up in a Linux distribution – who will the Redmond-finger-pointing people hold responsible?
A Linux distribution is made up of various components written by lots of different projects. Those projects, in turn, are comprised of lots of individuals who contribute code in a loose manner. Microsoft Windows is also made up of various different components, written by several different departments (“projects”, if you will) within Microsoft. These projects, in turn, are also comprised of several different people.
If you can blame “Microsoft” for the Conficker worm, then who do you blame when it comes to a Linux distribution?
Say we have a monumental security flaw in X.org that can lead to remote code execution. Almost every distribution packages X.org, but obviously, only a few will actually ship with the hole before it gets discovered. Still, this raises the question: if Microsoft is responsible for Conficker, who are you going to hold responsible for the hypothetical hole here in X.org?
Your Linux distributor, who apparently failed to do proper QA to find the hole? Or will your distributor point to the X.org project? Are they responsible? What if they point to the person who contributed the code, whose name is most likely clearly visible since everything is open?
It really is an interesting question, and in the unlikely scenario that a Conficker-like worm ever made its rounds across Linux machines, I can see a lot of blame being thrown around on mailing lists.