Linux Foundation serves up a tasty dish of BUGS

Replying to self.

Having had a chance to glance over the thing, it seems El Reg may have done it something of a disservice. It does at least appear to be a decent stab at contemplating some of the principles and practicalities of F(L)OSS triage.

Definitely worth a more thorough read as time permits.

Leaving my original splaff in place in case it's an invaluable insight for naïve journo types.

;)

Guess you meant the *quality* of contributions, *diversity* really means nothing.

Also, here it's not a matter of well maintained projects, although in "low maintenance" mode. They spotted projects where bug reports couldn't be delivered and handled, and lacking a central code repository to ensure you know what's the latest code, and what modification has been made and by who - and who approved them. These are not well maintained projects, and they can be a risk from a security point of view. How could you audit a project when there's just several tarball around? If you're a distro maintainer what code should you package?

No idea how serious you are, so offering a serious answer. Tinfoil ON

Considerably better than elsewhere.

Considerably better != 0

FF itself is a veritable cornucopia of exploitable opportunities. Of course these would have to be tailored to target your minority OS which may lessen the risk.

If you're not a high value target, you're probably reasonably likely to be OK at the moment.

As you suggested, system monitor is a toy in this context. All tainted hardware must be simultaneously replaced.

If you're seriously concerned you should employ stringent segregation.

Investigate Qubes and similar as a minimum and/or use separate dedicated secure hardware linked only by "sneakernet" choosing your sneakernet medium wisely.

Re: Help.......

It depends on who you are. Given that 99% or so of malware by simple number is Windows-specific, the odds are pretty low for a drive-by infection. More so if cross-platform stuff like Java and Flash are disabled.

However, if you are part of an organisation that is worth targeting then all bets are off. Most recent surveys have shown the Linux kernel and Windows kernels have similar magnitudes of vulnerabilities, so if someone wants to find a privileged escalation bug for ether then a decent hacker will. Even so, most attacks are started on other programs (web browsers, word processors, PDF readers, etc) which tend to be far buggier than kernels.

Take some time to read GCHQ's advice on securing Ubuntu 14.04 for example, as that looks in to various aspects of security-by-configuration that are not always obvious. The list of guidance can be found here:

https://www.gov.uk/government/collections/end-user-devices-security-guidance

While that is for UK Gov use and so has some assumptions that might not be relevant, most still apply and you should be considering a VPN as well if you travel a lot and have a properly fitted tinfoil hat.

I don't see the fearmongering. I see some people suggesting places where security-minded devs with some spare time can contribute. Their metrics may not be perfect, but they're good enough for a first pass.

Thus you mean that because Linux is secure "by definition" no one should look at possible future attack vectors and proactively look for any issue that could lead to Heartbleed style of vulnerability, and spot and fix them before they are exploited? Complacency is one of the worst enemy of security.

Kudos to LF for not being complacent unlike many of its naive users, and ensure Linux secuiry is really cared of.

Re: "most at risk"...compared with what. exactly?

Never heard of https://www.microsoft.com/en-us/sharedsource/, for example?

The fact that a software is not "open source" doesn't mean its source code is not available to anyone. It just mean that access to source code is restricted to approved entities - which may not be only the entity writing it.

We may discuss forever which approach is "better", but any discussion should start on how things are, not on what you believe they are.

Seems you know SFA about this. Linus Torvalds is only the kernel's lead developer/manager, this is looking at all the other packages that make up a typical (and thus usable) distribution of a system and many of which lack any sort of clear guidance or leadership.

"Trolling" so obvious it hardly deserves a downvote... but have one anyway.

Steve Ballmer and Stephen Elop are available, how about one of them to replace Torvalds ?

The problem the article highlights is that there is software that is widely used in many GNU/Linux distributions that is effectively *unsupported*. There's nobody behind it, accepting bug reports, or actively maintaining the code. This is the exact *opposite* of the Linux kernel developers!

I'm no fan of the GNU/FOSS communities in general, and certainly not its tedious politics, but, for once, Linus Torvalds is not the problem here.

The problem is one we used to call "bit rot". Old code, in common usage, that is a time-bomb waiting to happen. Not just because of potential security risks either, but because an important API that code relies upon might change tomorrow, causing all sorts of major headaches.

Such code thus also acts like a drag on improving such APIs, holding back development and forcing programmers to jump through additional hoops to keep that old code happy. And it's those hoops that cause hackery and kludges to appear in code, opening up wonderful new possibilities for bugs and security issues.

It took them long enough, but Microsoft have finally learned to say, "No!" to continued legacy support in Windows precisely because of problems like these. (Apple never said "Yes!" in the first place; they explicitly state that each major new release of OS X may break old software.)

Re: Is it CSV

Click the "raw" button.