Enterprise Unix Roundup: Linus' Law in Effect

By Michael Hall (Send Email)
Posted Dec 16, 2004

Main     In Other News     Security Roundup     Tips of the Trade
If 'given enough eyeballs, all bugs are shallow,' this was a good week for exterminators. A recent study found fewer bugs per line in Linux vs. other apps. For Linux users leaping to wireless, NdisWrapper brings the more common Win drivers to a wireless NIC.

"Given enough eyeballs, all bugs are shallow," goes the open source verity popularly known as "Linus' Law."

The thrust of Linus' Law is less about security than it is the general process of assuring quality in software, but it certainly resonates with a general current of thought among open source advocates, which is that having source code available for review and audit helps ensure potentially dangerous bugs are more easily neutralized.

A study released this week certainly seems to support arguments in favor of open source as a programming methodology. According to Coverity, the 2.6 series of Linux releases contains 985 bugs in 5.7 million lines of code, or about one bug per every 5,787 lines of code. Coverity says the industry average for commercial software is 20 to 30 bugs per every thousand lines of code.

While the kernel's quality and security is obviously important, it doesn't mean a lot when Johnny Scriptkiddy is climbing in through the hole left by your SMTP listener, or Web server, or DNS server, or remote login server, or network file server, and so on.

Coverity's CEO characterized the study thus: "Our findings show that Linux contains an extremely low defect rate and is evidence of the strong security of Linux. Many security holes in software are the result of software bugs that can be eliminated with good programming processes."

Because it's our job to wag a finger and equivocate, we'll pause to note that fist-pumping over Linux' security is necessarily confined, by the nature of this study, to Linux proper: The kernel, and not the associated operating system assembled around the kernel. While the kernel's quality and security is obviously important, it doesn't mean a lot when Johnny Scriptkiddy is climbing in through the hole left by your SMTP listener, or Web server, or DNS server, or remote login server, or network file server, and so on.

In some ways, studies that do a passable job of isolating the risk posed by the ecosystem of services running atop the kernel are more significant than those that simply look at the kernel itself, and they're where many analysts fall down on the job. It's not uncommon to see shoddy comparisons of every single security issue reported by every single Linux distribution, followed by claims that Linux-based operating systems are less secure because they've tallied the same Apache exploit 12 times.

So what about that ecosystem of services? Who's looking after that?

D.J. Bernstein is well known in Unix circles for his meticulously secure software. His qmail MTA, for example, is backed with a $500 reward for the first person to publish a verifiable security hole.

On a more political level, he's well known for the terms under which he licenses his software: Distributors are free to pass it along in unaltered form, but distributing a patched or altered version requires his permission. This has put him at odds with his share of free/open source software advocates. The Open Source Initiative, for instance, refuses to recognize qmail as open source.

Bernstein also teaches a security class where he requires students to find vulnerabilities in Unix software: 60 percent of their final grade hinges on finding 10 exploitable flaws, which they, in turn, make available online.

Students identify software ranging from fairly simple programs for playing mp3s to the CUPS print server. What they have in common is the availability of source code and resulting auditability. Professor Bernstein's students can use the source to gain valuable experience analyzing software that's in use in production systems, and the software's developers get feedback on problems that hadn't yet been noticed, so they can fix them before the wrong person gets busy with a root kit.

As a means of preserving fragile developer egos, open source software probably seems poor: It can't be fun to watch a fourth year computer science student show the world your software is an exploit waiting to happen. At the same time, it's better than watching that potential exploit actually happen.

So, on balance it's a good week for open source advocates. One of their most respected standard bearers has come out of a serious audit looking pretty good compared to its commercial competition. And a healthy collection of less noted software received a checkup that exposed potentially dangerous flaws.

In Other News

» Last week, we noted an IDC report that stated Linux server shipments will be 25.7 percent of worldwide server shipments in 2008. On Wednesday, Open Source Development Labs (OSDL) announced the completion of another IDC study that indicates "overall market revenue for desktops, servers, and packaged software running on Linux will exceed $35 billion by 2008."

The study also estimates that the market for packaged applications and infrastructure software for Linux will grow at a compound annual rate of more than 44 percent between 2003 and 2008.

A summary of the report is available on the OSDL's Web site.

» Hardware Today takes a look at Apple's supercomputing efforts this week, with a rundown of an Xserve G5 cluster being prepped for use at COLSA's Hypersonic Missile Technology (HMT) team. According to company reps, highlights of the installation include noteworthy improvements in energy and heat management.

» The sheer ungainliness of Unix MTA sendmail inspired waves of competitors with a focus on either simplifying or making mail services more secure. Postfix is one of the best of those competitors on both counts, so if you're looking for a replacement for sendmail, this week's ServerCompare looks at the two side by side, feature by feature.

» According to Sun executives, Solaris is just the first of several enterprise products to be released under an open source license of some sort in the next year. Unfortunately, there's not much more to report than just that. The company's adamant about keeping Java proprietary, and it will not discuss which of its other products and platforms might be opened up.

» Merrill Lynch says Sun must buy either Red Hat or Novell to be taken seriously in the Linux server market. The Register begs to differ, and we're inclined to agree.

>> To Security Roundup
>> To Tips of the Trade

Page 1 of 2

Comment and Contribute

Your name/nickname

Your email

(Maximum characters: 1200). You have characters left.