Oh noooo, more Linux vulnerabilities...now without testing

  • #16
    Asher, I have said this before and I will repeat it, I was under the belief that the whole point behind Linux is that it's all open source, so within minutes of a bug's discovery you will have thousands of geeks fixing it and testing every possible issue.
    meet the new boss, same as the old boss

    • #17
      Originally posted by mrmitchell
      Asher, I have said this before and I will repeat it, I was under the belief that the whole point behind Linux is that it's all open source, so within minutes of a bug's discovery you will have thousands of geeks fixing it and testing every possible issue.
      As compared to MS's denying of any possible security flaws until somebody else posts solid evidence. Then it throws a tantrum and calls people names.
      (\__/) 07/07/1937 - Never forget
      (='.'=) "Claims demand evidence; extraordinary claims demand extraordinary evidence." -- Carl Sagan
      (")_(") "Starting the fire from within."

      • #18
        Originally posted by Urban Ranger

        As compared to MS's denying of any possible security flaws until somebody else posts solid evidence. Then it throws a tantrum and calls people names.
        If such a flaw is exclusive to microsoft then Bill Gates must have an awful lot of offspring posting at Apolyton.

        • #19
          Originally posted by mrmitchell
          Asher, I have said this before and I will repeat it, I was under the belief that the whole point behind Linux is that it's all open source, so within minutes of a bug's discovery you will have thousands of geeks fixing it and testing every possible issue.
          That's fundamentally misinformed, in fact, it's downright naive. In any case, having thousands of geeks fixing a single thing would be a nightmare and would **** things up more than they fix it. How the Linux kernel works is different: regular contributors are assigned different sections, not unlike a corporation with teams working on different components. When there's a security hole or bug found, that team is notified and they fix the bug and release it with minimal testing, if any at all. -- OR -- someone contributes a patch to fix it. But this RARELY happens, kernel code is incredibly complex and changing one single thing can have side-effects in countless other components, so very rarely does this happen -- most of the time the "owner" of the code fixes it.

          As for thousands of geeks testing it -- no one tests it until it's released. So when they release the patch, THEN it is tested -- not just by geeks, but whoever applies the latest patch.

          The only difference between Open Source and Commercial development is Open Source people are not held personally responsible if a company applies the code and they lose tons of money in the process. Microsoft and others are liable for that to the tune of hundreds of millions, if not billions, of potential damage.

          For this reason, Commercial software undergoes rigorous testing that takes weeks usually. If you've read any interviews with MS Security people responding to criticism, they'll confirm patches are written usually within the first 24-48 hours, but testing (and fixing any bugs that crop up in testing) takes weeks at least.

          If anything, the Commercial software theoretically brings more secure code due to accountability for its actions. The problem is most people get confused because they don't understand why Windows is a far bigger hacker target than Linux or Apple systems, which is precisely why it usually has more reported bugs.

          The more people you have blindly trying weird security crap on your code, the more likely someone is to find one.

          It's simple logic, but it's evidently beyond the grasp of most *nix zealots.

          Simply put, the concept of "thousands" of geeks on standby who are all intensely familiar with the code vulnerable is incredibly laughable. You're lucky to have one or two people who can fix that code reliably, and most of the Open Source people do not work on that code full time, it's a hobby for them. Further, they are not legally accountable for any damage their patch does to other components and how it affects people -- hence the lack of testing and quick response time.

          It is NOT necessarily a positive how fast patches get released for Open Source. The people who think that need to do a bit more research and thinking...
          "The issue is there are still many people out there that use religion as a crutch for bigotry and hate. Like Ben."
          Ben Kenobi: "That means I'm doing something right. "

          • #20
            Another laughable allegation about Open Source is "testing every possible situation". If you've ever used an Open Source environment like Linux, you'd realize pretty quickly that "testing every possible situation" is about the last thing they do. Open Source software is usually developed by people in their spare time, and as such it is designed for something they want to use.

            It's obvious by looking at Linux -- it's clearly designed by geeks, for geeks. This doesn't relate directly to security, but it's the most obvious trait that Open Source software is not tested from every angle -- only from the angle of people who want to use it.

            Why should people waste hundreds of their own hours testing obscure, weird situations for side-effects if they ain't getting paid for it? MS pays people to do that, hence the weeks of testing...

            Most of the new stuff is automated, trying as many combinations of configurations as possible on tens of thousands of virtual computers. Open Source software also doesn't have those resources, usually.
            "The issue is there are still many people out there that use religion as a crutch for bigotry and hate. Like Ben."
            Ben Kenobi: "That means I'm doing something right. "

            • #21
              Originally posted by Asher
              It's obvious by looking at Linux -- it's clearly designed by geeks, for geeks.
              This is Linux's worst problem. It could be an excellent desktop OS very quickly if user-friendliness and interface tweaks were valued in the community (i.e. if you got real prestige from making another guy's program easy to use - for now, the prestige goes almost exclusively to the people developing code).
              "I have been reading up on the universe and have come to the conclusion that the universe is a good thing." -- Dissident
              "I never had the need to have a boner." -- Dissident
              "I have never cut off my penis when I was upset over a girl." -- Dis

              • #22
                IOW, Asher, I draw these two points from your posts:

                (1) Commercial software is accountable for its bugs.
                So I could sue Microsoft the next time Office crashes and I lose my data?

                (2) Linux is too complicated for a patch to be bug-free.
                That's the problem with having a complicated, multi-use OS, and Windows probably has the same problem. On the one hand though the "Microsloth spends most of their time testing it" argument seems to check out. The solution for Linux might be to make a new kernel from scratch that's more efficient, but I know as much about Linux kernels as a spider knows about quantum physics, so maybe it won't happen.

                The third minor point in your last post is that Linux won't break the desktop market because it's too geeky for the average consumer. I can't call BS, because the "average consumer" can barely work a TV remote control.
                meet the new boss, same as the old boss

                • #23
                  Originally posted by mrmitchell
                  (1) Commercial software is accountable for its bugs.
                  So I could sue Microsoft the next time Office crashes and I lose my data?
                  It's iffy for home users. IIRC, the EULA explicitly forbids that but it's never been challenged in court and some say it wouldn't hold in court.

                  For corporate users, Microsoft has an "insurance" policy of sorts for security/bugs causing damage or otherwise loss of income for the company. This is the big one.

                  (2) Linux is too complicated for a patch to be bug-free.
                  That's the problem with having a complicated, multi-use OS, and Windows probably has the same problem. On the one hand though the "Microsloth spends most of their time testing it" argument seems to check out. The solution for Linux might be to make a new kernel from scratch that's more efficient, but I know as much about Linux kernels as a spider knows about quantum physics, so maybe it won't happen.
                  It's not an inherent problem with how it's designed (or actually it might be, Linux is a monolithic kernel which academics declared obsolete over a decade ago, but that's another debate...). The problem is, too few people are qualified to provide the patches. A comparable number of people can successfully patch bugs in Windows and Linux kernels. The thing is, the Windows people are usually paid to do this full time while the Linux people are not. Further, Windows patches are put through extensive testing by paid software engineers while Linux patches are not.

                  The third minor point in your last post is that Linux won't break the desktop market because it's too geeky for the average consumer. I can't call BS, because the "average consumer" can barely work a TV remote control.
                  The "average consumer" can barely work Windows, too. But they're getting more and more used to it.

                  Linux is nowhere near being usable for them, and by the time it is (assuming it does get there), you'd have a hard time telling 80% of the people to retrain once again to use this other system when the one they have does the job just fine.

                  It's the kind of futility and realism that people like Urban Ranger just don't wanna face.
                  "The issue is there are still many people out there that use religion as a crutch for bigotry and hate. Like Ben."
                  Ben Kenobi: "That means I'm doing something right. "

                  • #24
                    Originally posted by Asher
                    The only difference between Open Source and Commercial development is Open Source people are not held personally responsible if a company applies the code and they lose tons of money in the process. Microsoft and others are liable for that to the tune of hundreds of millions, if not billions, of potential damage.
                    AHAHAHAHAHAHAHAHAHAHAHAHAH!

                    Oh, forgive me, my gut hurts. That sounds like the SCO FUD about "indemnification" being so important these days, when nobody in the software industry practices it anyway (including SCO).

                    I realize later in the thread you state that the "no warranty, no liability" clause may not hold up in court, but -- come on, if someone were going to sue Microsoft for damages from case after case of virus/worm outbreaks, don't you think it would have happened by now? Plus, in the case of corporate software licenses, where the license is negotiated & agreed to before the software is purchased, the "no warranty, no liability" clause almost certainly will hold up as the license (contract) was entered into freely by both parties. The party seeking liability on MS's behalf can certainly ask MS for it, and probably watch the per-seat cost of MS software explode dramatically upward in response.

                    Honestly -- when have you ever heard of Microsoft indemnifying its end-users, in any industry, of any size, from any potential software faults? If they were, you'd think they'd be blaring it from the hilltops as something that they do that Linux vendors don't/won't. They're not. Because they don't.

                    Ultimately I think it'll take legislation before any software vendors actually become generally legally liable for software faults -- they'll continue to hide behind licenses that disclaim all warranties & liabilities, and they'll get held up under contract law. Both commercial and open-source vendors work this way.

                    If anything, the Commercial software theoretically brings more secure code due to accountability for its actions.
                    (word-substitution)
                    If anything, the Open-Source software theoretically brings more secure code due to the inability of the coders to hide their code from any outside inspection.
                    (/word-substitution)

                    Both theories can be argued at great length (OSS argument), and there's no definitive conclusion. It'd be dishonest to suggest otherwise.

                    Further, they are not legally accountable for any damage their patch does to other components and how it affects people -- hence the lack of testing and quick response time.
                    Microsoft isn't legally liable either. That's the current state of affairs. Deny it if you wish, but you'd only be denying reality.
                    "If you doubt that an infinite number of monkeys at an infinite number of typewriters would eventually produce the combined works of Shakespeare, consider: it only took 30 billion monkeys and no typewriters." - Unknown
