Paul Starzetz has found a serious bug in Linux kernels. By exploiting the vulnerability, local attackers could gain root privileges. All recent Linux kernels are affected. The bug has already been corrected in the recently released 2.4.29-rc1 Linux kernel.
http://seclists.org/lists/bugtraq/2005/Jan/att-0068/exploits_and_pa…
http://dev.gentoo.org/~dsd/gentoo-dev-sources/release-10.03/dist/11…
Now let’s wait for 100s of OSS zealots to justify how it is minor as compared to Microsoft bugs.
Well, it is a local exploit, compared to a remote exploit like a lot of Windows vulns. There’s a patch for it as well. How long they knew about it is up for debate though…
It is minor for a lot of people since it’s only local. However, from a business perspective, where you have multiple users on each system and someone were to gain root access, it’s a huge security issue.
Can you please stop posting flamebait for no real reason? It just clutters up the comments section.
It’s minor compared to a lot of Windows exploits because it’s local only and there’s already a patch out for it.
I am glad this is only a local exploit; security at the desk/keyboard is a non-issue for me since only trusted individuals use this computer. When there is a remote exploit, be sure to post that news for sure…
Even if it were a remote exploit, it depends on particular services that are listening on certain ports. If someone had a hardware firewall which blocks everything inbound, chances are still good things go to /dev/null anyway. If the vulnerability resides within some www-browser then remote/local doesn’t mean anything; some rootkit could be installed which also rewrites the OS firewall and starts sending, for example, on TCP 80, but the rk owner still can’t connect because the hw-firewall is blocking everything inbound?
I think combined with another exploit that would give access to some user’s shell, it could be darn serious. And maybe turned into a worm. But then the patch is already out. It usually takes M$ much longer to release patches. It’s up to the sysadmins now to take care of this issue.
On the other hand it’s interesting to see M$ followers just waiting for something to point their fingers at.
The Linux kernel is man made, and it’s not perfect. OpenBSD is a very good choice if it comes to security. I will always prefer OpenBSD over Linux for using firewalls. But it’s behind Linux if it comes to performance.
You must be kidding.
Even if we agree that OpenBSD is a great OS I would not use it on desktops. Linux is a lot faster. Of course, I could use FreeBSD (and I do on servers) or, maybe, NetBSD if they get the right hardware support for a particular computer.
People seem to underplay local exploits because they think that someone would need to be physically sitting at the keyboard to run the exploit. Say there is a program running that is remotely exploitable (e.g. BIND). A hacker can first crack the program to get the privileges of that program. They can then use a local exploit to elevate to *ROOT*. Your box is now owned. Just because this is a local exploit doesn’t mean it can’t be exploited remotely at all. Indirect remote exploits are still possible! That being said, make sure all your systems have all the latest patches, whether it be Linux, Mac, or Windows.
And don’t overplay local exploits, particularly when you can fine-tune access to services/daemons.
If you are running a service that is remotely exploitable, you have more than you can handle on your tray.
“People seem to underplay local exploits because they think that someone would need to be physically sitting at the keyboard to run the exploit.”
I don’t think anyone thinks that. They underplay it because it’s a local access exploit, not a remote access exploit.
Tried it on debian with 2.4.27 and 2.6.9; didn’t work. Who still uses uselib anyways?
It is a bad bug, period. As bad as windows bugs. The only difference is the way one or the other handles these problems.
I prefer to know how bad it is, the solution to it, and not hear a company saying that it is not a big deal (Microsoft tends to act like this, so please let us not copy them).
I tried it on Debian as well, with the 2.6.8-1-686 kernel. It failed no matter what I tried. At one point it made my machine hang for about thirty seconds and then everything went back to normal.
in Debian “Unstable”.
I don’t have any services running, should I even bother?
OpenBSD is not really inherently more secure than Linux and its patches. If you want a secure Linux you can use the SELinux user-land and kernel patches, or you can use rsbac-sources, or you can use the grsecurity patches. If you still want to use a BSD, you can use FreeBSD with its MAC patches, similar to SELinux.
It was OpenBSD which had a remote root flaw in its default install, GNU/Linux never had such an issue… albeit then again this is comparing apples to oranges.
“its minor compared to a lot of windows exploits because its local only and theres already a patch out for it.”
On the other hand, most Windows exploits come from bugs in Internet Explorer or userland libs like ActiveX, DCOM etc. and not the kernel itself.
True, but everything in Windows is so bolted onto the kernel it can bring the system down very easily. Think about it: explorer.exe
I use Debian but I couldn’t be arsed waiting and downloaded the 2.6.10 kernel; the patch applied fine, just recompiling the Debian way now.
I compiled it and tried again on Yoper. It died a bunch of times and didn’t give me a shell. So far this exploit is 0 for 3 (Debian, Yoper, Mandrake).
The exploit code posted specifically mentions it was tested only with GCC 2.9 on kernel 2.4. The fact that this version of the exploit happens not to work on a 2.6 kernel doesn’t mean the kernel isn’t vulnerable to a better implementation of the exploit…
Will this affect people running SELinux, with sysadm_r removed from the authorized roles for root?
The exploit code posted specifically mentions it was tested only with GCC 2.9 on kernel 2.4.
And on x86. It uses x86 and x86-64 specific ASM.
I was just rooted by this sploit after an additional PHP related attack. This is remotely exploitable if there is another flaw available.
How do you define what’s GNU/Linux? There are a myriad of different distros. I remember old Red Hat boxes (5.2 was especially bad) that could be pwn3d in a matter of seconds. The 2.4 and 2.6 kernels have had several important bugs already.
SELinux doesn’t really impress me. OpenBSD is a complete solution, not just the kernel. They have a modified Apache with automagic chroot, audited BIND, ProPolice in all apps and the kernel, W^X, random .so addresses, and much more. Believe me, they’re light years ahead of everyone else in the game; they’ve concentrated on it since 1995.
Too bad most commercial vendors have no patches available for this.
…that someone who is an avid Windows user would even compare the number of bugs XP has to Linux and say XP is better. We all must have read the article about Linux source code having the least number of bugs according to Stanford University. And the OS is open source!! I am an XP user but I know when Linux is better than XP.
Here is a link to an English description of the vulnerability for those of us who don’t speak Magyar (I believe that’s what they speak in Hungary):
http://isec.pl/vulnerabilities/isec-0021-uselib.txt
It’s so funny: when someone finds even a minor security bug in Windows, Linux fanboys start to scream how shitty Windows is, but when there’s a serious bug in the Linux kernel, the same people try to ignore and downplay its importance. I’m genuinely amused.
This is a bad bug; don’t try to downplay it. Linux is written by imperfect beings and is therefore itself imperfect. We as a community shouldn’t downplay this bug. We should just acknowledge that it exists in unpatched systems and that the patch is already available in the main kernel tree. I don’t know if any of the distros have patched this exploit or not. Does anyone know if the commercial distros and Debian have issued security patches for this?
As for the security found in Windows, well, I don’t think anything really has to be said. Let the Windows fanboys flame away, while the rest of us use whatever OS works best for us, depending on the situation of course:)
This is off topic, but I have another Linux success story. My university is moving from their IBM AS/390 system for their critical infrastructure to two multi-site Red Hat Linux clusters running the Oracle database. I think I’m going to introduce the heads of my IT department to the K12LTSP project. We have a lot of thin clients around the university that are running Windows embedded and it feels like I’m using a Windows 3.1 system, actually I think Windows 3.1 might have had more features;)
http://seclists.org/lists/bugtraq/2005/Jan/att-0068/exploits_and_pa…
This patch won’t screw up my stock Slackware 2.4.26 bare.i kernel, will it???
i never heard of seclists.org before today…
LOL! Microsoft reports exploits like this all the time! I would do research on security before making rush decisions like that.
I’m pretty sure he was joking.
“It’s so funny: when someone finds even a minor security bug in Windows, Linux fanboys start to scream how shitty Windows is, but when there’s a serious bug in the Linux kernel, the same people try to ignore and downplay its importance. I’m genuinely amused.”
You may be amused, but you are also wrong. Half of the Windows exploits don’t even make the news anymore because no one cares. One kernel exploit, though, and you Windows Fanboys ™ start to talk about how we always pick on Windows. Well guess what, Fanboy, I’ve already patched my system (regardless of the fact that I tried the exploit on myself and it didn’t seem to work). As a matter of fact, even if there hadn’t been a patch released right away I could still have patched my own system as soon as I knew the details about the hole. Go ahead and say that about Windows.
No one is trying to claim that Linux is perfect and is the end to all problems. What we are saying is that there are fewer problems and the few are fixed sooner than in Windows. This is undeniably true.
Now go somewhere else and troll, because you’ve been debunked here.
Just to point out that the availability of a patch doesn’t actually mean the exploit instantaneously disappears.
MS had patches for blaster before it hit real bad, and people didn’t apply them. It’s not restricted to the MS world either. There are plenty of people out there that simply don’t update (And who I blame for the automated SSH attacks on my Linux box). It isn’t enough to just have a patch out, people have to be asked (Perhaps forced) to use the damn thing.
Yes, but when people don’t apply patches it is their own fault, be it Linux, Windows, BSD, SkyOS, BeOS, or OS X. Yes, it will affect systems, but no systems with administrators who are awake. If the sysadmin is stupid enough to not apply patches, he/she deserves the extra work of cleaning up the mess.
…that someone who is an avid Windows user would even compare the number of bugs XP has to Linux
Comparison is good.:)
If you know that the number of bugs for a Linux distro is small, and it is the Linux distro, not the Linux kernel, that people use, would you be so kind as to find out the following:
1. How many patches did Red Hat release for Red Hat ES 3.0 in December 2004? (See https://rhn.redhat.com/errata/rhel3es-errata.html)
2. How many patches for critical kernel vulnerabilities did Red Hat release in December 2004? (See https://rhn.redhat.com/errata/rhel3es-errata.html)
3. How many bugs were fixed by just one kernel patch released on December 20, 2004? (See https://rhn.redhat.com/errata/RHBA-2004-550.html)
4. How would you rate the stability of the Linux kernel, after reading about a bug like this: “126998 – Machine hangs in less than one hour.”
5. What should be today’s uptime of a Linux server with all security patches properly applied? (Answer: just a few days, after the latest kernel patch).
++++++++++++++++++++++++++++++
Come back with answers, and use them to tell us stories about OS which is inherently more secure, virtually bug free, with 2 years uptime.
Well, maybe I’m trolling, I don’t know, but what I wanted to say is that when there’s even a minor bug in MS products, you all, I mean Linux/FOSS fanboys, start to point your fingers and scream “Windows sux, Linux is great”; now, when there’s a bug in Linux, you’re trying to downplay its importance – “it’s only a local exploit, blah-blah-blah”. That’s what amuses me and what I find funny.
And, to be clear, I have nothing against Linux, Mac or any other OS; I am just trying to say that all of them are imperfect by default, and I guess it’s a very strange reaction to MS software from SOME Linux users.
Yes, some people who think they know a lot more than they do freak out whenever they see a hole in Windows and try to look cool by insulting Windows. These people are ignored by any serious FOSS advocates just as the Windows Fanboys are.
The problem with having exploits like this is that it would make it easier to write a virus or worm that spreads through unpatched systems. Having a well-known local root exploit means your system is more vulnerable; if it has other services with known exploits, it would depend on how skilled the attackers are.
It would be possible to script a worm that attacks systems using any form of remote exploit to gain user level access and use this vulnerability to gain root and compromise the system. This makes it difficult to protect your system even with chroot. But I’m sure there are many systems with root exploits, even some remote, that still have yet to be patched, just waiting to be attacked. At least the chances are an attacker is going to be another human instead of a script, but these sorts of bugs make the alternatives possible.
Anyway,
Windows might be more secure than any other OS, who knows. Do you? I certainly don’t.
I’ve seen some Linux source code and it’s not bad, but I wouldn’t expect they have everything locked down. It’s so dynamic that these types of problems tend to be found and corrected, but it’s always possible a piece written a while back could have another remote root exploit in it. Time will eventually find a way to work out these bugs. And I have faith everyone will stick with it long enough to solve these problems.
Writing software is a lot like solving math problems. But how can anyone worry about that when ya got all the stress of dealing with corporate politics, meetings, deadlines, etc.? Put all the faith you want in your commercial software, but don’t come crying to me when it breaks. Deal with the lost data, downtime, bugs, viruses and advertisements. But don’t complain; just remember that’s what you paid for. You paid for what’s popular and easy because you can’t be bothered to learn how these “computers” work. Either that or you really know your stuff and know what those algorithms are capable of. In which case you know you made the right choice and know how to avoid the pitfalls. It’s all perspective.
“Come back with answers, and use them to tell us stories about OS which is inherently more secure, virtually bug free, with 2 years uptime.”
VMS, OpenVMS
I think you’re probably right. I wonder what HP is going to do with it.
The same as what they did with PA-RISC, Alpha and Tru64:
destroy it and sell what’s left to someone else…
True, but everything in Windows is so bolted onto the kernel it can bring the system down very easily, […]
False.
[…] think about it, explorer.exe
Explorer has nothing to do with the Windows kernel.
@ Surya
Well, my machine has been running 30 days without a reboot.
OpenBSD has had only one major hole in 8 years…
Well, how much do I pay for my OS? 0 euros. How much do you pay for yours?
At least in my OS I can view the source code. And yours?
The normal thing is more bug reports in Linux, and this is simple: no one is perfect, so we humans make errors; with open source it is easy to detect bugs, and faster.
If MS releases XP as open source, I am sure that Windows will beat bugs for decades…
Now let’s wait for 100s of OSS zealots to justify how it is minor as compared to Microsoft bugs.
Already
There is really no way to make this look good. Especially since this bug really didn’t need to be such a big problem if Linux distros cared to take advantage of the functions in Linux and configure it in a more secure way. But unfortunately most don’t.
From what I understand this bug only elevates user privileges to root. If the normal security role of root were less lax, this wouldn’t be much of a problem. Most applications don’t need to run as root. And the few that really need it often just need to see a select part of the system. By having differentiated security roles for different tasks, vulnerabilities like this one would have much less chance of doing any damage. The concept of having one super user like root, or Administrator in Windows, that is allowed to do everything is not a good concept for security and should be avoided.
Unfortunately most computer users are not skilled enough to develop such policies on their own. This is why it is important that Linux distros help their users in this respect. Fedora and some other distros are moving in this direction. Unfortunately the so-called targeted security policy available in Fedora is targeted at server-side functions.
Still, a bug is a bug; it doesn’t matter how much you use security roles, chroot jails etc. Every time one layer of security is penetrated your security is lessened. It’s even more important as most Linux users don’t apply mandatory access control and role-based security, leaving them just as unprotected as their Windows-using friends.
The problem is that better security costs money. Secure systems, regardless of OS, not only make it harder for malware to do what it wants, they also make it harder for the sysadmins. This is probably why most Linux distributors, and Microsoft too for that matter, don’t ship their OSes as secure as they are technically capable of. It’s like putting more and more locks on your home. You know that it will reduce the risk of burglary, but at some point it becomes too inconvenient to handle for everyday use.
When Linux gurus talk about community, are they considering all Linux users or is it just the creamy layer? I am a Debian user, with a 2.6 kernel. Out of 50 comments above NOBODY mentioned how to apply the patch and update the system within a few quick steps!!! Again the average Joe is searching pages through Google…………….That’s the fate of Linux SEALED…
Dude… relax. It’s been barely a day since the release. Debian will likely release a patch very quickly and all you’ll need to do is apt-get upgrade.
Also, this shouldn’t really bother you as long as you are up to date in other areas and aren’t administrating a multi-use system – especially not if you are smart and behind a router. Not to mention that I’ve tried the code released under Debian with a 2.6 kernel and it doesn’t work. Perhaps it can be modified to do so, but I think the Debian team will have a patch out before anyone gets around to writing a worm capable of coming after your otherwise fully patched system.
So every day at the end of the day do an “apt-get upgrade” and you won’t really have to worry. While the Debian packages are usually old, they do get security patches out relatively quickly.
-Preston
> …that someone who is an avid Windows user would even compare the number of bugs XP has to Linux
> Comparison is good.:)
> If you know that the number of bugs for a Linux distro is small, and it is the Linux distro, not the Linux kernel, that people use, would you be so kind as to find out the following:
> 1. How many patches did Red Hat release for Red Hat ES 3.0 in December 2004? (See https://rhn.redhat.com/errata/rhel3es-errata.html)
> 2. How many patches for critical kernel vulnerabilities did Red Hat release in December 2004? (See https://rhn.redhat.com/errata/rhel3es-errata.html)
> 3. How many bugs were fixed by just one kernel patch released on December 20, 2004? (See https://rhn.redhat.com/errata/RHBA-2004-550.html)
> 4. How would you rate the stability of the Linux kernel, after reading about a bug like this: “126998 – Machine hangs in less than one hour.”
> 5. What should be today’s uptime of a Linux server with all security patches properly applied? (Answer: just a few days, after the latest kernel patch).
> ++++++++++++++++++++++++++++++
> Come back with answers, and use them to tell us stories about OS which is inherently more secure, virtually bug free, with 2 years uptime.
I’m pretty sure Windows Update would have plenty more updates if MS released
a) Patches right away for problems instead of waiting till the end of the month, bundling them all into one download and claiming they fix one problem on the Windows Update site.
b) Security fixes for Adobe Acrobat Reader, various text editors, Java, more than one mail server, IRC clients, various different image editing programs, updates for more than one GUI and basically supported most of the programs running on the OS instead of just the OS itself
Most distros don’t release a new kernel patch or kernel every 3 days. Just because Red Hat chooses to do so doesn’t mean Linux is unstable or insecure.
Also, one thing you fail to point out, how do we know MS has found all the bugs in their software. Or, for that matter, patched or even mentioned the ones they do know about.
When Linux gurus talk about community, are they considering all Linux users or is it just the creamy layer? I am a Debian user, with a 2.6 kernel. Out of 50 comments above NOBODY mentioned how to apply the patch and update the system within a few quick steps!!! Again the average Joe is searching pages through Google
If you can’t wait until your distro packages it for you, here is some suggested reading:
http://www.digitalhermit.com/linux/Kernel-Build-HOWTO.html
Considering this is a quite serious bug, I would expect that most distros send out prepackaged fixes very soon, if they haven’t already by now.
Linux fanboys, you are one of the most hypocritical communities I have ever seen.
I’d say Windows fanboys are.. no wait, Mac fanboys are.. no wait, BSD fanboys are.. No, actually they all are. There are trolls & zealots for _every_ operating system out there, thinking their favourite operating system is THE BEST, period.
I use OS X at home, Linux and Solaris at work, and occasionally Windows for games at home, and, gotta say, I am actually happy with each one of them! Peace, my friends. Well, actually, the one that I am not happy with out of the box is Solaris. Throw in some GNU stuff, like GCC, GNU grep and other GNU tools, and it’s nice.
Right tool for the right job. Anyways, Linux _can_ easily be secured to be a fortress; unfortunately, with current distros, it’s the administrator’s job. It takes some effort, but you can create a virtually unbreakable Linux box. You can do the same with BSD, Solaris, and even Windows, IF you know what to do. It’s all about configuration. OpenBSD stands out here because it offers the best _default_ configuration.
By the way, Secure Linux tip:
Install Mandrake, set security on installation to ‘Paranoid’, and there you have probably the MOST secure Linux distribution out of the box. It is virtually fully closed; you cannot even start X unless you set rights to it. All tools are separated into their own groups; to get access for users, you need to add users to those groups. It also uses high logging and grsecurity; the root user is locked down to _local_ login only (no SSH login allowed, nor su), and “su” is allowed only for members of the ‘wheel’ group. By default users cannot ‘ls’ anything else but their own home directories, or launch any tools. That’s how other distros should handle it too!
Yes, the best job here is done by Mandrake, the “desktop” distro! I recommend trying it with the ‘paranoid’ or ‘higher’ security options. It is _REALLY_ secure then.
Love & peace, and stop fighting about operating systems 😉 Rather do something useful, like write tutorial how to secure them.
read this..
http://secunia.com/advisories/12889/
and feed this into IE…
http://secunia.com/internet_explorer_command_execution_vulnerabilit…
Enjoy!
You hit the nail right on the head with that one.
> Out of 50 comments above NOBODY mentioned how to apply the patch and update the system within a few quick steps!!!
That’s a fair point. Linus committed a fix to the bitkeeper repo recently but it may well be a half-baked one as I have read one report already that it didn’t protect a system from the corresponding exploit. I think Alan and Marcelo had published their own fixes prior to that.
I’m going to suggest the use of the one which was (rapidly) committed to Gentoo’s 2.6 tree. I believe it is a slight variant on Marcelo’s patch with some improvements suggested by spender (who is a grsecurity guru). Gentoo’s kernel maintainers are usually very cautious about what they commit to their kernel tree and I (FWIW) can vouch for their judgement. The basic approach is something like:
Step 1:
# cd /usr/src/linux
Step 2:
# wget -O - http://dev.gentoo.org/~dsd/gentoo-dev-sources/release-10.03/dist/11… | patch -p1
Step 3:
Recompile …
For a lot more information, see a post I made to the ck list here: http://bhhdoa.org.au/pipermail/ck/2005-January/002294.html
Note also that the grsecurity team publicised five (relatively minor) vulnerabilities as of their latest release of the grsecurity patch. They have released exploits and fixes in this tarball: http://seclists.org/lists/bugtraq/2005/Jan/att-0068/exploits_and_pa…
Hmmm, it would appear that the URLs are truncated in these comments. Just to be clear, the end of the URL in the wget command should be so: dist/1115_sys-uselib-fix.patch
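The three steps above pipe wget straight into patch, so a patch that does not match the tree fails half-way through. The following script is an added example, not code from this commenter or from Gentoo’s kernel maintainers: it classifies a kernel version string against what the thread states (the fix is in 2.4.29-rc1 upstream; 2.6 trees still need a vendor patch such as the Gentoo one), and it applies a patch only after `patch --dry-run` accepts every hunk. It assumes the patch has first been saved to a local file (the URL is truncated above, so use the full one you have) and that GNU patch is installed; the function and file names are the example’s own.

```shell
#!/bin/sh
# Added example (not the commenter's or Gentoo's code): classify the running kernel
# against what the thread states and apply a saved vendor patch only after a dry run.
# Assumed (not on the page): the patch is downloaded to a file first, e.g.
#   wget -O uselib-fix.patch 'http://<full vendor patch URL>'

# uselib_status VERSION -> prints one of
#   fixed-upstream  2.4.29 or later (the fix landed in 2.4.29-rc1)
#   needs-patch     2.4.x before 2.4.29, or any 2.6.x (needs a vendor/out-of-tree fix)
#   unknown         any other series
uselib_status() {
    ver="$1"
    major=$(printf '%s' "$ver" | cut -d. -f1)
    minor=$(printf '%s' "$ver" | cut -d. -f2)
    # the third field may carry "-rc1" or a distro suffix like "-1-686"; keep digits only
    patchlevel=$(printf '%s' "$ver" | cut -d. -f3 | sed 's/[^0-9].*//')
    case "$major.$minor" in
        2.4) if [ "${patchlevel:-0}" -ge 29 ]; then echo fixed-upstream; else echo needs-patch; fi ;;
        2.6) echo needs-patch ;;
        *)   echo unknown ;;
    esac
}

# apply_kernel_patch PATCHFILE SRCDIR -> 0 on success; 1 (tree untouched) if the
# inputs are missing or the dry run rejects any hunk.
apply_kernel_patch() {
    patchfile="$1"; srcdir="$2"
    if [ ! -f "$patchfile" ] || [ ! -d "$srcdir" ]; then
        echo "apply_kernel_patch: missing patch file or source directory" >&2
        return 1
    fi
    # the redirect sits outside the subshell so a relative PATCHFILE resolves before cd
    if ! ( cd "$srcdir" && patch -p1 --dry-run ) < "$patchfile" >/dev/null; then
        echo "dry run failed: patch does not apply cleanly to $srcdir" >&2
        return 1
    fi
    ( cd "$srcdir" && patch -p1 ) < "$patchfile"
}

# Stand-alone use:  sh uselib-check.sh [PATCHFILE SRCDIR]
echo "running kernel $(uname -r): $(uselib_status "$(uname -r)")"
if [ "$#" -eq 2 ]; then
    apply_kernel_patch "$1" "$2" && echo "patch applied to $2; now recompile, install and reboot"
fi
```

The dry run is the part worth keeping: `patch` without it writes the hunks it can apply and leaves `.rej` files for the rest, which is exactly the half-patched kernel tree you do not want to discover after a rebuild.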
> I’m pretty sure Windows Update would have plenty more updates if MS released
a) Patches right away for problems instead of waiting till the end of the month, bundling them all into one download and claiming they fix one problem on the Windows Update site.
Maybe, but did you count all the bugs fixed by just one Linux kernel patch released by Red Hat on December 20, 2004? I even gave the URL for that patch. Tell me it is not waiting and bundling.
Also, statements like “patches right away for problems” are not true, in general. Yes, some extremely critical bugs could be patched right away, but take a look at the time between when a bug was reported and when a patch was released for the distro, and you may find that “right away” does not apply.:)
Released, I mean: as in “available through up2date for Red Hat Linux server.”
Example, a bug randomly taken from December 20 Red Hat Linux kernel patch: “133183 – cpio with many files flips kswapd, system hangs.”
That bug was reported on September 22, patch available on December 20.
It shows both that patching is not happening right away and that patches are bundled in one download.
Comparison is good. Just use numbers and facts, not propaganda and FUD.:)
> b) Security fixes for Adobe Acrobat Reader, various text editors, Java, more than one mail server, IRC clients, various different image editing programs, updates for more than one GUI and basically supported most of the programs running on the OS instead of just the OS itself
Well, don’t release 3 CDs of bloat, then, and call it “a distro.” Should I patch Perl module bugs if I do not program in Perl? How about openssh? Will php bugs bite me or am I safe not applying the patch? The list goes on and on.
Of course, I knew that someone would bring the bloat excuse, that is why I asked: How many bugs were fixed by just one kernel patch released on December 20, 2004?
Can you give that number? That is for kernel, after all. No bloat excuse applies here.
Also, would you please count just kernel bugs fixed by all kernel patches released in December 2004? All kernel bugs fixed in 2004?
What does it say about “virtually bug free open source software?”
What does the total number of patches for all open source applications bundled with the distro tell us about the quality of open source code in general?
> Most distros don’t release a new kernel patch or kernel every 3 days. Just because Red Hat chooses to do so doesn’t mean Linux is unstable or insecure.
Just few lines ago you said that it is better (or more honest) practice to patch right away for problems instead of waiting till the end of the month, bundling them all into one download.
So, are these “most distros” doing Linux users a disservice by not releasing a kernel patch as soon as it is necessary, even if it is necessary every 3 days?
I am not saying that kernel patches are released every 3 days; I just point out that you blame Microsoft for waiting and bless “most Linux distros” for doing the same.
> Also, one thing you fail to point out, how do we know MS has found all the bugs in their software. Or, for that matter, patched or even mentioned the ones they do know about.
I guarantee you that MS software has bugs. Never said otherwise. I also guarantee that not all bugs known are or even will be fixed.
Same applies to Linux developers and OpenSource developers in general, we know for sure they have not found all the bugs in their software, and we can be pretty confident that not all bugs found are fixed yet.
That is what I am trying to do: put some sanity into those OpenSource advocates who run around in 2005 screaming that “open source does not have bugs, inherently more secure with servers running 2 years of uptime minimum”- like it is 1995. It is not.
We know better what the quality of open source software is. We know how long it takes to fix bugs and release patches for popular distros. We know how long it takes end users to apply these patches.
We have numbers, statistics, historical data.
It is time to use them and draw conclusions, instead of getting agitated every time someone points at these numbers.
As you can see, even with me providing URLs and simple questions where a numerical answer can be given, nobody bothered to check the numbers.
Boy, I may be wrong after all- too bad my opponents don’t even try to prove it. They just believe.
Why can’t you just shut up? Your bogus argumentation does not convince anyone anyway. Just admit that you are a troll and go away.
Example of bogus argument:
“Well, don’t release 3 CDs of bloat, then, and call it “a distro.” Should I patch Perl module bugs if I do not program in Perl? How about openssh? Will php bugs bite me or am I safe not applying the patch? The list goes on and on.”
Well, if you have no need for <insert various stuff> why did you bloody install it? Don’t do that -> Problem solved. I don’t use Internet Explorer, how do I choose not to install that? Sorry you can’t do that, so I guess I’ll have to go on with the patch-mania. (Actually I don’t.)
Note that I don’t say that Linux is the pinnacle of security or that there are no holes in the various distributions, but I find your argumentation dishonest, inflammatory and that you are making – quite feeble – attempts at presenting facts in a misleading way.
In short, you are not trying to do anything else than create a riot.
In Soviet Russia, kernels hack YOU!!!
It also uses high logging and grsecurity
The Mandrake kernel-secure source was patched up to Mandrake 10 with grsecurity. However, you still had to make a policy yourself, which is very straightforward by the way, when using the Learning mode. Today’s Mandrake 10.1 doesn’t have a grsecurity-patched kernel-secure; instead it’s been patched with RSBAC. Besides that, when you choose paranoid as the default security setting, the package libsafe is automatically installed. Indeed, when you set the overall system security to paranoid, msec applies very tight permissions. For a server this is just the beginning, but in the case of a home system with all services disabled this creates a tough Linux box. The French government is sponsoring Mandrake in order to get it EAL 5 certified eventually. Although most certifications are overhyped, I can hardly wait to get my hands on one of those new systems.
> Note that I don’t say that Linux is the pinnacle
> of security or that there are no holes in the various
> distributions, but I find your argumentation dishonest,
> inflammatory and that you are making – quite feeble –
> attempts at presenting facts in a misleading way.
Actually I’d say exactly that about you, while the Russian Guy presented his arguments in a very reasonable way.
As for your arguments:
> Well, if you have no need for <insert various stuff> why
> did you bloody install it? Don’t do that -> Problem
> solved.
Because Linux consists of many many many packages without a useful description of what’s inside. Practically you must install all kind of strange stuff you’ve never heard about because many applications will fail with cryptic error messages otherwise. This statement is based on my personal experience.
> I don’t use Internet Explorer, how do I choose not to
> install that? Sorry you can’t do that, so I guess I’ll
> have to go on with the patch-mania. (Actually I don’t.)
Yes it would be nice if you could leave IE away from your machine. But why don’t you simply *not run* IE? I run Win2k and browse the net with Firefox. No need to patch IE since I don’t use it. What’s the use of not installing it? A few megabytes of extra disk space?
IE is crap, but as long as it lies dead on your disk, simply leave it alone.
The difference with OSS is that security fixes are out once a security problem is known. In Windows you only get security fixes once a month. And you don’t know if all of them are fixed.
The redhat kernel patches you talk about aren’t security problems, they are bug fixes. Microsoft comes with bug fixes only with service packs. So your comparison is wrong in many ways.
Secunia is reporting on three vulnerabilities in IE6 running on XP SP2. Any of these, in combination with an inappropriate behaviour where the ActiveX Data Object (ADO) model can write arbitrary files, can be exploited to compromise a user’s system. Moreover, the vulnerability can be used to delete files from the user’s system.
Secunia says ‘Solution: Use another product.’
Why didn’t this news make it to the OSNews.com headlines? Or did I miss anything?
This discussion is so pathetic… *sigh*
Because Linux consists of many many many packages without a useful description of what’s inside. Practically you must install all kind of strange stuff you’ve never heard about because many applications will fail with cryptic error messages otherwise. This statement is based on my personal experience.
While this simply isn’t true most of the time, I must say that it’s perhaps evident in an occasional LFS version. But then again, if you were capable of making your own Linux From Scratch, chances are you are quite familiar with apt-get, dpkg, rpm handling etc. I can say as far as Debian, Gentoo, Mandrake and SuSE are concerned you couldn’t be more wrong. Every single package has its description, and given the fact that you could edit its source, as opposed to closed source packages where you have to reverse engineer in order to get some insight. *OSS*.
What’s the use of knowing what’s inside a package for the average user anyway? All that matters is a good package manager with not only a dependency checker built in, but one that comes with a reasonable repository as well. The end-user should be able to trust the developers of Linux distro X, if it’s worth its salt.
Last but not least, there are sites like rpmfind.net or http://packman.links2linux.de/ where relevant info about packages can be obtained. Google also has a reputation for being handy. Some info can’t be understood without the proper knowledge beforehand.
Practically you must install all kind of strange stuff you’ve never heard about because many applications will fail with cryptic error messages otherwise. This statement is based on my personal experience.
Use a modern distro. As Russian Guy said himself, it’s not 1995 anymore. If you use Mandrake, there is an easy package selection screen in the install. Only install what you need (hint: if you don’t select anything from the “Server” category, you’ll have a lot less security worries as very few services will be active). After that, run “MandrakeUpdate” once in a while to download bug and security fixes. Problem solved.
Note that Russian Guy was dishonest in his presentation, as he made no distinction between basic OS and extra software (if you were to make the same comparison to Windows, you’d have to include MS Office, Adobe Acrobat, IIS, and dozens of other software packages). Also, he picked one of the worst months. If he had picked July instead of December, the count would have been much different.
Finally, we can’t make a comparison, because we don’t know how many critical security bugs there have been in Windows’ kernel.
The point that many are trying to make is that this is a local exploit, which means it’s much harder to use than the various remote exploit that came out this year for Windows, from RPC worms to Internet Explorer I-can-take-control-of-your-PC-if-you-click-on-a-link bugs. And if it’s true that some of these bugs can be avoided by not using IE, it’s not true of all of Windows’ security vulnerabilities, such as the Windows Messenger vulnerabilities.
In any case, the prize for the most childish poster has already been won, by Wolf, and he’s a pro-Windows poster. If you guys had any interest in a rational, polite debate, you’d be the first ones to tell him to refrain from such puerile trolling.
The problem with having exploits like this […]
The problem is never an exploit! An exploit is merely a proof of concept. The problem is the fact that a theoretically exploitable vulnerability exists. Whether there’s an exploit in the wild or not doesn’t make it more severe in the sense of whether you have to upgrade or not.
You’re damn right on patching though. I want a pre-compiled image instead and in that regard this situation just sucks. 2 (non business) days later and still no new 2.6 kernel.
Oh, and trolls like Russian Guy are meant to be ignored… he quotes exactly what Microsoft uses in their FUD marketing. Coincidence? :^)
Windows might be more secure than any other OS, who knows. Do you? I certainly don’t.
Windows is more secure than most other OSes including Linux provided you buy the right add ons. If you use TCPA system you can prevent any software that doesn’t have the right crypto key to run.
This is an entirely new concept. The idea is that computers would be much more secure if their owners weren’t trusted to do what they want with them. If we don’t trust the owner, but only a few large software companies, to decide what, how, when and for how long something should be allowed to run, the risks of viruses, software and music and film piracy would be much less.
The only ones that could create content for your computer would be the ones with deep enough pockets to buy a crypto key for their content. This would exclude most small and medium sized companies, and most certainly virus writers.
The good thing, is that it not only prevents you from running viruses. It also prevents you from all other kinds of unlicensed contents such as pirated software, music and film, or from running software with expired licences.
The only problem is that it also makes it impossible to interoperate in a secure way with software created in house.
You would probably end up with two computers on your desk. One secure, and one where you run unsecure stuff like things you develop yourself.
Another problem is that it would still not fully protect you from buffer overflows, and some new problems would occur, such as it would be much more difficult and expensive to get data from damaged media. The cost of system administration and education would go up significantly.
Another risk is that as viruses will be almost dead in the water in these types of , we will stop protecting ourselves from that risk.
Now, what if somebody manages to get a certified virus? What would happen if the hardware that is supposed to check that crypto was tampered with? As of now the biggest PC manufacturer in the world is in China. Should we trust them with our security? Even if such computers probably wouldn’t be used in military defence systems, they are most likely to be used in your local bank and in other functions of society on which we rely in everyday life.
Personally I prefer the Linux SELinux available in the 2.6.x kernel and later, where you are in control of the security and you don’t have to trust Microsoft and others to get it. Its main purpose is not preventing the intruder from getting in at the door but rather limit what damage he can do once he gets in.
Windows is more secure than most other OSes including Linux provided you buy the right add ons. If you use TCPA system you can prevent any software that doesn’t have the right crypto key to run.
This is an entirely new concept.
No, DRM is *NOT* a new concept. Don’t give them that credit. The *NEW* aspect of TCPA (hardware DRM) is afaik: 1) the hardware implementation of it 2) the scale in which they want it to be implemented (for the masses) 3) not entirely unique, but it seems to count for the whole OS which is not very common (but see hereunder for an example).
There are many software implementations which either partly or fully do the same, but on software layer. For example, Fairplay and WMV DRM. Those are still vulnerable though. A more system-wide example is NetBSD which has ‘Verified eXec’ (VX) since 2.0 although this existed earlier as well in the form of a patch.
IOW it’s a known concept driven by a bunch of 500 pound gorillas, applied not to software but to hardware, with the target of en-masse implementation. No matter what whoever says, their target is simple: control.
seLinux is a complete system, it is patches to kernel and userland. Distributions like Fedora Core 3 had seLinux patches enabled in the kernel by default and they were utilized to protect daemons specifically, though it was not a system wide policy.
Also, OpenBSD doesn’t even have half the popularity of GNU/Linux, so I would suspect Linux would have more discovered bugs than OpenBSD.
[tobaccofarm]
> Every single package has its description,and given the
> fact that you could edit it’s source as opposed to to
> the closed source packages where you have to reverse
> engineer in order to get some insight.*OSS*.
and
[A nun, he moos]
> Use a modern distro.
I agree totally (I should have said that I had LFS in mind). But with package managers only the managing gets easier. The original problem does not disappear. As “anonymous” wrote:
> Well, if you have no need for <insert various stuff> why
> did you bloody install it? Don’t do that -> Problem
> solved.
Answer: I never wanted to install it, nor did I need it. But some damn application I installed needed it. The “solution” not to install something is hardly a solution in a modular system like Linux. Dependencies often dictate that you install it anyway. Package managers just make it easier.
And AFAIK, dependencies are one of the original reasons why IE could not be uninstalled, since IE is not only a program but also a component that can be used by other applications.
After all, Windows and Linux don’t seem too different in that point.
After all, Windows and Linux don’t seem too different in that point.
True. In fact, most modern OSes share this particularity. Some will say that Macs didn’t, since you can install an application simply by dragging its folder into the applications folder. However, that simply means that all the extra dependencies are bundled with the software, which doesn’t help at all if a vulnerability is discovered in one of these (instead of updating a single lib, for example, you’d have to update every program which comes with a bundled version of it). Both methods have their advantages and inconveniences, it seems.
As I stated above, it’s up to the distros to furnish tools that can easily update software for which vulnerabilities have been found. I can’t speak for other brands of Linux, since I only use Mandrake, but MandrakeUpdate fits the bill pretty well. For remote exploits, it’s also a good idea to subscribe to security sites such as SecuritySpace to get security alerts through e-mail. They cover Windows, Linux and (I assume) the *BSDs, and you can check if your system is vulnerable before trying to secure it.
http://www.securityspace.com (free registration)
“Answer: I never wanted to install it, nor did I need it. But some damn application I installed needed it. The “solution” not to install something is hardly a solution in a modular system like Linux. Dependencies often dictate that you install it anyway.”
They don’t dictate anything. They advise you to install stuff, and if you don’t, you will lose some or all (it doesn’t work at all) functionality in the applications that “depend” on it. Besides, if you installed some application that wanted it as a dependency and you needed the functionality that said dependency brought, then you by definition needed it. Just because you don’t directly interact with it doesn’t mean you don’t need it, as I found out many years ago as a noob when I removed glibc from my slackbox.
“And AFAIK, dependencies are one of the original reasons why IE could not be uninstalled, since IE is not only a program but also a component that can be used by other applications.
After all, Windows and Linux don’t seem too different in that point.”
No, it’s one of the reasons given by microsoft. There is also *no* official way to get rid of it, whereas I can use any package management tool to get rid of any application (at my own peril for sure) in any linux distribution.
Dependencies often dictate that you install it anyway. Package managers just make it easier.
—-
No. That’s exactly the opposite of what they are designed for. Package managers are meant to support installing packages in a modular and granular way. You should be able to install just the pieces you want. If a particular package does not allow that within reasonable limitations, it’s a bug.
let me know the specifics and I will try and tell you why and how
[anonymous]
> [dependencies] don’t dictate anything. They advice you
> to install stuff, and if you don’t, you will lose some or
> all (it doesn’t work at all) functionality in the
> applications that “depend” on it.
That’s like saying, “the robber didn’t force you to give out your money. He just advised you nicely that he would kill you otherwise.”
When I need package A because of its functionality, and the developers of A based it on B and C, I can choose to either kick A out of my box, or get all the security holes of B and C.
It doesn’t matter a bit if the real-world name of A is “perl” or “internet explorer”.
[anonymous]
> No. thats exactly the opposite of what they are designed
> for. package managers are meant to support installing
> packages in a modular and granular. you should be able to
> install just the pieces you want.
> let me know the specifics and I will try and tell you why
> and how
Okay, an example: I wanted to install and run the GIMP (you probably know it all). Nothing else. The only way I got it running was to install GTK+ too. I’d be *very* interested in how I could avoid that, for example when GTK+ is found to have security issues.
“Okay, an example: I wanted to install and run the GIMP (you probably know it all). Nothing else. The only way I got it running was to install GTK+ too. I’d be *very* interested in how I could avoid that, for example when GTK+ is found to have security issues.”
Amusing. GTK stands for GIMP toolkit. How would you install GIMP without installing GTK? Obviously not possible. Do point out what security issues in GTK you are pointing towards?
If GTK does have a security issue and an update for it is released, just for the sake of this discussion, then GIMP doesn’t need to be updated, since its dependency is based on the interface number, which would be retained at 2.x. Since GTK is API and ABI compatible through the full 2.x series, only an update for GTK is necessary, unless your distro provider statically linked to GTK (very unlikely).
The idea is well documented in
http://autopackage.org/overview.html
Go read the different version numbers and the concepts behind them. If a different library requires a security fix which simultaneously breaks ABI compatibility (shouldn’t happen, but still), you can do parallel installations as specified here
http://ometer.com/parallel.html and here
http://developer.kde.org/documentation/library/kdeqt/kde3arch/devel…
Package managers do not in any way force you to install unnecessary packages. If a dependency does exist, it attempts to resolve it using a centralised repository.
Every operating system needs these concepts. In Linux it’s more important due to the extreme amount of modularity it favours over other proprietary systems, but the basic ideas and concepts are well known. You need to educate yourself on this stuff if you want to comment about this in an intelligent way.
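The post above makes two claims that are easier to see in code than in prose: a dependency resolver only pulls in what the package you asked for actually links against, and a security fix in a shared library normally replaces just that library (its dependents keep working through the unchanged soname), unless something was statically linked or the ABI changed. The following is an added example written for this page, not code from any package manager or from the poster; the repository, package names, dependencies and linkage kinds are a constructed toy model, not real distro metadata.

```python
"""Added example: install closure, reverse dependencies and the impact of a
library security update over a constructed package repository."""
from collections import deque

# Constructed sample repository (toy data, not real distro metadata).
# Each package maps to {dependency: linkage}. "dynamic" means the dependent
# resolves the library through its soname at run time; "static" means the
# library's code was compiled into the dependent's own binary.
REPO = {
    "gimp":    {"gtk2": "dynamic", "glib2": "dynamic", "libpng": "dynamic"},
    "gaim":    {"gtk2": "dynamic", "glib2": "dynamic"},
    "gtk2":    {"glib2": "dynamic", "libpng": "dynamic"},
    "glib2":   {},
    "libpng":  {"zlib": "dynamic"},
    "zlib":    {},
    "pngtool": {"libpng": "static"},   # hypothetical statically linked tool
    "perl":    {},
}


def install_closure(pkg, repo=REPO):
    """Every package that must be present for `pkg` to run (pkg included).

    Breadth-first walk over the dependency edges; the `seen` set makes it
    safe on cyclic dependency graphs.
    """
    if pkg not in repo:
        raise KeyError(f"unknown package: {pkg}")
    seen, queue = set(), deque([pkg])
    while queue:
        cur = queue.popleft()
        if cur in seen:
            continue
        seen.add(cur)
        queue.extend(repo[cur])          # iterating a dict yields its keys
    return seen


def reverse_deps(lib, repo=REPO):
    """Packages that depend on `lib`, directly or through another package."""
    result = set()
    queue = deque(p for p, deps in repo.items() if lib in deps)
    while queue:
        cur = queue.popleft()
        if cur in result:
            continue
        result.add(cur)
        queue.extend(p for p, deps in repo.items() if cur in deps)
    return result


def update_plan(lib, abi_break, repo=REPO):
    """What a security fix in `lib` means for the rest of the system.

    abi_break=False: the fix keeps the soname, so only `lib` is replaced.
    Dynamically linked users pick up the fix once restarted; statically
    linked users still carry the old code and must be rebuilt.
    abi_break=True: the soname changes, so every direct dynamic user must be
    rebuilt against the new interface (or the old soname kept installed in
    parallel). Indirect users only need a restart either way.
    """
    plan = {"replace": {lib}, "restart": set(), "rebuild": set()}
    for pkg, deps in repo.items():
        if lib not in deps:
            continue
        if deps[lib] == "static" or abi_break:
            plan["rebuild"].add(pkg)
        else:
            plan["restart"].add(pkg)
    # Everything further up the chain has the changed library mapped in
    # through an intermediate package and needs a restart, not a rebuild.
    plan["restart"] |= reverse_deps(lib, repo) - plan["rebuild"]
    return plan


if __name__ == "__main__":
    print("installing gimp pulls in:", sorted(install_closure("gimp")))
    print("depends on gtk2:", sorted(reverse_deps("gtk2")))
    for abi_break in (False, True):
        plan = update_plan("libpng", abi_break)
        print(f"libpng fix, abi_break={abi_break}:",
              {k: sorted(v) for k, v in plan.items()})
```

Installing "perl" in this model pulls in nothing else, while "gimp" pulls in gtk2, glib2, libpng and zlib, which is the resolver behaving as described. The update plan is the part worth keeping in mind after a library advisory: with the soname unchanged, only the library is replaced and the dynamically linked users just need restarting, but the statically linked "pngtool" still ships the vulnerable code and has to be rebuilt, which is exactly why static linking is the caveat the post ends with.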
People are always criticising Linux, but most of the new security memoranda from MS are based on Linux examples.
For example:
Adopting Users, and not Admin accounts.
Linux is not perfect, but at least you have the choice to view all code.
Linux is not only for experts anymore. I never was an expert, and I have used Linux for a long time; believe me or not, Linux is easier than Windows.
For fresh Linux users there are a lot of distributions that are easy and user-friendly: Fedora, Mandrake, SuSE and Ubuntu.
I like Linux; because I like it very much. I don’t know why, but I simply like it.
These days I use Gentoo, but in the past I started with Red Hat, then Mandrake, then Slackware and now Gentoo. Next week I will install and test *BSD, and when I have time Solaris 10 (if released).
There is no perfect machine, so there will always be bugs.
Users that want a more stable and secure environment have:
SELinux and Hardened Sources.
seLinux is a complete system, it is patches to kernel and userland. Distributions like Fedora Core 3 had seLinux patches enabled in the kernel by default and they were utilized to protect daemons specifically, though it was not a system wide policy.
SELinux is part of the standard 2.6.x kernel, no extra patches to the kernel should be needed. However, depending on what distro you choose, the userland tools may or may not be installed. If you have a kernel prior to 2.6, patches are still needed.
As for the Fedora Core 3 default security policy, it is targeted at servers. So to get a secure system you should try their strict policy. Start out in non-enforcing mode and check the logs to see what changes you need to make to run whatever services you need, and then change the policy accordingly. When you are satisfied, turn on enforcing mode.
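The "check the logs, then change the policy" step above is where most of the work is, so here is what that log review looks like in practice. This is an added example written for this page, not code from the poster, from Fedora or from the SELinux tools; it parses the `avc: denied { perms } for ... scontext=... tcontext=... tclass=...` message format the kernel emits, aggregates denials per (source type, target type, object class), and renders candidate allow rules the way audit2allow does. The log entries are constructed for the example, not real audit data, and the types in them (httpd_t, var_log_t, shadow_t) are used only as illustration.

```python
"""Added example: summarising SELinux AVC denials from a permissive-mode
log and rendering them as candidate policy allow rules."""
import re
from collections import defaultdict

# Constructed sample entries in the kernel AVC message format (not real
# log data). The last line is deliberately not an AVC message.
SAMPLE_LOG = """\
audit(1104873600.123:45): avc:  denied  { read } for  pid=2134 exe=/usr/sbin/httpd name=access_log dev=hda3 ino=12345 scontext=system_u:system_r:httpd_t tcontext=system_u:object_r:var_log_t tclass=file
audit(1104873601.001:46): avc:  denied  { write append } for  pid=2134 exe=/usr/sbin/httpd name=access_log dev=hda3 ino=12345 scontext=system_u:system_r:httpd_t tcontext=system_u:object_r:var_log_t tclass=file
audit(1104873602.500:47): avc:  denied  { read } for  pid=2200 exe=/usr/sbin/httpd name=shadow dev=hda3 ino=999 scontext=system_u:system_r:httpd_t tcontext=system_u:object_r:shadow_t tclass=file
audit(1104873603.700:48): avc:  granted  { setenforce } for  pid=1 exe=/sbin/init scontext=system_u:system_r:init_t tcontext=system_u:object_r:security_t tclass=security
Jan  4 12:00:04 host kernel: something unrelated
"""

# verdict, the brace-delimited permission list, and the key=value tail
AVC_RE = re.compile(r"avc:\s+(denied|granted)\s+\{\s*([^}]*?)\s*\}\s+for\s+(.*)$")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return a dict for one AVC message, or None for non-AVC/malformed lines."""
    m = AVC_RE.search(line)
    if not m:
        return None
    verdict, perms, rest = m.groups()
    fields = {k: v.strip('"') for k, v in KV_RE.findall(rest)}
    try:
        rec = {
            "verdict": verdict,
            "perms": frozenset(perms.split()),
            # a context is user:role:type[:level]; the type is what policy keys on
            "source": fields["scontext"].split(":")[2],
            "target": fields["tcontext"].split(":")[2],
            "tclass": fields["tclass"],
        }
    except (KeyError, IndexError):
        return None  # truncated message: no usable contexts
    rec["fields"] = fields
    return rec


def summarize_denials(log_text):
    """Group denied permissions by (source type, target type, object class)."""
    summary = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec and rec["verdict"] == "denied":
            summary[(rec["source"], rec["target"], rec["tclass"])] |= rec["perms"]
    return dict(summary)


def allow_rules(summary):
    """Render the summary as candidate allow rules, one per (src, tgt, class)."""
    rules = []
    for (src, tgt, cls), perms in sorted(summary.items()):
        rules.append(f"allow {src} {tgt}:{cls} {{ {' '.join(sorted(perms))} }};")
    return rules


if __name__ == "__main__":
    for rule in allow_rules(summarize_denials(SAMPLE_LOG)):
        print(rule)
```

Run against the sample, the summary collapses three httpd_t denials into two rules. The first (httpd_t writing its own log under var_log_t) is the kind of gap you fix in policy before switching to enforcing mode. The second (httpd_t reading a shadow_t file) is the reason the output is labelled "candidate": a denial in permissive mode can just as well be a mislabelled file, or the policy doing its job against something you do not want, so each rule is a decision to make, not a line to paste.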
Ubuntu just released their fix for the problem the article is discussing and a couple of other bugs (I don’t think they were security related, but not entirely sure). They released it about 12 hours ago (lol, “just released” probably wasn’t the best choice of words).
I just posted about Ubuntu, but I am posting again just to say I am impressed. The news of this exploit hit the news sites within the last 2 days and Ubuntu (and Gentoo and a couple of others I have heard) has already patched it. Talk about a quick response! I could be wrong, but I can’t remember MS patching crap that fast. Although Red Hat and other commercial distros are lagging behind, they tend to test the patches with more scrutiny than community distros, most likely.
Oh, and Russian Guy, 2 things.
1) No one said OSS was bug free. Most people say that OSS has bugs, but they are found and fixed quicker than with Proprietary software. Taking the words of some F/OSS zealot troll and applying them to the whole community isn’t very intelligent.
2) You say Red Hat holds off their updates for however long before applying them. So…what about SUSE, Ubuntu, Gentoo, Mandrake, etc? Taking the actions of Red Hat (which is a commercial software company despite the fact that 99.99999% of the software they write is OS I might add) and applying them to the whole community is stupid.
> amusing. gtk stands for gimp toolkit. how would install
> gimp without installing gtk?. obviously not possible.
That’s why I chose that example. See, dependencies do dictate, not advise, what I install.
> do point out what security issues in gtk are you
> pointing towards?
Those yet to be found, and then patched. Remember, the discussion was about additional patching of all dependencies of the program I actually wanted to use (GIMP in this case).
> if gtk does have a security issue and an update for it is
> released just for the sake of this dicussion, then gimp
> doesnt need to be updated since […]
Yes, but gtk needs to be updated. I have to update gtk, although I never wanted to use it. I only wanted to use GIMP. But since gtk is a dependency, I have to care about it too.
Windows equivalent: Since IE is (or better, *was* at that time) a dependency of many applications, you had to care about it too, although you didn’t want to use it.
“That’s why I chose that example. See, dependencies do dictate, not advise, what I install.”
“Those yet to be found, and then patched. Remember, the discussion was about additional patching of all dependencies of the program I actually wanted to use (GIMP in this case).”
I don’t understand your stupid point about security here.
“Yes, but gtk needs to be updated. I have to update gtk, although I never wanted to use it. I only wanted to use GIMP. But since gtk is a dependency, I have to care about it too.”
You don’t have to care at all. You just install GIMP and auto-resolvers update GTK, which has nothing to do with GTK security issues or something.
—
Point is, you aren’t forced to install stuff you don’t need. Got that?
“Windows equivalent: Since IE is (or better, *was* at that time) a dependency of many applications, you had to care about it too, although you didn’t want to use it.”
Crap. IE being integrated forcibly has nothing to do with technical superiority. I could choose not to install any app on Linux; not so in Windows.
You keep saying that it installs things you don’t need as dependencies. Well, if you don’t need them, then they wouldn’t be installed. If you do need them then they will be installed. Your example with the GIMP (how you use the GIMP but never use GTK) is moot because in fact you do use GTK when you use the GIMP. You use it to draw the windows. Just because it isn’t something you interact with directly doesn’t mean you don’t use it.
I’ll leave it up to others to discuss the relative security and maintenance needs of such dependencies, I don’t have time, but remember that just because you don’t interact with them directly doesn’t mean you aren’t using them.
> You keep saying that it installs things you don’t need
> as dependancies
No I don’t.
> I’ll leave it up to others to discuss the relative security
> and maintenance needs of such dependancies, I don’t have
> time, but remember that just because you don’t interact
> with them directly doesn’t mean you aren’t using them.
… which is exactly what I wanted to say, because the same applies to IE.
Then disable most services.
Don’t complain that since a vendor supports ten thousand packages, there will be more vulnerabilities. Let me know when Microsoft supports that much.
XP isn’t secure, and it is still featureless.
“That’s why I chose that example. See, dependencies do dictate, not advise, what I install.”
Acting the fool, or what?
Look, dependencies come in three variants: optional, buildtime and required. Since you obviously know nothing about packaging, we can leave buildtime dependencies out.
The optionals are just that; they usually have no effect beyond adding some nifty functionality to the application, which will still work if you ignore them. However, if you ignore the required dependencies you are on your own – just as I originally stated. I said you can ignore the dependencies if you are prepared to take the consequences. Do go back and *read* what I wrote.
These dependencies are set by the *programmer* who wrote the program and has *nothing* to do with the packager or the packagemanagement tools per se – which happens to be what was discussed. The package-management just tells you about it.
In this case I can’t decide whether you are ignorant, confused or trolling.
“Those yet to be found, and then patched. Remember, the discussion was about additional patching of all dependencies of the program I actually wanted to use (GIMP in this case).”
Well, if they exist, by all means patch them. This was also *not* what was originally discussed. The point was “don’t install stuff you don’t need”, not “uninstall everything that needs patching”. And furthermore, just because some vendors, like SuSE, send along enough material to fill an entire DVD doesn’t mean that you *have* to install it all. In fact it would be bloody stupid to do that. Install what you *need* and patch that as needed. I bet that will result in a great deal less patching than a comparative Windows system, as there you cannot choose not to install “vital” things like the media player, Movie Maker, Outlook Express and Internet Explorer, whether you use them or not. Equivalents of all these components can be installed on an OSS system, but doing so multiple times makes no sense unless you are out to get a hit on as many patches as possible.
“Yes, but gtk needs to be updated. I have to update gtk, although I never wanted to use it. I only wanted to use GIMP. But since gtk is a dependency, I have to care about it too.”
Utter nonsense. GTK is a PART of the GIMP. It’s just dynamically linked so other programs that use it can link to the same library instead of installing their own copies of the same stuff. Had they linked the binary statically against GTK you would never have heard of it.
“Windows equivalent: Since IE is (or better, *was* at that time) a dependency of many applications, you had to care about it too, although you didn’t want to use it.”
Not the same at all. Internet explorer is an application. GTK is a toolkit used for the gui of a lot of applications – which usually can easily be replaced with equivalent applications.
This level of evading the main point is too much for me. Thanks for assuring my impression of “Linux fanboys”.
This level of evading the main point is too much for me. Thanks for assuring my impression of “Linux fanboys”.
This isn’t trying to straighten what is bent. Most are facts which can be easily verified. Windows also has dependencies, mostly taken care of by the developer. The drawback, however, is that you will never know until you install and run some third-party apps and do some specific investigation in order to get a clue about what’s actually running and the apps’ dependencies. A modern OS shouldn’t need you to govern all dependencies and related apps with bugs/flaws/vulnerabilities. That ought to be taken care of by the package manager and maintainers. Acting properly according to the situation at hand would be declaring the package as broken until one or more flaws/bugs/vulnerabilities are fixed/solved. If the end-user stubbornly decides to install the app by other means, it’s not the responsibility of anyone other than this mentioned end-user. More than once it’s been stated that security is proportional to decreasing usability. While it’s evident that, given the fact that most advanced security techniques still require a lot of knowledge to be present beforehand, the distro gets a too small target group to be able to cover the expenses, which is inevitable with every serious (distro/OS) development project in order to maintain a respectable continuity.
“This level of evading the main point is too much for me. Thanks for assuring my impression of “Linux fanboys”.
Thank you for confirming my suspicion and making yourself obvious to any other readers. Hope you enjoy life under the bride.
s/bride/bridge/
“> You keep saying that it installs things you don’t need
> as dependancies
No I don’t. ”
Yet, you said:
“I never wanted to install it, nor did I need it.”
By saying that you are saying it installed something you don’t need, as a dependency. See? Before you say you didn’t say something, read back through your posts and make sure you actually didn’t say it.
[anonymous]
> “Windows equivalent: Since IE is (or better, *was* at that
> time) a dependency of many applications, you had to care
> about it too, although you didn’t want to use it.”
>
> Not the same at all. Internet explorer is an application.
> GTK is a toolkit used for the gui of a lot of applications
> – which usually can easily be replaced with equivalent
> applications.
No, internet explorer is also a component used in many applications, or better, WAS at the time when IE was so hard-bolted into the OS. You could spot such things in applications which set some paths incorrectly and showed the IE “page not found” text in a window not at all looking like the IE application.
I agree with the rest of what you wrote, so no need to discuss about it.
[Peter Harmsen]
> > This level of evading the main point is too much for me. > > Thanks for assuring my impression of “Linux fanboys”.
> This isn’t trying to straighten what is bend.
Yup, in that sense, sorry for it.
[Preston St. Pierre]
> > You keep saying that it installs things you don’t need
> > as dependancies
>
> No I don’t. ”
>
> Yet, you said:
> “I never wanted to install it, nor did I need it.”
I admit that I messed this a bit up. I meant “I had to install it as a dependency, and needed it as a dependency, but did not need it otherwise than as a dependency”.
Not the same at all. Internet explorer is an application. GTK is a toolkit used for the gui of a lot of applications – which usually can easily be replaced with equivalent applications.
No, Internet Explorer is a component that is reused extensively both within the OS itself (eg: the shell, the help system) and by third party applications.
Architecturally, IE is basically the same as khtml.
Windows also has dependencies, mostly taken care of by the developer. The drawback, however, is that you will never know until you install and run some third-party apps and do some specific investigation in order to get a clue about what’s actually running and the apps’ dependencies. A modern OS shouldn’t need you to govern all dependencies and related apps with bugs/flaws/vulnerabilities. That ought to be taken care of by the package manager and maintainers.
The difference is dependency problems on Windows are extremely rare, whereas dependency problems in Linux distros are quite common – particularly if you want to move outside any of the “officially sanctioned” applications or tools.
This happens because the components, libraries and features Windows developers use are well known and almost all included as part of the OS. Those that aren’t are *trivial* to install and nearly always provided with the application that requires them.
That doesn’t happen on Linux because each and every distro has a different idea of what should be standard, where it should go and who should use it. More importantly, it’s difficult for application developers to include simple ways (either automated or with instructions) for end users to update and/or install any missing components, due to the practically guaranteed disaster of cascading dependencies.
Linux needs package management because it’s such a fragmented, immature, unstable and inconsistent platform whose developers rarely pay more than lip service towards compatibility. Package management is _not_ a strength of Linux, its the symptom of deeper, more significant problems. A modern OS simply shouldn’t need package management _at all_.
This is, to a degree, a result of the unix mentality of a system comprising a patchwork quilt of a million and one independently developed and maintained tools. That’s tolerable when you’re dealing with a bunch of text streams and users who are programmers, or the platform is largely single-source (eg: BSDs, Solaris). It doesn’t cut it when you’re trying to present a coherent, consistent interface to ignorant end users.
OS X does it right. Windows somewhat less so due to its reliance on [un]installers. Most Linux distros are a freakin’ disaster. The BSDs fluctuate between somewhat better than Linux (ports does a good job of picking up initial dependencies) to much worse (upgrading – even with portupgrade – and deleting ports is a process where it is easy to inadvertently hose a lot of stuff).
This level of evading the main point is too much for me. Thanks for assuring my impression of “Linux fanboys”.
Hey, don’t put us all in the same basket, please! I think what happened is that you failed to present your case clearly in the first place, and the misunderstanding that followed prevented others from seeing that you were basically saying the same thing as them.
This has nothing to do with whether one is a Linux enthusiast or not. Using words like “fanboys” will only make matters worse.
I understand what you’re saying: it is not clear what all packages are for, and someone who doesn’t know that gtk is required by Gimp (as well as a host of other programs) might not understand what it’s for, and therefore feel that it’s useless bloat (when it isn’t). The fact is that a Linux system is much more modular than a Windows one (which I think you understand), which can seem unsettling for newbies at first.
However, the point is that it is not required to know what all packages are for (hey, I still don’t know what libgdk-pixbuf2 is for) in order to keep a system secure and up-to-date. What you need to know is a) what services you’re running; b) that you should be behind a firewall and c) that you should run the nice security auto-update tool that comes with your distro.
Using LFS is a bad example, because if you choose to build your own Linux system, it’s a given that you’ll know what goes in.
“The difference is dependency problems on Windows are extremely rare, whereas dependency problems in Linux distros are quite common”
No, they are not. I haven’t had a dependency problem in months.
“– particularly if you want to move outside any of the “officially sanctioned” applications or tools.”
Mandrake and Debian have thousands of applications in their databases, more than enough for 99% of users. It seems that, by presenting them as “officially sanctioned” applications, you’re somehow implying that the choice is limited, while in fact it’s the opposite: the amount of software available from software repositories is staggering, intimidating almost. The reality is quite different from what you insinuate.
Meanwhile, other commercial applications (e.g. Codeweavers, games, etc.) come with their own installers. The vast majority of Linux users using modern distros never come across dependency problems. The only ones who will are those who install obscure apps that are often no longer maintained, or those who like to fsck up their systems just to be able to fix it afterwards. These people expect dependency problems, just like people who run Win98 should expect problems if they’re installing a Win2K-only app.
Dependencies on Linux are no longer a real problem.
“A modern OS simply shouldn’t need package management _at all_.”
I am actually very curious: What makes you say this? I don’t see how package management can be avoided. Even the InstallShield installers on Windows are a form of package management. How, if not packages, are we to install software?
I still don’t get your arguments against libraries such as GTK. Applications use them, so you need them. It’s just like you need Windows libraries (or functional replacements) to run Win32 programs. GNU/Linux doesn’t have only one basic library. It has many. Surely you are not suggesting, then, that we eliminate glibc? Sure, there have been a few security flaws in them which you are so apt to complain about, and it is something you need only as a dependency. You never use it yourself. Yet it is entirely needed for the system to run.
What are you trying to accomplish? Are you trying to tell us that all applications should write things from the ground up and not make use of any libraries? I really don’t get what you are saying. How far do you draw the line? You say GTK is bad, so what is good? People just programming in X? That’s ridiculous, it takes far too much work when GTK handles it nicely with much less work. Also, X is still a dependency.
Your argument of “I don’t use it directly and therefore I don’t need it” is still flawed, no matter what light you try to shine on it. Libraries are, by nature, something that you don’t interact with directly – the program you are using interacts with them. So should we eliminate all libraries?
I’m sure you have some sort of point, but you’ve yet to explain what it is regarding this. We need libraries. They make programming easier. If you want to write an application without using any libraries, be prepared to do a LOT of coding. You’re free to do it, of course, but no one (with the possible exception of OS designers) builds things without using libraries. They are a fact of life.
You seem like an intelligent person (aside from a few immature comments) but I still can’t understand where you get off thinking that libraries are unnecessary just because you don’t interact with them directly. If you have a solution then do tell. On that note, “Everyone use one standard set of libraries” is not an option – not unless this standard set of libraries does *everything* all the other libraries do. I doubt you could ever design a standard set of libraries like that, though.
“The fact is that a Linux system is much more modular than a Windows one (which I think you understand), which can seem unsettling for newbies at first.”
I think what you mean here is that Linux has a greater availability of alternative modules.
“No, they are not. I haven’t had a dependency problem in months.”
Months, you say? I haven’t had a dependency problem in Windows for four or five *years*. Even then, all I have is vague recollections of having to install some particular update first, which was included with the application that required it.
Now, if I wanted to think about a dependency problem that actually required a bit of research and stuffing around to fix, well, I’d probably have to go back around the ten year mark.
“Mandrake and Debian have thousands of applications in their databases, more than enough for 99% of users.”
Quantity != quality, as the Mac advocates were so fond of saying.
The important issue is not whether there are thousands of applications available, the important issue is whether or not the application – along with the obligatory half dozen plugins (and their dependencies) – the end user wants (because that’s the one all the k3wl d00ds on #linux told him to use) is available.
Then comes the issue of whether or not it’s the latest version. Which is inevitably what you need to do what you want to do.
Not to mention the complete and utter chaos you can inadvertently cause by installing stuff outside the control of the package manager.
“It seems that, by presenting them as “officially sanctioned” applications, you’re somehow implying that the choice is limited, while in fact it’s the opposite: the amount of software available from software repositories is staggering, intimidating almost. The reality is quite different from what you insinuate.”
In fact, all I’m trying to “insinuate” is that if the program you want – and often the *exact version* you want – is *not* in one of the distro’s repositories, chances are very high that acquiring a working copy of the program is going to be a long, painful and frustrating process.
“The vast majority of Linux users using modern distros never come across dependency problems.”
The vast majority of Linux users at this point in time probably don’t consider having to trundle off to a half dozen different websites to cobble together a bunch of RPMs a “dependency problem”, either. IME they only consider it a “problem” when it involves building things from source or upgrading/replacing some ostensibly irrelevant package.
“Dependencies on Linux are no longer a real problem.”
So why is a package manager a requirement for getting anything even approaching a usable system?