Bringing you the latest news from the Linux World.
Dedicated to keeping Linux users up-to-date, with concise news for all interests
Linux distributors are branching out in their attempts to find ways to make money with free software. Here's a couple of interesting announcements from the last week:
The common thread here shows where the money may really be in the Linux distribution business: providing integrated solutions that "just work." Linux enthusiasts are happy to pull together software from several sources and make the combination work well. People who are experimenting with deploying Linux in their companies often prefer not to have to do that; if they can get a single CD set (or 3490 tape) with everything they need, their lives are easier, and they feel more confident in proceeding.
So it would not be all that surprising to see the number of distributions actually increase in the future, even if the number of distributors drops. And the real winner may be the company that can crank out special-purpose, customized distributions in a way similar to how Dell cranks out computers. Customers who get exactly what they need tend to come back for more.
On the costs of full disclosure. A message on the Bugtraq list asked "can we afford full disclosure of security holes?" The motivation for the posting was, of course, the Code Red worm, which, according to some of the more breathless accounts, has cost billions of dollars worldwide. Implicit in the posting is a claim that Code Red would not have happened in the absence of the advisory and exploit posted by eEye.
eEye, of course, denies (convincingly) that its advisory enabled the Code Red worm in any way. But what if it had? Is full disclosure of security vulnerabilities an irresponsible act?
In the proprietary software world, it is tempting to say that only vendors should be given details of vulnerabilities. They can then fix the problem and get patches into the hands of their customers without making exploit information available to the bad guys. This view misses some important points, however. One is that malware authors will figure out the problems anyway; a clever cracker with debugging tools will be able to determine just what problems a binary vendor patch fixes, even if the license agreement says they can't do that. Vendors also tend to be slow about fixing problems until there is a real need. And independent vendors of security products and services have a legitimate interest in the details of security problems.
But the real point is that those who use buggy software - and that is all of us - have a right to know about the problems in the programs we run on our systems and depend on. Proprietary software vendors, of course, like to withhold such information; that has a lot to do with why many of us use free software instead.
In the free software community, there really are no alternatives to full disclosure. Once the source for a patch has been released, all the details are easily available anyway. And the free software community only benefits from its preference for not hiding problems in general.
So free software users need not be involved in this debate. But the truth of the matter is that the situation is not all that different for proprietary software. The information will get out - crackers have a sort of full disclosure policy of their own. Anything other than full disclosure on the "white hat" side serves only to put people with vulnerable systems (i.e. all of us) at a disadvantage.
LWN Coverage of the O'Reilly Open Source Convention. Better late than never... Dennis Tenney reports on the 2001 O'Reilly Open Source Convention in San Diego, CA. The report covers the conference happenings, and includes interviews with Bruce Momjian, Bruce Perens, Guido van Rossum, and Jim Fulton.
A note to our readers. A few of our readers with eagle eyes will have noticed that Managing Editor Liz Coolbaugh's name has been missing from the section by-lines for a couple of weeks. Here's the scoop: Liz has been ordered by her doctors to take a medical leave of absence and will therefore not be contributing directly to the journalistic side of LWN.net for a period of time. Liz, get some rest, we're looking forward to having you back.
Those who are interested should see the message to our readers from Liz.
Meanwhile, the rest of us are clearly going to have to scramble to fill the gap left by Liz's absence. This scrambling will likely include cutting back on LWN's content for a while; we're still working on what the exact changes will be, but they will be intended to keep LWN on a sustainable basis while not sacrificing that which makes us truly valuable to our readers. Stay tuned.
August 16, 2001