Applying the same standard you seem to be expecting from Microsoft, every newly discovered Linux vulnerability is stuff that Linux programmers should have been checking for in their code.
By your account, if a Windows user disables updates and their machine gets compromised because it wasn't patched, then Microsoft is responsible for shipping an insecure OS in the first place.
By the same token, if a Linux sysadmin running a free Linux distro doesn't keep his systems patched and they get compromised, who are you going to hold responsible for shipping an insecure OS, and how do you intend to collect damages?
That is correct. IMO, all programmers should be introduced, during their training, to the fact that all software has the potential for having flaws, that nothing is created that cannot be improved, and that part of their responsibility is to use good tools to make their software as robust as it can be, from their editor to their compiler to their validator, and that the QA department will be trying as hard as they can to break it. Any software company larger than two guys in a garage needs to establish a wall between development and QA, and establish a culture of "cooperating adversaries" who push each other to do the best they can. And all software companies should have a policy that includes mandatory use of software checkers appropriate to their product, which ferret out vulnerabilities and other mistakes.
Unfortunately, doing all that is a dilemma, since I hate business regulations and rules. Ideally, companies that produce crappy unsafe software would be pushed out of the market by loss of business. But that won't do the trick any more than companies that produce crappy unsafe automobiles would be pushed out of the market -- there's always a market for crap. So just like there are rules about car inspections if you want to drive on the public highway, I think there ought to be a rule about publishing a certification of compliance for software products used on the public internet. You'd have to state in unequivocal terms that you "inspected" your software with an approved validator and that it passed.
I know, dream on, dream on...
> By your account, if a Windows user disables updates and their machine gets compromised because it wasn't patched, then Microsoft is responsible for shipping an insecure OS in the first place.
Yeah, pretty much. Look, let's stop pussyfooting. I used to produce software for industrial process controllers. It was embedded -- you surely know what that means. It means IT'S CORRECT BEFORE IT SHIPS, NOT AFTERWARD. Because patches aren't possible. Because mistakes caught only after the code is in the field are immensely expensive to fix. Because it's the right way to do things. Sorry if I sound a bit strident but this is getting silly. OF COURSE I expect Microsoft to ship a high quality, robust OS. WTF else?? I'm not quite willing to believe you're defending their right to ship crap. :-)
> By the same token, if a Linux sysadmin running a free Linux distro doesn't keep his systems patched and they get compromised, who are you going to hold responsible for shipping an insecure OS, and how do you intend to collect damages?
I keep my Linux systems patched, roughly weekly, mostly automated, some manual if they have to be synced with other processes to not cause trouble. I run a mix of mainly free Ubuntu and free CentOS. If my patching slips and my systems get compromised, I'm in a world of hurt with everybody from my boss on up, because my company is responsible to its customers and clients. I patch regularly because as things stand, I cannot count on software being flaw-free.
Sure, it would be nice if I could depend on all the Linux developers using validation software. But I don't get my way on that, just like I don't get my way on a lot of things. In the real world, as things stand, I can't hold developers and their companies responsible for shipping flawed software.
Collect damages? Hell, when was the last time -anybody- collected damages for software flaws from anybody else? That's not a problem only for the Linux folks.