Patchy coverage

ZDNet Australia ^ | 02 September 2003 | Josh Mehlman

[ShadowAce]

COMMENTARY--Yep, it's Windows vs Linux time again. as usual, the facts go out the window in a points-scoring battle that completely ignores the important issues.

At the annual Tech Ed conference in mid-August, Microsoft's chief security strategist Scott Charney said "Half of all crashes in Windows are caused not by Microsoft code, but third-party code". Why would he say that?

For about a year, Microsoft has been implementing its Trustworthy Computing initiative, and has gone to great effort to improve its practices and get better security and reliability in its products. Being Microsoft, a lot of the work has gone into new products such as Windows Server 2003 rather than fixing holes in the software everyone's using, such as Windows 2000. Spend more money, get better security.

But it's slow going. Building better software is evolutionary, as is earning the industry's trust when your reputation is as bad as Microsoft's. It doesn't help when, as you're making this announcement, a worm exploiting a vulnerability in your code--not someone else's--is spreading around the world.

A ZDNet Australia Web site reader noted, "In decent operating system design it is recognised that programs may go feral and the OS must cope with this gracefully. Any OS that crashes because of bad applications is basically badly designed."

Charney's statement also ignores the problems many developers face trying to interact with Windows when they can't access the operating system source code, and sometimes can't even get proper documentation of the application programming interfaces. Third-party developers can hardly be blamed for instability if they don't know what they're working with. Charney was, at best, being disingenuous. Dodging the blame does very little to improve your reputation.

Charney's statement moved columnist Sam Varghese at the Fairfax newspapers to decry the terrible state of IT journalism today. "One should question why such statements are repeated verbatim, without even a hint of doubt, by journalists," he wails.

Varghese also writes misty-eyed pro-Linux puff pieces in his spare time in which he freely admits "I am not a techie". Yet in a column the day before, he quotes Linux evangelist Con Zymaris as saying "open source systems have a far lower risk profile" than Windows--verbatim, without even a hint of doubt. Pot, kettle? Or is it OK to report unsubstantiated propaganda if it's propaganda you agree with?

This is a highly contentious point, and not one that lends itself to being quoted without analysis by any journalist who wants to claim a shred of credibility.

Zymaris claims keeping patches updated is far easier in Linux "due to the well thought-out and well-executed package management technologies". This is a highly contentious point, and not one that lends itself to being quoted without analysis by any journalist who wants to claim a shred of credibility.

Patch management is complicated. The Blaster worm was easily defeated if systems had been updated with a months-old patch, but a lot of systems didn't have it installed. This does not give the Linuxheads reason to be pleased with themselves.

Linux certainly beats Windows hands down in the number and frequency of patches, but this is not as good as it sounds. Every time a sysadmin needs to patch a system, particularly a business-critical server, he or she needs to be sure it isn't going to cause problems with what's already running. When new patches come out every other day, as they do with Linux, you can imagine the nightmares this could cause.

There is also a wide range of, words fail me, well thought-out patch management software available for Windows. And while Linux patches are--obviously--free, vendors like Red Hat charge fees to subscribe to their update services that help minimise dependency issues, which can be a big problem with Linux.

In an interesting approach, Sun Microsystems' Orion strategy means Sun will be sending customers quarterly patches for all its software on CD. These patches will be pre-tested for compatibility and integration issues. While this doesn't eliminate the need for emergency patches, at least it takes one big worry off admins' minds.

If it works well, expect to see Microsoft and the Linux vendors taking up the same idea--and slugging it out over which one of them thought of it first, which works better, and which has the lowest TCO.

[ShadowAce]

Would you do the honors? I do not have my tech ping list available at this moment.

[rdb3]

The Penguin Ping.

Wanna be Penguified? Just holla!

Got root?

[Flashman_at_the_charge]

“Half of all crashes in Windows are caused not by Microsoft code, but third-party code”

That’s like Ford saying half of all fatal car crashes were caused by driver error and not by the car failing.

[thoughtomator]

Or Boeing saying, "Half of all crashes of our planes are due to the Microsoft navigation system, and not the overly-hyped problem of engines being mounted backwards".

[Flashman_at_the_charge]

Nice tagline.

[jammer]

Nice screen name. How's Elspeth?

[N3WBI3]

Lol in one hand he bashes somebody for wirting a one side piece and then he goes and writes one himself pot kettle anyone?

I have never, I mean NEVER put a patch on an AIX, Solaris, or Linux system and had it break anything! My time for test to production patches is a couple of days for a low risk, and at most a day for high risk. On the windows side of things three times last year I had a patch break something else (usually an application it would be SQL server, or ...) My time from test to prod is at least a week on critical systems and around a month on low risk.

Windows update is fine for the desktop but anyone who would update Windows without extensive testing is nuts..

[N3WBI3]

I know I love this one, blame the app. An application exception should NEVER take down an OS the only time I have ever seen that on Unix was with a really wierd SAMBA mount that I can not replicate..

[ikka]

Zymaris claims keeping patches updated is far easier in Linux "due to the well thought-out and well-executed package management technologies". This is a highly contentious point, and not one that lends itself to being quoted without analysis by any journalist who wants to claim a shred of credibility.

No, it is NOT a highly contentious point. What is contentious is "which package system is better, RPM or Debian .deb"? But ANYONE who has ever dealt with both Win2k and either RPM or .deb knows full well that Linux wins hands down on this matter.

[Flashman_at_the_charge]

As dotty as ever, still not sure about her though. :-)

[Flashman_at_the_charge]

Hardware abstraction is the key. Check out iSeries.

[Dimensio]

I once took down the OS with a SAMBA mount. I use DHCP on my local network for IP distribution. I had recently taken down the machine that acts as a DCHP server because of a power failure, but I forgot to resume the DHCP client when I restarted (yeah, yeah, I should have a script to do it, but I'm too lazy and the machine rarely goes down). The other machines on the network still had IP addresses, howver, because their previous DHCP leases hand't expired.

Anyway, I was burning a CD, but the source image was stored on a different machine with a Samba network share. Unfortunately, the DCHP lease on the burning machine ran out. As a result, the share on which the CD image -- still being read from for CD burning -- was suddenly and ungracefully unmounted. Result: kernel panic (which is perfectly understandable under such conditions).