RU.LINUX
From: Sergey Lentsov 2:4615/71.10, 08 Feb 2002 14:32:41
To: All
Subject: URL: http://www.lwn.net/2002/0207/
[LWN.net]
Bringing you the latest news from the Linux World.
Dedicated to keeping Linux users up-to-date, with concise news for all
interests
Leading items and editorials
GNOME and .NET. It seems to have started with [28]this article in The
Register, which quotes Miguel de Icaza as saying that GNOME 4.0 should
be based on Mono. It is not surprising that this statement has upset
some people. A calmer look at the situation suggests that some of the
fears are overblown.
[29]Mono, of course, is a free implementation of parts of the .NET
framework. In particular, Mono aims to provide a compiler for the C#
language, an implementation of the "Common Language Infrastructure"
(yet another virtual machine and remote procedure call
implementation), and an extensive class library. In theory, Mono will
help with the development of secure, highly interoperable
applications.
Then again, there's [30]Don Marti's inimitable characterization of the
whole .NET framework:
If you break the whole mess down, as far as I can tell you get a
rounded-scissors version of C++, a standard library for same, a
virtual machine, and a Big Brother bank/authentication/anal probe
system.
All of this stuff, of course, has been designed by Microsoft. Some of
it has been proposed for ECMA standard status - but not all of it. The
Mono implementation is progressing, but it remains far from a stable,
complete state.
One thing that people should keep in mind before getting too upset
over Miguel's statements is that he is talking about GNOME 3 or 4. The
GNOME project has not yet released version 2.0, and Mono 1.0 is still
a distant prospect. So any integration of GNOME and Mono will not
happen for years. There will be plenty of time to see how Mono works
out, how Microsoft manages its .NET standards, and whether the .NET
framework truly helps the application development process.
Even then, Miguel is not pushing for a major rewrite of GNOME.
Instead, [31]he sees Mono as a way of making GNOME development go
better in the future:
I am not asking anyone to rewrite any code. Indeed, I encourage
people not to do so. But when it comes to extend a product, Mono
might be a valuable tool. Valuable, because I believe that the
major feature of .NET is reduction of development time and the
reduction of the money we spend on developing those products.
Indeed, development time is one of the key factors behind this push:
Evolution: roughly 2 years of development, and at its peak had 17
developers working on it. [...]
The bottom line is that developing these applications is costing a
lot of time, and a lot of money. I want to see Linux succeed on the
desktop, and for this to happen, many more apps will need to exist.
I want to go from having 17 people working for two years on a
product to have those same 17 people work on four products in the
same time.
.NET supporters cite a number of features which can help achieve this
increase in development productivity: a comprehensive class library,
the ability to easily integrate code in multiple languages, a garbage
collection system which eliminates memory management problems, and
more. It is also claimed that using the .NET framework will greatly
increase the number of developers who can write for the Linux
platform.
These claims, certainly, are worth the time to evaluate. Linux has far
more applications than it did even a few years ago, but very few
people would say that it does not need any more. If Mono can help
bring about more free applications sooner, then it is worth a look.
The fact remains, however, that .NET is a standard created by
Microsoft for its own ends. Adopting Mono could serve mainly to bring
Linux systems into the whole HailStorm framework - an idea which lacks
appeal. In the rush to develop more applications for Linux, it is
worth taking some time to consider exactly what kind of applications
we want.
Then, consider that there is nothing to keep Microsoft from "embracing
and extending" its own standards. Some years from now, Mono could look
much like the Wine project does now: forever chasing a set of shifting
standards, and never being quite solid enough to completely serve its
intended purpose. There also remains the issue of possible royalty
claims or patent issues with .NET. Microsoft has not been entirely
clear on the status of much of .NET, and unpleasant surprises are a
real possibility. It is dangerous to base your applications on a
standard controlled by a competing company.
Those worries are all speculation at this time, however. Given the
amount of time that will pass before GNOME could even conceivably
adopt Mono in any serious way, there will be ample opportunity to see
how things play out. And, in the end, Miguel, while highly
influential, lacks the ability to commit GNOME to any such course. The
GNOME Foundation exists for a reason, and it's likely that its members
will look hard before leaping onto the .NET bandwagon.
(See also: Miguel's "[32]long reply" on this issue).
Who has more security problems? The folks at vnunet started some fun
with [33]this article claiming that Linux had more security problems
than Windows in 2001. Here's their reasoning:
Although the statistics so far only go up to August 2001,
aggregated distributions of the Linux operating system suffered 96
vulnerabilities while Windows NT/2000 suffered only 42. Breaking
the figures down by distribution, Mandrake Linux 7.2 notched up 33
vulnerabilities, Red Hat 7.0 suffered 28, Mandrake 7.1 had 27 and
Debian 2.2 had 26.
Any Linux user will immediately see the flaw in this reasoning: the
same vulnerabilities are being counted up to four times. The real
number of Linux vulnerabilities must certainly be a lot lower.
vnunet [34]quickly backpedaled, noting that "all Linux distributions
essentially use the same kernel, certain bugs are being counted more
than once." Which still somewhat misses the point, since Linux
distributions share far more than just the kernel.
We decided that it was time to try to get a handle on how many
vulnerabilities were really suffered by Linux systems in 2001. To that
end, we plowed through more security updates than any sane person
would want to see in one day, and compiled the following table.
Anybody who is proud of Linux's security should have a good look and
weep - it is a very long list.
There is no end of caveats that apply to this table: it is hard to
make a one-for-one comparison of security updates across
distributions. Undoubtedly some updates have been joined that should
not be, and others have been kept separate when they should be
together. The table also does not distinguish between versions; an
update for Red Hat Linux 6.2 makes the list, even if 7.x was available
and not vulnerable. The picture is rough, but, we think, still
interesting. Without further ado:
Linux security updates in 2001
Vulnerable package Debian Mandrake Red Hat SuSE Turbolinux
analog X X
apache (Jan) X X
apache (Jul) X X X
arpwatch X
bind X X X X X
cfingerd (Apr) X
cfingerd (Jul) X
cron X X X X X
ctags X
cups X X
cvsweb X
cyrus-sasl X X
dhcp X
dialog X
diffutils X X
ed X
ePerl X X X
elm X
esound X
exim X X
exmh X X
expect X
fetchmail (Jun) X X
fetchmail (Aug) X X X X
fml X
gdm X
getty_ps X
gftp (May) X X X
gftp (Oct) X
glibc (Mar) X X X X
glibc (Dec) X X X
gnupg X X X X X
gnuserv X
gpm X X
groff X
gtk+ X X
htdig X X X X
hylafax X X
icecast X X
imap X X
imp X
inetd X
inn X X
iptables X
ispell X X
jazip X
joe X X X X
kdelibs X X
kdesu X X
kernel (May) X
kernel (Oct) X X X X
kernel (Nov) X X X
ld-linux X
libgtop X
licq X
linuxconf X
losetup X
lpr X X
lprng X X
mailman X X
mailx X
man (May) X X X
man (Feb) X
man2html X
mc X X
mesa X
mgetty X X X X
micq X X
minicom X X
mktemp X
mod_auth_pgsql X
mod_auth_mysql X
most X
mutt X X
mysql X X
ncurses X X
nedit X X X X
netscape X X X X
nfs-utils X
ntpd X X X X X
ntping X
nvi X
omni print X
openldap X X
openssh (Jan) X
openssh (Feb) X X X X
openssh (Oct) X
openssh (Dec) X X X X
openssl X X X
php4 X X
pine X
pmake X
postfix X X
printtool X
procmail X X X
proftpd (Feb) X X
proftpd (Mar) X
rdist X
rpmdrake X
rxvt X
samba (May) X X
samba (Jun) X X X X
sash X
screen X
sdbsearch X
sendfile X
sendmail X X X X X
sgml-tools X X X X
shadow-utils X
slocate X
slrn (Sep) X
slrn (Mar) X X X
snmp X
splitvt X
squid (Jan) X X X
squid (Jul) X X X X
sudo X X X X
susehelp X
tcpdump X X
telnet X X X X
tetex X X
timed X X
tinyproxy X
tripwire X
util-linux X X
uucp X X X
vim X X X X
w3m (Jun) X
w3m (Oct) X
webalizer X X
webmin X
wmaker X X X
wmtv X
wu-ftpd (Nov) X X X X
wu-ftpd (Jan) X X X
Xaw X
xemacs X X X
xfree86 X X
xinetd X X X X
xloadimage X X X X
xmcd X
xtel X
xvt X
zope (May) X X X
zope (Mar) X X
Totals: 81 81 56 44 28
Whew. That is a total of 290 updates for 145 unique vulnerabilities.
It would seem that the vnunet article actually underestimated the
problem. A quick look at the totals suggests that Turbolinux is the
most secure distribution with only 28 updates, while Debian and
Mandrake top the list at 81. It must be time to put out a press
release.
That is, of course, complete nonsense. Why do the different
distributors have different numbers of updates? Here are a few reasons:
* Not all distributors ship the same packages. Debian, due to its
size, is almost guaranteed to have more issues than any other
distribution. Very few others ship packages like cfingerd or xtel.
* Distributors sometimes combine multiple fixes into a single update
- especially if they are running behind. The number of updates
puts a lower bound on the number of security problems fixed, but
doesn't tell much more than that.
* Some distributors are rather better at getting updates out than
others. All distributions, for example, were vulnerable to the
latest glibc buffer overflow problem. Debian's update came out in
January, and thus didn't quite make the 2001 table. Turbolinux has
yet to issue an update for that problem, and for many others. If
you simply count and compare updates, you will penalize the
distributions that are more serious about security.
In other words, we are not yet at a point where we can make meaningful
comparisons even between Linux distributions. Trying to compare Linux
with Windows seems like a waste of time. In the end, there is only so
much to be learned about the security of an operating system by
counting its published vulnerabilities. One has to look at the
seriousness of each, how it was discovered (internal audit or external
exploit), how long users had to wait for a fix, and how many users
were actually compromised as a result of the problem. We need better
ways of understanding and comparing security response; simply counting
vulnerabilities is not sufficient.
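As an added illustration of the counting problem discussed above (example code written for this edit, not LWN's or vnunet's own method), the script below aggregates a set of constructed advisory records and counts them three ways: the per-distribution update totals that vnunet summed, the deduplicated (package, month) rows the table uses, and the distinct underlying problems. The distributions, package names, dates and issue labels are constructed sample data, not real advisory identifiers; it also shows why a combined update makes the update count only a lower bound on problems fixed, and why timing skew between distributors can split one problem across two table rows.

```python
"""Count Linux security updates two ways: per-distribution update totals
(what summing the table's 'Totals' row, or vnunet's figures, gives) and
vulnerabilities deduplicated across distributions (one table row each)."""
from collections import Counter, defaultdict
from datetime import date

MONTHS = ("", "Jan", "Feb", "Mar", "Apr", "May", "Jun",
          "Jul", "Aug", "Sep", "Oct", "Nov", "Dec")

# Constructed sample advisories; the issue names are hypothetical labels,
# not real advisory or CVE identifiers. One record per update a distributor
# shipped: (distro, package, release date, issues the update fixes).
SAMPLE_ADVISORIES = [
    ("Debian",     "bind",     date(2001, 1, 30), ["bind-txt-overflow"]),
    ("Mandrake",   "bind",     date(2001, 1, 31), ["bind-txt-overflow"]),
    ("Red Hat",    "bind",     date(2001, 1, 29), ["bind-txt-overflow"]),
    ("SuSE",       "bind",     date(2001, 1, 31), ["bind-txt-overflow"]),
    ("Turbolinux", "bind",     date(2001, 1, 31), ["bind-txt-overflow"]),
    ("Debian",     "apache",   date(2001, 1, 15), ["apache-dir-index"]),
    ("Red Hat",    "apache",   date(2001, 1, 18), ["apache-dir-index"]),
    ("Debian",     "apache",   date(2001, 7, 10), ["apache-mod-rewrite"]),
    ("Mandrake",   "apache",   date(2001, 7, 12), ["apache-mod-rewrite"]),
    ("SuSE",       "apache",   date(2001, 7, 20), ["apache-mod-rewrite"]),
    # A late, combined update: one advisory closing two issues at once.
    ("Turbolinux", "apache",   date(2001, 8, 3),
     ["apache-dir-index", "apache-mod-rewrite"]),
    # A package only one distributor ships.
    ("Debian",     "cfingerd", date(2001, 4, 2),  ["cfingerd-format-string"]),
]


def updates_per_distro(advisories):
    """Updates each distributor shipped: the table's 'Totals' row."""
    return Counter(distro for distro, _pkg, _day, _issues in advisories)


def naive_total(advisories):
    """Sum of per-distro counts: a vulnerability shared by N distributors
    is counted N times, which is the flaw in the vnunet figures."""
    return sum(updates_per_distro(advisories).values())


def table_rows(advisories):
    """Deduplicate as the LWN table does: one row per (package, month),
    recording which distributors shipped an update for it. Timing skew
    still splits one problem across rows (the August apache update above
    lands in its own row), which is the caveat the article gives."""
    rows = defaultdict(set)
    for distro, package, day, _issues in advisories:
        rows[(package, MONTHS[day.month])].add(distro)
    return dict(rows)


def unique_issues(advisories):
    """Deduplicate by the underlying problem instead of by package/month:
    the number the table is trying to approximate."""
    return {issue for _d, _p, _day, issues in advisories for issue in issues}


def issues_fixed_per_distro(advisories):
    """Distinct problems each distributor closed. Never less than its update
    count, since one update may bundle several fixes, so the update count
    is only a lower bound on the number of problems fixed."""
    fixed = defaultdict(set)
    for distro, _pkg, _day, issues in advisories:
        fixed[distro].update(issues)
    return {distro: len(s) for distro, s in fixed.items()}


if __name__ == "__main__":
    adv = SAMPLE_ADVISORIES
    print("updates per distro:", dict(updates_per_distro(adv)))
    print("naive total (sum of updates):", naive_total(adv))
    print("table rows (package, month):", len(table_rows(adv)))
    print("unique issues:", len(unique_issues(adv)))
    print("issues fixed per distro:", issues_fixed_per_distro(adv))
```

On the sample data the naive sum is 12 updates, the (package, month) grouping yields 5 rows, and there are only 4 distinct problems; Turbolinux shows 2 updates but 3 problems fixed, and its late apache update sits in a row of its own even though it fixes nothing new. Those three numbers moving apart is exactly why the article concludes that raw update counts say little about the security of a distribution.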
Inside this LWN.net weekly edition:
* [35]Security: Checking for root kits; Sardonix security auditing
portal
* [36]Kernel: Linus tries BitKeeper; the radix tree page cache.
* [37]Distributions: Lists Again; Three not-so-new Japanese
distributions.
* [38]Development: PostgreSQL 7.2, Ogg Vorbis RC3, AFPL Ghostscript
7.04, ht://Dig 3.1.6, Galeon 1.0.3 and 1.1.3, GNOME 2.0 Desktop
Alpha 2, GARNOME Preview 1, Samba 2.2.3, Gnumeric 1.0.4.
* [39]Commerce: Edward Felten drops DMCA case; LinuxWorld awards.
* [40]Letters: Lindows coverage; Linux Standard Base
...plus the usual array of reports, updates, and announcements.
This Week's LWN was brought to you by:
* [41]Jonathan Corbet, Executive Editor
February 7, 2002
[42]Next: Security
[43]Eklektix, Inc. Linux powered! Copyright © 2002 [44]Eklektix, Inc.,
all rights reserved
Linux (R) is a registered trademark of Linus Torvalds
References
1. http://lwn.net/
2. http://lwn.net/2002/0207/security.php3
3. http://lwn.net/2002/0207/kernel.php3
4. http://lwn.net/2002/0207/dists.php3
5. http://lwn.net/2002/0207/devel.php3
6. http://lwn.net/2002/0207/commerce.php3
7. http://lwn.net/2002/0207/press.php3
8. http://lwn.net/2002/0207/announce.php3
9. http://lwn.net/2002/0207/letters.php3
10. http://lwn.net//2002/0207/bigpage.php3
11. http://lwn.net/daily/
12. http://linuxcalendar.com/
13. http://lwn.net/stocks/
14. http://lwn.net/Reviews/
15. http://lwn.net/Gallery/
16. http://lwn.net/archives/
17. http://lwn.net/op/headlines.phtml
18. http://lwn.net/op/Contact.html
19. http://lwn.net/2001/features/Timeline/
20. http://lwn.net/2001/features/oreilly2001/
21. http://lwn.net/2001/features/OLS/
22. http://lwn.net/2001/features/MandrakeSoft.php3
23. http://lwn.net/2001/features/KernelSummit/
24. http://lwn.net/2001/features/Singapore
25. http://lwn.net/2001/features/djbdns.php3
26. http://lwn.net/2002/0207/
27. http://lwn.net/2002/0131/
28. http://theregister.co.uk/content/4/23919.html
29. http://www.go-mono.com/
30. http://zgp.org/pipermail/linux-elitists/2001-December/003745.html
31. http://lwn.net/2002/0207/a/miguel-.net.php3
32. http://lwn.net/2002/0207/a/long-reply.php3
33. http://www.vnunet.com/News/1128907
34. http://www.vnunet.com/News/1128921
35. http://lwn.net/2002/0207/security.php3
36. http://lwn.net/2002/0207/kernel.php3
37. http://lwn.net/2002/0207/dists.php3
38. http://lwn.net/2002/0207/devel.php3
39. http://lwn.net/2002/0207/commerce.php3
40. http://lwn.net/2002/0207/letters.php3
41. mailto:lwn@lwn.net
42. http://lwn.net/2002/0207/security.php3
43. http://www.eklektix.com/
44. http://www.eklektix.com/
--- ifmail v.2.14.os7-aks1
* Origin: Unknown (2:4615/71.10@fidonet)