Langa Letter: Linux Has Bugs: Get Over It

Jan 26, 2003 (07:01 PM EST)

Read the Original Article at

I made a private bet with myself when I ran an item in my newsletter called "Linux Hacks On The Rise". It cited a study of software problems reported by CERT--the Computer Emergency Response Team that impartially tracks computing security threats. (CERT is part of a federally funded research and development center at Carnegie Mellon University in Pittsburgh.)

Among other things, the article said: "...more than 50% of all [CERT] security advisories ... in the first 10 months of 2002 were for Linux and other open-source software solutions."

My only point in bringing up this issue was to show that no operating system is immune to bugs and security issues: As Linux grows in popularity, it will have its own full share of problems.

It's hard to imagine a less inflammatory or more obvious assertion--that all operating systems have bugs and security issues--but I won my bet: Linux and open-source fans thought I was attacking them or their preferred operating system. They deluged me with E-mails, many irate, claiming that CERT (and I) were dead wrong.

The two most-common arguments against the report were:

1) There really aren't that many Linux/open source bugs, especially compared with, say, Microsoft Windows. Many readers argued further that CERT erred by counting the same bugs multiple times in different distributions and versions of Linux or other open-source software; these repeated bugs should have been counted as one meta-bug.

2) Open source bugs, when they do occur, aren't that big a deal anyway because they can be fixed far faster than Windows bugs.

Trouble is, these arguments are based on old information: Yes, there once was a time when both of the above statements were true, but in a moment I'll show you some very current, non-CERT stats and info that illustrate why both statements are now emphatically false. (We'll get to the specifics in a moment.)

But this isn't a bad thing. Rather, I take it as a very positive sign of the growing maturity and mainstream appeal of Linux and open source software. Let me explain:

Linux's And Open Source Software's Excellent History
Linux (and the whole open source movement in general) got its reputation for solid software and rapid fixes when this software was used mostly by a relatively small group of extremely knowledgeable people. They knew what they were doing, and generally ran their software on stable, proven hardware platforms; or, when brand-new hardware was used, it was used in fairly generic ways. (For example, video card drivers for Linux tended not to support exotic feature sets; Linux video usually operated at fairly conventional resolutions and settings.)

This is a benign development environment. Any software can succeed if it's placed only in the hands of a small group of knowledgeable experts who can avoid many problems in the first place, and participate in rapid repair of any unavoidable problems that do occur.

And "rapid repair" was a very real thing: The open source arena tended to attract some of the best and brightest of the world's computing community; people who wanted to do good, and whose contributions were almost always positive, focused on the continual improvement of their software.

But things changed. The open source community has fragmented into myriad competing segments, each with its own different, and increasingly quasi-proprietary, distributions of software. Huge numbers of new users of all skill levels have entered what once had been an experts-only enclave. (Even Wal-Mart now sells cheap PCs with Linux and open source applications preinstalled.) It's much harder to produce software for an audience of all skill levels running who-knows-what hardware, than for an audience only of experts running a limited subset of known-good hardware.

And, not trivially, as the Linux/open source segment has grown, it's finally attracted the attention of crackers (malicious hackers). You see, crackers like to aim at the fat part of the bell curve because that's where the most potential victims are. That's one of the primary reasons why more people try to hack Microsoft software than any other: If a malicious hacker wants fame or notoriety, Microsoft software is the obvious target because more people use Microsoft software than any other.

And to me, this is a key thing: When the Linux/open source community was tiny, few hackers bothered to look for exploitable issues there. It simply wasn't an attractive target. In other words, it wasn't so much that Linux and similar software were truly free from exploitable holes, but simply that no one was trying to find them.

But again, that all changed as Linux and open source software entered the mainstream. Now that this software is a fully viable alternative to conventional commercial software, an inevitable consequence is that more problems will come to light. As novice users, funky hardware mixes, and active cracking all come into play, the bug counts are going up. In fact, way up.

Counting Bugs
There's no perfect, 100% reliable way of comparing bugs across operating systems, especially in an environment where operating systems usually ship with bundled software that may have its own, separate quality issues. But let's start by looking just at the operating system itself:

We can avoid CERT's problem of counting the same bug more than once if we compare the security patch/update counts for one popular distribution and version of Linux to one popular version of Microsoft Windows. In this way, we won't have the Linux count skewed by the same bug cropping up in hundreds of other versions and distributions; or have the Windows count skewed by bugs in other Windows versions or software products from Microsoft.

To further refine the comparison, let's look at operating system versions that came to market at about the same date. This way, both operating systems would have a more or less equal time during which problems could come to light.

It turns out that Microsoft Windows XP and Red Hat Linux 7.2 were released within a few weeks of each other. Both are still current and are actively supported by their respective vendors. So, let's take a look, starting on each vendor's patch/update pages:

For Red Hat Linux 7.2, you go to the Red Hat "errata" page and from there to the page specific to version 7.2 . There, you'll see that, to date, Red Hat has issued 151 patches and updates (mostly for security issues; that's what the "broken lock" icon means) for that Linux version. For a very crude sense of scale, that works out to an average of around 2.3 patches per week.

Next, let's do the same thing for XP Professional, starting on Microsoft's errata page, the "HotFix & Security Bulletin Service"; use the pull-down menu to isolate just the XP-related items. You'll see that the page lists 21 XP-specific patches and updates to date. That's an average 0.35 patches per week.

But wait: Maybe that's not a fair count. After all, XP is the newest Windows version, but RH 7.2 isn't the newest Linux version. Red Hat's newest version is actually version 8.0, so let's look at that. Its errata page lists 27 patches and bug fixes issued in the four months the operating system has been available, an average of around 1.6 patches per week, so far. That's a rate significantly less than Red Hat's 7.2's, but still more than XP's.

These numbers may surprise you because we've all seen a veritable blizzard of patches and updates issued from Redmond. But Microsoft currently has 157 software products under active support, and a typical PC may have not only a Microsoft operating system but also a Microsoft browser, mail program, media player, office suite, and more. In the aggregate, the total number of bugs and patches to keep up with for all this software is daunting. And some of the issues have indeed been severe. (For example, Outlook Express was for years the very worst security hole on most PCs.)

But, if it's unfair to lump all open source software together for bug-counting purposes, it's also unfair to do the same thing for all Microsoft software. (Otherwise, to get an accurate assessment for Linux systems, you'd have to include the bugs from open source browsers and all other normal system add-ins or add-ons, on top of Linux's own bugs.) Instead, to avoid an apples/oranges comparison, it's better to look at specific brands, types, and builds of products across similar amounts of time: That's the only accurate way to see how, say, operating systems compare, or browsers compare, or E-mail programs compare, and so on.

But what about the types or severity of bugs? In fact, I hear this a lot from Linux partisans, that Microsoft bugs are "worse" than Linux bugs. There's a lot of subjectivity in better or worse comparisons, of course. But as a quick example, here's a Red Hat Linux 7.2 bug as described on the Red Hat page:

A vulnerability has been found in the ptrace code of the kernel (ptrace is the part that lets program debuggers run) that could be abused by local users to gain root privileges.

Now here's an XP bug, as described on the Microsoft site:

Flaw in Windows WM_TIMER Message Handling Could Enable Privilege Elevation: A security issue has been identified that could allow an attacker to compromise a computer running Microsoft Windows and gain complete control over it.

Which is "worse?" I actually think these are about the same--either way, someone can take over your PC. But some Linux partisans will insist that the Microsoft bug is somehow "worse." I disagree, but don't take my word for it: Read the descriptions of some bugs from the XP list and some from the Red Hat list, and make up your own mind.

Does all this mean Linux is terrible? Not at all! Complex software will always have bugs and security problems, and I consider Linux's bugs to be in the fully normal range and not worth getting agitated over. What's more, it's great to see such active bug-fixing as the Red Hat pages indicate: There always will be bugs in any software, and the rational thing to do is to fix them, rather than try to convince others that the bugs aren't real or somehow don't count.

Does all this mean XP is inherently wonderful? Nope. XP's bugs are fewer than Red Hat Linux 7.2, but also within the normal range, and likewise merit neither ecstasy nor apoplexy. And, as I said before, there's other Microsoft software--some of it bundled with XP--that has much worse records.

So here's what it does mean: Linux is a normal operating system; so is XP. Both have bugs, some major, some minor. Anyone who tells you that Linux is "inherently more secure" or "much less buggy" than XP simply isn't working from current facts. The reality is that bugs happen, even in Linux: Get over it.

Speed Of Fixes
The second most-cited argument in reader mail was along the lines of: "Open Source bugs aren't that big a deal because they can be fixed far faster than Windows bugs."

Yes, under the very best and limited circumstances, this can be true: A raw, initial fix can be posted online sometimes within hours of a bug coming to light, and that's wonderful, when it happens. But that initial posting is often in source code, or in a form that requires that parts of the operating system or software be rebuilt or recompiled by the user. And it's usually posted in special developer-only portions of open-source Web sites. In other words, the patch may be useful to a handful of expert users. That's great for them, but what about everyone else?

Most patches take much longer to appear, and longer still to become generally available to all affected users, in finished, tested, easily installable form--even if, technically speaking, the initial instance of the bug was stomped out very quickly. Given the growing fragmentation of the open source community and the increasingly quasi-proprietary distributions of Linux, how could it be otherwise? It has to take time to get patches out.

Consider just two cases in point: The Open Source Mozilla project ran three years late in development, and that was just a browser, not an entire operating system. Linux itself took about 7 years before it was even remotely ready for prime time. In the face of software gestations this lengthy, I think it's hard to argue that open source's supposed "fast fixes" actually mean much in real world benefits.

This is a big chunk of Microsoft's problem, of course--it takes time to release a finished, auto-installing patch for all versions and builds of all affected in-use Microsoft software. This often makes Microsoft patches appear weeks or months after a bug comes to light. But as Linux and other open-source software face the same kinds of market problems, their pace is slowing, too. It's inevitable. The more complex and fragmented a software market is, the longer it will take for fixes to diffuse out to all builds and versions. Complex software takes time to write and debug: Get over it.

Put Down Those Flamethrowers
Don't get me wrong: I think the open source movement is a good thing, and I like Linux--it's running right now on two of my office PCs. And none of the above excuses or lessens the seriousness of Windows' own problems with bugs and security issues.

But, as much as the partisans wish it were so, open sourcing isn't a magic solution to the problems of bugs and security issues. As Linux and other open-source software grow in popularity and extend into a fragmented, uncontrolled mass marketplace, they will inevitably have their own full share of bugs and security problems, same as with any other software.

Anyone who tells you differently, or tries to convince you that their favorite operating system is somehow immune to market forces, human error, and plain malice, is doing both you and the operating system they espouse a disservice.

What's your take? Does Linux really have fewer bugs, or less-serious bugs than Windows? What's the best way of judging relative "bugginess?" Are there distributions or builds of Linux less buggy than the one that Fred discussed? Join the discussion!

To discuss this column with other readers, please visit Fred Langa's forum on the Listening Post.

To find out more about Fred Langa, please visit his page on the Listening Post.