Ubuntu blues
Eric Dunbar
eric.dunbar at gmail.com
Mon Dec 13 08:01:54 CST 2004
cc: Sounder at lists.ubuntu.com
> > There is one advantage to OSS -- once such spyware starts appearing,
> > there will be a whole army of programmers ready to tackle the problem
> > _as soon_ as it appears. With Micro"SoftOnVirusesAndSpamware", its
> > users are at the mercy of the good graces of anti-spyware writers, or
> > of the ransomware writers who sell the uninstallers for their own
> > apps, because it doesn't seem like Microsoft is quick to do something
> > about the complete gridlock that characterises the Windows internet
> > computing experience.
>
> Not really, it's just that spyware is a very challenging issue to fix.
> How would you plan on stopping spyware on Linux if someone double
> clicks a .deb file which adds it to the services on startup? How does
> Microsoft fix this? I don't think they can without sacrificing huge
> amounts of ease of use.
I believe there are two crucial differences between the OSS and the
Windows (fully closed) paradigms of OS development that will make the
difference.
1. Once these "double clickable" trojan .deb files appear for OSS
OSes, there will be a whole community of developers able to
_immediately_ respond to the appearance of the trojan and devise a
work-around to the problem.
2. Since most distros have a centralised repository from which you can
d/l the software this in-and-of-itself will act as a check on what
spy-/ad-ware writers can accomplish.
Of course, #2 will eventually disappear as distros standardise on
common libraries and APIs (or, if apps become self-contained like on
Mac OS X where the libraries needed by an app are included in the
"application" (most OS X apps are actually directories with libraries
and other resources that are made to appear to be apps to users
(essentially the same self-contained software design model that's
characterised Mac software design from day one... which is why Mac
apps are so much more easily pirated)).
> > (as I noted recently... at www.download.com the top Mac downloads were
> > for P2P software and in the top 5 there were _non_ piracy-related apps
<snip>
> > hidden deep in the *nix hierarchy, etc.)).
>
> Well.. it's because all Mac apps are pre or statically linked. Linux
> apps are traditionally dynamically linked and Windows apps are usually
> both. When you install a Mac app that requires some new libraries, it
> usually uses the Installer app and it can spend anywhere up to 15
> minutes 'optimizing the HDD', aka prelinking all the files.
The majority of apps that are properly coded _do not_ do that since
they don't install any files in off-limits places since they are
self-contained. There are two exceptions to that rule and the first
are OS updates since they will update the underlying *nix structure
(mach kernel, BSD utilities) or Apple's own APIs/DEs (Quartz, Carbon,
Java etc). The second are ports of *nix apps which expect to have
libraries installed in non-standard places (and the porter hasn't gone
to the trouble of changing the paths... quite understandable given
that these are by-and-large volunteers doing the work).
Microsoft Office, for e.g., installs as quickly as your CD/DVD-ROM can
read the files. This is perhaps the most complex app that the
overwhelming majority of users can ever dream of installing and it
doesn't require a whit of pre-linking (however much I deride MS for
making a hyper-bloated app, it's still damn complex).
> I don't see why we should really hold Mac users in any holy grail
> position.
You shouldn't! I cite Apple's Mac OS X because it _IS_ a successful and
well-executed *nix (and, arguably, Linux is nowhere near where
Apple's Mac OS X is for simple functionality as a USABLE desktop OS).
> OSX is nice, but Apple is very, very slow at patching stuff
> and they usually botch it - it's taken them over a week for two major
> exploits (one still not fixed right). I'd say Linux is the best with
> patches, then Microsoft very closely behind and then Apple right at
> the back. Apple just doesn't have the resources to do patches well.
Apple (IMNSHO) has a good model of responding with security patches --
they "just happen". Once a week your computer will check for updates
and give you the option to install them if desired. Linux is such a
discombobulated scene that some distros will have the patches
available immediately whilst others never, and, AFAI can tell, there
isn't any automagic update check that happens YET (I know there are
some apps in beta but they aren't universally deployed on the desktop
yet)... Synaptic in Ubuntu is a good first step for e.g. but it
doesn't automagically do the checks yet.
There is also one big difference between the free (as in $$) Linuxes
(the commercial ones have different standards to which they are held
and tend to be servers) and OS X in terms of quality control and
customer expectations -- Apple cannot afford to have an update that
itself creates real problems whilst fixing hypothetical ones (just
because there's a theoretical security problem doesn't mean there's an
exploit). Thus, they have to go through a lot more quality control
than the free Linuxes (where breakage is a fact of life) before
patches go out.
Additionally, Apple's users by-and-large _don't care_ about security
and have far more invested in a functioning system. What concerns you
(probably as a former Windows user) doesn't concern the bulk of Mac
users -- security has NEVER been an issue on Mac systems (from day
one) so security under their "new" (now 3 years old) *nix won't be
either. What concerns Mac users are timely stability (a hold over of
pre-*nix days) and feature improvements.
Apple has to keep the number of updates to a minimum. If there are too
many, people simply will turn off software update and this would be
bad for Apple since the company has a lot of credibility riding on
making sure that a sizeable portion of its userbase is as up-to-date
as possible to ensure that exploits cannot proliferate (if they ever
are developed ;-).
The same sort of thing must be kept in mind with Ubuntu (and Linux in
general) -- too many updates all the time numb the user. What Apple
does is a "bulk" update. Whereas I might see updates to sudo, apache,
etc coming through at a rate of one or two a day on Ubuntu's Synaptic,
Apple takes them and sticks them in one bulk update.
Different ways of development, different ways of functioning!
Neither strategy is necessarily better than the other but "just
because that's the way Linux has always done things" isn't a great
reason for doing things that way. Likewise, "just because
Apple/Microsoft does it" is not a good argument for doing things
either. All I'm saying is that it is possible to learn from the
mistakes others have made, and also the things they do right, and,
perhaps more importantly, THE REASONS they do things the way they do.
The future for Linux is as a _viable_ alternative to Windows. To do
this Linux (as a whole) needs to do things that Windows does, only
_better_. But, it also needs to make sure that it offers a quality
experience. Daily-updates may satisfy the geek in me, but it isn't a
great recipe for system stability for e.g.
> Remember, it's really a small computer company - the iPod in terms of
It's the second largest OS developer ;-) in the world.
> sales is about 2-3x more important.
The iPod is only a quarter of the company's income...
Eric.