Linux Bugs, Bugs Everywhere
Mar 10, 2014 11:08 PM PT
Well it was a wild week here in Linux land, and not just because of the asteroid that came hurtling by Earth at heart-lurching proximity on Wednesday afternoon.
Pay no attention to the 100-foot-wide ball of rock you might notice streaking through the sky closer than the Moon! *Cough*. Thank goodness for tequila.
Linux fans, however, had bigger -- or rather, smaller -- things to focus on last week. Namely? Bugs.
That's right, bugs figured prominently not just once but twice last week in the Linux blogosphere.
Exhibit A: "Google Won't Enable Chrome Video Acceleration Because of Linux GPU Bugs" was the headline that appeared on Slashdot mid-afternoon last Tuesday.
"Code has been written but is permanently disabled by default because 'supporting GPU features on Linux is a nightmare' due to the reported sub-par quality of Linux GPU drivers and many different Linux distributions," explained the submission summary.
'Hundreds of Packages'
"There are hundreds of packages that use the GnuTLS encryption libraries, so virtually every Linux user is affected," Dave Wreski, CEO of open source security firm Guardian Digital and founder and lead developer at Linuxsecurity.com, told PCWorld's intrepid reporter. "It probably affects every Linux system currently in operation that utilizes the GnuTLS library."
It wasn't long before Linux Girl's skin began to crawl, so she knew it was time to jump into action. She strapped on her snow shoes and trudged into the blogosphere's main downtown to gather a sampling of opinions.
'We're Finding More Bugs'
"Linux is seeing more and more use in a wider variety of markets, and is really starting to pick up Steam (pun!)," offered Linux Rants blogger Mike Stone.
"While I don't have numbers to verify this, it just seems to me that we're adding more eyes to the code, and so we're finding more bugs," Stone suggested.
"These bugs aren't necessarily recent, they were just unnoticed before," he added. "Finding them can only be a good thing."
'Probably the Tip of the Iceberg'
Similarly, "we are seeing a lot of crypto bugs surfacing lately because these libraries are suddenly getting a lot of review thanks to Snowden's revelations," suggested Chris Travers, a blogger who works on the LedgerSMB project.
"I think one has to separate the crypto bugs from others because they are occurring in a different context," Travers opined.
"From what I have read about gnutls, though, it seems to me that this is probably the tip of the iceberg given a 2008 assessment by someone from the OpenLDAP team," he pointed out.
"The basic problem is that up until Snowden started releasing stuff, we thought typical SSL implementations were good enough -- at least combined with things like certificate pinning," Travers concluded. "It now looks almost certain that they are not. We need better, but this is going to take some time."
'Many Things Got Cleaned Up'
As for the Chrome complaint, gaming company Valve has "submitted a lot of bug reports and fixes in the graphics layer in the past year, and many things got cleaned up," consultant and Slashdot blogger Gerhard Mack pointed out.
"I really wonder if the Chrome developers tested lately," he mused.
"Worst case, they could blacklist by library/kernel version, but at any rate, anyone who would care about the extra speed would tend to keep to the releases," Mack added.
'Long Live FLOSS'
"The gist of it is that flaws happen," said blogger Robert Pogson, who recently wrote about the topic on his own blog.
"People are human; they make mistakes," Pogson explained. "With FLOSS those mistakes can't hide forever as they can in non-Free software. Long live FLOSS."
Free and open source software also "tends to be simpler software," Pogson told Linux Girl. "That makes it easier to write and easier to debug because there is no evil genius commanding the programmers to make illogical dependencies all over the place because the salesmen think it works."
'The Worst Piece of Code Is Java'
Microsoft operating systems include far more code and, as a result, are estimated to suffer between 15 and 35 times as many flaws as competing systems, Pogson noted, citing Cyberinsecurity.
"Methinks the license has something to do with quality of code and how bugs are killed," he suggested. "If M$ published its OS as FLOSS, the world could just filter out that complexity -- if the world wanted to use that software.
"Instead, M$ had to force the world to use its software by anti-competitive means," he added.
Meanwhile, "the worst piece of code in all of FLOSS is probably Java, which started out as non-Free software," Pogson concluded. "Sometimes you just have to start over. That's easier with FLOSS too, but it's much easier to start from the beginning with FLOSS because less has to be undone."