October 15th, 2003, 09:53 PM
Linux Kernel Errors (Study)
The linked PDF document was published by Stanford University's Computer Systems Lab and it discusses automatically detected compiler errors found in 21 snaps shots of the Linux kernel over seven years and baselines these against the OpenBSD kernel.
I know what you are thinking, "This type of error detection is limited and not as useful.", "All Linux bugs are fixed right away, especially source level bugs.", "OpenBSD has less bugs because they work round the clock on pre-emptive bug killing, so this is just an attempt at making Linux look bad." So why would you want to read this document?
First off it answers a few questions about where bugs are likely to occur, if bugs cluster, how long bugs live, and what causes these bugs. Additionally, the following assessments were made that should be of interest:
Average Linux bugs live 1.8 years. (though this may be higher as many bugs are still alive, some as long as seven years.)
OpenBSD showed more errors than Linux in every audit system used.
Also it is discussed that Linux's error rate has decreased over the seven years, which indicates the system is making progress. This is a very important and very unimportant point at the same time from a security stand point. The monolithic architecture creates an instance where ever exception at this level could lead to a full compromise, so this type of hardening is good. However this study fails to cover high level design, so even if the code were completely free of source code bugs security issues could/would still exist.
Although this document is from 2001, there is no reason to believe it's findings have been made obsolete in that time.
Hope you all enjoy this document.
EDITED: AO felt this document was too large, so I have linked to it here:
PS. Edited AGAIN cause I typoed the path.
October 15th, 2003, 10:26 PM
nothing a can of raid can't take care
October 16th, 2003, 09:44 AM
I guess they just like to hold on to the raid.
The point of all of this is not so much if these bugs can be fixed, but the fact that they are not fixed. For years on average and this is only significant because it flies in the face of what Linux users believe about millions of programmers round the world fixing bugs almost instantly upon discovery.
October 16th, 2003, 03:45 PM
you mean there's not an army of programmers around the world fixing bugs instantly??? LOL
i have always chuckled when i hear people comment on that philosophy....it is SO wrong. i have NEVER met any developer that when sitting around bored, said to themselves. "hmmm..i'm bored, i think i'll look over some monolithic code and see if i can find bugs in it" people who do believe that are not nor do they know developers. dev guys like to make new exciting apps/technology/projects, not look over monolithic code. a prime example of that is the most popular mail system for *nix, which is sendmail, even today we are still finding flaws in that application. if the many eyes concept were really true, then why is this high profile app still having new vulns discovered?
always remember this people "NO SOFTWARE IS PERFECT OR THE ANSWER TO EVERY SITUATION"
just making some minor adjustments to your system....
October 16th, 2003, 04:06 PM
Yeah, this goes to show M$ isnt the only OS, that has flaws.