Back to article
Editor's Note: Action, not Reaction
Why the Open Source Model is Superior
June 12, 2000
I don't wish to sound too much like someone pontificating from the mount, but there's a serious problem in the Linux world that every Linux user on the Internet must address.
To wit: last week the sendmail.org team discovered a serious bug in the Linux kernel that existed in all kernels up to version 2.2.15. The flaw occurs via the setuid command, affecting programs that drop setuid state and rely on losing saved setuid. In fact, according to Linux kernel developer Alan Cox, it affected programs that merely checked the setuid call.
Now, before you hyperventilate, there is a simple way to address this issue: update your Linux kernel to 2.2.16 or better, or update your sendmail version to 8.10.2. It's as simple as that. If you're a little nervous about upgrading kernels, don't be; your distribution's Web site or documentation should have crystal-clear instructions on how to create a new kernel; it's just not that difficult. Similarly, you can keep your current sendmail configuration while installing the newer sendmail. Anyone who has installed Linux in the past six months is probably using a newer kernel anyway, but for those of us who are using older kernels, this security problem should force us to sit up and make some changes to our systems.
How the Linux community responded to this bug is illustrative of how the Open Source model is superior to the proprietary method of developing--or, rather, protecting--software. The bug was discovered by the Wojciech Purczynski, who posted information about it to the influential BugTraq Web site; it wasn't discovered after someone's important Linux site was hacked via this method. Using this information, Alan Cox patched the kernel and the sendmail team released a new version. (In other words, the Linux community was proactive, rather than reactive.) After the bug was verified, word was sent out via the Linux online community; I suspect that most of you have already seen something about this on Linux Today or Linux.com.
Compare this to what happens when there's a security problem with Windows. Microsoft usually tries its best to deny that there's a security problem or attempts to shift the blame onto someone else. The anti-virus vendors then circle like vultures, attempting to prey on people's fears by overstating the extent of any potential problems. Between the denial of Microsoft and the shilling by the software vendors, it's sometimes hard for the average user to see where the truth lies.
There's no such thing as perfect software, and as we rely more and more on the Internet more and more issues like this will pop up. The solution isn't to have unrealistic expectations of our operating systems, but rather to judge them based on how their vendors react to potential security risks. In the case of Linux, the issue was dealt with honestly and immediately, and compare that to how Microsoft deals with the typical Windows flaw.