The transparency of open software means that security vulnerabilities are visible and can’t be quietly swept under the rug.
Another bunch of scary security alerts from your favorite Linux distro has hit the front page of FOSS Force. It was the same last week and the week before, and will be the same next week and the week after.
One FOSS-boosting friend claims the alerts are the result of “media sensationalism.” While it’s possible that there is a clickbait element to some of the reports (DROWN, anyone?), most of the reported vulnerabilities are real and serious, and we need to know about them.
But what about vulnerabilities in proprietary software? Microsoft ships regular Windows security updates, most of which a Windows PC downloads automatically without showing you many, if any, details about them or the bugs they ostensibly correct. The CVE-level write-ups do exist, but you have to go looking for them on Microsoft's security pages rather than in the update client.
The same is true of many other proprietary programs. They may tell you that "updates are available," but not always why they are needed, and rarely with as much granularity as is the norm in the FOSS world, where the advisory names the package, the CVE and the fixed version.
Another factor is that a GNU/Linux distro is a whole stack of programs, not just one. Windows, macOS and even Android don't install, or take responsibility for patching, most third-party applications. A Linux distro, on the other hand, issues advisories for just about any package in its repository, which may contain thousands of applications and utilities from upstream providers, so a single distro's security feed covers a far larger surface than a single vendor's.
So are major Linux distros going to report lots more bugs and security problems than their proprietary “competition?” Well, duh. Of course!
The Linux distro is also likely to tell you about bugs as soon as a fix is ready (distros do honor short coordinated-disclosure embargoes for serious bugs, but the advisory goes out when the package is updated) instead of waiting for an arbitrary day like "Patch Humpday" or a press conference where they also announce some sort of positive news — "Now includes NSA-supplied encryption back door for added security!" — or some other new feature they're proud of.
When it comes to bugs, hacks and security breaches, FOSS is typically "no waiting" in telling users about program flaws.
So even though your GNU/Linux distribution probably has fewer holes and problems than most proprietary software, the fact that you learn about each and every one, down to the source code level if you want to go there, makes it seem worse than it is. The raw advisory counts simply aren't comparable: a distro's count covers thousands of packages, a vendor's count covers only what that vendor ships, and a vendor that publishes less detail is not thereby shipping fewer bugs. By that measure, the typical Windows-plus-applications installation has no fewer vulnerabilities than a GNU/Linux distro; you just hear about fewer of them.
On that note, I see that my Windows PC downloaded a bunch of stuff last night and rebooted, even though I set it over and over to not install updates without my say-so, while my two Linux machines only update at my command — and hardly ever reboot even then.
Guess which pattern I prefer? That’s right! The GNU/Linux one. And so should you.
Robin "Roblimo" Miller