bj-kaiser, on Aug 16 2009, 07:44 AM, said:
Not defending anyone; things like this can happen in projects of that size.
I'm just saying even if you are a fan of MS you should sweep before your own door before you pull jokes about what MS (now) calls competitors.
An awfully large bunch of obnoxious Linux zealots keep repeating and telling everyone Windows is insecure though. And that it's also more secure because everyone can look at the source code, and that this "many eyeballs" way makes these things never happen. And that with things like SELinux, they're 100% protected against everything. Whereas in reality, it's a VERY different picture.
If you count from around Y2K or so (starting from the Linux kernel 2.2.x and Win2k Server to Win2008), we get very similar pictures:
Linux: 280 advisories, 475 vulnerabilities with 7% unpatched (worst being rated "less critical")
Win: 472 advisories, 580 vulnerabilities with 7% unpatched (worst being rated "less critical")
It only looks somewhat favorable to Linux in this case because basically no one really looked at Linux back when Win2k was out, and there is basically nothing about it (2.2.x: 8 advisories, 5 vulnerabilities), whereas the new kernels, which a lot more people use and which get a lot more attention, have far more (2.6.x: 187 advisories, 353 vulnerabilities).
If you look from 2003-now (a time frame where more eyes were laid on Linux, due to having more users), we get this:
Linux 2.6.x: 187 advisories, 353 vulnerabilities, 5.8% unpatched (worst being rated "less critical") -- spanning over 5 years and 8 months.
Win2k3+: 242 advisories, 341 vulnerabilities, 5.3% unpatched (worst being rated "less critical") -- spanning over 6 years and 4 months (2/3 of a year extra, or 12% longer)
If you were to adjust the numbers for an identical time span (or remove all the bugs discovered in the first 8 months Win2003 was out), then Linux looks even worse.
And here, we're merely comparing the Linux kernel's flaws against an entire OS and all of its components combined. That's not even remotely fair!
If you were to take the current version of the most common commercial server-oriented Linux distro (that would be RHEL 5) and compare it to the latest version of Windows Server (the best/latest the two biggest companies have to offer), we get these:
RHEL 5: 273 Secunia advisories, 829 Vulnerabilities, 0 unpatched, been out for 2 years, 5 months
Win 2008: 40 Secunia advisories, 82 Vulnerabilities, 0 unpatched, been out for 1 year, 6 1/2 months
Yes, RHEL has been around for 50% longer, but even if you boost Win 2008's numbers up by 50%, we're *nowhere near* RHEL 5's numbers. 600% more advisories and 1000% more vulnerabilities in 50% longer?
Simple comparison (I'm not going to manually compare 1000's of bugs spanning over several years, sorry), but I think it makes a point regardless. It hardly looks like the perfect, 100% bulletproof, impenetrable Fort Knox they make it out to be now, does it? That doesn't prevent them from laughing "M$ Windoze is insecure! LOL BSOD!" all the time. That very much explains PC_LOAD_LETTER's point.
And if this wasn't MSFN, there would be people calling me a paid shill or astroturfer within mere seconds of posting this. As if Bill himself personally hands a fat cheque to everyone who likes Windows and ever said so on the internet. And if anything has ever not worked on Linux then it's either my fault for being too stupid (including when drivers don't exist), that I should STFU and fix it myself and submit a patch (yeah, exactly what the average end user wants!), or because I've been too lazy to try these 52 other distros, or whatever other nonsense. Only to tell me afterwards that the GIMP is a perfectly good replacement for Photoshop CS4, Evolution for Outlook, OOo for MS Office and so on.