The Quality of Debian GNU/Linux

I have been using a pre-release version (Wheezy) of Debian GNU/Linux on my PCs for months with great satisfaction. How is that possible with hundreds of known bugs in the repository? Simple. The repository holds many thousands of packages and I have only a couple of thousand of them installed, so most of those bugs sit in code that never runs on my machines. The odds are in my favour. In fact, if you search the Debian bug tracker with “ignore bugs not in Wheezy” and restrict it to the “base system”, the count is only 26:

Debian Bugs Search.

If one restricts the count to the packages I actually have installed, it is probably fewer than 50. Eat your heart out, users of that other OS, because M$ thinks it’s OK to release with an estimated 50K bugs and little or no security… The strength of Debian GNU/Linux comes from being open about bugs: the counts are public, the information is shared, and that is what inspires confidence in the software.

On Lose ’98 security (BackOrifice):
According to the cDc, the program, when installed, will reveal all cached passwords, create shares hidden to the user and reveal the passwords of existing shares, start programs, shut down programs or upload and download files. It also makes itself mostly invisible in that it does not appear on the list of running programs accessed when CTRL+ALT+DEL is pressed the first time.

Microsoft’s press release on the subject does not inspire confidence. Especially the part where it claims that “Microsoft takes security seriously”. The part where it advises users to follow safe computing practices has a special irony when it appears that the Back Orifice program does not do anything that the Windows 95/98 operating system was not designed to do. Some experts consider that Windows 95/98 does not have any real security and that this was what the program was intended to highlight. Microsoft claimed that “BackOrifice does not expose or exploit any security issue with the Windows, Windows NT or the Microsoft BackOffice suite of products.”

About Robert Pogson

I am a retired teacher in Canada. I taught in the subject areas where I have worked for almost forty years: maths, physics, chemistry and computers. I love hunting, fishing, picking berries and mushrooms, too.
This entry was posted in technology.

30 Responses to The Quality of Debian GNU/Linux

  1. Chris Weig says:

    “Big problem with closed source: how do you know if a project lacks maintenance, Chris Weig? You don’t. You cannot see what the source code is doing with closed source; you could just count the version number forwards and release, so appearing to do maintenance when doing nothing. Only the lead programs in FOSS or closed source are properly maintained. FOSS does allow you to find out.”

    Wait… I don’t know if a project is maintained or not because I can’t see its source code? This statement is nuts as it is, but you also construct a reality which is severely undercomplex. If I ever reach a point where I have to find out if some software is maintained or not, meaning: if I can rely on it any longer, then I’m already in trouble, closed source or open source, because I haven’t evaluated my options early enough and waited until the inevitable happens: I’m using a software which by all means and purposes is dead. Are you suggesting that scouring the commit log is a remedy for this?

    And again: the source code is only of hypothetical value to you. You have to be able to read it, you have to be able to understand it. And you, Mr. oiaohm, are mistakenly assuming that there’s something like a web of trust for every piece of open source code, where you can rely on this code purely because it’s open source. In your world open source in itself is sufficient enough for attesting code a certain quality.

    “Chris Weig, the embedded paper was comparing to the best closed source out there, like VxWorks. Stuff that makes Windows look primitive for security and stability. This is the problem. Linux is fairly much in line with the best closed source. The big problem here is that Windows is not the best closed source.”

    No, in the paper four kernels are compared. VxWorks doesn’t play any role in the paper. Learn to read!

    “Myth. Funny enough, items like MP3 and other items in MPEG LA: companies in it have been sued. Why? There is no promise that everyone with patents will do the right thing with them.”

    MP3. Wow, you had to dig out an old one. MPEG LA was formed precisely to prevent such a patent thicket. And by and large it works out just fine.

    “There is a patent pool behind WebM as well, Chris Weig. Quite a large one, in fact.”

    Has it helped them? No. And it won’t. Don’t expect WebM to supersede H.264 or H.265 or whatever comes after that.

  2. oiaohm says:

    Chris Weig
    “You are out of your feeble, little mind, Peter Dolding. FLOSS may offer a theoretical advantage by the code being open. But someone still has to do the work. And the farther away you move from shining beacons like the Linux Kernel, the more unlikely it gets that someone else than the developer will stumble over a bug and fix it.”

    Really, how little you know, Chris Weig. There are a lot of software auditing tools out there. Anyone maintaining properly secure sites should be running this stuff, like the US military and other militaries around the world.

    When you get into the doghouse of closed source, like shareware and freeware programs, you also have the same problem of a really bad lack of maintenance. Big problem with closed source: how do you know if a project lacks maintenance, Chris Weig? You don’t. You cannot see what the source code is doing with closed source; you could just count the version number forwards and release, so appearing to do maintenance when doing nothing. Only the lead programs in FOSS or closed source are properly maintained. FOSS does allow you to find out.

    Like, I get some backward PHP thing, I run a PHP audit over it, the thing throws up flaw warnings, I try something else.

    Brillo
    “Even with the Linux kernel, it’s highly doubtful that each line of the code has been read through by more than a few people (including the originator and the respective maintainers) – let alone closely inspected.”
    The answer is that 12 people have read every section as part of the Linux maintenance process. Two sign-offs are required before a patch gets to Linus, and zero objections. So 3 people should have fully read the code before it goes into Linux in the first place; the other 9 come by the maintenance process. There is a very formal process to Linux kernel development, including PGP-based signing.

    That is not allowing for those on the LKML mailing list who can object to patches, as I have done from time to time, and seen the patch be rejected from inclusion because of it.

    Chris Weig, the embedded paper was comparing to the best closed source out there, like VxWorks. Stuff that makes Windows look primitive for security and stability. This is the problem. Linux is fairly much in line with the best closed source. The big problem here is that Windows is not the best closed source.

    Chris Weig
    “The risk of being sued is kept to a minimum, while you have no such guarantee with “open” FLOSS “standards” like Google’s WebM”

    Myth. Funny enough, items like MP3 and other items in MPEG LA: companies in it have been sued. Why? There is no promise that everyone with patents will do the right thing with them.

    http://www.lawsof.com/page/Google-Brokers-Patent-Peace-Talks-for-WebM-Technology.html There is a patent pool behind WebM as well, Chris Weig. Quite a large one, in fact.
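
The sign-off chain the comment above refers to is carried in commit-message trailers: the kernel's Developer Certificate of Origin process requires a Signed-off-by line from the patch author and from each person who relays the patch towards Linus, and reviewers and maintainers add Reviewed-by and Acked-by lines. The check below is an added example, not part of the comment and not the kernel's own tooling. It parses the trailer block of a commit message (git's convention: the last paragraph, when every line in it is `Key: value`), and enforces that the author has signed off and that at least a configurable number of distinct people have; that number is an assumed local policy knob, not a kernel rule. Verifying the PGP signatures on tags (`git verify-tag`) is a separate step outside its scope. The commit messages, names and addresses are constructed.

```python
import re

# A trailer line is "Key: value"; an identity inside a value is "Name <email>".
TRAILER_RE = re.compile(r"^([A-Za-z][A-Za-z-]*):\s*(.+?)\s*$")
IDENT_RE = re.compile(r"^(.*?)\s*<([^>\s]+)>$")

def parse_trailers(message):
    """Return [(key, value)] from the last paragraph of a commit message, which git
    treats as the trailer block when every line in it is 'Key: value'."""
    paragraphs = [p for p in message.strip().split("\n\n") if p.strip()]
    if len(paragraphs) < 2:  # subject only, no separate trailer block
        return []
    trailers = []
    for line in paragraphs[-1].splitlines():
        m = TRAILER_RE.match(line)
        if not m:  # a free-text line means the last paragraph is body, not trailers
            return []
        trailers.append((m.group(1), m.group(2)))
    return trailers

def signoff_emails(trailers):
    """Distinct, lower-cased e-mail addresses taken from Signed-off-by trailers."""
    emails = set()
    for key, value in trailers:
        if key.lower() == "signed-off-by":
            m = IDENT_RE.match(value)
            if m:
                emails.add(m.group(2).lower())
    return emails

def check_signoffs(message, author_email, min_signoffs=2):
    """Return (ok, problems). min_signoffs is an assumed local policy, not a kernel rule."""
    problems = []
    signers = signoff_emails(parse_trailers(message))
    if not signers:
        problems.append("no Signed-off-by trailer")
    if author_email.lower() not in signers:
        problems.append(f"author {author_email} has not signed off (DCO)")
    if len(signers) < min_signoffs:
        problems.append(f"{len(signers)} distinct sign-off(s), policy wants {min_signoffs}")
    return (not problems, problems)

# Constructed sample commit messages with hypothetical people and addresses.
GOOD = """\
net: frob the widget before enabling it

Without this the widget is enabled with stale state.

Signed-off-by: Alice Author <alice@example.com>
Reviewed-by: Bob Reviewer <bob@example.com>
Signed-off-by: Carol Maintainer <carol@example.com>
"""
BAD = """\
net: frob the widget before enabling it

Reviewed-by: Bob Reviewer <bob@example.com>
"""

if __name__ == "__main__":
    for label, msg in (("good", GOOD), ("bad", BAD)):
        ok, problems = check_signoffs(msg, "alice@example.com")
        print(label, "OK" if ok else "REJECT: " + "; ".join(problems))
```

Wired into a pre-receive hook (with `git log --format=%B` for the message and `%ae` for the author), this rejects pushes whose commits lack the sign-off chain; it says nothing about whether the code was actually read, which is the point the next commenters argue over.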

  3. oldman says:

    Pog, I ask again. How long are you letting this person spew his content free bile?

  4. Chris Weig says:

    Out of the padded cell again, kozmcrae? I’d change mental institutions if I were you.

  5. kozmcrae says:

    Chris !asshole! Weig wrote:

    “Dude! There are no locked up standards!”

    Chris the big FAT asshole.

  6. Brillo says:

    “Locked standards, meaning, those that are not freely available, until one pays protection money to obtain them.”

    People pay to make Blu-ray, DVD and music players as well. Nobody cares.

    “Most standards are voluntary in the sense that they are offered for adoption by people or industry without being mandated in law.”

    False. Standardization offers no value proposition of its own and increases the overall cost of production (as a result of extra efforts to comply with standards) for manufacturers/software developers. In most cases, industry standards are just vehicles to create a barrier to entry to an existing market, initiatives to band together smaller players to compete with bigger business rivals, or evolutionary results of certain types of products.

  7. dougman says:

    “Locked standards, meaning, those that are not freely available, until one pays protection money to obtain them.” I wasn’t referring to computer standards; I am talking about standards for energy and safety.

    Most standards are voluntary in the sense that they are offered for adoption by people or industry without being mandated in law. Some standards become mandatory when they are adopted by regulators as legal requirements in particular domains.

    Example:
    A standards organization gets together, decides on a course of action, then forces someone to pay for information which should have been open and free to begin with, to benefit all of society.

  8. Chris Weig says:

    What is this? Imbecile hour?

    OpenAccess is — like anyone could most likely guess — about free (as in beer) access to scientific articles.

    And now dougman’s brain stopped working, because he’s writing some nonsense about “[l]ocked up” standards.

    Dude! There are no locked up standards! A standard couldn’t become a standard if it were locked up. That wouldn’t make sense. That’s, by the way, what Steve Jobs tried to teach you imbeciles when he remarked that H.264 was an open standard. Yes, OPEN. Because everyone can implement it. No, that H.264 is patent-encumbered has nothing to do with it. Quite on the contrary. FLOSS fanatics may wish the MPEG LA to hell but the H.264 license pool is precisely what enables companies to implement H.264. The risk of being sued is kept to a minimum, while you have no such guarantee with “open” FLOSS “standards” like Google’s WebM (have they finally finished converting all their videos?).

    Did some FLOSS-tards come up with H.265? No, MPEG did. And the standard is open.

    And one more thing, for the very last time: open source is not a quality criterion. For example, it’s nice that the Blender Open Movies are “open source”. But they also very much suck. Will I stop going to the movies or watching TV because of “open movies”? Hell no.

    If 90% of everything is cr*p, then “open” things are no exception.

  9. Phenom says:

    “Any business that gives away its software automatically will generate customers for its services.”

    The reality proves you wrong. Sorry.

  10. dougman says:

    Opensource science is also coming around these days: http://www.intechopen.com/

    Locked up standards are becoming the OLD school model *looks* at IEEE.

    Apple used to be so far ahead of the pack that they didn’t care about the competition. Now they just want to sit on their laurels and collect revenue.

    I could also say the same about music moving towards open source, but I have already skewed the discussion.

  11. Phenom wrote, “No sane company would reveal their own code, the code which the invested in, just for nothing. If they do it, everyone will be welcome to copy their ideas, and their implementations.”

    Mindshare is what every legitimate business wants. Any business that gives away its software automatically will generate customers for its services. Of course, outfits like M$ have very little service to sell. They are unwilling to work for a living, the ultimate corporate welfare bums.

  12. Brillo says:

    “I guess Google and Amazon are insane then.”

    In case you are not aware, Kindle and Android are of no value on their own. Think about this: what good is a razor without the blade? The platforms themselves in this case are the razor, and their respective ecosystems are the blade. Neither Google nor Amazon, at the end of the day, has anything to lose by giving away the source code of those platforms.

    Try asking Google to reveal their search algorithm and see if they are going to give it to you.

  13. dougman says:

    I guess Google and Amazon are insane then.

    http://www.amazon.com/gp/help/customer/display.html/ref=hp_left_sib?ie=UTF8&nodeId=200203720

    https://developers.google.com/android/nexus/images

    However, let’s not just reserve this to software. Open-source hardware (OSHW) is becoming prevalent these days, is valued at double-digit millions collectively, and is expected to reach into the billions in a little under 5-10 years.

  14. Phenom says:

    Pogson wrote: If “many eyes” does not matter, M$ would reveal their code.

    That is rather superficial. No sane company would reveal their own code, the code which they invested in, just for nothing. If they do it, everyone will be welcome to copy their ideas, and their implementations.

    An acquaintance of mine is making his living (quite nicely) by selling plug-ins to ESRI ArcGIS, which solve various spatial problems. Now I give you three guesses why he keeps his code a secret.

  15. dougman says:

    It sure would be nice if M$ revealed their code for out-dated software, and let the community take ownership as a good-will gesture.

    I’m not holding my breath.

  16. Brillo, ignoring reality again, wrote, “it is simply naive to believe that a so-called “bazaar” development model will in anyway guarantee security or even anything in return.”

    Know what a patch of software is? Without the “many eyes” concept there would be far fewer patches these days. I can remember binary patches… FLOSS does allow developers to patch their own software or another’s. Often patches are routed through some key person or group, to make sure the big picture is respected but many eyes are still available and enabled to examine the code. It’s in the licence. That other OS forbids that examination. There must be a reason… It’s not technical but about greed. M$ fears losing control of that other OS if they reveal the code. That’s no matter to people who want the code. They can get it by reverse-compiling. It is a matter for law-abiding people who respect the EULA. So, M$ is harming their good customers and doing nothing to prevent the bad guys from doing their thing. That makes M$ an abusive business partner, something we should all avoid.

    If “many eyes” does not matter, M$ would reveal their code.

  17. Chris Weig says:

    Dougman, are you braindead? Yes, you probably are, so no more rhetoric questions. Your only argument for Linux’s superiority is: “it can be read.” Duh! Who would’ve thought that? That the code of a FLOSS project can be read (and changed)? But your paper is interesting. At least you don’t seem to have read it any more carefully than Mr. Pogson reads his linked-to documents. Because under “5. Summary and Discussion” it says:

    “Therefore, the most we can read from the overall balance of marks is that open source development approaches do not produce software of markedly higher quality than proprietary software development.”

    Really doesn’t help your case, or does it?

  18. dougman says:

    Re: the Linux kernel, at least it CAN be read.

    With the M$ Windows kernel, you never know what it is doing, and if you do not like what Windows is doing, then tough, as you do not own it.

    Here is a decent paper on the subject: http://www.spinellis.gr/pubs/conf/2008-ICSE-4kernel/html/Spi08b.pdf

    If one wants to strip down the Linux kernel to speed up booting for an embedded device, you can do it; with Windows one can do the same thing, but not legally as per the EULA.

  19. Brillo says:

    You are out of your feeble, little mind, Peter Dolding. FLOSS may offer a theoretical advantage by the code being open. But someone still has to do the work. And the farther away you move from shining beacons like the Linux Kernel, the more unlikely it gets that someone else than the developer will stumble over a bug and fix it.

    Even with the Linux kernel, it’s highly doubtful that each line of the code has been read through by more than a few people (including the originator and the respective maintainers), let alone closely inspected. Having the source code out there simply doesn’t mean someone will actually put effort into maintaining it or even pay attention to it. The million eyeballs theory preached by ESR and the like, thus, is simply nothing more than a myth, and it is simply naive to believe that a so-called “bazaar” development model will in any way guarantee security or even anything in return.

  20. Chris Weig says:

    “Closed source needs to seriously improve their processes. The problem with closed source is the idea that no one will find out about your defect, so you can forget about it. FOSS code release takes that idea out of developers’ minds.”

    “You are out of your feeble, little mind, Peter Dolding. FLOSS may offer a theoretical advantage by the code being open. But someone still has to do the work. And the farther away you move from shining beacons like the Linux Kernel, the more unlikely it gets that someone else than the developer will stumble over a bug and fix it.”

    If FLOSS were so great as a “process” (it isn’t really a process), then GIMP should’ve had Photoshop by the throat a long time ago. It didn’t happen, it won’t happen. Not enough developers. Bad project management. But I’m sure that somewhere someone is tirelessly scouring GIMP’s source code day and night. If you ever meet this person, let me know.

  21. oiaohm says:

    Brillo, just to be scary: Coverity, who is the independent USA government auditor of what are normally closed and open source code bases, put the average defects per line of code for commercial closed source at about 1 per 1000 lines of code. The Linux kernel is currently running at about 0.62 bugs per thousand lines of code.

    The average for the FOSS Coverity checks is 0.47 per 1000 lines of code. So the Linux kernel itself in 2011 was one of the worse for flaws compared to the rest of FOSS. Compared to closed source it’s very decent.

    http://www.coverity.com/library/pdf/coverity-scan-2011-open-source-integrity-report.pdf

    When it comes to bugs per line of code, we have very recent documents to refer to, Brillo.

    The average closed source code base is 7.5 million lines.
    The open source projects average 832,000 lines of code.

    There is a lot more reinventing the wheel in closed source than in FOSS, leading to vastly bigger code bases. Yes, the Linux kernel being huge is the lack of shared driver source with other OS projects.

    In fact, a lot of closed source makers have been found using private mirrors of open source and other closed source projects, failing to update them and also failing to send updates out to end users.

    Yes, for quality process development we have auditors. FOSS is doing well. FOSS can do better.

    Closed source needs to seriously improve their processes. The problem with closed source is the idea that no one will find out about your defect, so you can forget about it. FOSS code release takes that idea out of developers’ minds.

  22. Brillo says:

    “Do you have some “explanation” such as geography or business use bias or such that is similar to the way that you explain away the lack of interest in Linux itself vis-a-vis Windows?”

    You are expecting too much from a person who lacks the ability to even comprehend his own source:

    What if Microsoft were certified to the highest level of the Capability Maturity Model? Level 5 organizations employ a wide range of practices to generate great software. A CMM5 project typically ships with 1 bug per thousand lines of code. For Vista that works out to 50,000 bugs.

    This isn’t an anti-Microsoft rant. It’s a peek inside the problems any organization has when building huge programs. Though we do indeed have ways to build better code, the costs are huge, and scale exponentially as the program size increases.

    The largest commercial embedded systems I’m aware of are some cell phones which have around 5 million lines of code, generally a mix of C, C++ and Java. Though few if any of these companies work at CMM level 5, that 0.1% bug rate would yield 5,000 defects, a hopelessly buggy product. One can only hope that the most important features (like making a phone call) work well enough for most users most of the time.

    (bolded mine)

  23. Clarence Moon says:

    “Web stats can be misleading.”

    You say that a lot, Mr. Pogson, usually whenever the misleading statistic runs counter to your wishes. Here, however, it would seem to me that the statistic is neutral in terms of biasing a result. It is counting the Linux users use and that seems to show Ubuntu as some two orders of magnitude more likely to appear than Debian.

    Do you have some “explanation” such as geography or business use bias or such that is similar to the way that you explain away the lack of interest in Linux itself vis-a-vis Windows?

  24. Brillo says:

    On Lose ’98 security

    You have a fetish for ancient operating system releases, don’t you? No wonder you seem to be so fond of Debian ;).

  25. Chris Weig says:

    The quality of your posts is ever declining, Mr. Pogson. You haven’t understood either of the two links you used to “prove” how bad Windows is. Thus this post is — like many before it — nothing more than pure FUD.

    Please do a better job next time.

  26. kurkosdr says:

    Of course Debian has few bugs. Most of their software is from upstream, so all bugs get reported to the bug trackers of upstream, and don’t show up in the Debian bug tracker. You know, X.org’s tearing issues, PulseAudio’s volume bugs and latency issues etc. Plus many minor bugs that cause windows to vanish and such.

    Buying a Mac and selling my soul to Apple* is too small a price to pay for not being forced to use X.org and PulseAudio. Yes, X.org and PulseAudio are that bad.

    The only “Linux” I can use happily is Android, because it doesn’t have X.org and PulseAudio. Period.

    *the selling my soul part is for irony

  27. Clarence Moon wrote, “Debian as 0.01% by itself. That would seem to make Debian a rara avis even amongst Linux fans. How do you account for it being held in such low esteem?”

    Web stats can be misleading. Debian GNU/Linux gets the same order of magnitude of hits as Mint or Ubuntu GNU/Linux; see Distrowatch.

    Major roll-outs that use Debian GNU/Linux include Munich, which started with Debian GNU/Linux and now reports Ubuntu GNU/Linux. They certainly do hold Debian GNU/Linux in high esteem. One might prefer Ubuntu GNU/Linux over Debian GNU/Linux for LTS or the release-cadence but I know of no one who thinks less of Debian for such reasons.

  28. JR says:

    @Clarence Moon

    Clarence, as always, another well thought out comment from you.
    “How do you account for it (Debian) being held in such low esteem?”
    Why do you think Ubuntu and many other distros are based on Debian?
    Because it is held in low esteem?
    Trust you to base another moronic comment on a percentage.
    What is your fascination with numbers? As I said before, you can’t even work out a ratio.

  29. Clarence Moon says:

    Your favorite stats source, Wikimedia, shows desktop Linux sitting at 1.53% these days and Debian at 0.01% by itself. That would seem to make Debian a rara avis even amongst Linux fans. How do you account for it being held in such low esteem? Are you making a mistake?

    Wouldn’t it be a better strategy for all you Linux fans, as pitifully small a number as you can muster, to rally around a single version, presumably Ubuntu, in order to maximize the effects of your advocacy? After all, you have bragged about Ubuntu, where they managed to convince Dell to offer it pre-installed.

  30. dougman says:

    Debian Linux is VERY stable; this is what Ubuntu was derived from.

    Regarding M$, on every Patch Tuesday, which is the second Tuesday of each month, one only has to read the following:

    “Microsoft patches critical security holes in Windows, Office, IE.
    The company issued fixes (26 just recently) for security vulnerabilities, including for SQL Server and Exchange, etc.”

    Windows and bugs are synonymous, as one can clearly see when driving down the road. All the prior versions of Windows have been susceptible to all sorts of contagion and nefarious malcontent.

    Windows 8 will be more of the same; nothing changes when it comes to their lack of security, or should I say “insecurity”.

    M$ is so predictable, that new malware is released on the following day to counter the updates, imagine that! You would think that they would care enough and offer daily updates, but wait there is more!

    Updates from M$ Windows typically require reboots, so daily updates will hinder work, the horror!
