Ubuntu wins best distribution award



matthew
October 8th, 2005, 05:49 AM
Congratulations!

http://www.ubuntu.com/newsitems/uklosa

BWF89
October 8th, 2005, 01:59 PM
If enough people switch to Ubuntu and it stands the test of time maybe companies will start porting software to Linux since most of its users are using a single distro.

landotter
October 8th, 2005, 02:18 PM
If enough people switch to Ubuntu and it stands the test of time maybe companies will start porting software to Linux since most of its users are using a single distro.

That's a common myth, that somehow it's hard to develop software for Linux because of the different distros and package formats.

Look at Opera, Flash, the Last.fm player--it's not an obstacle. Also look at autopackage--it's quite easy to make a distro-agnostic installer.

Software will be ported to Linux once the user base gets larger. The user base will get larger once more software gets ported to Linux...

lothar_m
October 8th, 2005, 02:20 PM
That's a common myth, that somehow it's hard to develop software for Linux because of the different distros and package formats.

Look at Opera, Flash, the Last.fm player--it's not an obstacle. Also look at autopackage--it's quite easy to make a distro-agnostic installer.

Software will be ported to Linux once the user base gets larger. The user base will get larger once more software gets ported to Linux...

Touche

ubuntu_demon
October 8th, 2005, 02:23 PM
congratulations to ubuntu!

let's make ubuntu even more popular together :)

Lovechild
October 8th, 2005, 02:25 PM
That's a common myth, that somehow it's hard to develop software for Linux because of the different distros and package formats.

Look at Opera, Flash, the Last.fm player--it's not an obstacle. Also look at autopackage--it's quite easy to make a distro-agnostic installer.

Software will be ported to Linux once the user base gets larger. The user base will get larger once more software gets ported to Linux...


A larger userbase is not enough, there has to be a standard - you cannot possibly maintain a package for every single distribution - it's just not feasible, that is why the LSB and fd.o are good for us.

However I couldn't care less about having 3rd party closed source applications ported to my platform - why do I need them?

ubuntu_demon
October 8th, 2005, 02:33 PM
A larger userbase is not enough, there has to be a standard - you cannot possibly maintain a package for every single distribution - it's just not feasible, that is why the LSB and fd.o are good for us.


true



However I couldn't care less about having 3rd party closed source applications ported to my platform - why do I need them?

why more 3rd party support ? IMO :
we want better hardware support from manufacturers. at least cooperation or closed drivers .. but even better : open source drivers

we want commercial games (because they are fun,show the power of linux,make linux more feasible as a primary OS for family pc's)

landotter
October 8th, 2005, 02:38 PM
- you cannot possibly maintain a package for every single distribution -

Um...
Why do you believe that myth? ;)

I'll repeat: it's perfectly possible to make distro agnostic software and installers right here and now. I mean, the only basic requirements for a lot of software is that you have reasonably modern versions of QT, GTK, and the Linux kernel.

Some folks will say, "What about the dependencies?!". Well, include the little buggers in the installer, just like Windows does.

Now I'm not advocating that every software package for Linux do this--that would be a royal pain in the tucchus--I still think that we can disagree on packaging--some folks use .rpm, some .deb, and a select few can be slackers(tm). But that's for the base system-which in Linux is most of your system. For addons, like the new MS OfficeLinux or DreamWeaver-Penguin--there's really no reason for them not to use their own home grown installer--heck--they can put an annoying "uninstall xx" into the menu just like in Windows.

Arktis
October 8th, 2005, 03:30 PM
Well, my feelings about ubuntu have been further validated by this award but I am also beginning to feel a certain sense of dread. Just as I felt about firefox. Anyone who's been following neowin.net, slashdot, or even lesser known tech news sites and blogs will know what I mean.

I hope my fears are unfounded here but what does this imply for the future security of ubuntu and linux in general? Am I going to have to be an expert just to stay reasonably safe a few years from now?

Allow me to explain this in a simple way.

More Quality -> More Popularity -> More malicious attention

I don't much like the prospect of rooting around in the guts of my system to stay reasonably secure in the future; I'm no expert.

Lovechild
October 8th, 2005, 05:52 PM
Um...
Why do you believe that myth? ;)

I'll repeat: it's perfectly possible to make distro agnostic software and installers right here and now. I mean, the only basic requirements for a lot of software is that you have reasonably modern versions of QT, GTK, and the Linux kernel.

Some folks will say, "What about the dependencies?!". Well, include the little buggers in the installer, just like Windows does.

Now I'm not advocating that every software package for Linux do this--that would be a royal pain in the tucchus--I still think that we can disagree on packaging--some folks use .rpm, some .deb, and a select few can be slackers(tm). But that's for the base system-which in Linux is most of your system. For addons, like the new MS OfficeLinux or DreamWeaver-Penguin--there's really no reason for them not to use their own home grown installer--heck--they can put an annoying "uninstall xx" into the menu just like in Windows.

Oh you are one of those ill-fated people who believe in autopackage... that explains a lot.

yes please start replacing packages that my distribution includes, the mess this would create in terms of security, version differences, patched vendor packages.. no autopackage is just a misguided approach.

Pablo_Escobar
October 8th, 2005, 05:58 PM
And Ubuntu deserves this award like no other distro !!

OS, community, shipit - pure class :)

GeneralZod
October 8th, 2005, 07:48 PM
Allow me to explain this in a simple way.

More Quality -> More Popularity -> More malicious attention

I don't much like the prospect of rooting around in the guts of my system to stay reasonably secure in the future; I'm no expert.

Ah, the old popularity == exploits argument :)

Just because something is more intensively targeted by malicious entities, does not necessarily imply that these entities will be successful in their goal; after all, a tank that accidentally strays into the annual People Who Like to Shoot Things With Pea-shooters Convention will likely be "a target", but we wouldn't worry about the fate of our tank, would we? :)

Let's examine the situation further.

A malicious entity will presumably not have physical access to your machine, so if they want to hack it, they must do it via the internet (obviously). The only way to do this is to exploit a vulnerability in some internet-using program running on your machine and get it to execute their code.

Such programs can be roughly divided into two types: those that sit listening for information from the net, and those that make requests from the net and act on the data they receive. sshd, samba, cvs etc are good examples of the former; web browsers like Firefox, or PDF readers (if you download and open a PDF from the net) are examples of the latter.

Interesting side-note: studies show that a plain, unpatched, vanilla XP disc (such as that used by a significant portion of the population when they re-install) if installed while connected, unfirewalled, to the net will be exploited and zombified in an average of 12 minutes. Without user intervention. This is because the original install of XP opened up a number of listening services by default, and those services turned out to have exploitable vulnerabilities. The net is saturated with PC's port-scanning other PC's for these vulnerabilities, and when they find such a vulnerable, unfirewalled PC, the vulnerability is exploited and a new zombie PC is born, which will now begin actively looking to recruit others. A significant portion of Windows' security problems can directly be attributed to this. Which brings me to Reason Not to Panic #1:

Ubuntu has no network-facing services enabled by default

A PC with no services listening on ports is, I think, invisible to would-be hackers. Even if they know your IP address and username and password, they are powerless. Your computer may as well be switched off for all the damage they can do to it. (Someone correct me if I'm wrong on this point).

This side-note also leads us to Reason Not to Panic #2. As mentioned, the problem above stems from people using old media from when it was first bought. A sizeable portion of people would have received XP near when it first came out, and so will be 0wned each time they try to re-install from this old, leaky media - usually before they'd had a chance to download the patches! The fact that MS releases fresh, pre-patched CD's infrequently doesn't help matters. So, #2:

Ubuntu has no huge legacy install-base.

Each successive release of Ubuntu has (presumably) none of the known vulnerabilities of the old, so people won't fall foul to any exploits that targeted the previous release. The fact that whole new releases come out frequently and for free means that we will probably never end up in the situation where droves of people have only installation media so vulnerable that they can't even be patched before they are 0wned.

That was a long digression, so let's go back to the other types of programs that interact with the potentially dangerous net - browsers and PDF readers were the examples given. Straight away, I'm going to cross off everything but web browsers, as while vulnerabilities in e.g. PDF readers are routinely publicised, I've never, ever heard of any of these being exploited - it's simply too much work with too little chance of success for the malware purveyors (this is another point which I'll come back to later).

As we all know, IE is another technology responsible for the malware epidemic currently plaguing Windows PCs - in fact, I'd bet that the combination of unfirewalled network-facing services and IE account for the vast majority of Windows exploits. The reason why browsers are such a good vector for infection is that the average webbrowser will send out loads of requests for information, almost indiscriminately, all over the web including very seedy areas (according to the character and tastes of the person doing the browsing :)), and then performing a great deal of computation on the results (merely decompressing images and preparing web-pages for display are extremely complex and intricate tasks). If there is a known flaw in this immensely tricky procedure, then it can be exploited and the exploiter's code run on your machine.

Microsoft made mistake after mistake after mistake with IE. For one, there's Active X, which I'm sure I hardly need to expand on :) Secondly, and perhaps most critically, they ignored known vulnerabilities for months at a time. In fact, I think that even now there are still vulnerabilities unpatched that were discovered months ago. This was a mistake as it allowed a thriving malware industry to spring up when it could have been nipped in the bud. This is part of an earlier point which I said I'd explore later on, so again I'll leave this for the time being. Thirdly, they bundled IE with Windows with the result that only a minority of people even knew that alternate browsers existed (in fact, some have claimed that only a minority even know what a browser is) which in turn ensured that until a year ago, probably upwards of 95% of people all used exactly the same problem. If I'm a virus looking to infect as many things as possible, a field of clones will leave me rubbing my hands in anticipation - complete homogeneity is a cracker's dream come true, as all machines will be susceptible to the same exploit.

Reason not to Panic #3:

Ubuntu's approach to web browsers is nowhere near as brain-dead as that of Microsoft's.

Firstly, there is no analogue to Active X - to run code on your machine, the malicious entity will have to find and exploit a proper vulnerability, or outright trick the user into manually running the entity's executable. By comparison, Active X is a welcome mat with "Use My CPU for Free!" emblazoned across it :) Secondly - well, I'll leave you dangling on this until later :) Thirdly, while Firefox is inordinately popular, there is still a marked spread of browser usage across Linux distros. And, as mentioned, new users switching to Ubuntu will have, even before they patch, a browser invulnerable to any known exploits older than 6 months.

Hopefully, this has shown that the two most often-used points of attack - services listening on ports (Ubuntu has none) and web-browsers (no "Welcome, Crackers!" technologies like ActiveX; increased heterogeneity) - are in better shape on Linux than on Windows. Also, the adoption of a Least Privilege security model by most distros is of inestimable importance.

I'm too tired and full of Chinese food to carry on this tract at the moment; I'll finish it off later. I'd appreciate it very much if people would critique and add to it so that it is eventually sufficiently sound and comprehensive to just be linked to whenever this discussion comes up :)

Arktis
October 8th, 2005, 08:49 PM
Well, I am certainly thankful you took the time to type such a thorough response to my concerns! You've reminded me why I left windows... I was getting tired of having my PC treated like a house of ill repute.

I suppose there's really nothing for me to worry about as long as I store backups and only save private data to external media. Then all I have to do is identify all the places where data is cached/temporarily stored and wipe them regularly. (I wonder if there is a program for this? someone should create one.) If I take those steps, it won't even matter if I get pwned. Sure, I'll lose the time it takes me to wipe everything and do a fresh install with additional setups and customizations, but that will be it. I suppose what I'm really worried about is getting pwned and never knowing it because of my lack of knowledge.

I hope you fill in the suspense bit (point 2 near the end of your post) sometime soon.

One last thing:
I've always felt uncomfortable with sudo. Perhaps it is my lack of understanding of how it works, but it seems to me that having a normal user account's password able to function like a root password defeats the purpose of running as a normal user in the first place.

I hope nobody is annoyed at the offtopicness of my posts in this thread, but I think (as I stated in my previous post) that the two subjects are closely related.

benplaut
October 8th, 2005, 09:05 PM
...it seems to me that having a normal user account's password able to function like a root password defeats the purpose of running as a normal user in the first place...

Correct me if I'm wrong, the way I understand it is that if running as root, you don't have to put in a password to do something that only root can do. With sudo (unless the mess with sudoers), you have to put in your password for every operation that would otherwise require su

poofyhairguy
October 8th, 2005, 09:41 PM
One last thing:
I've always felt uncomfortable with sudo. Perhaps it is my lack of understanding of how it works, but it seems to me that having a normal user account's password able to function like a root password defeats the purpose of running as a normal user in the first place.


Not really. Because unlike running as root, running as a restricted user with sudo forces programs to ask for your password before they can do bad things.

When you run as root, every program has permission to do everything. Anything. It's the number one problem I say with Windows- IE can install stuff without asking you.

In Ubuntu for something to mess with your most important files (the ones that make the OS work) the bad program has to ask for your password. There is the safety valve. If you are browsing the web then it asks for your password, you know something is up. Don't give in. And then don't go back to that site. That's the protection provided. In Ubuntu, at least it ASKS for your password instead of just doing what it wants.

Because of this, guard your password. In fact, I even guard my data- all of my most important stuff can only be edited by a sudo user. (gksudo nautilus)

Of course users that click next on anything and just give their password freely will still be infected. But that could happen for them in any OS- they are not fit to admin their own system. But for us, it's just another thing in the way of the security problems that make XP such a bad eXPerience.

blastus
October 8th, 2005, 09:45 PM
Great post GeneralZod! I would like to add to it...

On Windows:
They actually did more than just "bundle" IE with Windows, they bound it to Windows.

"To the extent that browsing-specific routines have been commingled with operating system routines to a greater degree than is necessary to provide any consumer benefit, Microsoft has unjustifiably jeopardized the stability and security of the operating system. Specifically, it has increased the likelihood that a browser crash will cause the entire system to crash and made it easier for malicious viruses that penetrate the system via Internet Explorer to infect non-browsing parts of the system." - U.S. DOJ

On ActiveX:

ActiveX does not have a security model. If an ActiveX control is running it has full access to the machine. This contrasts with Java which has a permissions-based or sandbox security model. Even before IE and ActiveX came into widespread use on the Internet, people were sounding alarms. Back in 1996, Fred McLain demonstrated how to build an ActiveX nuclear bomb (http://www.halcyon.com/mclain/ActiveX/welcome.html). It is a webpage that contains an ActiveX control that shuts down a Windows machine when visited. :cool:

Arktis
October 8th, 2005, 10:03 PM
Correct me if I'm wrong, the way I understand it is that if running as root, you don't have to put in a password to do something that only root can do. With sudo (unless the mess with sudoers), you have to put in your password for every operation that would otherwise require su

Yeah, that's the way it should be and that's how things function on a normal linux system even without sudo; when you are not root and you try to launch a program or perform a function that requires root, it asks for the root password. Even windows does this the same way when you're not using an admin account. But with sudo, your normal user account password is the key to everything. That is very different, and seems dangerous to me. But then again I don't know exactly how it works internally.