Linux Beat Google On Bug Fixes

It’s the kind of thing that makes me feel more confident that I made the right choice switching out from Windows to Linux distris. (Full article about Linux takes first place here.)

IN BRIEF The bug hunters at Google’s Project Zero team have released their latest time-to-fix data and Linux is smashing the opposition.
Between 2019 and 2021 open-source developers fixed Linux issues in an average of 25 days, compared to 83 for Microsoft and Oracle pulling last place at 109 days, albeit from a very low number of cases.

It’s a good read, and boosts Linux’s image over Windows and Oracle. I wonder how each Linux distri fares against the others.
~s

4 Likes

Presumably depends in part on the length of the chain i.e. if you have a distro based on Ubuntu, and Ubuntu is based on Debian - then the fix may appear slightly earlier in Debian, then appear in Ubuntu, then appear in the third distro.

Even so, some distros may be faster than others and it would be good to know.

Against that, sheer speed is not always an advantage. Look at the ‘recent’ log4shell vulnerability where multiple patches had to be issued before something secure was released in the underlying package. Add to that the possibility that a rushed security fix might actually open another security hole.

Yeah, I’m not buying that plural. :wink:

2 Likes

Some folks go for Linux for different reasons. Some want privacy, some want speed, some want something small, some want functionality, some just want to get away from Windows, others just want an O/S they don’t have to pay for.

My rule of thumb (if I only look at it as a popularity contest): just look at the default page of distrowatch.com, and the most popular downloads are in the right-hand column. (I don’t think they’re downloaded by bots just to bring the statistic up.)

4 Likes

From the responses I guess it doesn’t matter what distri updates there are, “Linux is smashing the opposition.” That is good news for me.

All of the above :slight_smile: but I would add security to the list. And as for the cost of so-called O/S, the other O/S’s are just providing ways to communicate, micro-entertain, and in exchange for the cost, users get to be leashed-up, stalked, spied on, controlled, and at 0 extra charge. I feel one would have a lot to do to use a Linux distri the same way.
Thanks for that distrowatch.com link.

In 2021, vendors took an average of 52 days to fix security vulnerabilities reported from Project Zero. Thanks to Linux for helping to bring down the “average”. I think the ‘others’ owe Linux a thank you.

But, having looked closely at the stats, and stats are usually something we pay others to use our watch to tell us what time it is.
The up-to 2021 has Linux way in the lead if one considers the number of bugs.
If we look at total volume of Bugs, it’s great to see where Linux stands.

Vendor   Total Bugs     Avg Days to Fix
Apple         84                   69
Microsoft    80                   83
Google       56                   44
Linux         25                   25

When it comes to bugs, Linux is still the least to have bugs and, if one does pop up, Linux still leads in stomping them out.

I’d wager those other O/S’s include a lot of stalkers in the O/S that are also buggy.

Too, those others are also expensive. Linux distri are free.

~s
(have nothing better to do today :slight_smile: )

1 Like

Some caution is advised in interpreting that statistic. For a start it is total volume of (publicly) known bugs. That in turn could be influenced by global share of user base.

I guess total volume of known bugs then also impacts on time-to-repair. The more bugs you have to work on, the harder it is to fix them all in a timely fashion, all other things being equal.

In my opinion spying operating systems are by definition buggy - but Google’s Project Zero almost certainly wouldn’t share that opinion given that Google is one of the major global spies. :wink:

2 Likes

I see you kept yourself busy then. I was doing my local business taxes.

Otherwise I think I had security covered when I listed privacy; I was trying to be as little redundant as possible. (Is privacy under the genus evolutionary tree of security or the other way around?) Don’t answer that, don’t want to make you too busy.

Or neither?

I think it is fair to say that if you don’t have security then you don’t have privacy (because your device is pwned, all bets are off). That means they are associated even if not related in a tree.

1 Like

Does it matter what it is called? Bottom line, even after nit-picking, Linux beat our (edit - S/B ouT - not our) Google.
~s
edited to correct obvious typo. “our” to ouT.

Whose Google?

1 Like

Thanks. I revised. “our” is now corrected to be “out”.

Seems like a fairly arbitrary comparison to me. I mean what constitutes “Microsoft” in that? Just the OS? Just the built in applications? All applications?

Same problem across the board. And how could one reasonably compare like to like? I mean I guess we could just compare kernel bugs except I don’t think any of those besides Linux breaks those out and once you get larger than the Linux Kernel what constitutes Linux in this comparison?

No matter where you draw the lines it’s severely biased in some way.

Also average time to resolution is different than average time of exposure, is different than… yeah I just don’t see a reasonable way to compare such disparate systems.

If I understood correctly, the scope is clear: it is security vulnerabilities (not all bugs) that are reported by Google Project Zero (not all security vulnerabilities). Basically they report the security vulnerability and then start the clock.

There are many ways in which such a comparison could be unfair but it is still interesting and if it puts a bit of pressure on other operating systems to lift their game then the world is a better place.

To get a clearer understanding of the scope, you would have to get a list of all the vulnerabilities. For example, you would have to work out how to use: https://bugs.chromium.org/p/project-zero/issues/list?sort=id&colspec=ID%20Status%20Restrict%20Finder%20Reported%20Deadline%20Remaining%20CVE%20Vendor%20Product%20Summary&q=status!%3DInvalid%20id>%3D1748%20id<%3D2248%20Deadline%3A90&can=1
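To make the two notions raised above concrete (the vendor’s time-to-fix from the moment the clock starts at report, versus the exposure window while a bug is public but unfixed), here is an added example that is not part of the thread or of Project Zero’s tracker: it computes both per vendor from a small set of constructed, hypothetical issue records, using the 90-day deadline mentioned in the tracker query.

```python
from dataclasses import dataclass
from datetime import date
from statistics import mean
from typing import Optional

DEADLINE_DAYS = 90  # standard disclosure deadline applied to each report


@dataclass
class Issue:
    vendor: str
    reported: date             # the clock starts here
    fixed: Optional[date]      # None while still unfixed
    disclosed: Optional[date]  # None while the bug is not public


def days_to_fix(issue: Issue, today: date) -> int:
    """Vendor response time: report -> fix, or report -> today if still open."""
    end = issue.fixed if issue.fixed is not None else today
    return (end - issue.reported).days


def exposure_days(issue: Issue, today: date) -> int:
    """Days the bug was public but unfixed (0 if fixed before disclosure)."""
    if issue.disclosed is None:
        return 0
    end = issue.fixed if issue.fixed is not None else today
    return max(0, (end - issue.disclosed).days)


def missed_deadline(issue: Issue, today: date) -> bool:
    return days_to_fix(issue, today) > DEADLINE_DAYS


def vendor_stats(issues, today):
    """Per vendor: count, mean days-to-fix over fixed bugs, misses, mean exposure."""
    stats = {}
    for v in sorted({i.vendor for i in issues}):
        mine = [i for i in issues if i.vendor == v]
        fixed = [days_to_fix(i, today) for i in mine if i.fixed is not None]
        stats[v] = {
            "total": len(mine),
            "avg_days_to_fix": round(mean(fixed), 1) if fixed else None,
            "missed_deadline": sum(missed_deadline(i, today) for i in mine),
            "avg_exposure": round(mean(exposure_days(i, today) for i in mine), 1),
        }
    return stats


# Constructed sample records: hypothetical vendors and dates, not real tracker data.
TODAY = date(2022, 3, 1)
SAMPLE = [
    Issue("VendorA", date(2021, 1, 10), date(2021, 2, 4), None),               # 25 days, never public
    Issue("VendorA", date(2021, 5, 1), date(2021, 9, 10), date(2021, 7, 30)),  # 132 days, public 42 of them
    Issue("VendorB", date(2021, 3, 15), date(2021, 6, 7), date(2021, 6, 13)),  # 84 days, fixed before disclosure
    Issue("VendorB", date(2021, 11, 20), None, date(2022, 2, 18)),             # still open and public
]
```

Running `vendor_stats(SAMPLE, TODAY)` shows why the two averages diverge: an open bug contributes nothing to the time-to-fix average yet keeps adding to exposure every day.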

Wow! After reading all the comments, it’s amazing how fast micro-analysis can knock the wind out of Linux’s sails.
I still think it’s good news anyway.
~r

1 Like

The most interesting sentence is not quoted:

Furthermore Linux is showing consistent improvement in response times, from 32 days in 2019 to just 15 last year, and that improvement is being mirrored (mostly) across the industry.

… whatever “mostly across the industry” means.