On Mon, Jul 14, 2014 at 12:20 PM, Andrew Wyatt <andrew at fuduntu.org> wrote:
>
>> >
>> > http://heartbleed.com/
>> >
>> > Oh, wait.
>>
>> Openssl doesn't have much to do with Unix/linux. It is just one of a
>> bazillion application level programs that you might run. Are you
>> going to include all bugs in all possible windows apps in your
>> security comparison?
>>
>
> OpenSSL is a library, not an application,

And not used unless an application uses it.

>>
>> But init/upstart/systemd are very special things in the unix/linux
>> ecosystem. They become the parent process of everything else. For
>> everything else, the only way to create a process is fork(), with its
>> forced inheritance of environment and security contexts.
>>
>
> Yes, they sure are, you're right about that. Without an init (of any
> kind), you only have a kernel. You don't have mounted filesystems, or
> anything else.

And no other processes....

>> In any case, giant monolithic programs that try to do everything
>> sometimes become better than a toolbox, but it tends to be
>> rare. First, it takes years to fix the worst of the bugs - but maybe
>> that has already happened in fedora... And after that it is an
>> improvement only if the designers really did anticipate every possible
>> need. Otherwise the old unix philosophy that processes are cheap -
>> if you need another one to do something, use it - is still in play.
>> If you need something to track how many times something has been
>> respawned or to check/clean related things at startup/restart you'll
>> probably still need a shell there anyway.
>>
>>
> It's very rare. I wasn't speaking to this though in this instance, I was
> only speaking to Windows security not being any better or worse than
> anything else.

Yes, using window vs. unix/linux is an overreach as an analogy here - and
unnecessary. It's just a matter of 'big, new, monolithic' code bases vs. a
small set of well-tested reusable tools.

We could just run everything under java if we wanted. But how many years
old is java and how often are there still mandatory updates of the whole
thing because of some recently noticed security bug in some part of it?

-- 
  Les Mikesell
    lesmikesell at gmail.com