This has indeed been an interesting year for Linux security. The point of this article is to offer a view on what I believe to be some of the most interesting happenings in 2003. The Linux experts who offer their view on 2003 are Bob Toxen (one of the 162 recognized developers of Berkeley UNIX and author of "Real World Linux Security") and Marcel Gagne (President of Salmar Consulting, Inc. and author of "Linux System Administration - A User's Guide" and "Moving to Linux").
Is it patched yet?
When it comes to 2003, I think we can call it "the year of the patch", with the security community paying close attention to what is patched and in what period of time. In an interesting column about security fixes, SecurityFocus columnist Hall Flynn notes that he doesn't understand why Linux vendors that put so much time and money into creating security patches distribute them for free.
Marcel Gagne has a different view of the situation: "My initial reaction to the question of why a company would spend money supplying security fixes is 'why shouldn't they?' It's called being a good corporate citizen. If you distribute something that is flawed and that flaw may endanger your customer's data, you have some responsibility to right that oversight. You might distribute EULAs with your software that say 'we aren't responsible for anything that might occur on your system as a result of using this software', but you still have a 'moral' obligation if nothing else."
"I'm not saying you do this forever, mind you, but over a reasonable period of time. At some point, I expect users to upgrade to newer releases or take some responsibility for patching their own systems. What's a reasonable period of time? I'd say 34 to 36 months. At some point, any reasonable user should understand that the best way to ensure continued support is to upgrade to something more recent," Gagne added.
One of the problems with closed source is that it is sometimes impossible to get support for older versions of the software. Gagne notes: "The beauty of the open source model is that an opportunity exists for creating fixes for old releases. Not so for the users of Windows 95 or 98, who have no source code to go back to when the next critical flaw is uncovered. As to charging for fixes, it seems clear to me that this model of doing business already exists in the open source world. If you, as a user, choose to sign up for corporate support, you are in effect paying for patches and security fixes."
My OS is more secure than yours