So when will Linux vendors charge for security fixes?

Opinion Linux vendors spend money building security bug fixes. How much longer will they give them away for free, writes SecurityFocus columnist Hal Flynn.

In the last week of October, Apple debuted its latest installment of the BSD-based operating system Mac OS X 10.3, also known as Panther. With it came many new features, as well as some security fixes.

And not just a couple security fixes, several of them. All told, nine security fixes ranging from problems in Mac OS X applications such as finder, to freely available applications such as OpenSSH.

The security patches created a huge controversy when they came out, owing to a rumor that the only way to get the fix would be to purchase the upgrade, a $129 outlay.

In the end, this turned out to be untrue. Apple assured customers that the fixes would be back-ported, and would be available for all other currently supported operating systems.

But until Apple made a public announcement about it, we almost saw a revolution.

When it comes to security patches, I've always heard the same argument from the open-source and free software crowd. The argument is that distributing source code for the operating system facilitates the speedy resolution of security problems. When a security hole is announced, the volunteer community is supposed to come to the rescue like a fire brigade, quickly putting out a patch that makes everybody safe and keeps the hackers at bay.

But in most cases, it seems the open-source community is the last group to come to the rescue. When a vulnerability is initially made public, things usually go one of two ways: if the vendor was notified first, that vendor typically tries to work with the researcher, and makes an effort to issue a coordinated release. Otherwise, if the vendor wasn't notified, the problem is disclosed to the public, and the community stands idly by, dumbfounded.

Inevitably, somebody fixes the problem -- usually very quickly, if it happens to involve a piece of software that's distributed widely, and included as a standard package in most UNIX and Linux distributions. But it's not the much-ballyhooed open-source volunteer community that's providing the fix. One wouldn't even know that community exists, if they weren't brought up each time the arguments for open-source are made.

Instead, the fire brigade consists primarily of the maintainers of the software. It also includes the vendors -- SuSE, Red Hat, Mandrake, and others -- that end up having to devote paid development resources to resolving issues in the code.

Who Pays For It?

One thing I've never understood is why vendors who distribute an operating system for free also distribute fixes for free. The General Public License has always required vendors to make sources of all such licensed software freely available. But more often than not, these fixes are not trivial: they require real analysis, and significant developer resources.

If you're a software vendor, these resources aren't free. Developer time that could be dedicated to creating new or improved products that are, ironically, often also given away for free, are instead devoted to providing maintenance on applications not originally authored by the vendor. It isn't hard to find places where those resources would be better spent, like the nagging problems in usability, interface design, and maturity that prevent most free software packages from seeing more widespread adoption.

But the vendor resources are dedicated to the security holes. The vendor puts out the fix, and gives it away for free. The volunteer community, which is allegedly supposed to pick up this ball and run with it, instead waits for the vendor advisory, then downloads the fix when it becomes available. And all of this is provided at the vendor's expense.

Yeah, we almost saw a revolution with Apple. We almost saw the start of vendors outright demanding payment for security fixes. We almost saw an end to the freeloading.

Though the difference between Apple and Linux vendors in terms of licensing is, pardon the pun, apples and oranges, I think we will likely see vendors charging for security patches as a standard practice in the not-too-distant future.

It only takes one vendor to prove they can do it for the rest to follow. For a frame of reference, look at online music distribution schemes: with all of the controversy surrounding digital rights management, people are paying for and downloading music in a variety of DRM formats, including iTunes and Windows Media files.

Another good example is subscription-based software. Many software packages have moved to a subscription-style pricing scheme. Instead of a perpetual license, you pay for each year you use the product, and the subscription fee covers development and support.

In the last few weeks, we have seen a number of shifts in the Linux market. For example, Red Hat moving to Enterprise distributions, which cost significantly more, and dropping their desktop operating systems. We also saw SuSE purchased by Novell, a company that requires "entitlement rights" to obtain fixes for software.

Did Apple chicken out on a good, but controversial, decision at the last minute? Or was it just another case of the FUD floggers dreaming up new conspiracy theories? We may never really know. Whatever it was, I think it was a glimpse of a revolution to come, and a peek at the future of Linux software fixes.

Copyright © 2003,

Author and security analyst Hal Flynn manages the SecurityFocus UNIX focus area.