So when will Linux vendors charge for security fixes?

Ending the free lunch


Opinion Linux vendors spend money building security bug fixes. How much longer will they give them away for free, writes SecurityFocus columnist Hal Flynn.

In the last week of October, Apple debuted its latest installment of the BSD-based operating system Mac OS X 10.3, also known as Panther. With it came many new features, as well as some security fixes.

And not just a couple of security fixes, but several of them. All told, nine security fixes, ranging from problems in Mac OS X applications such as Finder to freely available applications such as OpenSSH.

The security patches created a huge controversy when they came out, owing to a rumor that the only way to get the fix would be to purchase the upgrade, a $129 outlay.

In the end, this turned out to be untrue. Apple assured customers that the fixes would be back-ported, and would be available for all other currently supported operating systems.

But until Apple made a public announcement about it, we almost saw a revolution.

When it comes to security patches, I've always heard the same argument from the open-source and free software crowd. The argument is that distributing source code for the operating system facilitates the speedy resolution of security problems. When a security hole is announced, the volunteer community is supposed to come to the rescue like a fire brigade, quickly putting out a patch that makes everybody safe and keeps the hackers at bay.

But in most cases, it seems the open-source community is the last group to come to the rescue. When a vulnerability is initially made public, things usually go one of two ways: if the vendor was notified first, that vendor typically tries to work with the researcher, and makes an effort to issue a coordinated release. Otherwise, if the vendor wasn't notified, the problem is disclosed to the public, and the community stands idly by, dumbfounded.

Inevitably, somebody fixes the problem -- usually very quickly, if it happens to involve a piece of software that's distributed widely and included as a standard package in most UNIX and Linux distributions. But it's not the much-ballyhooed open-source volunteer community that's providing the fix. One wouldn't even know that community exists if it weren't brought up each time the arguments for open source are made.

Instead, the fire brigade consists primarily of the maintainers of the software. It also includes the vendors -- SuSE, Red Hat, Mandrake, and others -- that end up having to devote paid development resources to resolving issues in the code.

Who Pays For It?

One thing I've never understood is why vendors who distribute an operating system for free also distribute fixes for free. The General Public License has always required vendors to make sources of all such licensed software freely available. But more often than not, these fixes are not trivial: they require real analysis, and significant developer resources.

If you're a software vendor, these resources aren't free. Developer time that could be dedicated to creating new or improved products (which, ironically, are often also given away for free) is instead devoted to providing maintenance on applications not originally authored by the vendor. It isn't hard to find places where those resources would be better spent, like the nagging problems in usability, interface design, and maturity that prevent most free software packages from seeing more widespread adoption.

But the vendor resources are dedicated to the security holes. The vendor puts out the fix, and gives it away for free. The volunteer community, which is allegedly supposed to pick up this ball and run with it, instead waits for the vendor advisory, then downloads the fix when it becomes available. And all of this is provided at the vendor's expense.

Yeah, we almost saw a revolution with Apple. We almost saw the start of vendors outright demanding payment for security fixes. We almost saw an end to the freeloading.

Though the difference between Apple and Linux vendors in terms of licensing is, pardon the pun, apples and oranges, I think we will likely see vendors charging for security patches as a standard practice in the not-too-distant future.

It only takes one vendor to prove they can do it for the rest to follow. For a frame of reference, look at online music distribution schemes: with all of the controversy surrounding digital rights management, people are paying for and downloading music in a variety of DRM formats, including iTunes and Windows Media files.

Another good example is subscription-based software. Many software packages have moved to a subscription-style pricing scheme. Instead of a perpetual license, you pay for each year you use the product, and the subscription fee covers development and support.

In the last few weeks, we have seen a number of shifts in the Linux market. For example, Red Hat has moved to Enterprise distributions, which cost significantly more, and dropped its desktop operating systems. We also saw SuSE purchased by Novell, a company that requires "entitlement rights" to obtain fixes for software.

Did Apple chicken out on a good, but controversial, decision at the last minute? Or was it just another case of the FUD floggers dreaming up new conspiracy theories? We may never really know. Whatever it was, I think it was a glimpse of a revolution to come, and a peek at the future of Linux software fixes.

Copyright © 2003,

Author and security analyst Hal Flynn manages the SecurityFocus UNIX focus area.
