Archive for August 30th, 2011

August 30, 2011

The repos: the linux secret weapon

by Neil Rickert

I considered titling this “It’s the repos, stupid,” but I wanted to get “linux” into the title.

We recently purchased a new computer for a family member who uses Windows.  And it reminded me of why Windows has so many more security problems than linux.

We unpacked the computer.  Then it was plugged in and the setup program was run.  It created a user account, prompting for an account name.  This account was automatically given administrative privileges.  There was no prompt for setting up a limited user account.  Admittedly, UAC (User Access Control) is in effect, but that is still less safe than using a non-administrative account.  There was no prompt for a password.  The setup program just assumed that login without password would be used.

After it was all setup, the Windows automatic updater kicked in.  There were periodic messages that the updates would be installed at 3am.  After a few days, the important updates seem to have all been installed.

This morning, I did a check.  The computer was running an insecure version of the Adobe Acrobat reader, and was running an insecure version of flash.  There had been no attempt to update those.

That’s the difference that the repos (software repositories) make for linux.  If this had been a linux system that handles software updates, then flash and acroread (if installed) would have been updated by now.  And, of course, with a linux system the user would have been setup as an ordinary (non-root) user and with a password.

That’s the security difference right there.  A naive Windows user, not aware of current security problems, would have been left with an insecure setup that had insecure versions of important software (flash and Acrobat reader).  By contrast, on linux a naive user would have a more secure setup with all software updated to versions that fix known security holes.  An important part of the difference is that linux software is installed from the repos, so that there is a single place to check for updates.

Incidentally, on my dual boot systems it has seem that when I reboot to Windows the main program that I use is Adobe update.  There has been a never ending stream of updates to flash.  On linux, the flash updates come through without any special effort on my part.  And when I notice them, I know it is time to reboot to windows and run Adobe update once again.