[Leaplist] Why Open Source won't work on "Vista computers"
Bill Anderson
bill at noreboots.com
Wed Dec 27 02:17:37 EST 2006
On Tuesday 26 December 2006 23:56, Chris wrote:
> Phil Barnett wrote:
> >On Tuesday 26 December 2006 19:56, Chris wrote:
> >>As much as I'd like to agree with you, because, well, I pretty
> >>much always agree with you... I have misgivings.
> >
> ><snip of points that I don't necessarily disagree with>
> >
> >Building an operating system that refuses to be compromised because it can
> >only run trusted software is a good thing no matter where it comes from.
>
> Fair, and true - partially. The presumption is that the trusted
> software has some degree of quality and security to start
> with - which is an area that MS doesn't shine at, and whose
> deficiencies in this arena are at the root of the problems that
> this solution pretends to address.
Well stated.
>
> >We need a way in an operating system to determine what can run and what
> > can not run before the software that should not run shows up on the
> > doorstep.
>
> While I agree on theological grounds, I have to ask - what
> problems in FOSS does this solve? And is the cure worse
> than the disease? Has Linux had, for example, buggy drivers?
> You bet - does today. Buggy applications? Does today. So
> what? Can I download and run a shell script that says
> "rm -rf /"? Well, yeah. But if you prevent that, you also
> prevent the ability to download and run a script or program
> that solves a problem - unless the author has jumped through
> the trusted hoops.
Furthermore, providing a means for an administrator to override provides a
means for a gap in the fence - by design.
> There are more than a couple of flies in this soup. The first
> is pragmatic. Who decides? Someone has to certify that
> a piece of software be deemed trustworthy. Who? Redhat?
> Novell? Linus? A yet-to-be-created blue ribbon panel? And
> what criteria are used to establish eligibility for certification?
This is a very large fly. It is larger than the next one...
> Or does each distro establish its own certification, which
> would be a nightmare for those seeking certification. MS
> can pull this off - they're a monolith. Linux is the hydra -
> the multi-headed beast that will not die, and will not be
> tamed. The diverse tributaries that fuel Linux are its
> strength - but also make implementing something like
> this a serious challenge. I don't think Debian, for example,
> would certify things the same way as Mandriva.
This diversity does cause the stated difficulty. However, here again we will
find strength in our approach and methods. The most likely situation *today*
(as in it would have been entirely different 5 years ago or more) is that an
OSS consortium would form to provide a standardized method/framework. Just as
we see happening in the Desktop Environment arena among other arenas.
> Fly number two doing the backstroke is this - what hardware
> or software developer is going to go through the expense
> of certification for Linux? And why would they?
Certainly those selling to government would. Why? It depends on who gets there
first, and who lobbies more successfully. If the government requires certain
certifications to run as "trusted" (so sayeth the government, nothing to do
with TC mind you), you can bet vendors currently "certifying" on RedHat or
Novell would simply add this to the stack. Oracle would. So would Veritas,
and so would IBM. Why? Government sales. Or heavily regulated industries such
as electrical utilities and financial institutions.
This is where the lobbying comes in. Whether it be lobbying of Congress or
lobbying of regulators, the most important battle on the front is the halls
of regulation. Consequently, this could conceivably be the impetus behind
FOSS getting together and doing it. IF we could come up with a common
certification level, and levels of Trust (the gov. is big into levels of
stuff), and if we could get it implemented and working *first* we would have
a good ground for lobbying of a standard. If it is an open spec deal (of
course) we could walk a path like Open Document without the incumbent.
IF we pulled this off, FOSS would have a major attraction to it. Especially if
it doesn't cripple the system to meet the requirements.
> It's just one
> more reason not to even develop for FOSS. Are we really
> big enough that we can demand Adobe get certified as
> trustworthy on a platform they can barely be bothered
> with today?
We don't start with Adobe. We start as a volunteer system with an emphasis on
the ones most likely to do it (such as Oracle, IBM, Novell, HP).
>
> >What remains to be seen is who can do it. We often blame Microsoft for
> > things they haven't done yet because it fits their MO. There's no
> > question about that. I believe that MS is fully capable of blowing their
> > lower torso off while trying to attempt this.
>
> I don't doubt that Microsoft can do it. I just doubt that it will
> do any good if they persist in certifying their own buggy
> software. Which they undoubtedly will. Locking your liquor
> cabinet, then handing Ted Kennedy the keys doesn't really
> achieve the desired effect.
Nice.
> On the FOSS side, I don't know. It may be technically achievable,
> but I kind of think it's a cure in search of a disease. What's been
> the real effect of all this untrustworthy stuff running on Linux?
I agree with you here. On the other hand, however, is the argument I made
above. Not that it is an easy road, mind you.
> But I don't see MS stamping certification on its own bad
> software as helping anyone but MS -
Truer words are rarely spoken.
Cheers,
Bill