Comment by digiown

4 months ago

One good thing we can say about Linux bundling all the drivers is that it obviates the need to run almost all of this type of low quality (if not outright spyware) driver management software. They are especially problematic because they can't be sandboxed easily like most other proprietary crap.

For whatever reason, distro maintainers working for free seem a lot more competent with security than billion dollar hardware vendors

> For whatever reason, distro maintainers working for free seem a lot more competent with security than billion dollar hardware vendors

I don't believe that these billion dollar hardware vendors are really incompetent with security. It's rather that the distro maintainers do care quite a bit about security, while these hardware vendors consider these security concerns to be of much smaller importance; for their business it is likely much more important to bring the next hardware generation to the market as fast as possible.

In other words: distro maintainers and hardware vendors are simply interested in very different things and thus prioritize things very differently.

  • Years of working in embedded computing have left me with the impression that most hardware companies are just bad at software. I think part of it is that the long cycle times of making hardware push them towards a culture of waterfall development. But years of working with the microcontroller libraries for ethernet PHYs, the bash scripts to build the kernels for SoCs, etc make me perfectly willing to believe they are incompetent with security.

  • This comes down to intentions versus results. Viewed through the lens of results the comment you're replying to is still correct: The result is incompetence. I'd argue that's the only lens that matters when you're on the receiving end of such work.

It is, mostly, the organization Linus created (and of course the enormous number of people participating).

An absurd amount of weight is carried by a small number of very influential people that can and want to just do a good job.

And a signal that they're the best is you don't see them in the news.

We need more very influential people who aren't newsworthy.

  • The most direct comparison would be the package manager, that's why I said distros. These driver management tools do a (poor) job at being a package manager, along with many other commercial software installation tools.

    With Linux itself, it helps that they are working in public (whether volunteering or as a job), and you'd be sacked not in a closed-door meeting, but on LKML for everyone to see if you screw up this badly.

    • Popular Linux distributions also use HTTP CDNs. Even though the content is always signed, it still exposes the HTTP stack, signature verification code and a bunch of the application logic to the attacker.

      Apt has had issues where captive portals corrupt things. GPG has had tons of vulnerabilities in signature verification (but to be fair here, Apt is being migrated to Sequoia, which is way better).

      But these distros are still exposing a much larger attack surface compared to just a TLS stack.
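The "signed content over an untrusted transport" model the comment above describes, as an added example that is not apt's or any distro's own code: a repository signs a manifest of file hashes with an ed25519 key, a client fetches the manifest and the files from a mirror it does not trust, and everything that runs before the signature check (the signature line parser, the hex decoder, the signature verification itself, the per-line manifest parser) is exactly the surface that a hostile mirror or captive portal gets to feed bytes into. The manifest format, the file names and the file contents are constructed for this example; the Go standard library's `crypto/ed25519` and `crypto/sha256` are real.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"sort"
	"strings"
)

// Manifest format (constructed for this example, loosely modelled on an
// InRelease-style file): one "sig:<hex>" line, then one "sha256hex  name"
// line per file. Only the manifest is signed; files are checked by hash.
const sigPrefix = "sig:"

// NewKeyPair generates the repository signing key. In a real distro the
// private half lives on the release infrastructure and only the public half
// ships with the client.
func NewKeyPair() (ed25519.PublicKey, ed25519.PrivateKey, error) {
	return ed25519.GenerateKey(rand.Reader)
}

// SignManifest builds the manifest body for files (sorted, so the body is
// deterministic) and prepends an ed25519 signature over that body.
func SignManifest(priv ed25519.PrivateKey, files map[string][]byte) []byte {
	names := make([]string, 0, len(files))
	for n := range files {
		names = append(names, n)
	}
	sort.Strings(names)
	var body bytes.Buffer
	for _, n := range names {
		sum := sha256.Sum256(files[n])
		fmt.Fprintf(&body, "%s  %s\n", hex.EncodeToString(sum[:]), n)
	}
	sig := ed25519.Sign(priv, body.Bytes())
	return append([]byte(sigPrefix+hex.EncodeToString(sig)+"\n"), body.Bytes()...)
}

// ParseManifest is the client-side code that anyone in the transport path can
// feed arbitrary bytes: the prefix check, hex decoding, signature verification
// and the line parser all run on untrusted input. Hashes are only returned
// once the signature has verified against the pinned public key.
func ParseManifest(pub ed25519.PublicKey, data []byte) (map[string]string, error) {
	nl := bytes.IndexByte(data, '\n')
	if nl < 0 || !bytes.HasPrefix(data, []byte(sigPrefix)) {
		return nil, errors.New("manifest: missing signature line")
	}
	sig, err := hex.DecodeString(string(data[len(sigPrefix):nl]))
	if err != nil || len(sig) != ed25519.SignatureSize {
		return nil, errors.New("manifest: malformed signature")
	}
	body := data[nl+1:]
	if !ed25519.Verify(pub, body, sig) {
		return nil, errors.New("manifest: bad signature")
	}
	hashes := make(map[string]string)
	for _, line := range strings.Split(strings.TrimRight(string(body), "\n"), "\n") {
		fields := strings.Fields(line)
		if len(fields) != 2 || len(fields[0]) != sha256.Size*2 {
			return nil, fmt.Errorf("manifest: malformed line %q", line)
		}
		hashes[fields[1]] = fields[0]
	}
	return hashes, nil
}

// VerifyDownload checks a file fetched from an untrusted mirror against the
// hash the signed manifest commits to. A file the manifest does not list is
// rejected rather than accepted unchecked.
func VerifyDownload(hashes map[string]string, name string, content []byte) error {
	want, ok := hashes[name]
	if !ok {
		return fmt.Errorf("%s: not in signed manifest", name)
	}
	sum := sha256.Sum256(content)
	if hex.EncodeToString(sum[:]) != want {
		return fmt.Errorf("%s: hash mismatch", name)
	}
	return nil
}

func main() {
	pub, priv, err := NewKeyPair()
	if err != nil {
		panic(err)
	}
	// Constructed repository content standing in for what a mirror serves.
	files := map[string][]byte{"foo_1.0.deb": []byte("constructed package bytes")}
	manifest := SignManifest(priv, files)
	hashes, err := ParseManifest(pub, manifest)
	if err != nil {
		panic(err)
	}
	fmt.Println("genuine file:", VerifyDownload(hashes, "foo_1.0.deb", files["foo_1.0.deb"]))
	fmt.Println("swapped file:", VerifyDownload(hashes, "foo_1.0.deb", []byte("swapped by mirror")))
	tampered := append(append([]byte(nil), manifest...), []byte("0000  extra\n")...)
	_, err = ParseManifest(pub, tampered)
	fmt.Println("edited manifest:", err)
}
```

The point the example makes concrete is the comment's: plain HTTP plus signatures keeps the packages authentic, but `ParseManifest` runs entirely on attacker-controllable bytes, so every bug in it (and in the real signature library behind it) is reachable from the network, whereas with TLS only the TLS stack sees untrusted input before authentication.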

Ryzen Master isn't a driver. Most of its functionality isn't even available in Linux, even with third-party tools or drivers.

Aren’t vendors moving to a browser-based control model, where the hardware runs on a local web server that exposes various settings? It sounds terrible for security.

The corporate drones have the management tower above them, the OSS enthusiasts do not. That is it.