
Security vs. popularity

Security is not obscurity. Popularity is not the only reason MS Windows is so poorly secured in general use. Maybe. Chad Perrin explains why this might be.

One idea in particular keeps coming up in discussions amongst IT professionals and software partisans: that the popularity of a piece of software is inversely correlated with its security. The assumption is that greater popularity of a piece of software makes it a more tempting target, and being a more tempting target makes it less secure.

There is some truth in that idea, but not nearly as much as many people think. If all else is equal, the more-popular software will be compromised first. On the other hand, all else is not equal, and being first is not necessarily the same as being only:

  • After the most popular piece of software is targeted, the next-most popular will also be targeted, if it has enough of an installation base to make it worthwhile to compromise.
  • It does not take much, in terms of market share percentage, for a piece of software to be popular enough to attack. For the most widely used types of software, a single percentage point can mean millions of deployments.
  • Software that is used on more high-value targets will be targeted first, all else being equal. That software is usually not the most popular software.
  • Software that can be used best as a staging ground for attacking other systems will be targeted first, all else being equal, if for no other reason than the fact that it widens the scope of the attack on more popular software.
  • The second most popular Web server software is far less secure in practice than the most popular Web server software.

All of this adds up to evidence and reasoning that contradicts the notion that popularity is the proximate cause of a poor security record. The last of these five points is, in fact, a direct counterexample, so even an argument from causes based on nothing but correlation fails to support the idea, and correlation is the entire argument. Correlation does not imply causation.

There is, however, another way to look at the relationship between popularity and security. While popularity is not the proximate cause of a poor security record, it might have some influence on that security record.

That influence does not, for the most part, come from attracting evildoers to the more popular system. If the popular system is also very well secured in the vast majority of deployments, it will present a difficult enough challenge that many malicious security crackers (especially those who do not target millions of victims at a time) will choose other targets that are less popular but easier to crack.

Popularity affects security indirectly, through the effect a large user base has on how the system is designed. As more people clamor for particular features and interface changes, developers come under increasing pressure to appease those demands. Giving in to that pressure easily leads to ill-considered security design decisions, uncontrolled growth of complexity, and development mistakes. This is how poorly secured bloatware generally comes to be.

Microsoft Windows is the most popular end-user, general purpose operating system in the world. Depending on who you ask, and what assumptions you make about how such things are counted, Apple MacOS X is the second most popular. Canonical's Ubuntu Linux is arguably third, if a guess is needed. Interestingly, that is also the order in which we could rank their security problems.

  • Microsoft Windows has an atrocious record for dealing with vulnerabilities. It also uses a deeply security-unconscious architecture, and is built on a "more is more" philosophy -- far from the minimalist "less is more" philosophy that recognizes the connection between simplicity and security. These and other difficulties result in a design that simply begs to be compromised. While a number of security-focused initiatives have been undertaken to turn Microsoft's poor security reputation around, persistently bad security policies coupled with the realities of featuritis and other lack-of-design features add up to a losing battle.
  • Apple MacOS X is built on a much stronger core architecture, including a Mach-derived kernel, a primarily BSD Unix userland beneath the GUI, and an innovative high-level API inherited from Apple's 1990s acquisition of NeXT Software. Despite all this, Apple's strict policies -- bordering on "control freak" in some cases, and willful ignorance in others -- conspire to undermine that foundation and saddle Mac OS X with poor security characteristics. One symptom is an unconscionably slow response to security vulnerabilities, in many cases slow enough to make MS Windows patching policy look good by comparison.
  • Finally, Canonical's Ubuntu Linux is, with every release, rapidly approaching the sort of bloat we have come to expect and loathe from Microsoft's flagship operating system. At least in part because it relies primarily on open source software developed outside Canonical, and benefits from the often better security policies of those outside projects, Ubuntu does not suffer the same rate of creeping corruption of security that afflicts Mac OS X. That creeping corruption is still an ongoing problem, however. Ever more bloat, ever tighter coupling between system components, and an increasing focus on superficial end user enticements as a higher priority than good system design: these things make Ubuntu resemble its more popular, less well secured competitors more and more all the time.

By contrast, consider the case of some less-popular operating systems that have, to some extent, remained unpopular because of their focus on correct design decisions, security conscious maintenance, and keeping the system reasonably lean and stable. Among these operating systems are:

  • More technically oriented Linux distributions like Debian and Slackware
  • The "popular" BSD Unix system, FreeBSD
  • The most security conscious BSD Unix systems -- correctness obsessed NetBSD and security auditing obsessed OpenBSD

That is, in fact, arguably the order of these systems from least secure to most secure, as well as from most popular to least popular. It correlates very strongly with their level of disdain for widespread popularity wherever it conflicts with good system design. Even the least popular among them have millions of users around the world, in one capacity or another, and would thus be quite worthy targets for malicious security crackers. In fact, the systems on the more-secure end of that spectrum tend to be used for public-facing servers, which also makes them, on average, higher value targets on a case-by-case basis. Despite all this, their security records are much more admirable than those of MS Windows, Apple MacOS X, and Ubuntu Linux.

Popularity does not correlate with the failure of real security just because malicious security crackers avoid the second- and third-most popular options. It does, however, correlate well with the failure of real security when that popularity produces social pressures that undermine the security of system design and maintenance.

About

Chad Perrin is an IT consultant, developer, and freelance professional writer. He holds both Microsoft and CompTIA certifications and is a graduate of two IT industry trade schools.

65 comments
ian3880

Irrespective of the OS used, it seems to me that the security concerns discussed here are internet related, to either the bad guys getting INTO your computer system or the bad guys getting the info OUT of your system, so surely the answer is to have a "disposable system" on line and a "secure system" that NEVER goes on line. "Disposable system": one that has minimal (or false) personal information, that is mirrored to a removable hdd on a regular basis (the regularity is proportional to the perceived hack attack risk). "Secure system": never on line, never updated directly on line, never uses questionable software, and is located in a secure room without either hard wired or wireless access to the internet. Then there is the problem of "people" to contend with. USB drives and CD/DVD drives tempt people to bring in their latest games, photos of little Johnny, etc. etc. As pointed out by others, security is inconvenient. Most people want the latest and greatest (should I mention the early adopters of Vista here?) popular software. The vast majority of software users, unfortunately, don't like inconvenience and so try to bypass security, or don't care, or don't even realise why the security is needed in the first place. Sadly, this not only relates to computers, software and the like, but to ALL forms of security.

mikifinaz1

If you can't be found you can't be a target. The trick is not to be found; that is the hard part. Most people don't want to truly sacrifice to the level needed to be anonymous. If you don't want to be anonymous, but somewhat safe, there is a tip I learned from the Viet Cong. You need to look like every other peasant; that is easy and works as long as you keep a low profile and practice a few precautions. The one thing about computers most people don't know is that they are completely insecure, even the ones behind locked doors in the NSA or Langley. I met a guy once while I worked at Microsoft who was commissioned to make a "totally secure" system. He did, after a fashion; the only problem was that it cost billions of dollars and required CS trained users. So, for most of us it is an impossible goal. He said that the more accessible you make a system the less secure it gets, and while you can be somewhat secure and popular you really can't be both popular and totally secure. It is all about risk management.

Kent Lion

The statement in this article: "As more people clamor for particular features and interface changes, developers are under increasing pressure to appease those people's demands ... This is how poorly secured bloatware generally comes to be." is not entirely accurate. Users are not asking for bloatware. The people clamoring for particular features and interface changes often seem to be the software developers themselves. For example, Microsoft Office versions after 2003 require experienced users to learn how to use them over again, at considerable cost in time and frustration. In addition, unless those users create their own set of buttons, also at considerable cost in time, everything they do using the new Office "menu" system (ribbons) is slower because it requires more mouse-clicks. I do not believe you will find a lot of people who appreciate being pushed to expend all that time and effort in exchange for receiving no compensating benefit in return. No-one clamored for this. If anyone is clamoring for anything it might be for the existing software to be fixed and then left alone.

dawgit

My take, build security in, and keep it simple. (ok, easy for me to say)

zefficace

Therefore you have more screw-balls to screw with your software and "find" your flaws. ;) It's just a matter of proportions, and Windows has lots of trigger-hap... uh, click-happy users. Also, the more "technical" Linux distros and BSD DO NOT address the same user base. Those users will find and report flaws; they will behave in ways that limit the effect of a flaw. Some users, having the skills, will even contribute code to close the flaw. You can't say that of many Windows users, though they greatly outweigh Linux/BSD users (more so for the code part, as users don't see MS code). So yeah, popularity might not have a direct relation to security, but it does have an effect on the importance of flaws, the ease of exploitation, and the duration of the exploitation window.

bboyd

All your listed reasons for the user to subvert security are ones of perceived convenience. Computers are supposedly a tool of ever increasing convenience, and they either increase productivity or free time (arguable). Would this free time be the cause of our forefathers' "Idle Hands" comments? I have the same problem in a manufacturing environment: I automate the difficult and repetitive tasks, leading to less required skill and tedium, which in turn leads to even more moronic decisions by the "Users" that have to be further automated to remove the stupidity-induced problems. Eventually the stupidity reaches the level of the "user" interacting with the automation in a way that gets them injured. Then safety features that increase complexity have to be added. Several (machine) generations later, the cost of the safety features is a larger component of capital machine cost than the process automation itself. Protecting the user from themselves leads to a never-ending stupidity loop. I do like your disposable system idea! Especially the false PII.

Tony Hopkinson

Back in the day, we used to check for boot sector viruses on floppies. When Vista came out, PM mode (poor man's sandbox) was one of the improvements. Most people turned it off so they could see Britney Spears truly naked. You can still go to pages now where they recommend you turn off your firewall to see all of her, and they do it. Now you could say don't make it an option, but then they do, for backwards compatibility reasons... The real vector of attack is greed. Free ring tones, MP3s, porn, tax rebates, Canadian lottery wins, dead businessmen in Hong Kong, little old bible thumpers' bequests and of course Nigerian parcels of money. The list of idiots is endless, and as they say, another one logs on every minute. Mainly with Windows...

AnsuGisalas

A secure system that's only connected to a printer... and onto which one cannot bring anything? That's a typewriter then. And then the disposable system which is used for everything else, and so is attractive to attackers. That's the same as we have already. Correct me if I'm wrong? Why wouldn't one want the disposable system to be as hard to crack as possible?

Tony Hopkinson

The popularity argument is based on the number of installations, not how strong or weak an individual system is, which could be based on the number of accesses if you don't want to put the effort into securing each available access. Which MS et al. definitely don't, as they have no sensible commercial reason to do so.

Tony Hopkinson

Sales and marketing have told me they wanted the features and the bosses told me they wanted them yesterday. So it's official, it's all your fault...... :D Software fixed and left alone? How can you stay in business with a plan like that?

apotheon

"Users are not asking for bloatware."

The article didn't say "users" -- it said "people". Sometimes, however, the users as a group are asking for bloatware. It's probable that no individual user is asking for bloatware; each of them is asking for a single feature, without realizing (in many cases) that the single feature is part of a choice between a lean, efficient, usable application and a step toward greater bloat. Put them all together, though, and you might get a general request for bloatware.

"The people clamoring for particular features and interface changes often seem to be the software developers themselves."

Nope. Developers don't want to endlessly add features. Their managers, however, often do. Marketing departments definitely do. These, too, are "people" -- and they are not the developers.

"everything they do using the new Office "menu" system (ribbons) is slower because it requires more mouse-clicks."

The ribbon is an attempt to put a band-aid over bloat. It's meant to distill the huge collection of features down to the most commonly used options, to suit the needs of the majority, without actually eliminating the other features that are used more rarely. Of course, this is only a weak attempt to cover up the fact that MS Office has become bloated beyond all reason, but the ribbon itself was a noble attempt by those who realized they'd never be allowed to put the application on a diet to make it feel less bloated. It is at best a solution of mixed value, though. The way it got that bloated was pressure from a combination of user base, management, and the marketing department at Microsoft. The developers surely didn't wake up one day and think "We really need to make up some more, largely meaningless, features to add to this software! Grunt work is awesome!"

Neon Samurai

I see popularity contributing to frequency of attempts but the more interesting metric remains response time; how long is the vulnerability exploitable, how long between bug report and patch release. If popularity related to security rather than attempts, we'd see the most popular attack targets having the lower patch times and resulting higher potential for security. Flaws in the platform that enable exploits through the application would be addressed in the platform layer instead of "that's a problem with XYZ, tell the third party developer to fix it". A more popular platform will get more attempts against it. If popularity related to more than the number of attempts, that most popular platform would be the most secure. Instead, we see the same flaws continuing to be successfully exploited. Imagine if popularity came with the security QA responsibility it suggests.

Tony Hopkinson

The most intelligent piece of kit you have is the human in the loop. The idea is to stop, well, reduce them making silly mistakes through lapses in concentration, not to replace an intelligent human with a silicon moron. There's a big difference between automating control and automating a function.

apotheon

When you let accountants and their ilk manage automation, you end up with the situation you describe. Such idiots see the "opportunity" to reduce costs by eliminating workers from employment, and by reducing the necessary skill level (and thus compensation level) of workers. If they had half a brain between them, these gits would realize that they should redirect intelligence to work on other enhancements to the process. The real value in automation is not in reducing the amount of involvement of humans in the process; it's increasing the opportunity for humans to work on improving things that makes automation valuable. This is why good programmers who automate software testing then spend the extra time they don't have to spend testing software on doing other productive things, such as refactoring code to make the application more stable, secure, and maintainable.

AnsuGisalas

Popularity is linear... it's just length. In itself, a one-dimensional-L target is hard to hit. Amount of weaknesses is width. By itself, a one-dimensional-W target isn't attractive to hit. Put them together, multiplying L by W, and you see how big your target is. Now, the second fallacy as described by Chad comes from the fact that popularity is relative, but number of installs is absolute. So, yes, a huuuuuuuge target several miles high and wide is easy to hit, but so is a [i]relatively[/i] insignificant target of 20mx20m - it's insignificant only compared to the huge one, not compared to the payoff/effort calc of the crackers, which is an absolute measure, not a relativizing one. The crackers, you see, also take into account the other side of popularity. It takes so and so many successful exploits to close a hole. It varies from publisher to publisher, but not by a huge margin. So, if you're milking the same huge cow that a million other guys are milking, then the hole you're using can get plugged pretty quickly. But if you're milking a smaller and out-of-the-throng cow, then you have a longer milking time - personally. So there are crackers out there scouring for nice niche products to milk, be certain of that.

apotheon

Software fixed and left alone? How can you stay in business with a plan like that? You can do that pretty easily, if your business model isn't growth-obsessed.

gscratchley

Or, does popularity engender an unintended behaviour on the part of the supplier? I.e., "because so many people want it, I better get it out there faster; I may have to short-change security features to do so." Glen

AnsuGisalas

Something's wrong with those numbers. Should be a 34 in there too... after all your company is only a handful of days older than I am :p Or maybe you've laced your disclosures with inaccuracies? Like Columbus, to prevent theft of intellectual property? ;)

bergenfx

(said with a cherubic, churlish smirk and eyebrows raised in quixotic detachment with a tiny flavor of adolescent eye-roll)

santeewelding

"Winkey-faced". I'd use it, going forward, if I knew what the hell it meant.

bergenfx

Now I understand why I don't always understand, if you understand my winkey-faced drift.

santeewelding

Only 34? Me, I got me 35, coming up on 36, nominally. Forty or more if I count the other stuff. I lay in wait for those with less.

bergenfx

words. After 34 years of doing this ... sent the youngest off today. (This feels like the digital equivalent to leaving a note under a rock that may or may not ever be read, but it seemed like a good rock to put it under all the same ... and yes, I am aware of the ambiguous reference. We can let this one slide).

santeewelding

There are layers of indirection here that are not your own? Oh, my God. What [i]have[/i] I gotten myself into?

apotheon

I appreciate your clarification. As I said, I just wasn't sure what you meant, in context. There are times when I just don't feel up to trying to sift through the layers of indirection in discussions, for good or for ill, and choose instead to bluntly ask what people are saying or just leave well enough alone. I'm feeling a little of both, about different parts of the discussion here, at this exact moment. Also . . . thank you for the expression of your opinion of my capabilities and presence here. I'm not immune to flattery, much as I like to flatter myself with pretensions to the contrary.

santeewelding

And the trace you leave of it, cuts admirably well through any old-boy crap you may or may not see here. Keeps others honest.

bergenfx

It wasn't an implication; it was an interpretation, or rather, a mis-interpretation (see "I guess that invalidates" above). But you asked, so here are the thoughts leading to the mis-interpretation. First, my observations: You are quite articulate. You construct very solid, and sometimes airtight, arguments. No secret that you are among the most adept at discourse in these pages. And most of the time, you fight fair, and do not descend to gutter warfare. I may be wrong about any of that, just as I was wrong with my interpretation. My mis-interpretation ... that Santee would rather see you stay on the high road and see others defend in the gutters. And according to the mis-interpretation, it did not indict your capability to engage at that level, just the notion that you shouldn't. So, the mis-interpretation is embarrassing. I obviously don't know the players, understand TR or read tea leaves. If you want to add your two cents to that, now is an opportune time.

apotheon

1. Censorship is heuristic, subjective, and prone to error -- but I repeat myself. 2. Please clarify your implications, lest I infer in error. I'd like a more straightforward assignment of your analogies, if you don't mind.

AnsuGisalas

I give the censor-app a "non sine laude approbatur" for diligence, but a "pereat" for realization.

bergenfx

the "Of course, I am just reading the same cave paintings" post. I'm changing to something more scientific than tea leaves ... maybe Tarot. And I am changing my aspiration to a younger Cleaver brother ... maybe Alfred.

santeewelding

Much earlier. Think, powdered wigs to hide scabies.

bergenfx

... [with] tea leaves that others are reading, but I thought it came down to: Voltaire would not kick someone in the ba77s.+++ Not that he couldn't or wouldn't take a man's heart out with his bare hands, but that his sovereign defenders would never let him. They would take care that he did not have to descend. For me, I aspire to the older Cleaver brother. Voltaire would be nice. Maybe next aspiration. +++ No implication on my part that you were going there, but perhaps the author noted a particular direction. edited to change and note --> Did you know that certain words that may involve Magna and Laude are censured? Very, very thorough, these censors.

apotheon

I am capable of thinking of the way to do something positive as well as the way to do something negative. Sure, I know a thing or two about destroying -- and I also know that it is generally preferable to build.

AnsuGisalas

You seeing something I don't? Share. Lace cuffs - that somehow makes me think of an early 1800s gentleman pugilist. Not an altogether unflattering image, you know.

santeewelding

Right? Expert at breaking things and killing people, right? So am I. I don't see it in what you are saying. What I see is lace cuffs.

AnsuGisalas

the latter has better funding, and better incentives to work hard. Printing their own money, as it were. It's funny, it's always like that. Military too... protections always tailing weapons. Right now, for instance, a four man infantry team can carry with them weapons to take out any tactical weapons platform they can see. And there's a price-tag difference there to make it very interesting, defense-wise. Now, if only there were other parallels; hackers that go singling out security flaws in botnets and malware, to make them turn on their creators or users. But maybe there is. Hijack a botnet today!

Neon Samurai

I'm thinking that most people don't need to go out of their way and use some obscure vuln. With blanket attacks, they are playing the odds; one million sprayed, 10,000 successfully breached. Everyone is a target of a blanket attack, though it may only be possible to affect some of the targets hit. From the defensive side, there is little value in obscurity. Pick an unpopular OS or hide SSH on a port different from 22; doesn't matter, the attacker will find the port or learn the new system. From the offensive side, obscurity is valuable. You want to sneak in and remain undetected as long as possible. You are the foreign body in the system and must evade the antibodies. So, there probably is value in choosing a more obscure vulnerability provided you can make an exploit consistently effective against it. A larger period of effectiveness means updating your bot-creating malware less frequently. I just don't think criminals are intentionally looking for obscure stuff from their stockpiles. These days, it's organized crime and profit, not impressing one's friends with cleverness. You pick the vuln that works for this run and use it until patch time. Then, you keep using it until it becomes ineffective, catching those slow to patch while you weaponize the new vuln for the next attack run. If the cow is giving milk, keep yanking the udder. You won't be down long, if at all, when popularity causes your vuln to get fixed. On the other hand, you have an effective vuln now where your stockpiled vulns may become known and fixed. For this reason, you want a collection of vulns. Hit the one that works now hard while it works. Make sure you can swap in any of the next vulns easily in case some of them are patched before you make use of them. In this game, there are researchers on both sides luckily, but defensive is still a game of catch-up. If vulns are being discovered by well-intended researchers, they are also being found by those with malicious intent.

AnsuGisalas

that they avoid the less popular targets for this reason? I don't suggest that they avoid the most popular ones for this reason, only that every viable niche will be filled. And that a low-intensity one may well be long-lived enough to be even desirable to some. A patch isn't the end of their party, for sure.

Neon Samurai

If we consider the cow as the exploitable vulnerability previous to patch availability, then drawing more attention to it will hopefully draw enough attention to get a patch produced. Sure, lots of people milking the same cow results in the cow drying up. But the people doing the malicious milking have a long list of cows previously unknown. They simply pull a new 0day vulnerability from the stockpile and work it until exhausted. As a criminal, you're buying or finding your own 0day vulns on the side while exploiting the latest working vuln for your own ends. More people milking the same cow just means updating your gambit more frequently.

Tony Hopkinson

There are other analogies 1000 spear armed natives versus a machine gun. :p But the real clue is the guys who go for the popularity argument are looking for an excuse not a reason.

Tony Hopkinson

that would be defined as heresy by the current incumbents. In fact so vile a heresy I don't believe that they are actually capable of thinking about it without becoming violently ill.

apotheon

How's this for a paraphrase? "The perfect slave believes (s)he is the only free (wo)man." That sounds suspiciously like a description of the GPL-faithful, actually.

kama410

No, not alone, clearly. Just a member of a tiny, but hopefully growing, minority. Sadly the huge majority is, well, the phrase, "None so blind as those who will not see." seems appropriate. My own more to the point expression is: The perfect slave not only does not know he is a slave, but is convinced that he has more freedom than anyone else and will violently refuse any evidence to the contrary.

Neon Samurai

assuming paying shareholder profits above all other considerations is ethical rather than imposed by society as a moral (of course, that's a whole other tangent to mess about in).

seanferd

Like exploding gas tanks and spewing oil wells. (Petrochemical theme not intentional.)

seanferd

Thomas Jefferson held the very same reservations for the same reasons. No one listened. No, you are not alone.

Tony Hopkinson

not in sales and marketing either. :( If you were it would make perfect sense. :( :(

Neon Samurai

The corporate entity itself is neutral and has been used towards good ends also. But with the publicly traded corporation whose retail product is returns for the investors above all else; yeah, those are a problem.

JosiahB

I've known other companies that have worked to a "when it's ready" timetable. Icelandic developers CCP come to mind; they've described so many features for EvE Online as coming 'Soon™' that they turned it into a t-shirt. End result? A successful, solid and stable game which has seen the most active players on one server of any MMO. Rushing releases leads to poor quality, unstable, insecure software; seems obvious to me and I'm not even a developer....

kama410

It brightens my day every time I read something showing that another person has come to the realization that a lot of the problems we face in our world are a fairly direct result of the existence of the legal entities called corporations. Specifically, as you said, the publicly traded corporation. Their eventual demise will be a terrible thing to live through. Like any other organism, they will fight to preserve themselves. And they are huge and powerful organisms.

apotheon

It's not the market's fault. It's the fault of this legal convention, imposed on the market, that we call the "public corporation". Perverse incentives are part and parcel of the existence of that business entity, the publicly traded corporation.

Neon Samurai

If the company is in the business of shipping 10 billion a year in high quality software yet knowingly shipping premature or otherwise substandard products, there may be an ethics issue. If the company is in the business of shipping 10 billion a year in shareholder equities and software just happens to be the material used during profit production, shipping substandard software is more expected, since the expense of QA detracts from the core product (i.e. shareholder profit). The two are very different company goals and sadly, the market rewards the second far more often than the first.

Neon Samurai

There is definitely the motivation to rush unfinished product to market to meet a calendar date versus an engineering metric. Canonical is doing this with the Ubuntu distribution, released on a marketing calendar rather than when it's ready, and Windows is notoriously rushed out the door for marketing dates; Win7 being possibly the only Microsoft distribution that had noticeable QA done while still in official beta and RC status. I think the mentality of shipping a product and fixing it after, rather than quality at time of delivery, is part of the problem. I contrast this to Debian's impending release date for version six, which is currently scheduled for "when it's ready"... or in more detailed terms, when it meets the engineering metric needed to be called the new Debian Stable. Perhaps ironically, it is this solid product's history of stability and security that makes it so attractive as a parent for other distributions like Ubuntu.

seanferd

of the vendor. Especially vendors of such popular software that they have huge amounts of money and dedicated developers to work on these things.

Tony Hopkinson

That's a very tactful way of describing the situation.