Discussion on:

Ubuntu's two big advantages over Windows and Mac

Original post:
http://blogs.techrepublic.com.com/hiner/?p=5556

because all GNU/Linux distros have those advantages.

From what I know, Canonical is the only one to provide the "app store" style library browser. The benefits of the central repository though.. fantastic. It's one of the things I miss most when working with other software platforms.

OpenSUSE does this as well. I'm not an Ubuntu user so I don't know what their categories are, but OpenSUSE breaks theirs down into things like Network, Office, Development, etc. It makes it a lot easier to narrow down your search.

That sounds more like the GUI package manager which pretty much all graphic package managers do. With Ubuntu, the comparible program would be Synaptic which provides graphic browsing and management of the repository packages.

I believe the difference with the app store is that one can buy retail software through it also. I also don't know Suse so I'm guessing blind.

Whilst a centralised repository can be good for updating with supposed repairs to security breaches, it can also represent a central threat; if a flawed approach is contained in this mechanism it could represent an excellent way to distribute malware of any sort.

A centralized repository can't do jack for a security breach, but it is extremely useful in plugging security holes by patching vulnerable software (provided it is used). As for being a threat, that also applies to any "automatically updated" software including Microsoft Update or even the updater built into Firefox.

One of Red Hat's mirrors got left with a weak password though I don't remember if it was discovered before or after unauthorized use.

A Debian maintainer ignored Debian policy (did not consult OpenSSL original developers) and did uploaded a weakened OpenSSL package to the repositories. When discovered, it was fixed within a weak and we now have the openSSH/SSL-blacklist and openSSH/SSL-blacklist-extra packages which identify the resulting weak certificates caused by the issue. (specifically, the Debian dev removed some code that added randomization to the cert generation)

An IRC server was compromised on mirrors of the original developer's site. Gentoo then included that program into it's repositories. To date, only people who downloaded the source package from an affected mirror server or installed it from Gentoo's repositories. No other distribution has been found to be affected. The problem here is that the Gentoo maintainer didn't bother to check the MD5 hash of the source package. Gentoo and the IRC server developers reputation took a beating though they both publicly and promptly anounced the issue while providing clean packages as fast as possible.

Repository miss-management has a big affect on reputation of a distribution. It's a true competitive metric between distributions. How well is the repo maintained, how many packages does it include, how fast/effective are updates to those packages?

To get your package into the main repositories, there are usually several vetting stages. For Debian, you survive peer review in the Unstable repositories before you get moved into Testing repositories. You'll then be under constant peer review and won't actually be included into Stable repositories until the Testing version becomes the new Stable.

Debian 0 Unstable Sid - holding tank for package submittions. Must be something like two weeks without a bug found before moving to Testing.

Debian 6 Testing Squeeze - what is being consolidated and vetted to become the next production quality version of the distribution. This is the "Beta" distro. Gets new program versions and bug/sec fixes.

Debian 5 Stable Lenny - current production version. Does not get new program versions added. Only bug and security related updates are provided. (You won't get Firefox 3.6.7 but you the version that is included has been kept patched and secure)

On the human side, a developer has to earn access to the repositories. One doesn't just ask to be a package maintainer with upload access. You start by submitting small bug reports and patch recommendations. As you earn a reputation among the developers, you work on bigger bugs/patches. Eventually you become known and trusted well enough to potentially be accepted as a package maintainer responsible for that entire program rather than just arbitrary bugs you take on.

Both code and people go through solid vetting and approval with distributions that have any kind of recognition as a major distro like Debian, *buntu, Mandriva, Red Hat.

I'm talking the non-retail distros here. Retail distros like Red Hat, Suse and similar have large companies behind them with the normal hiring processes and such in addition to community versions of there distributions used for R&D.

Three repository related issues in the last ten years or so. That's a heck of a record to try and match. Centralized distribution has proven itself more beneficial to the end user.

[Your response says more than anything I could say to ultimitloozer in response to theirs]

Impressive, and all from an open source mechanism.

I am still laughing at Dell for their recent **** up, and of course there have been instances of shrink wrapped/commercial software viruses.

I suppose I am extremely distrusting of any mechanism at all. Or individual/organisation.

From the perspective of organisational psychology, if you meet an individual within an organisation and are left with the impression that they have issues, are sloppy at their work and such like, then look further up the chain of command to find the initial culprit, in the form of their hiring officer. This applies to security, and deliberate/malfeasant hijacking of an organisation, its products and activities.

Granted a volunteer/open source body might seem more likely to be vigilant and honest, but there is often an idiot in the pack. It starts with just one error, of commission or omission.

I should have also included the motivation angle. With a retail product, you want to maximize profits from that product by putting as little expense (work) into it as possible. Provided it's good enough to not cause too many store returns, it's ready.

When your not being driven purely by maximum profits from minimum expense, you can put more time into product quality. The blend of retail and community forces is different from distribution to distribution but look at a distro like Debian. The new version is released when it is ready to become the new Stable not when some marketing manager's calendar says "beta or not; start the press launch".

I see the politically correct auto sensor cut in at the sight of c**k up.

For the benefit of whomsoever is responsible for this, a little history; a c**k up occurs when the c**k feather on an arrow is placed upward in the longbow, causing the arrow to misfire. It is an English phrase with a noble history, and it has absolutely nothing to do with anything in between the legs, and you might show signs of judgement and wisdom if you edit your filters accordingly and thus appear less inclined to political correctness.

...the twit that did that made it look as if you wrote 'f**k up'.

Maybe it is anti-firearms bias, so that one can not say '**** a pistol'.

[Edit: See! I can't! ]

...they disapprove of the phrase "Kick against the pricks", too.

Who killed **** Robin?

Ride a **** horse

Prick up your ears

The Owl and the Pussycat

Arsenic and Old Lace

Bedknobs and Broomsticks

Free Willy

Wear your scarves and ear muffs


Hmmm... little help?

if Ubu has these advantages and so does other linux distros then those other distros would also have the same advantage. Your statement is self-contradicting and self-defeating.

But you obviously think that any linux distro has these advantages over apple and ms.

then he should have replaced all occurences of the word 'Ubuntu' with 'Linux'.

I don't think that was his point. The 'app store' doesn't exist for most distros.

Having a single source for software download is considered an advantage? anyone can Google for free software for any OS. I do not see what the advantage is. For novice users I suppose a single source can be beneficial but then that user would not be using Linux, IMO

Part of the problem with Windows is that users go to any old website and download "britney naked screensaver". There is much more opportunity to download grief from any old untrusted source.

The repository is a whole other world by comparison. To get into Debian Stable (the production ready product), you have to get your program into unstable from which it must then make the move to testing before eventually ending up in Stable. That vetting process alone stomps all over "I wanted this so I downloaded it and accepted addzilla that it came bundled with"

It's not about a single source to *visit* for software. As convenient as that is, it's hardly a gamechanger. If people want to scour the internet for applications, then more power to them.

What makes this a step up from anything the commercial OSes have to offer is that it is a software REPOSITORY. The software available for this is funnelled through testing procedures and evaluated as being compatible with the OS you are using. And once you have installed it, it will be able to automatically update itself through that same repository. It's a single point of entry for software to your system, supported and maintained by the producers of the operating system.

In that respect, it's quite unlike anything in the Mac/Win world, and as a security model it's miles ahead.

http://appbodega.com/

"Bodega is like a storefront right on your Mac?s desktop, one that?s chock-full of software apps from Mac developers around the world.
Just download and install the Bodega app, and you have access to an ever-growing catalog of software to meet your every computing need. Here are a few highlights of what Bodega can do"

With repositories like Debian's the software goes through significant review before it makes it to what you can download. Does Bodega centrally store the programs and how much review do those programs go through before being made available?

With the given example of Debian, you have to get through Unstable repository to get into Testing repository. Then, you won't actually get into Stable for production use until the next major version release. Your app sitting in Debian 6 Testing (Squeeze) will remain there under constant review until Debian 5 Stable is replaced with Debian 6 Stable.

Bodega is a third party app. The point being Ubuntu's 'app store' is integrated directly into the OS. It's out of the box and if you want additional software during the install or use of the OS, you should go through it first.

Also since since you download applications via shell, developers who have dependencies on other software can prompt you to have them installed and automatically download the latest (stable) version in the process.

Just because some third-party app exists to handle this doesn't mean every user will know to look for it. Which is why is it an advantage. It's Windows shipping without Notepad because MS Office exists in my opinion.

With Windows, at least, once you are over the hurdle of an application that plays nicely with the OS, you then have to be sure that the app. plays nicely with every other app/combination of apps./ device driver.

As for application updaters in Windows, they are available (3rd party of course), e.g. Update Notifier (http://cleansofts.org/)

Does Update Notifier actually do the update download and install or just notify you and provide a link? Secunia is a beautiful bit of software but it does just the notification and link to a download. Your still left to manually install and test compatibility.

Linspire's Click'n'Run (one-click download+install+integrate with OS menus/Icons) technology now owned by Xandros, and available on Ubuntu/Fedora etc. (cnr.com)was a terrific beginning which the other distributions owe them a debt for!

It long preceded the App Store!

Mike

I remember hearing that Canonical was including CnR. I just assumed that is what the app store had been based on.

I believe package repositories predate linspire.
Yum has been around I believe since 1999 or 2000 and apt I believe has been around since before I started using Linux (1998).

They were (are) command line, but gui front ends were quick to follow.

CnR is more of an app store setup to go browse and single-button buy or download as applicable. My understanding is that CnR was designed as a way to distribute retail software since those selling software don't want to put it in the general repositories.

While it may use the repository method in the back end, it is a separate system from the standard repository/package setup (which definitely came before linspire).

Then Linux has no debt to Lindows, because that's not what the distros do.

I didn't mean to infer that CnR pre-dated the repositories! Only that the CnR system as implemented was literally a one-click "download+install+integrate_with_menus|desktop_icons", once one had selected the application(s), and updates to both the System components, and also any other applications installed through CnR, were automatically notified and optionally implemented.

Mike

As Lisa Simpson would say - 'You infer, I imply'

Though, I didn't know the specifics of it other than "browse to the app you want, click the button".

Talk to anyone who's a bit more advanced in technology than the average American, and you'll notice that they think something to the effect of "Ubuntu's the only Linux".

Mention Slackware, and they're stumped. I had one guy say "Gesundheit" when I mentioned Gentoo.

So, it's fair to Linux saying Ubuntu's got it over Windows and Mac, and yet unfair to Linux in saying only Ubuntu has these.

Edit: Well, in ways of access, Ubuntu's method is easiest (app store like), but anyone can make a GUI frontend for a distro's package manager.

I HEARD IF MAC AND WINDOWS MARRIED THEY WOULD HAVE A BEAUTIFUL BABY - WOULD IT LOOK LIKE LINUX?

it is surprising that after centuaries of speculation about the meaning of the Egyptian Hieroglyphs,
they were only decipherable with the Rosetta Stone. Imagine the improbability of that notion. A massive
civilisation which built the Pyramids had a writing system and no-one knows anything about them, both their
technology, nor their true origins. It's almost as if to say every Chinese person suddenly can't read Chinese.
That's a strange notion. Given that Microsoft was readily hoodwinked by a Nigerian scam, and that nearly every
office in the world uses their products, what would be the outcome if there was suddenly no support?

It is therefore a good thing that Linux exists.

Lets hope there are more like it to follow, and of its calibre....

And asides security, why not talk coercive psychological tactics on part of so-called reputable companies,
and their web pages, whereby the first page prompt is to fill in your VISA CARD details. It's a kind of a
look a like to a stealth-bot which garnishes such information, excepting it's a real loud mouth harassing you perpetually
from a call centre, where every second mouthful is 'give me your money'. What's the difference? It doesn't matter how
good your 128bit, RSA, MD5, etcetera is, anyhow.

Also, all traffic over the net goes through servers, first and foremost. Why is server software not more vigilant, in honing stealth-bots,
and Trojans and etcetera, if there are distinct programmatical signatures per the technology of its like. Because anti-virus software makes a fortune
off all those 'security concious' users which amounts to millions.

And besides your very first interface with a web browser proxy quite clearly gives you the option: would you like to continue or not continue,
after informing you that any exchange over a the Internet is subject to 'public invasion' if you like.

So what are the legal ramifications anyhow, if YOU chose YES. It was your choice accepting that danger.

To be quite frank I like them all, Mac, Linux, Win(DOS). They are all cool. If only there was true UBUNTU, and no scammerie.

Too idealistic, I know.

after all, you didn't really respond to anything in my post, you rambled nonsensically about other garbage.

it's to bad Cannonical screwed the security of GNU/Linux with Ubuntu [ and the rest of their distros ], it might be usable if they hadn't.

nope, GNOME and KDE both not usable.

Hey I'd appreciate a pointer or two if you can spare the time. I may have time to put a new HD in a notebook for Linux purposes alone, and have been preparing myself for Ubuntu, which I found myself liking more than Knoppix. I could even become a fanboi!

GOOGLE networks are run on LINUX. THEY don't complain of SECURITY issues with Cannonical. HOW did they overcome this?

Really an illegitimate child (as I don't see Apple and Microsoft mating any time soon) thanks to Intel . . . but Linux runs on WINTEL as well, so it's a not-so-distant cousin.

I think it's fair to call these advantages of the open source distribution model, advantages not limited to either a specific distribution or Linux in general.

Both are the result of developers willing to have their products offered and updated via a central mechanism. The two major closed source / proprietary operating systems have no such agreements or arrangements with the third-party vendors who sell apps for those OSs. Such arrangements are possible (see Apple's apps store), but so far there's no sign of them for the propretary desktop platforms. Why? I suspect it's too many conflicting economic interests, a problem less likely to arise with open source apps.

I see where you're coming from and there's certainly truth to the "conflicting economic interests" argument. But, if Microsoft were to set up a Windows app store and give all of the software makers a 70% take on the revenue (which is what Apple does for its iPhone App Store) and provide a streamlined experience for users to browse and buy software, I think it could be a major success.

It would be opt-in, of course, but if users took to it and started using it as the primary way to discover software, then the software vendors would all be lining up to get on board.

I see Microsoft distributing competitive software as a bigger challenge to overcome. I don't see them putting Firefox and Chrome in the WinAppStore along side the latest IE. Openoffice and other office suites listed along side MS Office are probably a no-go also.

Even if it didn't die within MS company politics, Shareholders would need to be convinced that there is more profit in making competitive software easier to download. I do hope the rumor of a Windows repository has some truth to it. I'm just not sure how this is going to work with the MS way of business.

MSN used to have a kind of software repository called the Digital Locker (http://g.msn.com/??????/??????). They were all trial versions of software to try out. None were Microsoft software but sofware for the MS platforms. I don't see it anymore. The page links usually redirect to Windows Market Place http://www.windowsmarketplace.com/.

I think Microsoft attempted this idea initially, but hardly anyone used it, so it lost support more than likely.

DUNNO

Never heard of it but I was never a heavy Microsoft Network user. I'm guessing it was provided for MSN members or poorly advertised if lack of interest was the reason it was stopped. Pure speculation though.

Jason,
I agree with you on this. We are seeing small attempts to do this in the Mac world but not from Apple. AppBodega (http://appbodega.com/) is an attempt to bring together small software developers into an app store concept. I've use the app and it's quite solid. There is also quite a bit of FOSS in it as well.

I think it will be a challenge to get the large vendors such as Adobe to Microsoft to embrace the concept as they have no problem getting people to "discover' their software.

Also, almost every Mac app I've used has some sort of auto-update mechanism.

Imagine if all your osX software updated through the system updates interface.. all at once.. Apple's own programs plus the third party stuff. My grief with osX and Windows currently is the twelve different check/download/install processes I have to go through before covering all software on the system.

Autoupdate is a problem for me to though. I want to know updates are available but I don't want to be a beta tester getting force-fed automated updates. Just like Windows, wait until the user posts hit isc.sans.org about what the updates broke.

Even my *nix get a manual update so I can review what packages will be affected. If it's a major component, I may need a website developer on hand to confirm that everything is good. If it's an obscure component, I may look up what it is related to. Just now, it was the network-manager update that took out my wifi connection (my own fault, running Debian Testing).

AppBodega is central and automatic. So is is MacUpdate. http://www.macupdate.com/desktop/

No. They do not come from Apple. Does that matter?

I'd list "do not come from Apple" as a bonus. My reason for doc using on Apple's update utility is just to minimize the installed software. One update utility is better than two or more. Still, two is better than "do you wish to update now" windows every time a program is opened (say.. Itunes.. for example).

Nice that they do auto-update of the notified programs though. I'd personally go for a "notify me of available updates but let me choose when to download and install".

I have seen some systems that had 35 different update sources to check.
mainly for different 3D graphics apps for windows systems.

and they used 25 different 3D graphics apps, from 25 different vendors because each app fit a particular niche in the workflow, though 6 of the apps had the tools to do all tasks in the workflow in them.

I don't want to be the tech that gets to do that test and update cycle.