Remix.run Logo
wahern 3 hours ago

According to https://openai.com/index/patch-the-planet/

Linux: 24 LPEs, plus many additional vulnerabilities.

OpenBSD: 1 LPE.

FreeBSD: 7 LPEs, plus many additional vulnerabilities.

Not sure what that says, though. Perhaps the models are more likely to find Linux issues because of the training.

dcrazy 2 hours ago | parent | next [-]

Or Linux development is significantly more active.

ori_b 2 hours ago | parent [-]

This is an external audit. Why would Linux activity make a difference here? Are you theorizing that the churn causes bugs?

asveikau 2 hours ago | parent | next [-]

> Are you theorizing that the churn causes bugs?

Seems to be the case.

How many times do you see a bug investigation and it's determined when the bug was introduced?

Do you ever look at the diff that introduced it to understand what was going on in the project at the time? Often, it's in service to a new feature. Sometimes the original change is questionable when you consider you traded it for a severe bug.

tosti 2 hours ago | parent | prev | next [-]

When more code is written, more bugs are written.

Or, if the act of debugging is removing the bugs from software, then the act of programming is to put the bugs in the software.

dwroberts 2 hours ago | parent | prev | next [-]

Linux is a much larger project receiving changes to tons of systems from lots of different sources. The combined behaviour of those things working together is massively harder to understand and test.

Copyfail being introduced by an optimization made to some random crypto module is a good example of this.

throw-qqqqq 2 hours ago | parent | prev [-]

The Linux kernel is generally much larger than OpenBSD which is quite minimal.

But I do agree with you - not directly related to activity.

dcrazy 2 hours ago | parent [-]

As another commenter said, number of bugs increases with lines of code changed.

_flux 2 hours ago | parent | prev | next [-]

I wonder how many of the Linux the LPEs are related to drivers, which I understand there are more of..

kevincox 2 hours ago | parent | prev [-]

It is quite possible that Linux is the bigger target so it gets more focus. Vulnerabilities there are generally considered more valuable and notable. It would be very difficult to use these numbers to get a meaningful "more secure" stance as there are tons of variables.

t-3 9 minutes ago | parent | next [-]

From a quick search, Linux kernel is ~40 million loc, freebsd ~9 million, openbsd ~3 million. Number of bugs compared to lines of code leaves FreeBSD looking worse than Linux.

acdha an hour ago | parent | prev | next [-]

Linux also has a ton of extra functionality so I think you’d also have to do some adjustment for “as a user would I be at risk?” versus “can I be a user because it supports my needs?” Some of that would be unfavorable for many users (e.g. a Linux user who is exposed due to a network protocol or file system they’ll never use) but that’s certainly not true of every feature.

hulitu an hour ago | parent [-]

Linux also has a ton of bloat. Configuring your own kernel has become an exercise in frustration because documentation is worse "There is no help for this kernel option" and a lot of things are enabled "by default".

dspillett an hour ago | parent | prev [-]

If this is just counting the kernel, than Linux is probably a bigger target both i terms of current code size and the amount of churn in the codebase as things change over time. Some of the LPEs might (I've not checked) be in modules that are not commonly loaded, which mitigates their overall significance somewhat.

In the less likely even that this is counting what laymen would call Linux or BSD, i.e. both the kernel and common libraries & tools, then Linux definitely has a wider attack surface. Though some of that surface is shared as some userland parts are common to both.

As with your assessment, I'd agree that these flat numbers without looking for further context don't really give enough for a one-is-more-or-less-secure statement.