
Have Heartbleed and Shellshock changed your attitude to open source security?


parspes

Oct 2, 2014, 7:08:46 PM
When many people can look at source code, bugs and security holes should
be discovered quickly.

http://www.linuxvoice.com/?p=2122
http://en.wikipedia.org/wiki/Linus%27s_Law

--
more != better

William Unruh

Oct 2, 2014, 7:18:10 PM
On 2014-10-02, parspes <par...@gmail.com> wrote:
> When many people can look at source code, bugs and security holes should
> be discovered quickly.

They were. It was by looking at the source code that the bugs were
discovered. It does of course require looking with malice at the code,
and it is true that that happens less frequently than it should. But
once it started, the bugs (and more than the initial bug) were discovered
quickly and fixed quickly.
So, no they have not changed my attitude. They have strengthened it
since they were discovered and fixed extremely fast. (hours, not even
days).

>
> http://www.linuxvoice.com/?p=2122
> http://en.wikipedia.org/wiki/Linus%27s_Law
>

mike

Oct 2, 2014, 8:17:34 PM
That coin has two sides.
While the enthusiasts are sleeping comfortably, secure in the
knowledge that their code is solid,
The bad guys are also reading the source looking for vulnerabilities.

On the one hand, you have closed source with an organized, disciplined
team of developers working on the whole process.

On the other hand, you have open source with no apparent organization
and random developers
forking stuff over the transom into the repository at their every whim.

It's hard to declare one process inherently more secure than the other.

DecadentLinuxUserNumeroUno

Oct 2, 2014, 8:59:58 PM
On Thu, 02 Oct 2014 17:17:34 -0700, mike <ham...@netzero.net> Gave us:

>and random developers
>forking stuff over the transom into the repository at their every whim.


Someone should bend you over the transom, and take a nice, wide belt
to your ass.

Jonathan N. Little

Oct 2, 2014, 9:05:27 PM
mike wrote:
>
> On the one hand, you have closed source with an organized, disciplined
> team of developers working on the whole process.

Which is why Windows has such a clean record.....rrrrright!

--
Take care,

Jonathan
-------------------
LITTLE WORKS STUDIO
http://www.LittleWorksStudio.com

DanS

Oct 2, 2014, 10:33:41 PM
"Jonathan N. Little" <lws...@gmail.com> wrote in
news:m0ksoe$g77$1...@dont-email.me:

> mike wrote:
>>
>> On the one hand, you have closed source with an organized,
>> disciplined team of developers working on the whole
>> process.
>>
>> On the other hand, you have open source with no apparent organization
>> and random developers
>> forking stuff over the transom into the repository at their every whim.
>>
>> It's hard to declare one process inherently more secure than the other.
>
>
> Which is why Windows has such a clean
> record.....rrrrright!

(I didn't see anyone mention Windows or make any claims about it.)


One of my first thoughts when news of this broke was, "I wonder if there are any old
forks of BASH out there that have this vulnerability".

As a programmer, I have inherited a couple projects that aren't that tiny. I'd be lying if I
said I went back through every module, every piece of code and read it, and verified it
to be all completely safe and bug free. Sometimes you just can't do that. Everyone's
got deadlines, there's other work to be done. You can't just sit there for hours and
hours and hours reading code. It's obvious this is the case, since BASH is in 90% of
Linux distros, and it is/was used, obviously without any source code verification from
all the organizations and groups that use and distribute BASH under GNU licensing.





John Hasler

Oct 2, 2014, 10:52:31 PM
DanS writes:
> One of my first thoughts when news of this broke was, "I wonder if
> there are any old forks of BASH out there that have this
> vulnerability".

Why do you think that there are any forks of Bash out there at all? Why
would anyone use a fork when the GNU project is doing an excellent job of
maintaining it?
--
John Hasler
jha...@newsguy.com
Dancing Horse Hill
Elmwood, WI USA

Jonathan N. Little

Oct 2, 2014, 11:41:27 PM
DanS wrote:
> (I didn't see anyone mention Windows or make any claims about it.)

Naw, not at all, except for the crack about "disorganized",
"undisciplined", and "vulnerable" open-source is vs the "organized",
"disciplined" and therefore "invulnerable" close-source must be. Total
balderdash.

Richard Kettlewell

Oct 3, 2014, 4:12:15 AM
John Hasler <jha...@newsguy.com> writes:
> DanS writes:
>> One of my first thoughts when news of this broke was, "I wonder if
>> there are any old forks of BASH out there that have this
>> vulnerability".
>
> Why do you think that there are any forks of Bash out there at all?
> Why would anyone use a fork when the GNU project is doing an excellent
> job of maintaining it?

Apple have a fork of Bash.

--
http://www.greenend.org.uk/rjk/

Richard Kettlewell

Oct 3, 2014, 4:16:03 AM
William Unruh <un...@invalid.ca> writes:
> parspes <par...@gmail.com> wrote:

>> When many people can look at source code, bugs and security holes
>> should be discovered quickly.
>
> They were. It was by looking at the source code that the bugs were
> discovered.

It wasn’t exactly “quickly” though - multiple years in both cases.

--
http://www.greenend.org.uk/rjk/

John Hasler

Oct 3, 2014, 8:52:19 AM
DanS writes:
> One of my first thoughts when news of this broke was, "I wonder if
> there are any old forks of BASH out there that have this
> vulnerability".

I wrote:
> Why do you think that there are any forks of Bash out there at all?
> Why would anyone use a fork when the GNU project is doing an excellent
> job of maintaining it?

Richard Kettlewell writes:
> Apple have a fork of Bash.

True, but that's Apple. We were discussing the Free Software world.

Cybe R. Wizard

Oct 3, 2014, 9:14:35 AM
On Thu, 02 Oct 2014 21:05:27 -0400
"Jonathan N. Little" <lws...@gmail.com> wrote:

> mike wrote:
> >
> > On the one hand, you have closed source with an organized,
> > disciplined team of developers working on the whole process.
>
> Which is why Windows has such a clean record.....rrrrright!
>
To be honest and fair, no user has yet run across any vulnerabilities
while reading Microsoft's source code.

;-]

Cybe R. Wizard
--
Nice computers don't go down.
Larry Niven, Steven Barnes
"The Barsoom Project"

Richard Kettlewell

Oct 3, 2014, 9:20:27 AM
John Hasler <jha...@newsguy.com> writes:
> DanS writes:
>> One of my first thoughts when news of this broke was, "I wonder if
>> there are any old forks of BASH out there that have this
>> vulnerability".
>
> I wrote:
>> Why do you think that there are any forks of Bash out there at all?
>> Why would anyone use a fork when the GNU project is doing an excellent
>> job of maintaining it?
>
> Richard Kettlewell writes:
>> Apple have a fork of Bash.
>
> True, but that's Apple. We were discussing the Free Software world.

Apple’s Bash is free software.

--
http://www.greenend.org.uk/rjk/

Caver1

Oct 3, 2014, 10:13:53 AM
On 10/03/2014 09:14 AM, Cybe R. Wizard wrote:
> On Thu, 02 Oct 2014 21:05:27 -0400
> "Jonathan N. Little" <lws...@gmail.com> wrote:
>
>> mike wrote:
>>>
>>> On the one hand, you have closed source with an organized,
>>> disciplined team of developers working on the whole process.
>>
>> Which is why Windows has such a clean record.....rrrrright!
>>
> To be honest and fair, no user has yet run across any vulnerabilities
> while reading Microsoft's source code.
>
> ;-]
>
> Cybe R. Wizard
>

Their brain matter sure hurts though. :)

--
Caver1

Cybe R. Wizard

Oct 3, 2014, 10:19:06 AM
Do you also believe in fairies, pixie dust, unicorns and Ghods? ;-]

JEDIDIAH

Oct 3, 2014, 10:30:10 AM
On 2014-10-03, Jonathan N. Little <lws...@gmail.com> wrote:
> DanS wrote:
>> (I didn't see anyone mention Windows or make any claims about it.)
>
> Naw, not at all, except for the crack about "disorganized",
> "undisciplined", and "vulnerable" open-source is vs the "organized",
> "disciplined" and therefore "invulnerable" close-source must be. Total
> balderdash.
>

Software is like sausage. The main differing feature of Free Software is
that you get to see the process in all of its ugly glory. The problems that
you may try to invent with Free Software are not a manifestation of the whole
"hobbyist" versus "professional" distinction. They are a result of the normally
invisible parts of the process laid bare.

"Professional" software development isn't any more organized or disciplined.

As a consumer rube, you just don't get to see what goes on behind the scenes.

John Hasler

Oct 3, 2014, 10:23:01 AM
Richard Kettlewell writes:
> Apple’s Bash is free software.

They are not part of the Free Software community. Do you know of anyone
other than Apple that uses their fork?

Jonathan N. Little

Oct 3, 2014, 10:35:28 AM
For some ignorance is more than bliss, they armor themselves with it.

Jonathan N. Little

Oct 3, 2014, 10:46:03 AM
True but insight is neither linear nor instantaneous. Many things that
are obvious in the world today were observed but overlooked by countless
others over thousands of years until one day an individual has an
insight, took a second look, took notice and recognized something that
added to our understanding.

The point some are missing is you cannot see what you cannot look at.

William Unruh

Oct 3, 2014, 11:02:33 AM
On 2014-10-03, mike <ham...@netzero.net> wrote:
> On 10/2/2014 4:18 PM, William Unruh wrote:
>> On 2014-10-02, parspes <par...@gmail.com> wrote:
>>> When many people can look at source code, bugs and security holes should
>>> be discovered quickly.
>>
>> They were. It was by looking at the source code that the bugs were
>> discovered. It does of course require looking with malice at the code,
>> and it is true that that happens less frequently than it should. But
>> once it started, the bugs (and more than the initial bug) were discovered
>> quickly and fixed quickly.
>> So, no they have not changed my attitude. They have strengthened it
>> since they were discovered and fixed extremely fast. (hours, not even
>> days).
>>
>>>
>>> http://www.linuxvoice.com/?p=2122
>>> http://en.wikipedia.org/wiki/Linus%27s_Law
>>>
> That coin has two sides.
> While the enthusiasts are sleeping comfortably, secure in the
> knowledge that their code is solid,
> The bad guys are also reading the source looking for vulnerabilities.

The bad guys are not hung up by compiled code. Note the number of
attacks on Windows, which certainly is not open source. But it means it
is far harder for many people to figure out how to fix it.


>
> On the one hand, you have closed source with an organized, disciplined
> team of developers working on the whole process.

Hehehehe. A team of developers who is told to make sure they have the
code out by Tues, never mind the quality control, because marketing had
promised shipping by then.
Or the security is handed over to a recent hire who has never thought
about security in his life, and so has to fake it. Yeah. right.

>
> On the other hand, you have open source with no apparent organization
> and random developers
> forking stuff over the transom into the repository at their every whim.
>
> It's hard to declare one process inherently more secure than the other.

Yes, which is why having others being able to easily read the result and
check it is so important.
That a good contributor's stuff is let slide is true in either case-- do
you really think that the best coder's stuff is tested as rigorously in
closed source as open source? Especially under time pressure?

William Unruh

Oct 3, 2014, 11:06:20 AM
On 2014-10-03, Richard Kettlewell <r...@greenend.org.uk> wrote:
> William Unruh <un...@invalid.ca> writes:
>> parspes <par...@gmail.com> wrote:
>
>>> When many people can look at source code, bugs and security holes
>>> should be discovered quickly.
>>
>> They were. It was by looking at the source code that the bugs were
>> discovered.
>
> It wasn’t exactly “quickly” though - multiple years in both cases.

Agreed.

Caver1

Oct 3, 2014, 11:43:47 AM
What surprises me is that the criminal hackers took so long to find it.

--
Caver1

Hactar

Oct 3, 2014, 12:08:02 PM
In article <20141003081...@WizardsTower.invalid>,
Cybe R. Wizard <cybe_r...@WizardsTower.invalid> wrote:
> On Thu, 02 Oct 2014 21:05:27 -0400
> "Jonathan N. Little" <lws...@gmail.com> wrote:
>
> > mike wrote:
> > >
> > > On the one hand, you have closed source with an organized,
> > > disciplined team of developers working on the whole process.
> >
> > Which is why Windows has such a clean record.....rrrrright!
> >
> To be honest and fair, no user has yet run across any vulnerabilities
> while reading Microsoft's source code.

That we know of. There may have been leaks.

--
-eben QebWe...@vTerYizUonI.nOetP ebmanda.redirectme.net:81
LIBRA: A big promotion is just around the corner for someone
much more talented than you. Laughter is the very best medicine,
remember that when your appendix bursts next week. -- Weird Al

Richard Kettlewell

Oct 3, 2014, 12:08:25 PM
John Hasler <jha...@newsguy.com> writes:
> Richard Kettlewell writes:
>> Apple’s Bash is free software.
>
> They are not part of the Free Software community. Do you know of
> anyone other than Apple that uses their fork?

No. So what?

The original question was “I wonder if there are any old forks of BASH
out there that have this vulnerability”. The answer was yes, with the
vulnerability only fixed in APPLE-SA-2014-09-29-1. Nothing about
appearance on some imaginary free software community membership list.

--
http://www.greenend.org.uk/rjk/

William Unruh

Oct 3, 2014, 12:54:22 PM
Of course we do not know what NSA did.
But why would that surprise you? They have the same problem that the
white hats have-- where to look.

>

William Unruh

Oct 3, 2014, 12:55:54 PM
On 2014-10-03, Richard Kettlewell <r...@greenend.org.uk> wrote:
> John Hasler <jha...@newsguy.com> writes:
>> Richard Kettlewell writes:
>>> Apple’s Bash is free software.
>>
>> They are not part of the Free Software community. Do you know of
>> anyone other than Apple that uses their fork?
>
> No. So what?
>
> The original question was “I wonder if there are any old forks of BASH

I think that the dispute was with "forks". Apple bash is bash, it is not
a fork, is I think what the point was.

> out there that have this vulnerability”. The answer was yes, with the

Caver1

Oct 3, 2014, 1:09:27 PM
I guess what really surprises me is that they both found it at about the
same time.

--
Caver1

Richard Kettlewell

Oct 3, 2014, 1:21:27 PM
William Unruh <un...@invalid.ca> writes:
> Richard Kettlewell <r...@greenend.org.uk> wrote:
>> John Hasler <jha...@newsguy.com> writes:
>>> Richard Kettlewell writes:
>>>> Apple’s Bash is free software.
>>>
>>> They are not part of the Free Software community. Do you know of
>>> anyone other than Apple that uses their fork?
>>
>> No. So what?
>>
>> The original question was “I wonder if there are any old forks of BASH
>
> I think that the dispute was with "forks". Apple bash is bash, it is not
> a fork, is I think what the point was.

That doesn’t seem to be the point John was making.

If you think it’s not a fork then which upstream version of Bash do you
think it is identical to?

(It’s certainly a fork now, since they used their own slightly different
fix to Shellshock.)

--
http://www.greenend.org.uk/rjk/

John Hasler

Oct 3, 2014, 1:37:18 PM
William Unruh writes:
> I think that the dispute was with "forks". Apple bash is bash, it is
> not a fork, is I think what the point was.

No, Apple maintains a modified version of Bash, which they include in
their OS alongside an unmodified version. I'm sure that their
"organized, disciplined team of developers" has an excellent reason for
doing such a loony thing. "Company policy", for example.

However, the original question clearly implied that the OP thought that
some Linux or BSD distribution might be distributing an old fork of
Bash.

William Unruh

Oct 3, 2014, 3:25:32 PM
No. They (the crackers) heard about the bug, realised how simple it was to implement
and within an hour had done so.
Nothing surprising.

>

William Unruh

Oct 3, 2014, 3:27:37 PM
On 2014-10-03, Richard Kettlewell <r...@greenend.org.uk> wrote:
> William Unruh <un...@invalid.ca> writes:
>> Richard Kettlewell <r...@greenend.org.uk> wrote:
>>> John Hasler <jha...@newsguy.com> writes:
>>>> Richard Kettlewell writes:
>>>>> Apple’s Bash is free software.
>>>>
>>>> They are not part of the Free Software community. Do you know of
>>>> anyone other than Apple that uses their fork?
>>>
>>> No. So what?
>>>
>>> The original question was “I wonder if there are any old forks of BASH
>>
>> I think that the dispute was with "forks". Apple bash is bash, it is not
>> a fork, is I think what the point was.
>
> That doesn’t seem to be the point John was making.
>
> If you think it’s not a fork then which upstream version of Bash do you
> think it is identical to?
>
> (It’s certainly a fork now, since they used their own slightly different
> fix to Shellshock.)

In which case you would call Redhat's and Mageia's and probably Debian's
a fork since all use slightly different fixes (eg both Redhat and Mageia
also fix the buffer overflow bugs which upstream has not done so yet).
That would be a really weird definition of "fork".

>

JEDIDIAH

Oct 3, 2014, 4:00:09 PM
No. That would be a terribly conventional definition of a fork.

Brand X is different from Brand Y and the original.

DecadentLinuxUserNumeroUno

Oct 3, 2014, 4:28:20 PM
On Fri, 3 Oct 2014 14:40:02 -0500, JEDIDIAH <je...@nomad.mishnet> Gave
us:
Perfect example of open type license apps forking...

Look at the tree for "NetHack".

http://en.wikipedia.org/wiki/NetHack#Ports_and_forks

mike

Oct 3, 2014, 4:37:27 PM
Ok, but what percentage of the linux-based desktop computing platform
is rigorously tested by the "best coders"?
Absolutely anybody can fork absolutely anything and distribute it.

Closed source code IS OPEN SOURCE to the developers/maintainers.
Primary difference is that ordinary idiots can't modify it and redistribute
it as easily.

I'm not saying that one is better than the other.
I'm saying that blind faith that open source solves all problems
is irrational.

John Hasler

Oct 3, 2014, 5:07:11 PM
mike writes:
> Ok, but what percentage of the linux-based desktop computing platform
> is rigorously tested by the "best coders"?

What percentage of closed source software is rigorously tested by the
"best coders"? There are thousands of closed source vendors. On
average, they employ average coders, who are the only people who have
access to the source. Thus only a very small fraction of it can
possibly be tested by the "best coders". Free Software, on the other
hand, is accessible to anyone. Thus the "best coders" have an
opportunity to review it, regardless of who wrote it.

> Absolutely anybody can fork absolutely [any Free Software] and
> distribute it.

They can try to distribute it. They will most likely be ignored.

> Closed source code IS OPEN SOURCE to the developers/maintainers.

A small, closed group of unknown competence.

> Primary difference is that ordinary idiots can't modify it and
> redistribute it as easily.

Idiots clearly can and do produce and distribute closed source
software. The difference is that nobody can fix it.

DecadentLinuxUserNumeroUno

Oct 3, 2014, 5:18:58 PM
On Fri, 03 Oct 2014 16:07:11 -0500, John Hasler Gave us:

>mike writes:
snip

even aioe rejects his tripe.
>
>Idiots clearly can and do produce and distribute closed source
>software. The difference is that nobody can fix it.

I'd say that mike has a pretty bent perception.

Caver1

Oct 3, 2014, 5:21:22 PM
Normally bugs are patched much faster in open source than closed source.
Much fewer lines of code than closed source. Open source is more secure
than closed source.
The benefits of the forking is that new ideas are coming from more devs.
The good ideas are adopted, the bad fade away.

--
Caver1

Joe

Oct 3, 2014, 5:27:30 PM
On Fri, 03 Oct 2014 13:35:47 -0700
mike <ham...@netzero.net> wrote:

>
> Closed source code IS OPEN SOURCE to the developers/maintainers.

I'd be willing to bet that it's on a need-to-know basis, that a given
piece of source code is accessible to as few people as is practical.

> Primary difference is that ordinary idiots can't modify it and
> redistribute it as easily.
>
I don't think open-source software written or modified by unknown
people would be used or redistributed. The person who placed the recent
Heartbleed bug (accidentally!) was trusted to do so by people who were
in turn trusted to appoint trustworthy people. It wasn't a case of a
random hacker producing a modified security package and asking for it
to be accepted, this was a commissioned work. Similarly, the Debian
OpenSSH bug of a couple of years ago was introduced by the official
maintainer. Everyone makes mistakes, and clearly the quality control
procedures haven't always been what they might have been.

> I'm not saying that one is better than the other.
> I'm saying that blind faith that open source solves all problems
> is irrational.

I don't think many people do have such faith. What they do have to go
on is observation, previous history. There are countless cases where
closed-source vendors have been notified of security issues and have
done nothing about them until either an exploit appeared or the bug was
published to push them into action. This is far less likely to happen
with open-source software, as personal pride is at stake.

I agree with the implied assertion that the idea of open-source
software being subjected to very much scrutiny has been seriously
discredited. The bash bug was there for more than two decades without
being spotted, and as far as I know, the Heartbleed code was audited
by one other person before being widely accepted. Given the nature of
the code, this wasn't wise, and it shouldn't need hindsight to tell us
that.

--
Joe

Aragorn

Oct 3, 2014, 5:27:30 PM
On Friday 03 October 2014 17:51, Hactar conveyed the following to
alt.os.linux.debian...

> In article <20141003081...@WizardsTower.invalid>,
> Cybe R. Wizard <cybe_r...@WizardsTower.invalid> wrote:
>> On Thu, 02 Oct 2014 21:05:27 -0400
>> "Jonathan N. Little" <lws...@gmail.com> wrote:
>>
>> > mike wrote:
>> > >
>> > > On the one hand, you have closed source with an organized,
>> > > disciplined team of developers working on the whole process.
>> >
>> > Which is why Windows has such a clean record.....rrrrright!
>> >
>> To be honest and fair, no user has yet run across any vulnerabilities
>> while reading Microsoft's source code.
>
> That we know of. There may have been leaks.

So sad that several people take what Cybe R. Wizard wrote as serious.
Quite evidently, not many *users* have come across vulnerabilities in
Microsoft's source code because Microsoft's source code is... not
available [*], maybe? Duh!


[*] Yes, yes, with the exception of those special licenses where you
pay a certain amount and then they send you the source code to
(commonly old versions of) a particular software title, and of
course as read-only, and with a non-disclosure agreement attached
to it.

--
= Aragorn =

http://www.linuxcounter.net - registrant #223157

William Unruh

Oct 3, 2014, 5:29:16 PM
Except you are setting up a straw man. No one says that open source solves
all problems, not even all problems of security. Might as well say that
democracy solves all problems. It doesn't. It is just better than the
alternative.

Aragorn

Oct 3, 2014, 5:30:40 PM
On Friday 03 October 2014 23:07, John Hasler conveyed the following to
alt.os.linux.debian...

> mike writes:
>
>> Closed source code IS OPEN SOURCE to the developers/maintainers.
>
> A small, closed group of unknown competence.

According to the annual reports by Coverity, their competence is quite
known, and to be more precise, located a few levels below that of the
FLOSS developers. :p

Aragorn

Oct 3, 2014, 5:31:45 PM
On Friday 03 October 2014 23:18, DecadentLinuxUserNumeroUno conveyed the
following to alt.os.linux.debian...
Which he still feels that he needs to prove to us all on a regular
basis. ;-)

John Hasler

Oct 3, 2014, 7:21:05 PM
mike writes:
> Closed source code IS OPEN SOURCE to the developers/maintainers.

I wrote:
> A small, closed group of unknown competence.

Aragorn writes:
> According to the annual reports by Coverity, their competence is quite
> known, and to be more precise, located a few levels below that of the
> FLOSS developers. :p

On average. The competence of any particular randomly-chosen
closed-source development team is unknown. A few of them may actually
be quite good. Too bad there is no way to know until it's too late.

DanS

Oct 3, 2014, 7:25:13 PM
John Hasler <jha...@newsguy.com> wrote in
news:87h9zl2...@thumper.dhh.gt.org:

> William Unruh writes:
>> I think that the dispute was with "forks". Apple bash is
>> bash, it is not a fork, is I think what the point was.
>
> No, Apple maintains a modified version of Bash, which they
> include in their OS alongside an unmodified version. I'm
> sure that their "organized, disciplined team of developers"
> has an excellent reason for doing such a loony thing.
> "Company policy", for example.
>
> However, the original question clearly implied that the OP
> thought that some Linux or BSD distribution might be
> distributing an old fork of Bash.

A fork of BASH.

I suppose it's preposterous that someone/group would fork an Open Source s/w
package.



DanS

Oct 3, 2014, 7:31:44 PM
"Jonathan N. Little" <lws...@gmail.com> wrote in
news:m0l5t0$56a$1...@dont-email.me:

> DanS wrote:
>> (I didn't see anyone mention Windows or make any claims
>> about it.)
>
> Naw, not at all, except for the crack about "disorganized",
> "undisciplined", and "vulnerable" open-source is vs the
> "organized", "disciplined" and therefore "invulnerable"
> close-source must be. Total balderdash.
>

Microsoft isn't the only 'closed source' software company. There are hundreds of
others. You and the people like you are the ones that typically bring Windows into the
conversation. Why is that?


Original statements.....

"On the one hand, you have closed source with an organized, disciplined
team of developers working on the whole process."

"On the other hand, you have open source with no apparent organization
and random developers forking stuff over the transom into the repository at their every
whim."

"It's hard to declare one process inherently more secure than the other."



OK, so, I see security updates for proprietary apps, AND for open source apps, so, the
third statement seems to be somewhat accurate.




Snarfleborf

Oct 3, 2014, 9:26:44 PM
mike wrote:

> On 10/2/2014 4:18 PM, William Unruh wrote:
>> On 2014-10-02, parspes <par...@gmail.com> wrote:
>>> When many people can look at source code, bugs and security holes should
>>> be discovered quickly.
>>
>> They were. It was by looking at the source code that the bugs were
>> discovered. It does of course require looking with malice at the code,
>> and it is true that that happens less frequently than it should. But
>> once it started, the bugs (and more than the initial bug) were discovered
>> quickly and fixed quickly.
>> So, no they have not changed my attitude. They have strengthened it
>> since they were discovered and fixed extremely fast. (hours, not even
>> days).
>>
>>>
>>> http://www.linuxvoice.com/?p=2122
>>> http://en.wikipedia.org/wiki/Linus%27s_Law
>>>
> That coin has two sides.
> While the enthusiasts are sleeping comfortably, secure in the
> knowledge that their code is solid,
> The bad guys are also reading the source looking for vulnerabilities.
>
> On the one hand, you have closed source with an organized, disciplined
> team of developers working on the whole process.

Please!
Give some sort of warning before you drop a howler like that!
Do you know how hard it is to clean up coffee that's been sprayed over a
keyboard?

But seriously: ROI (Return On Investment)
Manager: "Prove to me how many more copies of Windows we would sell for
an additional x hours of code testing."

The reason that heartbleed and shellshock got so much coverage is
precisely because they're so unusual. With Windows, the reaction's:
<Yawn> Another arbitrary-code-execution bug! What else is new?


William Unruh

Oct 3, 2014, 10:33:43 PM
On 2014-10-03, DanS <t.h.i.s....@r.o.a.d.r.u.n.n.e.r.c.o.m> wrote:
> "Jonathan N. Little" <lws...@gmail.com> wrote in
> news:m0l5t0$56a$1...@dont-email.me:
>
>> DanS wrote:
>>> (I didn't see anyone mention Windows or make any claims
>>> about it.)
>>
>> Naw, not at all, except for the crack about "disorganized",
>> "undisciplined", and "vulnerable" open-source is vs the
>> "organized", "disciplined" and therefore "invulnerable"
>> close-source must be. Total balderdash.
>>
>
> Microsoft isn't the only 'closed source' software company. There are hundreds of
> others. You and the people like you are the ones that typically bring Windows into the
> conversation. Why is that?
>
>
> Original statements.....
>
> "On the one hand, you have closed source with an organized, disciplined
> team of developers working on the whole process."

And the context was operating systems, Linux being mentioned in
particular, not gimp or sox.

>
> On the other hand, you have open source with no apparent organization
> and random developers forking stuff over the transom into the repository at their every
> whim."
>
> It's hard to declare one process inherently more secure than the other."
>
>
>
> OK, so, I see security updates for proprietary apps, AND for open source apps, so, the
> third statement seems to be somewhat accurate.

And how long did it take for a fix for the bug to appear? And how long
for the typical closed source bug?

>
>
>
>

Wildman

Oct 3, 2014, 11:13:37 PM
On Fri, 3 Oct 2014 11:51:32 -0400
ebenZ...@verizon.net (Hactar) wrote:

> In article <20141003081...@WizardsTower.invalid>,
> Cybe R. Wizard <cybe_r...@WizardsTower.invalid> wrote:
> > On Thu, 02 Oct 2014 21:05:27 -0400
> > "Jonathan N. Little" <lws...@gmail.com> wrote:
> >
> > > mike wrote:
> > > >
> > > > On the one hand, you have closed source with an organized,
> > > > disciplined team of developers working on the whole process.
> > >
> > > Which is why Windows has such a clean record.....rrrrright!
> > >
> > To be honest and fair, no user has yet run across any
> > vulnerabilities while reading Microsoft's source code.
>
> That we know of. There may have been leaks.
>

There was. I have the sources for dos 3.3 and 6.0. They
were posted to a binary newsgroup several years ago.

--
<Wildman> GNU/Linux user #557453
The cow died so I don't need your bull!

Richard Kettlewell

Oct 4, 2014, 3:55:49 AM
William Unruh <un...@invalid.ca> writes:
> On 2014-10-03, Richard Kettlewell <r...@greenend.org.uk> wrote:

>> If you think it’s not a fork then which upstream version of Bash do
>> you think it is identical to?
>>
>> (It’s certainly a fork now, since they used their own slightly
>> different fix to Shellshock.)
>
> In which case you would call Redhat's and Mageia's and probably Debian's
> a fork since all use slightly different fixes (eg both Redhat and Mageia
> also fix the buffer overflow bugs which upstream has not done so yet).
> That would be a really weird definition of "fork".

I don’t see a problem with calling those forks, although they do differ
in character. Debian for instance takes the latest Bash (with some
latency) and modifies it according to their requirements, updating when
a new upstream release appears. Apple, in contrast, no longer update
from upstream at all.

--
http://www.greenend.org.uk/rjk/
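
A practical check for the fork question above, added here as an example and not taken from any post in the thread: whichever bash a system ships (upstream, a distribution's patched build, or Apple's), the property that matters is whether the shell still executes commands appended to a function definition imported from the environment, which is the original Shellshock bug (CVE-2014-6271). The script assumes only a POSIX sh and env(1); bash may or may not be on PATH. `check_shellshock` and `report` are names chosen for this example.

```shell
#!/bin/sh
# Added example: probe the installed bash for the original Shellshock
# behaviour (running code appended to an exported function definition).
# Assumptions: POSIX sh and env(1) are available; bash is optional.

check_shellshock() {
    if ! command -v bash >/dev/null 2>&1; then
        echo "no-bash"
        return 0
    fi
    # To an unpatched bash the exported variable x looks like an exported
    # function; on import it also ran the trailing "echo vulnerable".
    # A patched bash ignores the definition and the child prints only "test".
    out=$(env x='() { :;}; echo vulnerable' bash -c 'echo test' 2>/dev/null)
    case "$out" in
        *vulnerable*) echo "vulnerable" ;;
        *)            echo "patched" ;;
    esac
}

# Print which bash build was probed next to the verdict, so a reader can
# tell a distribution build from an upstream or vendor one. This probes
# only the first bug; the follow-up parser fixes that distributions
# carried (mentioned in the thread) are not exercised here.
report() {
    if command -v bash >/dev/null 2>&1; then
        bash --version 2>/dev/null | head -n 1
    fi
    check_shellshock
}

report
```

Run it on each host you care about; a "patched" verdict only says the function-import path no longer executes trailing code, not that the shell is at the current upstream release.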

Anton Ertl

unread,
Oct 4, 2014, 5:03:06 AM10/4/14
to
Richard Kettlewell <r...@greenend.org.uk> writes:
>William Unruh <un...@invalid.ca> writes:
>> On 2014-10-03, Richard Kettlewell <r...@greenend.org.uk> wrote:
>
>>> If you think it’s not a fork then which upstream version of Bash do
>>> you think it is identical to?
>>>
>>> (It’s certainly a fork now, since they used their own slightly
>>> different fix to Shellshock.)
>>
>> In which case you would call Redhat's and Mageia's and probably Debian's
>> a fork since all use slightly different fixes (eg both Redhat and Mageia
>> also fix the buffer overflow bugs which upstream has not done so yet).
>> That would be a really weird definition of "fork".
>
>I don’t see a problem with calling those forks, although they do differ
>in character.

That would be an unusual usage of "fork". These changes are not the
start of separate development. Instead, these distributions later
take the next version from upstream. So development has everything
but forked, and any upstream fix turns up in the distribution's
version at some point; the original claim about forking was that it
would not, so that claim certainly used the more usual meaning of fork
as "creating a distinct and separate piece of software" (Wikipedia).

- anton
--
M. Anton Ertl Some things have to be seen to be believed
an...@mips.complang.tuwien.ac.at Most things have to be believed to be seen
http://www.complang.tuwien.ac.at/anton/home.html

Caver1

unread,
Oct 4, 2014, 8:58:05 AM10/4/14
to
The 2013 report by Coverity stated that the norm for open source was 6
days and closed source was months. Don't remember how many for sure but
I think it was 4 or 5 months. Also stated that the errors per lines of
code in open source were a little less than half of closed source code.
The amount of errors per line of code in the Linux kernel was 173 times
less than in closed source back in 2004.
http://archive.wired.com/software/coolapps/news/2004/12/66022

Another example;
http://www.infoworld.com/article/2687117/open-source-software/libreoffice-code-ten-times-better-than-proprietary.html

http://tinyurl.com/nkx9y5w

"September 26, 2014 - InfoWorld LibreOffice's superlow defect rate puts
proprietary software to shame"

--
Caver1

Cybe R. Wizard

unread,
Oct 4, 2014, 9:06:07 AM10/4/14
to
On Sat, 04 Oct 2014 08:58:02 -0400
Caver1 <cav...@inthemud.org> wrote:

> The amount of errors per line of code in the Linux kernel was 173
> times less than in closed source back in 2004.

You were good until that. Please re-examine that statement for its
impossibility and re-write. ;-]

Cybe R. Wizard
--
One time less than anything is zero. 'Smaller than' is arrived at by
subtraction or division, not multiplication.

William Unruh

unread,
Oct 4, 2014, 9:11:36 AM10/4/14
to
On 2014-10-04, Cybe R. Wizard <cybe_r...@WizardsTower.invalid> wrote:
> On Sat, 04 Oct 2014 08:58:02 -0400
> Caver1 <cav...@inthemud.org> wrote:
>
>> The amount of errors per line of code in the Linux kernel was 173
>> times less than in closed source back in 2004.
>
> You were good until that. Please re-examine that statement for its
> impossibility and re-write. ;-]
>

Definition: errors per line of code= Total number of errors in the code
divided by the number of lines of code. It is a number (hopefully) much
less than 1. Errors per line of code in Linux could be 173 times smaller
than that in closed source as a logical statement. I.e., it is not
impossible.

Cybe R. Wizard

unread,
Oct 4, 2014, 9:23:48 AM10/4/14
to
I don't see how one can have negative numbers of errors. No errors?
Certainly! Negative numbers of errors? Absolutely not.

"My code has 27 less than zero bugs." Nah, not possible.


Cybe R. Wizard
--
Nice computers don't go down.
Larry Niven, Steven Barnes
"The Barsoom Project"

William Unruh

unread,
Oct 4, 2014, 9:35:34 AM10/4/14
to
On 2014-10-04, Cybe R. Wizard <cybe_r...@WizardsTower.invalid> wrote:
> On Sat, 4 Oct 2014 13:11:34 +0000 (UTC)
> William Unruh <un...@invalid.ca> wrote:
>
>> On 2014-10-04, Cybe R. Wizard <cybe_r...@WizardsTower.invalid>
>> wrote:
>> > On Sat, 04 Oct 2014 08:58:02 -0400
>> > Caver1 <cav...@inthemud.org> wrote:
>> >
>> >> The amount of errors per line of code in the Linux kernel was 173
>> >> times less than in closed source back in 2004.
>> >
>> > You were good until that. Please re-examine that statement for its
>> > impossibility and re-write. ;-]
>> >
>>
>> Definition: errors per line of code= Total number of errors in the
>> code divided by the number of lines of code. It is a number
>> (hopefully) much less than 1. Errors per line of code in Linux could
>> be 173 times smaller than that in closed source as a logical
>> statement. I.e., it is not impossible.
>>
> I don't see how one can have negative numbers of errors. No errors?
> Certainly! Negative numbers of errors? Absolutely not.

He said "times less" which means you divide by 173 not subtract.
It is a pretty standard English idiom.

Cybe R. Wizard

unread,
Oct 4, 2014, 9:39:31 AM10/4/14
to
On Sat, 4 Oct 2014 13:11:34 +0000 (UTC)
William Unruh <un...@invalid.ca> wrote:

So, .01 errors per line of code and 10,000,000 lines of code = less
than zero? Not. It's .000000001. That's /MUCH/ more than zero. It's
an error for every hundred lines or 10,000 errors!

John Hasler

unread,
Oct 4, 2014, 9:30:29 AM10/4/14
to
William Unruh writes:
> The amount of errors per line of code in the Linux kernel was 173
> times less than in closed source back in 2004.

Cybe R. Wizard wrote:
> You were good until that. Please re-examine that statement for its
> impossibility and re-write. ;-]

William Unruh writes:
> Definition: errors per line of code= Total number of errors in the
> code divided by the number of lines of code. It is a number
> (hopefully) much less than 1. Errors per line of code in Linux could
> be 173 times smaller than that in closed source as a logical
> statement. I.e., it is not impossible.

"N times less" is nonsensical. "Less" implies a difference, not a
ratio.

Cybe R. Wizard

unread,
Oct 4, 2014, 9:42:26 AM10/4/14
to
On Sat, 4 Oct 2014 13:35:32 +0000 (UTC)
William Unruh <un...@invalid.ca> wrote:

> On 2014-10-04, Cybe R. Wizard <cybe_r...@WizardsTower.invalid>
> wrote:
> > On Sat, 4 Oct 2014 13:11:34 +0000 (UTC)
> > William Unruh <un...@invalid.ca> wrote:
> >
> >> On 2014-10-04, Cybe R. Wizard <cybe_r...@WizardsTower.invalid>
> >> wrote:
> >> > On Sat, 04 Oct 2014 08:58:02 -0400
> >> > Caver1 <cav...@inthemud.org> wrote:
> >> >
> >> >> The amount of errors per line of code in the Linux kernel was
> >> >> 173 times less than in closed source back in 2004.
> >> >
> >> > You were good until that. Please re-examine that statement for
> >> > its impossibility and re-write. ;-]
> >> >
> >>
> >> Definition: errors per line of code= Total number of errors in the
> >> code divided by the number of lines of code. It is a number
> >> (hopefully) much less than 1. Errors per line of code in Linux
> >> could be 173 times smaller than that in closed source as a logical
> >> statement. I.e., it is not impossible.
> >>
> > I don't see how one can have negative numbers of errors. No errors?
> > Certainly! Negative numbers of errors? Absolutely not.
>
> He said "times less" which means you divide by 173 not subtract.
> It is a pretty standard English idiom.

I'm pretty darned sure that, "times," means multiplication, not
division.

cybe@wizardstower:~$ dict times

<snip>

From WordNet (r) 3.0 (2006) [wn]:

times
n 1: a more or less definite period of time now or previously
present; "it was a sign of the times"
2: an arithmetic operation that is the inverse of division; the
product of two numbers is computed; "the multiplication of
four by three gives twelve"; "four times three equals twelve"
[syn: {multiplication}, {times}]

Cybe R. Wizard

unread,
Oct 4, 2014, 9:47:08 AM10/4/14
to
/BOOM!/ A man who knows math. Thanks, John.

John Hasler

unread,
Oct 4, 2014, 9:42:47 AM10/4/14
to
Cybe R. Wizard writes:
> I don't see how one can have negative numbers of errors. No errors?
> Certainly! Negative numbers of errors? Absolutely not.

It's so good that not only does it have no bugs itself, it corrects up to
173 buggy lines in programs that you run on it.

Ivan Shmakov

unread,
Oct 4, 2014, 10:18:03 AM10/4/14
to
>>>>> John Hasler <jha...@newsguy.com> writes:

[Setting Followup-To: news:alt.os.linux ’cause of E2MANYGROUPS.]

[…]

> "N times less" is nonsensical. "Less" implies a difference, not a
> ratio.

Doesn’t that depend on one’s fluency in English? I’m not so
sure that English is the OP’s native language, for instance, and
confusing “less” with “lower” doesn’t seem like a grave grammar
offense to me, either.

--
FSF associate member #7257 http://boycottsystemd.org/ … 3013 B6A0 230E 334A

Aragorn

unread,
Oct 4, 2014, 10:28:18 AM10/4/14
to
On Saturday 04 October 2014 15:42, Cybe R. Wizard conveyed the following
to alt.os.linux.debian...
Brother Wizard, I am very familiar with your well-intended pedantry
regarding less, but from the mathematical point of view, division is an
inverse multiplication. :p

1/2 = 1 * (2^-1) = 1 * 0.5

Caver1

unread,
Oct 4, 2014, 10:37:24 AM10/4/14
to
On 10/04/2014 09:06 AM, Cybe R. Wizard wrote:
> On Sat, 04 Oct 2014 08:58:02 -0400
> Caver1 <cav...@inthemud.org> wrote:
>
>> The amount of errors per line of code in the Linux kernel was 173
>> times less than in closed source back in 2004.
>
> You were good until that. Please re-examine that statement for its
> impossibility and re-write. ;-]
>
> Cybe R. Wizard
>

In 2004 the Linux kernel was found to have 985 errors in 5.7 million
lines of code. Closed source was found to have 30 errors for every 1000
lines of code, that turns into 117,000 errors in 5.7 million lines.
117,000 divided by 985 = 173.

--
Caver1

Caver1

unread,
Oct 4, 2014, 10:40:19 AM10/4/14
to

Caver1

unread,
Oct 4, 2014, 10:47:26 AM10/4/14
to
I goofed I put 170,00 in the calculator not 117,000. So the difference
is 118.8 times more errors.

--
Caver1

John Hasler

unread,
Oct 4, 2014, 11:00:17 AM10/4/14
to
Caver1 writes:
> In 2004 the Linux kernel was found to have 985 errors in 5.7 million
> lines of code. Closed source was found to have 30 errors for every
> 1000 lines of code, that turns into 117,000 errors in 5.7 million
> lines. 117,000 divided by 985 = 173.

Thus having 1/173 the errors of closed-source. That's a ratio, not a
difference. If you want to make a dramatic statement say "Closed-source
has 173 times as many bugs per million lines as the Linux kernel!"
"Times less" is typical of innumerate newsies.

Of course, Coverity has access to all Open Source but only to a subset
of closed source, so it's not a fair comparison. No one knows how bad
closed-source may actually be when all the stuff produced by outfits too
cheap to pay Coverity to check it is included.

Cybe R. Wizard

unread,
Oct 4, 2014, 11:03:08 AM10/4/14
to
Linux kernel has one one-hundred-seventy-thirds (1/173) the number of
bugs.

Cool.

Cybe R. Wizard

unread,
Oct 4, 2014, 11:09:33 AM10/4/14
to
True, not -173.

Cybe R. Wizard

unread,
Oct 4, 2014, 11:19:59 AM10/4/14
to
On Sat, 4 Oct 2014 10:09:06 -0500
Put in percentage, Linux kernel has 0.0084188034188 the number of bugs
as...

Cybe R. Wizard -around 84-ten thousandths using your numbers

Caver1

unread,
Oct 4, 2014, 11:28:18 AM10/4/14
to
I know I pointed out my wrongness. 118.8

--
Caver1

Caver1

unread,
Oct 4, 2014, 11:32:45 AM10/4/14
to
On 10/04/2014 10:40 AM, Caver1 wrote:

Richard Kettlewell

unread,
Oct 4, 2014, 11:40:35 AM10/4/14
to
Caver1 <cav...@inthemud.org> writes:
> Cybe R. Wizard wrote:
>> Caver1 <cav...@inthemud.org> wrote:
>>> The amount of errors per line of code in the Linux kernel was 173
>>> times less than in closed source back in 2004.
>>
>> You were good until that. Please re-examine that statement for its
>> impossibility and re-write. ;-]
>
> In 2004 the Linux kernel was found to have 985 errors in 5.7 million
> lines of code. Closed source was found to have 30 errors for every
> 1000 lines of code, that turns into 117,000 errors in 5.7 million
> lines. 117,000 divided by 985 = 173.

The 985 figure seems to be number of defects Coverity found with their
static analyser in 2004. That makes it ‘defects that Coverity knew how
to find in 2004’, not ‘all defects’.
http://www.coverity.com/library/pdf/linux_report.pdf

The same article links to an eweek article as the source of the “30
errors per 1000 lines of code” number:

For every thousand lines of code developed by commercial software
makers or corporate programmers there could be as many as 20 to 30
bugs, according to William Guttman, the director of the SCC, a group
of businesses and academic institutions looking for ways to make
software more dependable.
http://www.eweek.com/c/a/Web-Services-Web-20-and-SOA/Can-Software-Kill/7/

No word on the methodology used.

I think it’s fairly safe to conclude that these numbers aren’t
comparable and quite probably don’t reflect anything meaningful in 2014.

--
http://www.greenend.org.uk/rjk/

Richard Kettlewell

unread,
Oct 4, 2014, 11:44:28 AM10/4/14
to
John Hasler <jha...@newsguy.com> writes:
> Caver1 writes:

>> In 2004 the Linux kernel was found to have 985 errors in 5.7 million
>> lines of code. Closed source was found to have 30 errors for every
>> 1000 lines of code, that turns into 117,000 errors in 5.7 million
>> lines. 117,000 divided by 985 = 173.
>
> Thus having 1/173 the errors of closed-source. That's a ratio, not a
> difference. If you want to make a dramatic statement say "Closed-source
> has 173 times as many bugs per million lines as the Linux kernel!"
> "Times less" is typical of innumerate newsies.

I don’t think there’s anything wrong with “times less”. My university
and employers since then don’t seem to have thought I was innumerate.

--
http://www.greenend.org.uk/rjk/

Cybe R. Wizard

unread,
Oct 4, 2014, 12:07:11 PM10/4/14
to
On Sat, 04 Oct 2014 11:28:15 -0400
I know, and think it very good of you to do so. That said, I've just
been accepting your numbers without calculating them, myself, except for
that negative numbers thing.

William Unruh

unread,
Oct 4, 2014, 12:08:23 PM10/4/14
to
Do you really need to have idioms disentangled in detail for you?
A is 173 times less than B if A is smaller than B and A would have to be
multiplied by 173 to get B.

So yes, the "times" means multiplication and "less" means smaller in
number than, just as you want. It is just that you do not understand
English well enough to figure out how those concepts are embedded in the
phrase.

William Unruh

unread,
Oct 4, 2014, 12:11:36 PM10/4/14
to
On 2014-10-04, Cybe R. Wizard <cybe_r...@WizardsTower.invalid> wrote:
> On Sat, 4 Oct 2014 13:11:34 +0000 (UTC)
> William Unruh <un...@invalid.ca> wrote:
>
>>
> So, .01 errors per line of code and 10,000,000 lines of code = less
> than zero? Not. It's .000000001. That's /MUCH/ more than zero. It's
> an error for every hundred lines or 10,000 errors!
>

Unfortunately it was your lack of command of English that led you to
imagine that the phrase meant a number less than zero.

Cybe R. Wizard

unread,
Oct 4, 2014, 12:14:08 PM10/4/14
to
You're from the UK where it seems to be, for some strange reason, an
idiomatic form of speech, but is nevertheless incorrect arithmetical
usage.

At least no one has yet tried the appeal to authority of using Isaac
Newton's (also from the UK) incorrect usage of the term.

If I'm not mistaken William Unruh is British Canadian so maybe the
same cultural incorrectness has crept into his language, too.

I'm quite sure he's no stranger to math!

William Unruh

unread,
Oct 4, 2014, 12:17:54 PM10/4/14
to
On 2014-10-04, Richard Kettlewell <r...@greenend.org.uk> wrote:
> John Hasler <jha...@newsguy.com> writes:
>> Caver1 writes:
>
>>> In 2004 the Linux kernel was found to have 985 errors in 5.7 million
>>> lines of code. Closed source was found to have 30 errors for every
>>> 1000 lines of code, that turns into 117,000 errors in 5.7 million
>>> lines. 117,000 divided by 985 = 173.
>>
>> Thus having 1/173 the errors of closed-source. That's a ratio, not a
>> difference. If you want to make a dramatic statement say "Closed-source
>> has 173 times as many bugs per million lines as the Linux kernel!"
>> "Times less" is typical of innumerate newsies.
>
> I don’t think there’s anything wrong with “times less”. My university
> and employers since then don’t seem to have thought I was innumerate.

It is a well known English idiom. It may, as the dictionaries might say,
be indicative of less formal use of English, or even regional dialect,
but it is certainly a usage I also know and have heard in use, and is
far more defensible than using "disinterested" for "uninterested" or
using "I" instead of "me" for the object of a sentence when in a
compound. "Between you and I" for example. But I suspect that is a
far more illogical usage than "times less" which I have lost the battle against.

>

Caver1

unread,
Oct 4, 2014, 12:20:56 PM10/4/14
to
There was no negative number thing.

--
Caver1

William Unruh

unread,
Oct 4, 2014, 12:21:03 PM10/4/14
to
On 2014-10-04, Cybe R. Wizard <cybe_r...@WizardsTower.invalid> wrote:
> On Sat, 04 Oct 2014 10:37:24 -0400
> Caver1 <cav...@inthemud.org> wrote:
>
>> On 10/04/2014 09:06 AM, Cybe R. Wizard wrote:
>> > On Sat, 04 Oct 2014 08:58:02 -0400
>> > Caver1 <cav...@inthemud.org> wrote:
>> >
>> >> The amount of errors per line of code in the Linux kernel was 173
>> >> times less than in closed source back in 2004.
>> >
>> > You were good until that. Please re-examine that statement for its
>> > impossibility and re-write. ;-]
>> >
>> > Cybe R. Wizard
>> >
>>
>> In 2004 the Linux kernel was found to have 985 errors in 5.7 million
>> lines of code. Closed source was found to have 30 errors for every
>> 1000 lines of code, that turns into 117,000 errors in 5.7 million
>> lines. 117,000 divided by 985 = 173.
>>
> Linux kernel has one one-hundred-seventy-thirds (1/173) the number of
> bugs.
>
That is another, far more awkward, way of saying it, yes. (I would
dispute the "s" at the end of thirds-- for example I would say one third
of a litre, not one thirds of a litre.)

William Unruh

unread,
Oct 4, 2014, 12:30:22 PM10/4/14
to
On 2014-10-04, Cybe R. Wizard <cybe_r...@WizardsTower.invalid> wrote:
> On Sat, 04 Oct 2014 16:44:25 +0100
> Richard Kettlewell <r...@greenend.org.uk> wrote:
>
>> John Hasler <jha...@newsguy.com> writes:
>> > Caver1 writes:
>>
>> >> In 2004 the Linux kernel was found to have 985 errors in 5.7
>> >> million lines of code. Closed source was found to have 30 errors
>> >> for every 1000 lines of code, that turns into 117,000 errors in
>> >> 5.7 million lines. 117,000 divided by 985 = 173.
>> >
>> > Thus having 1/173 the errors of closed-source. That's a ratio, not
>> > a difference. If you want to make a dramatic statement say
>> > "Closed-source has 173 times as many bugs per million lines as the
>> > Linux kernel!" "Times less" is typical of innumerate newsies.
>>
>> I don’t think there’s anything wrong with “times less”. My university
>> and employers since then don’t seem to have thought I was innumerate.
>>
> You're from the UK where it seems to be, for some strange reason, an
> idiomatic form of speech, but is nevertheless incorrect arithmetical
> usage.

It is not arithmetical. It is English usage.

>
> At least no one has yet tried the appeal to authority of using Isaac
> Newton's (also from the UK) incorrect usage of the term.
>
> If I'm not mistaken William Unruh is British Canadian so maybe the
> same cultural incorrectness has crept into his language, too.

With a name like Unruh? Hardly British. But the second part, Canadian, you got right.
"cultural incorrectness"? It is English, not some computer language.
And it is a phrase with a well defined and well known meaning. You might
not like the elliptical phrase, but then you are not the Academie
Anglaise.

RedAcer

unread,
Oct 4, 2014, 1:03:08 PM10/4/14
to
On 03/10/14 01:17, mike wrote:
> On 10/2/2014 4:18 PM, William Unruh wrote:
....
> That coin has two sides.
> While the enthusiasts are sleeping comfortably, secure in the
> knowledge that their code is solid,
> The bad guys are also reading the source looking for vulnerabilities.
>
> On the one hand, you have closed source with an organized, disciplined
> team of developers working on the whole process.

Who are you thinking of here?
Have you ever worked as a software engineer?

John Hasler

unread,
Oct 4, 2014, 1:17:11 PM10/4/14
to
mike writes:
> On the one hand, you have closed source with an organized, disciplined
> team of developers working on the whole process.

RedAcer writes:
> Who are you thinking of here? Have you ever worked as a software
> engineer?

They're organized: they have a manager (a former salesman) who makes all
the important decisions. They're disciplined: they shut up and do as
they are told.

DanS

unread,
Oct 4, 2014, 1:36:03 PM10/4/14
to
William Unruh <un...@invalid.ca> wrote in
news:m0nma7$lvb$2...@dont-email.me:

> On 2014-10-03, DanS
> <t.h.i.s....@r.o.a.d.r.u.n.n.e.r.c.o.m> wrote:
>> "Jonathan N. Little" <lws...@gmail.com> wrote in
>> news:m0l5t0$56a$1...@dont-email.me:
>>
>>> DanS wrote:
>>>> (I didn't see anyone mention Windows or make any claims
>>>> about it.)
>>>
>>> Naw, not at all, except for the crack about
>>> "disorganized", "undisciplined", and "vulnerable"
>>> open-source is vs the "organized", "disciplined" and
>>> therefore "invulnerable" close-source must be. Total
>>> balderdash.
>>>
>>
>> Microsoft isn't the only 'closed source' software company.
>> There are hundreds of others. You and the people like you
>> are the ones that typically bring Windows into the
>> conversation. Why is that?
>>
>>
>> Original statements.....
>>
>> "On the one hand, you have closed source with an
>> organized, disciplined team of developers working on the
>> whole process."
>
> And the context was operating systems, Linux being
> mentioned in particular, not gimp or sox.

No, the context of the post I replied to was not OSs.

The context was open source vs. closed source.

DanS

unread,
Oct 4, 2014, 3:26:38 PM10/4/14
to
William Unruh <un...@invalid.ca> wrote in
news:m0p61n$bgc$4...@dont-email.me:
You're new here, aren't you?

Mike Yetto

unread,
Oct 4, 2014, 3:48:03 PM10/4/14
to
While walking through the streets of Soho in the rain
Cybe R. Wizard <cybe_r...@WizardsTower.invalid> wrote...
> On Sat, 04 Oct 2014 08:58:02 -0400
> Caver1 <cav...@inthemud.org> wrote:

>> The amount of errors per line of code in the Linux kernel was 173
>> times less than in closed source back in 2004.

> You were good until that. Please re-examine that statement for its
> impossibility and re-write. ;-]

As you may remember, I'm 1/7 less likely than the norm to agree
with you.

Mike "let's see them parse that one" Yetto
--
"Give a man a fish, and you`ll feed him for a day. Teach a man to
fish, and he`ll buy a funny hat. Talk to a hungry man about fish,
and you`re a consultant."
- Scott Adams

Mike Yetto

unread,
Oct 4, 2014, 3:48:06 PM10/4/14
to
While walking through the streets of Soho in the rain
Aragorn <thor...@telenet.be.invalid> wrote...
But this is linguistics being discussed, not mathematics.

Mike "not even grammar" Yetto
--
"The first rule of magic is simple. Don't waste your time waving
your hands and hopping when a rock or a club will do."
- McCloctnick the Lucid

mike

unread,
Oct 4, 2014, 11:57:18 PM10/4/14
to
And here we are right in the middle of the thing that makes linux-based
desktop computing platforms so "interesting".
Let's ignore the base issue and argue over who's WRONG.

Rick Pikul/Chakat Firepaw

unread,
Oct 5, 2014, 12:55:59 AM10/5/14
to
On Sat, 04 Oct 2014 08:30:29 -0500, John Hasler wrote:

> "N times less" is nonsensical. "Less" implies a difference, not a
> ratio.

"N times less" is a common English construction that acts as the reverse
of "N times more". While "less" _on its own_ does imply a simple
subtraction, when it follows "times" it generally modifies the default
meaning of times from implying multiplication to indicating division.

--
Chakat Firepaw - Inventor and Scientist (mad)

Cybe R. Wizard

unread,
Oct 5, 2014, 12:48:39 AM10/5/14
to
On Sat, 4 Oct 2014 16:08:23 +0000 (UTC)
Completely wrong. A is 1/173 of B. Just as always, one single time
less than <any number> is /ZERO/. Do the subtraction for yourself.
Subtract one time 173 (173) from 173 and see what you get. "Two times
less," is nonsensical in the real world unless you are talking of money
and debt.
>
> So yes, the "times" means multiplication and "less" means smaller in
> number than, just as you want. It is just that you do not understand
> English well enough to figure out how those concepts are embedded in
> the phrase.
>
Oh, I believe I understand the English involved. One thing I fail to
understand is why someone ostensibly well-educated would feel the
need to stoop to insults when unable to defend their position. I had
thought better of you.

I guess education doesn't necessarily make you a better person, does
it?

Cybe R. Wizard

unread,
Oct 5, 2014, 1:28:10 AM10/5/14
to
On Sat, 4 Oct 2014 16:11:34 +0000 (UTC)
William Unruh <un...@invalid.ca> wrote:

> On 2014-10-04, Cybe R. Wizard <cybe_r...@WizardsTower.invalid>
> wrote:
> > On Sat, 4 Oct 2014 13:11:34 +0000 (UTC)
> > William Unruh <un...@invalid.ca> wrote:
> >
> >>
> > So, .01 errors per line of code and 10,000,000 lines of code = less
> > than zero? Not. It's .000000001. That's /MUCH/ more than zero.
> > It's an error for every hundred lines or 10,000 errors!
> >
>
> Unfortunately it was your lack of command of English that led you to
> imagine that the phrase meant a number less than zero.
>
Be so kind as to show where the math is wrong.

Cybe R. Wizard

unread,
Oct 5, 2014, 1:36:21 AM10/5/14
to
On Sat, 04 Oct 2014 12:20:53 -0400
Caver1 <cav...@inthemud.org> wrote:

> There was no negative number thing.

"173 times less than..."

Cybe R. Wizard

unread,
Oct 5, 2014, 1:36:24 AM10/5/14
to
On Sat, 4 Oct 2014 16:21:02 +0000 (UTC)
William Unruh <un...@invalid.ca> wrote:

> On 2014-10-04, Cybe R. Wizard <cybe_r...@WizardsTower.invalid>
> wrote:
> > On Sat, 04 Oct 2014 10:37:24 -0400
> > Caver1 <cav...@inthemud.org> wrote:
> >
> >> On 10/04/2014 09:06 AM, Cybe R. Wizard wrote:
> >> > On Sat, 04 Oct 2014 08:58:02 -0400
> >> > Caver1 <cav...@inthemud.org> wrote:
> >> >
> >> >> The amount of errors per line of code in the Linux kernel was
> >> >> 173 times less than in closed source back in 2004.
> >> >
> >> > You were good until that. Please re-examine that statement for
> >> > its impossibility and re-write. ;-]
> >> >
> >> > Cybe R. Wizard
> >> >
> >>
> >> In 2004 the Linux kernel was found to have 985 errors in 5.7
> >> million lines of code. Closed source was found to have 30 errors
> >> for every 1000 lines of code, that turns into 117,000 errors in
> >> 5.7 million lines. 117,000 divided by 985 = 173.
> >>
> > Linux kernel has one one-hundred-seventy-thirds (1/173) the number
> > of bugs.
> >
> That is another, far more awkward, a way of saying it, yes.

Perhaps a little more awkward. Completely and totally more correct.

> (I would
> dispute the "s" at the end of thirds-- for example I would say one
> third of a litre, not one thirds of a litre.

A thing cut into 173 pieces has 173 discrete pieces. Each is
one one-hundred-seventy-third.

Several together are one-hundred-seventy-thirds. It's typical English
which, of course, I don't seem to understand.

Cybe R. Wizard

unread,
Oct 5, 2014, 1:41:36 AM10/5/14
to
On Sat, 4 Oct 2014 16:30:20 +0000 (UTC)
William Unruh <un...@invalid.ca> wrote:

> On 2014-10-04, Cybe R. Wizard <cybe_r...@WizardsTower.invalid>
> wrote:
> > On Sat, 04 Oct 2014 16:44:25 +0100
> > Richard Kettlewell <r...@greenend.org.uk> wrote:
> >
> >> John Hasler <jha...@newsguy.com> writes:
> >> > Caver1 writes:
> >>
> >> >> In 2004 the Linux kernel was found to have 985 errors in 5.7
> >> >> million lines of code. Closed source was found to have 30 errors
> >> >> for every 1000 lines of code, that turns into 117,000 errors in
> >> >> 5.7 million lines. 117,000 divided by 985 = 173.
> >> >
> >> > Thus having 1/173 the errors of closed-source. That's a ratio,
> >> > not a difference. If you want to make a dramatic statement say
> >> > "Closed-source has 173 times as many bugs per million lines as
> >> > the Linux kernel!" "Times less" is typical of innumerate newsies.
> >>
> >> I don’t think there’s anything wrong with “times less”.
> >> My university and employers since then don’t seem to have
> >> thought I was innumerate.
> >>
> > You're from the UK where it seems to be, for some strange reason, an
> > idiomatic form of speech, but is nevertheless incorrect arithmetical
> > usage.
>
> It is not arithmetical. It is English usage.
>
Confusing the usage of multiplication and division is clearly
arithmetical. It is also English which has driven the incorrect usage
but it is obviously an arithmetical problem involving number
manipulation.
> >
> > At least no one has yet tried the appeal to authority of using Isaac
> > Newton's (also from the UK) incorrect usage of the term.
> >
> > If I'm not mistaken William Unruh is British Canadian so maybe the
> > same cultural incorrectness has crept into his language, too.
>
> With a name like Unruh? Hardly British. But the second part,
> Canadian, you got right. "cultural incorrectness"? It is English,
> not some computer language. And it is a phrase with a well defined
> and well known meaning. You might not like the elliptical phrase, but
> then you are not the Academie Anglaise.
>
Please be so kind as to show that well-defined definition citation. I
can't seem to find it anywhere.

Cybe R. Wizard

unread,
Oct 5, 2014, 1:58:40 AM10/5/14
to
On 5 Oct 2014 04:55:24 GMT
Rick Pikul/Chakat Firepaw <chakat...@gmail.com> wrote:

> On Sat, 04 Oct 2014 08:30:29 -0500, John Hasler wrote:
>
> > "N times less" is nonsensical. "Less" implies a difference, not a
> > ratio.
>
> "N times less" is a common English construction that acts as the
> reverse of "N times more". While "less" _on its own_ does imply a
> simple subtraction, when it follows "times" it generally modifies the
> default meaning of times from implying multiplication to indicating
> division.
>
You're the second person to espouse that position. I say it is wrong
and provided a dictionary definition to show so.

Show your definitions that say otherwise.

DecadentLinuxUserNumeroUno

unread,
Oct 5, 2014, 3:29:57 AM10/5/14
to
On Sat, 04 Oct 2014 20:55:38 -0700, mike <ham...@netzero.net> Gave us:


>>
>And here we are right in the middle of the thing that makes linux-based
>desktop computing platforms so "interesting".
>Let's ignore the base issue and argue over who's WRONG.


Leading me back to my recommendation of a TV series that depicts just
what is wrong with the human animal... in a very strange but cool way.

Probably over your head tho.

It is at least 400 times better than anything you have yet seen. :-)

And if you have seen it, it will be 50 times better than it was the
first time through, cause you'll catch a few new nuances.

L E X X

http://www.imdb.com/title/tt0178149/

http://www.lexxdomain.com/

DecadentLinuxUserNumeroUno

unread,
Oct 5, 2014, 3:32:02 AM10/5/14
to
On 5 Oct 2014 04:55:24 GMT, Rick Pikul/Chakat Firepaw
<chakat...@gmail.com> Gave us:

>On Sat, 04 Oct 2014 08:30:29 -0500, John Hasler wrote:
>
>> "N times less" is nonsensical. "Less" implies a difference, not a
>> ratio.
>
>"N times less" is a common English construction that acts as the reverse
>of "N times more". While "less" _on its own_ does imply a simple
>subtraction, when it follows "times" it generally modifies the default
>meaning of times from implying multiplication to indicating division.

Very well put. Must be a more local, colloquial thing, because I am
familiar with it, and others here are obviously not yet we are from the
same nation.

Caver1

unread,
Oct 5, 2014, 7:05:20 AM10/5/14
to
On 10/05/2014 12:55 AM, Rick Pikul/Chakat Firepaw wrote:
> On Sat, 04 Oct 2014 08:30:29 -0500, John Hasler wrote:
>
>> "N times less" is nonsensical. "Less" implies a difference, not a
>> ratio.
>
> "N times less" is a common English construction that acts as the reverse
> of "N times more". While "less" _on its own_ does imply a simple
> subtraction, when it follows "times" it generally modifies the default
> meaning of times from implying multiplication to indicating division.
>

In math not grammar.

--
Caver1

Caver1

unread,
Oct 5, 2014, 7:07:18 AM10/5/14
to
On 10/05/2014 01:28 AM, Cybe R. Wizard wrote:
> On Sat, 4 Oct 2014 16:11:34 +0000 (UTC)
> William Unruh <un...@invalid.ca> wrote:
>
>> On 2014-10-04, Cybe R. Wizard <cybe_r...@WizardsTower.invalid>
>> wrote:
>>> On Sat, 4 Oct 2014 13:11:34 +0000 (UTC)
>>> William Unruh <un...@invalid.ca> wrote:
>>>
>>>>
>>> So, .01 errors per line of code and 10,000,000 lines of code = less
>>> than zero? Not. It's .000000001. That's /MUCH/ more than zero.
>>> It's an error for every hundred lines or 10,000 errors!
>>>
>>
>> Unfortunately it was your lack of command of English that led you to
>> imagine that the phrase meant a number less than zero.
>>
> Be so kind as to show where the math is wrong.
>
> Cybe R. Wizard
>

The phrase, times less than, was a phrase in grammar not math.

--
Caver1

Caver1

unread,
Oct 5, 2014, 7:08:24 AM10/5/14
to
On 10/05/2014 01:29 AM, Cybe R. Wizard wrote:
> On Sat, 04 Oct 2014 12:20:53 -0400
> Caver1 <cav...@inthemud.org> wrote:
>
>> There was no negative number thing.
>
> "173 times less than..."
>
> Cybe R. Wizard
>

That’s grammar not math.

--
Caver1