Also, at a typical turbo speed of 5 GHz you get half a billion clock cycles and multiple instructions can be retired per clock for about one or two billion total in those 100ms.
That’s about 1,000 instructions per pixel of the Start Menu!
Meanwhile a substantial fraction of science research goes into improving the efficiency of farming, which pushes down food prices.
I just watched a video about how inept politicians caused a food crisis in Sri Lanka because they thought they knew better than scientists, chemists, and farmers: https://youtu.be/1S2wwbX_p_E
Just yesterday I made myself a NuGet package analyzer tool -- okay fine, I vibe coded it -- that has convenient buttons for filtering out client-side packages, test projects, and dev-time tooling like Aspire.NET.
...is essentially impossible to pull off against commercial operating systems, because their core components are all written in-house by staff with photo ID badges, details with HR, tax returns filed with the government, and a cubicle that makes sure that they're locals and not some faceless anonymous hacker identifiable by nothing other than a throwaway faked email address!
I get that there was a lot of "stigma" about open source, the world largely forgot about it, but... actually, in this sense of allowing anonymous contributions it remains a very real risk.
"Jia Tan" was almost certainly a paid professional hacker working for a nation-state actor. Their "helpful contributions" to XZ utils were nowhere near a full-time effort. They certainly had "other irons on the fire", most probably in the Linux kernel or immediately adjacent to it.
He's probably not the only one doing this kind of "work".
For all you know, Linux has more remote exploits purposefully baked into it than Windows has security bugs inadvertently left in it... and don't forget Linux has bugs leading to security vulnerabilities too!
A rough count of "named" CVE 10.0 score (or close to it) vulns in the last 5 years:
7 for Microsoft: ProxyLogon, ProxyShell, ProxyNotShell, LDAPNightmare, PrintNightmare, noPac, Follina
Windows has had a lot more named high-CVEs than that: MonikerLink, QueueJumper, Certifried, HiveNightmare...
As for "Linux", you'd need to specify the distro and environment, because Linux systems can be very different from one another. Your XZ example for instance didn't even affect most enterprise distros (like RHEL). regreSSHion didn't affect any musl libc distros like Alpine, but other systems would've also been unaffected had you set your LoginGraceTime to 0, which any sysadmin worth their salt would've done. Leaky Vessels fails on SELinux-enforcing distros (RHEL, Fedora etc) and sandboxed environments. I could go on, but you get the picture. Comparing the number of "Linux" vulnerabilities to Windows is completely pointless.
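The comment above leans on one sshd_config directive, LoginGraceTime, as the thing that would have sidestepped regreSSHion. The script below is an added example, not code from anyone in the thread: it reads an sshd_config-style file and reports the effective LoginGraceTime in seconds, falling back to sshd's documented default of 120 seconds (2m) when the directive is absent or commented out, and flags whether the grace timer is disabled (value 0). The two config files it feeds itself are constructed for the demo. The parser is deliberately simple: first match wins, as in sshd, and `keyword value` and `keyword=value` forms are both accepted, but `Include` directives are not followed.

```shell
#!/bin/sh
# Added example: audit LoginGraceTime in an sshd_config-style file.
# Assumptions: POSIX sh + awk; sshd default of 120s when the directive is
# absent; suffixes s/m/h as accepted by sshd; Include files are not followed.

# Print the effective LoginGraceTime, in seconds, for the file given as $1.
effective_login_grace_time() {
    awk '
        { sub(/#.*/, "") }                 # drop comments (re-splits fields)
        { gsub(/=/, " ") }                 # allow "LoginGraceTime=30s" form
        NF == 0 { next }                   # skip blank lines
        tolower($1) == "logingracetime" && !found {
            v = $2; found = 1; n = v; mult = 1
            if (v ~ /[sS]$/)      { n = substr(v, 1, length(v) - 1) }
            else if (v ~ /[mM]$/) { n = substr(v, 1, length(v) - 1); mult = 60 }
            else if (v ~ /[hH]$/) { n = substr(v, 1, length(v) - 1); mult = 3600 }
            secs = n * mult
        }
        END { if (!found) secs = 120; print secs }   # sshd built-in default: 2m
    ' "$1"
}

# Exit status 0 when the grace timer is disabled (LoginGraceTime 0), 1 otherwise.
grace_timer_disabled() {
    [ "$(effective_login_grace_time "$1")" -eq 0 ]
}

# Constructed sample configs (not from any real host): the stock default with
# the directive commented out, and the setting the comment above describes.
tmpdir=$(mktemp -d)
cat > "$tmpdir/default.conf" <<'EOF'
# Directive left commented out, so sshd uses its built-in default
#LoginGraceTime 2m
PermitRootLogin no
EOF
cat > "$tmpdir/hardened.conf" <<'EOF'
LoginGraceTime 0   # disable the grace timer entirely
PermitRootLogin no
EOF

for f in "$tmpdir"/*.conf; do
    secs=$(effective_login_grace_time "$f")
    if grace_timer_disabled "$f"; then
        echo "$(basename "$f"): LoginGraceTime=${secs}s (grace timer disabled)"
    else
        echo "$(basename "$f"): LoginGraceTime=${secs}s (grace timer active)"
    fi
done
rm -rf "$tmpdir"
```

On a live host, `sshd -T` prints the fully resolved configuration (including anything pulled in via `Include`) and is the authoritative source; the file parser here is for offline review of configs pulled from a fleet. Note that a value of 0 disables the timeout altogether, which is why the OpenSSH advisory for regreSSHion presented it as a trade-off against unauthenticated-connection exhaustion rather than as a free setting; patching the daemon is the real fix.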
A really infuriating example of this is the Windows Photos app (or whatever it is called this month) where scrolling through a photo album will show every image jumping around as it first shows them at some arbitrary scale, and then fits them to the window.
Much easier to liberally sprinkle mutex locks and "Thread.Sleep(1000); // Quick fix" everywhere until the problems almost always go away!
Meanwhile the guy screaming that this is eldritch madness and can't ever work is "not a team player" because the guy that wrote the code was a hero for applying yet another layer of band aids to the gaping wounds.
The most spectacular instance of this I've seen is Jeffrey Snover getting demoted for "forcing" PowerShell onto Microsoft. Meanwhile from a customer perspective it's the only good thing about Windows Server and the only reason I haven't pushed for 100% Linux adoption everywhere I work!