
Comment Re:Courtesy (Score 1) 137

If you look at economics that throws out the external costs of coal.

Globally fossil fuels receive seven trillion dollars annually in public subsidies. But that's just a drop in the bucket compared to the costs it is allowed to pawn off on other parties. If fossil fuel users had to pay the externalized cost of pollution, then the world would be running on nuclear power right now.

Comment Re:Maybe (Score 1) 99

The upstream Linux kernel doesn't differentiate between security bugs and "normal" bug fixes. So the new kernel.org CNA just assigns CVEs to all fixes. They don't score them.

Look at the numbers from the whitepaper:

"In March 2024 there were 270 new CVEs created for the stable Linux kernel. So far in April 2024 there are 342 new CVEs:"

Comment Re:Yeah (Score 1) 99

Yes! That's exactly the point. Trying to curate and select patches for a "frozen" kernel fails due to the firehose of fixes going in upstream.

And in the kernel many of these could be security bugs. No one is doing evaluation on that, there are simply too many fixes in such a complex code base to check.

Comment Re:Maybe (Score 1) 99

You're missing something.

New bugs are discovered upstream, but the vendor kernel maintainers either aren't tracking, or are being discouraged from putting these back into the "frozen" kernel.

We even discovered one case where a RHEL maintainer fixed a bug upstream, but then neglected to apply it to the vulnerable vendor kernel. So it isn't like they didn't know about the bug. Maybe they just didn't check the vendor kernel was vulnerable.

I'm guessing management policy discouraged such things. It's easier to just ignore such bugs if customers haven't noticed.

Comment Re:Still a rip-off price (Score 1) 74

I don't think Econ 101 price/quantity equilibrium is entirely what's going on here. Gigabit service *availability* is about the same in Spain and the US, despite America's per capita purchasing power adjusted GDP being about 60% higher than Spain's.

I think the relevant figure is this: Spain has roughly 2.8x the population density of the US. It's surely a lot more expensive to build the infrastructure to cover roughly the same percent of the population here.

Comment Re:"Shared" (Score 3, Insightful) 40

TikTok's servers are in America, Singapore, and Malaysia.

Although that's not *nothing*, the question is who exercises administrative control of that data. If the Chinese government demands data from ByteDance's management, and ByteDance's management complies, that data is not safe. Of course, even in the US a federal agency can obtain a secret warrant which enables them to help themselves to your private data held by a third party, and because it's *secret* you can't challenge the warrant's legality.

The smart thing is don't put anything sensitive onto any kind of social media. Now some metadata may itself be sensitive for certain persons, like your approximate location at various times. Such persons shouldn't use social media at all, even if the data is hosted in the EU, which generally has the best data privacy protections in the world, because there is *no* country in the world where a company can defy a lawful warrant, whatever "lawful" means in that country.

Submission + - Why a 'frozen' distribution Linux kernel isn't the safest choice for security (zdnet.com) 1

Jeremy Allison - Sam writes: Cracks in the Ice: Why a 'frozen' distribution Linux kernel isn't the safest choice for security

https://ciq.com/blog/why-a-fro...

This is an executive summary of research that my colleagues Ronnie Sahlberg and Jonathan Maple did, published as a whitepaper with all the numeric details here:

https://ciq.com/whitepaper/ven...

Steven Vaughan-Nichols is covering the release of this data here:

https://www.zdnet.com/article/...

Comment Re:Math (Score 1) 214

I think one place to expect operational savings is refueling. Conventional reactors spend about 8% of the time offline being refueled. Every eighteen months thousands of workers from all around the country come to the site to do the work. SMRs are designed to need refueling much less often, typically every 3-7 years. Some designs go for up to thirty years without refueling. Plants with a larger number of smaller reactors can also do maintenance and refueling without losing any revenue, as the remaining reactors put out a little more power to compensate.

SMRs shut down and cool down much faster; some don't require any active cooling measures at all. You just shut the thing down and a week later it's cold even if you don't have outside power. So there's a lot less plumbing to monitor and maintain.

Of course these are all just promises now. Running these things is going to be so different we won't really know until we've built and operated some.

Comment Re:What a weird way to pronounce (Score 0) 58

Which in itself says nothing whether you are or are not violating the creators' rights.

You as the non-owner of the IP have certain fair use rights that depend, not on the mechanism by which you obtain a copy of the data, but on the effect of what you are doing with the data upon the copyright holder's proprietary interests. A download button does *not* indicate content is free game for commercial use.
