I sense this^ reply is crap.
And Xfce4 doing the light heavy lifting as usual.
Hmm I don’t know… Users usually don’t pay much attention to security. And the disclosure method actively hides it from the user until it no longer matters.
For providers, I understand, but can’t fully agree. I think it’s a misguided culture that creates busy-work at all levels.
Indeed, then it becomes a market and it incentivises more research on that area. Which I don’t think is helpful for anyone. It’s like your job description being “professional pessimist”. We could be putting that amount of effort into building more secure software to begin with.
That’s the fallacy I’m alluding to when I mention stuxnet. We have really well funded, well intentioned, intelligent people creating tools, techniques and overall knowledge in a field. Generally speaking, some of these findings are more makings than findings.
God, I hate security “researchers”. If I posted an article about how to poison everyone in my neighborhood, I’d be getting a knock on the door. This kind of shit doesn’t help anyone. “Oh but the state-funded attackers, remember stuxnet”. Fuck off.
Words of wisdom right here.
Personally, what bothers me about the security field is how quickly it becomes a counterproductive thing. Either by forcing people to keep working on time consuming processes like certifications or mitigation work (e.g. see the state of CVEs in the linux kernel) or simply by pumping out more and more engineers that have never put together a working solution in their lives. Building anything of value is already hard as it is nowadays.
That’s an interesting question. It’s pretty nuanced. I don’t know of any laws that would stop Microsoft from going “oops, we had a bug in our software, sorry about that”. Same for the linux distros. Unless you’re a corporate customer, then that would be included as part of some contract. So at the end of the day you trust Microsoft’s reputation. You’d trust your distro of choice as well. So as a thought experiment I would suggest that the most secure operating system provider is the one that ships a very similar version of its OS to both end-users and enterprise customers. Some Linux distributions fall into that category, some definitely not.
Also, keep in mind that some distros are run mostly by individual contributors not employed by any knowingly reputable company, so I’d stay away from those by default.