It's not any better, as in the corporate world Linux in particular is just used as a free replacement for Windows or UNIX.
Historically, the big Fortune 500 companies backing Linux and other open source projects had to pay people big money to write code; nowadays they pay what is really peanuts in comparison to hobbyist developers and roll out the result as an end product.
The products are "sold", or more likely given away, and then the after-sales support dies. It's then your problem, but it's "Linux" and "free" so it must be good... This is particularly true of "embedded Linux", often the aspect championed most by corporate Linux proponents and many end users alike.
But while this continues, and bearing in mind that the project leader himself openly doesn't care much about security (leaving that to others), there's not much hope of this improving any time soon.
With OpenSSL the response has also been forks, which are, as ever, available to use, and those running up-to-date Linux distributions will be 'safe' from that particular vulnerability, but the issue of unsupported embedded Linux remains.
Proprietary offerings where vulnerable OpenSSL code has been used are pretty much outside of the control of end users. As with any proprietary software, they will either update it or they won't, or you'll buy a new version. But there is not much difference from a user's perspective between this kind of model and offerings such as Android, where users with old devices are stuck running an old, vulnerable OS because you're at the mercy of the hardware vendor. A locked-down device running a bastardised Linux, which has to be "rooted" and prevents the user from installing the OS of their choice in order to make their device secure and continue to get use out of it, is not freedom by anyone's definition, not a "Linux distro" and only "free software" from a purely technical or legal standpoint.