Yeah, our security team once flagged our app for having a SQL injection vulnerability in one of our dependencies. We told them we weren’t going to do anything about it. They got really mad and set up a meeting with one of the executives apparently planning to publicly chew us out.

We get there, they give the explanation about major security vulnerability that we’re ignoring, etc. After they said their bit we asked them how they had come to the conclusion we had a SQL injection. Explanation was about what you’d expect, they scanned our dependencies and one of the libraries had a security advisory. We then explained that there were two problems with their findings. First, we don’t use SQL anywhere in our app, so there’s no conceivable way we could have a SQL injection vulnerability. Second our app didn’t have a database or data storage of any kind, we only made RESTful web requests, so even if there was some kind of injection vulnerability (which there wasn’t) it would still be sanitized by the services we were calling. That was the last time they even bothered arguing with us when we told them we were ignoring one of their findings.

It’s a good idea to be aware of any security advisories of your projects dependencies, but it’s also equally important to be aware of your actual attack surface and audience. It for instance may not matter to your entirely offline and utterly unprivileged app that there’s an arbitrary code execution flaw in one of your dependencies because any theoretical attacker is the user themself and they would only be executing code they already had the capability to execute. On the other hand such a flaw in other circumstances could be absolutely critical. It’s really down to you as the author of the code to evaluate any security advisories through the lens of your codes expected use cases.

It’s Japan, I’m sure somebody is planning to.

Yep and that’s fair, but it’s still really critical that those of us that can migrate do so. It’s a chicken and egg problem. Developers won’t feel pressured to support Linux if there’s no sizable user base, but the user base won’t grow until developers provide support for Linux. He even mentions that in that video. There’s a reason I’m only this year planning on switching my primary desktop from Windows to Linux and it’s because of how good Proton has gotten. I’ve already checked every game in my Steam library and while it’s not 100% of the library that runs, everything that doesn’t is something I don’t care about.

Nah, Linux still only accounts for about 2% of all users on Steam (active per month) so it has a long way to go still, but at least it’s heading in the right direction. If you count only English speaking Steam users that number climbs to over 5%. If Linux can get to and reliably maintain 10% that’s probably good enough to make it a first class target for even AAA releases, but it’s not there yet. The fact that so many games run fine under Linux these days is almost entirely down to the effort Valve has sunk into Proton making it relatively easy for devs to check Steamdeck support off without needing to really put much work in at all.

Going to guess his pain points are the fingerprint reader and possibly wifi/blutooth chipset. There are some of those supported but that’s still the spottiest in terms of driver support under Linux. Maybe also webcam but generally those work fine these days.

We don’t need everyone to migrate, just enough that companies and developers feel obligated to support Linux. We’re slowly getting there. Valve throwing their weight behind Linux for gaming was a massive win for Linux. Another important factor is the rise of the mobile first generations and the fact that at its core Android is Linux based. It’s not completely trivial to port an Android app to Linux but it’s at least no worse than porting it to Windows.

Microsoft may still have a stranglehold on corporate desktops, but they’ve long since lost the battle for servers and their hold on the home desktop is slipping a little more each day. Losing a significant chunk of gamers to Linux would be a massive blow to MS because it has been one of the few really unassailable markets for them historically.

I’m hoping to make the switch next month. Building out a new gaming system and going to try going all in on Linux again. Long ago I was a full time Linux user, but with the rise of Steam and the spotty support of wine I couldn’t justify staying with it. Now that Proton is good enough to cover 90%+ of my games library I’m returning to where I started.