In a wide-ranging conversation with Verizon open-source officer Dirk Hohndel, 'plodding engineer' Linus Torvalds discussed where Linux is today and where it may go tomorrow.
Should what be handled? Security vulnerabilities? Here’s how you should handle security bugs differently to other bugs:
Report them separately and clearly. Don’t hide by omission the fact that they are security bugs (common practice in Linux apparently). Coordinate with major vendors how to push fixes.
They are generally more important than other bugs so you should put more effort into detecting and preventing them. E.g. using fuzzing, sandboxing, formal methods, safer languages, safety annotations, etc.
They have high value on the grey market and people actively try to create them, so you need to design your system under that assumption. An obvious thing to do is software isolation so a bug in - to pick a random example xz - can’t bring down ssh. Software isolation, microkernels, sandboxing etc. help with this.
There’s no way you can say “they’re just bugs”. Maybe in the 80s. It’s not the 80s.
Report them separately and clearly. Don’t hide by omission the fact that they are security bugs (common practice in Linux apparently). Coordinate with major vendors how to push fixes.
That’s exactly how it works. Vulnerability found, reported and fixed in secret and when everything is in place everyone is informed to update.
They are generally more important than other bugs so you should put more effort into detecting and preventing them. E.g. using fuzzing, sandboxing, formal methods, safer languages, safety annotations, etc.
I don’t want to sound condescending, but what do you think all this talk about Rust and AI tools is about?
In the end you want to prevent all bugs from happening. Some filesystem bug randomly deleting data can be just as catastrophic as remote code execution.
And if some feature turns out to be a gaping security hole you’ll quickly see it turn into a bug. That’s what the quote is about. Every security issue is a bug so it has to be handled like a bug and squashed.
Priority in bugs exist independent of them being security related or something else. A critical bug will always get the highest priority fix.
I don’t want to sound condescending, but what do you think all this talk about Rust and AI tools is about?
Yeah I am aware. It’s very good that they’re looking at it and great that Linus is supportive and not a stuck-in-the-mud. Doesn’t invalidate my comment thought. He’s still saying security bugs are no worse than other bugs.
And if some feature turns out to be a gaping security hole you’ll quickly see it turn into a bug. That’s what the quote is about. Every security issue is a bug so it has to be handled like a bug and squashed.
I mean… I don’t think that’s what he’s saying. Nobody is saying not to fix security bugs…
Should what be handled? Security vulnerabilities? Here’s how you should handle security bugs differently to other bugs:
Report them separately and clearly. Don’t hide by omission the fact that they are security bugs (common practice in Linux apparently). Coordinate with major vendors how to push fixes.
They are generally more important than other bugs so you should put more effort into detecting and preventing them. E.g. using fuzzing, sandboxing, formal methods, safer languages, safety annotations, etc.
They have high value on the grey market and people actively try to create them, so you need to design your system under that assumption. An obvious thing to do is software isolation so a bug in - to pick a random example
xz
- can’t bring down ssh. Software isolation, microkernels, sandboxing etc. help with this.There’s no way you can say “they’re just bugs”. Maybe in the 80s. It’s not the 80s.
That’s exactly how it works. Vulnerability found, reported and fixed in secret and when everything is in place everyone is informed to update.
I don’t want to sound condescending, but what do you think all this talk about Rust and AI tools is about?
In the end you want to prevent all bugs from happening. Some filesystem bug randomly deleting data can be just as catastrophic as remote code execution.
And if some feature turns out to be a gaping security hole you’ll quickly see it turn into a bug. That’s what the quote is about. Every security issue is a bug so it has to be handled like a bug and squashed.
Priority in bugs exist independent of them being security related or something else. A critical bug will always get the highest priority fix.
Yeah I am aware. It’s very good that they’re looking at it and great that Linus is supportive and not a stuck-in-the-mud. Doesn’t invalidate my comment thought. He’s still saying security bugs are no worse than other bugs.
I mean… I don’t think that’s what he’s saying. Nobody is saying not to fix security bugs…