It’s about linux kernel security… but also Linus Torvalds and the warranty that comes with the linux kernel. I really suggest you to read it.
There are three main themes in the article:
- first: the linux kernel “warranty”
- second: concerns about the kernel security
- third: the way Linus Torvalds behaves towards contributors
From my perspective they are reported in a way that describe open-source software as insecure and lead by despotic leaders, making the linux kernel an example of that. I don’t believe this is true and making assumption like that is a way too generic approach to the problem of secure software.
The first point seems somehow misinterpreted. It seems that who is contributing and building the linux kernel should be legally responsible for it, when it’s clearly stated that it comes with no warranty. The linux kernel has always been open-source and free for anyone to use or modify.
Making open source software the base of your company is a choice. With that choice, as with using closed-source software, comes a trade off. Usually with closed-source software you are outsourcing knowledge on how something works. With open-source software you are betting on the opposite: you will always have access to the code you use.
I see advantages in both sides. With closed-source software you don’t need to have people in house, you can have external support, etc. With open-source software you don’t have any fee, you can get help from a community or hire people already knowing the software.
It’s just a tradeoff. Linux is in a lot of servers and devices today because it was chosen for those tasks over other systems. Its copyright and warranty are just another way of releasing software. They don’t make linux less secure.
The second argument is the core argument of the article and it is very important and should be taken into consideration.
I would really like to see big companies using linux contributing to produce a viable hardened linux kernel. But my guess is that they are hardening their systems instead of the kernel, as suggested by Torvalds, because it’s way simpler and less costly*, making sure that reaching the kernel or taking complete control of a machine is very very difficult.
The third point is something that polarize the linux community and the open-source community at large (or at least the part that I know).
I don’t like the way Torvalds sometime answers to people, and I think that being the lead of a big (the biggest?) open-source project is not an excuse. I can easily name leaders in big open-source projects that I’ve never seen answering like Torvalds sometime does. It’s a shame, because it drives people away from a project that is the base of linux and the open-source ecosystem.
* Let’s stay positive and avoid conspiracy theories 🙂