It is literally shocking to hear prominent Linux kernel developers say that they will continue to downplay, ignore, and disguise security problems in their kernel. The claim that "security by obscurity" helps their users and deters script kiddies is laughable. No one is asking them to publish sample exploits in the ChangeLog. All we need is to have security bugs clearly marked, along with a note about when the problem began. Since they rely heavily on vendors to distribute their kernels, they should provide advance notice to vendors so the vendors can provide a new kernel package at the same time as the vulnerability is published. The approach of silently fixing the bug in the HEAD branch (or whatever they call it in git), not telling any of the good guys, and hoping that the bad guys don't notice it is **very, very dangerous**. This kernel should definitely not be used on servers, or desktops containing sensitive or confidential information. There are free alternatives to the Linux kernel. Debian has been working on combining the Solaris and FreeBSD kernels with the Debian GNU-based userland. This might be the future of GNU, and people should check out GNU/Solaris and GNU/kFreeBSD to see how to help. If you need a system *right now* that has proper security and development practices, take a look at OpenBSD, FreeBSD, and Solaris. Until the Linux kernel developers have a change of heart about fundamental software engineering practices (i.e. security and stability), the Unix user community should treat it as an interesting toy and playground for new ideas. It's not something you would use for anything important.
Copyright © 2017, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds