A new Mindcraft moment?
Posted Nov 10, 2015 2:06 UTC (Tue) by timrichardson (subscriber, #72836)
>There are a lot of reasons why Linux lags behind in defensive security technologies, but one of the key ones is that the companies making money on Linux have not prioritized the development and integration of those technologies.
This seems like a reason which is really worth exploring. Why is it so?
I think it is not obvious why this doesn't get some more attention. Is it possible that the people with the money are right not to more highly prioritise this? After all, what interest do they have in an insecure, exploitable kernel? Where there is common cause, Linux development gets resourced. It's been this way for many years. If filesystems qualify for common interest, surely security does. So there doesn't seem to be any obvious reason why this issue does not get more mainstream attention, except that it actually already gets enough. You may say that disaster has not struck yet, that the iceberg has not been hit. But it seems to me that the Linux development process is not overly reactive elsewhere.
Posted Nov 10, 2015 15:53 UTC (Tue) by raven667 (subscriber, #5198)
That is an interesting question; certainly that is what they actually believe, regardless of what they publicly say about their commitment to security technologies. What is the actually demonstrated downside for kernel developers and the organizations that pay them? As far as I can tell there is not sufficient consequence for the lack of security to drive more funding, so we are left begging and cajoling unconvincingly.
Posted Nov 12, 2015 14:37 UTC (Thu) by ortalo (guest, #4654)
The key issue with this domain is that it relates to malicious faults. So, when consequences manifest themselves, it is too late to act. And if the current commitment to a lack of voluntary strategy persists, we are going to oscillate between phases of relaxed carelessness and anxious paranoia.
Admittedly, kernel developers seem pretty resistant to paranoia. That is a good thing. But I am waiting for the days when armed land-drones patrol US streets in the vicinity of their children's schools for them to discover the feeling. The days when innocent lives will unconsciously rely on the security of (Linux-based) computer systems are not so distant; under water, that's already the case if I remember my last dive correctly, as well as in several recent cars according to some reports.
Posted Nov 12, 2015 14:32 UTC (Thu) by MarcB (subscriber, #101804)
Classic hosting companies that use Linux as an exposed front-end system are retreating from development, while HPC, mobile and "generic enterprise", i.e. RHEL/SLES, are pushing the kernel in their directions.
This is really not that surprising: For hosting needs the kernel has been "finished" for quite some time now. Besides support for current hardware there is not much use for newer kernels. Linux 3.2, or even older, works just fine.
Hosting does not need scalability to hundreds or thousands of CPU cores (one uses commodity hardware), complex instrumentation like perf or tracing (systems are locked down as much as possible) or advanced power-management (if the system does not have constant high load, it is not making enough money). So why should hosting companies still make strong investments in kernel development? Even if they had something to contribute, the hurdles for contribution have become higher and higher.
For their security needs, hosting companies already use Grsecurity. I have no numbers, but some experience suggests that Grsecurity is basically a fixed requirement for shared hosting.
On the other hand, kernel security is almost irrelevant on the nodes of a supercomputer or on a system running large business databases that are wrapped in layers of middleware. And mobile vendors simply do not care.