An important set of stable kernel updates

Posted Oct 21, 2016 13:45 UTC (Fri) by peter-b (guest, #66996)
In reply to: An important set of stable kernel updates by ppel512
Parent article: An important set of stable kernel updates

> Is it acceptable for Linus to stuff it in a series of commits of cleanups with no mention of security impact whatsoever, to then be made into new stable kernel updates effectively fixing only the single vulnerability again with no mention of security impact? That all users of the upstream Linux kernel need to go to a website of a Linux distro that they don't even use to find out the details of a vulnerability the upstream authors had full knowledge of at the time of the commit? That they purposefully didn't include this information, despite releasing their fix, not a month or a week early, but on the very same day as the expiration of the embargo?
>
> The answer is no. It's not acceptable.

Why is it "not acceptable"? Linux very explicitly comes with no warranty, and Linus has no contractual agreement with you which requires him to provide you with patches in your preferred manner. I'm sure Linus will give you a full refund for the total amount you paid him for your copy of Linux, if you ask him nicely.

You have a number of choices, including but not limited to:

- Stop using Linux and use something else instead
- Fork Linux and maintain it in the way you prefer, or pay someone else to do so
- Campaign for mandatory, statutory warranties and guarantees of merchantability for software, and hope that Linux and the free software ecosystem continue to exist

An important set of stable kernel updates

Posted Oct 21, 2016 13:51 UTC (Fri) by ppel512 (guest, #111882) [Link] (3 responses)

So the answer to an arguably deplorable stance on security disclosure which puts a large swath of real world businesses (and by extension peoples livelihoods) at risk is to just continue to accept the behavior and remain mum about it?

I appreciate you making me aware that there are other options available. I had no clue there were other unix distro's other than linux. I'll just go ahead and let our millions of clients know we'll be proactively moving them to freebsd. I'm sure there will be no consequences or disruption to our business there.

Once you realize how naive that stance is when you work at a large scale in a business that relies upon linux perhaps you might instead see it my way that the correct path is to do what spender and the PaX team have been pushing on for the last decade.

An important set of stable kernel updates

Posted Oct 21, 2016 14:07 UTC (Fri) by farnz (subscriber, #17727) [Link] (1 responses)

Serious question - if it's that big a deal, why aren't you funding the grsecurity team to maintain a Linux-compatible kernel instead of Linus? They've got the technical chops to do so (in spades), and have security views closer to your own, and it would avoid the need to migrate people from Linux to FreeBSD.

This is a social issue, at heart - so far, people prefer Linus's kernel (with Linus's management) to the grsecurity managed fork. Presumably, you have reasons for that, but nonetheless, that's the traditional Free Software way to fix bad management - fork, and be willing to merge together again if the people you've forked from have a change of heart (see also egcs).

An important set of stable kernel updates

Posted Oct 21, 2016 19:15 UTC (Fri) by antow (guest, #108999) [Link]

"why aren't you funding the grsecurity team to maintain a Linux-compatible kernel instead of Linus? "

That is indeed what I would do if I was making any amount of money running 45 000 instances of Linux.

But alas, we engineers are not actually deciding on these matters, are we?

An important set of stable kernel updates

Posted Oct 21, 2016 14:46 UTC (Fri) by karath (subscriber, #19025) [Link]

If you find the kernel development practices are unacceptable to you and also believe that it is not possible to take your business elsewhere then you, by your own admission, have no business continuity plan.

That's an unpleasant situation to be in. Good luck in finding a path to a better place.

Or you could look honestly at why it might be so difficult to find an alternative. And look at how changing kernel development practices might have negative impacts on your business that, in the long-term, outweigh the admittedly high short-term impact of this 'fire-drill'.

Look at the multi-billion value of the Linux kernel [1], which is likely why you find it difficult to find an alternative. Linus Torvalds, so far (25 years), has led a coalition of divergent interests to invest that value. He has demonstrated unswerving commitments to users of the kernel, with all their conflicting interests (even yours). Examples inlcude:
- his insistence on maintaining the external API and ABI of the kernel, even at the expense of developers' short-term interests; and
- his willingness to take on ideas, functionality and code for things/areas that he has no personal interest in;
- his insistence that all bugs, whether functional, performance or security are important (and that many apparently non-security related bugs turn out to have security implications).

Even Microsoft, who have vastly improved their development practices, and yet still release security patches every month, often for issues that already are being exploited in the wild. Large organisations that pay serious money to Microsoft get hit by this. And still call out their IT staff to patch thousands of servers, risking that line-of-business applications will stop working.

[1] from 2008 - https://www.linuxfoundation.org/news-media/announcements/...

An important set of stable kernel updates

Posted Oct 21, 2016 14:00 UTC (Fri) by drag (guest, #31333) [Link]

> - Fork Linux and maintain it in the way you prefer, or pay someone else to do so

This is the most likely outcome if this sort of thing continues.

Hopefully customers of major commercial distros start demanding support for gresecurity or similar type patchsets. That would then drive the mainstream kernel developers to take things a bit more seriously.