Ripples from Stack Clash
Posted Jun 28, 2017 21:46 UTC (Wed) by Trou.fr (subscriber, #26289) Parent article: Ripples from Stack Clash
> blame itself for not having fixed this problem. Perhaps LWN shares part of
> that blame for presenting the problem as being fixed when it was not; if so,
> we can only apologize and try to do better in the future. But we might argue
> that the real problem is a lack of people who are focused on the security of
> the kernel itself. There are few developers indeed whose job requires them
> to, for example, examine and address stack-overrun threats. Ensuring that
> this problem was properly fixed was not anybody's job, so nobody did it.
While I'm usually a fan of LWN articles, the recent amount of self-delusion
about security in the Linux kernel has been really annoying.
Maybe you could have reflected on the fact that Linus has been repeatedly
insulting people trying to improve Linux's security for years, which certainly
is a deterrent to any contribution on the subject.
And there _are_ people who care about the Linux kernel security: they use grsec
patches.
The KSPP has been trying to improve the situation, but as ms-tg put it in another comment: hiring Brad and PaXTeam to actually port grsecurity to the mainline would have been the most efficient (at least from a technical point of view) way. Just remind yourself that (at least until last year) Brad was working on grsec _in his spare time_.
Posted Jun 28, 2017 22:38 UTC (Wed) by nix (subscriber, #2304) (8 responses)
Employment requires a degree of treating your colleagues like human beings and considering that their concerns may have value and are not exclusively motivated by hatred and malice. I suspect there is a reason grsecurity is off working on its own...
Posted Jun 28, 2017 22:51 UTC (Wed) by PaXTeam (guest, #24616) (7 responses)
no, no such offer was made. the best Kees could offer at the time (about 2 years ago) was to talk to the CII (he said google's decision to compete with us instead of cooperation was made above his pay grade) and they didn't answer my question whether they'd be willing to fund the necessary hours to get this work done. but yeah, don't let the facts stop you from your conspiracy theorizing ;).
Posted Jun 28, 2017 23:59 UTC (Wed) by pizza (subscriber, #46) (6 responses)
Oh, please.
Spender has explicitly stated, here on LWN (and undoubtedly elsewhere) that he would _never_ accept funding from any entity associated with Linux Foundation, including the CII -- in response to the CII asking him to write a proposal in order to get the funding ball rolling.
That sort of response is a good example of what is known as a "self-inflicted career limiting move".
Posted Jun 29, 2017 0:15 UTC (Thu) by PaXTeam (guest, #24616)
the CII did what? that never happened, you must have misunderstood something. i was the one who asked on cii-discuss in august 2015 how this whole thing could work (before investing my free time into writing a proposal) and got no real response, spender was never part of that discussion.
Posted Jun 29, 2017 11:35 UTC (Thu) by paulj (subscriber, #341) (4 responses)
It is obvious that that would induce a degree of bitterness and even hatred. The chain of cause and effect is not clear though.
Further, regardless of prior events, it would still be good to try to fix this situation, and find some way to navigate around the social and corporate politics so that spender, et al., can earn a living from their security work. Given that that work has clear value, as there are others being paid to take that work and upstream it.
Posted Jun 29, 2017 13:32 UTC (Thu) by ms-tg (subscriber, #89231) (3 responses)
I am seeing this the same way. So, here's a second modest proposal, one sketch of an approach that could possibly help fix the situation:
1. Problem: Linus's belittling and antagonism for years
Solution: Linus writes a formal, personal apology. Quoting all of his derogatory comments that were later proved false (in a concise way), and saying, "mea culpa", please accept our community apology and come back into the fold and work with us in good faith.
2. Problem: No clear paths forward.
Solution: Ask (don't tell, don't make assumptions) for jointly-designed Next Steps.
In a public forum, Linus in tandem with someone at Red Hat and someone at Linux Foundation or other funding-source formally write a short public letter making clear that they are open to paying, over a number of years, for Brad and Pax Team's time to work diligently with the community to upstream the source. And *ask them* for a suggestion of how that relationship might work. Listen to what they say -- see if there are solutions that meet all interests.
Perhaps there's some reason why this sort of common sense approach cannot work -- would love to know more?
Posted Jun 29, 2017 23:25 UTC (Thu) by flussence (guest, #85566) (1 response)
>Solution: Linus writes a formal, personal apology. Quoting all of his derogatory comments that were later proved false (in a concise way), and saying, "mea culpa", please accept our community apology and come back into the fold and work with us in good faith.
And once Linus has apologised for being Finnish, grsecurity can apologise for being American.
Posted Jul 3, 2017 18:33 UTC (Mon) by BenHutchings (subscriber, #37955)
Posted Jun 30, 2017 9:44 UTC (Fri) by paulj (subscriber, #341)
Find a good intermediary, and finding the resources, would be the first steps, I'd imagine.
> The KSPP has been trying to improve the situation, but as ms-tg put it in another comment: hiring Brad and PaXTeam to actually port grsecurity to the mainline would have been the most efficient (at least from a technical point of view) way. Just remind yourself that (at least until last year) Brad was working on grsec _in his spare time_.
Apparently this offer was made. Brad refused (though why is unclear amid all the conspiracy-theorizing). Frankly it seems unlikely this could have ended well: Brad isn't going to be happy until everything he does goes straight into the kernel without review or question, and that's just not how development of anything works. The first code review would lead to a titanic explosion and probably a rapid firing. (Heck, I suspect one wouldn't have to wait that long: the first security bug after he was hired, even in code Brad had nothing to do with, would lead to a mass of snideness, an escalating flamewar...)