Friday, July 18, 2008

Linus Torvalds: "I Don't Get Security"

This is a pretty stunning insight into the software development process for Linux:

The row erupted in the Gmane mailing list after a developer for the PaX Team, which patches the Linux kernel, accused Torvalds and other top Linux kernel developers of "covering up (the) security impact of bugs" by not clearly labeling them as security flaws.

Torvalds wrote that disclosing the bug itself was enough, without having to label each individual security flaw. He added that taking the bugs to the "security circus" level only glorified the wrong kind of behavior. "It makes heroes out of security people, as if the people who...fix normal bugs aren't as important," wrote Torvalds.

What was left behind for the developers were all the "boring" bugs, which Torvalds considered more important due to their volume.

Not all bugs carry equal weight, which is why major software houses tag bugs for things like "security effect" and try to do a fairly honest job of prioritizing fixes. What Torvalds has said, basically, is that they don't really have any kind of bug triage; it's handled on an as-we-get-to-it basis. His comments do need to be put in context, though: no major enterprise (nor the vast majority of consumers who use Linux) actually uses his version. They use a supported version from a vendor with more mature software practices, so this doesn't mean much in real life.

OTOH if Bill Gates said something like this, he'd have been fired by the Board.

Also, this bit was good:
"I think the OpenBSD crowd is a bunch of masturbating monkeys, in that they make such a big deal about concentrating on security to the point where they pretty much admit that nothing else matters to them. To me, security is important. But it's no less important than everything else that is also important!" Torvalds concluded.
