He then pointed out, “What I see is security means bugs and most of the security issues we have had in the kernel, and happily they haven't been that big — well some of them were big, but that doesn't happen that often. Most of them have been just completely stupid bugs that nobody really would have thought of as security issues normally, except for the fact that some clever person comes around and takes advantage of that."
So can Linux get rid of such bugs? Not realistically. It’s just impossible to write any software free of bugs. The thing is to catch them as soon as you can. “The thing is, you are never going to get rid of bugs,” Linus said. It’s also hard to know ahead of time that the bug in your software can be a security issue. And he’s absolutely right. “If you think of it that way, then you just know that bugs are inevitable; security is never going to be perfect,” he added.
The big difference, as usual, comes from transparency and how quickly the involved parties respond to such bugs. As we’ve covered in other stories, open source companies are much faster at patching bugs than proprietary companies, which, despite having billions of dollars in their pockets, leave security holes unpatched for months to be exploited.
So is there any mechanism in the Linux kernel to ensure fewer bugs go through? Linus said, “In the kernel we obviously try to do the very best we can do. We are very careful on code; we have very strict standards when new people come around. It’s sometimes hard to get into the kernel community just because if you are used to userspace programming, in the kernel you have to be very strict in some respects."
He said that outside of the kernel, people should simply admit that “a) bugs happen, and b) try to mitigate them by, for example, having multiple layers of security. So if you have a hole in one component, the next component will catch it hopefully. I think open source is doing fairly well, but anybody who thinks that we will be entirely secure is not being realistic. We will always have issues."
The Linux Foundation has started an initiative to make open source more secure. When asked about things open source projects can do to ensure bugs happen less often, Linus said, “What I would love to see is, anybody who does network connections, to just have a random packet testing kind of thing. And I have to admit, we do other random testing for the kernel, but I don't think we are necessarily doing as well as we should on things like that."
Sign up for CIO Asia eNewsletters.