Rust for Linux redux

[wiz21c]

I tend to see Linux with rosy glasses, so :

> a strong history of not prioritizing security or even considering it

is that really true ?

[freedomben]

No. Security is important and definitely considered.

Some years back there was a viral blow-up where Linus basically said, "security is important but there are lots of things that are important." A lot of people in the security field decided that meant "not even considered" even though that's ridiculous. Linus has always had a pragmatic, holistic approach to the kernel, and many specialists hate that because they think their field is the most important and all others should be second.

If security wasn't even considered, would Linux really have become the de-facto base on which high security orgs (banks, 3 letter gov agencies, etc) deploy? I doubt it very much.

As a security engineer who has seen egregious security malpractice on the part of developers, I fully agree that there can be a real problem with that. However I think it's silly to suggest that the Linux kernel has a history of not even considering security.

[staticassertion]

You've built a straw-man for my statement and you've completely mischaracterized Linus.

Linus had multiple statements that won him pwnies, but what I'm referring to is decades of mailing list posts where he's insulted researchers, or decades of him and Greg rejecting CVEs and hiding vulnerabilities, etc. This has persisted even today, mostly from Greg, but in a less public way than it once was due to cultural shifts.

Make no mistake, Linus and Greg have always had a hostile relationship with security researchers.

> many specialists hate that because they think their field is the most important and all others should be second.

Another straw man. I never said anything like this; that security should be the number one priority or that anything else shouldn't be a priority.

> would Linux really have become the de-facto base on which high security orgs (banks, 3 letter gov agencies, etc) deploy? I doubt it very much.

Is this satire? Are we really going with "Banks deploy Linux... therefor it's secure" ? Did you know banks also run Windows XP on their ATMs?

Linux has had external contributions to security, yes. Much of that has been despite upstream, and with immense work across decades to get upstream to play ball.

> However I think it's silly to suggest that the Linux kernel has a history of not even considering security.

Sorry but the only way for this to be the case is to simply not know the history of the Linux kernel.

[sennight]

Do a quick search of the terms: Linus Torvalds security. Pick any one of the results. While some of his points with regard to utility vs security seem to have merit... when you switch out "secure" with "correct" the problem becomes pretty obvious.