Torvalds Lambasts The Security Community (Again)
What started this whole tirade was a post Torvalds made to the Linux kernel developer newsgroup four weeks ago, where he aired his opinion that the "security circus... glorifies and... encourages the wrong behavior," and where he saved his cruelest and most politically incorrect statement for the uber-security-minded OpenBSD developers:
[Image: Linus Torvalds (Credit: Wikipedia)]
Needless to say, his comments did not sit well with the OpenBSD community. OpenBSD developer Ken Westerback responded to Torvalds's comments in an e-mail to ZDNet.co.uk editors a few days later:
"As far as I am concerned OpenBSD is the project with the most demonstrated interest in fixing all bugs found, no matter how trivial, and to systematically examine all source code for instances of bugs encountered... I believe that this is the bedrock principle of pursuing security — software that 'just works' rather than software with Rube Goldberg constructs of knobs and security theatre scenery."
Fast-forward to this week's e-mail exchange between Torvalds and Network World, in which Torvalds expounded further on his opinion of the state of today's security environment:
"Too often, so-called 'security' is split into two camps: one that believes in nondisclosure of problems by hiding knowledge until a bug is fixed, and one that 'revels in exposing vendor security holes because they see that as just another proof that the vendors are corrupt and crap, which admittedly mostly are,' Torvalds states...
'Both camps are whoring themselves out for their own reasons, and both camps point fingers at each other as a way to cement their own reason for existence,' Torvalds asserts. He says a lot of activity in both camps stems from public-relations posturing.
He says neither camp is absolutely right in any event, and that a middle course, based on fixing things as early as possible without a lot of hype, is preferable.
'You need to fix things early, and that requires a certain level of disclosure for the developers,' Torvalds states, adding, 'You also don't need to make a big production out of it.'"
Torvalds also finds fault with the concept of "security labeling," where seemingly every update to the Linux kernel is blasted out as a security advisory: "What does the whole security labeling give you? Except for more fodder for either of the PR camps that I obviously think are both idiots pushing for their own agenda?" Torvalds additionally commented that "synchronized releases" from vendors, with fixes held under embargo, only delay the release of timely fixes for known bugs. Torvalds envisions a middle ground where security issues are kept private but shared with the relevant people, rather than treating embargoes as "some insane absolute thing."
There is no question that Torvalds likes to speak his mind and stir up controversy. But perhaps that is the whole point. If his assessment that the security community has become a giant self-perpetuating business is accurate, then perhaps the way the security community addresses and fixes bugs requires an overhaul. At the very least, it makes for good drama.