2.4 Kernel Maintainer Marcelo Tosatti Interviewed
Jeremy Andrews writes "KernelTrap has an interview with Marcelo Tosatti. Marcelo became the maintainer of the 2.4 stable kernel when he was 18 years old, releasing his first kernel, 2.4.16, on November 26th of 2001. Two years later, he recently released 2.4.23 and plans to soon put the 2.4 stable kernel tree into maintenance mode, only addressing bugs and security issues. Living in Brazil, Marcelo currently works for Cyclades Corporation. In this interview he looks at how he became the 2.4 maintainer, the challenges involved, and brings us up to date with the current status of the 2.4 kernel."
JA: During the 2.4.23 release cycle, a bug was fixed in the do_brk() function. This bug was recently exploited in a high profile break-in of four Debian Project Linux servers. Why was 2.4.23 not released sooner when this bug was first fixed?
Marcelo Tosatti: When I first applied the fix (sent from Andrew Morton), I didn't realize it was an exploitable bug (I understood it could crash the box).
This guy just took responsibility for sitting on a known fix, which directly led to Debian compromise.
It also led to a rapid patch cycle all over the place, as opposed to a more stable and controlled cycle, since everyone who saw Andrew Morton's patch could research the vuln and create the exploit.
This delay gave blackhats a lot more time than whitehats.
Perhaps this argues strongly for closed security bug reporting a la OIS' "responsible disclosure" model.
I worked with Marcelo at Conectiva (man, I missed that place but...) and that's *not* his real hair :) :-D
He probably just went to a hair stylist and made that... thing
I swear I never imagined Marcelo doing this kind of stuff but he's a kernel developer so you can expect anything!
Scientia est Potentia
When will he fix the critical bugs in the system so we can actually use it? Our company runs on Windows NT 3.5(!) SP2 and it has had an uptime of now 1500+ days on some of our main servers. Our server is an 8 Way 486 50Mhz machine with 72MB of RAM. It has been running smoothly since we installed it in December 1995, however its rapidly increasing maintenance costs are damaging us. The company who gave us this machine has gone out of business.
We are now considering whether to get a Windows 2003 server, Solaris 10 or a Linux Enterprise server. Considering the high profile bugs that exploited key Linux websites, and the increasing litigation against it, we do not think we should use Linux in such an environment where we need uninterrupted operation. We do not need kernel panics, root exploits, and we certainly don't want to put our precious source code at risk of espionage because of the Legal bindings of Linux.
Sure, you can moderate this -1, troll or flamebait if the truth offends you (which it shouldn't; you're very pathetic if it does), but if our server was to go down for even a SECOND, we would go out of business! We need Nine 9's reliability, and Open Source can only provide 2 to 3 9's at best.
is probably a misplaced concern for a guy like this.
He's working at an ISP, not a sweat shop or factory floor (what most child labor laws were designed to prevent, if I recall my history correctly).
He's working with his head, not his back... bully for him (I can think of a few places that could use a teenage prodigy or two).
Even if a man chops off your hand with a sword, you still have two nice, sharp bones to stick in his eyes.
I found it.