Linux Foundation: Bugs Can Be Made Shallow With Proper Funding

jones_supa writes The record amount of security challenges in 2014 undermined the confidence many had in high quality of open source software. Jim Zemlin, executive director of the Linux Foundation, addressed the issue head-on during last week's Linux Collaboration Summit. Zemlin quoted the oft-repeated Linus' law, which states that given enough eyes, all bugs are shallow. "In these cases the eyeballs weren't really looking", Zemlin said. "Modern software security is hard because modern software is very complex," he continued. Such complexity requires dedicated engineers, and thus the solution is to fund projects that need help. To date, the foundation's Core Infrastructure Initiative has helped out the NTP, OpenSSL and GnuPG projects, with more likely to come. The second key initiative is the Core Infrastructure Census, which aims to find the next Heartbleed before it occurs. The census is looking to find underfunded projects and those that may not have enough eyeballs looking at the code today."

Whose Eyes?

[Capt.Albatross]

Even for non-security bugs, the many-eyes hypothesis contains a large dose of wishful thinking, but at least in that case most eyes are looking with the same purpose. When it comes to security, however, it is a race between black-hat and white-hat eyes, and the former only have to win once.

Re:The best bug is the one not written

[Gaygirlie]

Software can't be made secure afterwards, it must be the the primary goal.

That's bullshit. Software can definitely be made secure afterwards even if it wasn't that to begin with, there is no other obstacle to that than manpower and time. Also, security being a primary goal does not guarantee that there won't be bugs, so again, that makes that saying utterly ignorant. Bugs, by very definition, are accidental issues, not designed-in features, and no amount of "primary goals" will guarantee that mistakes and accidents won't happen.

Re:Linux was better when there was little funding.

[BarbaraHudson]

As Heinlein noted, TANSTAAFL, just like there's no such thing as free beer. Everything has a cost. Even free software.

And when you have such a fragmented ecosystem, the attack surface is going to be huge (after all, an OS is more than just a kernel), and the idea that "with enough eyes all bugs are shallow" is patently false. So it turns out that open source has been to a large extent relying on the same "security through obscurity" model. This was fine a decade ago, but the competition have stepped up their game and can afford to throw money and bodies at the job without begging.

The solution would be to do a code freeze for 2-3 years while the developers of the various projects audit their code and the ways other projects interact with their code - not just for security problems, but to get rid of bloat and cruft. That's not going to happen, because it makes too much sense. Everyone wants the newest shiny.

Linux was definitely better when there were fewer distros. What a mess.

Re:Second Linus Law: Curse the bugs out

[Kjella]

Maybe Linus isn't cursing at the developers with enough frequency or intensity?

It seems the kernel is rarely the problem, so I'd say the amount of cursing is just right. The problem is Linus doesn't run all these other projects.

Re:Linux was better when there was little funding.

[tlhIngan]

Over time, as Linux has gotten more and funding, it has gotten worse and worse. I initially switched to Linux because it generally just worked, and it worked better than many of the alternatives. But now it's just getting fucking horrible. I mean, look at systemd. Normal users, and especially power users, don't want it. It just causes problem after problem for many people.

No, it hasn't gotten worse. It has gotten responsive to user demands.

Back in the 90s when life was simple, users were simple. Unless you used an Amiga or MacOS, if you played a sound, that was it - no one else could play a sound (MacOS and Amiga had software mixers so you could listen to music AND hear application generated sounds - you could use exclusive mode if you needed it, though).

Likewise, you logged in and you rarely had things starting up just for you.

And your networking options were... single. You either had Ethernet, or a modem, and only one IP per host. And rarely did you move - I mean, if you were on Ethernet, it was assumed you were on the same network permanently, or at least changes were rare.

Nowadays, user demands have gone way up. Audio has to be mixed by the OS because the user may listen to tunes, start yakking on VoIP, and having sound effects played while gaming, all simultaneously. The VoIP call goes over say, a Bluetooth headset or the communications path, while the music and sound effects play through the main speakers. Oh, and no application is to dare use the HDMI port to send audio as it's hooked to a monitor with no speakers. A modern PC can easily have 4 or 5 different ways to play audio.

Likewise, when you log in, you probably have a few per-user services you like to have - either from the environment you're using or other services. It would be a shame if logging in again restarted those services (e.g., you log in locally, then log in remotely over ssh) or if those multiple sessions couldn't communicate with each other (e.g., you make a change remotely, and it fails to propagate through the rest of the logins).

And networks... well, an Ethernet port or WiFi? A user may connect to many different networks in a single day, and have more than a few ways to send a packet around. Perhaps they're hooked to their same network multiple ways - either dual Ethernet, or Ethernet plus WiFi. And maybe the next time the connection is re-established, those ports need to be firewalled because it went from private network to public.

Back in the old days, well, audio was simple because your PC couldn't really do multiple things at once. Networks were generally safe so it didn't matter that you didn't bring up the firewall on the public Ethernet connection. And users didn't run too many things in the background because no one could imagine needing to log into the console AND over ssh simultaneously, or they could just remotely kill the session because there wasn't important stuff to save.

And it's perfectly fine on a server that sits in a rack and never moves until it's powered down and retired. But modern users need this complexity just to manage their normal use case. Sure you can force the user to tell you what kind of network is at the other end, or to re-establish the VPN, but users want computers to do stuff automatically - I mean, why should I tell the computer this coffeeshop WiFi is public over and over again - can't it remember?

Or to reconfigure my VoiIP app because I attach my Bluetooth headset to my computer so it now uses that - why can't it ask for a communications headset, and if one isn't available right now, use the default audio hardware. Then when one suddenly appears (Bluetooth!), automagically use that? Zero reconfiguration, event he app doesn't have to reopen the audio device because the audio core did it internally.

It should be telling that the most popular Linux "distribution" in the world is Android, which has its own init system (like systemd, it manages processes, events, and other things), its own audio