Linux Foundation: Bugs Can Be Made Shallow With Proper Funding

jones_supa writes The record amount of security challenges in 2014 undermined the confidence many had in high quality of open source software. Jim Zemlin, executive director of the Linux Foundation, addressed the issue head-on during last week's Linux Collaboration Summit. Zemlin quoted the oft-repeated Linus' law, which states that given enough eyes, all bugs are shallow. "In these cases the eyeballs weren't really looking", Zemlin said. "Modern software security is hard because modern software is very complex," he continued. Such complexity requires dedicated engineers, and thus the solution is to fund projects that need help. To date, the foundation's Core Infrastructure Initiative has helped out the NTP, OpenSSL and GnuPG projects, with more likely to come. The second key initiative is the Core Infrastructure Census, which aims to find the next Heartbleed before it occurs. The census is looking to find underfunded projects and those that may not have enough eyeballs looking at the code today."

Linux was better when there was little funding.

I've been using Linux for an awfully long time, since the mid 1990s (Yggdrasil, then Debian). Over time, as Linux has gotten more and funding, it has gotten worse and worse. I initially switched to Linux because it generally just worked, and it worked better than many of the alternatives. But now it's just getting fucking horrible. I mean, look at systemd. Normal users, and especially power users, don't want it. It just causes problem after problem for many people. Yet we have corporate interests and corporate-funded developers forcing it on us, even forcing it into community-oriented distros like Debian. GNOME and Firefox are other great examples of community-based open source projects that got co-opted by money and ruined, to the most recent versions of both being almost totally unusable. On the other hand, we see projects that get less commercial interest, like Slackware and Xfce, producing the most usable and reliable open source software systems around. Linux was better when there wasn't so much money floating around. Back then it was about creating great software, and doing things right. Now it's about everything but that.

Re:Linux was better when there was little funding.

[BarbaraHudson]

As Heinlein noted, TANSTAAFL, just like there's no such thing as free beer. Everything has a cost. Even free software.

And when you have such a fragmented ecosystem, the attack surface is going to be huge (after all, an OS is more than just a kernel), and the idea that "with enough eyes all bugs are shallow" is patently false. So it turns out that open source has been to a large extent relying on the same "security through obscurity" model. This was fine a decade ago, but the competition have stepped up their game and can afford to throw money and bodies at the job without begging.

The solution would be to do a code freeze for 2-3 years while the developers of the various projects audit their code and the ways other projects interact with their code - not just for security problems, but to get rid of bloat and cruft. That's not going to happen, because it makes too much sense. Everyone wants the newest shiny.

Linux was definitely better when there were fewer distros. What a mess.

Whose Eyes?

[Capt.Albatross]

Even for non-security bugs, the many-eyes hypothesis contains a large dose of wishful thinking, but at least in that case most eyes are looking with the same purpose. When it comes to security, however, it is a race between black-hat and white-hat eyes, and the former only have to win once.