Message-ID: <20200105212831.GD4253@mit.edu>
Date:   Sun, 5 Jan 2020 16:28:31 -0500
From:   "Theodore Y. Ts'o" <tytso@....edu>
To:     Evan Rudford <zocker76@...il.com>
Cc:     linux-kernel@...r.kernel.org
Subject: Re: Is the Linux kernel underfunded? Lack of quality and security?

On Sun, Jan 05, 2020 at 04:47:33AM +0100, Evan Rudford wrote:
> The problem of underfunding plagues many open source projects.
> I wonder whether the Linux kernel suffers from underfunding in
> comparison to its global reach.
> Although code reviews and technical discussions are working well, I
> argue that the testing infrastructure of the kernel is lacking.
> Severe bugs are discovered late, and they are discovered by developers
> that should not be exposed to that amount of breakage.
> Moreover, I feel that security issues do not receive enough resources.

It sounds like you are unaware of the Kernel Self Protection Project
(KSPP), which is focused on proactively improving the kernel's
security features, and the KernelCI project.  There is quite a lot of
work happening already.

One of the challenges is that there is an extremely large number of
different ways a kernel can be configured, and that a *very* large
number of the bugs tend to be hardware specific.  Running CI on all
possible hardware that might run Linux is really not practical; but
there is a very large number of tests being run on both VMs and on
those hardware platforms that companies who are donating hardware to
KernelCI care about.

Keep in mind that there is *always* the opportunity to do more testing
and QA work.  Companies which care about specific hardware and
software configurations are contributing resources (both money and
engineering headcount) to improve the quality for those specific
configurations.  So there are *always* opportunities where more
resources can improve any product.  This is true whether you are
talking about, say, a $15,000 Ford Fiesta or a $115,000 Porsche 911.

If you have access to resources that you would like to contribute, and
have some specific areas where you would like to see improvement, we
can certainly put you in touch with the various organizations, such as
the Linux Foundation, which are organizing efforts such as KernelCI.
There are also a number of engineers from a goodly number of companies
contributing to the Kernel Self Protection Project.  If you are
interested in getting involved, please see:

    https://kernsec.org/wiki/index.php/Kernel_Self_Protection_Project

Cheers,

					- Ted
