Linux security problems should be public, says Torvalds
Linux founder Linus Torvalds has gone on the record about Linux security disclosures and his desire for more responsible security disclosure timeframes.
At the recent linux.conf.au in Auckland, New Zealand, Linux pioneer Linus Torvalds expressed his views on the need for better security disclosure during a Q&A session with fellow panelists Bdale Garbee, Andrew Tridgell, and kernel coder Rusty Russell.
linux.conf.au is widely regarded by delegates as one of the best community-run Linux conferences worldwide and is one of the foremost open source conferences in the world. Every year open source geeks from across the globe gather to meet their fellow technologists, share the latest ideas and innovations, and spend a week collaborating on free, open source software projects.
During a round of questions about security and bugs in the open source community, one question focused on the way the reporting of bugs for Linux has changed in the last 12 months. Torvalds, attending as a keynote speaker, admitted that “security is just a hard problem”; however, his comments on security came down firmly in favour of publicising issues, something Torvalds himself finds personally satisfying:
I’m a huge believer in just disclosing, still somewhat responsibly… but security problems need to be made public. And there are people who argue, and have argued for decades, that you never want to talk about security problems because that only helps the black hats. The fact is that I think you absolutely need to report them and you need to report them in a reasonable time frame.
Torvalds’ definition of ‘reasonable’ is what is currently being implemented on the kernel security mailing list: five working days. Torvalds accepts that for some people this is “a bit extreme.” While other projects may take a month or two to address certain concerns, Torvalds believes this is much better than earlier attitudes to security, noting the “years and years of silence” that was previously the norm.
You can watch Torvalds speak at the linux.conf.au panel discussion here.