Linus Torvalds Talks Linux Security at LinuxCon

The founder of Linux explains why he's not thinking about the next 10 years of Linux and why security is all about finding bugs.

SEATTLE—At the annual LinuxCon event here, Linux creator Linus Torvalds revealed how he thinks about security. Torvalds was onstage with Linux Foundation Executive Director Jim Zemlin, who asked the Linux founder how he feels about being the boss of Linux. "I love open source and how all the credit comes to me," Torvalds said. "Realistically though, I only have the power to say no." Zemlin asked Torvalds how he sees security in Linux, which is a topic of increasing concern with multiple high-profile open-source vulnerabilities in the last year, including the Heartbleed and Shellshock flaws. Torvalds said he's sometimes at odds with the security community. In his view, many in the security community only see issues as black and white, right or wrong.

 

"What I see is that security is bugs," Torvalds said. "Most of the security issues we've had in the kernel have been just completely stupid bugs that nobody really would have thought of as security issues normally, except that some clever person is able to take advantage of it."

Torvalds stressed that it is not possible to ever entirely be rid of bugs in software and that some bugs will, in fact, be security issues. Given that bugs are inevitable, Torvalds said that security will never be perfect in Linux. That said, Torvalds emphasized that, in the Linux kernel, the community is very careful and has strict standards on how to get code into the kernel. "The only real solution to security is to admit that bugs happen," Torvalds said, "and then mitigate them by having multiple layers, so if you have a hole in one component, the next layer will catch the issue." Torvalds added, "Anyone that thinks that we'll be entirely secure is just not realistic; we'll always have issues." Zemlin also asked Torvalds about Docker containers, a hot topic at LinuxCon and the broader technology community in 2015. Torvalds said he doesn't really think much about containers as the Linux kernel tends to be fairly far removed from buzzwords. "We're an infrastructure play, and I only care about how people use the kernel," Torvalds said. Torvalds also talked about the emerging world of the Internet of things (IoT), where Linux is a major player today on embedded systems. A key concern about Linux on IoT devices, however, is the growing size of the Linux kernel. "We're trying to be a lean-and-mean IoT machine," Torvalds said. "But it's always hard to get rid of unnecessary fat." Realistically, the Linux kernel will not shrink down to the size it was 20 years ago, but it can still shrink to a certain degree, Torvalds said. "But if you do want to look at really small devices, you might need to look at other alternatives," he said.
Source: eWEEK