Conversation

saying #linux kernel is at the point where testing it and reporting more security bugs does not have any value anymore? I am concerned. "We are drowning in syzkaller reports and just throwing them at us doesn't really help anyone here anymore" lore.kernel.org/dri-devel/2020

104

Replying to

and

No. Both triage and fixing are labor intensive. It's of no immediate usefulness to find new bugs when there's already a shortage of labor to fix the ones already reported. Of course it becomes useful later once there is.

Replying to

If new reports at least come with some of the triage work already done, they're a lot more useful.

Replying to

It's a big deal that they come with reproducible test cases though. It's a lot better than a typical bug report in that regard. Any crash of the core kernel from userspace could be treated as a serious, priority issue if it was robust and not scaled far beyond maintainability.

Replying to

Linux doesn't have a labor shortage. Rather, the proportion of people working on correctness/robustness/security is tiny. There is far too much code being added and changed. Their attitude drives away many people who try to improve these things too.

6:23 PM · Jul 13, 2020Twitter Web App

Replying to

It's a great example of how simply throwing more and more resources at a project isn't a recipe for robustness or security. They'll just keep piling on the complexity and attack surface because it's the culture and design of the project. Give the same developers a trillion...

Replying to

dollars and twenty years to build a new kernel and I think they'll end up with a similar massively complex and bloated monolithic kernel. Same reasons that giving the OpenSSL developers a bunch of funding isn't going to fix it, and the Linux kernel already has immense funding.

Show replies

Replying to

I call that a labor shortage. They don't have enough volunteer or paid people to work on the stuff that needs to be done. They have plenty paid (by third parties) to work on other things (that those third parties want done).

Replying to

Bingo. We have plenty of paid developers for new features wanted by those companies paying for that work. We have almost no paid developers to do bug fixing and maintenance and patch reviews.

Show replies

Replying to

A lot of the stuff being changed is repaying technical debt.