Conversation

saying #linux kernel is at the point where testing it and reporting more security bugs does not have any value anymore? I am concerned. "We are drowning in syzkaller reports and just throwing them at us doesn't really help anyone here anymore" lore.kernel.org/dri-devel/2020

104

Replying to

and

No. Both triage and fixing are labor intensive. It's of no immediate usefulness to find new bugs when there's already a shortage of labor to fix the ones already reported. Of course it becomes useful later once there is.

Replying to

If new reports at least come with some of the triage work already done, they're a lot more useful.

Replying to

It's a big deal that they come with reproducible test cases though. It's a lot better than a typical bug report in that regard. Any crash of the core kernel from userspace could be treated as a serious, priority issue if it was robust and not scaled far beyond maintainability.

Replying to

Linux doesn't have a labor shortage. Rather, the proportion of people working on correctness/robustness/security is tiny. There is far too much code being added and changed. Their attitude drives away many people who try to improve these things too.

Replying to

It's a great example of how simply throwing more and more resources at a project isn't a recipe for robustness or security. They'll just keep piling on the complexity and attack surface because it's the culture and design of the project. Give the same developers a trillion...

Replying to

dollars and twenty years to build a new kernel and I think they'll end up with a similar massively complex and bloated monolithic kernel. Same reasons that giving the OpenSSL developers a bunch of funding isn't going to fix it, and the Linux kernel already has immense funding.

Replying to

Whining about lack of developers after driving so many people away particularly when they're getting paid huge salaries and have immense backing of the project. If anyone asks me about contributing to the Linux kernel, I steer them to a more worthy project with a brighter future.

Replying to

Rather than setting them up for having their patches ignored, ridiculed, rejected for political reasons and/or driven through endless revisions to chase moving / inconsistent goal posts. Why bother? Let someone paid to work on it convince themselves it's not just getting worse.

6:47 PM · Jul 13, 2020Twitter Web App