Greg K-H

Is @gregkh saying #linux kernel is at the point where testing it and reporting more security bugs does not have any value anymore? I am concerned. "We are drowning in syzkaller reports and just throwing them at us doesn't really help anyone here anymore" https://lore.kernel.org/dri-devel/20200710103910.GD1203263@kroah.com/ …

No. Both triage and fixing are labor intensive. It's of no immediate usefulness to find new bugs when there's already a shortage of labor to fix the ones already reported. Of course it becomes useful later once there is.

If new reports at least come with some of the triage work already done, they're a lot more useful.

It's a big deal that they come with reproducible test cases though. It's a lot better than a typical bug report in that regard. Any crash of the core kernel from userspace could be treated as a serious, priority issue if it was robust and not scaled far beyond maintainability.

Linux doesn't have a labor shortage. Rather, the proportion of people working on correctness/robustness/security is tiny. There is far too much code being added and changed. Their attitude drives away many people who try to improve these things too.

I call that a labor shortage. They don't have enough volunteer or paid people to work on the stuff that needs to be done. They have plenty paid (by third parties) to work on other things (that those third parties want done).

Bingo. We have plenty of paid developers for new features wanted by those companies paying for that work. We have almost no paid developers to do bug fixing and maintenance and patch reviews.

I don't think quality/security/testing can be improved by adding more people. We have tremendous amount of resources assigned to #linux already, 1000x average project has. It's possible to have good quality with 1 dev on a project, and bad quality with 10000 devs. 1/n