Good!
In the related theregister.co.uk article I commented that this kind of bullying behaviour belonged in the previous century. Pleased to see this apology, makes me think Linus is a good person at heart :)
Linux overlord Linus Torvalds has apologised – a bit – for calling some security-centric kernel contributors “f*cking morons”. Torvalds unleashed a profanity-laden rant at Google developer Kees Cook over the latter's proposal to harden the kernel. Another Google security chap, Matthew Garrett, asked Torvalds: “Can you clarify …
"Personal goodliness is not correlative with software development ability. Jus' sayin'."
I don't recall saying it was ;)
Dunno why so many peops are opposed to my comment. There's a difference between, "Do not even f!cking dare to commit such untested code again, I know you can do better than this!" and "You're a f!cking moron, your work is a pile of etc".
What Torvalds (and historically, Microsoft) understands and many tunnel vision security researchers forget is that you don't break userspace. That's the starting point. Implementing a security feature and then retroactively checking whether you've broken existing software is getting the entire process backwards. As with the 18th Amendment[1], it doesn't matter how demonstrable the benefits are - if you're being cavalier with operational realities you're either doomed from the start or you have to proceed very slowly and incrementally, taking the user base with you every step of the way.
[1] The (failed) American attempt to prohibit recreational consumption of alcohol because of the obvious benefit to overall public health.
"[1] The (failed) American attempt to prohibit recreational consumption of alcohol because of the obvious benefit to overall public health."
I thought the (failed) American attempt to prohibit recreational consumption of alcohol was the result of a wave of puritan religious evangelical fervour.
More like anti-immigrant (Irish, Italian, German) fervor. "The right people" could get booze with no problems throughout. They could (and did) even get non-poisonous booze, unlike those who played whack-a-mole with the escalating "denaturant" efforts of the feds.
All of which strays a bit afield of the Linux developer discussion. Sorry.
The comparison with the US constitution is misplaced and not helpful.
The comparison was based on evangelical zealots, so determined to better the lot of their fellow man that they railroad through their bright, shiny, pristine vision of the future with insufficient consideration of whether the great unwashed will actually put up with the consequences of what they're proposing.
Any change that requires such a list is a bad, and usually completely broken, feature, as no list of affected applications can ever be complete.
Don't Break Userspace is a fundamental requirement of any operating system.*
Don't Break Drivers is a secondary one that isn't quite as critical, but close.**
*Apple break userspace on a regular basis. Bastards.
** Microsoft broke drivers in Vista. Look how that turned out.
If you are going to change behavior in userspace, especially if by "changing behavior" you mean the kernel will panic in cases it previously didn't or a process will get killed in response to something that may not even be a problem, the correct way to handle it is with warnings to the kernel log.
Then kernel maintainers can collect reports and see which warnings are real (i.e. actual security issue) and which ones are false alarms, and adjust the code appropriately. Once you have it down to where you are sure the warnings only come for the real thing, then you can change behavior, because you know you are actually fixing something (i.e. closing a security loophole or simply fixing a software bug that was exposed by a process doing something it really shouldn't do but actually didn't want to do).
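The warn-first rollout described in the comment above, sketched as an added example (not part of the original thread, and a userspace model rather than kernel code). The names `check_site`, `site_copy` and `rollout_demo`, the "allowed window" check and the sample object are all assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Userspace model with hypothetical names; not kernel code. */
enum mode { MODE_WARN, MODE_ENFORCE };

struct check_site {
    const char *name;
    enum mode mode;
    size_t allowed_off, allowed_len;   /* window callers may copy from */
    unsigned long warned, blocked;     /* counters maintainers triage */
};

/* Copy obj[off, off+len) to dst. Returns 0 on copy, -1 when refused. */
int site_copy(struct check_site *s, char *dst, const char *obj,
              size_t obj_len, size_t off, size_t len)
{
    if (len > obj_len || off > obj_len - len)
        return -1;                     /* outside the object: never allowed */
    if (off < s->allowed_off || len > s->allowed_len ||
        off - s->allowed_off > s->allowed_len - len) {
        if (s->mode == MODE_ENFORCE) {
            s->blocked++;
            return -1;                 /* behaviour change: caller now fails */
        }
        s->warned++;                   /* old behaviour kept, but logged */
        fprintf(stderr, "WARN %s: copy [%zu,+%zu) outside allowed window\n",
                s->name, off, len);
    }
    memcpy(dst, obj + off, len);
    return 0;
}

/* Walks the three phases; returns 0 if each behaved as described. */
int rollout_demo(void)
{
    char obj[16] = "hdr-datapad-key", dst[16];   /* constructed sample object */
    struct check_site s = { "demo_site", MODE_WARN, 0, 8, 0, 0 };

    /* 1. Warn-only: an existing caller reads bytes 8..11 and keeps working. */
    if (site_copy(&s, dst, obj, sizeof obj, 8, 4) != 0 || s.warned != 1) return 1;
    /* 2. Report triaged as a false alarm: widen the window, warning stops. */
    s.allowed_len = 12;
    if (site_copy(&s, dst, obj, sizeof obj, 8, 4) != 0 || s.warned != 1) return 2;
    /* 3. Only real violations remain, so enforce: bytes 12..15 are refused. */
    s.mode = MODE_ENFORCE;
    if (site_copy(&s, dst, obj, sizeof obj, 12, 4) != -1 || s.blocked != 1) return 3;
    return 0;
}

int main(void) { printf("rollout_demo -> %d\n", rollout_demo()); return 0; }
```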
If "security experts" lived in the Middle Ages, they would end up in the same place as witches, since they bother people with harmful things nobody understands.
So it is good Sir Torvalds stands strong as the sole guardian against the crap storm of feature creep nobody wants, nobody understands except the hackers and the ever present push from the "windows guys" to pollute Linux with bloat like systemd.
Indeed.
And it's pretty pragmatic.
TL;DR. Get the monitoring code in live installs. Collect data on rogue accesses and what's making them. Let it run a while. Then consider is it simple incompetence or actual malice.
Torvalds' occasional outbursts make great click bait but IRL I think it's because he doesn't suffer fools gladly and can't understand why this fairly obvious course of action isn't obvious to so many security types, other than not being able to see outside of their personal problem silo.
He may be overworked and he may on rare occasion every few years or so use a bad word here and there.
But he always does one thing with regards to code: Uses His Common Sense.
Which is surprisingly rare for people these days.
Plus he is right in regards a security issue is still a bug. It's a bad bug, but a bug nonetheless. Fixing said bugs or coding in such a way that minimizes the likelihood of them occurring is better than coding around the bugs to allow them to exist.
Plus kernel panic or shutdown on security bug being detected? That's a Denial of Service attack waiting to happen.
Think about it, if you find one that can trigger it, and also if you find another bug that gives you enough access to do it on remote servers? You could take servers down instantly for fun with minimal access.
"Fixing said bugs or coding in such a way that minimizes the likelihood of them occurring is better than coding around the bugs to allow them to exist."
Whilst adopting a better mental approach is definitely desirable, I believe Linus was suggesting that it is the overall layered approach to the kernel design that would limit the damage that a single bug could do.
What Linus needs is a good scrum master -- that will fix it. You can organize the open source community to do virtual stand-ups at 9am [you may need to shower before noon]. Hire 3 project managers for each contributor. Have "one on one" meetings with each every other day. Have each contributor add their progress to jira. Then Linus will be able to tell by the burn down chart when the next release will be. The open source community will probably need to hire an army of consultants to do scrum training and give out certificates at least once a year.
--
scrum must die.
Linus pioneered not only a new OS but also new ways of developing and distributing it.
"release early and often" was the mantra in the good old days. Users found the bugs and they were fixed - very quickly. If someone cannot cope with this they should wait to upgrade until other hardier souls, or people not running mission critical systems, found the bugs.
Linux has been a dynamic and vigorous ecosystem. Linus found exactly the right formula to manage it. If the genes that made this possible are linked to others like sweariness then "c'est la vie". Deal with it. Don't try to put ridiculous code into the system, and just grin and say sorry if you inadvertently do so.
Which makes one wonder how in hell we got stuck with pulseaudio and systemd! :-)
Yeah, it's me. again. I hope the mods let this through, because I wrote this after-the-fact after I monologued it in the IT office, to much laughter and knee-slapping of my cow-orkers. Co-workers? Cowork-ers? What the hell is a cowork? And who the hell would ers it? Sounds suspect to me. The sort of suspect that requires darkness, a deserted alley, a $50 bill, and a confused hooker. *note to self*
Anyway, I hope the censors give this a pass, because it's Thanksgiving, it's about Linus, and at least 2 other people at my job thought it was funny. Unfortunately, it's a tad strong-worded, obscene, and derogatory. Pretty much like any Linus outburst that makes the news. Forgive me, for I have sinned. I'll say my ten Hail Marys and slam my hand in the vestibule door five times. Amen. And I tried really hard not to type the F-bomb, but we all know Linus uses it a ton.
*my personal idea of what goes through Linus's head. Alcohol may or may not have been involved in thinking this up*
<Linus's Mind on the latest kernel-panic mess>
ARE YOU FSCKING KIDDING ME?
WHERE ARE MY SWIM TRUNKS?
ARE YOU FSCKING MORONS? SURE, LET'S KILL *EVERYTHING* OFF IF SOMETHING MISBEHAVES! *THAT* MAKES THE USERS HAPPY! IT'S NOT LIKE THEY ARE *USING* THAT SERVER OR ANYTHING!
WHERE ARE MY GODDAMN SWIM TRUNKS? FSCKING HELL!
WHAT THE SHIT! YOUR CHANGE WRECKS SO MUCH SHIT YOU HAVE TO HAVE 'PLAN B' ON-HAND FOR IT!??!?! YOU WANT TO PEDDLE THE 'MORNING AFTER PILL' TO USERS WHO UPGRADE? DID YOU FSCK THEM THAT BADLY?
WHERE THE FSCK ARE MY SWIM TRUNKS!??!?!?!??!?!?!
JESUS-FSUCKIN-CHRIST-ON-A-POGO-STICK-FSCKING-MOTHER-MARY, WHAT PART OF 'THOU SHALT NOT BREAK SHIT' IS UNCLEAR, YOU FSCKING HEATHENS?
maybe I already packed them.....let me check......
CAN I NOT ENJOY A FSCKING VACATION AWAY FROM YOU INBRED, MOUTH-BREATHING, GLUE-EATING, SISTER-FSCKING, IGNORANT, GOAT-HUMPING, BANJO-PLAYING R&TARDS FOR EVEN *ONE* FSCKING DAY?
GODDAMNIT I SWEAR I WILL STOP THE EARTH'S ROTATION UNTIL MY SWIM TRUNKS ARE FOUND! damn... do i even own swim trunks?
*YES* *I* *AM* *A* *GOD*. Consider the fact that you're ranting about me on your android phone, or iPhone, they both run Linux. Being that it's thanksgiving and all, and your lazy ass isn't at work, working. Like you should be. Meanwhile, this God wants a private beach and a dozen Singapore Slings so I can forget about the dumbass shit the devs just did. Consider this a brief respite from my usual acrid retorts, because I'm relaxing in a chair, and lazily thinking up new retorts for you ret@rds that piss me off. Because you all are feeble minded and can't think things through. And you insist on pushing broken shit forward into new releases. Fix. Your. Broken. Shit. While I sit here drinking my drink. In my swim trunks.
*HOLY CHRIST* *NO* DON'T COMMIT THE CHANGE YET. IT AFFECTS THE KERNEL, AND COULD CAUSE A SHIT-TON OF MACHINES TO KERNEL PANIC, YOU FSCKTARD! I'D KICK THE SHIT OUT OF YOU, BUT THERE WOULD BE NOTHING LEFT! OPEN SOURCE MEANS VOLUNTEER WORK, BUT YOU ACT LIKE YOU WANT TO GIVE EVERYBODY ROOT ACCESS BECAUSE YOU FEEL SORRY THEIR DOG DIED FROM HERPES THAT YOUR FRIEND'S SISTER'S COUSIN'S BROTHER'S FRIEND'S TWICE REMOVED (AND ONCE ADDED) COUSIN'S NEPHEW'S UNCLE'S ACQUAINTANCE'S HALF-STEP-INBRED-HILLBILLY-FSCKTARD'S, NEIGHBOR'S, BOSS', COW-ORKER'S, STRANGER-ON-THE-SUBWAY,LOCAL-NEWS-REPORTER'S,[IMAGINE FSCKTARD BLOGGER DOUCEBAG HERE] BLOGGER'S GAVE IT!
I'M STILL WAITING ON MY SWIM TRUNKS DAMNIT!!! WHY DO I HAVE TO DO *EVERYTHING* AROUND HERE?
[fin]
Happy Thanksgiving to all, and I hope you got at least a chuckle out of this. I can just imagine Linus going the hell off due to missing swim trunks. And I'm glad my servers won't be kernel panic-ing over the Thanksgiving holiday. I hope.
Wishing great holidays, non-stressful family visits, clean patches, and no insistent SMS from the server rooms to all!
Fuck apologizing, if he finds a fucked up way someone approaches their job then they should get used to profanity till they start thinking on how an end user is affected by their bullshit. He was so right in the way he put them in their place that they will rethink what they are doing next time. Sure if you are fixing a big security hole you might go a little overboard if that is being actively exploited but if they are just changing something because and overdo it then they need to see it from a user perspective like Linus is doing.