Buggy? Angry? LET IT ALL OUT says Linus Torvalds

'I'm not a nice person and I don't care about you': LinuxLord


Linux overlord Linus Torvalds has articulated views on security at Linux.conf.au, and seems to be closer to Google's way of thinking than Microsoft's.

Torvalds, along with Debian luminary Bdale Garbee, Samba man Andrew Tridgell, and kernel coder Rusty Russell spent an hour answering conference attendees' questions last week. That session has now made it to YouTube.

During a discussion about Linux security, Torvalds (at about 50:00) says “I'm a huge believer in just disclosing … somewhat responsibly … but security problems need to be made public. And there are people argue, and have argued for decades, that you never want to talk about security problems because that only helps the black hats. The fact is that I think you absolutely need to report them and and you need to report them in a reasonable time frame.”

What's reasonable? Torvalds says on the kernel security mailing list the disclosure time is five working days, “which for some people is a bit extreme.”

“In other projects it might be a month, or a couple of months,” he continues. “But that's so much better than the years and years of silence which we used to have.”

Might Torvalds have been aware of Google's twin disclosures of as-yet-unpatched Windows flaws last week? Sadly that question didn't come up during the talk.

Video of Torvalds giving the keynote speech at Australian Linux conference

Torvalds did, however, seem to be more sympathetic to Google's approach of giving vendors 90 days to disclose a flaw than other approaches that see vendors sit on bugs until they are ready to release a fix. Microsoft's monthly patch download is one such example of that thinking at work and, we now know, can see the company hold back fixes for bugs it knows about if it can't prepare a remedy in time for a release. Oracle releases patches every 90 days.

Torvalds' talk has also attracted much attention for Torvalds' remarks on his infamous intemperance.

“I am a really unpleasant person. Some people think I am nice and some people are then shocked when they learn different. I'm not a nice person and I don't care about you,” he told the conference.

“I care about the technology and I care about the kernel,” he said, going on to say that disagreements will always erupt once discussions go beyond those topics.

The kernel King went on to make remarks about what he called “diversity in open source” in the Linux community, saying it is “not about gender, not about skin colour” and that the Linux community is already very diverse as it comprises abrasive grumps like himself and others whose skills and personality types enable different types of contributions that advance the cause.

Torvalds went on to say his attitude comes from the fact “I like arguing" and that “I'm just not a huge believer in politeness and sensitivity being preferable over bluntly letting people know your feelings.” ®


Other stories you might like

  • Microsoft gives its partners power to change AD privileges on customer systems – without permission
    Somewhat counterintuitively, this is being done to improve security

    Microsoft has created a window of time in which its partners can – without permission – create new roles for themselves in customers' Active Directory implementations.

    Which sounds bonkers, so let's explain why Microsoft has even entertained the prospect.

    To begin, remember that criminals have figured out that attacking IT service providers offers a great way to find many other targets. Evidence of that approach can be found in attacks on ConnectWise, SolarWinds, Kaseya and other vendors that provide software to IT service providers.

    Continue reading
  • Google: How we tackled this iPhone, Android spyware
    Watching people's every move and collecting their info – not on our watch, says web ads giant

    Spyware developed by Italian firm RCS Labs was used to target cellphones in Italy and Kazakhstan — in some cases with an assist from the victims' cellular network providers, according to Google's Threat Analysis Group (TAG).

    RCS Labs customers include law-enforcement agencies worldwide, according to the vendor's website. It's one of more than 30 outfits Google researchers are tracking that sell exploits or surveillance capabilities to government-backed groups. And we're told this particular spyware runs on both iOS and Android phones.

    We understand this particular campaign of espionage involving RCS's spyware was documented last week by Lookout, which dubbed the toolkit "Hermit." We're told it is potentially capable of spying on the victims' chat apps, camera and microphone, contacts book and calendars, browser, and clipboard, and beam that info back to base. It's said that Italian authorities have used this tool in tackling corruption cases, and the Kazakh government has had its hands on it, too.

    Continue reading
  • Arrogant, subtle, entitled: 'Toxic' open source GitHub discussions examined
    Developer interactions sometimes contain their own kind of poison

    Analysis Toxic discussions on open-source GitHub projects tend to involve entitlement, subtle insults, and arrogance, according to an academic study. That contrasts with the toxic behavior – typically bad language, hate speech, and harassment – found on other corners of the web.

    Whether that seems obvious or not, it's an interesting point to consider because, for one thing, it means technical and non-technical methods to detect and curb toxic behavior on one part of the internet may not therefore work well on GitHub, and if you're involved in communities on the code-hosting giant, you may find this research useful in combating trolls and unacceptable conduct.

    It may also mean systems intended to automatically detect and report toxicity in open-source projects, or at least ones on GitHub, may need to be developed specifically for that task due to their unique nature.

    Continue reading

Biting the hand that feeds IT © 1998–2022