This article is more than 1 year old
Linus Torvalds on security: 'Do no harm, don't break users'
Fixing for the sake of security alone means 'all your work was just masturbation'
Linus Torvalds has offered a lengthy explanation of his thoughts on security, in which he explained a calmer and more detailed version of his expletive-laden thoughts on the topic earlier this week.
Torvalds was angry that developers wanted to kill dangerous processes in Linux, a measure that would have removed potential problems but done so in ways that users may not have enjoyed.
His long post on the matter suggested to security practitioners that “'Do no harm' should be your mantra for any new hardening work.”
“And that 'do no harm' may feel antithetical to the whole point,” Torvalds adedd. “You go 'but that doesn't work - then the bug still exists.' But remember - keep your eye on the endpoint, and that this is just the first step. You need to not piss off users, and you need to not piss of developers.”
Torvalds explained that the kind of security person he does not like thinks “the big win is when the access is _stopped_.”
“But from a developer standpoint, things _really_ are not done. Not even close. From a developer standpoint, the bad access was just a symptom, and it needs to be reported, and debugged, and fixed, so that the bug actually gets corrected,” he added. “So from a developer standpoint, the end point of hardening is just the starting point, and when _you_ think you're done, we're really only getting started.”
The Linux overseer added that when hardening efforts see a process or feature disabled, users see it as “just a latent bug that got exposed.”
“And the keyword here is that it was _latent_, and things used to work, and the hardening patch did something - probably fairly drastic - to turn it from 'dangerous' to 'benign' from a security perspective.”
“So from a user standpoint, the hardening was just a big nasty annoyance, and probably made their workflow _break_, without actually helping their case at all, because they never really saw the original bug as a problem to begin with.”
Torvalds' post explained his view that “... the number one rule of kernel development is that 'we don't break users'.”
“Because without users, your program is pointless, and all the development work you've done over decades is pointless.”
“Because in the end, those users really do matter. Without those users, your system may be 'secure', but all your security work was still just masturbation. You didn't do anything useful at all in the end.”
Torvalds therefore outlined his preferred way of working, which involves security people reporting issues first, so that kernel developers can address them root and branch as they update Linux.
“All I need is that the whole 'let's kill processes' mentality goes away, and that people acknowledge that the first step is always 'just report',” he wrote, then concluded with “Do no harm. Please.” ®