Linux kernel's Kroah-Hartman: We're not struggling to get new coders, it's code review that's the bottleneck
Plus: 'Intel is not doing well with disclosures. I’m not happy. It’s not getting better'
Open Source Summit Europe: Speaking in an “Ask the Experts” session at the online Open Source Summit Europe conference today, Linux kernel stable branch maintainer Greg Kroah-Hartman said there are plenty of new contributors to the code; the bottleneck is finding the people to review it.
Perhaps in response to comments reported here from Linux Foundation board member Sarah Novotny, Kroah-Hartman was asked whether the reliance on plain-text email for submitting kernel patches for discussion was deterring new contributors.
“That is not what’s holding back contributions,” Kroah-Hartman told the virtual audience. “We have over 200 new developers show up every single release. So every three months we have 200 new developers. We do not have a problem of new developers right now.
“Yes, it is hard to get your email client to work but we have it documented really well … we have tutorials, posts on how to do this. We’ve [also] been working on lore.kernel.org to make things easier. But our main bottleneck is maintainers. It’s reviewing.”
The kernel developer said that he has “over 700 patches a week that I have to review, and that is our bottleneck right now.” He added that “if you want to submit a patch, there is no reason why you shouldn’t be reviewing other people’s patches.
“It’s just like with music, you don’t start off writing music, you start off reading music and criticising music. Same thing with programming, you should be reading and reviewing other people’s code.”
Kroah-Hartman also talked about progress with enabling use of Rust for writing kernel code. “The Rust developers talked to Linus [Torvalds] a year and a half ago, and we said sure, wonderful, let’s see how it works.” There was a session on the subject at the recent Linux Plumbers Conference, he said.
“Right now you run the bleeding edge Rust compiler,” Kroah-Hartman said. “There’s some interesting interactions that’re going to happen with object lifespans and the C objects we have versus the Rust objects, it will be interesting to see how they handle that. But they’re working on it … it’s just another language.”
What does he think about using Linux in a safety-critical environment? “Anyone who’s ever flown in a plane, it’s been controlled by Linux, for the past decade, so it’s in safety-critical environments today,” he said, grinning.
“It runs telecoms systems, it runs stock markets, it runs satellites, it keeps mega yachts from tipping over, it’s been in automotive as well, in the head units for a long time … nobody wants to write an operating system, they just want to write applications to solve their problems. There are certifications we’re working on but that’s independent of Linux itself,” he said.
The discussion then turned to the security of LTS (Long Term Support) releases. Do not cherry-pick updates, warned Kroah-Hartman.
“Cherry-picking always fails, I will guarantee you. We fix known security issues every single week. We fix tons of unknown security issues every single week. Keeping on top of that and determining what is and is not a security thing is impossible.”
This month, Intel jumped the gun by revealing security holes in the Linux kernel's Bluetooth stack, saying the software would be fixed in kernel version 5.9 then later 5.10, which isn't due for release until December. Unfortunately, in its advisory, Intel pointed to the specific kernel source code patches that close the holes, which weren't explicitly labeled as security fixes presumably so as not to draw a lot of attention to them. Now the world knows where to find bugs – dubbed BleedingTooth by the Google engineers who found them – which can be potentially exploited to gain root privileges or execute code on nearby vulnerable devices over the air.
In light of this, does Kroah-Hartman have any thoughts about the collaboration and security disclosure process with Intel? “Intel is not doing well with disclosures. I’m not happy. It’s not getting better. As proof, the Bluetooth problem was Intel, it wasn’t disclosed properly,” said Kroah-Hartman.
For its part, the chip maker claims it “follows a disclosure practice called coordinated disclosure, under which a cybersecurity vulnerability is generally publicly disclosed only after mitigations are available.”
It seems the kernel maintainers are still not happy with the process. While the mitigations are available in source form, kernels incorporating the fixes are yet to be formally released. ®