The Complete Magazine on Open Source

Security Is All About Finding Bugs, Says Linux Creator Torvalds


Linux founder Linus Torvalds explains what he thinks about security and why he doesn’t think about the ‘next 10 years of Linux’.

When asked how he feels about being the boss of Linux, Linus Torvalds, the father of Linux, boasted, “I love open source and how all the credit comes to me. Realistically though, I only have the power to say no.”
Torvalds was sharing the stage with Linux Foundation Executive Director Jim Zemlin at the ongoing Linux extravaganza LinuxCon. Zemlin questioned Torvalds on many issues that have been ‘bugging’ Linux users for a while now. Mentioning the high-profile open-source vulnerabilities that occurred last year, including the Heartbleed and Shellshock flaws, Zemlin asked how Torvalds sees the security issue in Linux, to which the Linux pioneer replied, “What I see is that security is bugs. Most of the security issues we’ve had in the kernel have been just completely stupid bugs that nobody really would have thought of as security issues normally, except that some clever person is able to take advantage of it.” Torvalds expressed that he differs with the security community in many ways because it sees issues only as right or wrong, black and white.
He asserted that it is not possible to completely get rid of bugs in software, and clarified that some of those bugs will be security issues. He agreed that security will never be perfect in Linux, because ‘bugs are inevitable’. That said, he commended the Linux community for being careful and emphasised that it has “strict standards on how to get code into the kernel.”
Torvalds said, “The only real solution to security is to admit that bugs happen, and then mitigate them by having multiple layers, so if you have a hole in one component, the next layer will catch the issue.”
“Anyone that thinks that we’ll be entirely secure is just not realistic; we’ll always have issues,” he added.
Zemlin also discussed Docker containers with Torvalds, which is a hot topic at LinuxCon this year. Torvalds said he doesn’t really think much about containers, as the Linux kernel tends to be fairly far removed from buzzwords.
“We’re an infrastructure play and I only care about how people use the kernel.”
Commenting on the emerging technology called the Internet of Things (IoT), where Linux is of prime importance, Torvalds said, “We’re trying to be a lean-and-mean IoT machine. But it’s always hard to get rid of unnecessary fat.”
Zemlin also asked Torvalds about his vision for Linux in the coming 10 years and Torvalds promptly said, “I’m a very plodding, pedestrian person and look only about six months ahead. I look at the current release and the next one, as I don’t think planning 10 years ahead is sane.”
“I think that with open source, you have companies that are trying to make the next 10 years happen, so those companies can push their own agenda in Linux,” Torvalds said. “They know what they need for the next 10 years, so even if I’m not forward-thinking, the whole process encourages forward-thinking behaviour.”