Linus Torvalds Talks Linux Security At LinuxCon

At the annual LinuxCon event in Seattle, Linux creator Linus Torvalds revealed how he thinks about security. Torvalds was onstage with Linux Foundation Executive Director Jim Zemlin, who asked the Linux founder how he feels about being the boss of Linux.

“I love open source and how all the credit comes to me,” Torvalds said. “Realistically though, I only have the power to say no.”

Zemlin asked Torvalds how he sees security in Linux, which is a topic of increasing concern with multiple high-profile open-source vulnerabilities in the last year, including the Heartbleed and Shellshock flaws.

Torvalds said he’s sometimes at odds with the security community. In his view, many in the security community only see issues as black and white, right or wrong.

Linux security

“What I see is that security is bugs,” Torvalds said. “Most of the security issues we’ve had in the kernel have been just completely stupid bugs that nobody really would have thought of as security issues normally, except that some clever person is able to take advantage of it.”

Torvalds stressed that it is not possible to ever entirely be rid of bugs in software and that some bugs will, in fact, be security issues. Given that bugs are inevitable, Torvalds said that security will never be perfect in Linux.

That said, Torvalds emphasized that, in the Linux kernel, the community is very careful and has strict standards on how to get code into the kernel.

“The only real solution to security is to admit that bugs happen,” Torvalds said, “and then mitigate them by having multiple layers, so if you have a hole in one component, the next layer will catch the issue.”

Torvalds added, “Anyone that thinks that we’ll be entirely secure is just not realistic; we’ll always have issues.”

Docker topic

Zemlin also asked Torvalds about Docker containers, a hot topic at LinuxCon and the broader technology community in 2015. Torvalds said he doesn’t really think much about containers as the Linux kernel tends to be fairly far removed from buzzwords.

“We’re an infrastructure play, and I only care about how people use the kernel,” Torvalds said.

Torvalds also talked about the emerging world of the Internet of things (IoT), where Linux is a major player today on embedded systems. A key concern about Linux on IoT devices, however, is the growing size of the Linux kernel.

“We’re trying to be a lean-and-mean IoT machine,” Torvalds said. “But it’s always hard to get rid of unnecessary fat.”

Realistically, the Linux kernel will not shrink down to the size it was 20 years ago, but it can still shrink to a certain degree, Torvalds said. “But if you do want to look at really small devices, you might need to look at other alternatives,” he said.

Zemlin also asked Torvalds about his vision for Linux and where Linux will be in 10 years. Torvalds responded that he doesn’t look all that far into the future. “I’m a very plodding, pedestrian person and look only about six months ahead,” Torvalds said. “I look at the current release and the next one, as I don’t think planning 10 years ahead is sane.”

Torvalds said that if he went back 10 years, there is no way he could have planned what has happened and landed in Linux today. While Torvalds himself isn’t looking 10 years into the future, that doesn’t mean there isn’t a vision for Linux.

“I think that with open source, you have companies that are trying to make the next 10 years happen, so those companies can push their own agenda in Linux,” Torvalds said. “They know what they need for the next 10 years, so even if I’m not forward-thinking, the whole process encourages forward-thinking behavior.

Originally published on eWeek