Linus Torvalds' Followup On Software Security, Sensationalism And Self-Stimulating Simians

e-mail Linux kernel operating system

Word was that Torvalds had apologized to OpenBSD developers. ChannelWeb asked the Linux guru if that were true and whether he had any second thoughts on his initial e-mail "flame." Here is his response:

Heh. I did talk to an OpenBSD and#91;developerand#93;, and offered to apologize if they really thought "masturbating monkeys" was offensive, but at least that developer just found it funny.

So from that (admittedly very limited) sample, the actual developers are sane people, and (as usual) the problem is the whole media circus around security. Which was the whole point of the thread and the context in which I called people monkeys in the first place, which is kind of ironic.

Not that I'm surprised, of course.

id
unit-1659132512259
type
Sponsored post

Anyway, I find - yet again - that security issues get sensationalized, and that people seem to have trouble reacting to them sanely and with any kind of rational behavior. Which is what I was ranting against.

And yes, I think I was extremely unfair in ranting against the OpenBSD developers, although the reason I picked them was that they exemplify to a lot of people a single-mindedness about security.

If you care, the real issue (for me) is that clearly vendor- and PR-driven security models simply do not work. Embargoes are absolutely horrible, and giving gray hats "credit" for holding back and gaming the system and participating in that security circus just encourages bad behavior. That's my pretty strongly held opinion.

That said, the backlash to the vendor-driven back-patting behavior (the so-called "full disclosure" part) is equally wrong. The fact that one side is totally corrupt and doesn't work right does absolutely not mean that the opposite side is any better.

So my philosophy (which I tried to explain in the thread) is to not pander to either side. I don't pander to embargoes and the vendor-and#91;securityand#93; mentality of vendor-driven hiding of security issues, but I also refuse to pander to the crazies at the other end of the spectrum that believe that everything must be fully disclosed.

There is a sane middle road. Sadly, the people who are willing to see that are the people who can see the world as not black-and-white, and not a pure either-or place to be. Those people can also see that there are other issues than "security" that drive programming.

And that was what I was ranting and#91;againstand#93;. And as usual, I probably offended the crazies at both ends of the spectrum (which is where most "security" people are - they never seem to be the relaxed kind of person who can see both sides and decide to be somewhere in the middle).

But hey, I guess that's ok. I don't really mind the occasional flame-war.

If there is one thing you should take away from this, it's that "sensationalism" and people who crow about one single issue, is way, way, way overrated. It's sad how common it is, though.

I want to be known as a "radical moderate," to use the phrase from the Daily Show. I'm middle-of-the-road, and I'm absolutely passionate about it.

Linus