Why Linus is right (as usual) – Security problems are primarily just bugs

Errata Security posted a story “Why Linus is right (as usual)” about how code changes should be handled in Linux. Linus’ basic belief is that code changes should be small continual changes and not heaping big changes. Big changes can introduce unforeseen problems like Obamacare and the Trump tax reforms. Here an excerpt of the article:

Linus has an unwritten manifesto of how the Linux kernel should be maintained. It’s not written down in one place, instead we are supposed to reverse engineer it from his scathing emails, where he calls people morons for not understanding it. This is one such scathing email. The rules he’s expressing here are:

  • Large changes to the kernel should happen in small iterative steps, each one thoroughly debugged.
  • Minor security concerns aren’t major emergencies; they don’t allow bypassing the rules more than any other bug/feature.

Last year, some security “hardening” code was added to the kernel to prevent a class of buffer-overflow/out-of-bounds issues. This code didn’t address any particular 0day vulnerability, but was designed to prevent a class of future potential exploits from being exploited. This is reasonable.

While the original article does not have any comments I found one on-going discussion about the article on Hacker News.