Google Sponsors 2 Full-Time Devs To Improve Linux Security (theregister.com) 53
Worried about the security of Linux and open-source code, Google is sponsoring a pair of full-time developers to work on the kernel's security. From a report: The internet giant builds code from its own repositories rather than downloading outside binaries, though given the pace at which code is being added to Linux, this task is non-trivial. Google's open-source security team lead Dan Lorenc spoke to The Register about its approach, and why it will not use pre-built binaries despite their convenience. But first: the two individuals full-time sponsored by Google are Gustavo Silva, whose work includes eliminating some classes of buffer overflow risks and on kernel self-protection, and Nathan Chancellor, who fixes bugs in the Clang/LLVM compilers and improves compiler warnings. Both are already working at the Linux Foundation, so what is new?
"Gustavo's been working on the Linux kernel at the Linux Foundation for several years now," Lorenc tells us. "We've actually been sponsoring it within the Foundation for a number of years. The main change is that we're trying to talk about it more, to encourage other companies to participate. It's a model that works, we're trying to expand it, find contributors that want to turn this into a full-time thing, and giving them the funding to do that." It is in the nature of open source that Google's funding benefits other Linux users, and it is also in the company's interests. How important is Linux to Google? "It's absolutely critical. Google started on Linux. We use it everywhere," says Lorenc. That being the case, why can Google only manage "Gold" membership of the Linux Foundation ($100,000 per annum), whereas others including Microsoft, Intel, Facebook, and Red Hat are "Platinum", which contributes $500,000 annually? "I'm not sure about that stuff. There are dozens of sub-foundations which we are also members of," he adds. Google is ahead of AWS, which is a mere "Silver" member ($20,000 a year).
"Gustavo's been working on the Linux kernel at the Linux Foundation for several years now," Lorenc tells us. "We've actually been sponsoring it within the Foundation for a number of years. The main change is that we're trying to talk about it more, to encourage other companies to participate. It's a model that works, we're trying to expand it, find contributors that want to turn this into a full-time thing, and giving them the funding to do that." It is in the nature of open source that Google's funding benefits other Linux users, and it is also in the company's interests. How important is Linux to Google? "It's absolutely critical. Google started on Linux. We use it everywhere," says Lorenc. That being the case, why can Google only manage "Gold" membership of the Linux Foundation ($100,000 per annum), whereas others including Microsoft, Intel, Facebook, and Red Hat are "Platinum", which contributes $500,000 annually? "I'm not sure about that stuff. There are dozens of sub-foundations which we are also members of," he adds. Google is ahead of AWS, which is a mere "Silver" member ($20,000 a year).
Why bother? (Score:5, Funny)
Re: (Score:2)
Google’s going to cancel Linux?
Re: (Score:1)
Re: (Score:1)
Though this is one of these jokes that might not age well...
Re: (Score:2)
They're just going to kill the project anyway
Well...
How important is Linux to Google? "It's absolutely critical. Google started on Linux. We use it everywhere"
I say good luck killing "everywhere"...
Re: (Score:3)
I know it's supposed to be funny.
But in this case, at least it will have lasting benefits even when Google cancels it eventually.
Security isn't binary - it's not like you have it or not. It's a spectrum, so you can have a little security, a lot of it, or somewhere in-between.
Even if Google's team only fixes one security flaw in Linux before they're cancelled, it's still one less security flaw in Linux. It's not like Linux security will disappear if Google cancels
Re: (Score:2)
Passing the buck. (Score:2)
Whoo Hoo. Now the "soul-withering" and "insufferably boring" stuff can be done by someone else.
https://news.slashdot.org/stor... [slashdot.org]
Finding a niche. (Score:3)
And why not? Every job has boring parts - even making art: someone has to crank out a jillion gallons of paint every day for day after day after decade for all those artists to use.
That said - there are also people who find satisfaction in almost anything, though maybe not enough satisfaction to spend 8 hours a day doing it for fun. If you can connect those people with the right tempermant to a livelihood doing something they unusually find satisfying? ("find contributors that want to turn this into a ful
Re: (Score:2)
A thoughtful, insightful, optimistic, compassionate comment. Well done!
2.... (Score:3)
Full! Two!
Re: (Score:1)
they did the math, 2 devs provided the best ratio of PR to investment capital
Re: 2.... (Score:2)
Especially if they are outsourced to say India or Poland.
Re: (Score:2)
Especially if they are outsourced to say India or Poland.
They aren't.
One of the developers lives in Brazil, the other in Arizona.
Re: (Score:2)
> i dont know what brazil is like
Rather pessimistic, but it stars Robert De Niro:
https://www.imdb.com/title/tt0... [imdb.com]
Google wants to improve Linux Security? (Score:2)
RIGHT!
Google just wants to figure out how to add back doors that Chrome can exploit and kill other browsers, and hope nobody notices.
It's a trap! (Score:2)
They are going to make the Linux kernel phone home to google and spy on you, across all distributions.
Re: (Score:2)
Re: (Score:2)
Only after it's discovered. Which, we've seen several times (on probably accidental vulnerabilities) might take decades.
I mean, you have to figure that with its "industrial" popularity, inserting Linux backdoors is probably of interest to at least as many shadowy agencies as "sponsor" programmers at Microsoft or Apple. (And you'd be hard pressed to convince me there are no such programmers)
Re:Google wants to improve Linux Security? (Score:5, Insightful)
As cynical as I am, I suspect they really do.
Linux is the foundation upon which they've built their empire, and as the largest internet-surveillance company in existence, they present the one of the juiciest hacking targets in existence.
Meanwhile, Linux is primarily an "industrial" OS - most security breaches will be financed in the name of industrial espionage or disruption. While Google is (so far as I know) primarily a "consumer" surveillance company. And yeah, there's oddballs who use Linux on the desktop (I'm one of them, off and on), but the overwhelming majority of "consumer class" Linux users are using Android, or possibly ChromeOS, either of which presumably already have tons of Google spyware built on top.
Basically, Google has little incentive to build back doors into the foundation. Not to mention, the backlash if they were caught could be devastating. And thanks to SCO, Linux contributions are now closely documented, so the source of any back doors eventually found would be a matter of public record.
Re: (Score:1)
The largest number of Linux kernel users are of course all of the Android devices out there. Google might have an interest there too, for some reason.
Re: (Score:2)
If you're counting devices, I think Android would be hard pressed to rival the combined might of Google, Amazon, Apple, and everyone else's server farms.
But as I said - Android is already fully under Google's control. They can insert spyware wherever they want, there's no incentive for them to try to hide it in the foundation shared with the rest of the Linux, where it might one day be forgotten and bite them in the ass.
Why can't other subsystems be sponsored too? (Score:5, Interesting)
The Linux kernel is important, and having more eyeballs on the source code is a good thing. However, there are many places where it would be nice to have code go under more scrutiny by people who know what they are doing:
GNU Privacy Guard, OpenSSL and OpenSSH code, for example. AFIAK, only one maintainer is on each of them, and it is a cornerstone of Internet security. Would be nice if some of these mega-billion dollar companies would help with this. GPG needs a facelift, perhaps using a more efficient binary to ASCII algorithm, better compression, perfect forward secrecy, better hardware support, and so on.
Filesystems. I know that Facebook did a lot of work with btrfs, and the fact it has zstd compression is awesome. It would be nice to see that hammered out some more, to the point where OS distributions have it as an option. Ideally, btrfs should be what APFS is, and something that can work well from phones to servers.
Core security like AppArmor or SELinux improved.
None of this is glamorous work, but it would greatly improve the health of both the Android and Linux ecosystems as a whole.
Re: (Score:2)
It seems that it is not only the linux kernel these two people would work on. Or did I miss something?
Re: (Score:2)
And here we witness the practice of barely-concealed steganography via public forum?
Farewell Frank, it was nice knowing you. I hope they make it quick.
Amazon is silver level? (Score:2, Interesting)
20K a year? AWS would not exist without Linux, Docker, Kubernetes. Interesting.
Embrace, extend, extinguish... (Score:2)
This is rather worrisome for the future of linux. Anything Google gets its finger on should be considered a severe risk for security and privacy, especially if they say they're going to help with these things specifically. It may be time for a new independent OS ecosystem to start.
Re: (Score:2)
I don't trust Google. I do trust the Linux kernel team who approve or reject fixes. If you don't trust them, you shouldn't be using Linux anyhow, regardless of what Google does.
Lesser evil? (Score:1)
I don't know - if you don't trust them... your choices are pretty much to either give up computers entirely, or rely on someone far less trustworthy.
The Linux kernel team is, at best, a bunch of imperfect humans defending a target undoubtedly being assaulted by virtually every major shadowy government agency and criminal cartel in the world.
But pretty much all the other well-supported alternatives belong to an openly evil corporation. And they are no doubt *also* under attack by several major shadowy agenc
OpenIndiana is another option (Score:2)
Jeez...nice set of priorities there (Score:3, Insightful)
A whole TWO developers, eh? For the OS at the foundation of the Android machine that lets their advertising network blanket the Earth and collect/market the personal data of billions of peop^H^H^H^H subjects.
Gee, thanks.
Re: (Score:2)
Hey they're complying with the GPL. This is what RMS wanted.
Re: (Score:2)
I doubt they care about the security of Android, other than maybe keeping others from horning in on their revenue stream on a large scale.
But Linux is also the foundation of their internet empire, and given their internal data stores, they are no doubt a huge target of hackers the world over. I'd be surprised if they only pay two developers to secure it, but a lot of that security is probably specific to their own in-house distro.
Re: (Score:1)
A whole TWO developers, eh?
Two developers, if sufficiently skilled and experienced, can make a huge difference to projects of many different sizes. If they are good enough, they may prove very useful indeed.
But hey, if you want to be a sarcastic, ungrateful person, that is up to you.
I look forward to hearing about what the two developers accomplish a lot more than I do any further comment from you, if we are to talk about relative value.
Re: (Score:2)
Depends what they are working on. Maybe Google has some specific feature in mind and there is only enough work for 2 people, or they are the two experts doing the research/ground work and it may get added to later.
Also they probably need to ramp up slowly, so they can integrate with the Linux development process. Kernel maintainers don't really like big code dumps that make huge changes or add major features out of the blue, so throwing 100 developers at it right now likely wouldn't work.
Re: (Score:2)
They don't need to ramp up. Google has already been paying them to do this work, now they are just posting PR about it in the hope that we will love them.
But corporate pragmatism doesn't impress me, and Google is still working on replacing Linux in their mobile OS which will make it less useful to me, so fucking meh.
Re: (Score:2)
That's a lot more than Amazon provides, and look how heavily they depend on Linux.
Peanuts (Score:3)
Corporate greed knows no bounds...
Re: (Score:3)
Corporate greed knows no bounds...
Google has a lot more than two full-time developers working on Linux security. Android has a whole crew, and so does ChromeOS, and there are multiple teams that focus on Linux kernel security for various organizations that work on systems in data centers. The difference is that all of those are focused on kernel security as it relates to the various products, while these two are just donated to Linux work in general.
Also, note that, as the summary points out, these two engineers have been doing this work
Re: (Score:2, Insightful)
So? Still peanuts when they make mountains of money off Linux.
Re: (Score:2)
So? Still peanuts when they make mountains of money off Linux.
Out of curiosity, what do you think they should do?
Re: (Score:1)
Add two zeros to the donation. Then it would be small, but not pathetic as it currently is.
Re: (Score:2)
Add two zeros to the donation. Then it would be small, but not pathetic as it currently is.
That's probably not far off what the status quo is.
Re: (Score:2)
The status quo is under their control, not provided by an independent body. That is quite different. But yes at the _moment_ Google is a valuable Linux contributor, also in the security area. How long that will keep is anybodies guess.
Re: (Score:2)
The status quo is under their control, not provided by an independent body. That is quite different. But yes at the _moment_ Google is a valuable Linux contributor, also in the security area. How long that will keep is anybodies guess.
It'll continue for as long as contributing to Linux is valuable to Google. This is how open source works.
Re: (Score:2)
The status quo is under their control, not provided by an independent body. That is quite different. But yes at the _moment_ Google is a valuable Linux contributor, also in the security area. How long that will keep is anybodies guess.
It'll continue for as long as contributing to Linux is valuable to Google. This is how open source works.
That is not how large corporations work. This contribution can stop at any time, without warning and without sane reasons.
Good start but not quite right (Score:2)
Yes the kernel matters. But what also matters is the massive web of packages that may or may not be audited for security much less being improved
What work do the "foundations" actually do? (Score:2)
Do the foundations really do anything genuinely useful?
It seems to me that Google might well be contributing more to Linux by spending the money hiring these guys to improve security, than by giving the same money to the foundations