Damn, Linus seems pissed his kernel hardening group can’t keep stealing grsecurity patches while he calls their fixes and patches garbage on mailing lists. I still remember when the kernel Meltdown attacks happened and PaX security patches were being discussed (they’d solved it 5-6 years ago) and Linus still called them garbage lol, while asking PaX Security to make it easier for the Linux kernel project to take their patches in the future lmao.
Grsecurity have a great product and even better support, but unfortunately they don’t sell to individuals
Hello, first of all: sorry for putting this thread in the wrong category.
That’s very sad.
I’ve often heard that the patches were stolen by people, but I didn’t know that it was Linus and his people themselves.
Does anyone know more about this?
Technically you can’t steal public patches which have a permissive license.
But what Linus did was very shitty: The group that was working on kernel hardening after a bunch of kernel level critical vulnerabilities were discovered (this was around when Microsoft switched Windows security around, post XP) constantly took patches from grsecurity, especially when working on kernels with companies like Intel, IBM, etc.
Now, grsecurity wasn’t getting any monetary benefit out of it, but the group working with Linus did. This was fine for a while. But then, while discussing fixes for a very critical vuln, Linus butted in when one of the kernel folks talked about lifting patches from grsecurity, and he called their patches garbage. Similar incidents kept happening, and Linus did more things: he said RedHat and other corpo engineers could also do what grsecurity does, and when confronted by PaX Security, he devolved into personal attacks instead of technical ones. He also criticised that PaX Security did not make it easier for the Linux project to “borrow” their patches. The above linked mailing list is just one example; Linus followed PaX around on multiple similar lists with similar attacks.
This behaviour led to grsecurity stopping public patches and building in private for commercial customers only. A great loss to Linux. A great win for Linus.
The Linux project has similarly created friction against projects like bcachefs and Rust in Linux, which is terrible, since Linux has fallen behind a lot in security, with even Windows and macOS being wayyy better than it. Linus himself admits the kernel is “too large” for there to not be security vulnerabilities, of course ignoring that you can reduce security issues to a minimum with defense in depth, which is what projects like Rust in Linux and grsecurity and many others set out to do.
If you are interested, there are a lot of Linux project stories out there that have shaped how the kernel works and the philosophies that drive it (one of the prime examples that Linus cites is “don’t break userspace”). I am always disappointed that security and defense in depth lost to “stability” and “compatibility” in development philosophies.