In a recent post on the Google Security Blog titled “Linux Kernel Security Done Right,” Google Kernel Security Engineer Kees Cook issued a call to arms to organizations that rely on Linux but don’t contribute to the upstream Linux kernel. In the post, Cook argues that many of these organizations are caught in a seemingly endless cycle of trying to keep up with the latest updates, often spinning their wheels and expending effort to fix issues within their own forks of the Linux kernel.

Another part of the problem, said Cook, is that companies find themselves carrying technical debt because they are so far behind the latest Linux kernel, but he argues that bringing everything up to date is a one-time effort.

“The way out of the technical debt hole is to start your new products on the latest kernel with that process in place, and then what problems that you encounter will quickly inform what’s needed to catch up old products because you’ll discover what needs testing, what use cases are truly important, and things along those lines,” he said.

In his blog post, Cook says that their “most conservative estimates” put the Linux kernel and its toolchains at needing “at least 100 engineers,” and so part of his endeavor here is to convince companies that their upstream-first participation with the Linux kernel benefits them first and foremost, but also has the added benefit of helping the community at large.
