Developers are often accused of not thinking about security, but Linux kernel founder Linus Torvalds has had enough of security people who don't think about developers and end-users.
After blasting some kernel developers last week for killing processes in the name of hardening the kernel, Torvalds has offered a more measured explanation for his frustration with security myopia.
While he agrees that having multiple layers of security in the kernel is a good idea, certain ways of implementing it are not, in particular if it annoys users and developers by killing processes that break users' machines and wreck core kernel code. Because ultimately, if there are no users, there's not much point in having a supremely secure kernel, Torvalds contends.
"'Do no harm' should be your mantra for any new hardening work," Torvalds instructed security developers, reminding them to see the bigger picture.
"Keep your eye on the endpoint, and that this is just the first step. You need to not p**s off users, and you need to not p**s off developers," he said.
"Because in the end, those users really do matter. Without those users, your system may be 'secure', but all your security work was still just masturbation. You didn't do anything useful at all in the end."
In last week's message regarding a Google Pixel developer's hardening-focused pull request, he was annoyed that it wasn't tested properly, which he guessed was due to the attitude that "security is so important that nothing else matters".
He offered a reminder of what it means from different perspectives when a security person has found an invalid access. For the security person, the job's done, but for the developer "the bad access was just a symptom, and it needs to be reported, and debugged, and fixed, so that the bug actually gets corrected".
Torvalds' advice to security-focused contributors is to just report the bug rather than killing a process.
"As a developer, I do want the report. But if you killed the user program in the process, I'm actually _less_ likely to get the report, because the latent access was most likely in some really rare and nasty case, or we would have found it already. In the kernel, there's a high likelihood that it was in a driver, for example," Torvalds explained.
"Because it's the kernel, and because it's a driver, it's quite likely that killing the offender will do bad things to various random locks that were held, or maybe it happens in an interrupt and the whole machine is now dead if we're unlucky because there really were some very core locks being held."
At least one well-known security person agreed with Torvalds' assessment.
Previous and related coverage
The prominent Linux engineer has suggested models used to approach kernel security are entirely wrong.
Linux 4.14 release candidate five is out. "Go out and test," says Linus Torvalds.