Almost all of Linux's development work is conducted in the open. Almost. One of the few exceptions is when companies or researchers report unpatched security holes to Linux developers. In those cases, the issues are first disclosed on the closed linux-distros list. Now Microsoft, which is -- believe it or not -- rolling its own Linux distributions, has asked to join this restricted security list.
This list, linux-distros, includes developers from FreeBSD, NetBSD, and most of the major Linux distributors. This includes Canonical, Debian, Red Hat, SUSE, and cloud Linux vendors such as Amazon Web Services (AWS) and Oracle.
This list's purpose is to "report and discuss security issues that are not yet public (but that are to be made public very soon)". How soon? The list's maintainers ask that security holes be kept private for no more than 14 days after being reported to the group. That rules out long embargoes: Intel's Meltdown and Spectre CPU bugs, for example, were held under embargo for months and so would not have been handled on linux-distros. Security issues that are already public are discussed on the open oss-security mailing list instead.
Sasha Levin, a Microsoft Linux kernel developer -- yes, there are such people these days -- asked for Microsoft to be given access to the list because, in short, Microsoft is a Linux distributor.
Specifically, Microsoft provides several distro-like builds that are not derived from an existing distribution and are based on open-source components. These are:
- Azure Sphere: This Linux-based IoT device provides, among various things, security updates to deployed IoT devices. As the project is about to step out of public preview into the GA stage, we expect millions of these devices to be publicly used.
- Windows Subsystem for Linux v2: A Linux-based distro that runs as a virtual machine on top of Windows hosts. WSL2 is currently available for public preview and scheduled for GA in early 2020.
- Products such as Azure HDInsight and the Azure Kubernetes Service provide public access to a Linux-based distribution.
In addition, Levin argued that Microsoft should be admitted because: "Microsoft has a decades-long history of addressing security issues via [the Microsoft Security Response Center] MSRC. While we are able to quickly (<1-2 hours) create a build to address disclosed security issues, we require extensive testing and validation before we make these builds public. Being members of this mailing list would provide us the additional time we need for extensive testing."
All of which makes good sense. Besides, Levin revealed in a follow-up note to the discussion that: "the Linux usage on our cloud has surpassed Windows, as a by-product of that MSRC has started receiving security reports of issues with Linux code both from users and vendors. It's also the case that issues that are common for Windows and Linux (like those speculative hardware bugs)."
Greg Kroah-Hartman, the Linux stable branch kernel maintainer, vouched for Levin. "He is a long-time kernel developer and has been helping with the stable kernel releases for a few years now, with full write permissions to the stable kernel trees."
Indeed, Kroah-Hartman had "suggested that Microsoft join linux-distros a year or so ago when it became evident that they were becoming a Linux distro, and it is good to see that they are now doing so".
While some people still see Microsoft as the enemy of all things Linux, the developers on the list appear to regard it as a full Linux development partner. As Tyler Hicks, a Canonical Linux kernel engineer, wrote: "They've been beneficial to the greater Linux community and I feel like their direct involvement on linux-distros would benefit other members."
A vote is expected on Microsoft's membership request in the next few days. I'll be surprised if Microsoft isn't admitted to the list.