A correction was made to this story. Read below for details.
Linux creator Linus Torvalds has labeled makers of the OpenBSD operating system a "bunch of masturbating monkeys," as part of a wider critique of what he said was self-centered behavior in the IT security industry.
In an e-mail to the Linux kernel developer mailing list, Torvalds said a section of the security industry was dedicated to finding bugs in software only to publicize their findings and gain notoriety.
The row erupted in the Gmane mailing list after a developer for the PaX Team, which patches the Linux kernel, accused Torvalds and other top Linux kernel developers of "covering up (the) security impact of bugs" by not clearly labeling them as security flaws.
Torvalds wrote that disclosing the bug itself was enough, without having to label each individual security flaw. He added that taking the bugs to the "security circus" level only glorified the wrong kind of behavior. "It makes heroes out of security people, as if the people who...fix normal bugs aren't as important," wrote Torvalds.
What was left behind for the developers were all the "boring" bugs, which Torvalds considered more important due to their volume.
"Boring normal bugs are way more important, just because there's a lot more of them," wrote Torvalds. "I don't think some spectacular security hole should be glorified or cared about as being any more 'special' than a random spectacular crash due to bad locking," he said.
The Linux leader went on to state that "security people are often the black-and-white kind of people that I can't stand."
Torvalds appeared particularly irked by the creators of the OpenBSD operating system, who have focused on security and auditing when developing their variant of Unix. OpenBSD is known to be used in high-security environments such as the U.S. Federal Bureau of Investigation.
"I think the OpenBSD crowd is a bunch of masturbating monkeys, in that they make such a big deal about concentrating on security to the point where they pretty much admit that nothing else matters to them. To me, security is important. But it's no less important than everything else that is also important!" Torvalds concluded.
Torvalds' comments drew various reactions from the OpenBSD developer community. In an e-mail exchange with ZDNet.co.uk, developer Ken Westerback wrote that an interest in security should lead to fixing all bugs.
"As far as I am concerned OpenBSD is the project with the most demonstrated interest in fixing all bugs found, no matter how trivial, and to systematically examine all source code for instances of bugs encountered," wrote Westerback. "I believe that this is the bedrock principle of pursuing security--software that 'just works' rather than software with Rube Goldberg constructs of knobs and security theater scenery."
Westerback wrote that software produced by people interested in security "probably works better in most cases because a belief in simplicity, clarity, and consistency usually produces better code than other approaches."
Developer Kjell Wooding agreed that OpenBSD coders treat bugs with equal significance.
"There is a certain irony to Linus' comment there," wrote Wooding in an e-mail to ZDNet.co.uk. "The 'a bug is a bug' principle that he is espousing is exactly the approach taken by the OpenBSD developers that I know. The OpenBSD I know doesn't concentrate on security--it concentrates on correctness."
OpenBSD developer Bob Beck told ZDNet.co.uk that Torvalds' comments showed "ignorance," as OpenBSD coders did take the approach of dealing with bugs equally.
"The comments sound like much of the usual chestbeating we are used to seeing to make all the fanboys and girls on the lists swoon," wrote Beck. "Realistically it just demonstrates an ignorance of the OpenBSD project."
Beck added that Torvalds' comments were unfortunate, in that they could encourage Linux "fanboys and girls" to not focus on code quality.
"Those sorts of unfounded statements probably contribute to the type of attitude in Linux distributions that results in them introducing spectacular bugs into software ported into their distributions from OpenBSD, such as the recent Debian vulnerabilities," wrote Beck. "To the fanboys, this says 'don't listen to security-concerned people--they're just masturbating monkeys.' Which leads to more bugs to fix."
Both Wooding and Beck took Torvalds' comments in good humor. "I don't know what Linus' beef is. He seems to be on the same page with respect to this issue. And the 'masturbating monkey' thing? Well that's just funny," wrote Wooding.
OpenBSD developer Artur Grabowski wrote on Thursday that Torvalds had been in touch with the OpenBSD community.
"I talked to Linus about this already, he was humble about it and said it didn't look like it from the outside that we shared the same view," wrote Grabowski. "We all had a laugh about it."
Liam Tung writes for ZDNet Australia. Tom Espiner, who reports for ZDNet.co.uk in London, contributed to this report.
@ groink_hi: It would be interesting to check what these people are using today (WordPerfect or Word), because Linux's mother still uses Windows, LOL.
Also, about the latest "high security breach", some are too bizarre and happen in rare and specific cases, others will require access to a PC, and others are simply nothing.
Anyway, BSD can be more secure than Linux but lacks several functions and performance, not to mention a community and several applications, so it's not rare to find that Linux is way more popular in comparison with BSD (with the exception of OS X).
@ MSSlayer: OMG, bye-bye Symantec and the whole security applications industry, it's as easy as "programming with security in mind", how could people not have thought of that before, forget about the error-prone nature of the human being, we have a new Isaac Newton, his name is MSSlayer.
Here's to a bunch of masturbating monkeys being free.
Let's stay that way.
Miles
Of course, 90% of CNet's click bait consists of reprinted security press releases, so I don't expect them to side editorially with him.
I think that is the source of Torvalds' frustration.
Forcing him to treat every "potential" security issue equally is as idiotic as treating every risk we face equally.
In everyday life people use "risk assessment" automatically to decide how to prioritize various risks we face daily.
That "common sense" should be used for security issues as well.
Just because one exists does NOT mean it will be exploited.
If it is exploited, it does not mean it will be able to be used in a truly harmful way.
If it is exploited, it could happen literally years from the date the issue developed.
To demand all issues be treated with a simple-minded, paranoid ASAP mentality means valuable creative energy, which is always in short supply, is being used up to solve issues that are NOT a threat, and may never be a threat.
I think someone like Torvalds is smart enough to know even better than the security marketeers how likely and how quickly an issue is going to develop into a "threat."
Now true everyone needs some checks, but Torvalds is right.
Not every security threat is equal, and treating them as such wastes valuable time and effort of such men.
If we lived every day life like that, no one would ever get out of bed, no one would ever drive a car.
The threat from merely walking to the bathroom and dying from an accidental fall, or dying in a car accident, is probably 1000 times more likely than the threats Torvalds is referring to morphing into something truly serious.
So he's right 100%.
Debian does this. They ship security fixes pronto, and tell you what exploit was closed.
Puerile potty mouth makes both Linus and Linux unattractive. It reinforces the impression of a hacker's playground, not something you really want to use.
His latest silliness has pushed even *me* to look at BSD as a refuge of sanity.
I've been through enough Linux disasters. Forget security bugs, you're lucky if the last released kernel doesn't crash. Only after about 10 patches does it begin to feel stable. That Linus can't see something wrong says volumes.
So I am looking at BSD. OpenBSD has a structured engineering flow with code reviews.
Of course the problem with BSD flavors is hardware drivers. But when I look back over years lost to Linux drivers and kernel configs to make hardware work, I realize it would be less time consuming to roll my own drivers for BSD or OpenSolaris.
I live in a world of rewarding bad behavior -- it is incredibly destructive and stops all useful progress dead in its tracks. Unfortunately the only cure is to hope that those in charge recognize the damage before the organization dies.
"I'm a bastard. I have absolutely no clue why people can ever think otherwise. Yet they do. People think I'm a nice guy, and the fact is that I'm a scheming, conniving bastard who doesn't care for any hurt feelings or lost hours of work, if it just results in what I consider to be a better system. And I'm not just saying that. I'm really not a very nice person. I can say 'I don't care' with a straight face, and really mean it."
* Torvalds, Linus (2000-09-06). Message to linux-kernel mailing list. Retrieved on 2007-05-28.
Just use what's best. Right now, that's linux. So what if the dude's a jerk? Just because Reiser was a crazy freak who killed his wife doesn't mean he didn't make a good file system, dangit!
by thedreaming, July 28, 2008 12:54 PM PDT
I've never understood why so-called "security experts" tell the whole universe about a security flaw they found. Doesn't it make sense to quietly contact the responsible people and simply tell them, "Excuse me, I found a flaw in your program. It is located here." This way the responsible party can fix the flaw quickly without worry that someone will try to exploit it before they can patch it.