Summary of Linus Torvalds and Dirk Hohndel’s Conversation at Open Source Summit China Key points discussed by Torvalds and Hohndel:
- Linux Kernel Development:
- Release process: Torvalds discussed the structured and rhythmic nature of the current release process, contrasting it with the chaotic early days.
- Future plans: Torvalds expressed a focus on shorter-term goals and the ongoing work to address fundamental issues like memory management.
- Security: Torvalds emphasized that security vulnerabilities are simply bugs and encouraged users to stay updated with the latest stable kernel releases.
- Rust integration: Torvalds expressed disappointment in the slow adoption of Rust due to factors like resistance from older kernel developers and instability in Rust infrastructure.
- AI and Open Source:
- Potential benefits: Torvalds saw potential for AI tools to assist in code review and bug detection.
- Positive impact: Torvalds noted the increased involvement of companies like Nvidia in kernel development due to the rise of AI.
Overall, the conversation highlighted the ongoing evolution of the Linux kernel, the importance of security and updates, and the potential impact of emerging technologies like AI on open-source development.
You heard it here first folks. Linus said that AI is saving Linux, since it’s in NVIDIA’s interest to support the OS and AI will make Linux adoption less of a boogeyman.
Just remember, Linus said it not me!
Edit: not to imply that I said, or believe this. I’m just kind of surprised that he would (although the NVIDIA point seems spot on)
openQA from SUSE is proof that advanced automation tools can be extremely useful to developers. It would not be surprising if “AI” hardware and software is used for this and things like it in the future.
security vulnerabilities are simply bugs
I don’t know how he can still maintain this clearly insane stance. Pride?
Torvalds expressed disappointment in the slow adoption of Rust due to factors like resistance from older kernel developers and instability in Rust infrastructure.
This is a good sign at least!
potential for AI tools to assist in code review and bug detection
Definitely agree here. One thing I really liked that I saw a while ago is colour coding code based on how “surprising” each token was to the LLM, the idea being bugs would be more surprising. Neat idea. It didn’t seem to actually work very well but maybe it could be improved.
Biggest issue I have is that no company I’ve worked for is ever going to be ok with sending our code to some AI company’s servers, and the options for local models are super limited. So I can’t actually use any of this stuff except for hobbies.
security vulnerabilities are simply bugs
I don’t know how he can still maintain this clearly insane stance. Pride?
How else should it be handled?
Should what be handled? Security vulnerabilities? Here’s how you should handle security bugs differently to other bugs:
-
Report them separately and clearly. Don’t hide by omission the fact that they are security bugs (common practice in Linux apparently). Coordinate with major vendors how to push fixes.
-
They are generally more important than other bugs so you should put more effort into detecting and preventing them. E.g. using fuzzing, sandboxing, formal methods, safer languages, safety annotations, etc.
-
They have high value on the grey market and people actively try to create them, so you need to design your system under that assumption. An obvious thing to do is software isolation so a bug in - to pick a random example
xz- can’t bring down ssh. Software isolation, microkernels, sandboxing etc. help with this.
There’s no way you can say “they’re just bugs”. Maybe in the 80s. It’s not the 80s.
Report them separately and clearly. Don’t hide by omission the fact that they are security bugs (common practice in Linux apparently). Coordinate with major vendors how to push fixes.
That’s exactly how it works. Vulnerability found, reported and fixed in secret and when everything is in place everyone is informed to update.
They are generally more important than other bugs so you should put more effort into detecting and preventing them. E.g. using fuzzing, sandboxing, formal methods, safer languages, safety annotations, etc.
I don’t want to sound condescending, but what do you think all this talk about Rust and AI tools is about?
In the end you want to prevent all bugs from happening. Some filesystem bug randomly deleting data can be just as catastrophic as remote code execution.
And if some feature turns out to be a gaping security hole you’ll quickly see it turn into a bug. That’s what the quote is about. Every security issue is a bug so it has to be handled like a bug and squashed.
Priority in bugs exist independent of them being security related or something else. A critical bug will always get the highest priority fix.
I don’t want to sound condescending, but what do you think all this talk about Rust and AI tools is about?
Yeah I am aware. It’s very good that they’re looking at it and great that Linus is supportive and not a stuck-in-the-mud. Doesn’t invalidate my comment thought. He’s still saying security bugs are no worse than other bugs.
And if some feature turns out to be a gaping security hole you’ll quickly see it turn into a bug. That’s what the quote is about. Every security issue is a bug so it has to be handled like a bug and squashed.
I mean… I don’t think that’s what he’s saying. Nobody is saying not to fix security bugs…
-
- Linux Kernel Development:
Old timers resisting rust in the kernel because it’s not what they know… Understandable, but to the detriment of the kernel and its community.
This is why the Linux Foundation investing just 2% of its influx on the kernel is a problem. The kernel dev community could be brimming with new blood. Instead, the old guard has to keep the lights on because the aren’t enough successors.
