Google: Linux kernel and its toolchains are underinvested by at least 100 engineers

submitted by Style Pass, 2021-08-04 15:00:11

Google's open security team has claimed the Linux kernel code is not good enough, with nearly 100 new fixes every week, and that at least 100 more engineers are needed to work on it.

Kees Cook, a Google software engineer who has devoted much of his time to security features in the Linux kernel, has posted about continuing problems in the kernel which he said have insufficient focus.

"The stable kernel releases ('bug fixes only') each contain close to 100 new fixes per week," he said. This puts pressure on Linux vendors – including those who support the countless products which run Linux – to "ignore all the fixes, pick out only 'important' fixes, or face the daunting task of taking everything," he said.

Cook partly blames the C programming language. "With Linux written in C, it will continue to have a long tail of associated problems," he said. He added that the Mitre CVE (Common Vulnerabilities and Exposures) list, used by professionals to assess the importance of bugs, is not up to the task since "not all security flaws have CVEs assigned, nor are they assigned in a timely manner."

The only solution is to continually update to the latest version of the stable release used, but Cook said that "performing continuous kernel updates... faces enormous resistance within an organization due to fear of regressions – will the update break the product?" Another issue is that many vendors use old kernels and backport the fixes, which means redundant work as multiple engineers at different companies fix the same problem.