<html>
<head>
<meta content="text/html; charset=utf-8" http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<div class="moz-text-flowed" style="font-family: -moz-fixed;
font-size: 12px;" lang="x-unicode">On 09/28/2016 09:20 AM, Ralf
Senderek wrote:
<br>
<blockquote type="cite" style="color: #000000;">On Tue, 27 Sep
2016, Jerry Leichter wrote:
<br>
<br>
<blockquote type="cite" style="color: #000000;">Not.
<br>
</blockquote>
<br>
Everyone who complains about this situation should have asked
himself:
<br>
"When did I last donate my time and effort to essential code
review?"
<br>
</blockquote>
<br>
Good point.
<br>
<br>
But Linus Torvalds seems to think that security is well handled by
(#1) writing good code in the first place, and (#2) letting the
distributions patch whatever vulnerabilities might fall through.
There has been some hard work to improve Linux security (such as
grsecurity) but it doesn't get much encouragement. Linux is too
busy moving forward as best it can--conquering the world--to worry
about such cruft.
<br>
<br>
<blockquote type="cite" style="color: #000000;">(including efforts
to reduce complexity).
<br>
</blockquote>
<br>
Those efforts don't have enough mindshare for me to have noticed
them. At least nothing beyond #1 above.
<br>
<br>
<blockquote type="cite" style="color: #000000;">And what are the
alternatives? Use Apple for its security?
<br>
</blockquote>
<br>
The situation is bad.
<br>
<br>
There is a trade-off between the constructive power that can be
built of complexity (features!), and the dangers that will be
camouflaged in that complexity. The incentives to build features
are quite real, but there is no back-pressure asking whether any
given feature is worth the added complexity. Complexity isn't seen
to be a liability, it is seen as an asset.
<br>
<br>
Has anyone ever been fired for adding some big useful feature? How
about for removing one?
<br>
<br>
The costs of complexity are real, but they aren't felt directly. A
bit like pouring untreated waste in a river: the benefits are
mine, but costs are someone else's.
<br>
<br>
-kb, the Kent who thinks computer security might somehow be jiu
jitsu-ed into a needed counter-pressure.
<br>
</div>
<br>
</body>
</html>