Thanks for your detailed response, I will try to address those points one by one.

On Sun, 5 Jan 2020 at 09:15, Greg KH <greg@xxxxxxxxx> wrote:
>
> On Sun, Jan 05, 2020 at 04:49:32AM +0100, Evan Rudford wrote:
> > The problem of underfunding plagues many open source projects.
>
> Does it? Citation please :)
> And compared to what exactly?

Linux might be hard to compare with other open source projects because of its enormous scale. But anyway, I saw many different open source projects that were underfunded based on their "GitHub-situation". Even large projects like "webpack" seem to suffer from underfunding right now. Here is a citation for you: https://webpack.js.org/blog/2020-10-10-webpack-5-release/

Also some "medium-sized" projects like https://github.com/typeorm/typeorm tend to be underfunded unless a company is willing to sponsor them.

> > Although code reviews and technical discussions are working well, I
> > argue that the testing infrastructure of the kernel is lacking.
>
> Does it? No one can argue we are "doing too much testing", and more
> testing is always wanted, and happening, can you help with that effort?

Well, yes I would help, but it seems to be hard unless you are working for one of those companies who are actually doing kernel-testing.

> > Severe bugs are discovered late, and they are discovered by developers
> > that should not be exposed to that amount of breakage.
>
> Specifics please.

This is perhaps only relevant for some specific users. When I see a critical bug report, then I always ask the question: Could this bug have been caught by a test-suite with reasonable efforts compared to the size of the project? Or is it such a weird corner case that no test-suite could have realistically caught this bug, other than by pure luck? For most projects, I tend to lean towards the first answer.

> Remember that Linux runs on _EVERYTHING_ so testing on _EVERYTHING_ is
> sometimes a bit hard and bugs only show up later on when people get
> around to running newer kernels on their specific hardware/workload.
>
> > Moreover, I feel that security issues do not receive enough resources.

This is perhaps hard to argue because the competition isn't good. To be honest, I feel that neither Linux nor any other "major" OS is reaching "high" security-standards. It is a fallacy to think that the security-situation is good just because nobody else is better. And of course, rewriting Linux is nearly impossible, but I doubt that Linux will ever become "truly secure" as long as everything is written in C. Let's face the reality: C is an excellent systems programming language, but it is like an "unprotected chainsaw" with respect to security.

> Again, citation please? I would argue that right now we have too many
> people/resources working on security issues that are really really minor
> in the overall scheme of things.
> greg k-h

I agree that the current security-efforts might not be well-directed for the overall scheme of things. However, I don't think that security has "too many" people in total. It might be true that "minor" security-issues are eating too many resources, but there are still "non-minor" security issues that are not yet addressed.