Topic: Torvalds's comments were unfortunate

[toasty0]

Linux creator Linus Thorvalds has labeled makers of the OpenBSD operating system a "bunch of masturbating monkeys", as part of a wider critique of what he said was self-centered behavior in the IT security industry.

In an email to the Linux kernel developer mailing list, Torvalds said a section of the security industry was dedicated to finding bugs in software only to publicize their findings and gain notoriety.

The row erupted in the Gmane mailing list after a developer for the PaX Team, which patches the Linux kernel, accused Torvalds and other top Linux kernel developers of "covering up [the] security impact of bugs" by not clearly labeling them as security flaws.

Torvalds wrote that disclosing the bug itself was enough, without having to label each individual security flaw. He added that taking the bugs to the "security circus" level only glorified the wrong kind of behavior. "It makes heroes out of security people, as if the people who [...] fix normal bugs aren't as important," wrote Torvalds.

What was left behind for the developers were all the "boring" bugs, which Torvalds considered more important due to their volume.

"Boring normal bugs are way more important, just because there's a lot more of them," wrote Torvalds. "I don't think some spectacular security hole should be glorified or cared about as being any more 'special' than a random spectacular crash due to bad locking," he said.

The Linux leader went on to state that "security people are often the black-and-white kind of people that I can't stand".

Torvalds appeared particularly irked by the creators of the OpenBSD operating system, who have focused on security and auditing when developing their variant of Unix. OpenBSD is known to be used in high-security environments such as the US Federal Bureau of Investigation.

"I think the OpenBSD crowd is a bunch of masturbating monkeys, in that they make such a big deal about concentrating on security to the point where they pretty much admit that nothing else matters to them. To me, security is important. But it's no less important than everything else that is also important!" Torvalds concluded.

Torvalds's comments drew various reactions from the OpenBSD developer community. In an email exchange with ZDNet.co.uk, developer Ken Westerback wrote that an interest in security should lead to fixing all bugs.

"As far as I am concerned OpenBSD is the project with the most demonstrated interest in fixing all bugs found, no matter how trivial, and to systematically examine all source code for instances of bugs encountered," wrote Westerback. "I believe that this is the bedrock principle of pursuing security — software that 'just works' rather than software with Rube Goldberg constructs of knobs and security theatre scenery." Westerback wrote that software produced by people interested in security "probably works better in most cases because a belief in simplicity, clarity and consistency usually produces better code than other approaches."

Developer Kjell Wooding agreed that OpenBSD coders treat bugs with equal significance.

"There is a certain irony to Linus's comment there," wrote Wooding in an email to ZDNet.co.uk. "The 'a bug is a bug' principle that he is espousing is exactly the approach taken by the OpenBSD developers that I know. The OpenBSD I know doesn't concentrate on security — it concentrates on correctness."

OpenBSD developer Bob Beck told ZDNet.co.uk that Torvalds's comments showed "ignorance", as OpenBSD coders did take the approach of dealing with bugs equally.

"The comments sound like much of the usual chest beating we are used to seeing to make all the fanboys and girls on the lists swoon," wrote Beck. "Realistically it just demonstrates an ignorance of the OpenBSD project."

Beck added that Torvalds's comments were unfortunate, in that they could encourage Linux "fanboys and girls" to not focus on code quality.

"Those sorts of unfounded statements probably contribute to the type of attitude in Linux distributions that results in them introducing spectacular bugs into software ported into their distributions from OpenBSD, such as the recent Debian vulnerabilities," wrote Beck. "To the fanboys this says 'don't listen to security concerned people — they're just masturbating monkeys'. Which leads to more bugs to fix."

Both Wooding and Beck took Torvalds's comments in good humor. "I don't know what Linus's beef is. He seems to be on the same page with respect to this issue. And the 'masturbating monkey' thing? Well that's just funny," wrote Wooding.

OpenBSD developer Artur Grabowski wrote on Thursday that Torvalds had been in touch with the OpenBSD community.

"I talked to Linus about this already, he was humble about it and said it didn't look like it from the outside that we shared the same view," wrote Grabowski. "We all had a laugh about it."

[Dash Jones]

That's an interesting viewpoint...and I can see both points of view.

For starters, take Vista.  I hear it's very good for security in some ways, but everyone I've talked to, including those who originally were Pro-Vista, at least in the Business world, are switching and bailing from it.  It doesn't matter how secure something is if it fails as an OS and has so many bugs you lose productivity.  Hence, the things from Torvald make a LOT of sense in that light.

On the otherhand, things like the FBI NEED to have that security (actually Vista probably doesn't hold up in that either...yet I'd imagine) and so it doesn't matter how good the OS works, if hackers can get into the system, it's all for naught anyways.  With business computers which are online (which I keep over half OFFLINE since not only is it not needed for much of the work such as accounting and records, but it also keeps employees from wasting time browsing the internet and other wasteful activities like that) the same could be true.  If your computer get's hacked or compromised and makes it unuseable, then it doesn't matter how good the OS is.

Of course on the otherhand, for computers not online, what do I care about how good or not good it is in relation to internet security or online security?  What I care about then, isn't the security from online hackers...but how good the OS can operate along with the programs to achieve what is needed.

Interesting article and can present some interesting thoughts.

[Nemesis]

I've looked at part of the original discussion thread.  I don't know what brought up the "BSD" part but I do understand why Linus became annoyed.  He had one person (not a kernel contributer as far as I can tell) trying to change the policy on how bug fixes are listed.  Having an outsider trying to dictate the policy and ignoring the reasons for it became annoying. 

I looked up some things related to this guys postngs.  As far as I can tell he works on a security related Linux program and therefore wants all Linux things to be oriented towards the convenience of the project he works on.

The current, as I understand it. is to say WHAT was fixed whereas this person wanted them to change it to WHY, specifically in security matters to highlight how security flaws were vulnerable to attack.  Linus is against it as it pretty much gives a neon sign and blueprint to attract those seeking such flaws to exploit.

Basically Linus doesn't want those seeking to criminally exploit the flaws before fixes are disseminated to just be able to search for keywords in the change logs rather than have to actually work to distinguish bugs that don't have security issues from those that do.   

He also wants to avoid the idea that fixing security flaws is all that is important.  He does consider it important but he considers fixing all bugs to be important.

Again I don't know why the BSD part was brought up but can only assume that there is some past history there with some form of connection.

[toasty0]

I've looked at part of the original discussion thread.  I don't know what brought up the "BSD" part but I do understand why Linus became annoyed.  He had one person (not a kernel contributer as far as I can tell) trying to change the policy on how bug fixes are listed.  Having an outsider trying to dictate the policy and ignoring the reasons for it became annoying. 

I looked up some things related to this guys postngs.  As far as I can tell he works on a security related Linux program and therefore wants all Linux things to be oriented towards the convenience of the project he works on.

The current, as I understand it. is to say WHAT was fixed whereas this person wanted them to change it to WHY, specifically in security matters to highlight how security flaws were vulnerable to attack.  Linus is against it as it pretty much gives a neon sign and blueprint to attract those seeking such flaws to exploit.

Basically Linus doesn't want those seeking to criminally exploit the flaws before fixes are disseminated to just be able to search for keywords in the change logs rather than have to actually work to distinguish bugs that don't have security issues from those that do.   

He also wants to avoid the idea that fixing security flaws is all that is important.  He does consider it important but he considers fixing all bugs to be important.

Again I don't know why the BSD part was brought up but can only assume that there is some past history there with some form of connection.

So the "masturbating monkeys" comment was not the immature outburst of a spoiled brat?

[Dracho]

I've looked at part of the original discussion thread.  I don't know what brought up the "BSD" part but I do understand why Linus became annoyed.  He had one person (not a kernel contributer as far as I can tell) trying to change the policy on how bug fixes are listed.  Having an outsider trying to dictate the policy and ignoring the reasons for it became annoying. 

I looked up some things related to this guys postngs.  As far as I can tell he works on a security related Linux program and therefore wants all Linux things to be oriented towards the convenience of the project he works on.

The current, as I understand it. is to say WHAT was fixed whereas this person wanted them to change it to WHY, specifically in security matters to highlight how security flaws were vulnerable to attack.  Linus is against it as it pretty much gives a neon sign and blueprint to attract those seeking such flaws to exploit.

Basically Linus doesn't want those seeking to criminally exploit the flaws before fixes are disseminated to just be able to search for keywords in the change logs rather than have to actually work to distinguish bugs that don't have security issues from those that do.   

He also wants to avoid the idea that fixing security flaws is all that is important.  He does consider it important but he considers fixing all bugs to be important.

Again I don't know why the BSD part was brought up but can only assume that there is some past history there with some form of connection.

So the "masturbating monkeys" comment was not the immature outburst of a spoiled brat?

Some of that sort of stuff is regional in nature.  If he were from California or New England I'd say yes.  If he grew up in Texas, descriptions tend to be more... visual in nature.. and contain more... character..

Still, it's best in a business environment to just be factual.

[Nemesis]

So the "masturbating monkeys" comment was not the immature outburst of a spoiled brat?

I can't really say as I don't know enough of the history or what brought up BSD at all.  Can you explain what brought it up?

I do know that most people when systematically provoked will on occasion say/post things they wouldn't have when their heads were cooler.  How about you toasty0 have you ever posted something under provocation that you regretted later?  I know I have, which is why I made the policy of never posting while angry.

Overall Torvalds has a reputation as having a cool head.  During the Samizdat fiasco for example (where a book was going to be published by a "think tank" but never was) where he was being accused of stealing his orignal Linux code his main response was to point to some of the early versions and the lousy coding that he is embarassed to admit was his, including things that are plainly different from Unix because of his writting exclusively for the 386 at the time.  One of the key people he was accused of stealing from denies it and none of them support the claim of theft.

P.S. Dracho Linus Torvalds is from Finland and is ethnically Swedish.

[toasty0]

So the "masturbating monkeys" comment was not the immature outburst of a spoiled brat?

I can't really say as I don't know enough of the history or what brought up BSD at all.  Can you explain what brought it up?

I do know that most people when systematically provoked will on occasion say/post things they wouldn't have when their heads were cooler.  How about you toasty0 have you ever posted something under provocation that you regretted later?  I know I have, which is why I made the policy of never posting while angry.

Overall Torvalds has a reputation as having a cool head.  During the Samizdat fiasco for example (where a book was going to be published by a "think tank" but never was) where he was being accused of stealing his orignal Linux code his main response was to point to some of the early versions and the lousy coding that he is embarassed to admit was his, including things that are plainly different from Unix because of his writting exclusively for the 386 at the time.  One of the key people he was accused of stealing from denies it and none of them support the claim of theft.

P.S. Dracho Linus Torvalds is from Finland and is ethnically Swedish.

From what I gather the BSD folks want be more open and specific about the nature, breadth, and danger of the security flaws. Further, they're alledging that Linus is more interested in concealing the nature, or even the fact the flaws exist.

[Nemesis]

From what I gather the BSD folks want be more open and specific about the nature, breadth, and danger of the security flaws. Further, they're alledging that Linus is more interested in concealing the nature, or even the fact the flaws exist.

Why should their opinions matter on this?  They develop (and presumably use) a competing system.  They have their methods and the Linux developers have theirs. 

Linus seems to be focusing on them as bugs rather than a a special sub type of bugs called "security flaws".  Why should a non Linux kernel developer expect to be able to dictate to Linus and the other actual developers how they classify and label things?

If kernel developers from say Redhat and Novell were saying this I would be more inclined to listen as they are an actual part of the process.  I think that Linus himself would be more likely to listen as well.  But a non kernel person with his own vested interests trying to get changes made for HIS convenience?  I see no reason for him to be listened to or catered to.

Linus even at one point told the guy that this had been discussed several weeks ago and he made no noticeable effort to look up the earlier discussion.  He should have tried to find out if his questions had already been answered to his satisfaction but instead just kept on arguing that things should be changed for his convenience.  Naturally people got annoyed in time.

[toasty0]

From what I gather the BSD folks want be more open and specific about the nature, breadth, and danger of the security flaws. Further, they're alledging that Linus is more interested in concealing the nature, or even the fact the flaws exist.

Why should their opinions matter on this?  They develop (and presumably use) a competing system.  They have their methods and the Linux developers have theirs. 

Linus seems to be focusing on them as bugs rather than a a special sub type of bugs called "security flaws".  Why should a non Linux kernel developer expect to be able to dictate to Linus and the other actual developers how they classify and label things?

If kernel developers from say Redhat and Novell were saying this I would be more inclined to listen as they are an actual part of the process.  I think that Linus himself would be more likely to listen as well.  But a non kernel person with his own vested interests trying to get changes made for HIS convenience?  I see no reason for him to be listened to or catered to.

Linus even at one point told the guy that this had been discussed several weeks ago and he made no noticeable effort to look up the earlier discussion.  He should have tried to find out if his questions had already been answered to his satisfaction but instead just kept on arguing that things should be changed for his convenience.  Naturally people got annoyed in time.

Basically this boils down to them alledging that Linus is acting in an irresponsible manner and his response is to call them mastubating monkeys?  Ok, I get it.

[Nemesis]

Basically this boils down to them alledging that Linus is acting in an irresponsible manner and his response is to call them mastubating monkeys?  Ok, I get it.

Not really. 

Its one guy saying "this is being done in a way that isn't to MY benefit and you should change it to help me out".  Then he is told that it is fine how it is and that it satisfies most of the people actually working on it.  When he doesn't shut up Torvalds eventually became annoyed and said something in anger.  Why is it really news that a troll managed to get himself insulted?

[toasty0]

Basically this boils down to them alledging that Linus is acting in an irresponsible manner and his response is to call them mastubating monkeys?  Ok, I get it.

Not really. 

Its one guy saying "this is being done in a way that isn't to MY benefit and you should change it to help me out".  Then he is told that it is fine how it is and that it satisfies most of the people actually working on it.  When he doesn't shut up Torvalds eventually became annoyed and said something in anger.  Why is it really news that a troll managed to get himself insulted?

Not sure why it's news, unless there is more to it than "just a troll..."

[Nemesis]

Not sure why it's news, unless there is more to it than "just a troll..."

Perhaps it is being pushed as "News" by someone with an agenda in regards to Linux (there are many pro and con who do). 

As an example of this one "journalist" is spinning the SCO Group vs Novell as a victory for SCOG.  Since SCOG had its complaints tossed out and is paying $2.5 million (plus 5 years interest) and may have to pay court costs it is hard to see it as a victory for SCOG as the plaintiff.


Note: For those who don't know The SCO Group started a series of lawsuits in connection with Linux.  The core of those lawsuits hinged on their owning the Unix copyrights.  When Novell asserted that in fact THEY owned them SCOG started the lawsuit against Novell.  Novell was judged as owning the copyrights.