On Mon, 19 Aug 2024 at 14:57, David Hildenbrand <da...@redhat.com> wrote:
>
> On 19.08.24 22:35, Linus Torvalds wrote:
> >
> > Maybe. Or it might just lock up the machine.
>
> Yes, regarding the security concerns it might be a bit better that way.
> (no security expert, so I cannot judge ...)
The thing is, in a static universe where time does not flow, that might be true.
But in such a universe, we wouldn't actually be alive, much less do
kernel development.
In *REALITY*, security is not a single point in time. Real security is
about the *future* more than it is about anything else.
>From a user perspective, security is very much about things like "keep
your system up-to-date", because we _know_ old systems have (known)
bugs.
But the other side of that is that from a developer perspective, the
#1 thing in security is about fixing bugs.
Yes, you want to be conservative so that bugs you haven't fixed yet
don't cause problems, but that "be conservative" absolutely *has* to
be priority #2.
Because no amount of conservatism is going to help you unless you
actively fix the bugs.
And the thing is, a locked-up machine is really really hard to debug.
I can tell you from experience just what the bug reports will look
like, but I think you can guess.
So locking up is one of the worst things you can do. You are pretty
much always much better off making forward progress and try to report
the issue.
Including for security reasons. Because you'd rather have a security
issue today that you can debug, and fix for tomorrow.
A dead machine with a bug you can't debug is not actually suddenly a
really secure machine. Because somebody will just figure out a way to
take advantage of *that* bug too indirectly.
Being able to kill machines at your leisure is a great way to stress
other parts of your network, and suddenly that dead machine might be a
big security hazard when somebody figures out a weakness elsewhere
("Oh, look, there's a bug in the fail-over that allows me to do X").
Linus
