Google: Linux kernel and its toolchains are underinvested by at least 100 engineers
2021-08-04 12:29

Google's open security team has claimed the Linux kernel code is not good enough, with nearly 100 new fixes every week, and that at least 100 more engineers are needed to work on it.

Kees Cook, a Google software engineer who has devoted much of his time to security features in the Linux kernel, has posted about continuing problems in the kernel which he said receive insufficient attention.

Cook references Google's fuzzing tool, Syzkaller, which is currently reporting nearly 1,000 possible issues in the Linux kernel: about 400 a year are fixed, he said, but the number is growing by 100 per year as new ones are found.

What is the solution? Cook has a number of proposals, including moving away from the email-only workflow used for Linux development, introducing more automated testing and fuzzing, continuous integration, and other steps to make the development process "more efficient." Currently too much kernel testing happens after a version is released, he said.

According to Cook, "Based on our most conservative estimates, the Linux kernel and its toolchains are currently underinvested by at least 100 engineers." He suggested that companies move in-house engineers working on kernel code and security to work on the upstream kernel instead. "This is the only solution that will ensure a balance of security at reasonable long-term cost."

The company could employ an additional 100 Linux security engineers without blinking, as could Amazon, which likewise runs mostly on Linux and reported revenue for its last quarter of $113.1bn. In February this year, Google said it was sponsoring two full-time developers to work on upstream kernel security.


News URL

https://go.theregister.com/feed/www.theregister.com/2021/08/04/google_linux_kernel_security/

Related vendor

VENDOR LAST 12M #/PRODUCTS LOW MEDIUM HIGH CRITICAL TOTAL VULNS
Linux 11 64 2312 1489 67 3932
Kernel 3 0 8 4 1 13