At a time when faith in open source code has been rocked by an outbreak of attacks based on the Shellshock and Heartbleed vulnerabilities, it's time to revisit what we know about Linux security. Linux is so widely used in enterprise IT, and deep inside Internet apps and operations, that any surprises related to Linux security would have painful ramifications.
In 2007, Andrew Morton, a no-nonsense colleague of Linus Torvalds known as the "colonel of the kernel," called for developers to spend time removing defects and vulnerabilities. "I would like to see people spend more time fixing bugs and less time on new features. That's my personal opinion," he said in an interview at the time.
So how's that going? Since Morton issued his call, Linux has added several million lines of code and many thousands of patches and new features. The Linux kernel development process has shown marked improvement on the security front. It was as good as, or better than, most commercial code when Morton issued his 2007 challenge. As InformationWeek checked into its defect-fixing record, it was surprising how many gains have been made in the last three years.
Linux is better than most commercial code. For example, where one defect per 1,000 lines of code is considered quality, Linux in July 2014 had .55 defects per 1,000 lines. Linux also is better than most other open source projects. That didn't happen overnight, and it didn't happen without changes to the kernel process. What has happened with Linux should serve as a standard by which other projects are measured. As concern grows about the security and maintainability of open source code in the Internet's infrastructure, there may be lessons to learn from Linux's example.
Linux is an extremely large software project. It had 4,100 contributors to its last release, and over half of them were new contributors. It's one thing for a small and practiced software team to ride herd on a tight code base and police each other's bugs. It's another thing entirely to clean up a long-term project with a sprawling and revolving list of contributors. The larger the project, the higher the likely rate of defects. With that in mind, let's look at steps Linux has taken, learn about the people involved in that effort, and explore how Linux stacks up in 2015.
Charles Babcock is an editor-at-large for InformationWeek and author of Management Strategies for the Cloud Revolution, a McGraw-Hill book. He is the former editor-in-chief of Digital News, former software editor of Computerworld and former technology editor of Interactive ... View Full Bio
[Interop ITX 2017] State Of DevOps ReportThe DevOps movement brings application development and infrastructure operations together to increase efficiency and deploy applications more quickly. But embracing DevOps means making significant cultural, organizational, and technological changes. This research report will examine how and why IT organizations are adopting DevOps methodologies, the effects on their staff and processes, and the tools they are utilizing for the best results.
2017 State of IT ReportIn today's technology-driven world, "innovation" has become a basic expectation. IT leaders are tasked with making technical magic, improving customer experience, and boosting the bottom line -- yet often without any increase to the IT budget. How are organizations striking the balance between new initiatives and cost control? Download our report to learn about the biggest challenges and how savvy IT executives are overcoming them.