Why do I keep seeing Heartbleed and Shellshock mentioned in articles specifically about Linux security? Those two vulnerabilities had nothing to do with Linux.<p>Software using OpenSSL or bash on <i>any</i> platform were vulnerable. That includes Macs and Windows.<p>Linux is extremely popular for servers and embedded systems where OpenSSL and bash are common but bringing them up every time "security + Linux" are discussed is a bit like talking about tires that blow out whenever the topic of logistics comes up.
>Most of the security issues we've had in the kernel have been just completely stupid bugs...<p>Wouldn't that be an argument to be more stringent in reviewing and auditing the kernel code? I don't know to which extend they already do audits, but if you find a bug of a certain type, maybe consider combing the tree for other instances of that type of bug. I believe that's the approach OpenBSD has taken.
(by the way the article is dated August 2015)<p>I love the tone here. Not promising the moon.<p>Everybody knows there will be bugs. In general it's just that dance that you have to do around that, that you can't admit it.<p>Same about planning ten years to the future. Maybe you could give scenarios.<p>I guess he's expecting quite a lot from the audience.
Related to the recent interview notes by Brad Spender: <a href="https://grsecurity.net/~spender/interview_notes.txt" rel="nofollow">https://grsecurity.net/~spender/interview_notes.txt</a><p>IMO it's scary to hear Linus say that "security is just stupid bugs" and that he doesn't think about containers much (container/namespace security and functionality is a big and quickly emerging part of the kernel security landscape). Call it a lack of vision or whatever, but I think he should be doing more to architect for security and to recruit, place and reward talented people into security lead positions in the kernel community.