Linus Torvalds: Perfect Security in Linux is Impossible

Does Linus Torvalds fail to take security in the Linux kernel seriously, and is the world doomed because of it? That’s what the Washington Post suggests in a recent article about security in the open source OS.

The Post sums up Torvalds’s take on security as follows: “Security of any system can never be perfect. So it always must be weighed against other priorities — such as speed, flexibility and ease of use — in a series of inherently nuanced trade-offs.”

The Post also describes Torvalds as “the man who holds the future of the Internet in his hands.”

Taken together, the two points suggest that Torvalds is not serious enough about security in Linux, and that his lackadaisical approach endangers everyone who uses the Internet.

Both claims are problematic. First, it’s a pretty big — if flattering — stretch to say that Torvalds holds the Internet in his hands. The Linux kernel is an important part of the Internet because it powers many servers and networking devices, but there is much, much more to the Internet than Linux. The developers of the Apache HTTP server, PHP or MySQL, among other software platforms that play central roles in the Internet, are just as significant as the man behind the Linux kernel.

More important, there is arguably much to be said for Torvalds’s attitude toward security. Torvalds recognizes and is willing to admit that a completely secure system can simply never exist, since it’s impossible to be certain that no security vulnerability exists in any layer of a software stack.

That makes his message different, and less comforting, than that of developers who promise to deliver hacker-proof platforms. But those are false promises. It’s much healthier to admit that limitations exist than to cling to a fantasy where there are never security vulnerabilities.

Of course, if CTOs of major companies frankly admitted to the public that their software systems almost definitely have security flaws, and always will, their businesses would suffer. Torvalds can get away with more candor when it comes to Linux security. He doesn’t have a job to keep or a company’s image to promote.

All the same, it’s disappointing to see a platform like the Post — which has many non-technical readers who may think making software secure is just a matter of investing enough money in security — defame the Linux kernel for security issues.

After all, Linux has powered millions of servers for more than two decades without being the source of security breaches that have resulted in the theft of millions of people’s personal information. Increasingly few developers of other platforms can say the same in an era of recurring disclosures about massive security breaches of the software systems at businesses and government agencies.