Stemming from a security researcher and his team proposing a new Linux Security Module (LSM) three years ago and it not being accepted to the mainline kernel, he raised issue over the lack of review/action to Linus Torvalds and the mailing lists. In particular, seeking more guidance for how new LSMs should be introduced and raised the possibility of taking the issue to the Linux Foundation Technical Advisory Board (TAB).
This mailing list post today laid out that a proposed TSEM LSM for a framework for generic security modeling was proposed but saw little review activity in the past three years or specific guidance on getting that LSM accepted to the Linux kernel. Thus seeking documented guidance on new Linux Security Module submissions for how they should be optimally introduced otherwise the developers are “prepared to pursue this through the [Technical Advisory Board] if necessary.”
How do you even get to a consensus model to tease these things out; when your answer is a refusal to engage with “pointless” things?
It just seems contentious to me, that anyone when considering this kind of rhetoric, would make claims in regards to the level of security that Linux (may) provide. It just feels something akin to playing in the realm of security theater.
Man, some people just love wasting others’ time and then getting mad when they say no more.
Linus’ apathy may keep ten different competing security ideas from each being mainlined, but it’s not impossible for them to continue and prove their worth out of tree until some sort of coherent best practices are established.
Meanwhile, actual security issues will continue to be patched as needed and Linux remains the most analyzed and targeted kernel in the world.
I feel like this is what the Technical Advisory Board should be replying with.