"Your machine is insecure unless you're running my kernel," says Greg Kroah-Hartman.

At CoreOS Fest in Berlin, Greg Kroah-Hartman, Linux kernel developer and maintainer of the stable branch, talked about an inconvenient truth about Linux and security: vendors are notoriously bad at shipping patches. For the last 15 years the kernel community has followed a rule of fixing things as soon as possible. The Linux community fixes the bugs and pushes the fixes out so that vendors can pass them on to their users. But there is a problem.

Kroah-Hartman said, “… nobody takes [the patches]. Someone fixed a bug in the TTY layer about three years ago. It looked like a normal bug. We fixed it, pushed it in the new releases and got it out there. Three years later, someone realized there’s a security bug. You could go to a local root user and away you could go. Turns out Red Hat and SUSE had to go back and fix all of their old stuff. We have a very bad history of keeping bugs alive for a long time. Somebody did a check of it; most known bugs live for 5 years in systems. These are things that people know and know how to exploit. They’re not closed. That’s a problem in our infrastructure.”

Android is another example cited by Kroah-Hartman. Android phones are based on the 3.10 long-term kernel, and a fix for a bug that allows you to get root on Android phones has been in the 3.10 stable kernel tree for about 6-8 months now. But Google has not updated the kernel yet, which leaves these devices vulnerable to root access. “You can base your kernel and base your product on a long term kernel, but if you don’t take advantage of it, it means nothing,” said Kroah-Hartman.

The matter of security is becoming more serious as Linux becomes more widely used. Kroah-Hartman stressed that updates have to go out soon and quickly.
“I’m averaging 10 fixes per day of things that may or may not be a security bug, because I don’t have time to test to see if all of them are or not; but other people do,” he said. He took it one step further, saying that “…your machine is insecure unless you’re running my kernel, or based on my kernel, or based on another one. If you’re not taking these fixes, then it is insecure.”

Kroah-Hartman has a very clear message for any company or community building products around Linux: “You have to be able to update your machine. You have to be able to provide a system where your machines are updated and you constantly take advantage of it.”