by Paul Rubens

Who’s behind Linux now, and should you be afraid?

Apr 14, 20155 mins
DeveloperLinuxOpen Source

Most Linux kernel code isn’t developed by who you might think. Here’s a closer look at why this matters.

the new linux
Credit: Thinkstock

If you think that Linux is still the “rebel code”—the antiestablishment, software-just-wants-to-be-free operating system developed by independent programmers working on their own time — then it’s time to think again.

The Linux kernel is the lowest level of software running on a Linux system, charged with managing the hardware, running user programs, and maintaining security and integrity of the whole set up. What many people don’t realize is that development is now mainly carried out by a small group of paid developers.

[Related: Ultimate guide to Linux desktop environments ]

A large proportion of these developers are working for “the man” — large establishment companies in the software and hardware industries, for names like IBM, Intel, Texas Instruments and Cisco. That’s according to a Linux Foundation report on Linux kernel development published in February. I

Nobody codes for free

In fact, it turns out that more than 80 percent of all Linux kernel development is “demonstrably done by developers who are being paid for their work,” by these big (and sometimes smaller) companies, according to the report.

One organization that isn’t featured in the report’s list of companies paying its staff to develop the Linux kernel is Microsoft, a company whose proprietary software model once made it enemy No. 1 for many in the open source movement, but which now claims to embrace free code.

But one that is featured in the report is Huawei, the Chinese technology company founded by a former Chinese People’s Liberation Army officer. That’s a possible cause for concern: The company denies having links to the Chinese government, but some governments, including those in the U.S., U.K. and Australia, have banned the purchasing of certain Huawei hardware products amid worries that they may contain software back doors that could be used for spying.

[Related: 9 Linux Distros to Watch in 2015 ]

About 1 percent of all the changes to the Linux kernel are currently written by developers paid by Huawei, according to the report.

Keeping open source open

Amanda McPherson, vice president of developer forums at the Linux Foundation, points out that the whole point of open source software is to remain open to review and close scrutiny, in contrast to proprietary software that runs in many hardware products sold by Huawei and other companies.

“No one can submit a patch on their own,” she says. “Security is always a concern, but every patch goes through maintainers, and there is lots of code review. That is a much more secure mechanism than a closed system with no source code availability.”

That may be true, but the severe Heartbleed and Shellshock vulnerabilities recently discovered in the open source Bash and OpenSSL software demonstrate that insecure code can be introduced into open source products—unintentionally or perhaps deliberately —and remain undetected for years.

The fact that the vast majority of Linux kernel developers are paid to do so by their employers is a big change from the Linux that Linus Torvalds, then a student at the University of Helsinki, first announced on comp.os.minix in August 1991. At the time he said, “I’m doing a (free) operating system (just a hobby, won’t be big and professional like gnu) for 386(486) AT clones.”

In fact, the volume of contributions from students and other volunteers to the Linux kernel has been in steady decline for some time, according to the report: from 14.6 percent of contributions in 2012 to just 11.8 percent now.

“I think that when we started collecting these figures, it was a surprise that so many contributors are paid, and in fact it still is a surprise to the general public. But Linux is a highly commercial enterprise,” McPherson says. “Many people thought it was volunteers working in their basements. I think it is good that companies are contributing, even though they are contributing for selfish reasons. They are supporting Linux, but they can’t own it or dictate how it is developed.”

She points out that if Linux were an application, then paid-for developers would be adding features that met the needs of the corporations that paid them. But the kernel is much more low-level code, and the sorts of contributions that paid developers make often involve enabling hardware connections by providing kernel drivers.

Losing its amateur status

An interesting question, then, is why Linux kernel development has changed so much from the “just a hobby” approach originally envisioned by Torvalds back in 1991, to professional developers working on company time.

One obvious possible answer is that large enterprises, especially hardware manufacturers like Intel or Texas Instruments, have an interest in ensuring that there are Linux drivers for their hardware, and that the kernel can otherwise support their products. Over time, as Linux has become increasingly popular, this type of support has become increasingly important.

But McPherson believes a simpler reason is more plausible. “Kernel developers are in short supply, so anybody who demonstrates an ability to get code into the mainline tends not to have trouble finding job offers. Indeed, the bigger problem can be fending those offers off,” the report says.

On a more positive note, the report does highlight some of the achievements of what McPherson describes as “the most collaborative software project in history.”

Thanks to contributions from 11,695 developers working for over 1,200 companies, the kernel has been updated with major releases every 8 to 12 weeks. Each release includes more than 10,000 changes, which means that changes are accepted into the kernel at the staggering rate of more than seven every hour.