Most open-source development work, like the name says, is done in the open. The exception is the first stages of security work. Unpatched security holes, however, are discussed and fixed behind closed doors. Now, Microsoft has been admitted to the closed linux-distro list.
Microsoft wanted in because, while Windows sure isn’t Linux, the company is, in fact, a Linux distributor. Sasha Levin, a Microsoft Linux kernel developer, pointed out Microsoft has several distro-like builds — which are not derivative of an existing distribution — that are based on open-source components. These are:
- Azure Sphere: This Linux-based IoT device provides, among various things, security updates to deployed IoT devices. As the project is about to step out of public preview into the GA stage, we expect millions of these devices to be publicly used.
- Windows Subsystem for Linux v2: A Linux based distro that runs as a virtual machine on top of Windows hosts. WSL2 is currently available for public preview and schedule for GA early 2020.
- Products such as Azure HDInsight and the Azure Kubernetes Service provide public access to a Linux based distribution.
In addition, Levin asked in, because:
“Microsoft has decades long history of addressing security issues via [the Microsoft Security Response Center] MSRC. While we are able to quickly (<1-2 hours) create a build to address disclosed security issues, we require extensive testing and validation before we make these builds public. Being members of this mailing list would provide us the additional time we need for extensive testing.”
All of which makes good sense. Besides, Levin revealed in a follow-up note to the discussion:
“The Linux usage on our cloud has surpassed Windows, as a by-product of that MSRC has started receiving security reports of issues with Linux code both from users and vendors. It’s also the case that issues that are common for Windows and Linux (like those speculative hardware bugs).”
As David A Wheeler, an open-source security expert, pointed out, the purpose of the list is to enable “everyone to coordinate so that users get fixes.” That includes Linux users on WIndows and Azure. So, he supported Microsoft being allowed into the private list.
Greg Kroah-Hartman, the Linux stable branch kernel maintainer, supported Levin. “He is a long-time kernel developer and has been helping with the stable kernel releases for a few years now, with full write permissions to the stable kernel trees,” he said.
Indeed, Kroah-Hartman had “suggested that Microsoft join linux-distros a year or so ago — when it became evident that they were becoming a Linux distro.”
Alexander “Solar Designer” Peslyak, security developer and founder of the open-source Openwall security website, announced Microsoft would be subscribed to the list. While some people — almost all outside the list — hated this idea because, in their minds, Microsoft is still The Evil Empire, Peslyak wrote that was “irrelevant per our currently specified membership criteria.”
“Microsoft doesn’t look all that different from many other large corporations, including some which already have their Linux distro teams represented on the list. Microsoft has a lasting stigma from its past actions from long ago. IMO, we shouldn’t let that result in a biased decision against current Microsoft.”
Officially, the Microsoft Linux Systems Group will join the list no later than Aug. 8, 2019.
This list, linux-distros, already included developers from FreeBSD, NetBSD, and most of the major Linux distributors. This includes Canonical, Debian, Red Hat, SUSE, and cloud Linux vendors such as Amazon Web Services (AWS) and Oracle.
This list’s purpose is to “report and discuss security issues that are not yet public (but that are to be made public very soon).” How soon? The list’s maintainers ask that security holes be kept private for no more than 14 days after being revealed to the group. So, for example, Intel’s Intel’s CPU Meltdown and Spectre security bugs would not have been discussed on linux-distros. Security issues that are already in the public’s eye are handled in the OSS-Security mailing list.