Worried about the security of Linux and open-source code, Google is sponsoring a pair of full-time developers to work on the kernel’s security. From a report:
The internet giant builds code from its own repositories rather than downloading outside binaries, though given the pace at which code is being added to Linux, this task is non-trivial. Google’s open-source security team lead Dan Lorenc spoke to The Register about its approach, and why it will not use pre-built binaries despite their convenience. But first: the two individuals full-time sponsored by Google are Gustavo Silva, whose work includes eliminating some classes of buffer overflow risks and on kernel self-protection, and Nathan Chancellor, who fixes bugs in the Clang/LLVM compilers and improves compiler warnings. Both are already working at the Linux Foundation, so what is new?
“Gustavo’s been working on the Linux kernel at the Linux Foundation for several years now,” Lorenc tells us. “We’ve actually been sponsoring it within the Foundation for a number of years. The main change is that we’re trying to talk about it more, to encourage other companies to participate. It’s a model that works, we’re trying to expand it, find contributors that want to turn this into a full-time thing, and giving them the funding to do that.” It is in the nature of open source that Google’s funding benefits other Linux users, and it is also in the company’s interests. How important is Linux to Google? “It’s absolutely critical. Google started on Linux. We use it everywhere,” says Lorenc. That being the case, why can Google only manage “Gold” membership of the Linux Foundation ($100,000 per annum), whereas others including Microsoft, Intel, Facebook, and Red Hat are “Platinum”, which contributes $500,000 annually? “I’m not sure about that stuff. There are dozens of sub-foundations which we are also members of,” he adds. Google is ahead of AWS, which is a mere “Silver” member ($20,000 a year).