Linus Torvalds discusses Linux development, security and AI at KubeCon

At the KubeCon + CloudNativeCon + Open Source Summit in Hong Kong last week, Linus Torvalds, the creator of the Linux kernel, provided a rare glimpse into the inner workings of the open source software community.

In a conversation with Dirk Hohndel, head of Verizon’s open source programme office, Torvalds addressed the ongoing challenges of operating system development, noting that even after three decades, fundamental issues in Linux, like memory management, persist.

“It’s interesting that we’re still discussing core issues that I would have thought were solved ages ago,” he said, “but new behaviour patterns end up meaning that we still need to tweak these core things.”

The early years of kernel development were also chaotic, with many people and organisations involved, leading Torvalds to enforce strict rules in release management about a decade ago.

“If your code is not ready by the time the merge window opens, I will not take it, because I don’t want the kind of pain that we had 20-plus years ago,” he said.

Today, one of the hallmarks of the Linux kernel’s development process is its structured and reliable release schedule of around nine weeks. This has contributed to the project’s success and provided a model for other open source projects to follow.

With about 60 common vulnerabilities and exposures (CVEs) issued by the Linux security team per week, Torvalds also emphasised the importance of addressing vulnerabilities quickly and criticised the IT industry’s tendency to impose long embargoes on security bugs.

“People have these 90-day delays before anything gets done, and sometimes the 90-day embargoes end up being more like 400-day embargoes,” he said. “It’s very demoralising for developers when they sometimes have a known bug that they need to sit on because they have agreed with some external party that they won’t talk about it.”

In response, Torvalds has resisted lengthy embargoes, with the kernel security team limiting them to one week “because the usual IT security policies just end up hurting development for a lot of people”.

It’s very demoralising for developers when they sometimes have a known bug that they need to sit on because they have agreed with some external party that they won’t talk about it

Hardware-related security bugs pose a particular challenge, with suppliers having enormously long embargoes.

“It’s much less stressful now than it was a couple of years ago when we had multiple hardware bugs that everybody in the core kernel community knew about but couldn’t do anything about because we were not allowed to even mention what was going on,” he said.

Torvalds also touched on the slow adoption of the Rust programming language in the Linux kernel, attributing this to resistance from long-time kernel developers who are deeply familiar with the C programming language, as well as the instability of Rust’s infrastructure.

“It was only in the last release that we finally got to a point where the Rust compiler that we can use for the kernel is the standard upstream Rust compiler, and we don’t need to have extra version checks and things like that. I’m hoping we’re over some of the initial problems, but it has taken us two years and we’re not there yet,” Torvalds said.

Discussing the potential of artificial intelligence (AI) in kernel development, Torvalds said while AI can generate code in languages like JavaScript, it hasn’t yet proven useful in identifying patterns in source code.

“I’m much more interested in finding bugs proactively, doing code reviews, and helping maintainers and developers write better code. I think we will get there but we’re not quite there yet,” he said.

On supporting cloud and AI workloads, Torvalds emphasised his role as a kernel specialist.

“When the AI people came in, it was wonderful because somebody in Nvidia got much more involved on the kernel side, and Nvidia went from being on my list of companies who are not good, to my list of companies who are doing really good work.

“But that doesn’t mean that I personally end up being interested in the AI side. I’d be interested in what we need to do to support the AI side, and there was a lot of memory management stuff, in particular, that ended up being done for AI models that want to use accelerators in the user space and so on.

“I still see myself as a core kernel person and I think it’s a good thing that people specialise,” Torvalds said, adding that his response to questions about Linux use in the cloud is: “I know Linux; I don’t know cloud.”