Microsoft recently applied to join a private Linux kernel mailing list that is meant for reporting and discussing security issues privately before they are made public.
Why does Microsoft need to join this particular list, and why does such a list exist in the first place when the kernel community runs its business publicly? Neither of the two is as complicated as it might seem.
First things first, what’s this list all about?
It’s absolutely true the kernel community conducts all of its business in public, with total transparency. Even if there were a possibility of doing things privately, Linus Torvalds wouldn’t do it.
However, there is one exception: security. If a vulnerability is found in an open source project that affects Linux, developers need a safe place to report that vulnerability and discuss it to create patches, test them and push updates. Such a discussion can’t happen in public. Bad actors will start exploiting the vulnerability as soon as it’s posted on the mailing list, compromising billions of users.
A private mailing list allows developers and vendors to report and discuss security-related issues so that they get enough time to work on a fix, test on their machines and push updates to users’ machines. By the time the report becomes public, most systems are already patched. That’s one of the many reasons Linux vendors like Red Hat and SUSE have their patches ready when reports of vulnerabilities like Heartbleed, for example, become public.
Alexander Peslyak, a security specialist and longtime contributor to the Open Source community, created the private list called ‘linux-distros’ for the Linux kernel community to facilitate such reporting and discussion. Since the information shared with the list is extremely sensitive, there is a very stringent vetting process before anyone is subscribed to the list. The members have to follow some of the strictest policies. It’s not a list for lurkers; members are expected to make active contributions.
Why does Microsoft want to get on a private list that’s about Linux security?
If a company is shipping any product or selling any service that uses the Linux kernel, it should be on this list. The company must be aware of all such vulnerabilities so it can keep its Linux-based offerings secure. Microsoft is now one such company.
While Microsoft has been working with the kernel community for quite some time, it wasn’t shipping any product with the Linux kernel in it. Not anymore. Linux is fast becoming the protagonist of Microsoft’s enterprise story.
- The networking switch of Microsoft Azure Cloud is running on a Linux-based operating system.
- Microsoft’s Azure Cloud now has more customers running Linux than Windows.
- Microsoft’s Azure Sphere OS runs on Linux.
- Windows 10 will soon bring the Linux kernel to the mainstream desktop market, becoming the most widely used ‘Linux distro’.
The latter two turn Microsoft from a user into a distributor. Yes, Microsoft is joining the ranks of Red Hat and SUSE to become a Linux distributor. With WSL2, Windows 10 will become a Linux distro like Ubuntu or RHEL. If Microsoft has to keep its Linux offering secure, it must be on this list.
That’s what it’s all about.
In fact, leading kernel developers like Greg Kroah-Hartman have been working with Microsoft for quite some time to bring them onto this list. “I also suggested that Microsoft join linux-distros a year or so ago when it became evident that they were becoming a Linux distro, and it is good to see that they are now doing so,” said Kroah-Hartman.
While being on the list helps Microsoft keep its Linux-based products safe, it also brings Microsoft’s technical prowess to the Linux kernel community.
Will Microsoft be accepted?
When Sasha Levin, a Linux kernel maintainer at Microsoft, applied to join the list, the move was applauded by the community. Kroah-Hartman was among the first developers to vouch for Levin’s proposal.
“To verify this, yes, I can vouch for Sasha. He is a long-time kernel developer and has been helping with the stable kernel releases for a few years now, with full write permissions to the stable kernel trees,” said Kroah-Hartman.
Anthony Liguori from the Amazon EC2 team also praised Microsoft and supported the application, “Microsoft has been very active in working with the broader community on Spectre/Meltdown style mitigations. I think the community would benefit overall from their participation on distros,” he said.
However, it wasn’t all praise. Levin had to show the community that Microsoft qualifies to join the list. After a long and quite intensive discussion, it’s all but certain that Microsoft will be accepted into the mailing list, possibly by the end of this week.
“Per our current policy and precedents, I see no valid reasons not to subscribe Microsoft (or part(s) of it, see below) to linux-distros. So I intend to figure out some detail and proceed with the subscription,” wrote Peslyak.
Once accepted, Microsoft will join companies like Oracle and Amazon who are already on the list.