While Kees Cook's message is abolutely correct (that's why the Kernel Self-Protection project was founded which already yielded various security improvements in the latest kernel versions), the heading of this Ars article is rather sensationalistic and gives the impression that the Linux kernel is unsafe per se.
What I dont understand: in this entire article, not one mention was made of grsecurity. Grsecurity has exactly the goal of "squashing entire classes of bugs," and does so. Its not perfect for sure, but it should at least be a point of discussion right?
Yes, it should, particularly since many/most security improvements implemented/planned by the KSPP are motivated by Grsecurity techniques. However, I think that Grsecurity itself is not the universal solution because of too many incompatibilities.
Many believe in the lie that "Linux is the holy grail of security - by deafult". Try mentioning anything else and you'll crush their distorted beliefs and get agressive.
Nice piece on LWN.net on the KSPP followed by a brutal back and forth between LWN staff, LWN commentators, Spender and PAXTeam. Most of the specifics is over my head frankly but it's an interesting read regardless. Surprised that there was no mention of the new Loadpin LSM in the story itself. https://lwn.net/Articles/698827/#Comments
Spender sucks when it comes to politics. He alienates others by being an ******* and it doesnt help his cause. Unfortunately, there is bad blood between him and kernel development, and it goes way back. I get it though. Grsecurity/pax is fantastic and hes tired of playing games. I tend to agree that changes while positive are far from comprehensive. Its sort of like Microsoft introducing a new security feature in Windows- you have to laugh because, you know, its Windows- that little feature plugs 1 of the myriad of ways Windows can be pwned, and thats basically how Spender feels about security features being added by this new security kick.
