Big tech won't chip in is my bet. My company maintains its own version of Linux that has some specific certifications. Updating that box requires an act of god. My bet is that the companies that can afford to will create their own "LTS" versions that just get older and older, and more broken and exploited as time goes on…
My bet is that the companies that can afford to will create their own “LTS” versions that just get older and older, and more broken and exploited as time goes on
They will trade in the Confidentiality and Integrity for just Availability.
When something like a hack finally drops the availability they will be forced to act.
They will never do a pentest tho.
Same story all over from government, small companies, all the way up to medical in big corporate hospitals and systems that could cause harm to human life.
Security is at most a checkbox somewhere that just gets checked regardless of the true state of the system. If it still works don't fix it.
Big tech won't suffer. They will just fork and maintain (and probably enshittify) their own kernel.
Small and mid tech will suffer, however. The article just mentions Android as the prime example for embedded systems and forgets to mention that 80-90% of industrial embedded systems run on Linux (at least of the bigger ones that require an actual OS).
Those will either be driven to Microsoft's shitty half-done, hardly documented embedded OS versions or some company rises as the white knight offering and maintaining LTS Linux kernels. Both scenarios will increase cost of course that will eventually come out of us consumers' pockets. The former, worse scenario will make industrial applications even less secure on top.
Pretty sure all big tech companies already have engineers on payroll for this specific reason. Intel, Microsoft, Google, Amazon have SWEs working on the kernel, networking, even DEs for their own needs and integrations.
Does big tech run 6 yo kernels? This seems like a corporation problem not wanting to spend the money properly maintaining their systems. If big tech isn’t dogfooding a 6yo kernel, it doesn’t make sense to do it.
Yes, according to the article, while this doesn’t affect the PC/server as much because the distributions take care of security for the most part, where this will have problems is the phone/IoT space (which is why Linux initially started maintaining 6 yo kernels, to cater to that market).
It's not like most phones are getting updates past two years at this point anyway, and while it would be nice if we could actually get software updates and keep our devices longer, I have my doubts that is ever going to happen on Android. I have more faith that someday I'll get my dream RISC-V powered phone with several Linux distros to choose between or even dual boot.
IoT devices are a slightly different story, but I'm skeptical that Linux offering 6 year kernels has made a meaningful difference in those devices actually getting updates.
The article points out that the kernel version used in a phone is basically frozen when development of the device starts. They're suggesting that at 2 years of support, the kernel will be EOL about when the phone is released.
That is the real problem, why is it frozen so early? Why not keep it up to date for more of the development lifecycle rather than shipping a 2 year old kernel. It is not like you have to worry about OTA updates if you have not shipped it yet,
Drivers from 3rd party. Didn't work on phone development, but was part of a company that developed setup boxes.
We will get a kernel from broadcom with all the necessary drivers that was tested for that configuration. Updating was very hard without support and might cost a lot.
Big tech chipping in is how we get Amazon spyware/Microsoft apps built into OS. I agree with respectable salary for developers. I think if Linux org ran the same campaign as Wikipedia it would gather a lot more donations. The whole world runs on some form of the Linux kernel.
While I agree, Linus isn't getting younger and as we are seeing, long time lead maintainers are starting to step down. It would be a shame if Linux kernel and subsequently it's OS's, turns into what happened to Android. We see it happening time and time again (e.g. Reddit, Twitter), when there is the possibility for more revenue, these companies will kill anything that was developed 'for the people '
Good. Either big tech chip in and start helping maintain the LTS kernels or pay a respectable salary to those who maintain it.
Big tech won't chip in is my bet. My company maintains its own version of Linux that has some specific certifications. Updating that box requires an act of god. My bet is that the companies that can afford to will create their own "LTS" versions that just get older and older, and more broken and exploited as time goes on…
Sorry, long night at work =/
So more like a "Long Term Unsupported" LTU?
I vote for “Long-Term Supported But We Cut The Staff Down To The IT Intern”, or LTSBWCTSDTTITI for short.
They will trade in the Confidentiality and Integrity for just Availability.
When something like a hack finally drops the availability they will be forced to act.
They will never do a pentest tho.
Same story all over from government, small companies, all the way up to medical in big corporate hospitals and systems that could cause harm to human life.
Security is at most a checkbox somewhere that just gets checked regardless of the true state of the system. If it still works don't fix it.
deleted by creator
Big tech won't suffer. They will just fork and maintain (and probably enshittify) their own kernel.
Small and mid tech will suffer, however. The article just mentions Android as the prime example for embedded systems and forgets to mention that 80-90% of industrial embedded systems run on Linux (at least of the bigger ones that require an actual OS).
Those will either be driven to Microsoft's shitty half-done, hardly documented embedded OS versions or some company rises as the white knight offering and maintaining LTS Linux kernels. Both scenarios will increase cost of course that will eventually come out of us consumers' pockets. The former, worse scenario will make industrial applications even less secure on top.
Do Redhat and SUSE not maintain their own LTS kernels for their enterprise distributions?
Pretty sure all big tech companies already have engineers on payroll for this specific reason. Intel, Microsoft, Google, Amazon have SWEs working on the kernel, networking, even DEs for their own needs and integrations.
And yet still the maintainers don’t want to maintain 6 yo kernels because it’s cumbersome and an unpaid position.
Unpaid? A lot of kernel devs do get paid, especially the core ones that would be looking after this stuff.
https://www.pingdom.com/blog/linux-kernel-development-numbers/
Does big tech run 6 yo kernels? This seems like a corporation problem not wanting to spend the money properly maintaining their systems. If big tech isn’t dogfooding a 6yo kernel, it doesn’t make sense to do it.
Yes, according to the article, while this doesn’t affect the PC/server as much because the distributions take care of security for the most part, where this will have problems is the phone/IoT space (which is why Linux initially started maintaining 6 yo kernels, to cater to that market).
It's not like most phones are getting updates past two years at this point anyway, and while it would be nice if we could actually get software updates and keep our devices longer, I have my doubts that is ever going to happen on Android. I have more faith that someday I'll get my dream RISC-V powered phone with several Linux distros to choose between or even dual boot.
IoT devices are a slightly different story, but I'm skeptical that Linux offering 6 year kernels has made a meaningful difference in those devices actually getting updates.
The article points out that the kernel version used in a phone is basically frozen when development of the device starts. They're suggesting that at 2 years of support, the kernel will be EOL about when the phone is released.
That is the real problem, why is it frozen so early? Why not keep it up to date for more of the development lifecycle rather than shipping a 2 year old kernel. It is not like you have to worry about OTA updates if you have not shipped it yet,
Drivers from 3rd party. Didn't work on phone development, but was part of a company that developed setup boxes.
We will get a kernel from broadcom with all the necessary drivers that was tested for that configuration. Updating was very hard without support and might cost a lot.
See the Fairphone, you might be surprised
Or Samsung phones, they have 4 or 5 years of updates.
Fairphone is targeting 8-10 years with the new model
Think printers, factory machines and so on. If they run Linux and not Windows CE, it’s always an ancient kernel.
Big tech chipping in is how we get Amazon spyware/Microsoft apps built into OS. I agree with respectable salary for developers. I think if Linux org ran the same campaign as Wikipedia it would gather a lot more donations. The whole world runs on some form of the Linux kernel.
That’s not how the Linux kernel works…
The final decision on what is merged into the kernel is Linus’ decision and that’s how it’s been the last 30 years.
Microsoft bakes spyware into the operating system because they own the NT kernel and the Windows OS.
Amazon clones the Linux kernel, modifies it and adds it’s own garbage software, then builds it.
The main Linux kernel is free of any spy shit and that’s how it’s likely going to remain.
While I agree, Linus isn't getting younger and as we are seeing, long time lead maintainers are starting to step down. It would be a shame if Linux kernel and subsequently it's OS's, turns into what happened to Android. We see it happening time and time again (e.g. Reddit, Twitter), when there is the possibility for more revenue, these companies will kill anything that was developed 'for the people '
At least any spy shit that we know of. Just look at the obfuscated C contest what’s possible in that abomination of a language.
Any code that is anywhere near that unreadable let alone purposefully obfuscated is not making it past the review process
Sorry, I meant the Underhanded C contest. This is a contest for code that looks benign, but does something completely different.
http://www.underhanded-c.org/