2016 was unequivocally Linux’s best year yet. It’s on more devices than ever before and more secure than ever before. Were there embarrassing moments along the way? Yes. I kept reasonably close to the news and watched a few of these evolve and get patched as quickly as they were found.
I’d also like to predict that 2017 will end up being Linux’s best year yet. And I’ll even go one year further than other folks making predictions and say that 2018 will top them all.
For those of you who are glass-half-empty folks, let’s talk about a couple of the flaws found in 2016. LUKS looked pretty bad and Dirty Cow caused a few headaches, but the latter had a patch available within hours. And because it’s worth being redundant, let’s remember there was a patch within hours. While some would argue that the potential attack window for Dirty Cow was nine years, the published attack window was only a matter of hours. If you want to be a glass-half-empty type of person, go ahead and set your clock for nine years. I still think that it was Linux’s best year ever and next year will be even better.
Why can I say this? Because Linux is honest. Honesty doesn’t mean perfection. It means openness. Linux’s faults are out there and ready for the world to see. Sometimes they’re caught early and sometimes they’re caught later.
2016 did burst the bubble on the narrative that in the land of a thousand eyeballs all bugs are shallow. It sounds nice, and I’m sure some projects run that way, but that’s not the way things are done anymore. I hope in 2017 we can make a better argument for open source security, and we can do it by talking about our talent management.
Outside of the honesty in the open source ecosystem, open source talent management is our second greatest asset, and every project lead knows how to leverage it. Jim Collins’ book Good to Great highlights business practices that, if followed, drastically improve a company’s performance in the long term. One of its core principles is hiring the right talent, even if you have to wait for that talent to emerge. Linux’s talent management is unsurpassed because the power of that talent is published.
Want to know how good someone is? Read their code. Want to know how passionate they are? Read their posts. Bryan Lunduke has a full-time job for being loud and passionate and remarkably entertaining while he flirts with a bit of rudeness. I know two project leads who recruit hires specifically from their volunteer pools. I’ve heard of Red Hat and others doing the same. From what I can see, the researchers finding the bugs in the code aren’t locked behind ivory towers of corporate influence; they’re emancipated. They get hired to work on what they love and what they’re good at. They find the flaws and responsibly disclose what they’ve found. Because of their paycheck, they have the ability to research the technology that often doesn’t get looked at.