There’s nothing like a rant to get the conversational ball rolling here in the Linux blogosphere, and if it can be a rant from Linus Torvalds himself, well, it doesn’t get much better than that.
That, in fact, is just what last week afforded in the form of a Google+ post from the father of Linux on the topic of openSUSE security.
“I don’t think I can talk about ‘security’ people without cursing, so you might want to avert your eyes now,” Torvalds began.
‘Please Just Kill Yourself Now’
“I gave OpenSUSE a try, because it worked so well at install-time on the Macbook Air, but I have to say, I’ve had enough,” he continued. “There is no way in hell I can honestly suggest that to anybody else any more.”
The reason? None other than the distro’s “moronic and wrong” security policy of requiring the root password for basic tasks such as changing the time zone, adding a new wireless network or — in Torvalds’ daughter’s case — connecting with the school printer.
Torvalds’ conclusion: “If you have anything to do with security in a distro, and think that my kids (replace ‘my kids’ with ‘sales people on the road’ if you think your main customers are businesses) need to have the root password to access some wireless network, or to be able to print out a paper, or to change the date-and-time settings, please just kill yourself now. The world will be a better place.”
‘Not Much Better Than Windows XP’
Harsh words? You bet. An instant hot topic in the blogosphere? Without a doubt.
Nearly 2,300 shares and 500 comments later on Google+ alone — not to mention another 300 or so comments over on Slashdot — there’s no end in sight to the debate.
Nestled on her favorite barstool down at the blogosphere’s Punchy Penguin Saloon, Linux Girl got an earful.
‘I’d Go Further’
“Linus is exactly right,” opined consultant and Slashdot blogger Gerhard Mack, for example. “Requiring root access for basic day-to-day needs makes it not much better than Windows XP.”
Similarly, “I agree 100 percent with Linus’s criticisms, but like many of the commenters, I’d go further,” offered Barbara Hudson, a blogger on Slashdot who goes by “Tom” on the site.
“I think that it would be a good idea for the developers (including Linus) to take a look at all the other criticisms that have been expressed in those threads and ask themselves if it’s time to rethink a few things that might have ‘seemed like a good idea at the time’ but are now just making for an overly complicated system with a built-in tendency toward brittleness,” Hudson suggested.
‘There’s Another OS for That’
“Nobody likes the idea of having to practically beat their operating system into submission, or of having to change distros every few years because something that used to work doesn’t any more, but this is the reality with Linux,” Hudson asserted.
“One good idea layered over another good idea added to another good idea sometimes ends up with really bad results,” she explained. “We don’t all want to be ‘protected from ourselves’ by more and more features that assume the user is a dummy. There’s another OS for that.”
So, while “everyone can be a dummy on occasion, if you act patronizing toward your users rather than listening to them and empowering them, don’t be surprised when they move their patronage elsewhere,” Hudson concluded. “It’s happening with openSUSE, it’s happening with Ubuntu, and no doubt other distros are also guilty.”
Indeed, after years of using openSUSE, “I’ve switched to Fedora,” she added.
‘The Future Is Consumers’
Slashdot blogger hairyfeet took a similar view.
“Ultimately the control should be with the LOCAL user,” hairyfeet told Linux Girl. “If the user DECIDES to go in and change that, they should be able to, but NEVER should locking out the local user be default.
“This just shows what OpenSUSE and the rest truly are, as there is only ONE place where even the local user is typically locked out … servers,” he added. “So why should anyone who is NOT a server administrator actually care about your product? Why should any of us want to mess with it?”
The future, however, “is NOT servers,” hairyfeet opined. “The future IS CONSUMERS. This is why Apple is now the largest company on the planet, it’s why MSFT is betting so much on Win 8. The writing is on the wall, guys — if you don’t want Linux to be as much of a niche product as the Raspberry Pi, you better see the way the world is changing and change with it.”
‘You Should Know Your Root Password’
Similarly, “I am not a systems administrator, and I have never used SUSE Linux,” began Roberto Lim, a lawyer and blogger on Mobile Raptor. “Novell has targeted this at the enterprise and not consumers, so it did not seem like the right distro to me.
“Root passwords and different levels of root access are really more relevant in a corporate set-up,” Lim added, but “if you are going to use Linux in your own PC, you should know your root password.”
Chris Travers, a Slashdot blogger who works on the LedgerSMB project, could see both sides of the issue.
‘You Could Cause a Lot of Mischief’
“On one hand Linux is very often used on servers, and things like printers are centrally managed on these servers,” Travers told Linux Girl. “I think you could cause a lot of mischief if you could add new printers to, or reconfigure existing printers on, a print server, and so requiring this for many things makes a great deal of sense on servers.”
On desktops however, “a lot of this gets in the way,” he pointed out. “If you have a distribution which may be run in both environments, this creates a bit of a problem, but the point is that the Linux distros I have worked with do not have the tools in place to make these problems manageable.”
Ideally, “I think you’d need to have group access to the functionality and then allow setting of the individual users as to whether they belong in that group or not,” he suggested.
‘We Need Security’
“I think Linus forgets that GNU/Linux distros run clients and servers and are multi-user/multi-tasking,” offered blogger Robert Pogson.
“We are not alone on our PCs thanks to malware,” Pogson explained. “We need security. Changing the system timezone/time/network access can mess things up — think intrusion detection and drive-by remote code execution.”
Of course, “that is probably overkill on a child’s notebook at school,” he acknowledged. “I can set up a PC in Debian GNU/Linux so that ordinary users can tweak things, using group permission, intelligent apps that can recalculate the time or whatever.
“If that cannot be done on SUSE, Linus is right,” Pogson said. “If he was just impatient and did not configure the system the way he wanted, Linus is wrong.”
Either way, “Linus is now 40+ years old,” Pogson concluded. “He should soon mellow a bit. I know I did around that age — my wife made sure of it…”