Google is announcing today in cooperation with The Linux Foundation that they are providing funding for two full-time developers to focus solely on security issues.

Longtime Linux developers Gustavo Silva and Nathan Chancellor are the two that will now be focusing full-time on dealing with Linux security issues.

Today, Google and the Linux Foundation announced they are prioritizing funds to underwrite two full-time maintainers for Linux kernel security development, Gustavo Silva and Nathan Chancellor.

Silva and Chancellor’s exclusive focus is to maintain and improve kernel security and associated initiatives in order to ensure the world’s most pervasive open source software project is sustainable for decades to come.

In a nod to the growing importance of open source software, Google today announced that it will underwrite the salaries for two developers who will focus on Linux’s fundamental security.

The gesture may seem limited, but Google believes targeting the Linux kernel will have a broader impact on Linux’s underlying security. The company hopes other corporations will be inspired to do the same in an attempt to clear a lengthy backlog of items researchers already know need to be addressed.

The Linux kernel is the basic interface that sits between computer hardware and the software running on it. It has become the cornerstone of a large portion of the open source systems that have been deployed around the world.

Google and the Linux Foundation are prioritizing funds to underwrite two full-time maintainers for Linux kernel security development.

Gustavo Silva and Nathan Chancellor will focus on maintaining and improving kernel security and associated initiatives in order to ensure the world's most pervasive open source software project is sustainable for decades to come.

A recently published open source contributor survey from the Open Source Security Foundation (OpenSSF) and the Laboratory for Innovation Science at Harvard (LISH) has identified a need for additional work on security in open source software. While there are thousands involved in developing the Linux kernel this contribution from Google to underwrite two full-time Linux security maintainers signals the importance of security in the sustainability of open source software.

"At Google, security is always top of mind and we understand the critical role it plays to the sustainability of open source software," said Dan Lorenc, Staff Software Engineer, Google. "We're honored to support the efforts of both Gustavo Silva and Nathan Chancellor as they work to enhance the security of the Linux kernel."

Chancellor's work will be focused on triaging and fixing all bugs found with Clang/LLVM compilers while working on establishing continuous integration systems to support this work ongoing. Once those aims are well-established, he plans to begin adding features and polish to the kernel using these compiler technologies. Chancellor has been working on the Linux kernel for four and a half years. Two years ago, Chancellor started contributing to mainline Linux under the ClangBuiltLinux project, which is a collaborative effort to get the Linux kernel building with Clang and LLVM compiler tools.

The effort support Google’s strategy “to help support the critical open source projects that we’re relying on,” Google software engineer Dan Lorenc told SC Media.

“We do this in a bunch of ways, but the one that we like most is to work with existing maintainers and existing communities rather than coming in from the outside.”

Google will fund Gustavo Silva, who already works in a similar role eliminating buffer overflows and bolstering new security tools; and Nathan Chancellor, a new hire, who will focus on the Clang/LLVM compiler.

Using the Clang compiler for Linux is an accepted secondary option to build the operating system. But, said Lorenc, Clang is not particularly well maintained by full-time staff. Chancellor had been an active contributor to the project, but only in his free time.

To further bolster the security credentials of the Linux kernel, Google and the Linux Foundation have decided to fund two kernel developers to work exclusively on security-related developments.

The kernel developers, Gustavo Silva and Nathan Chancellor, are long-time kernel developers and have now been tasked to maintain and improve kernel security along with any associated initiatives.

“At Google, security is always top of mind and we understand the critical role it plays to the sustainability of open source software,” said Dan Lorenc, Staff Software Engineer, Google. “We’re honored to support the efforts of both Gustavo Silva and Nathan Chancellor as they work to enhance the security of the Linux kernel.”

Google and the Linux Foundation announced plans to provide funds to two Linux kernel security developers, one of whom is Nathan Chancellor, a well-known kernel developer on our forums. The two developers will focus their time on improving kernel security and associated initiatives.

The news comes on the heels of the Linux Foundation’s Open Source Security Foundation (OpenSSF) and the Laboratory for Innovation Science at Harvard (LISH) recently publishing an open-source contributor survey report that identified a need for additional work on security in open-source software. In a press release, the Linux Foundation said Google’s contribution to underwriting two full-time security maintainers signals how important it is to maintain the integrity of open-source software.

Together with the Linux Foundation, Google announced today that they would fund two Linux kernel developers' efforts as full-time maintainers exclusively focused on improving Linux security.

"While there are thousands of Linux kernel developers, all of whom take security into consideration as the due course of their work, this contribution from Google to underwrite two full-time Linux security maintainers signals the importance of security in the ongoing sustainability of open-source software," the Linux Foundation said in a statement released today.

Google and the Linux Foundation have announced plans to maintain and improve Linux’s long-term security. As part of the plan, the organizations will prioritize funds to underwrite long-time Linux kernel maintainers Gustavo Silva and Nathan Chancellor as full-time developers focused on Linux kernel security development.

This decision follows a survey by the Linux Foundation’s Open Source Security Foundation (OpenSSF) and the Laboratory for Innovation Science at Harvard (LISH), which found a need for additional security work on the Linux operating system.

Worried about the security of Linux and open-source code, Google is sponsoring a pair of full-time developers to work on the kernel's security.

The internet giant builds code from its own repositories rather than downloading outside binaries, though given the pace at which code is being added to Linux, this task is non-trivial. Google's open-source security team lead Dan Lorenc spoke to The Register about its approach, and why it will not use pre-built binaries despite their convenience.

But first: the two individuals full-time sponsored by Google are Gustavo Silva, whose work includes eliminating some classes of buffer overflow risks and on kernel self-protection, and Nathan Chancellor, who fixes bugs in the Clang/LLVM compilers and improves compiler warnings.

Both are already working at the Linux Foundation, so what is new? "Gustavo's been working on the Linux kernel at the Linux Foundation for several years now," Lorenc tells us. "We've actually been sponsoring it within the Foundation for a number of years. The main change is that we're trying to talk about it more, to encourage other companies to participate. It's a model that works, we're trying to expand it, find contributors that want to turn this into a full-time thing, and giving them the funding to do that."

Worried about the security of Linux and open-source code, Google is sponsoring a pair of full-time developers to work on the kernel's security

Linux is pretty secure right? Well, like everything else, there are and have been problems. Google is aware of this and they use Linux for a lot and now they're providing funding to help boost Linux security.

Announced by the Linux Foundation funding has been provided to prioritize two full-time maintainers, Gustavo Silva and Nathan Chancellor, who will focus solely on Linux Kernel security development to ensure "the world's most pervasive open source software project is sustainable for decades to come".

Silva will focus on "eliminating several classes of buffer overflows" as well as fixing bugs and developing defense mechanisms for the Linux kernel, The Linux Foundation said. Meanwhile, Chancellor's work will focus on triaging and fixing all bugs found with Clang/LLVM compilers.

"I hope that more and more people will start to use the LLVM compiler infrastructure project and contribute fixes to it and the kernel – it will go a long way towards improving Linux security for everyone," said Chancellor.

The move comes roughly six months after the formation of the Open Source Security Foundation (OpenSSF), a collective of big tech industry players working to improve the security of open-source software as it becomes pervasive in big industry applications, including data centers and critical infrastructure.

Linux Foundation will use the developers to work exclusively on security developments

Back in December we reported on Google's involvement in a new project from the Open Source Security Foundation to measure the criticality of open source projects as the first step on an undertaking to ensure that projects that are heavily relied on get the resources they need, see Taking Open Source Criticality Seriously. This funding, which is also motivated by findings from the 2020 FOSS Contributor Survey which identified a need for additional work on security in open source software, aims to ensure the long-term sustainability of Linux which is acknowledged as the world's most pervasive open source software as well as being among the top five in terms of its criticality score.

The Linux Foundation’s Open Source Security Foundation (OpenSSF) and the Laboratory for Innovation Science at Harvard (LISH) recently published an open source contributor survey report that identified a need for additional work on security in open source software, which includes the massively pervasive Linux operating system.

Linux is fueled by more than 20,000 contributors and as of August 2020, one million commits. While there are thousands of Linux kernel developers, all of whom take security into consideration as the due course of their work, this contribution from Google to underwrite two full-time Linux security maintainers signals the importance of security in the ongoing sustainability of open source software.

We’re back after a skipped Security News in Review last week. In this week’s edition of our roundup of the biggest cybersecurity news stories, we have reporting on ransomware attacks shutting down Underwriters Laboratories and a payment processor widely used by state and municipal governments, as well as a report on Google partnering with the Linux Foundation to hire two people whose sole job will be to improve the security of the Linux kernel.

Read on for the latest Security News in Review, and let us know if we missed anything.

Google and the Linux Foundation announced this week they will underwrite two full-time maintainers for Linux kernel security development.

Gustavo Silva is currently working full time on eliminating several classes of buffer overflows by transforming all instances of zero-length and one-element arrays into flexible-array members, which is the preferred and least error-prone mechanism to declare such variable-length types. He is also actively focusing on fixing bugs before they hit the mainline, while also proactively developing defense mechanisms that cut off whole classes of vulnerabilities. Silva sent his first kernel patch in 2010 and is an active member of the Kernel Self Protection Project (KSPP).

Nathan Chancellor will be focused on triaging and fixing all bugs found with Clang/LLVM compilers while working on establishing continuous integration (CI) systems to support this work. He has been working on the Linux kernel for four and a half years.

Google and the Linux Foundation announced that they are prioritizing funds to underwrite two full-time maintainers for Linux kernel security development, Gustavo Silva and Nathan Chancellor.

Silva and Chancellor’s exclusive focus will be to maintain and improve kernel security and associated initiatives in order to ensure the world’s most pervasive open source software project is sustainable for decades to come.

To help Linux maintainers stay ahead of the black hats, Google has funded two full-time Linux security developers well-versed in open source security.