Google Calls On Companies To Devote More Engineers To Upstream Linux, Toolchains
In addition to backing the Rust-for-Linux initiative, Google acknowledges that the kernel has a manpower problem.
The post notes that the stable Linux kernel series receives close to 100 new fixes each week. Given that rate of change, vendors are not always picking up the latest fixes, and in some cases they try to cherry-pick only the "important" ones, which leaves every fix that was not flagged as important unapplied. Besides acknowledging the need for more upstream kernel developers, the post encourages vendors to track the latest Linux stable or LTS kernel releases so that they incorporate all of the fixes rather than a hand-picked subset.
The Google Security Blog post calls for more engineers on several fronts: to fix bugs earlier in the development process, to carry out code review, to work on testing and infrastructure around the kernel, and to work on security and compiler toolchain development, where there is likewise a shortage.
Google's conservative estimate puts the Linux kernel and its toolchains as "underinvested by at least 100 engineers, so it's up to everyone to bring their developer talent together upstream. This is the only solution that will ensure a balance of security at reasonable long-term cost."
The full post is live on the Google Security Blog.