Schedulers can be objectively tested. There's this thing called "performance", that can generally be quantified on a load basis.
Yes, you can have crazy ideas in both schedulers and security. Yes, you can simplify both for a particular load. Yes, you can make mistakes in both. But the *discussion* on security seems to never get down to real numbers.
So the difference between them is simple: one is "hard science". The other one is "people wanking around with their opinions".
— Re: [PATCH] Version 3 (2.6.23-rc8) Smack: Simplified Mandatory Access Control Kernel, by Linus Torvalds, kerneltrap.org, Monday, October 1, 2007 - 7:04 am
Linus Torvalds, inventor of Linux and thus originator of its associated industry, continues:
Another difference is that when it comes to schedulers, I feel like I actually can make an informed decision. Which means that I'm perfectly happy to just make that decision, and take the flak that I get for it. And I do (both decide, and get flak). That's my job.
In contrast, when it comes to security, I see people making IDIOTIC arguments, and I absolutely *know* that those arguments are pure and utter crap, and at the same time, I see that those people are supposed to be "experts".
For example, you security guys still debate "inodes" vs "pathnames", as if that was an either-or issue.
Quite frankly, I'm not a security person, but I can tell a bad argument from a good one. And an argument that says "inodes _or_ pathnames" is so full of shit that it's not even funny. And a person who says that it has to be one or the other is incompetent.
Yet that is *still* the level of disagreement I see.
His examples may be about schedulers and filesystem concepts, but his point applies to many other realms of security, as well.