[GLLUG] RedHat spooked ?

DL Neil GLLUG at GetAroundToIt.co.uk
Fri Jun 20 00:09:33 UTC 2014


(previous material filleted)


> Debian is trying, but it's not there yet. OpenBSD is probably more
> trustworthy than most - development has been done outside the USA for a
> long time, IIRC.

Fuel to the fire: if patches/updates are submitted to a US 'center',
then "done outside" means little...

>> Answer: Please raise that on a support ticket to be given an answer in
>> writing.

Which produced what response?


>> * Do the compiled RedHat binaries reflect exactly the sources that
>> they publish ?
> The better question is something like "How is RedHat working to
> demonstrate that all binaries are verifiably buildable from published
> sources?" If they can do that, then they can just engage an external
> (non-US) company to do ongoing security audits of the open code, and
> provide a good level of security assurance.
> I'd find it surprising if RedHat has not been the target of the NSA. The
> question to ask is whether or not the company has been compelled to
> assist. The only safeguard is transparency - all binaries must have full
> source available, and it must be demonstrably possible to cleanly
> rebuild identical binaries. You should also be suspicious of drivers
...
>> * Should I be compiling and using my own: kernels, glib, openssl and
>> ssh ?
>> I am not aware of a project that recompiles (the important parts of)
>> Linux distros with the aim of
>> verifying that they have not been spooked.  Is anyone aware of one ?

Back in the 'good old days'* I recall an IT-Audit recommendation that
'our' sources be re-compiled (as independently as possible) and the
results binary-compared with the routines in 'production'. Back then, it
was addressed as a means of detecting an internal, unauthorised
'amendment' to code. I haven't been involved in such a process for
years, decades...

However, the assumption here is not only that the source and executables
match, but that there is no back-door in the source-code (as well). Hey,
if GCHQ, NSA, et al, feel they can muzzle 'anyone', why not write it in
directly?

In which case the compile-and-compare process would yield false
reassurance. So is what you're actually suggesting as required (also)
'eyes' on the source code. Oh boy!


* the data center was powered by dinosaurs in treadmills and
talking-techie included words such as "COBOL" and "BAL".

-- 
Regards,
=dn
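The compile-and-compare check that the post recalls, as an added example that is not part of the original message or the GLLUG thread: hash every file in an independently rebuilt tree, hash the corresponding files in the deployed ('production') tree, and report which paths match, which differ, and which exist on only one side. The directory names, file names and file contents below are constructed placeholders, not real distribution binaries.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large binaries need not fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def hash_tree(root: Path) -> dict:
    """Map every regular file under root (relative POSIX path) to its SHA-256."""
    hashes = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            hashes[path.relative_to(root).as_posix()] = sha256_of(path)
    return hashes


def compare_trees(rebuilt: Path, production: Path) -> dict:
    """Compare an independent rebuild against the deployed tree.

    Lists are sorted so the report is stable and can itself be diffed over time:
      identical          - same path, same content
      differ             - same path, different content (investigate)
      only_in_rebuilt    - built from source but not deployed
      only_in_production - deployed but not reproduced from source at all
    """
    a, b = hash_tree(rebuilt), hash_tree(production)
    common = a.keys() & b.keys()
    return {
        "identical": sorted(p for p in common if a[p] == b[p]),
        "differ": sorted(p for p in common if a[p] != b[p]),
        "only_in_rebuilt": sorted(a.keys() - b.keys()),
        "only_in_production": sorted(b.keys() - a.keys()),
    }


def _write(root: Path, rel: str, data: bytes) -> None:
    """Helper for the constructed sample: create rel under root with data."""
    target = root / rel
    target.parent.mkdir(parents=True, exist_ok=True)
    target.write_bytes(data)


def demo() -> dict:
    """Constructed sample: two small trees standing in for a rebuild and production."""
    with tempfile.TemporaryDirectory() as tmp:
        rebuilt = Path(tmp) / "rebuilt"
        production = Path(tmp) / "production"
        # Placeholder contents (constructed), not real binaries.
        _write(rebuilt, "bin/ssh", b"ssh build (constructed)")
        _write(production, "bin/ssh", b"ssh build (constructed)")
        _write(rebuilt, "lib/libssl.so", b"libssl (constructed)")
        _write(production, "lib/libssl.so", b"libssl (constructed, altered)")
        _write(production, "bin/helper", b"deployed but never rebuilt (constructed)")
        return compare_trees(rebuilt, production)


if __name__ == "__main__":
    for category, paths in demo().items():
        print(f"{category}: {paths}")
```

Two caveats a practitioner would attach to the report. First, an entry in "differ" is only evidence of tampering once the rebuild is itself reproducible: embedded build timestamps, absolute build paths and differing compiler versions all produce byte-level differences with no security significance, so those must be eliminated before a mismatch means anything. Second, as the post says, a clean "identical" result only shows that the binary corresponds to the published source; it says nothing about what that source contains.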
