[GLLUG] RedHat spooked ?

James Holland holland.james at yahoo.co.uk
Fri Jun 20 00:28:50 UTC 2014


Yes I was there too. I can't believe he didn't answer the question. I 
found the conference pretty boring and corporate though - seemed more to 
do with publicising their products!

Though I seem to remember the question was: Since you have collaborated 
with the NSA over SELinux, are you still in collusion with them?

On 19/06/14 21:41, Alain Williams wrote:
> Today I have been at the RedHat forum in London. This was largely
> about what is new in RHEL 7 (released recently). There is much in
> there that is interesting and I have been looking forwards to. RedHat
> has been my distro of preference for almost 20 years.
>
> One question asked but curiously answered has got me very worried -
> it was the question that I was going to ask. The question was asked
> to Graham Biswell (RedHat Principal Solution Architect, UK &
> Ireland).
>
> Question: What assurances can you give us that RedHat has not been
> spooked by the NSA.
>
> Answer: Please raise that on a support ticket to be given an answer
> in writing.
>
> (Wording prob inexact, by my memory, but the right sentiment.)
>
> This raises all sorts of interesting questions:
>
> * Are there any NSA back doors in RedHat - in the same way that
> seems likely with products from Microsoft and other proprietary
> vendors ?
>
> * Do the compiled RedHat binaries reflect exactly the sources that
> they publish ?
>
> * Do any of the RedHat patches generate an NSA backdoor ?
>
> * Did Mr Biswell answer as he did because he has sufficient integrity
> to want to not lie ?
>
> * Have I been complacent in assuming that Open Source distributions
> have not been spooked ?
>
> * Earlier this year RedHat took over the (European) CentOS project
> (in essence). We were given several commercial reasons as to why this
> makes sense for RedHat. Is another reason that this brings CentOS
> under RedHat control and thus subject to the demands of the NSA (via
> the Patriot Act or whatever) ?
>
> * Should I be compiling and using my own: kernels, glib, openssl and
> ssh ?
>
> * Am I being overly paranoid ? I think that I need to be.
>
> Please note: it is not my intention to libel anyone, however this is
> an important area where tough questions need to be asked. We cannot,
> unfortunately, accept what we are told at face value - Edward Snowden
> has shown us that.
>
> I am not aware of a project that recompiles (the important parts of)
> Linux distros with the aim of verifying that they have not been
> spooked.  Is anyone aware of one ? Creating such a project would be
> interesting and although some progress would be easy, it is probably
> hard to do properly and fully [think validating the compiler].  This
> probably ought to also be done for: Suse, Debian and others.
>
> If we find nothing does this enhance the reputation of Open Source or
> just show that the NSA is more devious than we thought ?
>
> (I use the term 'NSA' as a sobriquet for all of the world's spooks
> and security services.)
>
>



