Quoting Arnt Karlsen (a...@iaksess.no):

> On Thu, 23 Nov 2017 14:47:40 +0100, John wrote in message 
> <02372660-5727-d160-fe49-e3a4963f8...@atlantech.com>:
> 
> > On 23/11/17 12:28, Arnt Karlsen wrote:
> > > ..the kernel guys has this far proven more trustworthy, IME.  
> > 
> > Number of times unknown third parties have inserted bad code into the 
> > linux kernel: 1.

If we want to tell the entire truth about that, the kernel development
chain was not compromised in the 2011 breach.  All of the canonical
kernel source in git and all of the sha1-signed patchsets were untouched.

The compromise was of several of the kernel.org servers probably via
stolen developer ssh credentials.  This is thus something else entirely.  
For a couple of years, a detailed forensics report was promised[1] but
never appeared.  I made an issue of this a few years ago on LWN.net and
elsewhere including with some friends among the Linux kernel developer
community, and got only lame and passive-aggressive brush-offs.
 
> ..only once?  Don't forget the runtime backdoor attacks.

Again, this is distortive without the _entire_ truth.  Once again, you
are not talking about any compromise of the kernel development chain.
You are talking about someone breaking into _way_-downstream points of
distribution, such as for example an eastern European intruder who
compromised Linux Mint's Web site (via some hapless unfixed vulnerability
that I cannot find at the moment).  Having the ability to edit the Linux
Mint Web site, the intruder altered the mirror site page to point some
downloaders to an unauthorised site in Bulgaria that served up trojaned
copies of Linux Mint that had backdooring built into the (fraudulent)
distro kernel.

That _obviously_ is not the same as a security problem with the kernel
itself, and I'm disappointed that both you and John are distorting the
truth by implication.

Blaming the kernel developers for that would be like blaming my
Kryptonite bicycle lock for weakness against burglars after someone
picks it up and hands it to a burglar.

For completeness, as long as we are ponying up phony examples of 'third
parties inserting bad code into the Linux kernel', one could cite the
2003 attempt to backdoor kernel sources via the BitKeeper-to-CVS
gateway
(https://linux.slashdot.org/story/03/11/06/058249/linux-kernel-back-door-hack-attempt-discovered).
But, again, tell the _entire_ truth:  That gateway was an export from
the kernel development chain, not part _of_ the development chain.  The
actual canonical kernel source, then kept in BK, was untouched along
with all the signed patchsets.  This was shortly before McVoy ended the 
kernel team's use of BK and Linus & friends immediately developed git to
replace it.

Seriously, guys, less bullshit on security matters, please.  Some of us
can actually detect it and find it annoying.


[1] E.g., on the front page's Site News
(http://web.archive.org/web/20111004011725/http://kernel.org/) an item
later quietly dropped.

_______________________________________________
Dng mailing list
Dng@lists.dyne.org
https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/dng
