On Sat, 18 Jan 2014 15:04:48 -0500 Noah Meyerhans <noahm@debian.org> wrote: > On Sat, Jan 18, 2014 at 08:30:49PM +0100, Marco Saller wrote: > > i am not sure if this question has been asked or answered yet, please do not mind if i would ask it again. > > Is it possible that the NSA or other services included investigative software in some Debian packages? They don't need to do it. Software is full of security bugs. Most suitable are web browsers. NSA controls Internet backbone routers. Just check CVE records for Internet Explorer, Firefox or Chrome. Firefox ESR is meant for security, but 17 ESR had 11 updates, which means before bugs were corrected you were vulnerable. And probably there are still, but 17 ESR is not anymore supported and you have to go to 24 ESR which certainly brings new bugs and so on. > > It is absolutely possible. It's even possible that you yourself have > added such software to Debian! Can you prove that you haven't? > > That line of thinking leads to madness. The only rational conclusion, > once you start down that path, is to turn off your computers and move to > a remote cabin in the wilderness. What would make you highly suspicious. > It will never be possible to prove > that there is no malicious software in Debian or in any other OS. Beyond > that, it will never be possible to prove that there is no malicious > *hardware* running executing your OS. > > We can and do take care to ensure that all changes to Debian are made by > people authorized to make those changes. (Package uploads must be signed > by a Debian developer.) We can and do take care to ensure that that the > packages you download have not been modified in transmission (signing of > Release files, checksums on Packages files and on packages themselves.) > Etc. If deficiencies are found in our mechanisms or policies, then we > take steps to improve them. If violations are found, then we take steps > to audit for impact and resolve any potentially malicious actions that > we identify. We take great care to minimize the likelihood of any sort > of backdoor or malicious code in Debian, but none of this can provide > 100% proof that such a thing doesn't exist. But Debian doesn't support grsecurity and similar security enhancements for linux kernel[1], though PaX[2] is a serious protection from exploiting security bugs in software. I needed a lots of time in order to successfully patch Debian kernel with grsecurity, though I immediately removed all features/* patches. It's because patch B can assume patch A is applied and when patch A is not applied, than patch B fails. But it is possible patch B is still needed. For that reason, and the reason of availability of newer kernel in backports repo, my opinion is features patches are unneeded and make more problems than benefit. > Anybody that claims that > they can prove otherwise, for Debian or any other OS, is either lying or > ignorant. > > noah > [1] https://lists.debian.org/debian-devel/2003/09/msg01133.html [2] https://en.wikipedia.org/wiki/PaX -- Education is a process of making people see what is advanced and not obvious, but also not seeing what is basic and obvious. http://markorandjelovic.hopto.org
Attachment:
signature.asc
Description: PGP signature