
Re: Four people decided the fate of debian with systemd. Bad faith likely



On Sat, 01 Mar 2014 23:53:28 -0600
yaro@marupa.net wrote:

> Which probably demonstrates why there's no hidden agenda going on surrounding 
> systemd and there were legitimate reasons why it was finally chosen.

Of course there were legitimate reasons, but only those reasons that are
important for mega-organizations.

> The trouble is, how effectively can the NSA hook itself into open source 
> software? How easily could they get backdoors into something without upstream 
> noticing? Might be effective getting hooks into something downstream, but I 
> don't see the NSA getting anything into something upstream without someone 
> noticing, since patches are generally reviewed before integration.
> 
> To sum up my thought on that, the NSA needs cooperation from someone OUTSIDE 
> the NSA to get their hooks in. How likely is it a Debian package maintainer 
> would be compromised? Would someone else notice? Would the maintainer be 
> removed?
> 
> I'm not saying it's implausible so much as it doesn't sound like it'd last 
> long if they could get something in. Could you perhaps give me some insight 
> into ways the NSA could do this? I just don't see most upstream people 
> cooperating. Can the NSA force anyone to actually put backdoors in their own 
> code?

For systemd, they for sure don't need to hook anything in. Such complex
software like systemd, written in a hurry, can only have an enormous number
of security holes, and it'll take a long time until they are reasonably
fixed. Such tight integration with high-level software on one side and
kernel/udev (hardware) on the other hand clearly shows how the attacker can
easily penetrate the whole system. They just need to find them and take
advantage of already existing bugs. And after that, they'll probably even
report them to the free software community.

