Software flaws don't negate "many eyes" in open source

Greg Perry's allegations that backdoors were placed within OpenBSD about a decade ago seem to be shifting more and more into the realm of fantasy with each passing day.

To date, Perry has not responded to my inquiry regarding his Dec. 11 e-mail to OpenBSD founder Theo de Raadt, nor to my knowledge has he responded publicly anywhere else. Meanwhile, the two (or three, depending on how you count it) people named in Perry's message to de Raadt as parties to this supposed backdoor activity, Scott Lowe and Jason Wright, have denied their involvement--the latter within the same [openbsd-tech] thread that started all this.

Since no one has heard any more from Perry, I will decline to speculate why he made these accusations, except to note that sometimes silence can speak volumes, and this may indeed be one of those instances.

While the accusations fly, de Raadt has indicated at least to one media outlet that an audit of this part of the OpenBSD code has found some bugs.

"We've been auditing since the mail came in! We have already found two bugs in our cryptographic code. We are assessing the impact. We are also assessing the 'archeological' [sic] aspects of this," de Raadt told iTWire.

It is not clear whether these bugs would allow the insertion of a backdoor or sideways entry-point into an OpenBSD system, nor if, based on de Raadt's statements to iTWire's Sam Varghese, these are the only bugs in this part of OpenBSD.

My colleague Glyn Moody tapped on any possible existence of such bugs in OpenBSD--planted or not--as a fundamental problem with one of the core tenets of free and open source software (FLOSS) development:
