
Software flaws don't negate "many eyes" in open source

Filed under: OSS, Security

The allegations from Greg Perry regarding backdoors allegedly placed within OpenBSD about a decade ago seem to be shifting more and more into the realm of fantasy as each day goes by.

To date, Perry has not responded to my inquiry regarding his Dec. 11 e-mail to OpenBSD founder Theo de Raadt, nor to my knowledge has he responded publicly anywhere else. Meanwhile, the two (or three, depending on how you count it) people named in Perry's message to de Raadt as parties to this supposed backdoor activity, Scott Lowe and Jason Wright, have denied their involvement--the latter within the same [openbsd-tech] thread that started all this.

Since no one has heard any more from Perry, I will decline to speculate why he made these accusations, except to note that sometimes silence can speak volumes, and this may indeed be one of those instances.

While the accusations fly, de Raadt has indicated to at least one media outlet that an audit of this part of the OpenBSD code has found some bugs.

"We've been auditing since the mail came in! We have already found two bugs in our cryptographic code. We are assessing the impact. We are also assessing the 'archeological' [sic] aspects of this," de Raadt told iTWire.

It is not clear whether these bugs would allow the insertion of a backdoor or some other sideways entry point into an OpenBSD system, nor whether, going by de Raadt's statements to iTWire's Sam Varghese, these are the only bugs in this part of OpenBSD.

My colleague Glyn Moody pointed to the possible existence of such bugs in OpenBSD--planted or not--as a fundamental problem for one of the core tenets of free and open source software (FLOSS) development:
