Liquorix and kernel.org
What is your view on the recent attack at kernel.org? Are the kernel packages safe to compile now? There has been no notification from kernel.org that all is well. How are you preventing the contamination of the liquorix kernels?
Back to top |
|||||
Well, there's nothing to worry about. Even if the intent of the hackers on kernel.org was to taint the kernel sources, they would not have been successful. If they were successful, everyone would know.
Any changes made to the kernel source will require a change of the hash that makes up a commit for which the source was changed. Thus, if you were trying to taint the source of a kernel tag, the tag's hash would change. The only option for a hacker would to add a new commit with malicious code. Unfortunately, this won't work either, because the maintainer of each git repository has a copy on their computer. When they try to push changes to kernel.org, they'll get a warning that they're losing history by pushing. Even if the maintainer doesn't care and forces a push, the malicious code would be lost. There's nothing to worry about, it's really easy to accidentally subdue the contamination. Back to top |
|||||
See this by Joey Hess:
kitenet.net/~joey/blog/entry/size_of_the_git_sha1_collision_attack_surface/ And this by Zook lwn.net/Articles/457539/ Back to top |
|||||
There is nothing I can do if or if not the sources were tainted.
There are developers and kernel hackers more talented than I am that get paid to work on the kernel source. They can audit the code if they want. Back to top |
|||||
Thank you for your comments. I will continue to use the liquorix kernel. That doesn't mean I have confidence in the original source, but what can I do. The debian kernel, the aptosid kernel, in fact all linux kernels, ultimately come from the same source, kernel.org.
Over at debianuserforums.org it has been suggested to use the BSD kernel. I'm not sure I'm ready to do that. I have a squeeze install whose kernel pre-dates the attack, but squeeze is boring. The kernel.org team is not telling what is going on and not knowing produces anxiety in me. I'm sure it will pass. Back to top |
|||||
All times are GMT - 8 Hours
|