Liquorix and kernel.org
Posted: Sep 7, 11, 2:04 jheaton5
 Status: Interested
Joined: 15 Sep 2010
Posts: 49
Reply Quote
What is your view on the recent attack at kernel.org? Are the kernel packages safe to compile now? There has been no notification from kernel.org that all is well. How are you preventing the contamination of the liquorix kernels?
Back to top
Posted: Sep 7, 11, 16:44 damentz
 Status: Assistant
Joined: 09 Sep 2008
Posts: 1122
Reply Quote
Well, there's nothing to worry about. Even if the intent of the hackers on kernel.org was to taint the kernel sources, they would not have been successful. If they were successful, everyone would know.

Any changes made to the kernel source will require a change of the hash that makes up a commit for which the source was changed. Thus, if you were trying to taint the source of a kernel tag, the tag's hash would change.

The only option for a hacker would to add a new commit with malicious code. Unfortunately, this won't work either, because the maintainer of each git repository has a copy on their computer. When they try to push changes to kernel.org, they'll get a warning that they're losing history by pushing. Even if the maintainer doesn't care and forces a push, the malicious code would be lost.

There's nothing to worry about, it's really easy to accidentally subdue the contamination.
Back to top
Posted: Sep 8, 11, 1:43 jheaton5
 Status: Interested
Joined: 15 Sep 2010
Posts: 49
Reply Quote
See this by Joey Hess:
kitenet.net/~joey/blog/entry/size_of_the_git_sha1_collision_attack_surface/
And this by Zook
lwn.net/Articles/457539/
Back to top
Posted: Sep 10, 11, 0:36 damentz
 Status: Assistant
Joined: 09 Sep 2008
Posts: 1122
Reply Quote
There is nothing I can do if or if not the sources were tainted.

There are developers and kernel hackers more talented than I am that get paid to work on the kernel source. They can audit the code if they want.
Back to top
Posted: Sep 10, 11, 4:25 jheaton5
 Status: Interested
Joined: 15 Sep 2010
Posts: 49
Reply Quote
Thank you for your comments. I will continue to use the liquorix kernel. That doesn't mean I have confidence in the original source, but what can I do. The debian kernel, the aptosid kernel, in fact all linux kernels, ultimately come from the same source, kernel.org.

Over at debianuserforums.org it has been suggested to use the BSD kernel. I'm not sure I'm ready to do that. I have a squeeze install whose kernel pre-dates the attack, but squeeze is boring.

The kernel.org team is not telling what is going on and not knowing produces anxiety in me. I'm sure it will pass.
Back to top
Display posts from previous:   

All times are GMT - 8 Hours
Contact Us
Hosting: Pair Networks: 0.027
Forum Style © techpatterns.com
info

tech forums