Sunday, 18 December 2016

Linux and the UK IPbill

Will openSUSE have a backdoor or will it be safe?

Isn't SUSE part of Micro Focus, which is British? Hence my concern.

openSUSE Chairman rbrownsuse replies on Reddit:

SUSE is part of Micro Focus, correct.
openSUSE is a community producing Linux distributions with all of its code and submissions very much in the open.

Our primary code servers are hosted in Germany, sponsored by SUSE Linux GmbH

If the IPbill does apply to the openSUSE Project (I believe it does not), I have no intention of following the provisions which give the UK government an opportunity to meddle in our community's code before release.

If any backdoor were added it would be done so in a transparent way that would be easily noticed in OBS. Note: the project already firmly follows upstream projects first and very strictly documents divergence from those upstreams. It's very easy to see every patch we carry in every package.

Even if I had a different opinion, I still think it would be unworkable; the Tumbleweed release process alone would probably overwhelm Her Majesty's Government with more requests per week than most companies would produce in many years.

Linux chief: ‘Open source is safer, and Linux is more secure than any other OS’ (exclusive)

J. O'Dell, November 26, 2013 9:27 AM

VentureBeat: Security and privacy has been the hottest topic this year, bar none. We’ve heard rumors that Linus [Torvalds, Linux creator] OK’d a Linux backdoor for the government.

Zemlin: If there were a backdoor in Linux, you’d know it.

The whole world can see every line of code in Linux. This is one of the reasons Linux is more secure than other operating systems and why open-source software overall is safer than closed software. The transparency of the code ensures it’s secure.

And for the record: He wasn’t approached.

Father says Linus was approached:

"When my oldest son [Linus Torvalds] was asked the same question: “Has he been approached by the NSA about backdoors?” he said “No”, but at the same time he nodded. Then he was sort of in the legal free. He had given the right answer …everybody understood that the NSA had approached him."

Did Linus Torvalds backdoor Linux random number generation?:-
"Two years ago Linus overrode a decision by the maintainer of /dev/random and made a decision to include a patch by Intel which would make Linux rely blindly on output from RdRand (an implementation sealed in a chip and impossible to audit).
Matt Mackall, the maintainer of the Linux RNG, was so appalled by this decision that he felt that he had no alternative but to quit the project." :-
Matt Mackall, the former maintainer of /dev/random, actually stepped down over this issue, because Linus overrode Matt and applied Intel's patch that used their hardware random number generator directly:

Ted Ts'o later reverted this, separating out Intel's hardware random number generation into a separate function that could be used to seed the entropy pool but wouldn't be trusted directly as the main kernel source of random numbers:
"If I had to guess what happened, some intel people pushed this as a feature, probably pushing it via one of the x86 git trees, and Linus either (a) didn't notice, or (b) didn't understand the implications, and then Matt quit in a huff --- by just stopping to do work, and not even updating the entry in the MAINTAINERS file."

tytso:
Not only did it happen before, just TODAY I had to fight back an attempt by a Red Hat engineer who wanted to add a configuration option which would once again allow RDRAND to be used directly, bypassing the entropy pool:

"It's unlikely that Intel (for example) was paid off by the US Government to do this, but it's impossible for them to prove otherwise --- especially since Bull Mountain is documented to use AES as a whitener. Hence, the output of an evil, trojan-horse version of RDRAND is statistically indistinguishable from an RDRAND implemented to the specifications claimed by Intel. Short of using a tunnelling electronic microscope to reverse engineer an Ivy Bridge chip and disassembling and analyzing the CPU microcode, there's no way for us to tell for sure." :-
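As an added illustration (not code from this page, the kernel, or anyone quoted here), a toy Python model of the two designs tytso contrasts: handing hardware RNG output straight to callers versus hashing it into a pool alongside other entropy sources. The "trojaned" generator, its hidden key and the "other entropy" values are constructed, and hashlib stands in for the kernel's own mixing functions.

```python
import hashlib
from typing import Callable

# Constructed stand-in for the "evil, trojan-horse RDRAND" described above: the
# output is whitened by a hash (as Bull Mountain whitens with AES), so it looks
# statistically random, yet anyone holding the hidden key can recompute every value.
HIDDEN_DESIGNER_KEY = b"constructed-key-known-only-to-the-chip-designer"

def trojaned_hwrng(counter: int) -> bytes:
    return hashlib.sha256(HIDDEN_DESIGNER_KEY + counter.to_bytes(8, "big")).digest()

def use_hwrng_directly(hw: Callable[[int], bytes], counter: int) -> bytes:
    """The design tytso objected to: hardware output becomes kernel randomness as-is."""
    return hw(counter)

class EntropyPool:
    """Toy model (not kernel code) of the seed-only design: hardware output is hashed
    together with entropy from other sources and is never handed out raw."""

    def __init__(self, other_entropy: bytes) -> None:
        self.state = hashlib.sha256(b"init" + other_entropy).digest()

    def mix_in(self, data: bytes) -> None:
        # A contributor can add to the state but cannot erase what is already in it.
        self.state = hashlib.sha256(self.state + data).digest()

    def extract(self, hw: Callable[[int], bytes], counter: int) -> bytes:
        self.mix_in(hw(counter))                                    # seed, do not trust
        out = hashlib.sha256(b"out" + self.state).digest()
        self.state = hashlib.sha256(b"next" + self.state).digest()  # output not re-derivable
        return out

def designer_can_predict(design: str, other_entropy: bytes, counter: int) -> bool:
    """Simulate the chip designer, who knows HIDDEN_DESIGNER_KEY but not the kernel's
    other entropy, trying to predict the value the kernel will hand out."""
    if design == "direct":
        actual = use_hwrng_directly(trojaned_hwrng, counter)
        guess = trojaned_hwrng(counter)
    else:
        actual = EntropyPool(other_entropy).extract(trojaned_hwrng, counter)
        # Without the other entropy, the designer's best guess is an empty pool.
        guess = EntropyPool(b"").extract(trojaned_hwrng, counter)
    return guess == actual
```

With other_entropy empty the pool design is just as predictable as the direct one, which is why seeding only helps when the pool holds entropy the hardware vendor cannot see.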
Technology companies maintain that they work with the intelligence agencies only when legally compelled to do so.

The Guardian has previously reported that Microsoft co-operated with the NSA to circumvent encryption on the email and chat services.
The company insisted that it was obliged to comply with "existing or future lawful demands" when designing its products.

The IPbill just brings this point out into the open.

Thursday, 15 December 2016

Is Linux being helped or hijacked by corporate involvement?

Is Linux being helped or hijacked by corporate involvement? AKA has Linux lost its way?
Who knows, but here are some thoughts:
Linux started as a student project and gathered an enthusiastic band of volunteers... but look at it now.
“The Linux kernel is growing and changing faster than ever, but its development is increasingly being supported by a select group of companies, rather than by volunteer developers.
That’s according to the latest survey of Linux kernel development by the Linux Foundation, which it published to coincide with the kickoff of this year’s Linux Foundation Collaboration Summit on Wednesday.
Whether the decline in volunteer code contributions since Linux’s early days is actually a bad thing, however, is open to debate.
For one thing, kernel development is something of a rarified skill, and coders who successfully submit patches probably won’t stay unemployed for long. Now they’re volunteers; now they aren’t.
Also, the Linux kernel has hardly been taken over by some Good Ol’ Boys network of top IT companies. One developer who consistently makes the list of top kernel contributors, for example, is H Hartley Sweeten of Vision Engraving Systems, a maker of industrial engraving equipment.
Similarly, the Linux Foundation announced on Wednesday that its latest member is media giant Bloomberg, which has joined as Gold member and says it will “continue to take on a more prominent role in the broader community development and collaboration behind Linux.””

from the comments on this page:
Is this trend isolated or common?
Date: 2016-01-22 11:51 pm (UTC)
From: (Anonymous)
So far I count:
– Linux Foundation quietly dropped community representation:-
– The Radeon related conspiracies (I didn’t look at it in depth yet).
– The libusb related conspiracy (See Peter Stuge’s talk at 32C3).
– The foundation corporate membership limit change attempt.
Are there other examples of such patterns that I missed?
Are these isolated incidents? Or are they part of a bigger picture?
If it is, I can only think of corporate control over free software projects, but why?
I guess free software companies wouldn’t benefit from it.
However I think that the proprietary software companies would. They nowadays depend on free software so they can’t kill it, they probably don’t want to either.
However controlling the associations and leveraging such control could be used to help prevent free software from replacing their proprietary products.
Here I’m only wondering if something is happening, and I don’t have any answers.

Re: Is this trend isolated or common?
Date: 2016-01-23 12:18 am (UTC)
From: (Anonymous)
Free software has always been a threat to the “capitalist” business model espoused by the big corporations. This model has no room for products that threaten their high profit margins, so they always attempt to buy or hijack the problem people and products. An example from the dark side is Mark Russinovich being bought off by Microsoft after the Sony rootkit affair.
Another way to look at the Linux Foundation is that we have isolated the problem to a small place and made the corporates pour their money into a different rat hole, but we have to act on that approach, perhaps by forking the kernel and making the community version the important one, removing the Linux Foundation’s influence over the real world by simple community action.
While this approach would seem cruel in that Torvalds would be shorn of his halo, in fact devolving the “governance” of the Linux kernel would serve as a way of keeping him honest, and potentially improve the overall product. Just like all of the MySQL forks forced Oracle to be honest, so would a hurd of Linux forks force “Linux” back to the real world. :-
People like Linus Torvalds and I don’t plan the kernel evolution. We don’t sit there and think up the roadmap for the next two years, then assign resources to the various new features. That’s because we don’t have any resources. The resources are all owned by the various corporations who use and contribute to Linux, as well as by the various independent contributors out there. It’s those people who own the resources who decide…
— Andrew Morton, 2005
Linux is evolution, not intelligent design
— Linus Torvalds, 2005[122][123]
“The real question behind the debate, as I see it, is who controls The Linux Foundation? The users or the companies?
Garrett sees this move as The Linux Foundation taking one more step away from the community and towards the corporate world. Zemlin doesn’t address this point specifically but, tellingly, he does say that the “process for recruiting community directors should be changed to be in line with other leading organizations in our community and industry.”
In addition, as Garrett pointed out, individuals no longer have “The ability to run for and vote for a Linux Foundation board seat and influence the direction of the foundation.”
Personally, I see this as a move towards more corporate control of the Foundation. But, as the saying goes, who pays the piper calls the tune. I find nothing surprising about this move.
While open-source users love the concept of community, the “community” has been made up of corporate executives and employees for well over a decade now. Only the most idealistic open-source developer and leaders and, ironically, open source’s most fervent enemies still think of Linux and open-source projects being created and controlled by private individuals.
Besides, the overwhelming majority of The Linux Foundation board of directors has always been made up of corporately chosen directors. Still, this Linux Foundation decision rubs me the wrong way. Linux started as an individual’s project that quickly gathered the support of many bright programmers. There should always be a place for individuals rather than corporations to have their say in The Linux Foundation’s leadership.
I hope Sandler, who is a strong, brilliant open-source leader, not only is allowed to run for office, but wins a place on the board. I also hope the Foundation restores the right for individuals to vote and run for office on the board. This is not asking for much, and it would restore faith that the Foundation still has room left for the little people and not just the big companies.”
“They” tried, for years, to destroy Linux. “Only hackers use it”, “only hippies use it”, “only communists or terrorists use it”, “we own patents for most of it” and each one failed. Now they’re attacking it from within and it’s worked beautifully. One community torn asunder over systemd. Most distros now firmly in the palm of Red Hat and thus under their control. The modularity and control that distinguished Linux from other OS’s, now mostly gone and by the time Poettering has finished, it will all be gone. And then it will be too late.
Thankfully there are still some distros holding out – Slackware, Crux, Pisi, Manjaro OpenRC and Devuan if it gets off the ground. Long may they continue to resist. But I don’t hold out much hope in the long run. This is Corporate takeover 101 and so few even see what’s happening that the chances of stopping it are next to zero. Sad.
A cornerstone of Linux’s success is its huge user community. Since 2005, some 11,800 individual developers from nearly 1,200 different companies have contributed to the kernel, the Linux Foundation says. Linux is the largest collaborative development project in history and it is being developed faster than any other software in the world.
And now Linux is accelerating tech innovation via open collaboration at all levels – from the chip and on up through the entire hardware and software stacks.
Ultimately, open source isn’t about code. It’s about community, and as Bert Hubert suggests, “community is the best predictor of the future of a project.” That community isn’t fostered by jerk project leads or corporate overlords pretending to be friendly foundations. It’s the heart of today’s biggest challenges in open source — as it was in the last decade.
The Linux model inspired IBM, NVIDIA, Mellanox, Google, and Tyan to create the OpenPOWER initiative in December 2013. OpenPOWER does for hardware what Linux has done for software: makes it free and open source.
It has become increasingly common for companies to maintain control of important open source tools.
That can make for more efficient decision making. But as we’ve seen with Node, it can also lead to tensions between the parent company and outside developers who adopt and develop the technology. How the Node community deals with these tensions could set important precedents for how other important open source technologies, such as the cloud computing tool Docker, are managed.