On Tue, Jul 17, 2018 at 11:21:15PM +0200, Alessandro Selli wrote:
> My point is that the chances there is a backdoor in the Linux kernel
> are about as high as the chances tomorrow an alien ship abducts the world's
> leaders to take them captive to another solar system

Actually, it's pretty likely some odd driver has a limited backdoor (aka an
intentional exploitable bug), and 99.999% chance there's a number of
unintentional bugs the NSA, GRU and so on know of but don't let the public
know, saving them for high-value targets.

Then there are local exploits. Ted Ts'o for example keeps fuzzying ext4 for
years yet exploitable bugs still pop up frequently -- usually just DoS but
arbitrary code execution isn't unheard of. That's a simple filesystem --
on the other hand, we got plenty of ridiculously complex filesystems as
well. And ones like qnx4/qnx6 that have been effectively unmaintained for
years, yet have modules enabled in distro kernels (including ours), probed
whenever someone inserts a removable filesystem. Current desktop
environments do so even when the screen is locked.

Same for other USB subsystems. All it takes is a device on the other end of
the USB cable to identify itself as a 1997 Mattel Sidewinder joystick or
such, whose driver has slightly inadequate input validation, to exploit a
locked machine.

Or so on, so on...

> that there's no way we, or any single minor distro devs, could make the
> kernel any more secure than it currently is and that trying to do it would
> drain a huge amount of resources

Minor distributions should follow the rule:
"Do one thing and do it well."

Choosing secure defaults is in scope, but searching for backdoors is not.
This is upstreamish work, thus it's not a distro thing. For free software
to work, any capable developer should cooperate, but you do such audits
without the distro hat on.


Meow!
--
// If you believe in so-called "intellectual property", please immediately
// cease using counterfeit alphabets. Instead, contact the nearest temple
// of Amon, whose priests will provide you with scribal services for all
// your writing needs, for Reasonable And Non-Discriminatory prices.