Open-BSD scandal and concerns for Debian/Ubuntu

Colin Watson cjwatson at
Thu Dec 16 12:53:44 GMT 2010

[Moderator's note: normally I would advise that this sort of discussion
be taken to ubuntu-devel-discuss, as it's really much more relevant to
other projects such as the Linux kernel than to the development of
Ubuntu itself.  However, I thought it would be useful to have the chance
to reply to this on ubuntu-devel, since this has been in the news
recently and I'm sure various people are worried about it.]

On Wed, Dec 15, 2010 at 12:31:13PM -0500, Rodney V wrote:
> I am longtime user of Ubuntu, and I have concern regarding the recent
> allegations of the FBI placing malicious code in OpenBSD.
> Please forward this to other lists as you see fit.
> The reason for my concern is that the alleged code has been undetected
> for at least 10 years... This worries me that other distributions
> running Unix like enviroments may also be compromised by malicious code
> undetected in the Debian/Ubuntu systems as well- including
> applications for a very long time.

It is not at all obvious that the allegations are grounded in fact.  The
people named in the allegations have explicitly repudiated them (and of
course you might say that they would, but their comments seem pretty
convincing to me):

Who knows what the truth is?  I certainly don't.  However, it all smells
rather odd to me.  My first reaction on reading about it was that it
sounded like a smear campaign; wouldn't this be an excellent way to try
to wreck some developers' careers, if you were so inclined?  With enough
observation you might even predict that Theo would forward that private
e-mail and make use of that to make it all seem more plausible.  Of
course this is speculation not accusation - for all I know Mr. Perry
really is taking the first opportunity to expose a serious problem - and
I'm not involved either way, but generally I would recommend applying
some healthy scepticism when faced with this sort of thing rather than
getting too concerned straight away.  Nothing has been proven yet.

> I am asking that Devs and the community please perform a code audit. I
> know this may sound tedious, but the security of Ubuntu/Debian should
> not allowed to be compromised by anyone.

I understand that the OpenBSD people are performing a code audit anyway,
and they're best-placed to do so to start with; as the alleged point of
origin, they have all the history directly to hand and can make use of
it.  They have a superb reputation for this kind of thing and I don't
think there's much point in us trying to duplicate their work
independently.  If you're a security expert, that's probably the effort
you should be joining.  If they discover something, that will be a good
time to analyse other related codebases to try to work out whether it
spread.  Before that, we shouldn't allow ourselves to be excessively
sidetracked when there may be nothing in it.

In any case, I'd expect that the best organisations to perform such an
audit would be the maintainers of the IPSEC code in the Linux kernel,
related userspace tools, and so on.

Finally, this is the clearest post I've seen on this issue so far:

Colin Watson                                       [cjwatson at]

More information about the ubuntu-devel mailing list