Linked by Eugenia Loli on Thu 6th Nov 2003 05:32 UTC, submitted by Jeremy Andrews
Linux KernelTrap has a very interesting article about a recent attempt to sneak a "back door" into the Linux 2.6 kernel. Evidently someone managed to break into the CVS server that mirrors the kernel source tree and add a small patch allowing one to locally obtain "root" super-user access. Fortunately, during an export from the master BitKeeper version of the kernel source tree into the CVS mirror, the change was detected and quickly removed.
Order by: Score:
An open structure!
by Anonymous on Thu 6th Nov 2003 05:38 UTC

Haha...Microsoft marvel and learn.

Im not sure if this is in the article or not...
by carbon-12 on Thu 6th Nov 2003 05:45 UTC

but how did they break in?

Reads like an ad for BitKeeper
by Anonymous on Thu 6th Nov 2003 06:04 UTC

The discussion reads like a 'CVS is insecure, use BitKeeper instead' - which is fine, but I wonder whether this will lead to more pressure to abandon CVS entirely in Linux kernel development?

It seems that BitKeeper obviously has advantages over CVS, but is there a free implementation of a BitKeeper 'client' which can be bundled with distros etc.?

If CVS doesn't automatically identify changes like this, how can you guard against it on a cvs-based system?







Who did
by *nix User on Thu 6th Nov 2003 06:04 UTC

Did anyone go through the logs?? Track the IP address??? Can we say Jail Time!!!

CCC Hack
by jeti on Thu 6th Nov 2003 06:26 UTC

Does anyone remember the age-old login hack the CCC was once able to smuggle in?

BitKeeper License
by dpi on Thu 6th Nov 2003 06:35 UTC

Good it's catched by BK. That's hereby granted.

However regarding the license i have things to say:

"Your license to use BitKeeper free of charge is revoked if you or your employer develop, produce, sell, or resell a source management tool."

IOW: you may not use this software if your intention is to compete with BitKeeper.

More serious flaws and non-free aspects in this license can be found here:

http://www.google.com/search?q=BitKeeper+license

First URL contains a lot of info.

I don't understand why a free software project like Linux uses such non-free product for their sourcecode. Yet another argument Linux isn't really much into freedom, if you ask me.

Replies
by Bascule on Thu 6th Nov 2003 06:47 UTC

Anonymous (IP: ---.jetstream.xtra.co.nz)

The discussion reads like a 'CVS is insecure, use BitKeeper instead' - which is fine, but I wonder whether this will lead to more pressure to abandon CVS entirely in Linux kernel development?

There's no security 'issue' with CVS if configured properly. All CVS operations can be tunneled through ssh. It will be interesting to see how the server's security was compromised, but I'm guessing by a leaked/compromised password.

dpi (IP: ---.ipv4.freeshell.bofx.net)

I don't understand why a free software project like Linux uses such non-free product for their sourcecode. Yet another argument Linux isn't really much into freedom, if you ask me.

CVS is a highly problematic collaborative development system. Branch management in CVS (and for that matter, CVS in general) is a nightmare. The management of directories is especially problematic, as there is no way to remove directories due to underlying limitations of RCS to manage revisions across directories. Moving files within the repository while preserving revision information is needlessly difficult.

Open source alternatives to CVS are plagued with problems of their own. For example, the lead developer of arch unexpectedly stopped developing it. There may well be some open source tools which are beginning to approach the functionality of BitKeeper, and when Linus decides both he and the tools are ready I'm certain he'll switch. However, I don't believe it's within the scope of your knowledge to judge what tools are needed for a collaborative development project on the scale of the Linux kernel.

Re: Bitkeeper License
by Anony Mouse on Thu 6th Nov 2003 06:48 UTC

Firstly, does anybody else get a feeling of "this [backdoor attempt] was bound to happen sooner or later?"


dpi wrote:
I don't understand why a free software project like Linux uses such non-free product for their sourcecode. Yet another argument Linux isn't really much into freedom, if you ask me.

Don't get your people confused. Torvalds != Stallman.

Linus is developing a Kernel. Sure, it's GPL.

How he decides to develop the tool is his own business. He could use Edlin if he really wanted too.

It doesn't have any bearing on the freedom of Linux - which is a kernel, remember? It also has no bearing on the ideals of the "GNU/Linux camp" and the FSF.

Linus simply chose a tool that was available. Would you prefer him to drop kernel development altogether and spend the next 16 years developing a CVS replacement?


Or, did I just respond to a troll?

Oh no!
by Anonymous on Thu 6th Nov 2003 07:41 UTC

Does this mean that someone managed to download the source code? I bet it'll be on those "Warez sitez" in no time now.

Seriously, it sounds like a compromised password - apparently the changes were recorded as being made by Dave Miller, one of the longest serving hackers there. Did he write his password down somewhere?

Is linux safe?
by Anonymous on Thu 6th Nov 2003 08:57 UTC

a question that arises. seems like it was just by luck this sec vulnerability was found. How many others are lying around?

v RE: Is linux safe?
by Grant on Thu 6th Nov 2003 09:09 UTC
BK has nothing to do with it
by Anonymous on Thu 6th Nov 2003 09:38 UTC

It wasn't catched by Bitkeeper. A script detected a change commited to the cvs repository by davem, but only the script is authorized to do cvs commits. Bitkeeper hadn't anything to do with it. More details on LKML.

Re: Bitkeeper License
by dpi on Thu 6th Nov 2003 12:02 UTC

<Bascule> CVS is a highly problematic collaborative development system. Branch management in CVS (and for that matter, CVS in general) is a nightmare. The management of directories is especially problematic, as there is no way to remove directories due to underlying limitations of RCS to manage revisions across directories. Moving files within the repository while preserving revision information is needlessly difficult.

Open source alternatives to CVS are plagued with problems of their own. For example, the lead developer of arch unexpectedly stopped developing it. There may well be some open source tools which are beginning to approach the functionality of BitKeeper, and when Linus decides both he and the tools are ready I'm certain he'll switch. However, I don't believe it's within the scope of your knowledge to judge what tools are needed for a collaborative development project on the scale of the Linux kernel.


The lead developer of arch did not unexpected stopped; this was announced. He didn't find a commercial supporter for his project, therefore it ''died''.

So which other SCM projects suck too according to you?

Why do *BSD, OpenOffice, Mozilla, Apache developers use CVS then? Aren't those big projects too? How they solve this issue? What do they smoke?

My problem with this license is what's beeing described in these 2 threads: http://www.debian.org/News/weekly/2002/39/index.en.html

People who happen to work for a large companies like IBM where also _someone_ is working with 1 line of code to a SCM (iow a competitor) cannot use the free (beer) version. Even if such hasn't got anything to do with it. They have to pay a certain amount [which differs on various factors]. Why do you think the RedHat people are all pissed because of BK? I see it as exploitation pur sang.

There are more problems. He can change the license anytime making the old license useless. Therefore his claim that when his company is gone, he's gonna release his software as GPL, cannot be guaranteed too. Funny thing indeed is like the earlier URL mentions, that when BK is gone the source of it will become GPL according to it's current license, so when not using it you make it less populair therefore more likely it'll die (when he doesn't change his license on the fly which he has done in the past, without updating the license stated on the site).

As for your last comment: indeed, i don't, regarding the technical aspect, since i don't have the experience. I use RCS. However i do have knowledge about freedom and i've done research on this aspect in this situation.

[This is besides any point but i'll write it anyway. Some people on the earlier posted URL claim McVoy has a huge ego. I don't know him, but his appeals to authority and force make me feel to agree.]

<Anony Mouse> Don't get your people confused. Torvalds != Stallman.

Exactly, that's why my argument gives Linus less freedom as ''freedom fighter''. Cause in my eyes, he isn't, and the fact he uses and supports proprietary software as server makes my point more as-is, imo.

How he decides to develop the tool is his own business.

No. That would count for ie. when Linus would use Windows as his desktop. That is his business. This is dependancy hell.

When you work together in a non-hierarchical way, you do this based on consensus. Granted, there's a lot of concensus in Free Software projects in general, including the Linux kernel. But here, i see a recession because BK is the main tree because Free Software is being developed depending on a non-free project. Non-fre by itself ain't bad, but it's license is in such way problematic that it creates various problems for people of the team. Using BK affects ALL developers, and some developers and/or companies are suffering from this. Yet this is taken as ''colleteral damage''. So saying ''his own business'' is shortsighted if you ask me.

It doesn't have any bearing on the freedom of Linux - which is a kernel, remember? It also has no bearing on the ideals of the "GNU/Linux camp" and the FSF.

For developers, it does. Since not using BK has disadvantages: they have to submit patches. Someone with BK access has to implement them. Yeah that's effective...

Linus simply chose a tool that was available. Would you prefer him to drop kernel development altogether and spend the next 16 years developing a CVS replacement?

Oh please, 16 years is highly exagerating. There _are_ alternatives to this style, even alternatives which use BK; but not as the centralized core; which it currently is.

Or, did I just respond to a troll?

''That's my business!''. At least i don't post using a some general nick, instead i use my own nick with my own IP address. If you have problems go whine to my ISP: abuse et xs4all dowt nl IPv4 213.84.111.64/30 - while you're at it, please include a warm hug from me to them (:

Re: Bitkeeper License
by Peter Hoeg on Thu 6th Nov 2003 12:58 UTC

dpi: I simply don't understand why you get so worked up about it. Nobody forces people at IBM or RedHat or any other place for that matter to use BK. There is a CVS gateway and the maintainers still accept patches as regular diffs. So if LM changes the license? NOBODY is worse off than before, as we can just go back to the way it has always been. Nobody looses.

Re:Who did
by Ryan on Thu 6th Nov 2003 13:30 UTC

sun, microsoft and plenty of others would gain a lot from making linux look insecure. call me paranoid but there are a lot of commercial interests that are seriously threatened by all of this linux craze.

I still think that the SCO suit is linked to MS and i believe that MS will do anything to maintain its position. Personally i wonder what happens when the conventional, barely illegal but massively unethical, questionable activity fails to kill linux/open source. What then? more bribes (i mean campaign contributions) to ashcroft and busshy or what?

MS won't go down easy. That company is worse than saddaam hussein or osama saved bush's presidency bin laden. There is no telling what they will do.

OpenCM
by Sean on Thu 6th Nov 2003 14:17 UTC

I have been considering OpenCM (http://www.opencm.org/) as a replacement for CVS. I have just not had the time to compare the two well enough.

Re: dpi (IP: ---.ipv4.freeshell.bofx.net)
by drsmithy on Thu 6th Nov 2003 14:43 UTC

I don't understand why a free software project like Linux uses such non-free product for their sourcecode.

Because Linus is pragmatic. He's a hacker, not a political activist. It's his code and he's chosen to use what he believes to be the best tool for the job - as is his perogative.

Re:Who did
by luckystrike on Thu 6th Nov 2003 14:48 UTC

MS won't go down easy. That company is worse than saddaam hussein or osama saved bush's presidency bin laden. There is no telling what they will do.

:roll:
The consequences of SUN, Oracle or MS getting caught far outweigh any benefits of breaching security and thus surely negates such a possibility.

There's no way any commercial outfit would expose themselves to this...

This whole episode just underscores yet another weakness of open source software. You should deal with it in ways more constructive than starting a witch hunt.

Re: Bitkeeper License
by Anonymous on Thu 6th Nov 2003 14:52 UTC

To DPI,

Once again, Linus can do whatever he wants with the kernel with any tools. Not happy with that (or any Big compagnies in your collateralty (!) damaged)? Fine, make a copy of the tree and start to use another tool (CVS and Cie). You're free. Linus too. It's his pet.

P.

RE: Re:Who did
by Drill Sgt on Thu 6th Nov 2003 15:02 UTC

"This whole episode just underscores yet another weakness of open source software. You should deal with it in ways more constructive than starting a witch hunt."

Well, not just OSS in general. There has been plenty of commercial software repositories where the same type of thing has happened in the past. This is not specific to OSS, so it is a weakness of software development in general, where there are many people working on the same code base.

Get real. Zero risk doesn't exist.
by Olivier on Thu 6th Nov 2003 15:35 UTC

In which world has there ever been <strong>anything </strong> unbreakable,absolutely safe ? Even intelligence services know that : they have counter intelligence services.

Why would computing be expected to be faultless ? Granted, some security models are better than others (no need to point fingers here) but the mere existence of bugs implies the existence of vulnerabilities.
As long as everyone keeps that in mind, then there is a fighting chance.

anyone tried vesta ?
by mariuz on Thu 6th Nov 2003 15:59 UTC

It was used @ compaq
http://www.vestasys.org/doc/tutorial.html
very nice from the tutorial
I think is better than cvs ...IMHO

Re: Bitkeeper License
by Jack Perry on Thu 6th Nov 2003 16:00 UTC

Exactly, that's why my argument gives Linus less freedom as ''freedom fighter''. Cause in my eyes, he isn't, and the fact he uses and supports proprietary software as server makes my point more as-is, imo.

IIRC, Linus himself rejects the "freedom fighter" label. For Linus, this was a hobby, which (as he explicitly stated from the outset) was not meant to be a professional project like GNU. It's not Linus who tried to co-opt the GNU label; it's the GNU types who have been co-opting his kernel. It's ironic that they should then turn around and criticize him for "breaking the faith."

RE: Re:Who did
by ryan on Thu 6th Nov 2003 16:56 UTC

"The consequences of SUN, Oracle or MS getting caught far outweigh any benefits of breaching security and thus surely negates such a possibility."

no company would ever do this directly. That's not how things work. That are lots of channels to get things done indirectly so long as you have money though. Getting caught is nearly impossible. you keep the trail long and/or indirect and then again you can always count on the media to spin it or ignore it. the potential loss of billions encourages moral flexibility and lots of creativity. With the bunch of clowns in power in the US and rising in the EU, pretty much anything is fair game.

who cares about how people develop code
by cAPTAIN^k on Thu 6th Nov 2003 19:40 UTC

honestly, get over it guys ;)

next you'll be having a spitting match about how the monitor linus uses has some sort of proprietry design *SHOCK*HORROR*

v luckystrike
by Anonymous2likeEveryoneElse on Thu 6th Nov 2003 20:44 UTC
Once in a while they do get caught...
by HereSince00 on Thu 6th Nov 2003 23:21 UTC

"The consequences of SUN, Oracle or MS getting caught far outweigh any benefits of breaching security and thus surely negates such a possibility."

no company would ever do this directly. That's not how things work. That are lots of channels to get things done indirectly so long as you have money though. Getting caught is nearly impossible. you keep the trail long and/or indirect and then again you can always count on the media to spin it or ignore it. the potential loss of billions encourages moral flexibility and lots of creativity. With the bunch of clowns in power in the US and rising in the EU, pretty much anything is fair game.


Remember Oracle hiring private investigators to dig through Microsoft's trash:
http://www.wired.com/news/politics/0,1283,37278,00.html



Re Once in a while they do get caught...
by luckystrike on Fri 7th Nov 2003 01:34 UTC


Remember Oracle hiring private investigators to dig through Microsoft's trash:
http://www.wired.com/news/politics/0,1283,37278,00.html


Espionage between corporations is expected. It's the norm. But one firm doing actual harm to another...such as the mentioned back door planting...has to be rare.

And doing it to the free software movement and getting caught would be absolute corporate suicide.

no company would ever do this directly. That's not how things work


We all realize this...but whether it's direct or indirect, no company would leave themselves exposed to an unplugged hole that could be traced back to the source. MS,Sun and others are too smart for that.

Nixon
by Anonymous on Fri 7th Nov 2003 14:17 UTC

If you study the stupid things that the Nixon administration did that allowed them to get get caught you will see that the only thing that allowed it to go on for so long was people's disbelief that they were capable of being outright criminals...After Enron, I hold no disbelief about Bush, Microsoft etc. I guess you have to ask yourself one question, are they capable of systematic lies and conspiracy? Do you they hold some delusional truth they are pursuing that would allow them to overlook such hypocrisy? Are they capable of going beyond the point of no return, beyond being able to cover their asses? Because thats when they get caught and all act so very shocked.

correction
by Anonymous on Fri 7th Nov 2003 14:20 UTC

sorry, that should read:

Because thats when they get caught and (we) all act so very shocked.

They caught this one
by Smartpatrol on Fri 7th Nov 2003 17:16 UTC

How many trojans suceeded getting into the linux code base? we may never know.