Tin Hats Vs Red Hat
Off the Beat: Bruce Byfield's Blog
Ordinarily, I avoid anything to do with Roy Schestowitz and TechRights. The interaction is rarely worth the seemingly compulsive abuse I inevitably receive. However, Schestowitz's recent claim that Red Hat Enterprise Linux (RHEL) includes a back door for the NSA is an exception -- especially since the story has been picked up by FOSS Force (http://fossforce.com/), where, despite the site's skepticial coverage of the claim, its latest poll shows that 34% believe the story, and 27% don't know what to think.
Schestowitz writes that RHEL cannot be trusted because "RHEL is binary and based on news from half a decade ago, the NSA is said to be involved in the building process." To support this suggestion, he refers to a seemingly random collection of evidence, such as previous articles he has written that are long on speculation and short on credibility, and a couple of major but unexceptional recent security advisories. For further proof, he mentions that Red Hat CEO Jim Whitehurst once worked for Boeing, which he ties into the US government by mentioning its extensive Pentagon contracts. He ends by urging readers to use CentOS instead, on the grounds that "CentOS is built from source (publicly visible)" and that "blind faith in binary distributions is a bad thing."
Strangely enough, my own preferences are much the same as the ones that Schestowitz declares; I prefer community-based distributions and I am wary of large corporations like Red Hat. However, unlike Schestowitz, I also feel a responsibility to avoid slinging accusations unless I have evidence to support them -- and, in this case, no evidence exists.
Binary vs. source
Most of what Schestowitz mentions in his article is not evidence so much as facts that help to create an air of suspicion around Red Hat. His main argument is that Red Hat is untrustworthy because it distributes binaries, and CentOS makes source code easily available.
When saying that "RHEL is binary," Schestowitz may be reflecting the fact that finding its download site from the Red Hat main site is difficult. Instead, the site emphasizes evaluation copies and a $99 developers' copy.
Alternatively, Schestowitz may be vaguely remembering the fact that, for the last few years, Red Hat has shipped kernels with patches pre-applied, which makes identifying the changes more difficult. This change is widely believed to be intended as an obstacle to borrowings from its rival Oracle.
Yet, even if Red Hat's kernel was available only in binary form, you could always build your own kernel from sources downloaded the Linux Kernel Archives. You might have some difficulties because you are missing RHEL's own patches, but users try such experiments regularly, and, with patience and online research, many succeed.
Fortunately, such an extra effort is unnecessary. Whatever the source of Schestowitz's statement, it is plainly incorrect. Scroll down the list of files in RHEL's download site, and you find that the source code is there for the download. Apparently, Schestowitz forgot that, by the terms of the free-licenses on which all distributions are built, Red Hat is obligated to provide source code.
You might argue -- as he does not -- that Red Hat's arrangements keep to the letter of its licenses while undermining their spirit, but that is not at all the same as providing only binary code.
The false alarm
Even if Schestowitz was right, switching from RHEL to CentOS would not free you from the possibility of a back door. After all, CentOS is build on the same source code as RHEL makes available for downloading, just like other RHEL derivatives. If a backdoor existed, sooner or later, the developers of CentOS or other RHEL-derived distributions would have noticed before now. For that matter, so would RHEL customers, for whom kernel patches are still available separately. All these developers, I imagine, would respond with howls of outrage at the betrayal.
True, the paranoid might speculate whether Red Hat was doing some sleight of hand, making clean source code available for download while shipping with a tainted kernel. But if you have reached that stage of suspicion, you would stay closer to lucid if you avoided the major distributions altogether and using Linux from Scratch.
The idea of corporate corruption plays well in free software. I'm not comfortable with defending a billion dollar corporation myself. Yet Schestowitz's claims can only seem plausible if you have never had anything to do with source code, fail to do some basic research, and forget anything you ever knew about licensing. As for his solution of moving to CentOS, any security problems could not possibly be improved by the effort.
In other words, the alarm is over, and for now you can stand down. There's no emergency so far as anyone can see, and your tin foil hat will only get you laughed at if you go outside.
comments powered by DisqusSubscribe to our Linux Newsletters
Find Linux and Open Source Jobs
Subscribe to our ADMIN Newsletters
Support Our Work
Linux Magazine content is made possible with support from readers like you. Please consider contributing when you’ve found an article to be beneficial.
News
-
Juno Computers Launches Another Linux Laptop
If you're looking for a powerhouse laptop that runs Ubuntu, the Juno Computers Neptune 17 v6 should be on your radar.
-
ZorinOS 17.1 Released, Includes Improved Windows App Support
If you need or desire to run Windows applications on Linux, there's one distribution intent on making that easier for you and its new release further improves that feature.
-
Linux Market Share Surpasses 4% for the First Time
Look out Windows and macOS, Linux is on the rise and has even topped ChromeOS to become the fourth most widely used OS around the globe.
-
KDE’s Plasma 6 Officially Available
KDE’s Plasma 6.0 "Megarelease" has happened, and it's brimming with new features, polish, and performance.
-
Latest Version of Tails Unleashed
Tails 6.0 is based on Debian 12 and includes GNOME 43.
-
KDE Announces New Slimbook V with Plenty of Power and KDE’s Plasma 6
If you're a fan of KDE Plasma, you'll be thrilled to hear they've announced a new Slimbook with an AMD CPU and the latest version of KDE Plasma desktop.
-
Monthly Sponsorship Includes Early Access to elementary OS 8
If you want to get a glimpse of what's in the pipeline for elementary OS 8, just set up a monthly sponsorship to help fund its continued existence.
-
DebConf24 to be Held in South Korea
Busan will be the location of the latest DebConf running July 28 through August 4
-
Fedora Unleashes Atomic Desktops
Fedora has combined its solid distribution with rpm-ostree system to make it possible to deliver a new family of Fedora spins, called Fedora Atomic Desktops.
-
Bootloader Vulnerability Affects Nearly All Linux Distributions
The developers of shim have released a version to fix numerous security flaws, including one that could enable remote control execution of malicious code under certain circumstances.