[conspire] xz exploit and backdoor

Rick Moen rick at linuxmafia.com
Fri Apr 5 10:53:51 PDT 2024


Quoting Ron / BCLUG (admin at bclug.ca):

> I was mistaken - LibreSSL was the thing I was thinking of, not the
> hallucination called LibreSSH.
> 
> OpenSSL being responsible for HeartBleed, not OpenSSH.
> 
> I have a memory like a steel trap: rusty.

Honestly, I wasn't sure, myself!  And, as I said, in years past, I
actually made a point of keeping meticulously informed about what
software implements the SSH protocols.  And my uncertainty was further
fueled by other people making the same mistake, like my friend Rob
Landley on the Linux kernel mailing list, a decade ago, where he typed 
"LibreSSH" in a long and otherwise articulate and useful screed about
reducing software complexity and shedding spaghetti code:

  I thought we'd moved _on_ from the days of "this site optimized for
  Internet Explorer", but systemd is that all over again. Linux is all
  about modularity where you swap out OpenSSH for LibreSSH (or Dropbear)
                             ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  and swap out XFree86 for X.org and swap out glibc for eglibc (or uclibc
  or musl) and you have at least a fighting chance to make it work.
  Unfortunately, the systemd developers take the suggestion that you might
  want to keep the option of doing that open as some sort of personal
  attack.

https://lkml.org/lkml/2015/4/8/772

Rob was, in general terms, voicing my own larger concerns, which is part
of why I quoted that.  Notice, though, that "OpenSSH" wasn't just a
one-letter typo on his part; he really thought there was a
plug-compatible substitute for Portable OpenSSH of that name.  Funny,
but this shows it isn't just you.  ;->

When I was responding to you, [too] late at night (apologies for the
typos and punctuation errors, but I was tired out), I was thinking,
"Wait, LibreSSL makes sense because it's an OpenBSD Foundation cleanup
of the OpenSSL train-wreck, but what would 'LibreSSH' be?  An OpenBSD
Foundation cleanup of OpenBSD Foundation's own OpenSSH code?"

So, while I was thinking "I see no evidence of a LibreSSH ever
existing", I had enough uncertainty, fueled by things like Rob Landley's
own error, that I was honestly uncertain.


> Wait a second, I thought Chromium was, if not de-Googled, pre-Googled
> (the open browser that Google added their stuff to)?
[snip where you read what they do]

> Ah, okay, I feel comfortable with that as a backup browser.

On my own part:  Conditionally, with reservations.

The Blink/V8 browser engine is obviously compelling, and I'm glad it
exists.  The fact that it's single-sourced from the 2nd nosiest
corporation in the world is regrettable to say the least, and relying
_solely_ or primarily on it is Right Out, i.e., Firefox and Mozilla
Corporation remain very important, warts'n'all.

Part of my point about ungoogled-chromium's feasibility is that its
delta from Chromium is a fairly stable patchset that (almost entirely)
strips out undesired junk.  Based on that fact, I guesstimate that 
keeping it feasible and useful is not _too_ onerous a chore for a
relatively small band of volunteers.

Maintaining _Chromium_, by contrast, is a dizzyingly complex and
expensive task, that I imagine teams of volunteers without corporate
backing couldn't handle, any more than Firefox would be maintainable
without Mozilla Corporation having a revenue base, and continuing to see
its future in the browser codebase.

Web browsers are just that complex -- as Deirdre, who's been an insider
on WebKit / Apple Safari, can tell you.  Worryingly, they are also a
major attack target with a huge attack surface.  And about the best
protection we in the open source world have relies on those two big
corporate products, the Blink/V8 engine (Chromium) and the
Gecko/SpiderMonkey engine (Firefox).

Goanna is a Gecko fork (option 3), but I don't know much about it.
https://en.wikipedia.org/wiki/Goanna_(software)

Apple's WebKit2 (fully open source under LGPLv2.1 and BSD 2-clause)
is the other practical browser engine (option 4), forked by Lisa Melton
in -- whoa!  -- 2001 from KDE's kHTML (Konqueror, etc.).

I don't think there's (yet?) been much takeup of WebKit2 (or the
preceding WebKit) in open source browsers.  It's of course the lion's
share of code underlying and comprising Apple's proprietary Safari
Web browser, which by the way, aside from being proprietary is worthy of
respect.  Most of what else's been based on WebKit so far is third-party
proprietary projects, such as (and this strikes me as wacky) the Google
Chrome browser for iOS, built atop WebKit and _not_ built atop an iOS
port of Google's Blink engine.

There are some open source browsers based on WebKit, but they're
really obscure:  GNOME's "Web" (formerly Epiphany), and also the
Japanese browser Midori, in the latter case until the project got bought
out in 2019, at which point it got recoded for Gecko.  As far as I know,
that's it.

> Yeah, that'll do.
> 
> Long Live Firefox.

So say we all.
https://www.youtube.com/watch?v=EisvM8F_5PE

(Hey, link is from another of Canada's gifts to world culture, BSG.)

A great speech, despite Adama lying shamelessly to almost everyone, 
having no such plan, and not even having any clear idea what to do.
Metaphor, anyone?

-- 
Cheers,             "Are you sure it’s that simple?  After all my time here, 
Rick Moen           I’ve yet to see any problem, however complicated, which 
rick at linuxmafia.com when you looked at it the right way, didn’t become still 
McQ! (4x80)         more complicated."     -- Poul Anderson, in "Call Me Joe"