[CentOS-devel] CentOS Interoperability SIG

Wed Jan 29 11:16:10 UTC 2014
Ljubomir Ljubojevic <centos at plnet.rs>

On 01/29/2014 06:10 AM, Johnny Hughes wrote:
> If CentOS exists as a rebuild of the EL codebase and if the rebuilt code
> works and is tested by the community ... AND if the same source code can
> be used as the basis for the addon variant or repos seamlessly (as is
> our goal), then why does someone else need to rebuild the rebuilt code
> again under another name?

The reason does not have to be to build a public distro, or maybe a public 
one but for other purposes. One of the issues every user of CentOS is facing 
is security.

The reality is that CentOS rebuilds packages to be 100% binary compatible. 
That means rebuilding against specific versions of packages for 
dependencies. Essentially, your packages will have the same security bug RHEL 
has, if that bug was created by manipulating the environment. I recently 
read an article which explains how compiling first with a modified 
compiler and then with a "proper"/vanilla one can introduce changes, so that 
the same code of the package will be binary different.

So the first thing that comes to my mind is: if several persons inside Red 
Hat decide which environment will be created to build a package, is it 
possible for those persons to be working with the NSA to implant hardly 
detectable security holes? Even the Red Hat CEO does not have to be aware 
of that. And if the process is non-transparent and needs tweaking, then one 
can assume foul play is possible.

As a normal CentOS user, I do not really care much if my system has such a 
sophisticated hole, but any foreign govt (non-USA) would have serious 
concerns about using something the USA could have tampered with.

For example, the Russian govt uses (as far as I remember) REL (Rosa 
Enterprise Linux). It is part of the Russian govt FOSS project, for use 
by all govt branches, just like RHEL is used by the USA govt. What about 
other govts that distrust both the USA and the Russians?

And with recent claims that the NSA is also running industrial espionage in 
favor of USA companies, big international companies could be reluctant 
to use either RHEL or CentOS, or any other 100% binary clone.

The argument about the USA govt using the same packages does not have to be true. 
Since Red Hat has a closed update/package network with accounts, how hard 
would it be to hook USA govt systems to a slightly different channel with a 
few key packages without the bugs that exist for all other users of Red Hat? 
Maybe just an active symlink creation pointing to secret packages.

That is why people might want to totally control the building process 
without spending large amounts of time. Even if only to compare packages 
built against different environments.

-- 
Ljubomir Ljubojevic
(Love is in the Air)
PL Computers
Serbia, Europe

StarOS, Mikrotik and CentOS/RHEL/Linux consultant
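The comparison the message ends on, rebuilding the same source in two environments and checking whether the output differs, can be done file by file. The following is an added example, not code from the mailing list or from the CentOS project; it assumes the two builds have been unpacked into two directory trees (the demo constructs a small sample pair in a temporary directory).

```python
"""Compare two builds of the same package tree file-by-file.

Added example (not from the mailing list): given two directories holding the
unpacked output of building the same source in two different build
environments, report which files differ, so a reviewer can inspect them.
"""
import hashlib
import os
import tempfile


def _file_digests(root):
    """Map each relative file path under root to its SHA-256 digest."""
    digests = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root)
            with open(full, "rb") as fh:
                digests[rel] = hashlib.sha256(fh.read()).hexdigest()
    return digests


def compare_builds(build_a, build_b):
    """Return paths only in A, only in B, and present in both but differing."""
    da, db = _file_digests(build_a), _file_digests(build_b)
    return {
        "only_in_a": sorted(set(da) - set(db)),
        "only_in_b": sorted(set(db) - set(da)),
        "differing": sorted(p for p in set(da) & set(db) if da[p] != db[p]),
    }


def demo():
    """Constructed sample: two build trees whose binary differs, config does not."""
    tmp = tempfile.mkdtemp()
    a, b = os.path.join(tmp, "build_a"), os.path.join(tmp, "build_b")
    for root in (a, b):
        os.makedirs(os.path.join(root, "usr", "bin"))
        os.makedirs(os.path.join(root, "etc"))
    files = {  # relative path -> (content in build A, content in build B)
        os.path.join("usr", "bin", "tool"): (b"\x7fELF-build-1", b"\x7fELF-build-2"),
        os.path.join("etc", "tool.conf"): (b"debug=0\n", b"debug=0\n"),
    }
    for rel, (content_a, content_b) in files.items():
        with open(os.path.join(a, rel), "wb") as fh:
            fh.write(content_a)
        with open(os.path.join(b, rel), "wb") as fh:
            fh.write(content_b)
    with open(os.path.join(b, "etc", "extra.conf"), "wb") as fh:
        fh.write(b"x=1\n")  # a file only the second environment produced
    return compare_builds(a, b)


if __name__ == "__main__":
    print(demo())
```

Files that differ only because of embedded timestamps or build paths will show up too, so the list is a starting point for inspection rather than proof of tampering.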