[CentOS] Can we trust RedHAt encryption tools?

Mon Jan 6 16:39:20 UTC 2014
m.roth at 5-cent.us <m.roth at 5-cent.us>

James B. Byrne wrote:
> Recently I have been deeply troubled by evidence revealing the degree to
> which U.S. based corporations (well actually all resident in any of the
> so-called 5-eyes countries) appear to have rolled over and assumed the
> position with respect to NSA inspired pressure to cripple public key
> encryption and
> facilitate intrusions into their software products.  This has engendered
> in me a significant degree of doubt surrounding the integrity of RHEL; and
> therefore of CentOS since it claims to be a bug for bug, and therefore
> an exploit for exploit, copy of RHEL.
<snip>
>
> Where this discourse is leading is to the question of whether or not
> CentOS should provide OpenSSL built from clean sources as an extra or plus
> package and perhaps httpd, sshd and ssh-client and related pki
> based/reliant packages as well. Similarly, should CentOS.org provide
> tested spec files that will provide individual system admins a simple
> method of building these packages from source?
>
> I think that CentOS.org probably should provide this but I am afraid that
> I cannot make a strong public case.  Suffice that my belief is informed
> from
<snip>
I agree, but I just don't know how much in the way of manhours that would
be involved.

However, if you do get it all built, and build packages out of them, there
is an extras? contribs? repo, and I'd encourage you to submit it for that.

         mark