[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

the RISKS of Red Hat (as it stands)

From: Tom Lord
Subject: the RISKS of Red Hat (as it stands)
Date: Tue, 3 Sep 2002 21:30:08 -0700 (PDT)

------- Start of forwarded message (with minor edits) -------
Date: Sat, 31 Aug 2002 11:19:59 -0700 (PDT)
From: Tom Lord <>
To: andru@CS.Cornell.EDU
Subject: RISKS of Red Hat
X-UIDL: c,!#!XlV!!#dd"!!:R!!

Andrew, you suggested or asked for a concise argument.  There's too
many things wrong here to put the whole dispute in just one argument,
but here's a good aspect to focus on:

This is just about the risks.  The complementary arguments are about
how fixing these risks can also lead to improved business models, even
if the risks never become an issue.

        1) Red Hat is the de facto controller and/or filter (for the
           business world and many individuals) of a lot of very
           important source, including many foundational components
           upon which everything else in the system depends for
           correct and secure operation (e.g., GCC).

        2) The infrastructure they have built and defend makes many
           aspects of Red Hat a black-box single-point-of-failure for
           those components, hence for everything that depends on

           2a) One classic attack is documented in Ken Thompson's "On
               Trusting Trust" ACM Turing Award lecture.  How many of
               the world's compilations are performed by a GCC binary
               that descends from a GCC binary that originates at Red
               Hat (for example) or from a vendor compiler of a decade
               ago that nobody has the source for?  The nice thing
               about the compiler attack is that anyone with access to
               Red Hat's facilities is likely to be able to pull it
               off without being noticed.

           2b) Another classic attack centers on the idea of
               d.o.s.'ing Red Hat before launching other widespread
               attacks on sites running Red Hat.  Presumably they have
               other paths to larger customers but "2 x very weak ==
               very weak".  Other approaches, such as intensive
               background checks and access limitations on the site
               are both expensive, liability inducing, and far less
               effective than simply managing the source better.

           2c) The volume of source handled by Red Hat, divided by the
               total number of employees (nevermind engineers), is 
               absurd.   Just that metric alone should raise red flags.

Arch is a cornerstone element for an infrastruture that can eliminate
that single-point-of-failure weakness.  In addition to the raw
technology, it might help to explore how to use arch to fully
appreciate what I'm proposing -- but if your eyes simply glaze over
when I talk about patch sets or star-topology, that's a problem.

Arch isn't rocket science -- it's just good sense.  It's also a big
challenge to figure out how to incorporate it into existing businesses

- -t
------- End of forwarded message -------

reply via email to

[Prev in Thread] Current Thread [Next in Thread]