Conversation

> People review the Linux kernel

Who reviews Linux kernel in anything but a very shallow and targeted way?

> I won't ever give up my right to review and for others to review what they can.

You have a right to inspect / review closed source software too.
And I don't really see what stops inspecting / reviewing it with the same care / depth. It's not even obfuscated in any way. If you took the alternate approach of getting official access to the sources, you give up your right to publish them, obviously not to review them.
But regardless, you're not really reviewing / auditing code, and there is not a community of people doing it. If there was, they wouldn't be blocked by only having compiled, unobfuscated libraries in some cases. As you're well aware there aren't even people interested in building
The Linux kernel is far beyond doing any kind of serious auditing / review, and there are not people even attempting to do that across it. Even Linus lacks a grasp of it as a whole. Chromium or any other functional browser engine is the same situation. What do you plan to ship?
> there is 250gb of source code to build android

No, there isn't.

> who has time to build it let alone review it?

How exactly do you plan on doing any meaningful review of the Linux kernel, no one else is doing either? Also, a browser engine has more code + more time to build.
Chromium has more code that's actually used than the Android userspace and it takes more time to build. How are you going to review that? And the Linux kernel? You're going to get 400 developers to take 10 years to fully review Linux 4.14? And then what? What does it accomplish?
How exactly do you intend on finding a subtle backdoor designed to be hidden with this kind of review anyway? I seriously doubt the chances of success even with a very small scale project. It's not like you will find most non-hidden vulnerabilities that are just accidents.