Recently I have been deeply troubled by evidence revealing the degree to which U.S. based corporations (well actually all resident in any of the so-called 5-eyes countries) appear to have rolled over and assumed the position with respect to NSA inspired pressure to cripple public key encryption and facilitate intrusions into their software products. This has engendered in me a significant degree of doubt surrounding the integrity of RHEL; and therefore of CentOS since it claims to be a bug for bug, and therefore an exploit for exploit, copy of RHEL.
Reinforcing my doubt is the tale surrounding the long outstanding bug report respecting OpenSSL (https://bugzilla.redhat.com/show_bug.cgi?id19901) opened in October of 2007. This problem was only recently addressed and then only after a good deal of pointed public questioning by numerous security commentators. RedHat’s reference to ‘patent’ issues surrounding this ‘bug’ are unsubstantiated by any documented evidence. The only response justifying RedHat’s lack of movement is some hand-waving about corporate legal opinion. Despite suggestive language by some RH employees (https://bugzilla.redhat.com/show_bug.cgi?ida2265#c3) the exact nature of the patent legal problem was never specifically laid out for public comment. Equally troubling to me is the complete lack of any information on what patent issue was finally resolved and how it was resolved so that the related bugs could be fixed.

As patents (with very, very few exceptions) are by their very nature not secret, one wonders if the so-called legal problem was of a fundamentally different nature, no less real but somewhat less savoury from a PR standpoint.
In consequence, after a good deal of agonizing over what was within my means to do, I have spent the weekend rebuilding Apache httpd from Apache sources to obtain TLSv1.2. While I still do not have a working copy (yet) I did learn a great deal of how RH back-porting patch policy appears to work. But in the process of researching how to get this package built I ran across a number of discussions respecting OpenSSL, which is the fundamental layer upon which pki rests, and RedHat (http://www.linuxadvocates.com/2013/09/is-openssls-cryptography-broken.html). None of them were very comforting.
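Two offline checks that go with the rebuild described above, as an added example that is not part of the original post: the first tells whether an `openssl version` string is from a release that can negotiate TLSv1.2 at all (TLSv1.2 first shipped in OpenSSL 1.0.1, so a 1.0.0 or 0.9.8 library cannot offer it no matter how httpd was built), the second evaluates an httpd `SSLProtocol` line the way mod_ssl does (a bare name replaces the set, `+name` adds, `-name` removes, `all` means every version the linked library knows) and reports whether TLSv1.2 is still enabled. The function names and the sample version strings and directives are constructed for this example; feed the real `openssl version` output and the real directive from httpd.conf in practice.

```shell
#!/bin/sh
# Added example: offline sanity checks for a from-source httpd/OpenSSL build.
# Function names and sample inputs are constructed for illustration.

# Prints "yes" if the version string is OpenSSL >= 1.0.1 (first TLSv1.2 release),
# "no" if older, "unknown" if the string cannot be parsed.
openssl_version_has_tls12() {
  # Extract "major minor patch" from e.g. "OpenSSL 1.0.1e-fips 11 Feb 2013"
  v=$(printf '%s\n' "$1" | sed -n 's/^OpenSSL \([0-9][0-9]*\)\.\([0-9][0-9]*\)\.\([0-9][0-9]*\).*/\1 \2 \3/p')
  [ -n "$v" ] || { echo unknown; return 1; }
  set -- $v    # now $1=major $2=minor $3=patch
  if [ "$1" -gt 1 ] || { [ "$1" -eq 1 ] && { [ "$2" -gt 0 ] || [ "$3" -ge 1 ]; }; }; then
    echo yes
  else
    echo no
    return 1
  fi
}

# Evaluates one "SSLProtocol ..." line with mod_ssl's semantics (see lead-in)
# and prints "yes" if TLSv1.2 ends up enabled, "no" otherwise.
ssl_protocol_allows_tls12() {
  all="sslv2 sslv3 tlsv1 tlsv1.1 tlsv1.2"   # everything a 1.0.1+ library knows
  enabled=""                                 # space-separated set being built
  for tok in $(printf '%s\n' "$1" | sed 's/^[[:space:]]*SSLProtocol[[:space:]]*//'); do
    case "$tok" in
      +*) op=add; name=${tok#+} ;;
      -*) op=del; name=${tok#-} ;;
      *)  op=set; name=$tok ;;
    esac
    name=$(printf '%s' "$name" | tr 'A-Z' 'a-z')   # mod_ssl matches case-insensitively
    [ "$name" = "all" ] && names="$all" || names="$name"
    case "$op" in
      set) enabled="$names" ;;                      # bare name overrides the set
      add) enabled="$enabled $names" ;;
      del) new=""
           for e in $enabled; do
             keep=1
             for d in $names; do [ "$e" = "$d" ] && keep=0; done
             [ $keep -eq 1 ] && new="$new $e"
           done
           enabled="$new" ;;
    esac
  done
  for e in $enabled; do
    [ "$e" = "tlsv1.2" ] && { echo yes; return 0; }
  done
  echo no
  return 1
}

# Constructed samples, not output captured from any real system.
for ver in "OpenSSL 1.0.0-fips 29 Mar 2010" "OpenSSL 1.0.1e-fips 11 Feb 2013"; do
  printf '%-42s TLSv1.2-capable library: %s\n' "$ver" "$(openssl_version_has_tls12 "$ver")"
done
for dir in "SSLProtocol all -SSLv2" "SSLProtocol all -SSLv2 -SSLv3 -TLSv1.2" "SSLProtocol TLSv1 TLSv1.1"; do
  printf '%-42s TLSv1.2 enabled in httpd: %s\n' "$dir" "$(ssl_protocol_allows_tls12 "$dir")"
done
```

The version check is necessary but not sufficient: a vendor build can disable protocols or ciphers at compile time without changing the reported version, so the authoritative test of a rebuilt server is a real handshake (`openssl s_client -tls1_2 -connect host:443` from a 1.0.1+ client) rather than the version string.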
Where this discourse is leading is the question of whether or not CentOS should provide OpenSSL built from clean sources as an extra or plus package and perhaps httpd, sshd and ssh-client and related pki based/reliant packages as well. Similarly, should CentOS.org provide tested spec files that will provide individual system admins a simple method of building these packages from source?
I think that CentOS.org probably should provide this but I am afraid that I cannot make a strong public case. Suffice that my belief is informed from personal previous experience with federal agencies’ investigative techniques and the all too frequent willingness of commercial interests to take the road of least resistance when pressured, particularly where the spectres of expensive litigation and targeted regulatory enforcement loom in the background.
I believe that the issue is of pressing interest to the entire community and I would like to read what others have to say on the matter.