[linux-elitists] Rooted kernel.org hosts (was: PJ takes her victory lap)
jays at panix.com
Wed Aug 31 22:53:30 PDT 2011
Elitists! Please forgive my failure to arrange proper
threading, if thread be not arranged properly!
On Wed, 31 Aug 2011, Rick Moen <rick at linuxmafia.com> wrote:
> Quoting Rick Moen (rick at linuxmafia.com):
>> In other news, here.kernel.org was recently determined to be hax0red, and
>> Jon C. kindly explained to journos why the sky remains determinedly unfallen.
> Typo; I knew full well that the hostname is 'hera', but my fingers were
> in rebellion.
> Anyway, cross-posting my query from LWN:
> I'm curious about two points not (to my knowledge) yet covered, probably
> for the simple reason that there hasn't been enough time for proper
> 1. What was the escalation path to root?
> 2. Completely aside from the git repo contents, were the downloadable
> *.tar.[gz|bz2] source archives trojaned? Are there any non-site-local
> mechanisms in place to detect such tampering (other than, of course, the
> fact that the Linux Kernel Archives OpenPGP key is well known, and some
> of us bother to check the *.tar.[gz|bz2].sign files?
From front page of http://www.kernel.org just now:
However, it's also useful to note that the potential damage of
cracking kernel.org is far less than typical software
repositories. That's because kernel development takes place using
the git distributed revision control system, designed by Linus
Torvalds. For each of the nearly 40,000 files in the Linux
kernel, a cryptographically secure SHA-1 hash is calculated to
uniquely define the exact contents of that file. Git is designed
so that the name of each version of the kernel depends upon the
complete development history leading up to that version. Once it
is published, it is not possible to change the old versions
without it being noticed.
Those files and the corresponding hashes exist not just on the
kernel.org machine and its mirrors, but on the hard drives of
each several thousand kernel developers, distribution
maintainers, and other users of kernel.org. Any tampering with
any file in the kernel.org repository would immediately be
noticed by each developer as they updated their personal
repository, which most do daily.
Here is a copy of Satoshi Nakamoto's announcement of his Bitcoin
paper on the cryptography list:
Bitcoin P2P e-cash paper
Sat, 01 Nov 2008 16:16:33 -0700
I've been working on a new electronic cash system that's fully
peer-to-peer, with no trusted third party.
The paper is available at:
The main properties:
Double-spending is prevented with a peer-to-peer network.
No mint or other trusted parties.
Participants can be anonymous.
New coins are made from Hashcash style proof-of-work.
The proof-of-work for new coin generation also powers the
network to prevent double-spending.
Bitcoin: A Peer-to-Peer Electronic Cash System
Abstract. A purely peer-to-peer version of electronic cash would
allow online payments to be sent directly from one party to another
without the burdens of going through a financial institution.
Digital signatures provide part of the solution, but the main
benefits are lost if a trusted party is still required to prevent
double-spending. We propose a solution to the double-spending
problem using a peer-to-peer network. The network timestamps
transactions by hashing them into an ongoing chain of hash-based
proof-of-work, forming a record that cannot be changed without
redoing the proof-of-work. The longest chain not only serves as
proof of the sequence of events witnessed, but proof that it came
from the largest pool of CPU power. As long as honest nodes control
the most CPU power on the network, they can generate the longest
chain and outpace any attackers. The network itself requires
minimal structure. Messages are broadcasted on a best effort basis,
and nodes can leave and rejoin the network at will, accepting the
longest proof-of-work chain as proof of what happened while they
Full paper at:
The announcement is archived at
The Linux kernel "web of Git" is a realization of an
approximation of the "Bitcoin web", that is, Satoshi's block
chain system. The claim is that, by somewhat different means,
the Linux kernel web is also somewhat resilient against attack by
injection of bad blocks^Wkernel trees.
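The kernel.org text above says that every version name depends on the complete history, and the analogy drawn to the block chain rests on the same hash-chaining idea. The following Python is an added example, not code from this post, from kernel.org or from the git project: it reproduces git's real object formats (blob, tree for a flat directory, commit) with SHA-1, builds a short linear history, then plays the defender's check of recomputing the chain against ids pulled earlier. The file names, contents, commit messages, author identity and timestamp are constructed; the "tamper" helper is a constructed model of a mirror serving an altered old file, not anything reported about the hera incident.

```python
"""Git-style hash chain: why altering an old file changes every later commit id.

Git names an object by SHA-1 over "<type> <size>\0<payload>".  A tree lists
blob ids, a commit embeds its tree id and parent commit id, so a commit id is
a function of the entire history behind it.  Subdirectories are not modelled
here (a flat tree is enough to show the chaining); everything else follows
the real object layouts, so blob_id(b"hello\n") matches `git hash-object`.
"""
import hashlib
from typing import Dict, List, Optional, Tuple

Snapshot = Tuple[str, Dict[str, bytes]]  # (commit message, {filename: contents})


def git_object_id(obj_type: str, payload: bytes) -> str:
    """SHA-1 of the object exactly as git stores it: header, NUL, payload."""
    header = f"{obj_type} {len(payload)}".encode() + b"\0"
    return hashlib.sha1(header + payload).hexdigest()


def blob_id(data: bytes) -> str:
    return git_object_id("blob", data)


def tree_id(files: Dict[str, bytes]) -> str:
    """Git tree entry: "<mode> <name>\0" + 20 raw SHA-1 bytes, sorted by name."""
    body = b"".join(
        b"100644 " + name.encode() + b"\0" + bytes.fromhex(blob_id(data))
        for name, data in sorted(files.items())
    )
    return git_object_id("tree", body)


def commit_id(tree: str, parent: Optional[str], message: str) -> str:
    """Commit payload as git writes it; identity/timestamp are constructed and fixed."""
    ident = "Example Dev <dev@example.invalid> 1314835200 +0000"
    lines = [f"tree {tree}"]
    if parent is not None:
        lines.append(f"parent {parent}")  # this line is what chains history
    lines += [f"author {ident}", f"committer {ident}", "", message, ""]
    return git_object_id("commit", "\n".join(lines).encode())


def build_history(snapshots: List[Snapshot]) -> List[str]:
    """Commit ids for a linear history; each id depends on all earlier ones."""
    ids: List[str] = []
    parent: Optional[str] = None
    for message, files in snapshots:
        parent = commit_id(tree_id(files), parent, message)
        ids.append(parent)
    return ids


def verify_history(snapshots: List[Snapshot], trusted_ids: List[str]) -> Optional[int]:
    """Recompute the chain from served content; return index of the first commit
    whose id differs from the trusted copy, or None if everything matches."""
    for i, (got, want) in enumerate(zip(build_history(snapshots), trusted_ids)):
        if got != want:
            return i
    return None


def tamper(snapshots: List[Snapshot], index: int, name: str, data: bytes) -> List[Snapshot]:
    """Constructed attack model: a copy of the history with one file in commit
    `index` replaced, as a compromised mirror would have to serve it."""
    copy = [(msg, dict(files)) for msg, files in snapshots]
    copy[index][1][name] = data
    return copy


# Constructed three-commit history standing in for a kernel tree.
HISTORY: List[Snapshot] = [
    ("v1: initial import", {"Makefile": b"VERSION = 3.0\n",
                            "main.c": b"int main(void) { return 0; }\n"}),
    ("v2: bump version",   {"Makefile": b"VERSION = 3.1\n",
                            "main.c": b"int main(void) { return 0; }\n"}),
    ("v3: add README",     {"Makefile": b"VERSION = 3.1\n",
                            "main.c": b"int main(void) { return 0; }\n",
                            "README": b"Linux kernel\n"}),
]


def demo() -> Tuple[Optional[int], List[int]]:
    """Developer holds ids pulled yesterday; mirror now serves v1 with main.c altered.
    Returns (first mismatching commit index, indices of all commits whose id moved)."""
    trusted = build_history(HISTORY)
    served = tamper(HISTORY, 0, "main.c", b"int main(void) { return 1; }\n")
    first_bad = verify_history(served, trusted)
    moved = [i for i, (a, b) in enumerate(zip(build_history(served), trusted)) if a != b]
    return first_bad, moved


if __name__ == "__main__":
    print("blob id of 'hello\\n':", blob_id(b"hello\n"))
    print("first mismatch, commits whose id changed:", demo())
```

The point the check makes concrete: an altered v1 blob gives v1 a new tree and a new commit id, and because v2 and v3 name their parent by id, their ids move too even though their own files are untouched. A mirror therefore cannot serve a changed old file without either rewriting every descendant (every developer's `git pull` sees unfamiliar ids) or leaving a parent pointer whose object no longer hashes to its name. This covers only the git half of the analogy; the block chain replaces "thousands of independent copies" with proof-of-work as the cost of rewriting history.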
> linux-elitists mailing list
> linux-elitists at zgp.org