Can we still trust in British companies... and in Ubuntu ? (relaxed version)

[Martin_Gerber]

Now take all these facts plus the fact that Canonical is a British company and that Ubuntu is the most well-known Linux derivative.

I think it is no longer absurd that some programmers of Canonical might work for the GCHQ and that they already added some backdoors to Ubuntu that allow the GCHQ to remote-access every Ubuntu-PC and Ubuntu-server. In particular I think it is a doubtful quality assessment that the GCHQ itself awarded Ubuntu as the most secure OS [16].

I really hope for a clear statement of Canonical or of Mark Shuttleworth against total surveillance - for example Canonical could move its head office away from the UK to some country that shows much less surveillance fanaticism.

What do you think about all this? Does the loss of trust in British companies also affect Ubuntu? Or is everything just fine and I am simply paranoid?

(Note: I am responsible for ~30 Ubuntu-desktop-PCs and 5 Ubuntu-internet/intranet-webservers, and I am really worrying whether I should stop using Ubuntu)

[Martin_Gerber]

(let me just copy&paste the answer of mastablasta, given in the other thread)

the code is open. so what backdoors are you talking about? and what kind of activities are you doing on desktops that would even attract some government attention?

Cannonical doesn't create the OS from scratch, they repackage Debian, add a few features, add some programs and you get Ubuntu in the end. yes, you are paranoid.

if you feel you can't shake off the paranoia then use Tails, but you will never know if anyone inserted anything into the OS unless you are prepared to check all the code. another option would be to assemble your own Linux from scratch.

[Barsoom88]

Paranoia occurs when an event is NOT happening. Edward Snowden proved is was. Hence, no paranoia.

[zombifier25]

Paranoia occurs when an event is NOT happening. Edward Snowden proved is was. Hence, no paranoia.

Elaborate? Because as far as we're concerned Ubuntu is a repackaged Debian, and its source code is completely open source. Any bug (as in tracking bug) inserted into the code would be discovered immediately by the maintainers.

[howefield]

Thread moved to the "Ubuntu, Linux and OS Chat" forum, and OP edited to comply with Code of Conduct.

[grahammechanical]

I think it is no longer absurd

It is the height of absurdity to make assumptions and then turn those assumptions into beliefs. It is even more absurd to then demand evidence that what you believe is false. And then to claim that as no one is providing evidence that the belief is false, then it must be surely be true and you were right all along.

Do you not realise that by using the internet to access this forum which is hosted on Canonical servers and by making such assertions you have exposed yourself to the very people that you wish to hide from? Now, if what you claim is not true, then we are safe talking about these matters.

I do not have to be a Vulcan to know that what you have done is illogical. The biggest security risk to those computers you are responsible for is the users of those machines themselves.

[oldos2er]

(Note: I am responsible for ~30 Ubuntu-desktop-PCs and 5 Ubuntu-internet/intranet-webservers, and I am really worrying whether I should stop using Ubuntu)

And use which OS?

[Martin_Gerber]

@mastablasta, @zombifier25
The latest OpenSSL-Heartbleed and the Bash-Bug show that even open source does not protect us from dramatic bugs that stay open for years. New source may also contain subtle "bugs" intentionally. But probably even more important is that the binaries need not to match the source. Almost nobody compiles Ubuntu from scratch, but relies on the provided binaries - which might include some slightly modified "special versions" of typically used software (Firefox, System Services, ...). Technically, adding backdoors to binaries is a simple issue, so it's all about "trusting the distributor". I totally lost my trust in companies from the US, and I am loosing my trust in companies from the UK.

@grahammechanical
I do not see these forums as the lion's den. I am enthusiastically addicted to Ubuntu over many years now. But my enthusiasm is damped because of the reasons explained in my OP. So I am hoping for some new reasons that allow me to be enthusiastic again. For example, probably someone here knows some interview with CEOs from Canonical or with Mark Shuttleworth, where they regard Snowden with favour, or that they support the Wau Holland Foundation, etc., or that they do other proactive things that show that Ubuntu takes a firm stand against total surveillance.

@oldos2er
> And use which OS?
Many Linuxes belong to Red Hat or Novell. So probably the distributed community structure of Debian is much more trustworthy than any Five-Eyes-company. And there are some BSD variants, which might also fit my needs. I don't want to use something like Tails, which automatically routes everything via the Tor network. I just want to use some OS in which I can trust in as much as possible.

Some of you asked why I care about this at all if I am no terrorist? The examples in the OP show that NSA/GCHQ do not only spy out because of terrorism, but also for political and economical reasons (and I do state-of-the-art research on sensitive data). Further, not only terrorists have to fear reprisals, but also other people, like for example Ilija Trojanow, Saad Allami, Evo Morales, Justin Carter, Henry Smith, David Miranda, ... since I travel job-related to US and UK, it might also happen to me. Not because I am a terrorist, but because I publically criticize total surveillance - which is apparently the same according to Bush's logic of "who is not with us is against us", and Cameron's logic of "modern democracy".

[ian-weisser]

But probably even more important is that the binaries need not to match the source. Almost nobody compiles Ubuntu from scratch, but relies on the provided binaries.

The source package input, build systems, and build logs for both Debian and Ubuntu are thoroughly transparent and duplicable, though quite dull and tedious. Setting up your own identical build system is not difficult.

You are welcome to randomly select and build anything you wish, and to look for hash mismaches that would indicate an unexpected difference. I mean it: You are totally welcome to verify any builds you like.

You probably can't do them all, but you can do a sample. You can do a couple each day. You can work through a lot if you give yourself a little time.

We can't prove a negative, but the tools are already here for you to satisfy your concerns to your own satisfaction.

[zombifier25]

@mastablasta, @zombifier25
The latest OpenSSL-Heartbleed and the Bash-Bug show that even open source does not protect us from dramatic bugs that stay open for years.

I'm not talking about those types of bug though. Those are honest software bugs that can be overlooked by the developers (Launchpad and Bugzilla exist for a reason)