Some yahoo at Debian found what he thought was a bug in OpenSSL, and decided to comment out some code without having any clue what purpose it served. That purpose was to seed a pseudo-random number generator with entropy from memory, specifically /dev/random. This only broke the cryptographic security of OpenSSL on Debian (and thus Ubuntu) while being mostly undetectable. It’s quite likely attacks of the same ilk were deliberately planted by various spy agencies.
This is just an extreme example of why I prefer to build open-source software from source code myself rather than trust blindly in some packager whose choice of compile-time settings almost certainly doesn’t match mine. I have a framework of makefiles that specify how each package is built from source (meta-makefiles, really). This includes checking for new versions of the package, setting configure options and make environment variables. For instance, to fetch the most recent version of OpenSSL, all I do is make sync-openssl; make openssl, then as root run make install-openssl. The maintenance burden is low as I have been assembling these meta-makefiles over the last 12 years, targeting Solaris and OS X. The end result is a deterministic build according to my specifications.
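The sketch below is an added illustration of what such a meta-makefile can look like; it is not the author's own framework. It assumes GNU make, curl, tar, sha256sum and a C toolchain, assumes the tarball URL layout and index page of www.openssl.org, and uses placeholder values for the pinned version and checksum. The one thing it adds beyond the targets named above is a pinned SHA-256 check on the downloaded tarball: the hash is copied into the makefile from a release notice obtained out of band, so a mirror that serves a tampered tarball (or a tampered checksum file next to it) cannot pass the sync step.

```makefile
# Illustrative meta-makefile for building OpenSSL from source (added example,
# not the author's framework). Assumptions: GNU make, curl, tar, sha256sum,
# a C toolchain; download URL and index page format of www.openssl.org;
# version and checksum below are placeholders to be filled in by hand.

OPENSSL_VERSION ?= X.Y.Z
# Pin the SHA-256 of the release tarball here, copied from a source trusted
# out of band (e.g. the signed release announcement), never from the same
# mirror that serves the tarball. A checksum fetched beside the file only
# proves the download was not corrupted in transit.
OPENSSL_SHA256  ?= 0000000000000000000000000000000000000000000000000000000000000000

PREFIX   ?= /usr/local/openssl-$(OPENSSL_VERSION)
DISTDIR  ?= $(CURDIR)/dist
WORKDIR  ?= $(CURDIR)/work
JOBS     ?= 4

OPENSSL_TARBALL := openssl-$(OPENSSL_VERSION).tar.gz
OPENSSL_URL     := https://www.openssl.org/source/$(OPENSSL_TARBALL)
OPENSSL_SRC     := $(WORKDIR)/openssl-$(OPENSSL_VERSION)

# Compile-time choices written down so every build is reproducible from this
# file: no legacy SSLv3 or compression, no weak ciphers, static libraries only,
# and a fixed compiler/flags instead of whatever the configure script guesses.
OPENSSL_CONFIGURE_OPTS := no-ssl3 no-comp no-weak-ssl-ciphers no-shared \
    --prefix=$(PREFIX) --openssldir=$(PREFIX)/ssl
OPENSSL_ENV := CC=cc CFLAGS='-O2'

.PHONY: check-openssl sync-openssl openssl install-openssl clean-openssl

# Report which release tarballs the index page advertises so a newer version
# is noticed; the page format is an assumption, adjust the pattern if needed.
check-openssl:
	curl -fsSL https://www.openssl.org/source/ \
	    | grep -o 'openssl-[0-9][0-9.a-z]*\.tar\.gz' | sort -u
	@echo "pinned version: $(OPENSSL_VERSION)"

# Fetch the tarball and refuse to keep it unless it matches the pinned hash.
sync-openssl: $(DISTDIR)/$(OPENSSL_TARBALL)

$(DISTDIR)/$(OPENSSL_TARBALL):
	mkdir -p $(DISTDIR)
	curl -fsSL -o $@.tmp $(OPENSSL_URL)
	echo "$(OPENSSL_SHA256)  $@.tmp" | sha256sum -c - || { rm -f $@.tmp; exit 1; }
	mv $@.tmp $@

# Unpack into a fresh tree, configure with the pinned options, build, and run
# the bundled self-tests. A stamp file records a successful build.
openssl: $(OPENSSL_SRC)/.built

$(OPENSSL_SRC)/.built: $(DISTDIR)/$(OPENSSL_TARBALL)
	rm -rf $(OPENSSL_SRC) && mkdir -p $(WORKDIR)
	tar -xzf $< -C $(WORKDIR)
	cd $(OPENSSL_SRC) && $(OPENSSL_ENV) ./config $(OPENSSL_CONFIGURE_OPTS)
	$(MAKE) -C $(OPENSSL_SRC) -j$(JOBS)
	$(MAKE) -C $(OPENSSL_SRC) test
	touch $@

# Installation is a separate target so the fetch and build never need root.
install-openssl: $(OPENSSL_SRC)/.built
	$(MAKE) -C $(OPENSSL_SRC) install

clean-openssl:
	rm -rf $(OPENSSL_SRC)
```

Usage follows the same pattern as in the text: `make sync-openssl; make openssl` as an ordinary user, then `make install-openssl` as root. Because the hash is pinned in the makefile, bumping OPENSSL_VERSION without updating OPENSSL_SHA256 fails the sync step rather than silently building an unverified tarball, which is the behaviour a deterministic build should have.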
My process would not ward against a malicious attack like Brian
Kernighan’s notorious trusting trust attack, but it has served me
well over the years.