The specifics everyone should understand are as follows...

1.) All of the bugs found so far look like unintentional mistakes. Of course, there's always some wise-ass that will say that a perfect backdoor should look like an unintentional mistake, so proving intent is impossible.

2.) No one has done the work necessary to prove the bugs found so far are actually exploitable. Publicly speculating and debating whether or not a bug is exploitable is harmful and disingenuous.

3.) Due to complexity, completely proving the code is perfect and free of all exploitable bugs is intractable. The very best anyone can ever say is, "I personally didn't find any bugs during my audit."

Given the above, ANY accusation of intentionally putting a backdoor into code is indefensible, and hence, it is nothing more than vicious rhetorical defamation. Even if such an accusation is true, it is still fallacious and must be discarded.

I hope you don't mind if I pilfer a wonderfully descriptive phrase from you, but I feel the accusations of Gregory Perry qualify him as a "mendacious kook." I'm not omniscient, so I would never say there's "zero chance" of a backdoor being placed in anything. Nonetheless, in this situation, we basically agree. I believe it is exceedingly unlikely a backdoor ever made it into the tree.

The real problem is Perry made some very serious and damaging allegations. If Theo had just ignored this kook, he would have been taken to task for not divulging and addressing them.

Theo did exactly what you suggested in his initial Dec 14th message to the security-announce@openbsd list:

http://marc.info/?l=openbsd-security-announce&m=12923753...

> The mail came in privately from a person I have not talked to for nearly 10 years. I refuse to become part of such a conspiracy, and will not be talking to Gregory Perry about this. Therefore I am making it public so that (a) those who use the code can audit it for these problems, (b) those that are angry at the story can take other actions, (c) if it is not true, those who are being accused can defend themselves.

I think the initial message to security-announce@ was more than enough. The underlying cause of your complaint about "refusing to put this to bed" by stating his opinions in subsequent emails can be found in your own actions; people demanding they have an imaginary "right" to be told more.

Essentially, you asked for it to continue. The same is true for many others, so you are certainly not alone. And yes, even my discussing this with you publicly on HN means I'm also at fault for the continuation.

The accusations made against Jason Wright and Angelos Keromytis are indefensible, so I cannot defend them. You cannot defend them. Theo cannot defend them. No one can defend them, and they cannot defend themselves. The one thing all of us should clearly and loudly say is, "The accusations are indefensible, fallacious, and should be discarded, but we should still look at the code again to see if there are any undiscovered bugs."

OpenBSD being trolled by some kook is not newsworthy. It happens all the time. All the articles on HN and elsewhere are just whoring a fallacious and most likely falsified controversy, and by doing so, defaming two people who gave their time and effort to develop open source code.

I am angry. After making great contributions to open source, two great hackers, Jason Wright and Angelos Keromytis, are being defamed and I am unable to prove they are innocent because no one can prove they are innocent of indefensible accusations. It's frustrating.

Out of respect for Jason and Angelos, I'm done talking about it.

The tough question is, why does it take an overly verbose village idiot like me to clearly state the obvious?
Your heart is clearly in the right place. I feel for you. You and I agree about way, way more than we disagree about. But your summary ignores the plain words of Theo's email. The people talking about this on HN are not "whoring" the controversy. Someone else is, and you know who I think that is.