mirror of
https://github.com/LCTT/TranslateProject.git
synced 2025-02-25 00:50:15 +08:00
Merge pull request #119 from tinyeyeser/master
Translated by Mr小眼儿. Starting translation of Are We Witnessing the Decline of Ubuntu.md
commit
cf72c3dbaf
@ -1,104 +1,104 @@
|
||||
Are We Witnessing the Decline of Ubuntu?
|
||||
========================================
|
||||
|
||||
History is written years after the events it describes. But when the history of free software finally is written, I am increasingly convinced that this last year will be noted as the start of the decline of Ubuntu.
|
||||
|
||||
At first, the idea might seem ridiculous or spiteful. You can still find Ubuntu enthusiasts who exclaim over every move the distribution makes, and journalists still report founder Mark Shuttleworth's every word uncritically.
|
||||
|
||||
Community manager Jono Bacon is working hard to develop a community of app developers for the Ubuntu Touch mobile operating system, and occasionally Ubuntu's commercial arm Canonical announces prestige projects such as working with the Chinese government to develop a [national Chinese operating system][1], or being chosen to deliver the [Steam][2] gaming platform to Linux.
|
||||
|
||||
Nor can you deduce too much from the fact that Google trend shows a sharp decline in searches for "[Ubuntu][3]." Except for Android and Mageia, the same can be said of other [major distributions][4]. It is true, though, that none of the other distros have declined as sharply as Ubuntu, which is at less than half its height in October 2007, at a low that it has not been at since June 2006.
|
||||
|
||||
All the same, the suspicion remains. Ubuntu and Canonical have isolated themselves from the free software community that Shuttleworth once hoped to lead. In the last year, the community has signaled repeatedly that at least parts of it feel disempowered.
|
||||
|
||||
Worst of all, in the last year, initiative after initiative has failed, and profitability apparently continues to elude Canonical. All these seem like indicators of organizations that are starting into a tailspin that will be difficult to correct, assuming they are correctable at all.
|
||||
|
||||
###Semi-Splendid Isolation
|
||||
|
||||
The last year is a marked contrast to the first years of Ubuntu. In 2005-2007, Ubuntu was the latest and greatest hope for the Linux desktop, and criticism was limited largely to those who felt that Debian was not given enough credit or distrusted the motives of an eccentric millionaire.
|
||||
|
||||
In those early years, Ubuntu did many things to improve usability on the desktop. Probably the most noticeable was the installed support for multiple languages and keyboard locale switching that are now standard in all major distributions.
|
||||
|
||||
Gradually, however, Ubuntu and Canonical began to isolate themselves from the mainstream of the free software community. Shuttleworth's proposals that projects coordinate their releases and emphasize usability were largely ignored. Impatient with the speed of development in GNOME -- and, perhaps, seen as an upstart in the GNOME community -- Shuttleworth began the development of the Unity interface, a design project that intrigued him so much that he stepped down as Canonical CEO to oversee it.
|
||||
|
||||
Unity and all its details quickly became the major focus of new Ubuntu releases. If the package versions were sometimes less up to date as they once were, few noticed as Canonical imposed change after change, effectively giving the design team a veto over the Ubuntu community.
|
||||
|
||||
Yet for all the development effort lavished on Unity, the result was an interface that, for all its eye candy, was better suited for mobile devices than workstations or laptops. According to Distrowatch, only [11 distributions][4] default to Unity, although [79][5] are listed as derived from Ubuntu in general. Nor have other major distributions rushed to make Unity available, much less promote it.
|
||||
|
||||
The same is true of [Upstart][6], Ubuntu's replacement for the init daemon, and more recently, [Mir][7], Ubuntu's replacement for Wayland, which other projects see as the upcoming replacement for the X Window System.
|
||||
|
||||
While both remain free-licensed, in practice both Upstart and Mir are controlled by Canonical, mainly through a [contributor's agreement][8] which assigns all rights to the company.
|
||||
|
||||
This control is perhaps one of the reasons why Intel recently [announced][9] that it would not be supporting Mir. In the last four years, Ubuntu and Canonical have gone from welcome members of the free software community to being perceived as mavericks who obey the letter of free-licenses while undermining their spirit. Few, apparently, are prepared to do them any favors.
|
||||
|
||||
###Placing Its Own House Out of Order
|
||||
|
||||
The more Canonical has isolated itself from the rest of the community, the more it has also attempted to control the Ubuntu community.
|
||||
|
||||
This effort is widely interpreted as the result of increasingly determined efforts to make Canonical profitable. Although Canonical is quick to make support and partnership announcements, [these announcements][10] are always lacking any mention of a monetary value -- an omission that, after nine years of running the business, would seem unthinkable if there was any good news to report. But, whatever the reason, Canonical has increasingly imposed its decisions on the community of Ubuntu volunteers without consulting them.
|
||||
|
||||
Many of these decisions have been trivial in themselves. They range from decisions not to support a completely free-licensed version of Ubuntu or a KDE-based version to the repositioning of title bar icons and the introduction of the [HUD][11] menu replacement.
|
||||
|
||||
However, as in many disputes, the issues involved seem less important than the relationships involved. Unlike Canonical, Ubuntu on a daily basis runs much like any free software project, with discussion and consultation the expected norm. The introduction of a hierarchy with Canonical employees at the top and often wielding a veto power would be likely to cause friction even if done politely -- which, often, it has not been. Instead of welcoming debate, Canonical has been far more apt to urge people to stifle it in the name of making Ubuntu a success.
|
||||
|
||||
Matters came to a head in February 2013, with long-time Ubuntu contributors publicly questioning whether they had any role and many considering quitting (although in practice, only one seems to have).
|
||||
|
||||
These first signs of discontent were quieted largely through the diplomatic efforts of Jono Bacon, only to flare up a couple of months later over the [removal of a community link][11] from the Ubuntu home page.
|
||||
|
||||
Again, Bacon managed to smooth things over, and -- so far as an outsider can tell -- the community has been quiet in the months since. However, the longstanding community grievances are unlikely to have disappeared altogether, for the simple reason that Canonical continues to ignore much of the Ubuntu community. A new outburst seems only a matter of time.
|
||||
|
||||
###Lost without a Compass
|
||||
|
||||
Whether Canonical ever believed that the Ubuntu distribution could be profitable is unknown. Certainly, over a dozen earlier efforts to monetize distributions should have warned the company how unlikely the possibility was. But the years spent polishing Ubuntu suggest that Canonical hopes -- or hoped -- to do the impossible. Or perhaps Canonical simply sees a quality distribution as a pre-requisite to grander goals.
|
||||
|
||||
Either way, spending so much effort on Unity seems to have been a distraction. To this day, Canonical appears to lack a business plan that offers any reasonable chance of profitability.
|
||||
|
||||
To some undocumented extent, efforts like online storage, a music store, or corporate ads in the dash may be defraying the costs of developing Ubuntu. However, if together they make Ubuntu profitable, no one is mentioning the fact. Attempts to cut corners by holding developer's meetings online rather than in person suggest a company that is finding ways to cut corners, not one making a profit.
|
||||
|
||||
Just as important, these efforts can create other problems. In particular, the ads on the dash lead to concerns about privacy and to being called spyware by [Richard Stallman][12]. The ads were also a major prompt for community unrest.
|
||||
|
||||
Yet Canonical has taken over a year to [address the privacy concerns][13] -- and, even then, the lack of details means that it is asking users to trust it.
|
||||
|
||||
Other sidelines, like [Ubuntu TV][14], have yet to materialize. Currently, Ubuntu's main strategy seems to be convergence on multiple form factors, but the advisability of trying to break into a saturated market seems dubious. The Ubuntu Touch interface is scheduled to be released in October with the 13.10 environment, but if any phone manufacturers are shipping products with it pre-installed, then Canonical is saving the announcements for the release date.
|
||||
|
||||
Even worse was the [Ubuntu Edge][15] fundraiser, an attempt to crowdfund a cutting edge boutique phone. Had it worked, then Canonical might have established a small niche in the marketplace.
|
||||
|
||||
However, in the end, only forty percent of its $32 million goal was reached. Canonical tried to put a good face on the results, mainly because of the publicity the crowdfunding campaigned produced. But since the result now mean that Canonical has a reputation for failure among potential business partners, the rationale is hard to accept. The failure of Ubuntu Edge has left Canonical's business plans more indefinite and more unlikely than ever.
|
||||
|
||||
###Waiting for the Next Act
|
||||
|
||||
All this is not to say that either Canonical and Ubuntu are about to disappear overnight. Any decline is just beginning, not at the point of no return. The introduction of new faces, or even determined internal reform could still turn Canonical and Ubuntu around. Perhaps listening to the Ubuntu community would be useful as well.
|
||||
|
||||
Still, the problem remains that, after nine years, Canonical and Ubuntu have yet to succeed. Major contributors to the Linux desktop in their early years, they have not even helped themselves with recent innovations, let alone free software in general. Increasingly, the general impression is one of confusion and desperation, which in itself can contribute to the decline.
|
||||
|
||||
Even without reform, Ubuntu and Canonical may continue to glide on their previous reputations, although the Ubuntu Edge campaign suggests that may be less possible as many imagine. But increasingly, Canonical and Ubuntu seem to have been slipping from the position of leadership they had in their earliest years.
|
||||
|
||||
Whether they can reverse their decline or merely accelerate it by panicky half-measures is uncertain, but watching the possibilities play out should make for an interesting next couple of years.
|
||||
|
||||
|
||||
via: http://www.datamation.com/open-source/are-we-witnessing-the-decline-of-ubuntu-1.html
|
||||
|
||||
Are We Witnessing the Decline of Ubuntu?
|
||||
========================================
|
||||
|
||||
History is written years after the events it describes. But when the history of free software finally is written, I am increasingly convinced that this last year will be noted as the start of the decline of Ubuntu.
|
||||
|
||||
At first, the idea might seem ridiculous or spiteful. You can still find Ubuntu enthusiasts who exclaim over every move the distribution makes, and journalists still report founder Mark Shuttleworth's every word uncritically.
|
||||
|
||||
Community manager Jono Bacon is working hard to develop a community of app developers for the Ubuntu Touch mobile operating system, and occasionally Ubuntu's commercial arm Canonical announces prestige projects such as working with the Chinese government to develop a [national Chinese operating system][1], or being chosen to deliver the [Steam][2] gaming platform to Linux.
|
||||
|
||||
Nor can you deduce too much from the fact that Google trend shows a sharp decline in searches for "[Ubuntu][3]." Except for Android and Mageia, the same can be said of other [major distributions][4]. It is true, though, that none of the other distros have declined as sharply as Ubuntu, which is at less than half its height in October 2007, at a low that it has not been at since June 2006.
|
||||
|
||||
All the same, the suspicion remains. Ubuntu and Canonical have isolated themselves from the free software community that Shuttleworth once hoped to lead. In the last year, the community has signaled repeatedly that at least parts of it feel disempowered.
|
||||
|
||||
Worst of all, in the last year, initiative after initiative has failed, and profitability apparently continues to elude Canonical. All these seem like indicators of organizations that are starting into a tailspin that will be difficult to correct, assuming they are correctable at all.
|
||||
|
||||
###Semi-Splendid Isolation
|
||||
|
||||
The last year is a marked contrast to the first years of Ubuntu. In 2005-2007, Ubuntu was the latest and greatest hope for the Linux desktop, and criticism was limited largely to those who felt that Debian was not given enough credit or distrusted the motives of an eccentric millionaire.
|
||||
|
||||
In those early years, Ubuntu did many things to improve usability on the desktop. Probably the most noticeable was the installed support for multiple languages and keyboard locale switching that are now standard in all major distributions.
|
||||
|
||||
Gradually, however, Ubuntu and Canonical began to isolate themselves from the mainstream of the free software community. Shuttleworth's proposals that projects coordinate their releases and emphasize usability were largely ignored. Impatient with the speed of development in GNOME -- and, perhaps, seen as an upstart in the GNOME community -- Shuttleworth began the development of the Unity interface, a design project that intrigued him so much that he stepped down as Canonical CEO to oversee it.
|
||||
|
||||
Unity and all its details quickly became the major focus of new Ubuntu releases. If the package versions were sometimes less up to date as they once were, few noticed as Canonical imposed change after change, effectively giving the design team a veto over the Ubuntu community.
|
||||
|
||||
Yet for all the development effort lavished on Unity, the result was an interface that, for all its eye candy, was better suited for mobile devices than workstations or laptops. According to Distrowatch, only [11 distributions][4] default to Unity, although [79][5] are listed as derived from Ubuntu in general. Nor have other major distributions rushed to make Unity available, much less promote it.
|
||||
|
||||
The same is true of [Upstart][6], Ubuntu's replacement for the init daemon, and more recently, [Mir][7], Ubuntu's replacement for Wayland, which other projects see as the upcoming replacement for the X Window System.
|
||||
|
||||
While both remain free-licensed, in practice both Upstart and Mir are controlled by Canonical, mainly through a [contributor's agreement][8] which assigns all rights to the company.
|
||||
|
||||
This control is perhaps one of the reasons why Intel recently [announced][9] that it would not be supporting Mir. In the last four years, Ubuntu and Canonical have gone from welcome members of the free software community to being perceived as mavericks who obey the letter of free-licenses while undermining their spirit. Few, apparently, are prepared to do them any favors.
|
||||
|
||||
###Placing Its Own House Out of Order
|
||||
|
||||
The more Canonical has isolated itself from the rest of the community, the more it has also attempted to control the Ubuntu community.
|
||||
|
||||
This effort is widely interpreted as the result of increasingly determined efforts to make Canonical profitable. Although Canonical is quick to make support and partnership announcements, [these announcements][10] are always lacking any mention of a monetary value -- an omission that, after nine years of running the business, would seem unthinkable if there was any good news to report. But, whatever the reason, Canonical has increasingly imposed its decisions on the community of Ubuntu volunteers without consulting them.
|
||||
|
||||
Many of these decisions have been trivial in themselves. They range from decisions not to support a completely free-licensed version of Ubuntu or a KDE-based version to the repositioning of title bar icons and the introduction of the [HUD][11] menu replacement.
|
||||
|
||||
However, as in many disputes, the issues involved seem less important than the relationships involved. Unlike Canonical, Ubuntu on a daily basis runs much like any free software project, with discussion and consultation the expected norm. The introduction of a hierarchy with Canonical employees at the top and often wielding a veto power would be likely to cause friction even if done politely -- which, often, it has not been. Instead of welcoming debate, Canonical has been far more apt to urge people to stifle it in the name of making Ubuntu a success.
|
||||
|
||||
Matters came to a head in February 2013, with long-time Ubuntu contributors publicly questioning whether they had any role and many considering quitting (although in practice, only one seems to have).
|
||||
|
||||
These first signs of discontent were quieted largely through the diplomatic efforts of Jono Bacon, only to flare up a couple of months later over the [removal of a community link][11] from the Ubuntu home page.
|
||||
|
||||
Again, Bacon managed to smooth things over, and -- so far as an outsider can tell -- the community has been quiet in the months since. However, the longstanding community grievances are unlikely to have disappeared altogether, for the simple reason that Canonical continues to ignore much of the Ubuntu community. A new outburst seems only a matter of time.
|
||||
|
||||
###Lost without a Compass
|
||||
|
||||
Whether Canonical ever believed that the Ubuntu distribution could be profitable is unknown. Certainly, over a dozen earlier efforts to monetize distributions should have warned the company how unlikely the possibility was. But the years spent polishing Ubuntu suggest that Canonical hopes -- or hoped -- to do the impossible. Or perhaps Canonical simply sees a quality distribution as a pre-requisite to grander goals.
|
||||
|
||||
Either way, spending so much effort on Unity seems to have been a distraction. To this day, Canonical appears to lack a business plan that offers any reasonable chance of profitability.
|
||||
|
||||
To some undocumented extent, efforts like online storage, a music store, or corporate ads in the dash may be defraying the costs of developing Ubuntu. However, if together they make Ubuntu profitable, no one is mentioning the fact. Attempts to cut corners by holding developer's meetings online rather than in person suggest a company that is finding ways to cut corners, not one making a profit.
|
||||
|
||||
Just as important, these efforts can create other problems. In particular, the ads on the dash lead to concerns about privacy and to being called spyware by [Richard Stallman][12]. The ads were also a major prompt for community unrest.
|
||||
|
||||
Yet Canonical has taken over a year to [address the privacy concerns][13] -- and, even then, the lack of details means that it is asking users to trust it.
|
||||
|
||||
Other sidelines, like [Ubuntu TV][14], have yet to materialize. Currently, Ubuntu's main strategy seems to be convergence on multiple form factors, but the advisability of trying to break into a saturated market seems dubious. The Ubuntu Touch interface is scheduled to be released in October with the 13.10 environment, but if any phone manufacturers are shipping products with it pre-installed, then Canonical is saving the announcements for the release date.
|
||||
|
||||
Even worse was the [Ubuntu Edge][15] fundraiser, an attempt to crowdfund a cutting edge boutique phone. Had it worked, then Canonical might have established a small niche in the marketplace.
|
||||
|
||||
However, in the end, only forty percent of its $32 million goal was reached. Canonical tried to put a good face on the results, mainly because of the publicity the crowdfunding campaigned produced. But since the result now mean that Canonical has a reputation for failure among potential business partners, the rationale is hard to accept. The failure of Ubuntu Edge has left Canonical's business plans more indefinite and more unlikely than ever.
|
||||
|
||||
###Waiting for the Next Act
|
||||
|
||||
All this is not to say that either Canonical and Ubuntu are about to disappear overnight. Any decline is just beginning, not at the point of no return. The introduction of new faces, or even determined internal reform could still turn Canonical and Ubuntu around. Perhaps listening to the Ubuntu community would be useful as well.
|
||||
|
||||
Still, the problem remains that, after nine years, Canonical and Ubuntu have yet to succeed. Major contributors to the Linux desktop in their early years, they have not even helped themselves with recent innovations, let alone free software in general. Increasingly, the general impression is one of confusion and desperation, which in itself can contribute to the decline.
|
||||
|
||||
Even without reform, Ubuntu and Canonical may continue to glide on their previous reputations, although the Ubuntu Edge campaign suggests that may be less possible as many imagine. But increasingly, Canonical and Ubuntu seem to have been slipping from the position of leadership they had in their earliest years.
|
||||
|
||||
Whether they can reverse their decline or merely accelerate it by panicky half-measures is uncertain, but watching the possibilities play out should make for an interesting next couple of years.
|
||||
|
||||
|
||||
via: http://www.datamation.com/open-source/are-we-witnessing-the-decline-of-ubuntu-1.html
|
||||
|
||||
本文由 [LCTT][] 原创翻译,[Linux中国][] 荣誉推出
|
||||
|
||||
译者:[译者ID][] 校对:[校对者ID][]
|
||||
译者:[Mr小眼儿][] 校对:[校对者ID][]
|
||||
|
||||
[LCTT]:https://github.com/LCTT/TranslateProject
|
||||
[Linux中国]:http://linux.cn/portal.php
|
||||
[译者ID]:http://linux.cn/space/译者ID
|
||||
[校对者ID]:http://linux.cn/space/校对者ID
|
||||
|
||||
[1]:http://www.canonical.com/content/canonical-and-chinese-standards-body-announce-ubuntu-collaboration
|
||||
[2]:http://games.slashdot.org/story/13/02/14/2318247/valve-officially-launches-steam-for-linux
|
||||
[3]:https://www.google.com/trends/explore?q=Ubuntu#q=Ubuntu%2C%20Canonical&cmpt=q
|
||||
[4]:http://distrowatch.com/search.php?ostype=All&category=All&origin=All&basedon=All¬basedon=None&desktop=Unity&architecture=All&status=Active
|
||||
[5]:http://distrowatch.com/search.php?ostype=All&category=All&origin=All&basedon=Ubuntu¬basedon=None&desktop=All&architecture=All&status=Active
|
||||
[6]:http://en.wikipedia.org/wiki/Upstart
|
||||
[7]:http://en.wikipedia.org/wiki/Mir_%28software%29
|
||||
[8]:http://www.canonical.com/contributors
|
||||
[9]:http://arstechnica.com/information-technology/2013/09/intel-rejection-of-ubuntus-mir-patch-forces-canonical-to-go-own-way/
|
||||
[10]:http://www.canonical.com/about-canonical/news-and-events
|
||||
[11]:https://wiki.ubuntu.com/Unity/HUD
|
||||
[12]:https://www.fsf.org/blogs/rms/ubuntu-spyware-what-to-do
|
||||
[13]:http://iloveubuntu.net/smart-scopes-anonymize-images-landing-users-dash-privacy-oriented
|
||||
[14]:http://www.ubuntu.com/tv
|
||||
[15]:http://www.datamation.com/open-source/ubuntu-edge-canonicals-big-gamble.html
|
||||
[Mr小眼儿]:http://linux.cn/space/14801
|
||||
[校对者ID]:http://linux.cn/space/校对者ID
|
||||
|
||||
[1]:http://www.canonical.com/content/canonical-and-chinese-standards-body-announce-ubuntu-collaboration
|
||||
[2]:http://games.slashdot.org/story/13/02/14/2318247/valve-officially-launches-steam-for-linux
|
||||
[3]:https://www.google.com/trends/explore?q=Ubuntu#q=Ubuntu%2C%20Canonical&cmpt=q
|
||||
[4]:http://distrowatch.com/search.php?ostype=All&category=All&origin=All&basedon=All¬basedon=None&desktop=Unity&architecture=All&status=Active
|
||||
[5]:http://distrowatch.com/search.php?ostype=All&category=All&origin=All&basedon=Ubuntu¬basedon=None&desktop=All&architecture=All&status=Active
|
||||
[6]:http://en.wikipedia.org/wiki/Upstart
|
||||
[7]:http://en.wikipedia.org/wiki/Mir_%28software%29
|
||||
[8]:http://www.canonical.com/contributors
|
||||
[9]:http://arstechnica.com/information-technology/2013/09/intel-rejection-of-ubuntus-mir-patch-forces-canonical-to-go-own-way/
|
||||
[10]:http://www.canonical.com/about-canonical/news-and-events
|
||||
[11]:https://wiki.ubuntu.com/Unity/HUD
|
||||
[12]:https://www.fsf.org/blogs/rms/ubuntu-spyware-what-to-do
|
||||
[13]:http://iloveubuntu.net/smart-scopes-anonymize-images-landing-users-dash-privacy-oriented
|
||||
[14]:http://www.ubuntu.com/tv
|
||||
[15]:http://www.datamation.com/open-source/ubuntu-edge-canonicals-big-gamble.html
|
||||
|
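Review bot: the hunk header is -1,104 +1,104 and the whole English article shows up once as removed and once as added with no visible difference in the body, so the only real change, 译者:[译者ID][] becoming 译者:[Mr小眼儿][] together with the matching link definition, is buried in a full-file rewrite. That pattern usually comes from a line-ending or whitespace conversion when the file was saved; restoring the file's original line endings before committing would shrink this hunk to the two lines that actually change and make the claim on the article reviewable at a glance.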
@ -1,46 +0,0 @@
|
||||
The Linux Backdoor Attempt of 2003
|
||||
==================================
|
||||
|
||||
Josh [wrote][1] recently about a serious security bug that appeared in Debian Linux back in 2006, and whether it was really a backdoor inserted by the NSA. (He concluded that it probably was not.)
|
||||
|
||||
Today I want to write about another [incident][2], in 2003, in which someone tried to backdoor the Linux kernel. This one was definitely an attempt to insert a backdoor. But we don’t know who it was that made the attempt—and we probably never will.
|
||||
|
||||
Back in 2003 Linux used a system called BitKeeper to store the master copy of the Linux source code. If a developer wanted to propose a modification to the Linux code, they would submit their proposed change, and it would go through an organized approval process to decide whether the change would be accepted into the master code. Every change to the master code would come with a short explanation, which always included a pointer to the record of its approval.
|
||||
|
||||
But some people didn’t like BitKeeper, so a second copy of the source code was kept so that developers could get the code via another code system called CVS. The CVS copy of the code was a direct clone of the primary BitKeeper copy.
|
||||
|
||||
But on Nov. 5, 2003, Larry McVoy [noticed][3] that there was a code change in the CVS copy that did not have a pointer to a record of approval. Investigation showed that the change had never been approved and, stranger yet, that this change did not appear in the primary BitKeeper repository at all. Further investigation determined that someone had apparently broken in (electronically) to the CVS server and inserted this change.
|
||||
|
||||
What did the change do? This is where it gets really interesting. The change modified the code of a Linux function called wait4, which a program could use to wait for something to happen. Specifically, it added these two lines of code:
|
||||
|
||||
if ((options == (__WCLONE|__WALL)) && (current->uid = 0))
|
||||
retval = -EINVAL;
|
||||
|
||||
[Exercise for readers who know the C programming language: What is unusual about this code? Answer appears below.]
|
||||
|
||||
A casual reading by an expert would interpret this as innocuous error-checking code to make wait4 return an error code when wait4 was called in a certain way that was forbidden by the documentation. But a really careful expert reader would notice that, near the end of the first line, it said “= 0” rather than “== 0”. The normal thing to write in code like this is “== 0”, which tests whether the user ID of the currently running code (current->uid) is equal to zero, without modifying the user ID. But what actually appears is “= 0”, which has the effect of setting the user ID to zero.
|
||||
|
||||
Setting the user ID to zero is a problem because user ID number zero is the “root” user, which is allowed to do absolutely anything it wants—to access all data, change the behavior of all code, and to compromise entirely the security of all parts of the system. So the effect of this code is to give root privileges to any piece of software that called wait4 in a particular way that is supposed to be invalid. In other words … it’s a classic backdoor.
|
||||
|
||||
This is a very clever piece of work. It looks like innocuous error checking, but it’s really a back door. And it was slipped into the code outside the normal approval process, to avoid any possibility that the approval process would notice what was up.
|
||||
|
||||
But the attempt didn’t work, because the Linux team was careful enough to notice that that this code was in the CVS repository without having gone through the normal approval process. Score one for Linux.
|
||||
|
||||
Could this have been an NSA attack? Maybe. But there were many others who had the skill and motivation to carry out this attack. Unless somebody confesses, or a smoking-gun document turns up, we’ll never know.
|
||||
|
||||
---
|
||||
|
||||
via: https://freedom-to-tinker.com/blog/felten/the-linux-backdoor-attempt-of-2003/
|
||||
|
||||
本文由 [LCTT][] 原创翻译,[Linux中国][] 荣誉推出
|
||||
|
||||
译者:[Mr小眼儿][] 校对:[校对者ID][]
|
||||
|
||||
[LCTT]:https://github.com/LCTT/TranslateProject
|
||||
[Linux中国]:http://linux.cn/portal.php
|
||||
[Mr小眼儿]:http://linux.cn/space/14801
|
||||
[校对者ID]:http://linux.cn/space/校对者ID
|
||||
|
||||
[1]:https://freedom-to-tinker.com/blog/kroll/software-transparency-debian-openssl-bug/
|
||||
[2]:https://lwn.net/Articles/57135/
|
||||
[3]:https://lwn.net/Articles/57137/
|
46
translated/The Linux Backdoor Attempt of 2003.md
Normal file
@ -0,0 +1,46 @@
|
||||
揭秘!—— 2003年Linux后门事件
|
||||
==================================
|
||||
|
||||
最近Josh写了[一篇文章][1],讲述2006年Debian Linux中出现的一系列安全bug,探讨了这些所谓bug是否是NSA植入的后门。(最后他作出结论:可能不是)
|
||||
|
||||
今天我想讲述的是另外一个[事件][2]——2003年某些人试图在Linux内核中植入后门的故事。这次事件很明确,的确有人想植入后门,只是我们不知道此人是谁,而且,也许永远都不会知道了。
|
||||
|
||||
时间回到2003年,当时Linux使用一套叫做BitKeeper的系统来存储Linux源代码的主拷贝。如果开发者想要提交一份针对源码的修改,就必须经过一套严格的审核过程,以决定这份修改是否能够合并进主拷贝。每个针对主拷贝的修改都必须附带一段说明,说明当中都包括了一个记录相应审核过程的链接。
|
||||
|
||||
但是有些人不喜欢BitKeeper,于是这些开发者们就用另一套叫做CVS的系统,维护了一份Linux源代码的拷贝,这样他们就能随时按自己喜欢的方式获取Linux源代码了。CVS中的代码其实就是直接克隆了BitKeeper中的代码。
|
||||
|
||||
但是在2003年11月5日的时候,Larry McVoy[发现][3],CVS中的代码拷贝有一处改动并没有包含记录审核的链接。调查显示,这一处改动由陌生人添加,而且从未经过审核,不仅如此,在BitKeeper仓库的主拷贝中,这一处改动竟然压根就不存在。经过进一步调查后,可以明确,显然有人入侵了CVS的服务器并植入了此处改动。
|
||||
|
||||
神秘人物究竟做了哪些改动?这才是真正有趣的地方。改动修改的是Linux中一个叫wait4的函数,程序可以使用该函数进行挂起操作,以等待某些事件的触发。神秘人物添加的,就是下面这两行代码:
|
||||
|
||||
if ((options == (__WCLONE|__WALL)) && (current->uid = 0))
|
||||
retval = -EINVAL;
|
||||
|
||||
[有C语言编程经验的人也许会问:这两行代码有什么特别的?请接着往下看]
|
||||
|
||||
猛地一看,好像这两行代码就是一段正常的错误校验代码,当wait4函数被某种文档中禁止的方式调用时,wait4就返回一个错误代码。但是一个真正认真的程序猿立刻就会发现代码中的问题,注意看在第一行末尾,“= 0”应该是“== 0”才对。是的,“== 0”在这里才是判断当前运行代码的用户ID(current->uid)是否等于0,而“= 0”不但无法判断,反而修改了用户ID的值,即,将其值赋值为0。
|
||||
|
||||
将用户ID设置为0,这是一个很严重的问题,因为ID为0的用户正是“root”,而root账户可以在系统中做任何事情,包括访问所有数据、修改任意代码的行为,能够危及到整个系统各个部分的安全。因此,这段代码的影响就是通过特殊手段使得任何调用wait4函数的软件都拥有了root权限。换句话说,这就是一个典型的后门。
|
||||
|
||||
客观地说,这一招很漂亮。看起来就像是无关紧要的错误校验,但真是身份却是一个后门。而且它混在其他经过审核的代码中间,几乎规避了所有审核可能会注意到自己的可能性。
|
||||
|
||||
但是它终究还是失败了,因为Linux小组有足够强的责任心,注意到了CVS仓库中的这段代码没有经过常规审核。Linux还是略胜一筹。
|
||||
|
||||
这是NSA干的吗?只能说有可能。因为有太多拥有技术能力和动机的人有可能实施了此次攻击。那么,到底是谁呢?除非某些人主动承认,又或者发现新的确凿证据,否则,我们将永远不会知道。
|
||||
|
||||
---
|
||||
|
||||
via: https://freedom-to-tinker.com/blog/felten/the-linux-backdoor-attempt-of-2003/
|
||||
|
||||
本文由 [LCTT][] 原创翻译,[Linux中国][] 荣誉推出
|
||||
|
||||
译者:[Mr小眼儿][] 校对:[校对者ID][]
|
||||
|
||||
[LCTT]:https://github.com/LCTT/TranslateProject
|
||||
[Linux中国]:http://linux.cn/portal.php
|
||||
[Mr小眼儿]:http://linux.cn/space/14801
|
||||
[校对者ID]:http://linux.cn/space/校对者ID
|
||||
|
||||
[1]:https://freedom-to-tinker.com/blog/kroll/software-transparency-debian-openssl-bug/
|
||||
[2]:https://lwn.net/Articles/57135/
|
||||
[3]:https://lwn.net/Articles/57137/
|
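Review bot: the paragraph beginning 客观地说 changes the meaning of the source sentence about the approval process. The original says the change "was slipped into the code outside the normal approval process", but 而且它混在其他经过审核的代码中间 says it was mixed in among other reviewed code, which loses the point that the backdoor bypassed review entirely and was only caught because it lacked an approval record. The same line has a typo, 真是身份 for 真实身份. The preceding paragraph also drops the condition that matters for the backdoor: the source says root is granted to software that calls wait4 "in a particular way that is supposed to be invalid", while 通过特殊手段使得任何调用wait4函数的软件都拥有了root权限 reads as if any caller of wait4 gets root; something like 任何以本应无效的特定方式调用wait4的软件 would keep it. Smaller points: 一系列安全bug renders "a serious security bug" as a series of bugs, and the bracketed reader exercise now promises no answer below.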