Is netcat-traditional used by CPFP?

Where is the source for the mksh audit?

I have already posted it above but here are the sources and quotes reposted. As part of the base system it has been through security auditing by the OpenBSD team. mksh is practically oksh. In the OpenBSD site, they refer to their implementation oksh/mksh simply as ksh.

mksh is supposed to be a superset of oksh (except GNU bash-style PS1, weird POSuX character classes, and an incompatible ulimit builtin change).

https://www.mirbsd.org/mksh.htm


Repost from above:

http://www.openbsd.org/faq/faq8.html

These compilers have not gone through the security audit and do not contain security enhancements like those in the base system ... [b]Unix shells: ksh and csh in the base system[/b]

http://www.openbsd.org/faq/faq15.html

[b]The packages and ports collection does NOT go through the same thorough security audit that is performed on the OpenBSD base system. [/b]Although we strive to keep the quality of the packages collection high, we just do not have enough human resources to ensure the same level of robustness and security.

ksh = base system = audited

It has been undergone security auditing no doubt about it.

Maybe I am wrong, but it seems there is a gap in auditing here.

  • MirOS BSD is not OpenBSD.
  • MirOS BSD does not claim making audits?
  • MirOS BSD uses mksh.
  • OpenBSD base system does not include mksh.
  • OpenBSD base system includes ksh? (Nevermind, because of next point.)
  • mksh is not same as ksh even if they share some code.
  • Even if ksh was audited and even if mksh and ksh are compatible (?), no one claimed that mksh was audited.

Also mksh is much less popular. Got an older by_vote popcon statistic by Debian on my hdd.

29 bash 170058 146517 8105 15377 59
4770 mksh 2356 422 1844 90 0

So I would assume that mksh attracts much less attention by potential people who could be interested to look for vulnerabilities.

Useful for a positive public opinion because less geeks will badmouth the project which is good for overall project health.

Let’s assume bash implementation is as secure as python implementation (assume by reality, not by public opinion).
Let’s assume python is more secure by public opinion.
Let’s assume we want more coders to make Whonix more secure and more audits.
Then I conclude it’s better to go by the time and go with python if this attracts more geeks rather them categorizing the project as bad and moving along.

[quote=“Patrick, post:23, topic:424”]Maybe I am wrong, but it seems there is a gap in auditing here.

  • MirOS BSD is not OpenBSD.
  • MirOS BSD does not claim making audits?
  • MirOS BSD uses mksh.
  • OpenBSD base system does not include mksh.
  • OpenBSD base system includes ksh? (Nevermind, because of next point.)
  • mksh is not same as ksh even if they share some code.
  • Even if ksh was audited and even if mksh and ksh are compatible (?), no one claimed that mksh was audited.

Also mksh is much less popular. Got an older by_vote popcon statistic by Debian on my hdd.

29 bash 170058 146517 8105 15377 59
4770 mksh 2356 422 1844 90 0

So I would assume that mksh attracts much less attention by potential people who could be interested to look for vulnerabilities.[/quote]

  1. Its a security oriented fork of OpenBSD that shares fixes and code.
  2. From an auditing perspective we are only interested in the mksh code
  3. mksh is the audited oksh with more fixes which were shared back with OpenBSD [1]
    4.They are both compatible with each other and with bash, with any specific code dependencies for the latter scanable for.

I can see there is huge confusion because of the semantics here. A short history of ksh: ksh was a proprietary shell in one of the ancient Unixes. At the turn of the millennium it was released under the name: pdksh in the public domain. OpenBSD took it over and then it audited six ways from Sunday, cleaned the code up and modernized it then called it oksh, MirBSD another security oriented fork took that exact same audited code and further slimmed it down, sharing any code fixes back with OpenBSD and called it mksh.

Since its dead in the water, the ‘ksh’ name bandied around, refers only to these fraternal twin open implementations only.

[1] MirBSD: mksh — old versions

mksh is a direct descendant from the OpenBSD /bin/ksh and contains all of its bug fixes and enhancements except the “GNU bash-like $PS1” and “POSIX character class support in globbing” changes and the incompatible “ulimit can handle multiple limits in one invocation” difference. Some of the more weird diffs in oksh have not been merged either.

I see you are reluctant for other reasons, but the security of this code is clear.

You once said that the burden of proof is on those who make a claim and I have made every effort to research this alternative before suggesting it. I have picked the shell with any history of auditing having ever been performed on its code.

Software/package popularity doesn’t mean much. Windows is “popular” but is a security and privacy nightmare.

At the end of the day what matters are the objective facts.

I have had a very fruitful correspondence with MirBSD’s lead dev. He is very patient and took the time to answer everything we have been discussing here in full detail. Thanks Thorsten!

Please read his reply on the mailinglist.

Patrick your comment? :slight_smile:

Terrific work, terrific answer. Need more time to digest this.

Created a github issue to not forget about this:
https://github.com/Whonix/Whonix/issues/301