>> 1) XEN is developed by people working for a company based in
>> the U.S.

Some fun stats for Xen 4.6 changesets, as used by Qubes:

Lines of Code: ~150,000

This is from


and related pages (and similar pages with 4.6 replaced by 4.x):

Lines of code added/removed:

Vers People Empl Added  Removed NSA-Add NSA-Rem
4.4  81     29   38048  25989   121
4.5  102    39   80906  141593  6714    2645
4.6  96     30   124035 90299   459     193
4.7  102    36   106606 37160   ?       ?

Now, about 4.7.  Note that the page for only lists individual names, does
not list any company affiliations or employers at all.  An odd

So the NSA barely contributed for 4.4, contributed a significant amount
for 4.5, a bit for 4.6, and then either stopped contributing, or are doing
so in a non-transparent way through individuals for 4.7.  :(

I can't say that's confidence-inspiring.  Xen's change from 4.6 to 4.7 to
not listing employers almost has a slight "warrant canary" feel to it.  :S
The source is open, I guess, but still, smart people can sneak in subtle
backdoor bugs.  As we have seen.

Also, out of those 100 individuals, what are the odds that the NSA could
sneak in a few apparently unaffiliated "representatives" to submit some
subtle changes?

Now, I'm sure a good many of the people at NSA just want a stable,
reliable, professional operating system to use for their work, and
contribute back to Linux in turn to make it better.

It'd be refreshing and inspiring to see them fixing our critical tech
tools rather than hopelessly busting them.  Go America.

But given their history of sneaking in back doors through subtle code
bugs, it does make one a bit, err, cautious.

Xen is a much bigger and faster-moving target than I ever expected for a

After discovering I was being victimized by some keylogging and some other
covert surveillance hw/sw, I spend a fair bit of time about how to use a
computer with confidence, assuming that you can't necessarily trust the
hardware nor software.

Is it possible to have a secure environment, where you don't fully trust
the hardware/software?  And unless you've designed the hardware and
software yourself (or they're both open and heavily and transparently
reviewed), and you never let either out of your sight and protection, how
can you ever fully trust hardware/software?

(For example, things such as a password safe on a memory key can help
partially thwart even a hardware keylogger, since online/etc. passwords
are never typed.  Can this type of small success be achieved for a whole
system?  It's daunting.)



