>> 1) XEN is developed by people working for a company based in
>> the U.S.
Some fun stats for Xen 4.6 changesets, as used by Qubes:
Lines of Code: ~150,000
This is from
and related pages (and similar pages with 4.6 replaced by 4.x):
Lines of code added/removed:
Vers  People  Empl  Added   Removed  NSA-Add  NSA-Rem
4.4   81      29    38048   25989    121
4.5   102     39    80906   141593   6714     2645
4.6   96      30    124035  90299    459      193
4.7   102     36    106606  37160    ?        ?
Now, about 4.7. Note that the page for only lists individual names, does
not list any company affiliations or employers at all. An odd
So the NSA barely contributed for 4.4, contributed a significant amount
for 4.5, a bit for 4.6, and then either stopped contributing, or are doing
so in a non-transparent way through individuals for 4.7. :(
I can't say that's confidence-inspiring. Xen's change from 4.6 to 4.7 to
not listing employers almost has a slight "warrant canary" feel to it. :S
The source is open, I guess, but still, smart people can sneak in subtle
backdoor bugs. As we have seen.
Also, out of those 100 individuals, what are the odds that the NSA could
sneak in a few apparently unaffiliated "representatives" to submit some
Now, I'm sure a good many of the people at NSA just want a stable,
reliable, professional operating system to use for their work, and
contribute back to Linux in turn to make it better.
It'd be refreshing and inspiring to see them fixing our critical tech
tools rather than hopelessly busting them. Go America.
But given their history of sneaking in back doors through subtle code
bugs, it does make one a bit, err, cautious.
Xen is a much bigger and faster-moving target than I ever expected for a
After discovering I was being victimized by some keylogging and some other
covert surveillance hw/sw, I spent a fair bit of time thinking about how to use a
computer with confidence, assuming that you can't necessarily trust the
hardware nor software.
Is it possible to have a secure environment, where you don't fully trust
the hardware/software? And unless you've designed the hardware and
software yourself (or they're both open and heavily and transparently
reviewed), and you never let either out of your sight and protection, how
can you ever fully trust hardware/software?
(For example, things such as a password safe on a memory key can help
partially thwart even a hardware keylogger, since online/etc. passwords
are never typed. Can this type of small success be achieved for a whole
system? It's daunting.)