
Huawei dev team submit Linux patch with backdoor, Huawei denies involvement - gyzmau
https://androidrookies.com/huawei-dev-team-sends-a-buggy-hksp-patch-with-backdoor-to-linux-foundation/
======
addcninblue
Previous discussion:
[https://news.ycombinator.com/item?id=23137041](https://news.ycombinator.com/item?id=23137041)

------
voltagex_
I wonder whether it's better just to link to grsecurity here
[https://grsecurity.net/huawei_hksp_introduces_trivially_exploitable_vulnerability](https://grsecurity.net/huawei_hksp_introduces_trivially_exploitable_vulnerability)

~~~
smcleod
Thank you, yes that's much better.

~~~
voltagex_
It turns out that this is what the previous thread that was also linked is
about.

------
fulafel
Grsecurity people have been involved in a lot of fights and accusations over
the years. Also this was a first posting of the patch set. I think it's pretty
hard to show malice here. Of course your bayesian prior will be influenced by
how paranoid you are about Huawei in general.

edit: apologies to Grsecurity, as pointed out downthread they make no
accusations of backdoors. Although apparently the Grsecurity blog post was
also altered after comments from the Huawei PSIRT, don't know what was in the
original version.

~~~
cycomanic
Actually if you read the grsecurity blog it is much more nuanced than the
linked story (and would have been a much better source to link to IMO).

In particular they do not insinuate a backdoor. In fact their post is pretty
consistent in that they criticize the quality (or lack thereof) and limited
understanding of security, which they have done for many others as well.

This seems to really be a story blown out of proportion based on the current
political climate. I don't believe a similar vulnerability in a patch from
Cisco, Intel, Google or any of the others (and they had patches which were
similarly criticized by grsecurity) would have received a backdoor label in
the headlines.

That is not to say that we should not strongly scrutinise patches from Huawei.

~~~
fulafel
Good correction.

But reading the Grsecurity blog, it becomes even clearer that this is far from
production code and would be very far from passing any kind of QC for
production code.

