I understand that this is a technical and professional subreddit, but I think this is appropriate to call attention to and discuss.
Short story: (thanks to /u/i_mormon_stuff for the summary)
Netgate, the maintainers of pfSense, paid a developer to create a Wireguard implementation that would be compatible with FreeBSD.
They then shipped this implementation in pfSense version 2.5.0 and at the same time submitted it to the FreeBSD project for inclusion in FreeBSD 13.0. FreeBSD is the base operating system that pfSense is built on top of.
The developer of Wireguard, a guy called Jason A. Donenfeld, looked at the submitted code Netgate had produced and felt that it was of poor quality. He then spoke with several people involved with the FreeBSD project and spent two weeks reworking Netgate's code in the hope that it would be of high enough quality to actually be included in FreeBSD 13.0, which is due to release soon.
This thread contains links to Jason's general outline of Netgate's submitted code and his perception of its quality, followed by a detailing of the efforts he and others put in to make it ready for FreeBSD 13.0. Ultimately, though, they decided not to include it in 13.0 and will see if it can make it into the 13.1 release.
As you may be aware, pfSense 2.5.0 (which is based on FreeBSD 12.x) already launched with this custom Wireguard implementation, so it's already out there and being used by people in their firewalls, during which time serious doubt is being raised about its quality and safety by Wireguard's creator, Jason A. Donenfeld.
Then, Ars Technica weighed in.
Then, approx. 12 hours ago as of the time of this post, Scott Long, the director of software engineering at Netgate, posted this um... blog post. It has since been taken down from Netgate's website, but the full text is here. The blog post is extraordinary as it directly accuses Jason of being an "attacker" and conspiring with the FreeBSD maintainers to destroy Netgate's reputation.
I know we try to stay out of industry drama here, but since this could have potential security implications, I think it should have attention called to it to at least assess the situation.