merlin vs official build for the ac86u

  • ATTENTION! As of November 1, 2020, you are not able to reply to threads 6 months after the thread is opened if there are more than 500 posts in the thread.
    Threads will not be locked, so posts may still be edited by their authors.
    Just start a new thread on the topic to post if you get an error message when trying to reply to a thread.

128bit

Regular Contributor
for years now, i've been happy with the official builds but always considered the merlin builds as a way to enhance. i have 2 concerns: 1) security. is there a team that performs code reviews of the enhanced code? my worry is that someone could slide something nefarious in there especially if no one is looking and 2) how does one revert back to official should after merlin code has been installed.

let me also apologize in advance if anyone feels offended by this post. i was in the industry for some 40 years and have seen lots and yes, i'm paranoid but no disrespect is intended here. in fact, i'm in awe as to how well maintained this site is and the level of professionalism.

:)
 

RMerlin

Asuswrt-Merlin dev
is there a team that performs code reviews of the enhanced code?
Not that I`m aware of. However my code is available for anyone to review on Github, with the actual commit history visible for anyone to see and review.

my worry is that someone could slide something nefarious in there especially if no one is looking
Only two persons have write access to the Git repo, and 99% of the commits are from myself (pretty much 100% now, as the second developer no longer has time to work on it since he moved to a new job last year), so there's no chance of anyone slipping malicious commits in - it`s not a whole team of developers working on this, it`s pretty much only me.

how does one revert back to official should after merlin code has been installed.
Flash stock firmware like any other update, do a factory default reset, and reconfigure.
 

128bit

Regular Contributor
Not that I`m aware of. However my code is available for anyone to review on Github, with the actual commit history visible for anyone to see and review.


Only two persons have write access to the Git repo, and 99% of the commits are from myself (pretty much 100% now, as the second developer no longer has time to work on it since he moved to a new job last year), so there's no chance of anyone slipping malicious commits in - it`s not a whole team of developers working on this, it`s pretty much only me.


Flash stock firmware like any other update, do a factory default reset, and reconfigure.
appreciate your response and explanation and thanks for your very fine work.
 

Adooni

Senior Member
I can tell you that RMerlin is much better than AsusWRT with very useful tweaks and a lot people are using it for very long time rom 2015.

I would tell that do RMerlin is more secured than ori AsusWRT and additional you could add amtm components to it. In same point Asus will try to buy out RMerlin as they do not do good work :)
 

Yota

Senior Member
We all trust him because his work is transparent and he actively responds to questions.

What you should worry about most is supply chain attacks. because Asuswrt (official) always contains binary files without source code. Of course you can compare the hash of the binary file with the Asuswrt source code, but I don't think anyone has tried to actively do this.

He once told me that Asus would send him the unpublished source code in advance, so that he would not have to wait months to debug and merge the upstream code into Merlin firmware.

But Asus will send the code to his FTP server via the Internet, which means that this line is not absolutely secure. And because this is an open source project, many people don't want to see signatures in the souce code.
 

Yota

Senior Member
As he said:
I am not worried. The kind of sophistication involved in this type of attack mean you generally target multi-billion dollar targets, not an open source project that has about 150K potential targets, most of which being home-based and therefore worth pennies at best.

If you are worried, feel free to scan the source code yourself, it's all on my Github.

 

RMerlin

Asuswrt-Merlin dev
But Asus will send the code to his FTP server via the Internet, which means that this line is not absolutely secure.

For reasons I don't want to explain in detail, the chances of this happening are about nil. For starter, the binary content would require an attacker to have access to the unpublished Broadcom or Asus source code to recompile these. And somehow manage to download, modify, and re-upload a 1.5 GB tarball within the window of Asus uploading and myself downloading it, which is typically a few hours at most. That's not happening...

What you should worry about most is supply chain attacks.
This is why I refuse to implement any sort of automated firmware update mechanism, as I cannot guarantee adequate security in such a mechanism.
 

128bit

Regular Contributor
For reasons I don't want to explain in detail, the chances of this happening are about nil. For starter, the binary content would require an attacker to have access to the unpublished Broadcom or Asus source code to recompile these. And somehow manage to download, modify, and re-upload a 1.5 GB tarball within the window of Asus uploading and myself downloading it, which is typically a few hours at most. That's not happening...


This is why I refuse to implement any sort of automated firmware update mechanism, as I cannot guarantee adequate security in such a mechanism.
yeah, i agree! you'd have to decompile a binary, add the crap then recompile. pretty tough even if at all possible. then the hash would change. so no, while not impossible in this day and age, highly unlikely.
 

Latest threads

Sign Up For SNBForums Daily Digest

Get an update of what's new every day delivered to your mailbox. Sign up here!

Members online

Top