Group: Software/FSDG distributions/Security

From LibrePlanet

Introduction

This page tracks the progress of FSDG distributions with regard to reproducible builds, bootstrappable builds, signed releases and packages, security updates, and similar security features.

Distributing software

Releases and signatures

Distribution | Signed installers | Comments
Dragora 3.0-beta2 | Yes, signed images[1] |
Dynebolic 3.0-beta | Broken: the signed file only contains MD5 checksums[2] | You can still download the images several times over different paths and compare the copies with cmp, though that is far from ideal: it only catches corruption or a single tampered download, not a compromised server or mirror.
Dynebolic 4.0.0-beta | Yes, signed images[3], but the signing public key cannot be found |
Guix 1.4.0 | Yes, signed images[4] |
Guix "latest" | No[5] | Workaround: install Guix 1.4.0 and update it.
Hyperbola v0.4.2 | Yes, signed images[6] |
LibreCMC | Yes, signed checksums[7] |
Parabola | Yes[8] |
ProteanOS | Yes: signed ProteanOS Development Kit commits[9] |
PureOS 10 (byzantium) | Checksums only[10] | Workarounds:
  • Install PureOS from Parabola with debootstrap and pureos-archive-keyring.
  • Download the checksums through several independent paths (different Tor circuits, a local connection) and compare them. Also make sure to take the checksums from the official website or a trusted mirror; this does not protect against a compromised website.
Replicant 6.0 0004 | Yes, signed images[11] |
Trisquel 10.0.1 | Yes, signed images[12] |
Ututo S | No: unsigned, broken (MD5) checksums only[13] | You can still download the images several times over different paths and compare the copies with cmp, though that is far from ideal: it only catches corruption or a single tampered download, not a compromised server or mirror.
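The rows above come down to one procedure: fetch the checksum list, verify its signature against the distribution's documented release key, then check the image's digest against the list. Below is an added Python example of that procedure; it is not the tooling of any distribution on this page. It assumes the coreutils checksum format ("<hexdigest>  <filename>") and a detached OpenPGP signature over the list, and it pins the signing key through gpg's VALIDSIG status line rather than trusting gpg's exit status alone. The sample image and checksum lines are constructed, and MD5-length digests (the case of the Dynebolic 3.0 and Ututo S rows) are rejected rather than checked.

```python
"""Verify a release image against a signed checksum list (added example)."""
import hashlib
import hmac
import os
import re
import subprocess

# Digest length in hex characters -> hashlib algorithm.  32 (MD5) and
# 40 (SHA-1) are deliberately absent: such a list is treated as broken.
ACCEPTED = {64: "sha256", 128: "sha512"}
LINE_RE = re.compile(r"^([0-9A-Fa-f]+)\s+\*?(\S.*?)\s*$")


def parse_checksums(text):
    """Return {filename: (algorithm, hexdigest)} or raise ValueError."""
    entries = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"unparseable checksum line: {raw!r}")
        digest, name = m.group(1).lower(), m.group(2)
        algo = ACCEPTED.get(len(digest))
        if algo is None:
            raise ValueError(
                f"{name}: {len(digest) * 4}-bit digest is not SHA-256/SHA-512 "
                "(MD5 or SHA-1 list, treat as broken)")
        entries[name] = (algo, digest)
    return entries


def verify_bytes(name, data, checksum_text):
    """Check the image contents `data` against its entry in the list.

    Returns (ok, reason).  A weak or malformed list yields ok=False instead
    of an exception so a caller cannot accidentally treat it as verified.
    """
    try:
        entries = parse_checksums(checksum_text)
    except ValueError as e:
        return False, str(e)
    if name not in entries:
        return False, f"{name} not listed"
    algo, expected = entries[name]
    actual = hashlib.new(algo, data).hexdigest()
    if not hmac.compare_digest(actual, expected):
        return False, f"{algo} mismatch for {name}"
    return True, f"{algo} OK for {name}"


def verify_signature(checksum_file, sig_file, keyring, expected_fpr):
    """Verify the detached signature with gpg and pin the signing key.

    gpg exits 0 for a valid signature by *any* key in the keyring, so the
    "[GNUPG:] VALIDSIG" status line is parsed and compared with the
    fingerprint obtained out of band (the distribution's documented key).
    """
    proc = subprocess.run(
        ["gpg", "--no-default-keyring", "--keyring", keyring,
         "--status-fd", "1", "--verify", sig_file, checksum_file],
        capture_output=True, text=True)
    if proc.returncode != 0:
        return False, "signature invalid or key not in keyring"
    want = expected_fpr.replace(" ", "").upper()
    for line in proc.stdout.splitlines():
        parts = line.split()
        if len(parts) >= 3 and parts[:2] == ["[GNUPG:]", "VALIDSIG"]:
            # parts[2]: signing (sub)key fingerprint; parts[-1]: primary key
            if want in (parts[2].upper(), parts[-1].upper()):
                return True, f"signed by {want}"
    return False, "valid signature, but not by the expected key"


def verify_release(image_path, checksum_file, sig_file, keyring, expected_fpr):
    """Full flow: signature over the list first, then the image digest."""
    ok, why = verify_signature(checksum_file, sig_file, keyring, expected_fpr)
    if not ok:
        return False, why
    with open(image_path, "rb") as img, open(checksum_file) as sums:
        return verify_bytes(os.path.basename(image_path), img.read(), sums.read())


# Constructed sample data (not a real release).
SAMPLE_IMAGE = b"pretend this is an ISO image\n" * 1000
SAMPLE_SUMS = hashlib.sha256(SAMPLE_IMAGE).hexdigest() + "  sample.iso\n"
# An MD5-sized digest (md5 of the empty string), the kind of list the
# Dynebolic 3.0 and Ututo S rows describe.
WEAK_SUMS = "d41d8cd98f00b204e9800998ecf8427e  sample.iso\n"

if __name__ == "__main__":
    print(verify_bytes("sample.iso", SAMPLE_IMAGE, SAMPLE_SUMS))
    print(verify_bytes("sample.iso", SAMPLE_IMAGE + b"x", SAMPLE_SUMS))
    print(verify_bytes("sample.iso", SAMPLE_IMAGE, WEAK_SUMS))
```

Note the ordering: the signature is checked before any digest is compared, and a list that only offers MD5 fails closed. Downloading the image twice and comparing with cmp, as the table suggests for the unsigned cases, is only a detector for transport corruption or a single tampered path; nothing short of a signature by a key you obtained out of band tells you the image is what the project published.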

Development source code and signatures

Distribution | Signed development source code
Dragora | No policy requiring signed commits[14].
Dynebolic | ?
Guix | Yes: signed commits, an authentication tool (guix git authenticate) and instructions[15]
Hyperbola | ?
LibreCMC | ?
Parabola | No policy requiring signed commits
ProteanOS | Yes: signed commits and verification instructions[16]
PureOS | ?
Replicant | No policy requiring signed commits[14][17].
Trisquel | ?
Ututo S | ?

Security updates and packages

Distribution | Security updates available | Automatic security updates | Tools to check for CVEs | Signed packages | Protection against mirrors with outdated packages
(Known security issues, security related bug reports and comments follow the row they belong to as bullets.)
Dragora 3.0-beta1 | | | | |
Dynebolic 3.0-beta | No[18] | No[19] | | |
  • Known security issues: no security updates at all.
Guix 1.4.0 | No[20] | No[21] | Yes: guix lint | Yes | Yes
  • Protection against mirrors with outdated packages: the package definitions come directly from Guix over HTTPS and are signed[22]. The substitute servers (Guix's equivalent of mirrors) build the packages, and substitute signatures are enforced; guix challenge can be used to check whether packages are reproducible.
  • Known security issues: no security updates for the 1.4.0 release itself.
  • Comments: Guix 1.4.0 can easily be updated to Guix "latest".
Guix "latest" | Yes | Can be enabled[23] | Yes: guix lint | Yes | Yes
  • Protection against mirrors with outdated packages: the package definitions come directly from Guix over HTTPS and are signed[24]. The substitute servers build the packages, and substitute signatures are enforced; guix challenge can be used to check whether packages are reproducible.
  • Security related bug reports: link
Hyperbola v0.4.2 | | | | Yes[25] | No
  • Protection against mirrors with outdated packages: all mirrors use HTTPS or onion services[26], but secondary mirrors are trusted for the package database: they are used first[27] and package database signatures are not enforced[28].
LibreCMC | | | | |
Parabola | Yes | No[29] | ? | Yes[30] | Partial
  • Protection against mirrors with outdated packages: packages are fetched through a mirror redirector that also uses HTTPS[31], but package database signatures are not enforced[32].
ProteanOS | | | | |
PureOS 10 (byzantium) | Yes | Can be enabled[33] | | Yes |
Replicant 6.0 0004 | Very few security updates[34] | No[35] | No | N/A (no packages) | N/A (no packages)
  • Known security issues: based on Android 6.0, which is no longer maintained. Ships an old version of WebView that is full of security vulnerabilities, and many applications, including non-browser applications, use the built-in WebView.
Trisquel 10.0.1 | Yes | Can be enabled[36] | | Yes |
Ututo S | | | | |
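The "Protection against mirrors with outdated packages" column for the pacman-based distributions hinges on one setting: with "SigLevel = Required DatabaseOptional" (notes 25, 28, 30 and 32) every package must carry a valid signature, but the repository database that says which versions are current need not, so a stale or hostile mirror can keep a client on vulnerable package versions without forging a single package signature. The following is an added Python audit of that setting; it is not a tool from Parabola, Hyperbola or pacman. It follows the SigLevel grammar documented in pacman.conf(5) (Never/Optional/Required, optionally prefixed with Package or Database, later tokens overriding earlier ones, a repository's own SigLevel applied on top of the global one). Both configuration samples are constructed: the weak one reproduces the default quoted in the notes, the strict one is a hypothetical hardened variant.

```python
"""Audit pacman SigLevel settings for optional or disabled signatures (added example)."""
import re

# Constructed sample: the default quoted in the notes, plus a repo that
# turns database signatures off entirely.
WEAK_CONF = """\
[options]
SigLevel = Required DatabaseOptional
LocalFileSigLevel = Optional

[core]
Include = /etc/pacman.d/mirrorlist

[extra]
SigLevel = PackageRequired DatabaseNever
Include = /etc/pacman.d/mirrorlist
"""

# Hypothetical hardened variant: database signatures required everywhere.
STRICT_CONF = """\
[options]
SigLevel = Required DatabaseRequired
LocalFileSigLevel = Optional

[core]
Include = /etc/pacman.d/mirrorlist
"""

LEVELS = ("never", "optional", "required")
SCOPES = ("package", "database")


def parse_siglevel(value, base=None):
    """Map a SigLevel value to {"package": level, "database": level}.

    Per pacman.conf(5): Never/Optional/Required apply to both packages and
    databases unless prefixed with Package or Database; later tokens
    override earlier ones.  TrustedOnly/TrustAll govern key trust, not
    signature presence, and are ignored here.  `base` is the setting the
    value is layered on (the global one for a repository section); pacman's
    own default is Optional for both.
    """
    levels = dict(base) if base else {"package": "optional", "database": "optional"}
    for tok in value.split():
        t, scopes = tok.lower(), SCOPES
        for prefix in SCOPES:
            if t.startswith(prefix):
                scopes, t = (prefix,), t[len(prefix):]
                break
        if t in LEVELS:
            for s in scopes:
                levels[s] = t
        elif t not in ("trustedonly", "trustall"):
            raise ValueError(f"unknown SigLevel token {tok!r}")
    return levels


def effective_siglevels(conf_text):
    """Return {repo: {"package": .., "database": ..}} for each repository section."""
    sections, current = {}, None
    for line in conf_text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments
        if not line:
            continue
        m = re.match(r"^\[(.+)\]$", line)
        if m:
            current = m.group(1)
            sections.setdefault(current, {})
            continue
        key, _, val = line.partition("=")
        if current is not None and key.strip() == "SigLevel":
            sections[current]["SigLevel"] = val.strip()
    base = parse_siglevel(sections.get("options", {}).get("SigLevel", ""))
    return {name: parse_siglevel(opts.get("SigLevel", ""), base)
            for name, opts in sections.items() if name != "options"}


def audit(conf_text):
    """Human-readable findings; an empty list means every signature is required."""
    findings = []
    for repo, lv in effective_siglevels(conf_text).items():
        for what in SCOPES:
            if lv[what] != "required":
                findings.append(f"[{repo}]: {what} signatures are {lv[what]}")
    return findings


if __name__ == "__main__":
    for f in audit(WEAK_CONF):
        print("WEAK  ", f)
    print("STRICT", audit(STRICT_CONF) or "no findings")
```

Run against the weak sample it reports that [core] inherits optional database signatures and that [extra] has switched them off; the strict sample produces no findings. The caveat is that DatabaseRequired only helps when the repository actually publishes signed databases: if it does not, pacman -Sy fails with a missing-signature error, which is the right failure mode but means the fix has to come from the distribution, not from the client configuration alone.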

Reproducible builds and bootstrappable builds

Distribution | Reproducible builds officially supported[37]
Dragora | No
  • Not mentioned in the list of projects supporting reproducible builds[38].
Dynebolic | No
  • Not mentioned in the list of projects supporting reproducible builds[38].
Guix | Yes
  • Users are encouraged to run guix challenge to check the reproducibility of builds, and builds are supposed to be reproducible for every user, independent of the specific CPU, username, etc.
  • Part of Guix is now bootstrappable[39].
  • Mentioned in the list of projects supporting reproducible builds[38].
Hyperbola | No
  • Not mentioned in the list of projects supporting reproducible builds[38], but Arch Linux is, so adding reproducible builds to Hyperbola may be easier.
LibreCMC | No
  • Not mentioned in the list of projects supporting reproducible builds[38], but OpenWrt is, so adding reproducible builds to LibreCMC might be easier.
Parabola | Partial (Arch packages only)
  • Not mentioned in the list of projects supporting reproducible builds[38], but Arch Linux is, and on x86_64 some stock Arch Linux packages are reused, so at least part of Parabola is reproducible.
  • A wiki page has a plan to add reproducible builds[40], but it needs people to actually research how to add reproducible builds and to implement it.
  • Arch Linux status: https://tests.reproducible-builds.org/archlinux/archlinux.html
ProteanOS | No
  • Not mentioned in the list of projects supporting reproducible builds[38].
PureOS | No
  • Not mentioned in the list of projects supporting reproducible builds[38], but Debian is, so adding reproducible builds to PureOS may be easier.
Replicant | No
  • Not using the Android prebuilt toolchain is the first priority; after that, a way to activate reproducible builds when building releases still has to be found.
  • Not mentioned in the list of projects supporting reproducible builds[38].
Trisquel | Yes
  • Mentioned in the list of projects supporting reproducible builds[38].
Ututo S | No
  • Not mentioned in the list of projects supporting reproducible builds[38].

Security features

Access control

Distribution | AppArmor | Lockdown | SELinux | Smack | Tomoyo | Yama
Dragora | No[41] | ? | No[42] | No[43] | No[44] | No[45]
Dynebolic | ? | ? | ? | ? | ? | ?
Guix | No[46] | No[47] | No[48] | No[49] | No[50] | Yes[51]
Hyperbola | No[52] | No[53] | No[54] | No[55] | No[56] | Yes[57]
LibreCMC | ? | ? | ? | ? | ? | ?
Parabola | Can be enabled[58] | Can be enabled on x86[59] | No[60] | No[61] | Can be enabled for x86_64 and i686[62] | Yes[63]
ProteanOS | ? | ? | ? | ? | ? | ?
PureOS 10 (byzantium) | Enabled by default, easy to disable[64] | Can be enabled on x86_64[65] | Can be enabled | No[66] | Can be enabled[67] | Yes[68]
Replicant 6.0 | No | No[69] | Yes, difficult to disable[70] | No[71] | No[72] | No[73]
Replicant 11 | No | No[74] | No | No[75] | No[76] | No[77]
Trisquel 10 (nabia) | Enabled by default, easy to disable[78] | Can be enabled at least on x86[79] | Can be enabled | No[80] | Can be enabled[81] | Yes[82]
Ututo S | ? | ? | ? | ? | ? | ?

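Most cells in the table above were filled in by grepping kernel configurations, and the notes show the two things that are easy to misread: an LSM named in CONFIG_LSM (the boot-time enable order) is not necessarily compiled in (the Replicant 11 notes list lockdown, smack, tomoyo and yama in CONFIG_LSM while each CONFIG_SECURITY_* option is "not set"), and CONFIG_SECURITY_LOCKDOWN_LSM=y only makes lockdown available, with the mode in force coming from CONFIG_LOCK_DOWN_KERNEL_FORCE_*, the lockdown= kernel parameter, /sys/kernel/security/lockdown, or a downstream Secure Boot patch. The following is an added Python check that encodes those rules; it is not a tool from any of the distributions. It reads a .config or /proc/config.gz and reports each LSM as enabled, built but not in CONFIG_LSM, a dead CONFIG_LSM entry, or absent, and reads Yama's runtime ptrace_scope. The two sample configurations are constructed from the fragments quoted in the notes and are not copies of any real kernel tree.

```python
"""Report which Linux security modules a kernel configuration provides (added example)."""
import gzip
import re

LSM_OPTIONS = {
    "apparmor": "CONFIG_SECURITY_APPARMOR",
    "selinux": "CONFIG_SECURITY_SELINUX",
    "smack": "CONFIG_SECURITY_SMACK",
    "tomoyo": "CONFIG_SECURITY_TOMOYO",
    "yama": "CONFIG_SECURITY_YAMA",
    "lockdown": "CONFIG_SECURITY_LOCKDOWN_LSM",
    "landlock": "CONFIG_SECURITY_LANDLOCK",
    "bpf": "CONFIG_BPF_LSM",
}
SET_RE = re.compile(r"^(CONFIG_\w+)=(.*)$")
UNSET_RE = re.compile(r"^# (CONFIG_\w+) is not set$")


def parse_kconfig(text):
    """Map CONFIG_* -> value; '# X is not set' becomes 'n', quotes are stripped."""
    opts = {}
    for raw in text.splitlines():
        line = raw.strip()
        m = UNSET_RE.match(line)
        if m:
            opts[m.group(1)] = "n"
            continue
        m = SET_RE.match(line)
        if m:
            value = m.group(2)
            if len(value) >= 2 and value[0] == value[-1] == '"':
                value = value[1:-1]
            opts[m.group(1)] = value
    return opts


def load_kconfig(path):
    """Read a plain .config or a gzip-compressed one such as /proc/config.gz."""
    opener = gzip.open if path.endswith(".gz") else open
    with opener(path, "rt") as f:
        return parse_kconfig(f.read())


def lsm_status(opts):
    """Per LSM: 'enabled', 'built', 'dead entry' or 'absent'."""
    order = [s for s in opts.get("CONFIG_LSM", "").split(",") if s]
    status = {}
    for name, option in LSM_OPTIONS.items():
        built = opts.get(option, "n") == "y"
        listed = name in order
        if built and listed:
            status[name] = "enabled"      # initialised at boot, in CONFIG_LSM order
        elif built:
            status[name] = "built"        # available, needs lsm=... on the command line
        elif listed:
            status[name] = "dead entry"   # named in CONFIG_LSM but not compiled in
        else:
            status[name] = "absent"
    return status


def lockdown_mode(opts):
    """Build-time lockdown mode, or why none is in force by default."""
    if opts.get("CONFIG_SECURITY_LOCKDOWN_LSM", "n") != "y":
        return "not built"
    for mode in ("confidentiality", "integrity"):
        if opts.get(f"CONFIG_LOCK_DOWN_KERNEL_FORCE_{mode.upper()}", "n") == "y":
            return f"forced: {mode}"
    return "available, off unless enabled at boot or runtime"


def ptrace_scope(path="/proc/sys/kernel/yama/ptrace_scope"):
    """Yama's runtime setting: 0 classic ptrace, 1 descendants only, 2 admin only,
    3 no attach at all.  None when Yama is not active on the running kernel."""
    try:
        with open(path) as f:
            return int(f.read().strip())
    except (FileNotFoundError, ValueError):
        return None


# Constructed sample in the shape of the Replicant 11 fragments in the notes.
CONSTRUCTED_REPLICANT11_LIKE = """\
CONFIG_LSM="lockdown,yama,loadpin,safesetid,integrity,selinux,smack,tomoyo,apparmor,bpf"
# CONFIG_SECURITY_LOCKDOWN_LSM is not set
# CONFIG_SECURITY_SMACK is not set
# CONFIG_SECURITY_TOMOYO is not set
# CONFIG_SECURITY_YAMA is not set
"""

# Constructed sample in the shape of the PureOS fragments in the notes.
CONSTRUCTED_PUREOS_LIKE = """\
CONFIG_SECURITY_LOCKDOWN_LSM=y
CONFIG_SECURITY_LOCKDOWN_LSM_EARLY=y
CONFIG_LSM="lockdown,yama,loadpin,safesetid,integrity,apparmor,selinux,smack,tomoyo"
CONFIG_SECURITY_APPARMOR=y
CONFIG_SECURITY_SELINUX=y
# CONFIG_SECURITY_SMACK is not set
CONFIG_SECURITY_TOMOYO=y
CONFIG_SECURITY_YAMA=y
"""

if __name__ == "__main__":
    for label, text in (("replicant11-like", CONSTRUCTED_REPLICANT11_LIKE),
                        ("pureos-like", CONSTRUCTED_PUREOS_LIKE)):
        opts = parse_kconfig(text)
        print(label, lsm_status(opts), lockdown_mode(opts))
    print("yama ptrace_scope on this host:", ptrace_scope())
```

On a running system, load_kconfig("/proc/config.gz") gives the same answers for the booted kernel, which is more reliable than reading a distribution's config file because it reflects what was actually built. The "built" state matters for the "can be enabled" cells: those LSMs exist in the kernel but need lsm=... on the kernel command line (and, for AppArmor, SELinux, Smack and Tomoyo, the userspace tools and policies the notes mention) before they do anything.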
  1. Signing key: https://keyserver.ubuntu.com/pks/lookup?op=get&search=0x35bdb9d46b56b5facb647c9b3aaf1cec203a99d5
  2. https://files.dyne.org/dynebolic/
  3. https://files.dyne.org/dynebolic/
  4. https://guix.gnu.org/en/download/
  5. https://guix.gnu.org/en/download/latest/
  6. https://wiki.hyperbola.info/doku.php?id=en:manual:verify_live_images
  7. signed checksums: https://librecmc.org/librecmc/downloads/snapshots/v1.5.12/targets/ath79/generic/
  8. https://wiki.parabola.nu/Get_Parabola
  9. http://proteanos.com/doc/install/prokit/
  10. https://downloads.puri.sm/byzantium/gnome/2023-06-14/ . There is also a bug report about it.
  11. https://ftp.osuosl.org/pub/replicant/images/replicant-6.0/0004/images/
  12. https://cdimage.trisquel.info/trisquel-images/
  13. http://www.ututo.org/downloads/
  14. Most commits are signed by the maintainer, but other commits are not signed and there is no documented policy requiring signed commits.
  15. https://guix.gnu.org/en/manual/devel/en/guix.html#Building-from-Git
  16. http://proteanos.com/doc/install/prokit/
  17. Replicant also consists of many repositories, and even if all commits were or are signed, it would be complicated to verify each repository without tools for that. While in theory Replicant has a manifest file listing the repositories and the commits/branches to use, it doesn't always use fixed revisions, as that makes rebasing the changes easier. In addition there are Apache rewrite rules in place to redirect repositories that were renamed between Android versions, which also complicates things.
  18. From free-distros.html: "This is a “static” distro, normally run from a live CD. Since it will not receive security updates, it should be used offline."
  19. From free-distros.html: "This is a “static” distro, normally run from a live CD. Since it will not receive security updates, it should be used offline."
  20. There is no backport of the security fixes to stable releases. Instead users are encouraged to run guix pull to get the latest Guix version along with security fixes.
  21. There is no backport of the security fixes to stable releases. Instead users are encouraged to run guix pull to get the latest Guix version along with security fixes.
  22. The Guix channel is https://git.savannah.gnu.org/git/guix.git and channel commit signatures are enforced by guix pull. If the substitute servers don't have a given package, the machine running Guix builds that package locally instead.
  23. The Guix manual explains how to enable unattended upgrades
  24. The Guix channel is https://git.savannah.gnu.org/git/guix.git and channel commit signatures are enforced by guix pull. If the substitute servers don't have a given package, the machine running Guix builds that package locally instead.
  25. /etc/pacman.conf has the following:
    SigLevel = Required DatabaseOptional
    LocalFileSigLevel = Optional
  26. reference: https://repo.hyperbola.info:50000/other/mirrorlist/mirrorlist.txt
  27. Reference: the default /etc/pacman.d/mirrorlist
  28. Reference: /etc/pacman.conf has "SigLevel = [...] DatabaseOptional"
  29. Any kind of automatic update is very strongly discouraged. Even the completely unofficial tools that do this warn users very strongly and put many mechanisms in place to make sure that users are aware it will break their system at some point.
  30. /etc/pacman.conf has the following by default:
    SigLevel = Required DatabaseOptional
    LocalFileSigLevel = Optional
  31. According to the default /etc/pacman.d/mirrorlist, it only uses "https://redirector.parabola.nu/$repo/os/$arch".
  32. However even if the redirector uses https, the package database signatures are not enforced since Parabola has "SigLevel = [...] DatabaseOptional" in /etc/pacman.conf by default.
  33. This can be done by installing and configuring the unattended-upgrades package
  34. In the latest Replicant 6.0 releases, only serious privacy issues were fixed. Since it is based on an unmaintained Android version, its contributors cannot ship security fixes without porting Replicant to a newer Android version.
  35. Users are expected to manually install new releases.
  36. This can be done by installing and configuring the unattended-upgrades package
  37. If reproducible builds are officially supported, the distribution should be listed on https://reproducible-builds.org, and users should be able to open bugs about non-reproducible packages and/or send patches to fix them. If they are not supported, we could try to send patches enabling reproducible builds and/or help the distribution support them instead.
  38. The official list of projects supporting reproducible builds is at https://reproducible-builds.org/who/projects/ . Note that not all of these projects are FSDG compliant and that some might even contain nonfree software and other really problematic issues.
  39. Guix can now bootstrap its C toolchain (see "The Full-Source Bootstrap: Building from source all the way down" for more details), but some languages are not bootstrapped yet (Vala, Haskell, etc.). See Group:Software/research/ProgrammingLanguages#Guix_status for more details.
  40. https://wiki.parabola.nu/Reproducible_Builds
  41. Dragora currently has 'CONFIG_SECURITY_APPARMOR is not set' inside config-amd64_generic
  42. Dragora currently has 'CONFIG_SECURITY_SELINUX is not set' inside config-amd64_generic
  43. Dragora currently has 'CONFIG_SECURITY_SMACK is not set' inside config-amd64_generic
  44. Dragora currently has 'CONFIG_SECURITY_TOMOYO is not set' inside config-amd64_generic
  45. Dragora currently has 'CONFIG_SECURITY_YAMA is not set' inside config-amd64_generic
  46. Guix has the AppArmor packages, with some basic AppArmor profiles inside, and its kernel also has AppArmor available. However, at the time of writing the Guix manual has no information at all about AppArmor and there is no service definition for it. In addition, AppArmor would need a way to find profiles installed by packages other than AppArmor itself, and some packages like hplip don't yet install AppArmor profiles.
  47. git grep -i lockdown in guix source code shows 'CONFIG_SECURITY_LOCKDOWN_LSM is not set'
  48. While there are SELinux policies for Guix, they are meant to use with a host distribution that supports SELinux. In addition there are many limitations that prevent this policy to make it practical or secure to use Guix. See the SELinux Support part in the Guix manual for more details.
  49. On x86_64 the kernel has 'CONFIG_SECURITY_SMACK=y' but there is no package for the smack userspace utilities.
  50. No tomoyo package
  51. On x86_64 the kernel has 'CONFIG_SECURITY_YAMA=y'. Yama needs no specific userspace tools: it restricts ptrace through the kernel.yama.ptrace_scope sysctl and lets processes declare who may trace them via the PR_SET_PTRACER prctl(2) option.
  52. Hyperbola has no apparmor package: https://www.hyperbola.info/packages/?q=apparmor
  53. Hyperbola seems to have only one kernel package, linux-libre-lts. Both its i686 and x86_64 configurations have '# CONFIG_SECURITY_LOCKDOWN_LSM is not set'.
  54. Hyperbola seems to have only one kernel package, linux-libre-lts. Both its i686 and x86_64 configurations have 'CONFIG_LSM="lockdown,yama,loadpin,safesetid,integrity"' and no CONFIG_SECURITY_SELINUX.
  55. Hyperbola seems to have only one kernel package, linux-libre-lts. Both its i686 and x86_64 configurations have '# CONFIG_SECURITY_SMACK is not set'. In addition there is no package for the Smack userspace utilities.
  56. Hyperbola seems to have only one kernel package, linux-libre-lts. Both its i686 and x86_64 configurations have '# CONFIG_SECURITY_TOMOYO is not set'.
  57. Hyperbola seems to have only one kernel package, linux-libre-lts. Both its i686 and x86_64 configurations have 'CONFIG_SECURITY_YAMA=y'. Yama needs no specific userspace tools: it restricts ptrace through the kernel.yama.ptrace_scope sysctl and lets processes declare who may trace them via the PR_SET_PTRACER prctl(2) option.
  58. The Parabola kernel has AppArmor, and the AppArmor package (and various other packages) ship profiles in /etc/apparmor.d. There is also some documentation in the AppArmor Arch Linux wiki page.
  59. linux-libre, linux-libre-lts and linux-libre-vanilla have the following configuration for i686 and x86_64: 'CONFIG_SECURITY_LOCKDOWN_LSM=y', '# CONFIG_SECURITY_LOCKDOWN_LSM_EARLY is not set' and 'CONFIG_LSM="landlock,lockdown,yama,integrity,bpf"'. So on x86, lockdown is enabled by default if UEFI Secure Boot is on. However Parabola doesn't support UEFI Secure Boot, so we can assume it's disabled by default. Lockdown is not available on armv7h, as all armv7h/aarch64 kernels have 'CONFIG_SECURITY_LOCKDOWN_LSM is not set'. There is documentation on how to enable lockdown manually in the Security#Kernel_lockdown_mode Arch Linux wiki page.
  60. Parabola has some SELinux related packages in the pcr repository, but they were only added to enable the development of SELinux policies for other distributions (Replicant). At the time of writing Parabola still doesn't have proper SELinux integration.
  61. At least one kernel package has 'CONFIG_SECURITY_SMACK=y', but only for armv7h (the armv7h configuration of linux-libre-vanilla). Both the i686 and x86_64 linux-libre-vanilla kernels have '# CONFIG_DEFAULT_SECURITY_SMACK is not set' (the x86_64 and i686 configurations of linux-libre-vanilla). There are also no packages for the Smack userspace utilities.
  62. There is a tomoyo-tools package and at least one kernel package has 'CONFIG_SECURITY_TOMOYO=y' (the x86_64 and i686 configurations of linux-libre-vanilla). Some armv7h kernel configurations, such as the armv7h configuration of linux-libre-vanilla, have '# CONFIG_SECURITY_TOMOYO is not set' though.
  63. At least one kernel package has 'CONFIG_SECURITY_YAMA=y' for both x86_64 and i686 (the x86_64 and i686 configurations of linux-libre-vanilla). Some armv7h kernel configurations, such as the armv7h configuration of linux-libre-vanilla, have '# CONFIG_SECURITY_YAMA is not set' though. Note that Yama needs no specific userspace tools: it restricts ptrace through the kernel.yama.ptrace_scope sysctl and lets processes declare who may trace them via the PR_SET_PTRACER prctl(2) option.
  64. Installed from the iso installer, checked with sudo aa-status.
  65. linux-image-amd64 has the following configuration: 'CONFIG_SECURITY_LOCKDOWN_LSM=y', 'CONFIG_SECURITY_LOCKDOWN_LSM_EARLY=y', 'CONFIG_LSM="lockdown,yama,loadpin,safesetid,integrity,apparmor,selinux,smack,tomoyo"'. So on x86, lockdown is enabled by default if UEFI Secure Boot is on. Since PureOS supports UEFI Secure Boot, lockdown can be enabled by enabling Secure Boot, but it can't be deactivated easily if Secure Boot can't be turned off (it may be possible by passing a kernel argument through GRUB).
  66. On x86_64 there is no package for the Smack userspace utilities, and at least linux-libre-amd64 has '# CONFIG_SECURITY_SMACK is not set'.
  67. On x86_64 there is a tomoyo-tools package and at least the linux-libre-amd64 has 'CONFIG_SECURITY_TOMOYO=y'.
  68. On x86_64 at least linux-libre-amd64 has 'CONFIG_SECURITY_YAMA=y'. Yama needs no specific userspace tools: it restricts ptrace through the kernel.yama.ptrace_scope sysctl and lets processes declare who may trace them via the PR_SET_PTRACER prctl(2) option.
  69. checked by running 'grep LOCKDOWN */arch/arm/configs/lineageos_*' in kernel/samsung in the Replicant 6.0 source code.
  70. There is no information on how to disable it, so it's unknown whether we just need to edit some init files, or need to patch some files and recompile Replicant, etc. If you recompile Replicant 6.0, you will also have to generate scripts to migrate the data to your new signing key.
  71. checked by running 'grep SMACK */arch/arm/configs/lineageos_*' in kernel/samsung in the Replicant 6.0 source code.
  72. checked by running 'grep TOMOYO */arch/arm/configs/lineageos_*' in kernel/samsung in the Replicant 6.0 source code.
  73. checked by running 'grep YAMA */arch/arm/configs/lineageos_*' in kernel/samsung in the Replicant 6.0 source code.
  74. After running 'make ARCH=arm replicant_defconfig' in the kernel source, it creates a .config with 'CONFIG_LSM="lockdown,yama,loadpin,safesetid,integrity,selinux,smack,tomoyo,apparmor,bpf"' and '# CONFIG_SECURITY_LOCKDOWN_LSM is not set', so lockdown is disabled.
  75. After running 'make ARCH=arm replicant_defconfig' in the kernel source, it creates a .config with 'CONFIG_LSM="lockdown,yama,loadpin,safesetid,integrity,selinux,smack,tomoyo,apparmor,bpf"' and '# CONFIG_SECURITY_SMACK is not set', so Smack is disabled even though it is listed in CONFIG_LSM.
  76. After running 'make ARCH=arm replicant_defconfig' in the kernel source, it creates a .config with 'CONFIG_LSM="lockdown,yama,loadpin,safesetid,integrity,selinux,smack,tomoyo,apparmor,bpf"' and '# CONFIG_SECURITY_TOMOYO is not set', so tomoyo is disabled.
  77. After running 'make ARCH=arm replicant_defconfig' in the kernel source, it creates a .config with 'CONFIG_LSM="lockdown,yama,loadpin,safesetid,integrity,selinux,smack,tomoyo,apparmor,bpf"' and '# CONFIG_SECURITY_YAMA is not set', so yama is disabled.
  78. On Ubuntu AppArmor is enabled by default, and Trisquel is based on Ubuntu.
  79. linux-image-5.13.0-52-generic has the following on x86_64: 'CONFIG_SECURITY_LOCKDOWN_LSM=y', 'CONFIG_SECURITY_LOCKDOWN_LSM_EARLY=y' and 'CONFIG_LSM="lockdown,yama,integrity,apparmor"'. So at least on x86_64 lockdown is enabled by default if UEFI Secure Boot is on. However Trisquel 10 doesn't support UEFI Secure Boot, so we can assume it's disabled by default. Trisquel 10 also doesn't support i686, but it supports aarch64 and someone needs to check the status on aarch64. There is documentation on how to enable lockdown manually in the Security#Kernel_lockdown_mode Arch Linux wiki page.
  80. On x86_64 at least the linux-generic kernel has 'CONFIG_SECURITY_SMACK=y', but there is no package for the Smack userspace utilities.
  81. On x86_64 there is a tomoyo-tools package and at least the linux-generic kernel has 'CONFIG_SECURITY_TOMOYO=y'.
  82. On x86_64 at least the linux-generic kernel has 'CONFIG_SECURITY_YAMA=y'. Yama needs no specific userspace tools: it restricts ptrace through the kernel.yama.ptrace_scope sysctl and lets processes declare who may trace them via the PR_SET_PTRACER prctl(2) option.