Group: Software/FSDG distributions/Security

From LibrePlanet
(Repdoducible builds and bootstrapable builds: fix copy-paste leftovers)
(Access control: Update apparmor status)
Line 192: Line 192:
 
|-
 
|-
 
! Guix
 
! Guix
| {{no}}<ref>Guix has some [https://packages.guix.gnu.org/search/?query=apparmor apparmor related packages] and its kernel also has apparmor available. Though it doesn't seem to have any profiles.</ref>
+
| {{no}}<ref>Guix has the [https://packages.guix.gnu.org/search/?query=apparmor apparmor related packages] with some basic apparmor profiles inside, and its kernel also has apparmor available. However at the time of writing [https://guix.gnu.org/en/manual/devel/en/guix.html the Guix manual] has no information at all about apparmor, and there is no service definition for it. In addition apparmor would probably need a way to find its profiles installed by other packages than apparmor. And finally some packages like hplip don't install yet apparmor profiles.</ref>
 
| {{no}}<ref>https://guix.gnu.org/en/manual/devel/en/guix.html#SELinux-Support</ref>
 
| {{no}}<ref>https://guix.gnu.org/en/manual/devel/en/guix.html#SELinux-Support</ref>
 
|-
 
|-
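Review bot: the new Guix footnote dates its claims only as "at the time of writing", so nothing in the cell tells a reader which Guix revision or manual version was checked; add the date or version next to that phrase. In the same footnote, "apparmor would probably need a way to find its profiles installed by other packages than apparmor" should say whether this was tested or is a guess, and "don't install yet apparmor profiles" reads better as "don't yet install apparmor profiles".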
Line 204: Line 204:
 
|-
 
|-
 
! Parabola
 
! Parabola
| ?
+
| {{yes|Can be enabled}}<ref>The Parabola kernel has apparmor, and the apparmor package (and various other packages) ship profiles in /etc/apparmor.d. There is also some documentation in the [https://wiki.archlinux.org/title/AppArmor AppArmor] Arch Linux wiki page.</ref>
 
| {{no}}<ref>Parabola has some SELinux related packages in the pcr repository, but they were only added to enable the development of SELinux policies for other distributions (Replicant). At the time of writing Parabola still doesn't have proper SELinux integration.</ref>
 
| {{no}}<ref>Parabola has some SELinux related packages in the pcr repository, but they were only added to enable the development of SELinux policies for other distributions (Replicant). At the time of writing Parabola still doesn't have proper SELinux integration.</ref>
 
|-
 
|-
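Review bot: the Parabola cell moves from "?" to {{yes|Can be enabled}}, but the footnote only establishes that the kernel has apparmor and that profiles are shipped in /etc/apparmor.d, then points to the Arch Linux wiki; it does not say that enabling was actually tried on Parabola. State whether the Arch instructions were followed on a Parabola install, and name at least one of the "various other packages" that ship profiles so the claim can be checked.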

Revision as of 12:20, 28 February 2023

Introduction

This page tracks the progress of FSDG distributions with regard to reproducible builds, bootstrappable builds and other similar security features.

Distributing software

Releases and signatures

Distribution | Signed installers | Comments
Dragora 3.0-beta1 | Checksums only[1] |
  • There are instructions to build the release yourself, but there are no instructions to verify the source code.
  • As a workaround, it might be possible to download the checksums through various ways (using multiple Tor routes, local connection) and compare them. Also make sure to download the checksums from the official website or a trusted mirror.
Dynebolic 3.0-beta | Broken: signed broken checksums (md5)[2] | You could still download the images multiple times and compare them with cmp, though that is far from ideal.
Guix 1.4.0 | Yes, signed images[3] |
Guix "latest" | No[4] | Workaround: Use Guix 1.4.0 and update it.
Hyperbola v0.4.2 | Yes, signed images[5] |
LibreCMC | Yes, signed checksums[6] |
Parabola | Yes[7] |
ProteanOS | Yes: signed ProteanOS Development Kit commits[8] |
PureOS 10 (byzantium) | Checksums only.[9] |
  • Workaround: Install PureOS from Parabola with debootstrap and pureos-archive-keyring
  • As a workaround, it might also be possible to download the checksums through various ways (using multiple Tor routes, local connection) and compare them. Also make sure to download the checksums from the official website or a trusted mirror.
Replicant 6.0 0004 | Yes, signed images[10] |
Trisquel 10.0.1 | Yes, signed images[11] |
Ututo S | No: broken checksums (md5) only[12] | You could still download the images multiple times and compare them with cmp, though that is far from ideal.
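
The multi-route comparison suggested above for checksum-only releases, as an added example that is not part of the original page: it accepts an image only if every independently fetched copy of the checksum file is byte-identical and the image's hash matches the listed one. The function name, the file names and the sha256sum-format checksum file are assumptions; fetching each copy (Tor route, local connection, mirror) is done beforehand.

```shell
#!/bin/sh
# Added example: accept an image only when all independently downloaded
# copies of the checksum file agree and the image matches them.
# Assumption: checksum files use the sha256sum format "<hash>  <filename>"
# and file names contain no spaces.

# verify_multiroute IMAGE SUMS_COPY_1 SUMS_COPY_2 [SUMS_COPY_N...]
# Returns 0 = verified, 1 = copies disagree, 2 = image mismatch, 3 = bad input.
verify_multiroute() {
    [ "$#" -ge 3 ] || { echo "need an image and at least two checksum copies" >&2; return 3; }
    image=$1; shift
    first=$1
    [ -f "$image" ] || { echo "missing image: $image" >&2; return 3; }
    for copy in "$@"; do
        [ -s "$copy" ] || { echo "missing or empty: $copy" >&2; return 3; }
        # cmp -s is silent and exits non-zero as soon as one byte differs.
        if ! cmp -s "$first" "$copy"; then
            echo "checksum copies differ: $first vs $copy" >&2
            return 1
        fi
    done
    name=$(basename "$image")
    # Pick the hash listed for this file (binary mode prefixes the name with '*').
    expected=$(awk -v n="$name" '$2 == n || $2 == ("*" n) { print $1; exit }' "$first")
    [ -n "$expected" ] || { echo "$name not listed in $first" >&2; return 2; }
    actual=$(sha256sum "$image" | awk '{ print $1 }')
    [ "$expected" = "$actual" ] || { echo "hash mismatch for $name" >&2; return 2; }
    return 0
}
```

Agreement across routes only shows that no single network path altered the checksum file; it does not replace a signature made by the distribution.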

Development source code and signatures

Distribution | Signed development source code
Dragora | ?
Dynebolic | ?
Guix | Yes, signed commits, authentication tool and instructions[13]
Hyperbola | ?
LibreCMC | ?
Parabola | No policy requiring signed commits
ProteanOS | Yes: signed commit and verification instructions.[14]
PureOS | ?
Replicant | No policy requiring signed commits
Trisquel | ?
Ututo S | ?

Reproducible builds and bootstrappable builds

Distribution | Reproducible builds officially supported[15] | Comments
Dragora | ? |
  • Not mentioned in the list of projects supporting reproducible builds[16].
Dynebolic | ? |
  • Not mentioned in the list of projects supporting reproducible builds[16].
Guix | Yes |
  • Encourages all users to use the guix challenge command to check the reproducibility of builds; builds are supposed to be reproducible for all users (independently of the specific CPU, username, etc.)
  • Goes beyond reproducible builds and has efforts to make Guix bootstrappable
  • Mentioned in the list of projects supporting reproducible builds[16].
Hyperbola | ? |
  • Not mentioned in the list of projects supporting reproducible builds[16], but Arch Linux is mentioned there, so maybe it's easier to add reproducible builds to Hyperbola.
LibreCMC | ? |
  • Not mentioned in the list of projects supporting reproducible builds[16], but OpenWRT is mentioned, so it might be easier to add reproducible builds to LibreCMC.
Parabola | ? |
  • Not mentioned in the list of projects supporting reproducible builds[16], but Arch Linux is mentioned there, and for x86_64 some of the stock Arch Linux packages are reused. So at least part of Parabola is reproducible.
  • It has a wiki page with a plan to add reproducible builds[17], but it needs people to research how to add reproducible builds and to implement it.
  • Arch Linux status: https://tests.reproducible-builds.org/archlinux/archlinux.html
ProteanOS | ? |
  • Not mentioned in the list of projects supporting reproducible builds[16].
PureOS | ? |
  • Not mentioned in the list of projects supporting reproducible builds[16], but Debian is mentioned there, so maybe it's easier to add reproducible builds to PureOS.
Replicant | not yet |
  • Not using the Android prebuilt toolchain is the first priority, then we probably need to find out how to activate reproducible builds when building releases.
  • Not mentioned in the list of projects supporting reproducible builds[16].
Trisquel | ? |
  • Not mentioned in the list of projects supporting reproducible builds[16], and Ubuntu is not mentioned there either, but Debian is mentioned, so maybe it's easier to add reproducible builds to Trisquel.
Ututo S | ? |
  • Not mentioned in the list of projects supporting reproducible builds[16].

Security features

Access control

Distribution | Apparmor | SELinux
Dragora | ? | ?
Dynebolic | ? | ?
Guix | No[18] | No[19]
Hyperbola | ? | ?
LibreCMC | ? | ?
Parabola | Can be enabled[20] | No[21]
ProteanOS | ? | ?
PureOS | ? | Can be enabled
Replicant 6.0 | No | Yes, difficult to disable
Replicant 11 | No | No
Trisquel 10 (nabia) | Enabled by default, easy to disable[22] | Can be enabled
Ututo S | ? | ?
  1. https://mirror.fsf.org/dragora/v3/iso/beta1/
  2. https://files.dyne.org/dynebolic/
  3. https://guix.gnu.org/en/download/
  4. https://guix.gnu.org/en/download/latest/
  5. https://wiki.hyperbola.info/doku.php?id=en:manual:verify_live_images
  6. signed checksums: https://librecmc.org/librecmc/downloads/snapshots/v1.5.12/targets/ath79/generic/
  7. https://wiki.parabola.nu/Get_Parabola
  8. http://proteanos.com/doc/install/prokit/
  9. https://downloads.puri.sm/byzantium/gnome/2022-06-02/
  10. https://ftp.osuosl.org/pub/replicant/images/replicant-6.0/0004/images/
  11. https://cdimage.trisquel.info/trisquel-images/
  12. http://www.ututo.org/downloads/
  13. https://guix.gnu.org/en/manual/devel/en/guix.html#Building-from-Git
  14. http://proteanos.com/doc/install/prokit/
  15. If reproducible builds are officially supported, we should be able to open bugs about non-reproducible packages and/or send patches to fix them. If they are not supported, we could instead try to send patches to enable reproducible builds and/or help the distribution support them.
  16. The official list of projects supporting reproducible builds is at https://reproducible-builds.org/projects/ . Note that not all these projects are FSDG compliant and that some might even contain nonfree software and other really problematic issues.
  17. https://wiki.parabola.nu/Reproducible_Builds
  18. Guix has the apparmor related packages with some basic apparmor profiles inside, and its kernel also has apparmor available. However, at the time of writing the Guix manual has no information at all about apparmor, and there is no service definition for it. In addition, apparmor would probably need a way to find the profiles installed by packages other than apparmor. And finally, some packages like hplip don't yet install apparmor profiles.
  19. https://guix.gnu.org/en/manual/devel/en/guix.html#SELinux-Support
  20. The Parabola kernel has apparmor, and the apparmor package (and various other packages) ship profiles in /etc/apparmor.d. There is also some documentation in the AppArmor Arch Linux wiki page.
  21. Parabola has some SELinux related packages in the pcr repository, but they were only added to enable the development of SELinux policies for other distributions (Replicant). At the time of writing Parabola still doesn't have proper SELinux integration.
  22. On Ubuntu apparmor is enabled by default, and Trisquel is based on Ubuntu.