Group: Software/FSDG distributions/Security
From LibrePlanet
(→Repdoducible builds and bootstrapable builds: fix copy-paste leftovers) |
(→Access control: Update apparmor status) |
||
Line 192: | Line 192: | ||
|- | |- | ||
! Guix | ! Guix | ||
− | | {{no}}<ref>Guix has | + | | {{no}}<ref>Guix has the [https://packages.guix.gnu.org/search/?query=apparmor apparmor related packages] with some basic apparmor profiles inside, and its kernel also has apparmor available. However at the time of writing [https://guix.gnu.org/en/manual/devel/en/guix.html the Guix manual] has no information at all about apparmor, and there is no service definition for it. In addition apparmor would probably need a way to find its profiles installed by other packages than apparmor. And finally some packages like hplip don't install yet apparmor profiles.</ref> |
| {{no}}<ref>https://guix.gnu.org/en/manual/devel/en/guix.html#SELinux-Support</ref> | | {{no}}<ref>https://guix.gnu.org/en/manual/devel/en/guix.html#SELinux-Support</ref> | ||
|- | |- | ||
Line 204: | Line 204: | ||
|- | |- | ||
! Parabola | ! Parabola | ||
− | | | + | | {{yes|Can be enabled}}<ref>The Parabola kernel has apparmor, and the apparmor package (and various other packages) ship profiles in /etc/apparmor.d. There is also some documentation in the [https://wiki.archlinux.org/title/AppArmor AppArmor] Arch Linux wiki page.</ref> |
| {{no}}<ref>Parabola has some SELinux related packages in the pcr repository, but they were only added to enable the development of SELinux policies for other distributions (Replicant). At the time of writing Parabola still doesn't have proper SELinux integration.</ref> | | {{no}}<ref>Parabola has some SELinux related packages in the pcr repository, but they were only added to enable the development of SELinux policies for other distributions (Replicant). At the time of writing Parabola still doesn't have proper SELinux integration.</ref> | ||
|- | |- |
Revision as of 12:20, 28 February 2023
Contents
Introduction
This page tracks the progress of FSDG distributions with regard to reproducible builds, bootstrapable builds and other similar security features.
Distributing software
Releases and signatures
Distribution | Signed installers | Comments |
---|---|---|
Dragora 3.0-beta1 | Checksums only[1] |
|
Dynebolic 3.0-beta | Broken: signed broken checksums (md5)[2] | You could still download the images multiple time and compare them with cmp. Though it's far from ideal. |
Guix 1.4.0 | Yes, signed images[3] | |
Guix "latest" | No[4] | Workaround: Use Guix 1.4.0 and update it. |
Hyperbola v0.4.2 | Yes, signed images[5] | |
LibreCMC | Yes, signed checksums[6] | |
Parabola | Yes[7] | |
ProteanOS | Yes: signed ProteanOS Development Kit commits[8] | |
PureOS 10 (byzantium) | Checksums only.[9] |
|
Replicant 6.0 0004 | Yes, signed images[10] | |
Trisquel 10.0.1 | Yes, signed images[11] | |
Ututo S | No: broken checksums (md5) only[12] | You could still download the images multiple time and compare them with cmp. Though it's far from ideal. |
Development source code and signatures
Distribution | Signed development source code |
---|---|
Dragora | ? |
Dynebolic | ? |
Guix | Yes, signed commits, authentication tool and instructions[13] |
Hyperbola | ? |
LibreCMC | ? |
Parabola | No policies requiring to sign commits |
ProteanOS | Yes: signed commit and verification instructions.[14] |
PureOS | ? |
Replicant | No policies requiring to sign commits |
Trisquel | ? |
Ututo S | ? |
Repdoducible builds and bootstrapable builds
Distribution | Reproducible builds officially supported[15] | Comments |
---|---|---|
Dragora | ? |
|
Dynebolic | ? |
|
Guix | Yes |
|
Hyperbola | ? |
|
LibreCMC | ? |
|
Parabola | ? |
|
ProteanOS | ? |
|
PureOS | ? |
|
Replicant | not yet |
|
Trisquel | ? |
|
Ututo S | ? |
|
Security features
Access control
Distribution | Apparmor | SELinux |
---|---|---|
Dragora | ? | ? |
Dynebolic | ? | ? |
Guix | No[18] | No[19] |
Hyperbola | ? | ? |
LibreCMC | ? | ? |
Parabola | Can be enabled[20] | No[21] |
ProteanOS | ? | ? |
PureOS | ? | Can be enabled |
Replicant 6.0 | No | Yes, difficult to disable |
Replicant 11 | No | No |
Trisquel 10 (nabia) | Enabled by default, easy to disable[22] | Can be enabled |
Ututo S | ? | ? |
- ↑ https://mirror.fsf.org/dragora/v3/iso/beta1/
- ↑ https://files.dyne.org/dynebolic/
- ↑ https://guix.gnu.org/en/download/
- ↑ https://guix.gnu.org/en/download/latest/
- ↑ https://wiki.hyperbola.info/doku.php?id=en:manual:verify_live_images
- ↑ signed checksums: https://librecmc.org/librecmc/downloads/snapshots/v1.5.12/targets/ath79/generic/
- ↑ https://wiki.parabola.nu/Get_Parabola
- ↑ http://proteanos.com/doc/install/prokit/
- ↑ https://downloads.puri.sm/byzantium/gnome/2022-06-02/
- ↑ https://ftp.osuosl.org/pub/replicant/images/replicant-6.0/0004/images/
- ↑ https://cdimage.trisquel.info/trisquel-images/
- ↑ http://www.ututo.org/downloads/
- ↑ https://guix.gnu.org/en/manual/devel/en/guix.html#Building-from-Git
- ↑ http://proteanos.com/doc/install/prokit/
- ↑ If reproducible builds officially supported, we should be able to open bugs about non reproducible packages and/or send patches to fix them. If it is not supported we could try to send patches to enable reproducible builds and/or help the distribution supporting it instead.
- ↑ 16.0016.0116.0216.0316.0416.0516.0616.0716.0816.0916.10 The official lists of projects supporting reproducible is at https://reproducible-builds.org/projects/ . Note that not all theses projects are FSDG compliant and that some might even contain nonfree software and other really problematic issues.
- ↑ https://wiki.parabola.nu/Reproducible_Builds
- ↑ Guix has the apparmor related packages with some basic apparmor profiles inside, and its kernel also has apparmor available. However at the time of writing the Guix manual has no information at all about apparmor, and there is no service definition for it. In addition apparmor would probably need a way to find its profiles installed by other packages than apparmor. And finally some packages like hplip don't install yet apparmor profiles.
- ↑ https://guix.gnu.org/en/manual/devel/en/guix.html#SELinux-Support
- ↑ The Parabola kernel has apparmor, and the apparmor package (and various other packages) ship profiles in /etc/apparmor.d. There is also some documentation in the AppArmor Arch Linux wiki page.
- ↑ Parabola has some SELinux related packages in the pcr repository, but they were only added to enable the development of SELinux policies for other distributions (Replicant). At the time of writing Parabola still doesn't have proper SELinux integration.
- ↑ On Ubuntu apparmor is enabled by default, and Trisquel is based on Ubuntu.