Group: Software/FSDG distributions/Security

Latest revision as of 21:06, 11 May 2026

Introduction

This page tracks the progress of FSDG distributions with regard to reproducible builds, bootstrapable builds and other similar security features.

Distributing software

Releases and signatures

Distribution	Signed installers	Comments
Dragora 3.0-beta2	Yes, signed images^[1].
Dynebolic 4.0.0-beta	Yes, signed images^[2]
Guix 1.5.0	Yes, signed images^[3]
Guix "latest"	No^[4]	Workaround: Use Guix 1.5.0 and update it.
Hyperbola v0.4.2	Yes, signed images^[5]
LibreCMC	Yes, signed checksums^[6]
Parabola	Yes^[7]
ProteanOS	Yes: signed ProteanOS Development Kit commits^[8]
PureOS 10 (byzantium)	Checksums only.^[9]	Workaround: Install PureOS from Guix or Parabola with debootstrap and pureos-archive-keyring As a workaround it might also be possible to download the checksums through various ways (using multiple Tor routes, local connection), and compare them. Also make sure to download the checksums from the official website or a trusted mirror.
PureOS 11 (crimson)	Checksums only.^[10]	Workaround: Install PureOS from Guix or Parabola with debootstrap and pureos-archive-keyring As a workaround it might also be possible to download the checksums through various ways (using multiple Tor routes, local connection), and compare them. Also make sure to download the checksums from the official website or a trusted mirror.
Replicant 6.0 0004	Yes, signed images^[11]
Trisquel 11 (aramo)	Yes, signed images^[12]
Trisquel 12 (ecne)	Yes, signed images^[13]
Ututo S	No: broken checksums (md5) only^[14]	You could still download the images multiple time and compare them with cmp. Though it's far from ideal.

Development source code and signatures

Distribution	Signed development source code
Dragora	No policies requiring to sign commits ^[15].
Dynebolic	?
Guix	Yes, signed commits, authentication tool and instructions^[16]
Hyperbola	?
LibreCMC	?
Parabola	No policies requiring to sign commits
ProteanOS	Yes: signed commit and verification instructions.^[17]
PureOS	?
Replicant	No policies requiring to sign commits^[15]^[18].
Trisquel	?
Ututo S	?

Security updates and packages

Distribution	Security updates available	Automatic security updates	Tools to check for CVEs	Signed packages	Protection against mirrors with outdated packages	Known security issues	Security related bug reports	Comments
Dragora 3.0-beta1
Dynebolic 4.0.0-beta	No^[19]	No^[20]				No security updates
Guix 1.5.0	No^[21]	No^[22]	yes: guix lint	Yes	Yes: The package definition come directly from Guix through HTTPS and are signed.^[23] Mirrors build packages and the signatures are enforced. Guix challenge can be used to check if the packages are reproducible.	No security updates		Guix 1.5.0 can easily be updated to Guix "latest".
Guix "latest"	Yes	can be enabled^[24]	yes: guix lint	Yes	Yes: The package definition come directly from Guix through HTTPS and are signed.^[25] Mirrors build packages and the signatures are enforced. Guix challenge can be used to check if the packages are reproducible.		link
Hyperbola v0.4.2				Yes^[26]	No: All mirrors use https or onion^[27] Trusts secondary mirrors for packages database: uses secondary mirrors first^[28] It Doesn't enforce package database signatures^[29]
LibreCMC
Parabola	Yes	No^[30]	?	Yes^[31]	partial: Mirror redirection for packages that also uses https.^[32] Doesn't enforce package database signatures^[33]	boot flow hijack possible in some situations	packages documentation
ProteanOS
PureOS 10 (byzantium)	Yes	can be enabled^[34]		Yes
Replicant 6.0 0004	Very few security updates^[35]	No^[36]	No	N/A (no packages)	N/A (no packages)	Based on Android 6.0 which is not maintained anymore Use an old version of Webview which is full of security vulnerabilities. Many applications use the builtin Webview, including non-browser applications.
Trisquel 10 (nabia)	Yes	can be enabled^[37]		Yes
Trisquel 11 (aramo)	Yes	can be enabled^[38]		Yes
Ututo S

Repdoducible builds and bootstrapable builds

Distribution	Reproducible builds officially supported^[39]	Comments
Dragora	No	Not mentioned in the list of project supporting reproducible builds^[40].
Dynebolic	No	Not mentioned in the list of project supporting reproducible builds^[40].
Guix	Yes	Encourage any users to use the Guix challenge command to check the reproducibility of builds, and builds are supposed to be reproducible for all users (independently of the specific CPU, username, etc) Part of Guix is now bootstrapable.^[41]. Mentioned in the list of project supporting reproducible builds^[40].
Hyperbola	No	Not mentioned in the list of project supporting reproducible builds^[40] but Arch Linux is mentioned there so maybe it's easier to add reproducible builds to Hyperbola.
LibreCMC	No	Not mentioned in the list of project supporting reproducible builds^[40] but OpenWRT is mentioned, so it might be easier to add reproducible builds to LibreCMC.
Parabola	partial (Arch packages only)	Not mentioned in the list of project supporting reproducible builds^[40] but Arch Linux is mentioned there, and for x86_64 some of the stock Arch Linux are reused. So at least part of Parabola is reproducible. It has a wiki page that has a plan to add reproducible builds^[42] but it needs people to work on actually doing some research on how to add reproducible builds and to implement it. Arch Linux status: https://tests.reproducible-builds.org/archlinux/archlinux.html
ProteanOS	No	Not mentioned in the list of project supporting reproducible builds^[40].
PureOS	No	Not mentioned in the list of project supporting reproducible builds^[40] but Debian is mentioned there so maybe it's easier to add reproducible builds to PureOS.
Replicant	No	Not using the Android prebuilt toolchain is the first priority, then we probably need to find how to activate reproducible builds when building releases. Not mentioned in the list of project supporting reproducible builds^[40].
Trisquel	Yes	Mentioned in the list of project supporting reproducible builds^[40]. Does cross-distribution reproducibility tests with Ubuntu
Ututo S	No	Not mentioned in the list of project supporting reproducible builds^[40].

Note that a "Yes" for reproducible means that the distribution cares about reproducibility.

So volunteers are welcome to report bugs on specific packages and/or to help fixing these bugs (maintainers also don't have an infinite time).

If we look in more details at the status of reproducibility, what "reproducible" means can vary a lot across time and distributions or operating systems.

Most distribution take 2 different setup and have some variations (like a different hostname, time of build, etc) and see if they manage to reproduce the same binary.

But some distributions have way more variations than that. For instance Guix have packages that can be reproduced with Guix being built differently (like the Guix being built by Trisquel, and the one being built by Guix).

So in these cases the binaries that are reproducible are safer as they are less likely to have malicious modifications when the whole compilation chain has been done from multiple distributions because according to the Trusting Trust paper, if the binary is the same, it either has the same malicious modification(s) or no malicious modifications. And carrying around the same malicious modification across widely different distributions and architectures is probably harder to achieve than to do it on a single distribution.

Security features

Access control

Distribution	Apparmor	Lockdown	SELinux	Smack	Tomoyo	Yama
Dragora	No^[43]	?	No^[44]	No^[45]	No^[46]	No^[47]
Dynebolic	?	?	?	?	?	?
Guix	No^[48]	No^[49]	No^[50]	No^[51]	No^[52]	Yes^[53]
Hyperbola	No^[54]	No^[55]	No^[56]	No^[57]	No^[58]	Yes^[59]
LibreCMC	?	?	?	?	?	?
Parabola	Can be enabled^[60]	Can be enabled on x86^[61]	No^[62]	No^[63]	Can be enabled for x86_64 and i686^[64]	Yes^[65]
ProteanOS	?	?	?	?	?	?
PureOS 10 (byzantium)	Enabled by default, easy to disable^[66]	Can be enabled on x86_64^[67]	Can be enabled	No^[68]	Can be enabled^[69]	Yes^[70]
Replicant 6.0	No	No^[71]	Yes, difficult to disable^[72]	No^[73]	No^[74]	No^[75]
Replicant 11	No	No^[76]	No	No^[77]	No^[78]	No^[79]
Trisquel 12 (ecne)	Enabled by default, easy to disable^[80]	Can be enabled at least on x86^[81]	Can be enabled	No^[82]	Can be enabled^[83]	Yes^[84]
Ututo S	?	?	?	?	?	?

↑ Signing key: https://keyserver.ubuntu.com/pks/lookup?op=get&search=0x35bdb9d46b56b5facb647c9b3aaf1cec203a99d5
↑ See Group:Software/FSDG_distributions/Dynebolic_signing_key for the public key that signed the images.
↑ https://guix.gnu.org/en/download/
↑ https://guix.gnu.org/en/download/latest/
↑ https://wiki.hyperbola.info/doku.php?id=en:manual:verify_live_images
↑ signed checksums: https://librecmc.org/librecmc/downloads/snapshots/v1.5.12/targets/ath79/generic/
↑ https://wiki.parabola.nu/Get_Parabola
↑ http://proteanos.com/doc/install/prokit/
↑ https://downloads.puri.sm/byzantium/gnome/2023-06-14/ . There is also a bugreport about it.
↑ https://downloads.puri.sm/crimson/gnome/2024-05-10/ . There is also a bugreport about it.
↑ https://ftp.osuosl.org/pub/replicant/images/replicant-6.0/0004/images/
↑ https://cdimage.trisquel.info/trisquel-images/
↑ https://cdimage.trisquel.info/trisquel-images/
↑ http://www.ututo.org/downloads/
↑ ^15.0^15.1 Most commits are signed by the maintainer but other commits are not signed and there are no documented policies requiring to sign commits.
↑ https://guix.gnu.org/en/manual/devel/en/guix.html#Building-from-Git
↑ http://proteanos.com/doc/install/prokit/
↑ Replicant also consist of many repositories, and even if all commits were or are signed, it would be complicated to verify each repository without any tools for that. While in theory Replicant has a manifest file with repositories and commits/branches to use, it doesn't always use fixe revisions as this makes rebasing the changes easier. In addition there are Apache rewrite rules in place to redirect repositories when they were renamed between Android versions, so that also complicates things.
↑ From free-distros.html" "This is a “static” distro, normally run from a live CD. Since it will not receive security updates, it should be used offline."
↑ From free-distros.html" "This is a “static” distro, normally run from a live CD. Since it will not receive security updates, it should be used offline."
↑ There is no backport of the security fixes to stable releases. Instead users are encouraged to run guix pull to get the latest Guix version along with security fixes.
↑ There is no backport of the security fixes to stable releases. Instead users are encouraged to run guix pull to get the latest Guix version along with security fixes.
↑ The Guix channel is https://git.savannah.gnu.org/git/guix.git and channels signatures are enforced. If builders don't have a given package, the computer running guix will try to compile that package instead.
↑ The Guix manual explains how to enable unattended upgrades
↑ The Guix channel is https://git.savannah.gnu.org/git/guix.git and channels signatures are enforced. If builders don't have a given package, the computer running guix will try to compile that package instead.
↑ /etc/pacman.conf has the following:
SigLevel = Required DatabaseOptional
LocalFileSigLevel = Optional
↑ reference: https://repo.hyperbola.info:50000/other/mirrorlist/mirrorlist.txt
↑ Reference: the default /etc/pacman.d/mirrorlist
↑ Reference: /etc/pacman.conf has "SigLevel = [...] DatabaseOptional"
↑ Any kind of automatic updates are very very strongly discouraged. Even completely unofficial software to do that warn users very strongly and put a lot of mechanisms in place to make sure that users will be aware that this will break their system at some point.
↑ /etc/pacman.conf has the following by default:
SigLevel = Required DatabaseOptional
LocalFileSigLevel = Optional
↑ According to the default /etc/pacman.d/mirrorlist, it only uses "https://redirector.parabola.nu/$repo/os/$arch".
↑ However even if the redirector uses https, the package database signatures are not enforced since Parabola has "SigLevel = [...] DatabaseOptional" in /etc/pacman.conf by default.
↑ This can be done by installing and configuring the unattended-upgrades package
↑ In the latest Replicant 6.0 releases, only serious privacy issues were fixed. Since it's based on unmaintained Android versions its contributors cannot fix security updates without porting Replicant to newer Android versions.
↑ Users are expected to manually install new releases.
↑ This can be done by installing and configuring the unattended-upgrades package
↑ This can be done by installing and configuring the unattended-upgrades package
↑ If reproducible builds officially supported, the distribution should be listed on https://reproducible-builds.org, users should be able to open bugs about non reproducible packages and/or send patches to fix them. If it is not supported we could try to send patches to enable reproducible builds and/or help the distribution supporting it instead.
↑ ^40.00^40.01^40.02^40.03^40.04^40.05^40.06^40.07^40.08^40.09^40.10 The official lists of projects supporting reproducible is at https://reproducible-builds.org/who/projects/ . Note that not all theses projects are FSDG compliant and that some might even contain nonfree software and other really problematic issues.
↑ Guix can now bootstrap its C toolchain (see The Full-Source Bootstrap: Building from source all the way down for more details), but some languages are not bootstraped yet (vala, Haskell, etc). See Group:Software/research/ProgrammingLanguages#Guix_status for more details.
↑ https://wiki.parabola.nu/Reproducible_Builds
↑ Dragora currently has 'CONFIG_SECURITY_APPARMOR is not set' inside config-amd64_generic
↑ Dragora currently has 'CONFIG_SECURITY_SELINUX is not set' inside config-amd64_generic
↑ Dragora currently has 'CONFIG_SECURITY_SMACK is not set' inside config-amd64_generic
↑ Dragora currently has 'CONFIG_SECURITY_TOMOYO is not set' inside config-amd64_generic
↑ Dragora currently has 'CONFIG_SECURITY_YAMA is not set' inside config-amd64_generic
↑ Guix has the AppArmor related packages with some basic AppArmor profiles inside, and its kernel also has AppArmor available. However at the time of writing the Guix manual has no information at all about AppArmor, and there is no service definition for it. In addition, AppArmor would probably need a way to find its profiles installed by other packages than AppArmor. And finally, some packages like hplip don't install yet AppArmor profiles.
↑ git grep -i lockdown in guix source code shows 'CONFIG_SECURITY_LOCKDOWN_LSM is not set'
↑ While there are SELinux policies for Guix, they are meant to use with a host distribution that supports SELinux. In addition there are many limitations that prevent this policy to make it practical or secure to use Guix. See the SELinux Support part in the Guix manual for more details.
↑ On x86_64 the kernel has 'CONFIG_SECURITY_SMACK=y' but there is no package for the smack userspace utilities.
↑ No tomoyo package
↑ On x86_64 the kernel has 'CONFIG_SECURITY_YAMA=y' and Yama doesn't seem specific userspace tools. Instead it adds system calls to enable processes to better protect themselves.
↑ Hyperbola has no apparmor package: https://www.hyperbola.info/packages/?q=apparmor
↑ It seems that Hyperbola only has 1 kernel package: linux-libre-lts. linux-libre-lts's both i686 configuration and x86_64 configuration have '# CONFIG_SECURITY_LOCKDOWN_LSM is not set'.
↑ It seems that Hyperbola only has 1 kernel package: linux-libre-lts. linux-libre-lts's both i686 configuration and x86_64 configuration have 'CONFIG_LSM="lockdown,yama,loadpin,safesetid,integrity"' and no CONFIG_SECURITY_SELINUX.
↑ It seems that Hyperbola only has 1 kernel package: linux-libre-lts. linux-libre-lts's both i686 configuration and x86_64 configuration have '# CONFIG_SECURITY_SMACK is not set'. In addition there is no package for the smack userspace utilities.
↑ It seems that Hyperbola only has 1 kernel package: linux-libre-lts. linux-libre-lts's both i686 configuration and x86_64 configuration have '# CONFIG_SECURITY_TOMOYO is not set'.
↑ It seems that Hyperbola only has 1 kernel package: linux-libre-lts. linux-libre-lts's both i686 configuration and x86_64 configuration have 'CONFIG_SECURITY_YAMA=y' and Yama doesn't seem specific userspace tools. Instead it adds system calls to enable processes to better protect themselves.
↑ The Parabola kernel has AppArmor, and the AppArmor package (and various other packages) ship profiles in /etc/apparmor.d. There is also some documentation in the AppArmor Arch Linux wiki page.
↑ linux-libre, linux-libre-lts and linux-libre-vanilla have the following configuration for i686 and x86_64: 'CONFIG_SECURITY_LOCKDOWN_LSM=y', '# CONFIG_SECURITY_LOCKDOWN_LSM_EARLY is not set' and 'CONFIG_LSM="landlock,lockdown,yama,integrity,bpf'. So on x86, lockdown is enabled by default if UEFI secure boot is on. However Parabola doesn't support UEFI Secure boot so we can assume it's disabled by default. Lockdown is not available on armv7h as all armv7h/aarch64 kernel have 'CONFIG_SECURITY_LOCKDOWN_LSM is not set'. There is documentation on how to enable lockdown manually in the Security#Kernel_lockdown_mode ArchLinux wiki page.
↑ Parabola has some SELinux related packages in the pcr repository, but they were only added to enable the development of SELinux policies for other distributions (Replicant). At the time of writing Parabola still doesn't have proper SELinux integration.
↑ At least one kernel package has 'CONFIG_SECURITY_SMACK=y' but only for armv7h (armv7h configuration for linux-libre-vanilla). Both i696 and x86_64 linux-libre-vanilla kernels have '# CONFIG_DEFAULT_SECURITY_SMACK is not set' (x86_64 configuration for linux-libre-vanilla and i686 configuration for linux-libre-vanilla). There is also no packages for smack userspace utilities.
↑ There is a tomoyo-tools package and at least one kernel package has 'CONFIG_SECURITY_TOMOYO=y' (x86_64 configuration for linux-libre-vanilla and i686 configuration for linux-libre-vanilla), Some armv7h kernel configuration have '# CONFIG_SECURITY_TOMOYO is not set' though like armv7h configuration for linux-libre-vanilla).
↑ At least one kernel package has 'CONFIG_SECURITY_YAMA=y' for both x86_64 and i686 (x86_64 configuration for linux-libre-vanilla and i686 configuration for linux-libre-vanilla), Some armv7h kernel configuration have '# CONFIG_SECURITY_YAMA is not set' though like armv7h configuration for linux-libre-vanilla). Note that Yama doesn't seem specific userspace tools. Instead it adds system calls to enable processes to better protect themselves.
↑ Installed from the iso installer, checked with sudo aa-status.
↑ linux-image-amd64 has the following configuration for i686 and x86_64: 'CONFIG_SECURITY_LOCKDOWN_LSM=y', 'CONFIG_SECURITY_LOCKDOWN_LSM_EARLY=y', 'CONFIG_LSM="lockdown,yama,loadpin,safesetid,integrity,apparmor,selinux,smack,tomoyo"'. So on x86, lockdown is enabled by default if UEFI secure boot is on. Since PureOS supports UEFI Secure boot, it can be enabled if UEFI secure boot is enabled, but it can't be deactivated easily if UEFI secure boot can't be deactivated (it may be possible by passing kernel argument through grub).
↑ On x86_64 there no package for the userspace utilities and at least the linux-libre-amd64 has '# CONFIG_SECURITY_SMACK is not set'.
↑ On x86_64 there is a tomoyo-tools package and at least the linux-libre-amd64 has 'CONFIG_SECURITY_TOMOYO=y'.
↑ On x86_64 there at least the linux-libre-amd64 has 'CONFIG_SECURITY_YAMA=y' and Yama doesn't seem specific userspace tools. Instead it adds system calls to enable processes to better protect themselves.
↑ checked by running 'grep LOCKDOWN */arch/arm/configs/lineageos_*' in kernel/samsung in the Replicant 6.0 source code.
↑ There is no information on how to disable it so it's unknown if we just needs to edit some init files, or if we need to patch some files and recompile Replicant, etc. If you recompile Replicant 6.0, you will also have to generate scripts to migrate the data to your new signing key.
↑ checked by running 'grep SMACK */arch/arm/configs/lineageos_*' in kernel/samsung in the Replicant 6.0 source code.
↑ checked by running 'grep TOMOYO */arch/arm/configs/lineageos_*' in kernel/samsung in the Replicant 6.0 source code.
↑ checked by running 'grep YAMA */arch/arm/configs/lineageos_*' in kernel/samsung in the Replicant 6.0 source code.
↑ After running 'make ARCH=arm replicant_defconfig' in the kernel source, it creates a .config with 'CONFIG_LSM="lockdown,yama,loadpin,safesetid,integrity,selinux,smack,tomoyo,apparmor,bpf"' and '# CONFIG_SECURITY_LOCKDOWN_LSM is not set', so lockdown is disabled.
↑ After running 'make ARCH=arm replicant_defconfig' in the kernel source, it creates a .config with 'CONFIG_LSM="lockdown,yama,loadpin,safesetid,integrity,selinux,smack,tomoyo,apparmor,bpf"' and '# CONFIG_SECURITY_SMACK is not set', so yama is disabled.
↑ After running 'make ARCH=arm replicant_defconfig' in the kernel source, it creates a .config with 'CONFIG_LSM="lockdown,yama,loadpin,safesetid,integrity,selinux,smack,tomoyo,apparmor,bpf"' and '# CONFIG_SECURITY_TOMOYO is not set', so tomoyo is disabled.
↑ After running 'make ARCH=arm replicant_defconfig' in the kernel source, it creates a .config with 'CONFIG_LSM="lockdown,yama,loadpin,safesetid,integrity,selinux,smack,tomoyo,apparmor,bpf"' and '# CONFIG_SECURITY_YAMA is not set', so yama is disabled.
↑ On Ubuntu AppArmor is enabled by default, and Trisquel is based on Ubuntu.
↑ linux-image-6.17.0-23-generic has the following on x86_64: 'CONFIG_SECURITY_LOCKDOWN_LSM=y', 'CONFIG_SECURITY_LOCKDOWN_LSM_EARLY=y' and 'CONFIG_LSM="lockdown,yama,integrity,apparmor'. So at least on x86_64 lockdown is enabled by default if UEFI secure boot is on. However Trisquel 10 doesn't support UEFI Secure boot so we can assume it's disabled by default. Trisquel 10 also doesn't support i686 but it supports aarch64 and someone needs to check the status on aarch64. There is documentation on how to enable lockdown manually in the Security#Kernel_lockdown_mode ArchLinux wiki page.
↑ On x86_64 at least the linux-generic has 'CONFIG_SECURITY_SMACK=y' but there is no package for smack userspace utilities.
↑ On x86_64 there is a tomoyo-tools package and at least the linux-generic has 'CONFIG_SECURITY_TOMOYO=y'.
↑ On x86_64 at least the linux-generic has 'CONFIG_SECURITY_YAMA=y' and Yama doesn't seem specific userspace tools. Instead it adds system calls to enable processes to better protect themselves.

[1] Signing key: https://keyserver.ubuntu.com/pks/lookup?op=get&search=0x35bdb9d46b56b5facb647c9b3aaf1cec203a99d5

[2] See Group:Software/FSDG_distributions/Dynebolic_signing_key for the public key that signed the images.

[3] ttps://guix.gnu.org/en/download/

[4] ttps://guix.gnu.org/en/download/latest/

[5] ttps://wiki.hyperbola.info/doku.php?id=en:manual:verify_live_images

[6] signed checksums: https://librecmc.org/librecmc/downloads/snapshots/v1.5.12/targets/ath79/generic/

[7] ttps://wiki.parabola.nu/Get_Parabola

[8] ttp://proteanos.com/doc/install/prokit/

[9] ttps://downloads.puri.sm/byzantium/gnome/2023-06-14/ . There is also a bugreport about it.

[10] ttps://downloads.puri.sm/crimson/gnome/2024-05-10/ . There is also a bugreport about it.

[11] ttps://ftp.osuosl.org/pub/replicant/images/replicant-6.0/0004/images/

[12] ttps://cdimage.trisquel.info/trisquel-images/

[13] ttps://cdimage.trisquel.info/trisquel-images/

[14] ttp://www.ututo.org/downloads/

[signed-commits-but-no-policy-15] 15.0^15.1 Most commits are signed by the maintainer but other commits are not signed and there are no documented policies requiring to sign commits.

[16] ttps://guix.gnu.org/en/manual/devel/en/guix.html#Building-from-Git

[17] ttp://proteanos.com/doc/install/prokit/

[18] Replicant also consist of many repositories, and even if all commits were or are signed, it would be complicated to verify each repository without any tools for that. While in theory Replicant has a manifest file with repositories and commits/branches to use, it doesn't always use fixe revisions as this makes rebasing the changes easier. In addition there are Apache rewrite rules in place to redirect repositories when they were renamed between Android versions, so that also complicates things.

[19] From free-distros.html" "This is a “static” distro, normally run from a live CD. Since it will not receive security updates, it should be used offline."

[20] From free-distros.html" "This is a “static” distro, normally run from a live CD. Since it will not receive security updates, it should be used offline."

[21] There is no backport of the security fixes to stable releases. Instead users are encouraged to run guix pull to get the latest Guix version along with security fixes.

[22] There is no backport of the security fixes to stable releases. Instead users are encouraged to run guix pull to get the latest Guix version along with security fixes.

[23] The Guix channel is https://git.savannah.gnu.org/git/guix.git and channels signatures are enforced. If builders don't have a given package, the computer running guix will try to compile that package instead.

[24] The Guix manual explains how to enable unattended upgrades

[25] The Guix channel is https://git.savannah.gnu.org/git/guix.git and channels signatures are enforced. If builders don't have a given package, the computer running guix will try to compile that package instead.

[26] /etc/pacman.conf has the following:
SigLevel = Required DatabaseOptional
LocalFileSigLevel = Optional

[27] reference: https://repo.hyperbola.info:50000/other/mirrorlist/mirrorlist.txt

[28] Reference: the default /etc/pacman.d/mirrorlist

[29] Reference: /etc/pacman.conf has "SigLevel = [...] DatabaseOptional"

[30] Any kind of automatic updates are very very strongly discouraged. Even completely unofficial software to do that warn users very strongly and put a lot of mechanisms in place to make sure that users will be aware that this will break their system at some point.

[31] /etc/pacman.conf has the following by default:
SigLevel = Required DatabaseOptional
LocalFileSigLevel = Optional

[32] According to the default /etc/pacman.d/mirrorlist, it only uses "https://redirector.parabola.nu/$repo/os/$arch".

[33] However even if the redirector uses https, the package database signatures are not enforced since Parabola has "SigLevel = [...] DatabaseOptional" in /etc/pacman.conf by default.

[34] This can be done by installing and configuring the unattended-upgrades package

[35] In the latest Replicant 6.0 releases, only serious privacy issues were fixed. Since it's based on unmaintained Android versions its contributors cannot fix security updates without porting Replicant to newer Android versions.

[36] Users are expected to manually install new releases.

[37] This can be done by installing and configuring the unattended-upgrades package

[38] This can be done by installing and configuring the unattended-upgrades package

[supported-definition-39] If reproducible builds officially supported, the distribution should be listed on https://reproducible-builds.org, users should be able to open bugs about non reproducible packages and/or send patches to fix them. If it is not supported we could try to send patches to enable reproducible builds and/or help the distribution supporting it instead.

[reproducible-projects-list-40] 40.00^40.01^40.02^40.03^40.04^40.05^40.06^40.07^40.08^40.09^40.10 The official lists of projects supporting reproducible is at https://reproducible-builds.org/who/projects/ . Note that not all theses projects are FSDG compliant and that some might even contain nonfree software and other really problematic issues.

[41] Guix can now bootstrap its C toolchain (see The Full-Source Bootstrap: Building from source all the way down for more details), but some languages are not bootstraped yet (vala, Haskell, etc). See Group:Software/research/ProgrammingLanguages#Guix_status for more details.

[42] ttps://wiki.parabola.nu/Reproducible_Builds

[dragora-apparmor-43] Dragora currently has 'CONFIG_SECURITY_APPARMOR is not set' inside config-amd64_generic

[dragora-selinux-44] Dragora currently has 'CONFIG_SECURITY_SELINUX is not set' inside config-amd64_generic

[dragora-smack-45] Dragora currently has 'CONFIG_SECURITY_SMACK is not set' inside config-amd64_generic

[dragora-tomoyo-46] Dragora currently has 'CONFIG_SECURITY_TOMOYO is not set' inside config-amd64_generic

[dragora-yama-47] Dragora currently has 'CONFIG_SECURITY_YAMA is not set' inside config-amd64_generic

[48] Guix has the AppArmor related packages with some basic AppArmor profiles inside, and its kernel also has AppArmor available. However at the time of writing the Guix manual has no information at all about AppArmor, and there is no service definition for it. In addition, AppArmor would probably need a way to find its profiles installed by other packages than AppArmor. And finally, some packages like hplip don't install yet AppArmor profiles.

[49] t grep -i lockdown in guix source code shows 'CONFIG_SECURITY_LOCKDOWN_LSM is not set'

[50] While there are SELinux policies for Guix, they are meant to use with a host distribution that supports SELinux. In addition there are many limitations that prevent this policy to make it practical or secure to use Guix. See the SELinux Support part in the Guix manual for more details.

[51] On x86_64 the kernel has 'CONFIG_SECURITY_SMACK=y' but there is no package for the smack userspace utilities.

[52] No tomoyo package

[53] On x86_64 the kernel has 'CONFIG_SECURITY_YAMA=y' and Yama doesn't seem specific userspace tools. Instead it adds system calls to enable processes to better protect themselves.

[54] Hyperbola has no apparmor package: https://www.hyperbola.info/packages/?q=apparmor

[55] It seems that Hyperbola only has 1 kernel package: linux-libre-lts. linux-libre-lts's both i686 configuration and x86_64 configuration have '# CONFIG_SECURITY_LOCKDOWN_LSM is not set'.

[56] It seems that Hyperbola only has 1 kernel package: linux-libre-lts. linux-libre-lts's both i686 configuration and x86_64 configuration have 'CONFIG_LSM="lockdown,yama,loadpin,safesetid,integrity"' and no CONFIG_SECURITY_SELINUX.

[57] It seems that Hyperbola only has 1 kernel package: linux-libre-lts. linux-libre-lts's both i686 configuration and x86_64 configuration have '# CONFIG_SECURITY_SMACK is not set'. In addition there is no package for the smack userspace utilities.

[58] It seems that Hyperbola only has 1 kernel package: linux-libre-lts. linux-libre-lts's both i686 configuration and x86_64 configuration have '# CONFIG_SECURITY_TOMOYO is not set'.

[59] It seems that Hyperbola only has 1 kernel package: linux-libre-lts. linux-libre-lts's both i686 configuration and x86_64 configuration have 'CONFIG_SECURITY_YAMA=y' and Yama doesn't seem specific userspace tools. Instead it adds system calls to enable processes to better protect themselves.

[60] The Parabola kernel has AppArmor, and the AppArmor package (and various other packages) ship profiles in /etc/apparmor.d. There is also some documentation in the AppArmor Arch Linux wiki page.

[61] ux-libre, linux-libre-lts and linux-libre-vanilla have the following configuration for i686 and x86_64: 'CONFIG_SECURITY_LOCKDOWN_LSM=y', '# CONFIG_SECURITY_LOCKDOWN_LSM_EARLY is not set' and 'CONFIG_LSM="landlock,lockdown,yama,integrity,bpf'. So on x86, lockdown is enabled by default if UEFI secure boot is on. However Parabola doesn't support UEFI Secure boot so we can assume it's disabled by default. Lockdown is not available on armv7h as all armv7h/aarch64 kernel have 'CONFIG_SECURITY_LOCKDOWN_LSM is not set'. There is documentation on how to enable lockdown manually in the Security#Kernel_lockdown_mode ArchLinux wiki page.

[62] Parabola has some SELinux related packages in the pcr repository, but they were only added to enable the development of SELinux policies for other distributions (Replicant). At the time of writing Parabola still doesn't have proper SELinux integration.

[63] At least one kernel package has 'CONFIG_SECURITY_SMACK=y' but only for armv7h (armv7h configuration for linux-libre-vanilla). Both i696 and x86_64 linux-libre-vanilla kernels have '# CONFIG_DEFAULT_SECURITY_SMACK is not set' (x86_64 configuration for linux-libre-vanilla and i686 configuration for linux-libre-vanilla). There is also no packages for smack userspace utilities.

[64] There is a tomoyo-tools package and at least one kernel package has 'CONFIG_SECURITY_TOMOYO=y' (x86_64 configuration for linux-libre-vanilla and i686 configuration for linux-libre-vanilla), Some armv7h kernel configuration have '# CONFIG_SECURITY_TOMOYO is not set' though like armv7h configuration for linux-libre-vanilla).

[65] At least one kernel package has 'CONFIG_SECURITY_YAMA=y' for both x86_64 and i686 (x86_64 configuration for linux-libre-vanilla and i686 configuration for linux-libre-vanilla), Some armv7h kernel configuration have '# CONFIG_SECURITY_YAMA is not set' though like armv7h configuration for linux-libre-vanilla). Note that Yama doesn't seem specific userspace tools. Instead it adds system calls to enable processes to better protect themselves.

[66] Installed from the iso installer, checked with sudo aa-status.

[67] ux-image-amd64 has the following configuration for i686 and x86_64: 'CONFIG_SECURITY_LOCKDOWN_LSM=y', 'CONFIG_SECURITY_LOCKDOWN_LSM_EARLY=y', 'CONFIG_LSM="lockdown,yama,loadpin,safesetid,integrity,apparmor,selinux,smack,tomoyo"'. So on x86, lockdown is enabled by default if UEFI secure boot is on. Since PureOS supports UEFI Secure boot, it can be enabled if UEFI secure boot is enabled, but it can't be deactivated easily if UEFI secure boot can't be deactivated (it may be possible by passing kernel argument through grub).

[68] On x86_64 there no package for the userspace utilities and at least the linux-libre-amd64 has '# CONFIG_SECURITY_SMACK is not set'.

[69] On x86_64 there is a tomoyo-tools package and at least the linux-libre-amd64 has 'CONFIG_SECURITY_TOMOYO=y'.

[70] On x86_64 there at least the linux-libre-amd64 has 'CONFIG_SECURITY_YAMA=y' and Yama doesn't seem specific userspace tools. Instead it adds system calls to enable processes to better protect themselves.

[71] y running 'grep LOCKDOWN */arch/arm/configs/lineageos_*' in kernel/samsung in the Replicant 6.0 source code.

[72] There is no information on how to disable it so it's unknown if we just needs to edit some init files, or if we need to patch some files and recompile Replicant, etc. If you recompile Replicant 6.0, you will also have to generate scripts to migrate the data to your new signing key.

[73] y running 'grep SMACK */arch/arm/configs/lineageos_*' in kernel/samsung in the Replicant 6.0 source code.

[74] y running 'grep TOMOYO */arch/arm/configs/lineageos_*' in kernel/samsung in the Replicant 6.0 source code.

[75] y running 'grep YAMA */arch/arm/configs/lineageos_*' in kernel/samsung in the Replicant 6.0 source code.

[76] After running 'make ARCH=arm replicant_defconfig' in the kernel source, it creates a .config with 'CONFIG_LSM="lockdown,yama,loadpin,safesetid,integrity,selinux,smack,tomoyo,apparmor,bpf"' and '# CONFIG_SECURITY_LOCKDOWN_LSM is not set', so lockdown is disabled.

[77] After running 'make ARCH=arm replicant_defconfig' in the kernel source, it creates a .config with 'CONFIG_LSM="lockdown,yama,loadpin,safesetid,integrity,selinux,smack,tomoyo,apparmor,bpf"' and '# CONFIG_SECURITY_SMACK is not set', so yama is disabled.

[78] After running 'make ARCH=arm replicant_defconfig' in the kernel source, it creates a .config with 'CONFIG_LSM="lockdown,yama,loadpin,safesetid,integrity,selinux,smack,tomoyo,apparmor,bpf"' and '# CONFIG_SECURITY_TOMOYO is not set', so tomoyo is disabled.

[79] After running 'make ARCH=arm replicant_defconfig' in the kernel source, it creates a .config with 'CONFIG_LSM="lockdown,yama,loadpin,safesetid,integrity,selinux,smack,tomoyo,apparmor,bpf"' and '# CONFIG_SECURITY_YAMA is not set', so yama is disabled.

[80] On Ubuntu AppArmor is enabled by default, and Trisquel is based on Ubuntu.

[81] ux-image-6.17.0-23-generic has the following on x86_64: 'CONFIG_SECURITY_LOCKDOWN_LSM=y', 'CONFIG_SECURITY_LOCKDOWN_LSM_EARLY=y' and 'CONFIG_LSM="lockdown,yama,integrity,apparmor'. So at least on x86_64 lockdown is enabled by default if UEFI secure boot is on. However Trisquel 10 doesn't support UEFI Secure boot so we can assume it's disabled by default. Trisquel 10 also doesn't support i686 but it supports aarch64 and someone needs to check the status on aarch64. There is documentation on how to enable lockdown manually in the Security#Kernel_lockdown_mode ArchLinux wiki page.

[82] On x86_64 at least the linux-generic has 'CONFIG_SECURITY_SMACK=y' but there is no package for smack userspace utilities.

[83] On x86_64 there is a tomoyo-tools package and at least the linux-generic has 'CONFIG_SECURITY_TOMOYO=y'.

[84] On x86_64 at least the linux-generic has 'CONFIG_SECURITY_YAMA=y' and Yama doesn't seem specific userspace tools. Instead it adds system calls to enable processes to better protect themselves.

[1]

[2]

[3]

[4]

[5]

[6]

[7]

[8]

[9]

[10]

[11]

[12]

[13]

[14]

[15]

[16]

[17]

[18]

[19]

[20]

[21]

[22]

[23]

[24]

[25]

[26]

[27]

[28]

[29]

[30]

[31]

[32]

[33]

[34]

[35]

[36]

[37]

[38]

[39]

[40]

[41]

[42]

[43]

[44]

[45]

[46]

[47]

[48]

[49]

[50]

[51]

[52]

[53]

[54]

[55]

[56]

[57]

[58]

[59]

[60]

[61]

[62]

[63]

[64]

[65]

[66]

[67]

[68]

[69]

[70]

[71]

[72]

[73]

[74]

[75]

[76]

[77]

[78]

[79]

[80]

[81]

[82]

[83]

[84]

Navigation menu