Group: Software/FSDG distributions/Security
From LibrePlanet
(→Releases and signatures: Add information on development source code signatures) |
(→Releases and signatures: Add workarounds for the lack of signatures) |
||
Line 8: | Line 8: | ||
! Distribution | ! Distribution | ||
! Signed installers | ! Signed installers | ||
+ | ! Comments | ||
|- | |- | ||
! Dragora 3.0-beta1 | ! Dragora 3.0-beta1 | ||
| {{no|Checksums only}}<ref>https://mirror.fsf.org/dragora/v3/iso/beta1/</ref> | | {{no|Checksums only}}<ref>https://mirror.fsf.org/dragora/v3/iso/beta1/</ref> | ||
+ | | | ||
|- | |- | ||
! Dynebolic 3.0-beta | ! Dynebolic 3.0-beta | ||
| {{no|Broken: signed broken checksums (md5)}}<ref>https://files.dyne.org/dynebolic/</ref> | | {{no|Broken: signed broken checksums (md5)}}<ref>https://files.dyne.org/dynebolic/</ref> | ||
+ | | | ||
|- | |- | ||
! Guix 1.4.0 | ! Guix 1.4.0 | ||
| {{yes|Yes, signed images}}<ref>https://guix.gnu.org/en/download/</ref> | | {{yes|Yes, signed images}}<ref>https://guix.gnu.org/en/download/</ref> | ||
+ | | | ||
|- | |- | ||
! Guix "latest" | ! Guix "latest" | ||
| {{no}}<ref>https://guix.gnu.org/en/download/latest/</ref> | | {{no}}<ref>https://guix.gnu.org/en/download/latest/</ref> | ||
+ | | Workaround: Use Guix 1.4.0 and update it. | ||
|- | |- | ||
! Hyperbola v0.4.2 | ! Hyperbola v0.4.2 | ||
| {{yes|Yes, signed images}}<ref>https://wiki.hyperbola.info/doku.php?id=en:manual:verify_live_images</ref> | | {{yes|Yes, signed images}}<ref>https://wiki.hyperbola.info/doku.php?id=en:manual:verify_live_images</ref> | ||
+ | | | ||
|- | |- | ||
! LibreCMC | ! LibreCMC | ||
| {{yes|Yes, signed checksums}}<ref>signed checksums: https://librecmc.org/librecmc/downloads/snapshots/v1.5.12/targets/ath79/generic/</ref> | | {{yes|Yes, signed checksums}}<ref>signed checksums: https://librecmc.org/librecmc/downloads/snapshots/v1.5.12/targets/ath79/generic/</ref> | ||
+ | | | ||
|- | |- | ||
! Parabola | ! Parabola | ||
| {{yes}}<ref>https://wiki.parabola.nu/Get_Parabola</ref> | | {{yes}}<ref>https://wiki.parabola.nu/Get_Parabola</ref> | ||
+ | | | ||
|- | |- | ||
! ProteanOS | ! ProteanOS | ||
| {{yes|Yes: signed ProteanOS Development Kit commits}}<ref>http://proteanos.com/doc/install/prokit/</ref> | | {{yes|Yes: signed ProteanOS Development Kit commits}}<ref>http://proteanos.com/doc/install/prokit/</ref> | ||
+ | | | ||
|- | |- | ||
! PureOS 10 (byzantium) | ! PureOS 10 (byzantium) | ||
| {{no|Checksums only}}.<ref>https://downloads.puri.sm/byzantium/gnome/2022-06-02/</ref> | | {{no|Checksums only}}.<ref>https://downloads.puri.sm/byzantium/gnome/2022-06-02/</ref> | ||
+ | | Workaround: Install PureOS from Parabola with debootstrap and pureos-archive-keyring | ||
|- | |- | ||
! Replicant 6.0 0004 | ! Replicant 6.0 0004 | ||
| {{yes|Yes, signed images}}<ref>https://ftp.osuosl.org/pub/replicant/images/replicant-6.0/0004/images/</ref> | | {{yes|Yes, signed images}}<ref>https://ftp.osuosl.org/pub/replicant/images/replicant-6.0/0004/images/</ref> | ||
+ | | | ||
|- | |- | ||
! Trisquel 10.0.1 | ! Trisquel 10.0.1 | ||
| {{yes|Yes, signed images}}<ref>https://cdimage.trisquel.info/trisquel-images/</ref> | | {{yes|Yes, signed images}}<ref>https://cdimage.trisquel.info/trisquel-images/</ref> | ||
+ | | | ||
|- | |- | ||
! Ututo S | ! Ututo S | ||
| {{no|No: broken checksums (md5) only}}<ref>http://www.ututo.org/downloads/</ref> | | {{no|No: broken checksums (md5) only}}<ref>http://www.ututo.org/downloads/</ref> | ||
+ | | | ||
|} | |} | ||
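Review bot: the new Comments column is filled in only for the Guix "latest" and PureOS 10 rows, while the other rows marked {{no}} (Dragora 3.0-beta1, Dynebolic 3.0-beta, Ututo S) get an empty cell, so a reader cannot tell whether no workaround exists or none has been looked into. Suggest saying so explicitly in those cells. The PureOS workaround text also has no <ref>, unlike every entry in the Signed installers column. A link to instructions for the debootstrap and pureos-archive-keyring procedure would let readers check how the keyring itself is obtained and verified.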
Revision as of 19:38, 22 February 2023
Introduction
This page tracks the progress of FSDG distributions with regard to reproducible builds, bootstrappable builds and other similar security features.
Releases and signatures
Distribution | Signed installers | Comments |
---|---|---|
Dragora 3.0-beta1 | Checksums only[1] | |
Dynebolic 3.0-beta | Broken: signed broken checksums (md5)[2] | |
Guix 1.4.0 | Yes, signed images[3] | |
Guix "latest" | No[4] | Workaround: Use Guix 1.4.0 and update it. |
Hyperbola v0.4.2 | Yes, signed images[5] | |
LibreCMC | Yes, signed checksums[6] | |
Parabola | Yes[7] | |
ProteanOS | Yes: signed ProteanOS Development Kit commits[8] | |
PureOS 10 (byzantium) | Checksums only.[9] | Workaround: Install PureOS from Parabola with debootstrap and pureos-archive-keyring |
Replicant 6.0 0004 | Yes, signed images[10] | |
Trisquel 10.0.1 | Yes, signed images[11] | |
Ututo S | No: broken checksums (md5) only[12] | |
Development source code and signatures
Distribution | Signed development source code |
---|---|
Dragora | ? |
Dynebolic | ? |
Guix | Yes, signed commits, authentication tool and instructions[13] |
Hyperbola | ? |
LibreCMC | ? |
Parabola | No policy requiring signed commits |
ProteanOS | Yes: signed commit and verification instructions.[14] |
PureOS | ? |
Replicant | No policy requiring signed commits |
Trisquel | ? |
Ututo S | ? |
Reproducible builds and bootstrappable builds
Self hosted distributions
Distribution | Reproducible builds officially supported[15] | Comments |
---|---|---|
Dragora | ? | |
Dynebolic | ? | |
Guix | Yes | |
Hyperbola | ? | |
Parabola | ? | |
PureOS | ? | |
Trisquel | ? | |
Ututo S | ? | |
Small distributions
Distribution | Reproducible builds officially supported[15] | Comments |
---|---|---|
LibreCMC | ? | |
ProteanOS | ? | |
Replicant | not yet | |
- ↑ https://mirror.fsf.org/dragora/v3/iso/beta1/
- ↑ https://files.dyne.org/dynebolic/
- ↑ https://guix.gnu.org/en/download/
- ↑ https://guix.gnu.org/en/download/latest/
- ↑ https://wiki.hyperbola.info/doku.php?id=en:manual:verify_live_images
- ↑ signed checksums: https://librecmc.org/librecmc/downloads/snapshots/v1.5.12/targets/ath79/generic/
- ↑ https://wiki.parabola.nu/Get_Parabola
- ↑ http://proteanos.com/doc/install/prokit/
- ↑ https://downloads.puri.sm/byzantium/gnome/2022-06-02/
- ↑ https://ftp.osuosl.org/pub/replicant/images/replicant-6.0/0004/images/
- ↑ https://cdimage.trisquel.info/trisquel-images/
- ↑ http://www.ututo.org/downloads/
- ↑ https://guix.gnu.org/en/manual/devel/en/guix.html#Building-from-Git
- ↑ http://proteanos.com/doc/install/prokit/
- ↑ If reproducible builds are officially supported, we should be able to open bugs about non-reproducible packages and/or send patches to fix them. If they are not supported, we could try to send patches to enable reproducible builds and/or help the distribution support them instead.
- ↑ The official list of projects supporting reproducible builds is at https://reproducible-builds.org/projects/ . Note that not all of these projects are FSDG compliant and that some might even contain nonfree software and other really problematic issues.
- ↑ https://wiki.parabola.nu/Reproducible_Builds