Group: Software/FSDG distributions/Security

From LibrePlanet
(Releases and signatures: Add workarounds for the lack of signatures)
(Add workarounds for checksum-only or no-working-checksums releases)
Line 1: Line 1:
== Introduction ==
 
 
This page tracks the progress of FSDG distributions with regard to reproducible builds, bootstrapable builds and other similar security features.
 
 
 
== Releases and signatures ==
 
== Releases and signatures ==
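Review bot: if this hunk removes the introduction (the header jumps from old line 13 to new line 9, and the "This page tracks the progress of FSDG distributions..." sentence appears only on the old side), neither edit summary mentions it; either say so in the summary or keep a one-line introduction so readers still learn what the page tracks (reproducible builds, bootstrappable builds and similar security features).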
  
Line 13: Line 9:
 
| {{no|Checksums only}}<ref>https://mirror.fsf.org/dragora/v3/iso/beta1/</ref>
 
| {{no|Checksums only}}<ref>https://mirror.fsf.org/dragora/v3/iso/beta1/</ref>
 
|  
 
|  
 +
* There are [https://git.savannah.nongnu.org/cgit/dragora.git/tree/BOOTSTRAPPING.md instructions to build the release yourself] but there is no instructions to verify the source code.
 +
* As a workaround it might be possible to download the checksums through various ways (using multiple Tor routes, local connection), and compare them. Also make sure to download the checksums from the official website or a trusted mirror.
 
|-
 
|-
 
! Dynebolic 3.0-beta
 
! Dynebolic 3.0-beta
 
| {{no|Broken: signed broken checksums (md5)}}<ref>https://files.dyne.org/dynebolic/</ref>
 
| {{no|Broken: signed broken checksums (md5)}}<ref>https://files.dyne.org/dynebolic/</ref>
|
+
| You could still download the images multiple time and compare them with cmp. Though it's far from ideal.
 
|-
 
|-
 
! Guix 1.4.0
 
! Guix 1.4.0
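Review bot: the two added Dragora bullets should state what the workaround does and does not protect against. Comparing checksum files fetched "using multiple Tor routes, local connection" only catches a tampered or corrupted download on one of those paths; if the official website itself serves a modified checksum file next to a modified image, every path will agree. Also "there is no instructions" should read "there are no instructions". In the Dynebolic cell, "multiple time" should be "multiple times", and since that row already says the md5 checksums are signed, the workaround should first tell the reader to verify that signature: a signed md5 file still binds the image to the project's key, which is more than comparing two downloads with cmp gives.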
Line 44: Line 42:
 
! PureOS 10 (byzantium)
 
! PureOS 10 (byzantium)
 
| {{no|Checksums only}}.<ref>https://downloads.puri.sm/byzantium/gnome/2022-06-02/</ref>
 
| {{no|Checksums only}}.<ref>https://downloads.puri.sm/byzantium/gnome/2022-06-02/</ref>
| Workaround: Install PureOS from Parabola with debootstrap and pureos-archive-keyring
+
|  
 +
* Workaround: Install PureOS from Parabola with debootstrap and pureos-archive-keyring
 +
* As a workaround it might also be possible to download the checksums through various ways (using multiple Tor routes, local connection), and compare them. Also make sure to download the checksums from the official website or a trusted mirror.
 
|-
 
|-
 
! Replicant 6.0 0004
 
! Replicant 6.0 0004
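Review bot: the debootstrap bullet should say where the trust comes from: the point of installing from Parabola is that pureos-archive-keyring arrives as a package signed by Parabola's keys, so the PureOS archive can then be verified; without that sentence the bullet reads as a convenience rather than a security workaround. The second bullet is copied verbatim from the Dragora row; if the same "fetch checksums over several paths and compare" advice applies to every checksum-only release, consider one shared note above the table instead of repeating it per row.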
Line 56: Line 56:
 
! Ututo S
 
! Ututo S
 
| {{no|No: broken checksums (md5) only}}<ref>http://www.ututo.org/downloads/</ref>
 
| {{no|No: broken checksums (md5) only}}<ref>http://www.ututo.org/downloads/</ref>
|
+
| You could still download the images multiple time and compare them with cmp. Though it's far from ideal.
|}
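Review bot: "multiple time" should be "multiple times", and this cell is a verbatim copy of the Dynebolic one although the status differs: Dynebolic has signed (md5) checksums, Ututo S has "broken checksums (md5) only" with no signature at all. For Ututo S the cmp comparison therefore only guards against a corrupted or individually tampered download, not against an image replaced on the server, and the workaround text should say so rather than reuse the Dynebolic wording.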
 
 
 
== Development source code and signatures ==
 
 
 
{| class="wikitable"  border="1"
 
! Distribution
 
! Signed development source code
 
|-
 
! Dragora
 
| ?
 
|-
 
! Dynebolic
 
| ?
 
|-
 
! Guix
 
| {{yes|Yes, signed commits, authentication tool and instructions}}<ref>https://guix.gnu.org/en/manual/devel/en/guix.html#Building-from-Git</ref>
 
|-
 
! Hyperbola
 
| ?
 
|-
 
! LibreCMC
 
| ?
 
|-
 
! Parabola
 
| {{no|No policies requiring to sign commits}}
 
|-
 
! ProteanOS
 
| {{yes|Yes: signed commit and verification instructions.}}<ref>http://proteanos.com/doc/install/prokit/</ref>
 
|-
 
! PureOS
 
| ?
 
|-
 
! Replicant
 
| {{no|No policies requiring to sign commits}}
 
|-
 
! Trisquel
 
| ?
 
|-
 
! Ututo S
 
| ?
 
|}
 
 
 
== Reproducible builds and bootstrappable builds ==
 
=== Self hosted distributions ===
 
 
 
{| class="wikitable"  border="1"
 
! Distribution
 
! Reproducible builds officially supported<ref name="supported-definition">If reproducible builds are officially supported, we should be able to open bugs about non-reproducible packages and/or send patches to fix them. If they are not supported, we could try to send patches to enable reproducible builds and/or help the distribution support them instead.</ref>
 
! Comments
 
|-
 
! Dragora
 
| ?
 
|
 
* Not mentioned in the list of projects supporting reproducible builds<ref name="reproducible-projects-list">The official list of projects supporting reproducible builds is at https://reproducible-builds.org/projects/ . Note that not all of these projects are FSDG compliant and that some might even contain nonfree software or have other serious issues.</ref>.
 
|-
 
! Dynebolic
 
| ?
 
|
 
* Not mentioned in the list of projects supporting reproducible builds<ref name="reproducible-projects-list"/>.
 
|-
 
! Guix
 
| {{yes}}
 
|
 
* Encourages users to run the guix challenge command to check that builds are reproducible, and builds are meant to be reproducible for every user (independently of the specific CPU, username, etc.)
 
* Goes beyond reproducible builds and has efforts to make Guix bootstrappable
 
* Mentioned in the list of projects supporting reproducible builds<ref name="reproducible-projects-list"/>.
 
|-
 
! Hyperbola
 
| ?
 
|
 
* Not mentioned in the list of projects supporting reproducible builds<ref name="reproducible-projects-list"/>, but Arch Linux is mentioned there, so it may be easier to add reproducible builds to Hyperbola.
 
|-
 
! Parabola
 
| ?
 
|
 
* Not mentioned in the list of projects supporting reproducible builds<ref name="reproducible-projects-list"/>, but Arch Linux is mentioned there, and for x86_64 some of the stock Arch Linux packages are reused, so at least part of Parabola is reproducible.
 
* It has a wiki page with a plan to add reproducible builds<ref>https://wiki.parabola.nu/Reproducible_Builds</ref>, but it needs people to research how to add reproducible builds and to implement it.
 
* Arch Linux status: https://tests.reproducible-builds.org/archlinux/archlinux.html
 
|-
 
! PureOS
 
| ?
 
|
 
* Not mentioned in the list of projects supporting reproducible builds<ref name="reproducible-projects-list"/>, but Debian is mentioned there, so it may be easier to add reproducible builds to PureOS.
 
|-
 
! Trisquel
 
| ?
 
|
 
* Not mentioned in the list of projects supporting reproducible builds<ref name="reproducible-projects-list"/>, but Debian is mentioned there, so it may be easier to add reproducible builds to Trisquel.
 
|-
 
! Ututo S
 
| ?
 
|
 
* Not mentioned in the list of projects supporting reproducible builds<ref name="reproducible-projects-list"/>.
 
|-
 
|}
 
 
 
=== Small distributions ===
 
{| class="wikitable"  border="1"
 
! Distribution
 
! Reproducible builds officially supported<ref name="supported-definition" />
 
! Comments
 
|-
 
! LibreCMC
 
| ?
 
|
 
* Not mentioned in the list of projects supporting reproducible builds<ref name="reproducible-projects-list"/>, but OpenWrt is mentioned, so it might be easier to add reproducible builds to LibreCMC.
 
|-
 
! ProteanOS
 
| ?
 
|
 
* Not mentioned in the list of projects supporting reproducible builds<ref name="reproducible-projects-list"/>.
 
|-
 
! Replicant
 
| {{no|not yet}}
 
|
 
* Not using the Android prebuilt toolchain is the first priority; then we probably need to find out how to enable reproducible builds when building releases.
 
* Not mentioned in the list of projects supporting reproducible builds<ref name="reproducible-projects-list"/>.
 
|-
 
 
|}
 
|}

Revision as of 20:16, 22 February 2023

== Releases and signatures ==

{| class="wikitable" border="1"
! Distribution
! Signed installers
! Comments
|-
! Dragora 3.0-beta1
| Checksums only[1]
|
* There are instructions to build the release yourself, but there are no instructions to verify the source code.
* As a workaround it might be possible to download the checksums through several different paths (using multiple Tor routes, a local connection) and compare them. Also make sure to download the checksums from the official website or a trusted mirror.
|-
! Dynebolic 3.0-beta
| Broken: signed broken checksums (md5)[2]
| You could still download the images multiple times and compare them with cmp, though it's far from ideal.
|-
! Guix 1.4.0
| Yes, signed images[3]
|
|-
! Guix "latest"
| No[4]
| Workaround: Use Guix 1.4.0 and update it.
|-
! Hyperbola v0.4.2
| Yes, signed images[5]
|
|-
! LibreCMC
| Yes, signed checksums[6]
|
|-
! Parabola
| Yes[7]
|
|-
! ProteanOS
| Yes: signed ProteanOS Development Kit commits[8]
|
|-
! PureOS 10 (byzantium)
| Checksums only.[9]
|
* Workaround: Install PureOS from Parabola with debootstrap and pureos-archive-keyring
* As a workaround it might also be possible to download the checksums through several different paths (using multiple Tor routes, a local connection) and compare them. Also make sure to download the checksums from the official website or a trusted mirror.
|-
! Replicant 6.0 0004
| Yes, signed images[10]
|
|-
! Trisquel 10.0.1
| Yes, signed images[11]
|
|-
! Ututo S
| No: broken checksums (md5) only[12]
| You could still download the images multiple times and compare them with cmp, though it's far from ideal.
|}
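The two workarounds this table falls back on for checksum-only and no-usable-checksum releases (compare checksum files fetched over several independent paths, or byte-compare independently downloaded images with cmp) as an added POSIX shell example. It is not code from the LibrePlanet page or from any of the distributions listed; the function names are hypothetical, the checksum files are assumed to be in sha256sum format (both the "hash  name" and the binary-mode "hash *name" line forms are handled), and the downloads themselves (over different Tor routes, a local mirror) are assumed to have been done already and are not shown.

```sh
#!/bin/sh
# Added example for the checksum workaround in the table above; not code from
# the LibrePlanet page or from any listed distribution.  Assumptions: checksum
# files are in sha256sum format ("<hex>  <name>" or "<hex> *<name>"); sha256sum,
# awk and cmp are available; the checksum files were already fetched over
# independent paths.  Function names are hypothetical.
set -eu

# checksums_agree IMAGE_NAME CHECKSUMFILE CHECKSUMFILE [...]
# Prints the SHA-256 recorded for IMAGE_NAME when every checksum file lists the
# same value.  Fails when fewer than two files are given, when a file has no
# entry for the image, or when the files disagree (one download path returned
# something different from the others).
checksums_agree() {
    image=$1; shift
    [ "$#" -ge 2 ] || { echo "need at least two checksum files" >&2; return 1; }
    ref=""
    for f in "$@"; do
        # match either "hash  name" or the binary-mode "hash *name" form
        h=$(awk -v n="$image" '$2 == n || $2 == ("*" n) { print $1; exit }' "$f")
        if [ -z "$h" ]; then
            echo "$f: no entry for $image" >&2; return 1
        elif [ -z "$ref" ]; then
            ref=$h
        elif [ "$h" != "$ref" ]; then
            echo "$f: checksum differs from $ref" >&2; return 1
        fi
    done
    printf '%s\n' "$ref"
}

# verify_image IMAGE EXPECTED_SHA256
# Recomputes the hash of the local image and compares it with the agreed value.
verify_image() {
    actual=$(sha256sum "$1" | awk '{ print $1 }')
    [ "$actual" = "$2" ]
}

# images_identical FILE1 FILE2
# The cmp fallback from the table, for releases with no usable checksums:
# byte-compare two independently downloaded copies.  This only detects a
# corrupted or individually tampered download; two copies of an image that
# was replaced at the source still compare equal.
images_identical() {
    cmp -s "$1" "$2"
}

# Usage: sh verify-release.sh IMAGE CHECKSUMFILE1 CHECKSUMFILE2 [...]
if [ "$#" -ge 3 ]; then
    image=$1; shift
    expected=$(checksums_agree "$(basename "$image")" "$@")
    if verify_image "$image" "$expected"; then
        echo "OK: $image matches $expected"
    else
        echo "MISMATCH: $image does not match the agreed checksum" >&2
        exit 1
    fi
fi
```

Agreement across paths tells you the checksum file was not altered on one of those paths; it says nothing about a checksum file that was replaced on the origin server together with the image, which is why the table still rates these releases as "far from ideal" compared with signed images or signed checksums verified against a key obtained out of band.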