Group: Software/FSDG distributions/Security
From LibrePlanet
(→Security updates and packages: add links to security related bug reports) |
(→Security updates and packages: Add parabola security bugs.) |
||
Line 209: | Line 209: | ||
* Some outdated packages, Needs help to update them | * Some outdated packages, Needs help to update them | ||
| | | | ||
+ | * [https://labs.parabola.nu/projects/packages/issues?v[tracker_id][]=12 packages] | ||
+ | * [https://labs.parabola.nu/projects/documentation/issues?v[tracker_id][]=12 docmentation] | ||
| | | | ||
|- | |- |
Revision as of 10:49, 14 August 2024
Contents
Introduction
This page tracks the progress of FSDG distributions with regard to reproducible builds, bootstrapable builds and other similar security features.
Distributing software
Releases and signatures
Distribution | Signed installers | Comments |
---|---|---|
Dragora 3.0-beta2 | Yes, signed images[1]. | |
Dynebolic 3.0-beta | Broken: signed broken checksums (md5)[2] | You could still download the images multiple time and compare them with cmp. Though it's far from ideal. |
Dynebolic 4.0.0-beta | Yes, signed images[3], but can't find the signing public key. | |
Guix 1.4.0 | Yes, signed images[4] | |
Guix "latest" | No[5] | Workaround: Use Guix 1.4.0 and update it. |
Hyperbola v0.4.2 | Yes, signed images[6] | |
LibreCMC | Yes, signed checksums[7] | |
Parabola | Yes[8] | |
ProteanOS | Yes: signed ProteanOS Development Kit commits[9] | |
PureOS 10 (byzantium) | Checksums only.[10] |
|
Replicant 6.0 0004 | Yes, signed images[11] | |
Trisquel 10.0.1 | Yes, signed images[12] | |
Ututo S | No: broken checksums (md5) only[13] | You could still download the images multiple time and compare them with cmp. Though it's far from ideal. |
Development source code and signatures
Distribution | Signed development source code |
---|---|
Dragora | No policies requiring to sign commits [14]. |
Dynebolic | ? |
Guix | Yes, signed commits, authentication tool and instructions[15] |
Hyperbola | ? |
LibreCMC | ? |
Parabola | No policies requiring to sign commits |
ProteanOS | Yes: signed commit and verification instructions.[16] |
PureOS | ? |
Replicant | No policies requiring to sign commits[14][17]. |
Trisquel | ? |
Ututo S | ? |
Security updates and packages
Distribution | Security updates available | Automatic security updates | Tools to check for CVEs | Signed packages | Protection against mirrors with outdated packages | Known security issues | Security related bug reports | Comments |
---|---|---|---|---|---|---|---|---|
Dragora 3.0-beta1 | ||||||||
Dynebolic 3.0-beta | No[18] | No[19] |
|
|||||
Guix 1.4.0 | No[20] | No[21] | yes: guix lint | Yes | Yes:
|
|
Guix 1.4.0 can easily be updated to Guix "latest". | |
Guix "latest" | Yes | can be enabled[23] | yes: guix lint | Yes | Yes:
|
link | ||
Hyperbola v0.4.2 | Yes[25] | No: | ||||||
LibreCMC | ||||||||
Parabola | Yes | No[29] | ? | Yes[30] | partial: |
|
|
|
ProteanOS | ||||||||
PureOS 10 (byzantium) | Yes | can be enabled[33] | Yes | |||||
Replicant 6.0 0004 | Very few security updates[34] | No[35] | No | N/A (no packages) | N/A (no packages) |
|
||
Trisquel 10.0.1 | Yes | can be enabled[36] | Yes | |||||
Ututo S |
Repdoducible builds and bootstrapable builds
Distribution | Reproducible builds officially supported[37] | Comments |
---|---|---|
Dragora | No |
|
Dynebolic | No |
|
Guix | Yes |
|
Hyperbola | No |
|
LibreCMC | No |
|
Parabola | partial (Arch packages only) |
|
ProteanOS | No |
|
PureOS | No |
|
Replicant | No |
|
Trisquel | Yes |
|
Ututo S | No |
|
Security features
Access control
Distribution | Apparmor | Lockdown | SELinux | Smack | Tomoyo | Yama |
---|---|---|---|---|---|---|
Dragora | No[41] | ? | No[42] | No[43] | No[44] | No[45] |
Dynebolic | ? | ? | ? | ? | ? | ? |
Guix | No[46] | No[47] | No[48] | No[49] | No[50] | Yes[51] |
Hyperbola | No[52] | No[53] | No[54] | No[55] | No[56] | Yes[57] |
LibreCMC | ? | ? | ? | ? | ? | ? |
Parabola | Can be enabled[58] | Can be enabled on x86[59] | No[60] | No[61] | Can be enabled for x86_64 and i686[62] | Yes[63] |
ProteanOS | ? | ? | ? | ? | ? | ? |
PureOS 10 (byzantium) | Enabled by default, easy to disable[64] | Can be enabled on x86_64[65] | Can be enabled | No[66] | Can be enabled[67] | Yes[68] |
Replicant 6.0 | No | No[69] | Yes, difficult to disable[70] | No[71] | No[72] | No[73] |
Replicant 11 | No | No[74] | No | No[75] | No[76] | No[77] |
Trisquel 10 (nabia) | Enabled by default, easy to disable[78] | Can be enabled at least on x86[79] | Can be enabled | No[80] | Can be enabled[81] | Yes[82] |
Ututo S | ? | ? | ? | ? | ? | ? |
- ↑ Signing key: https://keyserver.ubuntu.com/pks/lookup?op=get&search=0x35bdb9d46b56b5facb647c9b3aaf1cec203a99d5
- ↑ https://files.dyne.org/dynebolic/
- ↑ https://files.dyne.org/dynebolic/
- ↑ https://guix.gnu.org/en/download/
- ↑ https://guix.gnu.org/en/download/latest/
- ↑ https://wiki.hyperbola.info/doku.php?id=en:manual:verify_live_images
- ↑ signed checksums: https://librecmc.org/librecmc/downloads/snapshots/v1.5.12/targets/ath79/generic/
- ↑ https://wiki.parabola.nu/Get_Parabola
- ↑ http://proteanos.com/doc/install/prokit/
- ↑ https://downloads.puri.sm/byzantium/gnome/2023-06-14/ . There is also a bugreport about it.
- ↑ https://ftp.osuosl.org/pub/replicant/images/replicant-6.0/0004/images/
- ↑ https://cdimage.trisquel.info/trisquel-images/
- ↑ http://www.ututo.org/downloads/
- ↑ 14.014.1 Most commits are signed by the maintainer but other commits are not signed and there are no documented policies requiring to sign commits.
- ↑ https://guix.gnu.org/en/manual/devel/en/guix.html#Building-from-Git
- ↑ http://proteanos.com/doc/install/prokit/
- ↑ Replicant also consist of many repositories, and even if all commits were or are signed, it would be complicated to verify each repository without any tools for that. While in theory Replicant has a manifest file with repositories and commits/branches to use, it doesn't always use fixe revisions as this makes rebasing the changes easier. In addition there are Apache rewrite rules in place to redirect repositories when they were renamed between Android versions, so that also complicates things.
- ↑ From free-distros.html" "This is a “static” distro, normally run from a live CD. Since it will not receive security updates, it should be used offline."
- ↑ From free-distros.html" "This is a “static” distro, normally run from a live CD. Since it will not receive security updates, it should be used offline."
- ↑ There is no backport of the security fixes to stable releases. Instead users are encouraged to run guix pull to get the latest Guix version along with security fixes.
- ↑ There is no backport of the security fixes to stable releases. Instead users are encouraged to run guix pull to get the latest Guix version along with security fixes.
- ↑ The Guix channel is https://git.savannah.gnu.org/git/guix.git and channels signatures are enforced. If builders don't have a given package, the computer running guix will try to compile that package instead.
- ↑ The Guix manual explains how to enable unattended upgrades
- ↑ The Guix channel is https://git.savannah.gnu.org/git/guix.git and channels signatures are enforced. If builders don't have a given package, the computer running guix will try to compile that package instead.
-
↑ /etc/pacman.conf has the following:
SigLevel = Required DatabaseOptional
LocalFileSigLevel = Optional
- ↑ reference: https://repo.hyperbola.info:50000/other/mirrorlist/mirrorlist.txt
- ↑ Reference: the default /etc/pacman.d/mirrorlist
- ↑ Reference: /etc/pacman.conf has "SigLevel = [...] DatabaseOptional"
- ↑ Any kind of automatic updates are very very strongly discouraged. Even completely unofficial software to do that warn users very strongly and put a lot of mechanisms in place to make sure that users will be aware that this will break their system at some point.
-
↑ /etc/pacman.conf has the following by default:
SigLevel = Required DatabaseOptional
LocalFileSigLevel = Optional
- ↑ According to the default /etc/pacman.d/mirrorlist, it only uses "https://redirector.parabola.nu/$repo/os/$arch".
- ↑ However even if the redirector uses https, the package database signatures are not enforced since Parabola has "SigLevel = [...] DatabaseOptional" in /etc/pacman.conf by default.
- ↑ This can be done by installing and configuring the unattended-upgrades package
- ↑ In the latest Replicant 6.0 releases, only serious privacy issues were fixed. Since it's based on unmaintained Android versions its contributors cannot fix security updates without porting Replicant to newer Android versions.
- ↑ Users are expected to manually install new releases.
- ↑ This can be done by installing and configuring the unattended-upgrades package
- ↑ If reproducible builds officially supported, the distribution should be listed on https://reproducible-builds.org, users should be able to open bugs about non reproducible packages and/or send patches to fix them. If it is not supported we could try to send patches to enable reproducible builds and/or help the distribution supporting it instead.
- ↑ 38.0038.0138.0238.0338.0438.0538.0638.0738.0838.0938.10 The official lists of projects supporting reproducible is at https://reproducible-builds.org/who/projects/ . Note that not all theses projects are FSDG compliant and that some might even contain nonfree software and other really problematic issues.
- ↑ Guix can now bootstrap its C toolchain (see The Full-Source Bootstrap: Building from source all the way down for more details), but some languages are not bootstraped yet (vala, Haskell, etc). See Group:Software/research/ProgrammingLanguages#Guix_status for more details.
- ↑ https://wiki.parabola.nu/Reproducible_Builds
- ↑ Dragora currently has 'CONFIG_SECURITY_APPARMOR is not set' inside config-amd64_generic
- ↑ Dragora currently has 'CONFIG_SECURITY_SELINUX is not set' inside config-amd64_generic
- ↑ Dragora currently has 'CONFIG_SECURITY_SMACK is not set' inside config-amd64_generic
- ↑ Dragora currently has 'CONFIG_SECURITY_TOMOYO is not set' inside config-amd64_generic
- ↑ Dragora currently has 'CONFIG_SECURITY_YAMA is not set' inside config-amd64_generic
- ↑ Guix has the AppArmor related packages with some basic AppArmor profiles inside, and its kernel also has AppArmor available. However at the time of writing the Guix manual has no information at all about AppArmor, and there is no service definition for it. In addition, AppArmor would probably need a way to find its profiles installed by other packages than AppArmor. And finally, some packages like hplip don't install yet AppArmor profiles.
- ↑ git grep -i lockdown in guix source code shows 'CONFIG_SECURITY_LOCKDOWN_LSM is not set'
- ↑ While there are SELinux policies for Guix, they are meant to use with a host distribution that supports SELinux. In addition there are many limitations that prevent this policy to make it practical or secure to use Guix. See the SELinux Support part in the Guix manual for more details.
- ↑ On x86_64 the kernel has 'CONFIG_SECURITY_SMACK=y' but there is no package for the smack userspace utilities.
- ↑ No tomoyo package
- ↑ On x86_64 the kernel has 'CONFIG_SECURITY_YAMA=y' and Yama doesn't seem specific userspace tools. Instead it adds system calls to enable processes to better protect themselves.
- ↑ Hyperbola has no apparmor package: https://www.hyperbola.info/packages/?q=apparmor
- ↑ It seems that Hyperbola only has 1 kernel package: linux-libre-lts. linux-libre-lts's both i686 configuration and x86_64 configuration have '# CONFIG_SECURITY_LOCKDOWN_LSM is not set'.
- ↑ It seems that Hyperbola only has 1 kernel package: linux-libre-lts. linux-libre-lts's both i686 configuration and x86_64 configuration have 'CONFIG_LSM="lockdown,yama,loadpin,safesetid,integrity"' and no CONFIG_SECURITY_SELINUX.
- ↑ It seems that Hyperbola only has 1 kernel package: linux-libre-lts. linux-libre-lts's both i686 configuration and x86_64 configuration have '# CONFIG_SECURITY_SMACK is not set'. In addition there is no package for the smack userspace utilities.
- ↑ It seems that Hyperbola only has 1 kernel package: linux-libre-lts. linux-libre-lts's both i686 configuration and x86_64 configuration have '# CONFIG_SECURITY_TOMOYO is not set'.
- ↑ It seems that Hyperbola only has 1 kernel package: linux-libre-lts. linux-libre-lts's both i686 configuration and x86_64 configuration have 'CONFIG_SECURITY_YAMA=y' and Yama doesn't seem specific userspace tools. Instead it adds system calls to enable processes to better protect themselves.
- ↑ The Parabola kernel has AppArmor, and the AppArmor package (and various other packages) ship profiles in /etc/apparmor.d. There is also some documentation in the AppArmor Arch Linux wiki page.
- ↑ linux-libre, linux-libre-lts and linux-libre-vanilla have the following configuration for i686 and x86_64: 'CONFIG_SECURITY_LOCKDOWN_LSM=y', '# CONFIG_SECURITY_LOCKDOWN_LSM_EARLY is not set' and 'CONFIG_LSM="landlock,lockdown,yama,integrity,bpf'. So on x86, lockdown is enabled by default if UEFI secure boot is on. However Parabola doesn't support UEFI Secure boot so we can assume it's disabled by default. Lockdown is not available on armv7h as all armv7h/aarch64 kernel have 'CONFIG_SECURITY_LOCKDOWN_LSM is not set'. There is documentation on how to enable lockdown manually in the Security#Kernel_lockdown_mode ArchLinux wiki page.
- ↑ Parabola has some SELinux related packages in the pcr repository, but they were only added to enable the development of SELinux policies for other distributions (Replicant). At the time of writing Parabola still doesn't have proper SELinux integration.
- ↑ At least one kernel package has 'CONFIG_SECURITY_SMACK=y' but only for armv7h (armv7h configuration for linux-libre-vanilla). Both i696 and x86_64 linux-libre-vanilla kernels have '# CONFIG_DEFAULT_SECURITY_SMACK is not set' (x86_64 configuration for linux-libre-vanilla and i686 configuration for linux-libre-vanilla). There is also no packages for smack userspace utilities.
- ↑ There is a tomoyo-tools package and at least one kernel package has 'CONFIG_SECURITY_TOMOYO=y' (x86_64 configuration for linux-libre-vanilla and i686 configuration for linux-libre-vanilla), Some armv7h kernel configuration have '# CONFIG_SECURITY_TOMOYO is not set' though like armv7h configuration for linux-libre-vanilla).
- ↑ At least one kernel package has 'CONFIG_SECURITY_YAMA=y' for both x86_64 and i686 (x86_64 configuration for linux-libre-vanilla and i686 configuration for linux-libre-vanilla), Some armv7h kernel configuration have '# CONFIG_SECURITY_YAMA is not set' though like armv7h configuration for linux-libre-vanilla). Note that Yama doesn't seem specific userspace tools. Instead it adds system calls to enable processes to better protect themselves.
- ↑ Installed from the iso installer, checked with sudo aa-status.
- ↑ linux-image-amd64 has the following configuration for i686 and x86_64: 'CONFIG_SECURITY_LOCKDOWN_LSM=y', 'CONFIG_SECURITY_LOCKDOWN_LSM_EARLY=y', 'CONFIG_LSM="lockdown,yama,loadpin,safesetid,integrity,apparmor,selinux,smack,tomoyo"'. So on x86, lockdown is enabled by default if UEFI secure boot is on. Since PureOS supports UEFI Secure boot, it can be enabled if UEFI secure boot is enabled, but it can't be deactivated easily if UEFI secure boot can't be deactivated (it may be possible by passing kernel argument through grub).
- ↑ On x86_64 there no package for the userspace utilities and at least the linux-libre-amd64 has '# CONFIG_SECURITY_SMACK is not set'.
- ↑ On x86_64 there is a tomoyo-tools package and at least the linux-libre-amd64 has 'CONFIG_SECURITY_TOMOYO=y'.
- ↑ On x86_64 there at least the linux-libre-amd64 has 'CONFIG_SECURITY_YAMA=y' and Yama doesn't seem specific userspace tools. Instead it adds system calls to enable processes to better protect themselves.
- ↑ checked by running 'grep LOCKDOWN */arch/arm/configs/lineageos_*' in kernel/samsung in the Replicant 6.0 source code.
- ↑ There is no information on how to disable it so it's unknown if we just needs to edit some init files, or if we need to patch some files and recompile Replicant, etc. If you recompile Replicant 6.0, you will also have to generate scripts to migrate the data to your new signing key.
- ↑ checked by running 'grep SMACK */arch/arm/configs/lineageos_*' in kernel/samsung in the Replicant 6.0 source code.
- ↑ checked by running 'grep TOMOYO */arch/arm/configs/lineageos_*' in kernel/samsung in the Replicant 6.0 source code.
- ↑ checked by running 'grep YAMA */arch/arm/configs/lineageos_*' in kernel/samsung in the Replicant 6.0 source code.
- ↑ After running 'make ARCH=arm replicant_defconfig' in the kernel source, it creates a .config with 'CONFIG_LSM="lockdown,yama,loadpin,safesetid,integrity,selinux,smack,tomoyo,apparmor,bpf"' and '# CONFIG_SECURITY_LOCKDOWN_LSM is not set', so lockdown is disabled.
- ↑ After running 'make ARCH=arm replicant_defconfig' in the kernel source, it creates a .config with 'CONFIG_LSM="lockdown,yama,loadpin,safesetid,integrity,selinux,smack,tomoyo,apparmor,bpf"' and '# CONFIG_SECURITY_SMACK is not set', so yama is disabled.
- ↑ After running 'make ARCH=arm replicant_defconfig' in the kernel source, it creates a .config with 'CONFIG_LSM="lockdown,yama,loadpin,safesetid,integrity,selinux,smack,tomoyo,apparmor,bpf"' and '# CONFIG_SECURITY_TOMOYO is not set', so tomoyo is disabled.
- ↑ After running 'make ARCH=arm replicant_defconfig' in the kernel source, it creates a .config with 'CONFIG_LSM="lockdown,yama,loadpin,safesetid,integrity,selinux,smack,tomoyo,apparmor,bpf"' and '# CONFIG_SECURITY_YAMA is not set', so yama is disabled.
- ↑ On Ubuntu AppArmor is enabled by default, and Trisquel is based on Ubuntu.
- ↑ linux-image-5.13.0-52-generic has the following on x86_64: 'CONFIG_SECURITY_LOCKDOWN_LSM=y', 'CONFIG_SECURITY_LOCKDOWN_LSM_EARLY=y' and 'CONFIG_LSM="lockdown,yama,integrity,apparmor'. So at least on x86_64 lockdown is enabled by default if UEFI secure boot is on. However Trisquel 10 doesn't support UEFI Secure boot so we can assume it's disabled by default. Trisquel 10 also doesn't support i686 but it supports aarch64 and someone needs to check the status on aarch64. There is documentation on how to enable lockdown manually in the Security#Kernel_lockdown_mode ArchLinux wiki page.
- ↑ On x86_64 at least the linux-generic has 'CONFIG_SECURITY_SMACK=y' but there is no package for smack userspace utilities.
- ↑ On x86_64 there is a tomoyo-tools package and at least the linux-generic has 'CONFIG_SECURITY_TOMOYO=y'.
- ↑ On x86_64 at least the linux-generic has 'CONFIG_SECURITY_YAMA=y' and Yama doesn't seem specific userspace tools. Instead it adds system calls to enable processes to better protect themselves.