Group: Software/FSDG distributions/Security

Revision as of 12:36, 22 February 2023

Introduction

This page tracks the progress of FSDG distributions with regard to reproducible builds, bootstrapable builds and other similar security features.

Releases and signatures

Distribution	Signed installers
Dragora 3.0-beta1	Checksums only^[1]
Dynebolic 3.0-beta	Broken: signed broken checksums (md5)^[2]
Guix 1.4.0	Yes, signed images^[3]
Guix "latest"	No^[4]
Hyperbola v0.4.2	Yes, signed images^[5]
LibreCMC	Yes, signed checksums^[6]
Parabola	Yes^[7]
ProteanOS	Yes: signed ProteanOS Development Kit commits^[8]
PureOS 10 (byzantium)	Checksums only.^[9]
Replicant 6.0 0004	Yes, signed images^[10]
Trisquel 10.0.1	Yes, signed images^[11]
Ututo S	No: broken checksums (md5) only^[12]

Development source code and signatures

Distribution	Signed development source code
Dragora	?
Dynebolic	?
Guix	Yes, signed commits, authentication tool and instructions^[13]
Hyperbola	?
LibreCMC	?
Parabola	No policies requiring to sign commits
ProteanOS	Yes: signed commit and verification instructions.^[14]
PureOS	?
Replicant	No policies requiring to sign commits
Trisquel	?
Ututo S	?

Repdoducible builds and bootstrapable builds

Self hosted distributions

Distribution	Reproducible builds officially supported^[15]	Comments
Dragora	?	Not mentioned in the list of project supporting reproducible builds^[16].
Dynebolic	?	Not mentioned in the list of project supporting reproducible builds^[16].
Guix	Yes	Encourage any users to use the Guix challenge command to check the reproducibility of builds, and builds are supposed to be reproducible for all users (independently of the specific CPU, username, etc) Goes beyond reproducible builds and has efforts to make Guix bootstrapable Mentioned in the list of project supporting reproducible builds^[16].
Hyperbola	?	Not mentioned in the list of project supporting reproducible builds^[16] but Arch Linux is mentioned there so maybe it's easier to add reproducible builds to Hyperbola.
Parabola	?	Not mentioned in the list of project supporting reproducible builds^[16] but Arch Linux is mentioned there, and for x86_64 some of the stock Arch Linux are reused. So at least part of Parabola is reproducible. It has a wiki page that has a plan to add reproducible builds^[17] but it needs people to work on actually doing some research on how to add reproducible builds and to implement it. Arch Linux status: https://tests.reproducible-builds.org/archlinux/archlinux.html
PureOS	?	Not mentioned in the list of project supporting reproducible builds^[16] but Debian is mentioned there so maybe it's easier to add reproducible builds to Hyperbola.
Trisquel	?	Not mentioned in the list of project supporting reproducible builds^[16] but Debian is mentioned there so maybe it's easier to add reproducible builds to Hyperbola.
Ututo S	?	Not mentioned in the list of project supporting reproducible builds^[16].

Small distributions

Distribution	Reproducible builds officially supported^[15]	Comments
LibreCMC	?	Not mentioned in the list of project supporting reproducible builds^[16] but OpenWRT is mentioned, so it might be easier to add reproducible builds to LibreCMC.
ProteanOS	?	Not mentioned in the list of project supporting reproducible builds^[16].
Replicant	not yet	Not using the Android prebuilt toolchain is the first priority, then we probably need to find how to activate reproducible builds when building releases. Not mentioned in the list of project supporting reproducible builds^[16].

↑ https://mirror.fsf.org/dragora/v3/iso/beta1/
↑ https://files.dyne.org/dynebolic/
↑ https://guix.gnu.org/en/download/
↑ https://guix.gnu.org/en/download/latest/
↑ https://wiki.hyperbola.info/doku.php?id=en:manual:verify_live_images
↑ signed checksums: https://librecmc.org/librecmc/downloads/snapshots/v1.5.12/targets/ath79/generic/
↑ https://wiki.parabola.nu/Get_Parabola
↑ http://proteanos.com/doc/install/prokit/
↑ https://downloads.puri.sm/byzantium/gnome/2022-06-02/
↑ https://ftp.osuosl.org/pub/replicant/images/replicant-6.0/0004/images/
↑ https://cdimage.trisquel.info/trisquel-images/
↑ http://www.ututo.org/downloads/
↑ https://guix.gnu.org/en/manual/devel/en/guix.html#Building-from-Git
↑ http://proteanos.com/doc/install/prokit/
↑ ^15.0^15.1 If reproducible builds officially supported, we should be able to open bugs about non reproducible packages and/or send patches to fix them. If it is not supported we could try to send patches to enable reproducible builds and/or help the distribution supporting it instead.
↑ ^16.00^16.01^16.02^16.03^16.04^16.05^16.06^16.07^16.08^16.09^16.10 The official lists of projects supporting reproducible is at https://reproducible-builds.org/projects/ . Note that not all theses projects are FSDG compliant and that some might even contain nonfree software and other really problematic issues.
↑ https://wiki.parabola.nu/Reproducible_Builds

[1] ttps://mirror.fsf.org/dragora/v3/iso/beta1/

[2] ttps://files.dyne.org/dynebolic/

[3] ttps://guix.gnu.org/en/download/

[4] ttps://guix.gnu.org/en/download/latest/

[5] ttps://wiki.hyperbola.info/doku.php?id=en:manual:verify_live_images

[6] signed checksums: https://librecmc.org/librecmc/downloads/snapshots/v1.5.12/targets/ath79/generic/

[7] ttps://wiki.parabola.nu/Get_Parabola

[8] ttp://proteanos.com/doc/install/prokit/

[9] ttps://downloads.puri.sm/byzantium/gnome/2022-06-02/

[10] ttps://ftp.osuosl.org/pub/replicant/images/replicant-6.0/0004/images/

[11] ttps://cdimage.trisquel.info/trisquel-images/

[12] ttp://www.ututo.org/downloads/

[13] ttps://guix.gnu.org/en/manual/devel/en/guix.html#Building-from-Git

[14] ttp://proteanos.com/doc/install/prokit/

[supported-definition-15] 15.0^15.1 If reproducible builds officially supported, we should be able to open bugs about non reproducible packages and/or send patches to fix them. If it is not supported we could try to send patches to enable reproducible builds and/or help the distribution supporting it instead.

[reproducible-projects-list-16] 16.00^16.01^16.02^16.03^16.04^16.05^16.06^16.07^16.08^16.09^16.10 The official lists of projects supporting reproducible is at https://reproducible-builds.org/projects/ . Note that not all theses projects are FSDG compliant and that some might even contain nonfree software and other really problematic issues.

[17] ttps://wiki.parabola.nu/Reproducible_Builds

[1]

[2]

[3]

[4]

[5]

[6]

[7]

[8]

[9]

[10]

[11]

[12]

[13]

[14]

[15]

[16]

[17]

@@ Line 44: / Line 44: @@
 ! Ututo S
 | {{no|No: broken checksums (md5) only}}<ref>http://www.ututo.org/downloads/</ref>
+|}
+== Development source code and signatures ==
+{| class="wikitable"  border="1"
+! Distribution
+! Signed development source code
+|-
+! Dragora
+| ?
+|-
+! Dynebolic
+| ?
+|-
+! Guix
+| {{yes|Yes, signed commits, authentication tool and instructions}}<ref>https://guix.gnu.org/en/manual/devel/en/guix.html#Building-from-Git</ref>
+|-
+! Hyperbola
+| ?
+|-
+! LibreCMC
+| ?
+|-
+! Parabola
+| {{no|No policies requiring to sign commits}}
+|-
+! ProteanOS
+| {{yes|Yes: signed commit and verification instructions.}}<ref>http://proteanos.com/doc/install/prokit/</ref>
+|-
+! PureOS
+| ?
+|-
+! Replicant
+| {{no|No policies requiring to sign commits}}
+|-
+! Trisquel
+| ?
+|-
+! Ututo S
+| ?
 |}

Navigation menu

Group: Software/FSDG distributions/Security

Revision as of 12:36, 22 February 2023

Contents

Introduction

Releases and signatures

Development source code and signatures

Repdoducible builds and bootstrapable builds

Self hosted distributions

Small distributions

Campaigns

Get Involved