Introduction
This page tracks the progress of FSDG distributions with regard to reproducible builds, bootstrappable builds and other similar security features.
Distributing software
Releases and signatures
| Distribution | Signed installers | Comments |
|---|---|---|
| Dragora 3.0-beta1 | Checksums only[1] | There are instructions to build the release yourself, but no instructions to verify the source code. As a workaround it might be possible to download the checksums through various ways (using multiple Tor routes, local connection) and compare them. Also make sure to download the checksums from the official website or a trusted mirror. |
| Dynebolic 3.0-beta | Broken: signed broken checksums (md5)[2] | You could still download the images multiple times and compare them with cmp, though it's far from ideal. |
| Guix 1.4.0 | Yes, signed images[3] | |
| Guix "latest" | No[4] | Workaround: use Guix 1.4.0 and update it. |
| Hyperbola v0.4.2 | Yes, signed images[5] | |
| LibreCMC | Yes, signed checksums[6] | |
| Parabola | Yes[7] | |
| ProteanOS | Yes: signed ProteanOS Development Kit commits[8] | |
| PureOS 10 (byzantium) | Checksums only[9] | Workaround: install PureOS from Parabola with debootstrap and pureos-archive-keyring. As a workaround it might also be possible to download the checksums through various ways (using multiple Tor routes, local connection) and compare them. Also make sure to download the checksums from the official website or a trusted mirror. |
| Replicant 6.0 0004 | Yes, signed images[10] | |
| Trisquel 10.0.1 | Yes, signed images[11] | |
| Ututo S | No: broken checksums (md5) only[12] | You could still download the images multiple times and compare them with cmp, though it's far from ideal. |
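The checksum workaround described in the table above, as an added example that is not part of the original page: copies of the checksum file fetched over independent routes are compared byte for byte with cmp, and only if they all agree is the image checked against them. Agreement between copies raises the bar against tampering on a single path but is no substitute for a signature from the distribution. The file names and the "release.iso" image below are constructed placeholders.

```shell
#!/bin/sh
# Added example, not taken from the wiki page: cross-check several
# independently fetched copies of a release checksum file (e.g. one fetched
# directly, one over Tor, one from a trusted mirror) and, only if they all
# agree, verify the downloaded image against them. The file names used below
# and the "release.iso" image are constructed placeholders.

# checksums_agree FIRST [OTHER...]
# Returns 0 only when every OTHER copy is byte-for-byte identical to FIRST,
# the same comparison the page suggests doing by hand with cmp.
checksums_agree() {
    first="$1"
    shift
    for copy in "$@"; do
        if ! cmp -s "$first" "$copy"; then
            echo "mismatch: $copy differs from $first" >&2
            return 1
        fi
    done
    return 0
}

# verify_image SUMFILE IMAGE
# Checks IMAGE against a SHA256SUMS-style file. Only the line naming the
# image is fed to sha256sum, so a checksum file covering several images works.
verify_image() {
    sumfile="$1"
    image="$2"
    dir=$(dirname "$image")
    base=$(basename "$image")
    # Run from the image's directory so the bare file name in SUMFILE resolves.
    # sha256sum -c exits non-zero on a mismatch or when no matching line exists.
    grep -- " $base\$" "$sumfile" | (cd "$dir" && sha256sum -c --status -)
}

# Demonstration on constructed inputs: two consistent copies of the checksum
# file and one tampered copy.
demo() {
    tmp=$(mktemp -d)
    printf 'constructed image payload\n' > "$tmp/release.iso"
    (cd "$tmp" && sha256sum release.iso > SHA256SUMS.direct)
    cp "$tmp/SHA256SUMS.direct" "$tmp/SHA256SUMS.via-tor"
    # A copy carrying a wrong digest (64 zeros), as a tampering mirror would serve
    printf '%s  release.iso\n' \
        0000000000000000000000000000000000000000000000000000000000000000 \
        > "$tmp/SHA256SUMS.tampered"

    if checksums_agree "$tmp/SHA256SUMS.direct" "$tmp/SHA256SUMS.via-tor" \
        && verify_image "$tmp/SHA256SUMS.direct" "$tmp/release.iso"; then
        echo "consistent copies: image verified"
    fi
    if ! checksums_agree "$tmp/SHA256SUMS.direct" "$tmp/SHA256SUMS.tampered"; then
        echo "tampered copy detected: do not trust the download"
    fi
    rm -rf "$tmp"
}

demo
```

In practice the copies would come from separate downloads (direct, over Tor, from a mirror); the demo simply writes them to a temporary directory so the script runs offline.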
Development source code and signatures
| Distribution | Signed development source code |
|---|---|
| Dragora | ? |
| Dynebolic | ? |
| Guix | Yes, signed commits, authentication tool and instructions[13] |
| Hyperbola | ? |
| LibreCMC | ? |
| Parabola | No policy requiring signed commits |
| ProteanOS | Yes: signed commits and verification instructions[14] |
| PureOS | ? |
| Replicant | No policy requiring signed commits |
| Trisquel | ? |
| Ututo S | ? |
Security updates and packages
| Distribution | Security updates available | Automatic security updates | Tools to check for CVEs | Signed packages | Protection against mirrors with outdated packages | Known security issues | Comments |
|---|---|---|---|---|---|---|---|
| Dragora 3.0-beta1 | | | | | | | |
| Dynebolic 3.0-beta | No[15] | No[16] | | | | | |
| Guix 1.4.0 | No[17] | No[18] | Yes: guix lint | Yes | Yes: the package definitions come directly from Guix through HTTPS and are signed[19]; mirrors build packages and the signatures are enforced; guix challenge can be used to check whether the packages are reproducible | | Guix 1.4.0 can easily be updated to Guix "latest". |
| Guix "latest" | Yes | Can be enabled[20] | Yes: guix lint | Yes | Yes: the package definitions come directly from Guix through HTTPS and are signed[21]; mirrors build packages and the signatures are enforced; guix challenge can be used to check whether the packages are reproducible | | |
| Hyperbola v0.4.2 | | | | Yes[22] | No: all mirrors use https or onion[23], but it trusts secondary mirrors for the package database (it uses secondary mirrors first[24]) and it doesn't enforce package database signatures[25] | | |
| LibreCMC | | | | | | | |
| Parabola | Yes | No[26] | ? | Yes[27] | Partial: mirror redirection for packages, which also uses https[28]; doesn't enforce package database signatures[29] | | |
| ProteanOS | | | | | | | |
| PureOS 10 (byzantium) | Yes | Can be enabled[30] | | Yes | | | |
| Replicant 6.0 0004 | Very few security updates[31] | No[32] | No | N/A (no packages) | N/A (no packages) | Based on Android 6.0, which is not maintained anymore. Uses an old version of WebView which is full of security vulnerabilities; many applications use the built-in WebView, including non-browser applications. | |
| Trisquel 10.0.1 | Yes | Can be enabled[33] | | Yes | | | |
| Ututo S | | | | | | | |
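The "doesn't enforce package database signatures" finding for Hyperbola and Parabola comes down to the pacman.conf line quoted in footnotes [22], [25], [27] and [29]. The following is an added example, not part of the original page, that shows the weak setting beside its hardened form and a small audit function that reports which of the two a given pacman.conf has. Both sample configurations are constructed; the keyword semantics follow pacman.conf(5), where Never/Optional/Required may be prefixed with Package or Database and later keywords override earlier ones. Requiring database signatures only works if the repositories in use actually publish database signature files, which is an assumption about the repositories, not something the page states. Enforcing the signature stops a mirror from altering the database; it does not by itself tell pacman that a validly signed database is stale, so fetching the database from a trusted origin over https, as the Parabola redirector does, remains complementary.

```shell
#!/bin/sh
# Added example, not taken from the wiki page: audit whether a pacman.conf
# enforces signatures on the repository databases, the weakness footnotes
# [22], [25], [27] and [29] describe for Hyperbola and Parabola. The two
# sample configurations are constructed, modelled on the
# "SigLevel = Required DatabaseOptional" line quoted on the page.

# The weak configuration: packages must be signed, database signatures are
# checked only if present. A mirror can therefore serve an old or altered,
# unsigned database that lists outdated (but individually validly signed)
# packages.
sample_weak_conf() {
cat <<'EOF'
[options]
HoldPkg = pacman glibc
SigLevel = Required DatabaseOptional
LocalFileSigLevel = Optional

[core]
Include = /etc/pacman.d/mirrorlist
EOF
}

# The hardened configuration: both packages and databases must carry a valid
# signature. This only works when the repositories actually publish database
# signature files; otherwise every database refresh fails (an assumption
# about the repositories being used, not something the page states).
sample_strict_conf() {
cat <<'EOF'
[options]
HoldPkg = pacman glibc
SigLevel = Required DatabaseRequired
LocalFileSigLevel = Optional

[core]
Include = /etc/pacman.d/mirrorlist
EOF
}

# effective_database_siglevel CONF_FILE
# Prints Never, Optional or Required: the database signature requirement that
# results from the [options] SigLevel line. pacman.conf(5) keywords are
# Never/Optional/Required, optionally prefixed with Package or Database;
# later keywords override earlier ones. Per-repository SigLevel overrides
# are not considered here.
effective_database_siglevel() {
    siglevel=$(awk '
        /^\[/ { in_options = ($0 == "[options]") }
        in_options && /^[ \t]*SigLevel[ \t]*=/ {
            sub(/^[^=]*=[ \t]*/, ""); line = $0
        }
        END { print line }' "$1")
    db="Optional"   # pacman default when no SigLevel is set
    for word in $siglevel; do
        case "$word" in
            Never|Optional|Required) db="$word" ;;   # applies to both kinds
            DatabaseNever)           db="Never" ;;
            DatabaseOptional)        db="Optional" ;;
            DatabaseRequired)        db="Required" ;;
        esac
    done
    echo "$db"
}

# database_sigs_enforced CONF_FILE: exit 0 only if databases must be signed.
database_sigs_enforced() {
    [ "$(effective_database_siglevel "$1")" = "Required" ]
}

# Demonstration on the two constructed files.
demo() {
    tmp=$(mktemp -d)
    sample_weak_conf > "$tmp/weak.conf"
    sample_strict_conf > "$tmp/strict.conf"
    for f in "$tmp/weak.conf" "$tmp/strict.conf"; do
        if database_sigs_enforced "$f"; then
            echo "$(basename "$f"): database signatures enforced"
        else
            echo "$(basename "$f"): database signatures NOT enforced ($(effective_database_siglevel "$f"))"
        fi
    done
    rm -rf "$tmp"
}

demo
```

To audit a real system, call `database_sigs_enforced /etc/pacman.conf`; the function only reads the file, so it can be run as an unprivileged user.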
Reproducible builds and bootstrappable builds
| Distribution | Reproducible builds officially supported[34] | Comments |
|---|---|---|
| Dragora | ? | Not mentioned in the list of projects supporting reproducible builds[35]. |
| Dynebolic | ? | Not mentioned in the list of projects supporting reproducible builds[35]. |
| Guix | Yes | Encourages all users to use the guix challenge command to check the reproducibility of builds, and builds are supposed to be reproducible for all users (independently of the specific CPU, username, etc.). Part of Guix is now bootstrappable[36]. Mentioned in the list of projects supporting reproducible builds[35]. |
| Hyperbola | ? | Not mentioned in the list of projects supporting reproducible builds[35], but Arch Linux is mentioned there, so it might be easier to add reproducible builds to Hyperbola. |
| LibreCMC | ? | Not mentioned in the list of projects supporting reproducible builds[35], but OpenWRT is mentioned, so it might be easier to add reproducible builds to LibreCMC. |
| Parabola | ? | Not mentioned in the list of projects supporting reproducible builds[35], but Arch Linux is mentioned there, and for x86_64 some of the stock Arch Linux packages are reused, so at least part of Parabola is reproducible. It has a wiki page with a plan to add reproducible builds[37], but it needs people to actually research how to add reproducible builds and to implement it. Arch Linux status: https://tests.reproducible-builds.org/archlinux/archlinux.html |
| ProteanOS | ? | Not mentioned in the list of projects supporting reproducible builds[35]. |
| PureOS | ? | Not mentioned in the list of projects supporting reproducible builds[35], but Debian is mentioned there, so it might be easier to add reproducible builds to PureOS. |
| Replicant | No | Not using the Android prebuilt toolchain is the first priority; then we probably need to find out how to activate reproducible builds when building releases. Not mentioned in the list of projects supporting reproducible builds[35]. |
| Trisquel | Yes | Mentioned in the list of projects supporting reproducible builds[35]. |
| Ututo S | ? | Not mentioned in the list of projects supporting reproducible builds[35]. |
Security features
Access control
| Distribution | AppArmor | Lockdown | SELinux |
|---|---|---|---|
| Dragora | ? | ? | ? |
| Dynebolic | ? | ? | ? |
| Guix | No[38] | No[39] | No[40] |
| Hyperbola | ? | ? | ? |
| LibreCMC | ? | ? | ? |
| Parabola | Can be enabled[41] | Can be enabled on x86[42] | No[43] |
| ProteanOS | ? | ? | ? |
| PureOS 10 (byzantium) | ? | Can be enabled on x86_64[44] | Can be enabled |
| Replicant 6.0 | No | ? | Yes, difficult to disable[45] |
| Replicant 11 | No | ? | No |
| Trisquel 10 (nabia) | Enabled by default, easy to disable[46] | Can be enabled at least on x86[47] | Can be enabled |
| Ututo S | ? | ? | ? |
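The Lockdown column is filled in by reading kernel configuration options, as footnotes [39], [42], [44] and [47] do by hand. The following is an added example, not part of the original page, that automates the same two questions for any kernel: is the lockdown LSM compiled in and listed in CONFIG_LSM (so that it can be switched on at all), and what mode is the running kernel in according to /sys/kernel/security/lockdown. The three sample configuration fragments are constructed from the option lines the footnotes quote; a real system is checked against /boot/config-$(uname -r). Only the compiled-in CONFIG_LSM list is inspected, so an lsm= boot parameter that changes the list is not taken into account.

```shell
#!/bin/sh
# Added example, not taken from the wiki page: report whether a kernel build
# has the lockdown LSM compiled in and whether the running kernel has it
# active, the two questions the Lockdown column and footnotes [39], [42],
# [44] and [47] answer by reading kernel configuration options. The sample
# configuration fragments are constructed from the option lines quoted in
# those footnotes.

sample_config_parabola_x86() {
cat <<'EOF'
CONFIG_SECURITY_LOCKDOWN_LSM=y
# CONFIG_SECURITY_LOCKDOWN_LSM_EARLY is not set
CONFIG_LSM="landlock,lockdown,yama,integrity,bpf"
EOF
}

sample_config_trisquel_x86_64() {
cat <<'EOF'
CONFIG_SECURITY_LOCKDOWN_LSM=y
CONFIG_SECURITY_LOCKDOWN_LSM_EARLY=y
CONFIG_LSM="lockdown,yama,integrity,apparmor"
EOF
}

sample_config_guix() {
cat <<'EOF'
# CONFIG_SECURITY_LOCKDOWN_LSM is not set
EOF
}

# lockdown_build_status CONFIG_FILE
# Prints one of: absent, built-in, built-in-early, built-in-not-in-lsm-list.
# Returns 0 only when lockdown is compiled in and listed in CONFIG_LSM, i.e.
# when it can be switched on at all (via the lockdown= boot parameter, or, on
# distributions that patch this in, by UEFI Secure Boot as the footnotes note).
lockdown_build_status() {
    conf="$1"
    if ! grep -qx 'CONFIG_SECURITY_LOCKDOWN_LSM=y' "$conf"; then
        echo absent
        return 1
    fi
    # The LSM is only initialised if it appears in the CONFIG_LSM order list
    lsm=$(sed -n 's/^CONFIG_LSM="\([^"]*\)".*$/\1/p' "$conf")
    case ",$lsm," in
        *,lockdown,*) ;;
        *) echo built-in-not-in-lsm-list; return 1 ;;
    esac
    if grep -qx 'CONFIG_SECURITY_LOCKDOWN_LSM_EARLY=y' "$conf"; then
        echo built-in-early
    else
        echo built-in
    fi
}

# lockdown_mode_from_line LINE
# Extracts the active mode from the format /sys/kernel/security/lockdown uses,
# e.g. "[none] integrity confidentiality" -> none.
lockdown_mode_from_line() {
    printf '%s\n' "$1" | sed -n 's/.*\[\([a-z]*\)\].*/\1/p'
}

# lockdown_runtime_mode: active mode of the running kernel, or "unavailable"
# when securityfs is not mounted or the kernel has no lockdown support.
lockdown_runtime_mode() {
    f=/sys/kernel/security/lockdown
    if [ -r "$f" ]; then
        lockdown_mode_from_line "$(cat "$f")"
    else
        echo unavailable
        return 1
    fi
}

demo() {
    tmp=$(mktemp -d)
    sample_config_parabola_x86 > "$tmp/parabola"
    sample_config_trisquel_x86_64 > "$tmp/trisquel"
    sample_config_guix > "$tmp/guix"
    for name in parabola trisquel guix; do
        echo "$name: $(lockdown_build_status "$tmp/$name")"
    done
    echo "running kernel: $(lockdown_runtime_mode)"
    rm -rf "$tmp"
}

demo
```

The build-status check distinguishes the Parabola case (compiled in, but not early and, per the page, off by default without Secure Boot) from the Trisquel and PureOS case (compiled in with the early variant) and from Guix, where the option is not set at all; the runtime check is what tells an administrator whether any of that is actually in effect on the machine in front of them.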
References
[1] https://mirror.fsf.org/dragora/v3/iso/beta1/
[2] https://files.dyne.org/dynebolic/
[3] https://guix.gnu.org/en/download/
[4] https://guix.gnu.org/en/download/latest/
[5] https://wiki.hyperbola.info/doku.php?id=en:manual:verify_live_images
[6] Signed checksums: https://librecmc.org/librecmc/downloads/snapshots/v1.5.12/targets/ath79/generic/
[7] https://wiki.parabola.nu/Get_Parabola
[8] http://proteanos.com/doc/install/prokit/
[9] https://downloads.puri.sm/byzantium/gnome/2022-06-02/
[10] https://ftp.osuosl.org/pub/replicant/images/replicant-6.0/0004/images/
[11] https://cdimage.trisquel.info/trisquel-images/
[12] http://www.ututo.org/downloads/
[13] https://guix.gnu.org/en/manual/devel/en/guix.html#Building-from-Git
[14] http://proteanos.com/doc/install/prokit/
[15] From free-distros.html: "This is a “static” distro, normally run from a live CD. Since it will not receive security updates, it should be used offline."
[16] From free-distros.html: "This is a “static” distro, normally run from a live CD. Since it will not receive security updates, it should be used offline."
[17] There is no backport of the security fixes to stable releases. Instead users are encouraged to run guix pull to get the latest Guix version along with security fixes.
[18] There is no backport of the security fixes to stable releases. Instead users are encouraged to run guix pull to get the latest Guix version along with security fixes.
[19] The Guix channel is https://git.savannah.gnu.org/git/guix.git and channel signatures are enforced. If the builders don't have a given package, the computer running Guix will try to compile that package instead.
[20] The Guix manual explains how to enable unattended upgrades.
[21] The Guix channel is https://git.savannah.gnu.org/git/guix.git and channel signatures are enforced. If the builders don't have a given package, the computer running Guix will try to compile that package instead.
[22] /etc/pacman.conf has the following:
    SigLevel = Required DatabaseOptional
    LocalFileSigLevel = Optional
[23] Reference: https://repo.hyperbola.info:50000/other/mirrorlist/mirrorlist.txt
[24] Reference: the default /etc/pacman.d/mirrorlist
[25] Reference: /etc/pacman.conf has "SigLevel = [...] DatabaseOptional"
[26] Any kind of automatic update is very strongly discouraged. Even completely unofficial software that does this warns users very strongly and puts a lot of mechanisms in place to make sure that users are aware that it will break their system at some point.
[27] /etc/pacman.conf has the following by default:
    SigLevel = Required DatabaseOptional
    LocalFileSigLevel = Optional
[28] According to the default /etc/pacman.d/mirrorlist, it only uses "https://redirector.parabola.nu/$repo/os/$arch".
[29] However, even if the redirector uses https, the package database signatures are not enforced since Parabola has "SigLevel = [...] DatabaseOptional" in /etc/pacman.conf by default.
[30] This can be done by installing and configuring the unattended-upgrades package.
[31] In the latest Replicant 6.0 releases, only serious privacy issues were fixed. Since it's based on unmaintained Android versions, its contributors cannot fix security issues without porting Replicant to newer Android versions.
[32] Users are expected to manually install new releases.
[33] This can be done by installing and configuring the unattended-upgrades package.
[34] If reproducible builds are officially supported, we should be able to open bugs about non-reproducible packages and/or send patches to fix them. If they are not supported, we could try to send patches to enable reproducible builds and/or help the distribution support them instead.
[35] The official list of projects supporting reproducible builds is at https://reproducible-builds.org/projects/ . Note that not all these projects are FSDG compliant and that some might even contain nonfree software and other really problematic issues.
[36] Guix can now bootstrap its C toolchain (see "The Full-Source Bootstrap: Building from source all the way down" for more details), but some languages are not bootstrapped yet (Vala, Haskell, etc.). See Group:Software/research/ProgrammingLanguages#Guix_status for more details.
[37] https://wiki.parabola.nu/Reproducible_Builds
[38] Guix has the AppArmor related packages, with some basic AppArmor profiles inside, and its kernel also has AppArmor available. However, at the time of writing the Guix manual has no information at all about AppArmor, and there is no service definition for it. In addition, AppArmor would probably need a way to find profiles installed by packages other than AppArmor itself. And finally, some packages like hplip don't yet install AppArmor profiles.
[39] git grep -i lockdown in the Guix source code shows 'CONFIG_SECURITY_LOCKDOWN_LSM is not set'.
[40] While there are SELinux policies for Guix, they are meant to be used with a host distribution that supports SELinux. In addition, there are many limitations that prevent this policy from making it practical or secure to use Guix. See the SELinux Support section of the Guix manual for more details.
[41] The Parabola kernel has AppArmor, and the AppArmor package (and various other packages) ship profiles in /etc/apparmor.d. There is also some documentation in the AppArmor Arch Linux wiki page.
[42] linux-libre, linux-libre-lts and linux-libre-vanilla have the following configuration for i686 and x86_64: 'CONFIG_SECURITY_LOCKDOWN_LSM=y', '# CONFIG_SECURITY_LOCKDOWN_LSM_EARLY is not set' and 'CONFIG_LSM="landlock,lockdown,yama,integrity,bpf"'. So on x86, lockdown is enabled by default if UEFI Secure Boot is on. However, Parabola doesn't support UEFI Secure Boot, so we can assume it's disabled by default. Lockdown is not available on armv7h, as all armv7h/aarch64 kernels have 'CONFIG_SECURITY_LOCKDOWN_LSM is not set'. There is documentation on how to enable lockdown manually in the Security#Kernel_lockdown_mode Arch Linux wiki page.
[43] Parabola has some SELinux related packages in the pcr repository, but they were only added to enable the development of SELinux policies for other distributions (Replicant). At the time of writing Parabola still doesn't have proper SELinux integration.
[44] linux-image-amd64 has the following configuration for i686 and x86_64: 'CONFIG_SECURITY_LOCKDOWN_LSM=y', 'CONFIG_SECURITY_LOCKDOWN_LSM_EARLY=y', 'CONFIG_LSM="lockdown,yama,loadpin,safesetid,integrity,apparmor,selinux,smack,tomoyo"'. So on x86, lockdown is enabled by default if UEFI Secure Boot is on. Since PureOS supports UEFI Secure Boot, it can be enabled if UEFI Secure Boot is enabled, but it can't be deactivated easily if UEFI Secure Boot can't be deactivated (it may be possible by passing a kernel argument through GRUB).
[45] There is no information on how to disable it, so it's unknown whether we just need to edit some init files, or whether we need to patch some files and recompile Replicant, etc. If you recompile Replicant 6.0, you will also have to generate scripts to migrate the data to your new signing key.
[46] On Ubuntu AppArmor is enabled by default, and Trisquel is based on Ubuntu.
[47] linux-image-5.13.0-52-generic has the following on x86_64: 'CONFIG_SECURITY_LOCKDOWN_LSM=y', 'CONFIG_SECURITY_LOCKDOWN_LSM_EARLY=y' and 'CONFIG_LSM="lockdown,yama,integrity,apparmor"'. So at least on x86_64 lockdown is enabled by default if UEFI Secure Boot is on. However, Trisquel 10 doesn't support UEFI Secure Boot, so we can assume it's disabled by default. Trisquel 10 also doesn't support i686, but it supports aarch64 and someone needs to check the status on aarch64. There is documentation on how to enable lockdown manually in the Security#Kernel_lockdown_mode Arch Linux wiki page.