Group: Software/FSDG distributions/Security

From LibrePlanet
Revision as of 11:26, 10 August 2023 by Mmcmahon (talk | contribs) (Fix typo and add capitalization for AppArmor and HTTPS)

Introduction

This page tracks the progress of FSDG distributions with regard to reproducible builds, bootstrappable builds and other similar security features.

Distributing software

Releases and signatures

Columns: Distribution | Signed installers | Comments

Dragora 3.0-beta1
  Signed installers: Checksums only[1]
  Comments:
    • There are instructions to build the release yourself, but there are no instructions on how to verify the source code.
    • As a workaround it might be possible to download the checksums through various ways (using multiple Tor routes, a local connection) and compare them. Also make sure to download the checksums from the official website or a trusted mirror.

Dynebolic 3.0-beta
  Signed installers: Broken: signed broken checksums (md5)[2]
  Comments: You could still download the images multiple times and compare them with cmp, though it's far from ideal.

Guix 1.4.0
  Signed installers: Yes, signed images[3]

Guix "latest"
  Signed installers: No[4]
  Comments: Workaround: use Guix 1.4.0 and update it.

Hyperbola v0.4.2
  Signed installers: Yes, signed images[5]

LibreCMC
  Signed installers: Yes, signed checksums[6]

Parabola
  Signed installers: Yes[7]

ProteanOS
  Signed installers: Yes: signed ProteanOS Development Kit commits[8]

PureOS 10 (byzantium)
  Signed installers: Checksums only.[9]
  Comments:
    • Workaround: install PureOS from Parabola with debootstrap and pureos-archive-keyring.
    • As a workaround it might also be possible to download the checksums through various ways (using multiple Tor routes, a local connection) and compare them. Also make sure to download the checksums from the official website or a trusted mirror.

Replicant 6.0 0004
  Signed installers: Yes, signed images[10]

Trisquel 10.0.1
  Signed installers: Yes, signed images[11]

Ututo S
  Signed installers: No: broken checksums (md5) only[12]
  Comments: You could still download the images multiple times and compare them with cmp, though it's far from ideal.
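For the checksum-only releases above (Dragora, PureOS) the workaround is to fetch the checksum file over several independent routes and compare the copies before trusting the image. The script below is an added example, not code from this page or from any of the distributions it tracks: it does that comparison with cmp and then checks the image against the agreed checksum file; it assumes sha256sum-format checksum lines and leaves the actual downloading (direct, via Tor, from a local mirror) to the reader.

```shell
#!/bin/sh
# Added example (not from the LibrePlanet page). Cross-checks several
# independently fetched copies of a release's checksum file, then verifies the
# image against it. Assumes "<sha256>  <filename>" lines as written by sha256sum.

# Succeed only if every checksum file given is byte-identical to the first one
# (cmp, as the page suggests). One differing copy means some route served
# altered data, or the publisher changed the file between downloads.
checksums_agree() {
    ref=$1; shift
    for f in "$@"; do
        if ! cmp -s "$ref" "$f"; then
            echo "checksum copies differ: $ref vs $f" >&2
            return 1
        fi
    done
    return 0
}

# Succeed only if the image's SHA-256 equals the entry for its basename in the
# (already cross-checked) checksum file. A missing entry counts as failure.
image_matches() {
    expected=$(grep " $(basename "$2")\$" "$1" | cut -d' ' -f1)
    actual=$(sha256sum "$2" | cut -d' ' -f1)
    [ -n "$expected" ] && [ "$expected" = "$actual" ]
}

# Constructed fixture (not a real release): a fake image, the checksum file as
# fetched over two routes, and one copy whose hash was altered in transit.
make_fixture() {
    d=$(mktemp -d)
    printf 'pretend ISO contents\n' > "$d/image.iso"
    (cd "$d" && sha256sum image.iso > sums.direct)
    cp "$d/sums.direct" "$d/sums.tor"
    sed 's/^./x/' "$d/sums.direct" > "$d/sums.tampered"
    echo "$d"
}

d=$(make_fixture)
if checksums_agree "$d/sums.direct" "$d/sums.tor" \
   && image_matches "$d/sums.direct" "$d/image.iso"; then
    echo "all checksum copies agree and image.iso verifies"
fi
checksums_agree "$d/sums.direct" "$d/sums.tampered" || echo "tampered copy rejected, as intended"
rm -rf "$d"
```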

Development source code and signatures

Distribution | Signed development source code
Dragora | ?
Dynebolic | ?
Guix | Yes, signed commits, authentication tool and instructions[13]
Hyperbola | ?
LibreCMC | ?
Parabola | No policies requiring commits to be signed
ProteanOS | Yes: signed commits and verification instructions.[14]
PureOS | ?
Replicant | No policies requiring commits to be signed
Trisquel | ?
Ututo S | ?

Security updates and packages

Columns: Distribution | Security updates available | Automatic security updates | Tools to check for CVEs | Signed packages | Protection against mirrors with outdated packages | Known security issues | Comments

Dragora 3.0-beta1
  (no information recorded)

Dynebolic 3.0-beta
  Security updates available: No[15]
  Automatic security updates: No[16]
  Known security issues:
    • No security updates

Guix 1.4.0
  Security updates available: No[17]
  Automatic security updates: No[18]
  Tools to check for CVEs: yes: guix lint
  Signed packages: Yes
  Protection against mirrors with outdated packages: Yes:
    • The package definitions come directly from Guix through HTTPS and are signed.[19]
    • Mirrors build packages and the signatures are enforced. Guix challenge can be used to check if the packages are reproducible.
  Known security issues:
    • No security updates
  Comments: Guix 1.4.0 can easily be updated to Guix "latest".

Guix "latest"
  Security updates available: Yes
  Automatic security updates: can be enabled[20]
  Tools to check for CVEs: yes: guix lint
  Signed packages: Yes
  Protection against mirrors with outdated packages: Yes:
    • The package definitions come directly from Guix through HTTPS and are signed.[21]
    • Mirrors build packages and the signatures are enforced. Guix challenge can be used to check if the packages are reproducible.

Hyperbola v0.4.2
  Signed packages: Yes[22]
  Protection against mirrors with outdated packages: No:
    • All mirrors use HTTPS or onion[23]
    • Trusts secondary mirrors for the package database:
      • uses secondary mirrors first[24]
      • doesn't enforce package database signatures[25]

LibreCMC
  (no information recorded)

Parabola
  Security updates available: Yes
  Automatic security updates: No[26]
  Tools to check for CVEs: ?
  Signed packages: Yes[27]
  Protection against mirrors with outdated packages: partial:
    • Mirror redirection for packages, which also uses HTTPS.[28]
    • Doesn't enforce package database signatures[29]

ProteanOS
  (no information recorded)

PureOS 10 (byzantium)
  Security updates available: Yes
  Automatic security updates: can be enabled[30]
  Signed packages: Yes

Replicant 6.0 0004
  Security updates available: Very few security updates[31]
  Automatic security updates: No[32]
  Tools to check for CVEs: No
  Signed packages: N/A (no packages)
  Protection against mirrors with outdated packages: N/A (no packages)
  Known security issues:
    • Based on Android 6.0, which is not maintained anymore
    • Uses an old version of WebView which is full of security vulnerabilities. Many applications use the built-in WebView, including non-browser applications.

Trisquel 10.0.1
  Security updates available: Yes
  Automatic security updates: can be enabled[33]
  Signed packages: Yes

Ututo S
  (no information recorded)
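The pacman SigLevel default quoted above for Hyperbola and Parabola (see also footnotes 22, 25, 27 and 29) makes package signatures mandatory but leaves the repository database, the list that says which package versions exist, unverified, so a stale or altered mirror database is accepted. The script below is an added example, not code from this page or from either distribution: it derives the effective database level from a pacman.conf the way pacman's SigLevel rules combine the words, and contrasts the quoted default with a DatabaseRequired variant; it reads only the global [options] section and assumes the repository actually publishes signatures for its databases, since pacman otherwise refuses to sync once DatabaseRequired is set.

```shell
#!/bin/sh
# Added example (not from the LibrePlanet page, Parabola or Hyperbola).
# SigLevel rules applied here: a bare Required/Optional/Never sets both the
# package and the database level, a Database* word overrides only the database
# level, Package*/TrustedOnly/TrustAll leave it alone, later words win.

# Print the database level ("Required", "Optional", "Never" or "unknown") for
# the [options] SigLevel line and succeed only when database signatures are
# actually enforced.
database_siglevel() {
    words=$(sed -n '/^\[options\]/,/^\[/ s/^[[:space:]]*SigLevel[[:space:]]*=[[:space:]]*//p' "$1" | head -n 1)
    level=unknown
    for w in $words; do
        case $w in
            Required|Optional|Never) level=$w ;;
            Database*)               level=${w#Database} ;;
            *)                       ;;   # Package*, TrustedOnly, TrustAll
        esac
    done
    echo "$level"
    [ "$level" = Required ]
}

# Constructed sample configurations. "weak" is the default quoted on this page
# for Parabola and Hyperbola; "hardened" is the one-word change that makes
# pacman reject an unsigned or stale repository database.
sample_conf() {
    f=$(mktemp)
    case $1 in
        weak)     sig='SigLevel = Required DatabaseOptional' ;;
        hardened) sig='SigLevel = Required DatabaseRequired' ;;
    esac
    printf '[options]\n%s\nLocalFileSigLevel = Optional\n\n[core]\nInclude = /etc/pacman.d/mirrorlist\n' "$sig" > "$f"
    echo "$f"
}

for kind in weak hardened; do
    f=$(sample_conf "$kind")
    if database_siglevel "$f" > /dev/null; then
        echo "$kind: database signatures enforced"
    else
        echo "$kind: database signatures NOT enforced (database level: $(database_siglevel "$f"))"
    fi
    rm -f "$f"
done
```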

Reproducible builds and bootstrappable builds

Distribution: Reproducible builds officially supported[34] (comments below each entry)

Dragora: ?
  • Not mentioned in the list of projects supporting reproducible builds[35].
Dynebolic: ?
  • Not mentioned in the list of projects supporting reproducible builds[35].
Guix: Yes
  • Encourages all users to use the Guix challenge command to check the reproducibility of builds, and builds are supposed to be reproducible for all users (independently of the specific CPU, username, etc.).
  • Part of Guix is now bootstrappable.[36]
  • Mentioned in the list of projects supporting reproducible builds[35].
Hyperbola: ?
  • Not mentioned in the list of projects supporting reproducible builds[35], but Arch Linux is mentioned there, so maybe it's easier to add reproducible builds to Hyperbola.
LibreCMC: ?
  • Not mentioned in the list of projects supporting reproducible builds[35], but OpenWRT is mentioned, so it might be easier to add reproducible builds to LibreCMC.
Parabola: ?
  • Not mentioned in the list of projects supporting reproducible builds[35], but Arch Linux is mentioned there, and for x86_64 some of the stock Arch Linux packages are reused. So at least part of Parabola is reproducible.
  • It has a wiki page with a plan to add reproducible builds[37], but it needs people to actually research how to add reproducible builds and to implement it.
  • Arch Linux status: https://tests.reproducible-builds.org/archlinux/archlinux.html
ProteanOS: ?
  • Not mentioned in the list of projects supporting reproducible builds[35].
PureOS: ?
  • Not mentioned in the list of projects supporting reproducible builds[35], but Debian is mentioned there, so maybe it's easier to add reproducible builds to PureOS.
Replicant: No
  • Not using the Android prebuilt toolchain is the first priority; then we probably need to find out how to activate reproducible builds when building releases.
  • Not mentioned in the list of projects supporting reproducible builds[35].
Trisquel: Yes
  • Mentioned in the list of projects supporting reproducible builds[35].
Ututo S: ?
  • Not mentioned in the list of projects supporting reproducible builds[35].

Security features

Access control

Distribution | AppArmor | Lockdown | SELinux
Dragora | ? | ? | ?
Dynebolic | ? | ? | ?
Guix | No[38] | No[39] | No[40]
Hyperbola | ? | ? | ?
LibreCMC | ? | ? | ?
Parabola | Can be enabled[41] | Can be enabled on x86[42] | No[43]
ProteanOS | ? | ? | ?
PureOS 10 (byzantium) | ? | Can be enabled on x86_64[44] | Can be enabled
Replicant 6.0 | No | ? | Yes, difficult to disable[45]
Replicant 11 | No | ? | No
Trisquel 10 (nabia) | Enabled by default, easy to disable[46] | Can be enabled at least on x86[47] | Can be enabled
Ututo S | ? | ? | ?
  1. https://mirror.fsf.org/dragora/v3/iso/beta1/
  2. https://files.dyne.org/dynebolic/
  3. https://guix.gnu.org/en/download/
  4. https://guix.gnu.org/en/download/latest/
  5. https://wiki.hyperbola.info/doku.php?id=en:manual:verify_live_images
  6. signed checksums: https://librecmc.org/librecmc/downloads/snapshots/v1.5.12/targets/ath79/generic/
  7. https://wiki.parabola.nu/Get_Parabola
  8. http://proteanos.com/doc/install/prokit/
  9. https://downloads.puri.sm/byzantium/gnome/2022-06-02/
  10. https://ftp.osuosl.org/pub/replicant/images/replicant-6.0/0004/images/
  11. https://cdimage.trisquel.info/trisquel-images/
  12. http://www.ututo.org/downloads/
  13. https://guix.gnu.org/en/manual/devel/en/guix.html#Building-from-Git
  14. http://proteanos.com/doc/install/prokit/
  15. From free-distros.html: "This is a “static” distro, normally run from a live CD. Since it will not receive security updates, it should be used offline."
  16. From free-distros.html: "This is a “static” distro, normally run from a live CD. Since it will not receive security updates, it should be used offline."
  17. There is no backport of the security fixes to stable releases. Instead users are encouraged to run guix pull to get the latest Guix version along with security fixes.
  18. There is no backport of the security fixes to stable releases. Instead users are encouraged to run guix pull to get the latest Guix version along with security fixes.
  19. The Guix channel is https://git.savannah.gnu.org/git/guix.git and channel signatures are enforced. If the builders don't have a given package, the computer running guix will try to compile that package instead.
  20. The Guix manual explains how to enable unattended upgrades.
  21. The Guix channel is https://git.savannah.gnu.org/git/guix.git and channel signatures are enforced. If the builders don't have a given package, the computer running guix will try to compile that package instead.
  22. /etc/pacman.conf has the following:
    SigLevel = Required DatabaseOptional
    LocalFileSigLevel = Optional
  23. reference: https://repo.hyperbola.info:50000/other/mirrorlist/mirrorlist.txt
  24. Reference: the default /etc/pacman.d/mirrorlist
  25. Reference: /etc/pacman.conf has "SigLevel = [...] DatabaseOptional"
  26. Any kind of automatic update is very strongly discouraged. Even the completely unofficial software that does this warns users very strongly and puts a lot of mechanisms in place to make sure that users are aware that it will break their system at some point.
  27. /etc/pacman.conf has the following by default:
    SigLevel = Required DatabaseOptional
    LocalFileSigLevel = Optional
  28. According to the default /etc/pacman.d/mirrorlist, it only uses "https://redirector.parabola.nu/$repo/os/$arch".
  29. However even if the redirector uses https, the package database signatures are not enforced since Parabola has "SigLevel = [...] DatabaseOptional" in /etc/pacman.conf by default.
  30. This can be done by installing and configuring the unattended-upgrades package
  31. In the latest Replicant 6.0 releases, only serious privacy issues were fixed. Since it's based on unmaintained Android versions, its contributors cannot provide security updates without porting Replicant to newer Android versions.
  32. Users are expected to manually install new releases.
  33. This can be done by installing and configuring the unattended-upgrades package
  34. If reproducible builds are officially supported, we should be able to open bugs about non-reproducible packages and/or send patches to fix them. If they are not supported, we could try to send patches to enable reproducible builds and/or help the distribution support them instead.
  35. The official list of projects supporting reproducible builds is at https://reproducible-builds.org/projects/ . Note that not all of these projects are FSDG compliant and that some might even contain nonfree software and other really problematic issues.
  36. Guix can now bootstrap its C toolchain (see The Full-Source Bootstrap: Building from source all the way down for more details), but some languages are not bootstrapped yet (Vala, Haskell, etc.). See Group:Software/research/ProgrammingLanguages#Guix_status for more details.
  37. https://wiki.parabola.nu/Reproducible_Builds
  38. Guix has the AppArmor related packages with some basic AppArmor profiles inside, and its kernel also has AppArmor available. However, at the time of writing the Guix manual has no information at all about AppArmor, and there is no service definition for it. In addition, AppArmor would probably need a way to find profiles installed by packages other than AppArmor itself. And finally, some packages like hplip don't yet install AppArmor profiles.
  39. git grep -i lockdown in guix source code shows 'CONFIG_SECURITY_LOCKDOWN_LSM is not set'
  40. While there are SELinux policies for Guix, they are meant to be used with a host distribution that supports SELinux. In addition, there are many limitations that prevent this policy from making it practical or secure to use Guix. See the SELinux Support section of the Guix manual for more details.
  41. The Parabola kernel has AppArmor, and the AppArmor package (and various other packages) ship profiles in /etc/apparmor.d. There is also some documentation in the AppArmor Arch Linux wiki page.
  42. linux-libre, linux-libre-lts and linux-libre-vanilla have the following configuration for i686 and x86_64: 'CONFIG_SECURITY_LOCKDOWN_LSM=y', '# CONFIG_SECURITY_LOCKDOWN_LSM_EARLY is not set' and 'CONFIG_LSM="landlock,lockdown,yama,integrity,bpf'. So on x86, lockdown is enabled by default if UEFI Secure Boot is on. However, Parabola doesn't support UEFI Secure Boot, so we can assume it's disabled by default. Lockdown is not available on armv7h, as all armv7h/aarch64 kernels have 'CONFIG_SECURITY_LOCKDOWN_LSM is not set'. There is documentation on how to enable lockdown manually in the Security#Kernel_lockdown_mode Arch Linux wiki page.
  43. Parabola has some SELinux related packages in the pcr repository, but they were only added to enable the development of SELinux policies for other distributions (Replicant). At the time of writing Parabola still doesn't have proper SELinux integration.
  44. linux-image-amd64 has the following configuration for i686 and x86_64: 'CONFIG_SECURITY_LOCKDOWN_LSM=y', 'CONFIG_SECURITY_LOCKDOWN_LSM_EARLY=y', 'CONFIG_LSM="lockdown,yama,loadpin,safesetid,integrity,apparmor,selinux,smack,tomoyo"'. So on x86, lockdown is enabled by default if UEFI secure boot is on. Since PureOS supports UEFI Secure boot, it can be enabled if UEFI secure boot is enabled, but it can't be deactivated easily if UEFI secure boot can't be deactivated (it may be possible by passing kernel argument through grub).
  45. There is no information on how to disable it, so it's unknown whether we just need to edit some init files, or whether we need to patch some files and recompile Replicant, etc. If you recompile Replicant 6.0, you will also have to generate scripts to migrate the data to your new signing key.
  46. On Ubuntu AppArmor is enabled by default, and Trisquel is based on Ubuntu.
  47. linux-image-5.13.0-52-generic has the following on x86_64: 'CONFIG_SECURITY_LOCKDOWN_LSM=y', 'CONFIG_SECURITY_LOCKDOWN_LSM_EARLY=y' and 'CONFIG_LSM="lockdown,yama,integrity,apparmor'. So at least on x86_64 lockdown is enabled by default if UEFI secure boot is on. However Trisquel 10 doesn't support UEFI Secure boot so we can assume it's disabled by default. Trisquel 10 also doesn't support i686 but it supports aarch64 and someone needs to check the status on aarch64. There is documentation on how to enable lockdown manually in the Security#Kernel_lockdown_mode ArchLinux wiki page.