How much do you trust your Linux distro devs?

6 points by PrimaryAlibi 13 days ago

I will assume everyone understands the security problem when a build isn't reproducible. In short, just because something is open source doesn't mean the compiled application you're downloading and installing hasn't had malicious modules added to it before being compiled. It's not enough for something to be open source; it has to be reproducible as well.

I don't think there are any reproducible Linux distros. Every one I have looked into requires you to download and install from an image file. That means you must trust the developer who signed that image, because they could add all kinds of malicious code to it.

We always suspected that Windows, Mac, Android and iOS are spyware for the intel agencies, and now it has been proven that iOS has a backdoor most likely put there by the NSA.

Why don't we suspect the devs of linux distros to do the same thing?

What do we really know about the people signing the image files? Do you even know their names? It's also a bit crazy how so many people trust SELinux when it's made by the NSA.

Is this the reason why most people don't bother trying to protect their data from the intel agencies? No one wants them doing their unconstitutional and illegal snooping in our data, finding out that we like to listen to the rick roll music video, but maybe it's simply impossible to prevent that, 100% impossible no matter how hard you try.

LSMs won't help us when the distro itself is corrupted.

Or do you actually trust that the distro image file you installed from, and any updates later, aren't compromised? Tell me which distro you're using, what you know about the devs who sign the image file and updates, and why you trust them. Keep in mind they can be forced to compromise the distro and forced to keep silent.
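Worked illustration of the reproducibility point made in the post above (an added example, not code from this thread or from any distro's build tooling): a packaging step that is only reproducible when every timestamp comes from a fixed SOURCE_DATE_EPOCH rather than the wall clock, plus a check that accepts a published artifact only when enough independent rebuilders, working from the public source alone, produce byte-identical output. The source tree, the injected module and the rebuilder names are constructed for the example.

```python
"""Reproducible-build check: rebuild from source independently and compare
with the published artifact instead of trusting the signer alone.

Added example (not from the thread or any distro's tooling).  The source
tree, the injected module and the rebuilder names are constructed here
for illustration.
"""
import gzip
import hashlib
import io
import tarfile

# Constructed source tree (path -> bytes) standing in for a package repo.
SOURCE = {
    "pkg/main.c": b"int main(void) { return 0; }\n",
    "pkg/README": b"demo package\n",
}
# Fixed build timestamp, as SOURCE_DATE_EPOCH supplies in real builds.
SOURCE_DATE_EPOCH = 1_600_000_000


def build_tarball(tree, timestamp):
    """Pack `tree` into a .tar.gz.  `timestamp` lands in every tar header
    and in the gzip header; a builder that passes the wall clock instead
    of SOURCE_DATE_EPOCH therefore never reproduces its own output."""
    ts = int(timestamp)
    raw = io.BytesIO()
    with tarfile.open(fileobj=raw, mode="w") as tar:
        for path in sorted(tree):            # fixed member order
            data = tree[path]
            info = tarfile.TarInfo(name=path)
            info.size = len(data)
            info.mode = 0o644                # no host umask leakage
            info.uid = info.gid = 0          # no builder uid/gid leakage
            info.uname = info.gname = ""
            info.mtime = ts
            tar.addfile(info, io.BytesIO(data))
    out = io.BytesIO()
    with gzip.GzipFile(fileobj=out, mode="wb", mtime=ts) as gz:
        gz.write(raw.getvalue())
    return out.getvalue()


def sha256(blob):
    return hashlib.sha256(blob).hexdigest()


def members(blob):
    """Member names of a .tar.gz, to show *what* differs on a mismatch."""
    with tarfile.open(fileobj=io.BytesIO(blob), mode="r:gz") as tar:
        return sorted(tar.getnames())


def verify_rebuilds(published_hash, rebuilder_hashes, threshold):
    """True when at least `threshold` independent rebuilders produced the
    published bytes.  The signature only says who built it; agreement of
    parties that share nothing but the source is the actual evidence."""
    agreeing = sum(1 for h in rebuilder_hashes.values() if h == published_hash)
    return agreeing >= threshold


def demo():
    rebuilders = ("builder-a", "builder-b", "builder-c")   # constructed
    honest = build_tarball(SOURCE, SOURCE_DATE_EPOCH)
    rebuilt = {name: sha256(build_tarball(SOURCE, SOURCE_DATE_EPOCH))
               for name in rebuilders}

    # Case 1: honest signer, every rebuilder matches the published bytes.
    honest_ok = verify_rebuilds(sha256(honest), rebuilt, threshold=2)

    # Case 2: the signer adds a module that is not in the public repo.
    tampered_tree = dict(SOURCE, **{"pkg/extra.c": b"/* not in the repo */\n"})
    tampered = build_tarball(tampered_tree, SOURCE_DATE_EPOCH)
    tampered_ok = verify_rebuilds(sha256(tampered), rebuilt, threshold=2)
    extra = sorted(set(members(tampered)) - set(members(honest)))

    # Case 3: non-reproducible packaging (wall-clock timestamp) also fails
    # the check, so without reproducibility case 2 cannot be told apart
    # from an innocent timestamp difference.
    naive = build_tarball(SOURCE, SOURCE_DATE_EPOCH + 1)
    naive_ok = verify_rebuilds(sha256(naive), rebuilt, threshold=2)

    return {"honest_ok": honest_ok, "tampered_ok": tampered_ok,
            "extra_members": extra, "naive_ok": naive_ok}


if __name__ == "__main__":
    print(demo())
```

The threshold is the point: with a single signer there is nothing to compare against, while with several rebuilders any one of them (the signer included) can be coerced without the result being accepted. Case 3 shows the flip side of the same check: a package that is not bit-for-bit reproducible fails verification for harmless reasons, which is why the distro's own reproducibility percentage matters before this kind of check is worth anything.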

RGamma 13 days ago

Well, as long as we can't formally enforce security and end-to-end verify hw+sw, we'll have to live with varying amounts of trust and checks.

Wrt reproducibility: NixOS minimal ISO is now 99+%, GNOME ISO at ~95% (measured heuristically as described there): https://reproducible.nixos.org

Didn't realize they have gotten this far already!

The actual problem lies in the code that is packaged... A dev sneaking malware into the CI/CD pipeline would paint a huge target on their back, because it's easy to detect and normally few well-known members get to control this. Including malicious code in an obscure dependency, however...

  • PrimaryAlibi 12 days ago

    I looked into NixOS. First of all, it has the same problem as all other distros, where you need to trust a signed image file.

    Secondly, on the page https://nix.dev/contributing/how-to-contribute they say "Currently the focus is on funding in-person events to share knowledge and grow the community of developers proficient with Nix. With enough budget, it would be possible to pay for ongoing maintenance and development of critical infrastructure and code – demanding work that we cannot expect to be done by volunteers indefinitely." So that means they want a centralized team.

    Third, there's an active topic there which shows clearly that the team behind NixOS is centralized and corrupt and politically driven: https://discourse.nixos.org/t/why-was-jon-ringer-banned-from...

    This whole project smells like a honey pot. Centralized = bad.

    • RGamma 12 days ago

      Got any ideas what you would like to see instead/how to solve these pain points?

      I've looked into running my own Hydra instance recently. It's possible, but I don't have a machine that I could host it on for my purposes right now (I would want to mirror the fixed-output derivations and be able to compile most things in ramfs).

      • PrimaryAlibi 12 days ago

        Great question, but I'm not an experienced enough developer to give the best answer. I don't know if it's possible to make this happen in the near enough future, but the best would be if we could build the distro ourselves ("reproducible builds"). Then we can know for certain there are no malicious modules added by the person signing the image.

        Otherwise I think whatever the solution is, it must be a decentralized and censorship-resistant solution, which means there must also be anonymity for the devs; otherwise they can be forced to do bad things or even put in prison for working on freedom software.

        I think we can probably learn a lot from Monero's developers. I think the best solution is probably a fair launch DAO where everyone can vote on who should be allowed to be a developer, who will do the signing, which features we want, etc.

        I think others can give better and more detailed answers than me. I will look into what Hydra is that you mentioned.

        • RGamma 12 days ago

          Hydra is the CI/CD platform executing jobs (the nixpkgs/NixOS job is defined in nixpkgs itself).

          Having lurked for some years in the NixOS community I think it's too early to insinuate wrongdoing. It's no guarantee, but I believe all core contributors are giving their best. If malware gets distributed it's from upstream-compromised software.

          The technological basis for verifiable IT is not well developed for now, but my guess would be they'd embrace it immediately (many core contributors come from the functional programming community). As things are, they are looking for resources to make core development sustainable. There's a million things to do (just look at the nixpkgs bug tracker). Cachix and Hydra and the labor are expensive...

          And dunno about the political angle. That sort of shit is part of life for decades in the distro space (and in most organisations of any kind) and we'll manage.

phendrenad2 12 days ago

Risk is equal to severity of the outcome multiplied by the chance of that outcome. If I were running a bank, I'd probably be very careful about what Linux distros I use. But for my own personal data, I don't think the CCP or Russia are going to be able to do anything meaningful based on my RedTube browsing history or my Wikipedia deep dives into penguin morphology.

  • PrimaryAlibi 11 days ago

    So you are saying you don't care about your privacy, but I don't understand how that is relevant.

    • phendrenad2 11 days ago

      Where did I say that? Can you point to it? Or did you imagine it because you are incapable of understanding new ideas the first time that you read them and need numerous instances to chunk them away for later recognition?