carlo von lynX wrote:
>>> My current state of information is such that any source-code
>>> based distribution is less likely to be affected by backdoors
>>> until debian and all derivatives indeed ship reproducible binaries.
>>> If Whonix can be rebuilt from source, so can Qubes OS?
>>
>> how do you securely distribute sources to be built? a source based
>> distribution has different trade-offs, rather than being immune to
>> tampering.
>
> Gentoo has provided cryptographic hashes for all tars and zips it uses
> for over ten years now. It's really no black magic. Gentoo has other
> issues and I don't understand why there is so little interest in
> OS built from source. If techies were admitting what a crazy risk
> it is to trust binary distributions, maybe source-code based ones
> would be much more advanced usability-wise by now.
>
> But I acknowledge the work being done for reproducible debian and
> I wish I also had time to participate in that.

You might also be interested in GNU Guix

https://www.gnu.org/software/guix/

a package manager for the GNU system. It allows you to install pre-built
packages, or just download the source and build locally with separable
build environments.

https://www.gnu.org/software/guix/manual/guix.html#Features

"Finally, Guix takes a purely functional approach to package management,
as described in the introduction (see Introduction). Each /gnu/store
package directory name contains a hash of all the inputs that were used
to build that package: compiler, libraries, build scripts, etc. This
direct correspondence allows users to make sure a given package
installation matches the current state of their distribution. It also
helps maximize build reproducibility: thanks to the isolated build
environments that are used, a given build is likely to yield
bit-identical files when performed on different machines (see container).

This foundation allows Guix to support transparent binary/source
deployment. When a pre-built binary for a /gnu/store item is available
from an external source (a substitute), Guix just downloads it and
unpacks it; otherwise, it builds the package from source, locally (see
Substitutes)."

https://www.gnu.org/software/guix/manual/guix.html#Substitutes

"Today, each individual's control over their own computing is at the
mercy of institutions, corporations, and groups with enough power and
determination to subvert the computing infrastructure and exploit its
weaknesses. While using hydra.gnu.org substitutes can be convenient, we
encourage users to also build on their own, or even run their own build
farm, such that hydra.gnu.org is less of an interesting target.

Guix has the foundations to maximize build reproducibility (see
Features). In most cases, independent builds of a given package or
derivation should yield bit-identical results. Thus, through a diverse
set of independent package builds, we can strengthen the integrity of
our systems.

In the future, we want Guix to have support to publish and retrieve
binaries to/from other users, in a peer-to-peer fashion. If you would
like to discuss this project, join us on guix-devel@xxxxxxxx"

An interesting talk on Guix was given this August at GNU Hacker's Meeting:

http://audio-video.gnu.org/video/ghm2014/2014-08--courtes--were-building-the-gnu-system--ghm.webm

~flapflap
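A toy sketch of the two mechanisms the quoted manual text describes: a store directory name derived from a hash over every build input, and checking a downloaded substitute against an independent local rebuild before trusting it. This is an added example, not part of the original message and not Guix's own code; the hashing scheme, the store-name format and all sample hashes and file contents are constructed assumptions.

```python
import hashlib
import json


def input_hash(inputs):
    """Hash every build input (compiler, libraries, build script, source
    tarball) in canonical key order, so any change to any input changes
    the result and the same recipe always gives the same hash."""
    canonical = json.dumps(inputs, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


def store_path(name, version, inputs):
    """Input-addressed name in the spirit of /gnu/store/<hash>-<name>-<ver>.
    Toy format: real Guix uses its own encoding and a derivation graph."""
    return f"/gnu/store/{input_hash(inputs)[:32]}-{name}-{version}"


def output_hash(tree):
    """Hash an output tree ({relative path: bytes}) in sorted path order,
    so bit-identical trees hash identically whatever order they were
    produced in, and a single changed byte changes the hash."""
    h = hashlib.sha256()
    for path in sorted(tree):
        h.update(path.encode("utf-8") + b"\0" + tree[path] + b"\0")
    return h.hexdigest()


def divergent_builders(builds):
    """builds: {builder name: output hash}, including a 'local' rebuild.
    Returns the builders whose output differs from the local build. An
    empty list means every substitute agrees bit-for-bit with what you
    built yourself; a non-empty list names the source(s) not to trust."""
    local = builds["local"]
    return sorted(b for b, h in builds.items() if h != local)


# Constructed sample data: hypothetical input hashes and file contents.
INPUTS = {"gcc": "a" * 64, "glibc": "b" * 64,
          "build.scm": "c" * 64, "hello-2.10.tar.gz": "d" * 64}
GOOD_TREE = {"bin/hello": b"\x7fELF hello", "share/man/hello.1": b".TH HELLO 1"}
ALTERED_TREE = dict(GOOD_TREE, **{"bin/hello": b"\x7fELF hello (modified)"})

if __name__ == "__main__":
    print(store_path("hello", "2.10", INPUTS))
    builds = {"local": output_hash(GOOD_TREE),
              "hydra.gnu.org": output_hash(GOOD_TREE),
              "mirror-x": output_hash(ALTERED_TREE)}
    print(divergent_builders(builds))
```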
--
tor-talk mailing list - tor-talk@xxxxxxxxxxxxxxxxxxxx
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk