[PLUG] Is a Linux Distro compromised?

Tomas Kuchta tomas.kuchta.lists at gmail.com
Mon Oct 7 21:53:43 UTC 2019


You could download the distribution .iso as well as its sha256sum. Then you
run: sha256sum fileName.iso and compare them.

All distributions I know are additionally signed and will complain/abort
when the signature does not match.

That is, of course, only useful if the distribution itself is not
compromised. In case it is truly compromised, including signing and sha256
infrastructure, I do not think you can do much about it.

Hope it helps,
Tomas

On Mon, Oct 7, 2019, 17:42 Mike C. <mconnors1 at gmail.com> wrote:

> How would one know or determine if their beloved Linux distro of choice is
> hacked, altered or otherwise compromised?
>
> And not from years of using it with applying security updates or just
> willy-nilly throwing apps on it for fun but from the source when you
> download it.
>
> Say I want to build my own distro, how do I verify that I'm getting the
> authentic / original kernel to start with?
>
> If I'm downloading a distro, how would I do the same verification?
>
> Is this something that we just rely on the general Linux community to
> monitor and report on?
>
> Or is there something that's accomplished through hash algorithms and
> digital signatures that your average Linux user can verify themselves?
>
> I hope I'm making some sense here.
>
> Thank you,
>
> Mike
> _______________________________________________
> PLUG mailing list
> PLUG at pdxlinux.org
> http://lists.pdxlinux.org/mailman/listinfo/plug
>
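
The checksum comparison described in the reply above, as an added example that is not part of the original thread. The function names `verify_iso` and `verify_sums_signature` and the file names are hypothetical; the script assumes GNU `sha256sum`, file names without spaces, and, for the optional signature step, that the distribution's signing key is already in the local GnuPG keyring.

```shell
#!/usr/bin/env bash
# Added example: check a downloaded image against a distro-style SHA256SUMS file.

# verify_iso IMAGE SUMS_FILE
# Returns 0 on match, 1 on mismatch, 2 if a file is unreadable or the image
# has no entry in the checksum file (so a missing entry never counts as a pass).
verify_iso() {
    local image=$1 sums=$2 name expected actual
    [ -r "$image" ] && [ -r "$sums" ] || { echo "unreadable input" >&2; return 2; }
    name=$(basename -- "$image")

    # Lines look like "<hex>  name" (text mode) or "<hex> *name" (binary mode).
    expected=$(awk -v n="$name" '
        { f = $2; sub(/^\*/, "", f) }
        f == n { print tolower($1); exit }' "$sums")
    if [ -z "$expected" ]; then
        echo "$name: no entry in $sums" >&2
        return 2
    fi

    actual=$(sha256sum -- "$image" | awk '{ print $1 }')
    if [ "$actual" = "$expected" ]; then
        echo "$name: OK"
        return 0
    fi
    echo "$name: MISMATCH (expected $expected, got $actual)" >&2
    return 1
}

# Optional: verify a detached signature over the checksum file itself.
# $1 = signature file, $2 = checksum file. Only meaningful if the signing key
# was obtained and trusted independently of the download server.
verify_sums_signature() {
    gpg --verify "$1" "$2"
}
```

Run `verify_sums_signature` on the checksum file first where a signature is published, then `verify_iso` on the image; a checksum fetched from the same server as the image only detects corruption in transit.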


