[PLUG] Is a Linux Distro compromised?

Mike C. mconnors1 at gmail.com
Tue Oct 8 21:10:23 UTC 2019


>
> There are many, many turtles involved.
>

Funny you should say that, I had a similar thought, "It's turtles all the
way down", when thinking about some other current events.


> The source-to-binary mapping involves a toolchain to build it.
> The toolchains (compilers and linkers and such) are subject to change too.
>
> There are certainly mechanisms to check whether one set of binary blobs
> are identical to another set of binary blobs. Those mechanisms work and are
> robust. But the same source might generate slightly different binaries.
>
> The checking mechanisms aren't smart enough to tell you anything other
> than "THESE THINGS ARE DIFFERENT".
>

So lest I wander off into tin foil hat land, it seems reasonable for one to
trust in not having a kernel that has been intentionally compromised for
nefarious purposes.

The distro that raised this question is Deepin. It's developed by an org.
in China. They joined the Linux Foundation in 2015, for whatever that's
worth.

Now Huawei is shipping Linux laptops with Deepin pre-installed.

It seems most folks should be more concerned with user space and apps in
terms of personal data privacy and security.

> That said, have you heard of "reproducible builds"?
>

Not until you mentioned it. Precisely answers my original inquiry!

"Reproducible builds can act as part of a chain of trust
<https://en.wikipedia.org/wiki/Chain_of_trust>; the source code can be
signed, and deterministic compilation can prove that the binary was compiled
from trusted source code. The aim is to prove that the source code has not
been tampered/modified to e.g. add a backdoor
<https://en.wikipedia.org/wiki/Backdoor_(computing)>."

https://en.wikipedia.org/wiki/Reproducible_builds
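The two points made in this thread, that the same source can yield slightly different binaries and that a byte comparison only tells you "these things are different", plus the reproducible-builds fix for it, in working form. This is an added example, not code from the thread, from Deepin or from the Reproducible Builds project. It stands a zip archive in for a real compiler/linker toolchain: a naive "build" embeds the wall-clock time (the same effect as __DATE__/__TIME__ in C) and copies on-disk mtimes into the archive, while the reproducible build pins every timestamp to SOURCE_DATE_EPOCH (the real convention the Reproducible Builds project uses), sorts inputs and normalises mode bits. compare_artifacts() is the part a plain hash cannot do: it says which member differs and whether it is content or metadata. The sample source tree, the epoch value (the date of this mail) and all function names are constructed for the example.

```python
"""Added example: a toy 'toolchain' that is non-deterministic vs one that honours
SOURCE_DATE_EPOCH, and a diff that explains a mismatch member by member."""
import hashlib
import io
import os
import tempfile
import time
import zipfile

# Constructed value for the example: the date of the mail, 2019-10-08 21:10:23 UTC.
SOURCE_DATE_EPOCH = 1570569023


def _list_sources(src_dir):
    """Sorted (relative, absolute) paths. readdir order is filesystem-dependent,
    so a deterministic build must never rely on it."""
    out = []
    for root, dirs, files in os.walk(src_dir):
        dirs.sort()
        for name in sorted(files):
            full = os.path.join(root, name)
            out.append((os.path.relpath(full, src_dir).replace(os.sep, "/"), full))
    return out


def source_tree_digest(src_dir):
    """Digest over (path, sha256(content)) in sorted order: this is the thing a
    distributor would sign, and what 'trusted source' refers to."""
    h = hashlib.sha256()
    for rel, full in _list_sources(src_dir):
        with open(full, "rb") as fh:
            h.update(rel.encode() + b"\0" + hashlib.sha256(fh.read()).digest())
    return h.hexdigest()


def build_naive(src_dir, build_time_ns=None):
    """'Same source, slightly different binary': embeds the wall clock (like
    __DATE__/__TIME__) and ZipFile.write() copies each file's mtime and mode."""
    if build_time_ns is None:
        build_time_ns = time.time_ns()
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for rel, full in _list_sources(src_dir):
            zf.write(full, rel)
        zf.writestr("BUILD-INFO", "built-at-ns=%d\n" % build_time_ns)
    return buf.getvalue()


def build_reproducible(src_dir, source_date_epoch):
    """Deterministic variant: fixed timestamp (zip needs >= 1980), fixed mode
    bits, sorted inputs, nothing read from the clock or the environment."""
    date_time = time.gmtime(source_date_epoch)[:6]  # (Y, M, D, h, m, s)

    def entry(name):
        info = zipfile.ZipInfo(name, date_time=date_time)
        info.external_attr = 0o100644 << 16  # regular file, rw-r--r--, regardless of umask
        info.compress_type = zipfile.ZIP_DEFLATED
        return info

    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for rel, full in _list_sources(src_dir):
            with open(full, "rb") as fh:
                zf.writestr(entry(rel), fh.read())
        zf.writestr(entry("BUILD-INFO"), "built-at=%d\n" % source_date_epoch)
    return buf.getvalue()


def sha256(data):
    return hashlib.sha256(data).hexdigest()


def compare_artifacts(a, b):
    """Where a hash only says 'different', this says which member and why.
    Returns a sorted list of (member, reason)."""
    with zipfile.ZipFile(io.BytesIO(a)) as za, zipfile.ZipFile(io.BytesIO(b)) as zb:
        names_a, names_b = set(za.namelist()), set(zb.namelist())
        diffs = [(n, "only in first") for n in names_a - names_b]
        diffs += [(n, "only in second") for n in names_b - names_a]
        for n in names_a & names_b:
            ia, ib = za.getinfo(n), zb.getinfo(n)
            if za.read(n) != zb.read(n):
                diffs.append((n, "content differs"))
            elif (ia.date_time, ia.external_attr) != (ib.date_time, ib.external_attr):
                diffs.append((n, "metadata differs"))
    return sorted(diffs)


def check_reproducible(src_dir, published_sha256, source_date_epoch):
    """The chain-of-trust step: rebuild from the source you verified and compare
    with the hash the distributor published for its binary."""
    return sha256(build_reproducible(src_dir, source_date_epoch)) == published_sha256


def write_source(base, rel, text):
    path = os.path.join(base, rel)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w") as fh:
        fh.write(text)


def make_sample_tree():
    """Constructed sample 'source package' in a temp dir (not a real project)."""
    base = tempfile.mkdtemp(prefix="repro-demo-")
    write_source(base, "src/main.c", "int main(void) { return 0; }\n")
    write_source(base, "README", "sample package\n")
    return base


if __name__ == "__main__":
    d = make_sample_tree()
    n1, n2 = build_naive(d), build_naive(d)
    print("naive builds identical:", n1 == n2, compare_artifacts(n1, n2))
    r1, r2 = build_reproducible(d, SOURCE_DATE_EPOCH), build_reproducible(d, SOURCE_DATE_EPOCH)
    print("reproducible builds identical:", r1 == r2)
    print("naive vs reproducible:", compare_artifacts(n1, r1))
```

Run it and the naive builds disagree only in BUILD-INFO while the reproducible builds are byte-identical; comparing a naive build against a reproducible one also flags the source members as "metadata differs", which is exactly the kind of harmless-but-noisy difference that makes a raw hash mismatch uninformative. Real toolchains add more sources of variation (build paths, locale, parallelism, compiler version), which is why projects pin the whole build environment as well as the timestamp.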
