[PLUG] Is a Linux Distro compromised?

tomas.kuchta.lists at gmail.com tomas.kuchta.lists at gmail.com
Wed Oct 9 07:13:54 UTC 2019


I think, when you are on this road, that you should start building your chain of
trust a UEFI/BIOS - either from some company which has a lot to loose by
compromising customers (probably not Huawei) or just get a laptop from Purism.

Tomas

On Tue, 2019-10-08 at 14:10 -0700, Mike C. wrote:
> > 
> > There are many, many turtles involved.
> > 
> 
> Funny you should say that, I had a similar thought, "It's turtles all the
> way down", when thinking about some other current events.
> 
> 
> > The source-to-binary mapping involves a toolchain to build it.
> > The toolchains (compilers and linkers and such) are subject to change too.
> > 
> 
> 
> > There are certainly mechanisms to check whether one set of binary blobs
> > are identical to another set of binary blobs. Those mechanisms work and are
> > robust. But the same source might generate slightly different binaries.
> 
> 
> 
> > The checking mechanisms aren't smart enough to tell you anything other
> > than "THESE THINGS ARE DIFFERENT".
> > 
> > 
> 
> So lest I wander off into tin foil hat land, it seems reasonable for one to
> trust in not having a kernel that has been intentionally compromised for
> nefarious purposes.
> 
> The distro that raised this question is Deepin. It's developed by an org.
> in China. They joined the Linux Foundation in 2015, for whatever that's
> worth.
> 
> Now Hauwei is shipping Linux laptops with Deepin pre-installed.
> 
> It seems most folks should be more concerned with user space and apps in
> terms of personal data privacy and security.
> 
> That said, have you heard of "reproducible builds"?
> > 
> > Not until you mentioned it. Precisely answers my original inquiry!
> 
> "Reproducible builds can act as part of a chain of trust
> <https://en.wikipedia.org/wiki/Chain_of_trust>;[1]
> <https://en.wikipedia.org/wiki/Reproducible_builds#cite_note-reproducible-buil
> ds-homepage-1>
> the
> source code can be signed, and deterministic compilation can prove that the
> binary was compiled from trusted source code. The aim is to prove that the
> source code has not been tampered/modified to e.g. add a backdoor
> <https://en.wikipedia.org/wiki/Backdoor_(computing)>."
> 
> https://en.wikipedia.org/wiki/Reproducible_builds
> _______________________________________________
> PLUG mailing list
> PLUG at pdxlinux.org
> http://lists.pdxlinux.org/mailman/listinfo/plug



More information about the PLUG mailing list