[tor-talk] Qubes? debian? binary? reproducible?

flapflap flapflap at riseup.net
Sun Dec 7 12:45:52 UTC 2014


carlo von lynX wrote:
>>> My current state of information is such that any source-code
>>> based distribution is less likely to be affected by backdoors
>>> until debian and all derivatives indeed ship reproducible binaries.
>>> If Whonix can be rebuilt from source, so can Qubes OS?
>>
>> how do you securely distribute sources to be built?  a source based
>> distribution has different trade-offs, rather than being immune to
>> tampering.
> 
> Gentoo has provided cryptographic hashes for all tars and zips it uses
> for over ten years now. It's really no black magic. Gentoo has other
> issues and I don't understand why there is so little interest in
> OSes built from source. If techies were admitting what a crazy risk
> it is to trust binary distributions, maybe source-code based ones
> would be much more advanced usability-wise by now.
> 
> But I acknowledge the work being done for reproducible debian and
> I wish I also had time to participate in that.

You might also be interested in GNU Guix
  https://www.gnu.org/software/guix/
a package manager for the GNU system.

It allows you to install pre-built packages, or just download the source
and build locally with separable build environments.
  https://www.gnu.org/software/guix/manual/guix.html#Features
  "Finally, Guix takes a purely functional approach to package
  management, as described in the introduction (see Introduction). Each
  /gnu/store package directory name contains a hash of all the inputs
  that were used to build that package—compiler, libraries, build
  scripts, etc. This direct correspondence allows users to make sure a
  given package installation matches the current state of their
  distribution. It also helps maximize build reproducibility: thanks to
  the isolated build environments that are used, a given build is likely
  to yield bit-identical files when performed on different machines (see
  container).

  This foundation allows Guix to support transparent binary/source
  deployment. When a pre-built binary for a /gnu/store item is available
  from an external source—a substitute, Guix just downloads it and
  unpacks it; otherwise, it builds the package from source, locally (see
  Substitutes)."

  https://www.gnu.org/software/guix/manual/guix.html#Substitutes
  "Today, each individual’s control over their own computing is at the
  mercy of institutions, corporations, and groups with enough power and
  determination to subvert the computing infrastructure and exploit its
  weaknesses. While using hydra.gnu.org substitutes can be convenient,
  we encourage users to also build on their own, or even run their own
  build farm, such that hydra.gnu.org is less of an interesting target.

  Guix has the foundations to maximize build reproducibility (see
  Features). In most cases, independent builds of a given package or
  derivation should yield bit-identical results. Thus, through a diverse
  set of independent package builds, we can strengthen the integrity of
  our systems.

  In the future, we want Guix to have support to publish and retrieve
  binaries to/from other users, in a peer-to-peer fashion. If you would
  like to discuss this project, join us on guix-devel at gnu.org."

An interesting talk on Guix was given this August at the GNU Hackers'
Meeting:
http://audio-video.gnu.org/video/ghm2014/2014-08--courtes--were-building-the-gnu-system--ghm.webm

~flapflap
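As an added illustration (not part of the original post and not Guix's own code), the following Python models the two ideas in the manual passages quoted above: a /gnu/store name derived from a hash of all build inputs, and accepting a pre-built substitute only when it matches bit-identical independent rebuilds. The package names, versions, hashes and "binaries" in it are constructed sample data.

```python
"""Simplified model of two ideas from the Guix passages quoted above:
input-addressed /gnu/store names (a hash of ALL build inputs) and
cross-checking a pre-built substitute against independent rebuilds.
Illustration only: not Guix's real derivation hashing, store layout
or substitute protocol."""
import hashlib
import json
from collections import Counter

def store_name(pkg, version, inputs):
    """Directory name derived from a hash over every build input
    (source hash, compiler, libraries, build script). Identical
    inputs give the same name; any changed input gives a new one."""
    canonical = json.dumps({"name": pkg, "version": version,
                            "inputs": inputs}, sort_keys=True)
    digest = hashlib.sha256(canonical.encode()).hexdigest()[:32]
    return f"/gnu/store/{digest}-{pkg}-{version}"

def output_hash(build_output):
    """Content hash of a finished build output."""
    return hashlib.sha256(build_output).hexdigest()

def check_substitute(substitute_output, independent_outputs, quorum):
    """Accept a downloaded substitute only if at least `quorum`
    independent rebuilds agree bit-for-bit AND the substitute matches
    that consensus; otherwise fall back to building locally.
    Returns (accepted, reason)."""
    if not independent_outputs:
        return False, "no independent rebuilds to compare against"
    votes = Counter(output_hash(o) for o in independent_outputs)
    consensus, count = votes.most_common(1)[0]
    if count < quorum:
        return False, f"no quorum: best agreement {count}/{len(independent_outputs)}"
    if output_hash(substitute_output) != consensus:
        return False, "substitute differs from independent rebuilds; build locally"
    return True, f"substitute matches {count} independent rebuilds"

# Constructed sample data: placeholder hash, versions and fake binaries.
INPUTS = {"source-sha256": "0" * 64, "compiler": "gcc-4.9.2",
          "libc": "glibc-2.20", "build-script": "gnu-build-system"}
GOOD = b"\x7fELF constructed-binary v1"
TAMPERED = b"\x7fELF constructed-binary v1 modified"
BUILDERS = [GOOD, GOOD, GOOD]  # three independent rebuilds, all identical

if __name__ == "__main__":
    print(store_name("hello", "2.10", INPUTS))
    print(check_substitute(GOOD, BUILDERS, quorum=2))
    print(check_substitute(TAMPERED, BUILDERS, quorum=2))
```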
