Why and how distros should ensure binary packages are built


Postby teika » 2012-10-17 05:22

Hi. Most, if not all, Linux distros don't seem to guarantee that binary packages are built from the corresponding source packages. I.e., there's the possibility that "bad" developers[1] put out binary packages built from their own source, not from the published source package. Since these packages are produced by official developers, they receive the checksums from the distro, and get published as a part of the distro.

I think it's time to fix this situation. As always in open source, it has to be done by providing public, objective verifiability.

I'm a layman user and don't know if it works, but the solution I imagine is:
* Let's remember distros offer binary packages, and they're publicly available, at least for some period.
* Now the core: Distros should publish the record of the environment where binary packages are built; the log of (un)installation of packages, and maybe the platform to build on.
* The check: If independent groups prepare the same or an equivalent environment, build from a source package, and the output binary package coincides exactly with the published binary package, then it means the package's build process was "clean".

What I'm talking about is verifiability, which is absent now. It does not prove binary packages are free from backdoors. For example, if the initial binaries are tainted, it's possible to compromise the produced packages. But it's difficult to repeat it for years, if all binaries are built from published source packages.

If it's too simplistic, please correct me, and save the Linux world. Serious intellectual efforts have improved the world for centuries, and they well deserve respect.

# I asked a preliminary question at superuser.com, but people there, except one, didn't understand, and closed the question. ;-)

[1] US, Communist China, and Russia's cyber troops, at least, have enough reason and ability to set backdoors in Linux. I guess their main targets are servers, but not sure at all. I'm not sure either if they really want to intrude into distros, since working in upstreams may be far more efficient. But please don't mix these points into this thread, and discuss elsewhere. Pointers are welcome.

Anticipated questions and answers:
Q: Why is an installation log necessary?
A: Because different versions of compilers (and toolchains) can produce different code. Header file collisions or multiple versions of libraries can affect it, too. Remnants of older versions of packages may also affect it, so the list of installed packages is not enough, and the entire log is wanted. (If the latter cases happen, it's a distro bug, but they sometimes do happen.)

Q: What happens when a binary package, say gcc or dpkg, is discovered to have a backdoor? Is it still meaningful to continue the proposed process?
A: You can go back to older releases of the distro, and upgrade gradually. Or you can directly type "make" from the shell to build and replace the existing dpkg. In that case, the log of all shell activity is required. (As a final resort, you can also use other distros to build Debian.)

Q: But "bad" folks will establish a fake organization which claims to confirm binary package integrity, no?
A: Probably yes, but if you can check, it's big progress. Currently no one can verify.

(Again, please correct my FAQ if necessary.)

Best regards.
Easy Shift / Ctrl / AltGr ... hack; save your pinkies, type without drudge
teika
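The check the post describes, as an added example that is not part of the original post or of any distro's tooling: the distro publishes a record of the build environment plus the checksum of the binary package; an independent rebuilder records its own environment, rebuilds, and compares. The record format ("name version" per line) and the sample contents are assumptions; the post only asks that some record be published, and it wants the full (un)installation log, whereas this compares the final installed set. The useful nuance is that a hash mismatch is only evidence of something wrong when the environments actually matched, since different toolchain versions legitimately change output.

```python
import hashlib

# Constructed sample records (assumed "name version" format; the post only asks
# that the distro publish *some* record of the build environment).
PUBLISHED_ENV = """\
gcc 4.7.2-4
libc6-dev 2.13-35
dpkg-dev 1.16.8
"""
# Constructed stand-in for the published binary package's bytes and its checksum.
PUBLISHED_BINARY = b"constructed binary package contents"
PUBLISHED_SHA256 = hashlib.sha256(PUBLISHED_BINARY).hexdigest()


def parse_env(record: str) -> dict:
    """Parse 'name version' lines into {name: version}; blank and # lines skipped."""
    env = {}
    for line in record.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            name, version = line.split(None, 1)
            env[name] = version
    return env


def env_differences(published: dict, rebuilder: dict) -> list:
    """(name, published_version, rebuilder_version) for every package that differs."""
    return [(n, published.get(n), rebuilder.get(n))
            for n in sorted(set(published) | set(rebuilder))
            if published.get(n) != rebuilder.get(n)]


def verify_rebuild(published_env: str, published_sha256: str,
                   rebuilder_env: str, rebuilt_binary: bytes) -> tuple:
    """Classify an independent rebuild against the published package.

    'reproduced'   : byte-identical output, so the published build was clean.
    'inconclusive' : environments differ, so a hash mismatch proves nothing.
    'mismatch'     : same environment but different output; worth investigating.
    Returns (status, environment differences).
    """
    diffs = env_differences(parse_env(published_env), parse_env(rebuilder_env))
    same_hash = hashlib.sha256(rebuilt_binary).hexdigest() == published_sha256
    if same_hash:
        return "reproduced", diffs
    if diffs:
        return "inconclusive", diffs
    return "mismatch", diffs
```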