How much do you trust your Linux distro devs?
I don't think there are any reproducible linux distros. Every one I have looked into requires you to download and install from an image file. That means you must trust the developer who signed that image because they could add all kinds of malicious code to it.
We always suspected that winows, mac, android, ios are spyware for the intel agencies and now it has been proven that ios has a backdoor most likely put there by NSA.
Why don't we suspect the devs of linux distros to do the same thing?
What do we really know about the people signing the image files? do you even know their names? It's also a bit crazy how so many people trust SELinux when its made by NSA.
Is this the reason why most people don't bother trying to potect their data from the intel agencies? No one wants them doing their unconstitutional and illegal snooping in our data, them finding out that we like to listen to the rick roll music video but maybe it's simply impossible to prevent that, 100% impossible no matter how hard you try.
LSMs won't help us when the distro itself is corrupted.
Or do you actually trust that your distro image file that you installed from and any updates later aren't compromised? Tell me which distro you're using and what you know about the devs who sign the image file and updates and why you trust them? Keep in mind they can be forced to compromising the distro and forced to keep silent.
10 comments
[ 4.9 ms ] story [ 34.7 ms ] threadWrt reproducibility: NixOS minimal ISO is now 99+%, GNOME ISO at ~95% (measured heuristically as described there): https://reproducible.nixos.org
Didn't realize they have gotten this far already!
The actual problem lies in the code that is packaged... A dev sneaking in malware in the CI/CD pipeline would paint a huge target on their back because it's easy to detect and normally few well-known members get to control this. Including malicious code in an obscure dependency however...
Secondly, on the page https://nix.dev/contributing/how-to-contribute they say "Currently the focus is on funding in-person events to share knowledge and grow the community of developers proficient with Nix. With enough budget, it would be possible to pay for ongoing maintenance and development of critical infrastructure and code – demanding work that we cannot expect to be done by volunteers indefinitely." So that means they want a centralized team.
Third there's an active topic there which shows clearly that the team behind nixos is centralized and corrupt and politically driven: https://discourse.nixos.org/t/why-was-jon-ringer-banned-from...
This whole project smells like a honey pot. Centralized = bad.
I've looked into running my own hydra instance recently. It's possible but I don't have the machine that I could host it on for my purposes right now (I would want to mirror the fixed output derivations and be able to compile most things in ramfs).
Otherwise I think whatever the solution is, it must be a decentralized and censorship resistant solution, which means there must also be anonymity for the devs otherwise they can be forced to do bad things or even put in prison for working on a freedom software.
I think we can probably learn a lot from Monero's developers. I think the best solution is probably a fair launch DAO where everyone can vote on who should be allowed to be a developer, who will do the signing, which features we want, etc.
I think others can give better and more detailed answers than me. I will look into what hydra is that you mentioned.
Having lurked for some years in the NixOS community I think it's too early to insinuate wrongdoing. It's no guarantee, but I believe all core contributors are giving their best. If malware gets distributed it's from upstream-compromised software.
The technological basis for verifiable IT is not well developed for now, but my guess would be they'd embrace it immediately (many core contributors come from the functional programming community). As things are, they are looking for resources to make core development sustainable. There's a million things to do (just look at the nixpkgs bug tracker). Cachix and hydra and the labor are expensive...
And dunno about the political angle. That sort of shit is part of life for decades in the distro space (and in most organisations of any kind) and we'll manage.