3. How is software packaged and distributed securely on Linux?

How is software packaged and distributed securely on Linux?

tl;dr: Summarizing why it's necessary for a signature/checksum chain of custody to have reproducible builds, and saying that the web of trust can be big and complicated.

Hi /u/TwistedTomZ , op here. What you say is true, but maybe a bit of an oversimplification.

It's true that a combination of gpg signatures and checksums are used to create a chain of custody, if you will. But thing get a little more complicated when you try to actually download the source code in the same order, and reproduce all the changes made.

This is because, even with the same source code, each CPU will compile a binary with a different checksum. This could lead you to believe that an attacker changed the binary at the end of the chain of custody (when the source code is compiled).

The reason for this is that CPU's are set up to optimize code when compiling it so it runs best on your particular chips instruction set, and other platform specific features (microarchitecture).

The concept of reproducible builds, it seems, is to compile all software to binaries in a tightly controlled environment so you can get the same checksum regardless of your processor.

Trust relationships tend to make the 'chain of custody even more complicated', since, when you have a lot of package maintainers they're able to countersign (endorse) each other and subordinates, expanding the web of trust.

I'm not sure how far the network of trust goes, or how it works, which is part of the reason I asked the question. Also, I just yesterday became familiar with the concept of reproducible builds, so take what I say with a grain of salt. I think it's fair to say it's amazing that we aren't all swimming in malware right now, though.

/r/linuxquestions Thread Parent
Previous
Next

Recently removed from /r/linuxquestions

NVIDIA K2100M - X.org gives me better performance then NVIDIA drivers but it glitches Using rootfs of Ubuntu/Debian with arbitrary kernels (on same arch) PC stuck in dark mode How to set the right screen resolution without xrandr How to transition from Windows to Linux painlessly? Best Debian based Distro fro Old Laptops Thinking of going from Windows > Arch. Questions about VMs, AUR/other repos and VFIO. What are the top 5 linux NO NOs you have learned over the years of using linux? How would your workflow break by switching to macOS? Is there a foundation for Linux power users? Run command once a day, but only when internet connection is available. Why is Ubuntu a pain in my case? For software that is not supported in linux, is it better to run it on a vm with MacOS or with windows 10/11? Hello! I need help with manjaro! boot,audio problems!new user :< Is vim worth it?

More Random Comments

Common Sense Skeptic's Malicious Misinformation [Schefter] Tom Brady is retiring from football after 22 extraordinary seasons, multiple sources tell @JeffDarlington and me. More coming on ESPN.com. Anyone else’s Nparents have NO friends or hobbies? Rich kids of Columbia, what do your parents do for living and what is the net worth? How many more Charlie Todds must there be before our prisons are reformed? - The suicide of a young inmate points up how indifferent we are now to conditions in jail It is time employers start treating single workers with the same respect that married workers with family's get. I like trucks How often are mistakes made? Have you ever physically felt something in a dream? If so, what? Worst experience ever Hopefully it will be worth the wait Ukraine urges west to be ‘vigilant and firm’ in Russia talks i cant wait to live alone When lightners enter a Dark World they become their ideal self, and vice versa for darkners The sub is overrun by psyops these days