I've been using Linux for many years, mostly because it promises to be safe as open source. However, I still don't understand who is responsible for building the repository binaries and the hash sums that come with them:

If it's the first option, then my PC is a larger hole on the planet Earth.

Posted in: s/Linux
👻 ps

Mar 21 · 9 months ago

4 Comments ↓

👻 ps [OP] · 2025-03-21 at 18:53:

I'm using Debian and Fedora, and it seems that I'm now ready for Gentoo if I'm asking myself about that.

I can't believe the whole world trusts binaries signed by some unknown maintainer who just has an account in the Debian or Fedora repository. I'm not sure that everything is that bad; I hope I just misunderstand the security model of the repositories.

Once, I created a deb package, and there really are binaries inside that I could compile with a backdoor. I'm not sure if I could actually upload it to the official repository once I reached the required trust level.

🐑 zeerooth · 2025-03-21 at 21:39:

Many distros nowadays use CI on some servers for package builds. Taking Void as an example, a maintainer of a package writes a template transparently stating how the package is going to be built, then submits a merge request to a central package repo and gets it approved/rejected. If the change gets approved, the build runs in CI, with logs of the jobs accessible publicly. All of that helps to ensure, at the very least, that no one but core team members has access to the process of turning source files into binary packages.

🚀 clseibold [🛂] · 2025-03-22 at 00:37:

@ps Eh, that's not really how it works, afaik. They aren't random people who upload things.

There are two different things here: the ISO to install the distro, and the packages in the package managers. The ISOs are built by the distro teams themselves, and they pick and choose which packages are in by default.

Everything added to a distro's official repos is usually looked at by the package maintainers. Some are more involved than others.

For example, Debian and some other distros will usually require only open source software. Some distros require that something be a reproducible build from the source code itself. Flathub has very detailed rules for your flatpaks, and a developer's flatpak is looked at to make sure they follow these rules, but they don't technically care about whether your application is open source or not, because they allow closed-source software (but they will tell users on the Flathub website whether something is closed-source or not).

Also, yeah, CIs are used to automatically build stuff, and to make sure builds aren't failing. Package maintainers also have to make sure that there are no bad interactions between packages, and that for a package that depends on another package, the package being depended on (and its version) is in the repos.

As for the Linux kernel itself, Linus Torvalds manages the main branch of the kernel, and then there are forks. Linus, however, only merges forks from people he trusts. So you get a hierarchy where a person Linus trusts can merge code from another developer, and then Linus merges from that person that he trusts. And then everyone stays up to date by pulling from Linus' branch of the kernel.

(I guess now the Linux Foundation or whoever manages a branch that's specifically for Stable Linux, but yeah).

🐙 norayr · 2025-03-22 at 00:56:

ps, I am glad you are considering Gentoo, but in terms of security one still needs to be cautious: there are some packages (well, recipes) marked with version 9999, which means they will download git versions of software.

I myself prepared an ebuild for lagrange with version number 9999, which gets the git version.

A git version from master or main is dangerous.

A git version described by hash is probably better.

Now, in general, to the OP I will say: a package enters the distro, not only Gentoo, usually as a recipe on how to build it: where to get it, what the hashes of the downloaded files are, how to unpack, build, install, and prepare the package.

Then many people look at those, depending on the distribution.

And not only those involved in the creation of the distro; anyone in the world can study the code which those package recipes build.

And lots of security researchers, and black hat hackers too, do.

Our main hope is that the problem will be found by good people, who will report it.

In general, using package repos, especially if you're on Debian stable, is very safe. The package travels a long distance to reach stable and is very likely fine.

In Arch the road to the rolling release is not so long, and the xz backdoor reached it.

And in general, installing from programming language package repos is not safe; we saw what happened several times, so sticking with the OS default package repos is much safer.


I think security is just one of the side effects of free software. But the main point is freedom.

Alas, it is much harder to comprehend than security or privacy. And many justify usage of iPhones by 'security', however bizarre it sounds. (:

I also maintain lagrange and many other packages for the official repos of one Linux distro. The community is small, I was active, they have known me for years, in general they trust me, sometimes they ignore me.

So I provide the recipe and the source, and CI builds.

Usually all package building pipelines forbid downloading code from the internet at build time.

You must upload the source, and it will be passed to the builder along with your patches, if any.
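The recipe-with-hashes model norayr describes is also the shape of what apt enforces on the OP's Debian at install time, and it answers the question of who produces the hash sums: the archive signing key signs a single Release file, that file lists the hash of each Packages index, and each index lists the hash of each .deb, so neither a mirror operator nor anyone else can swap a binary without the signed top of the chain disagreeing. Below is an added example of that chain check, written for this thread; it is not code from any participant nor from apt or dpkg. The repository contents, file names and "package" bytes are constructed for the demo, and the one step not shown is the signature check over the Release file itself (apt runs gpgv against the distro's archive keyring), which is assumed to have already passed.

```python
"""Verify the apt-style hash chain Release -> Packages index -> .deb, offline.

Added example with constructed data (not a real archive). The gpgv signature
check over Release is assumed to have succeeded before verify_chain() runs.
"""
import hashlib
import hmac

INDEX_PATH = "main/binary-amd64/Packages"                 # made-up path
DEB_PATH = "pool/main/d/demo/demo_1.0-1_amd64.deb"        # made-up path

# Constructed stand-ins for a .deb (real ones are ar archives; content is irrelevant here).
GENUINE_DEB = b"!<arch>\n" + b"demo package bytes\n" * 8
TAMPERED_DEB = GENUINE_DEB + b"#backdoor\n"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def same_digest(a: str, b: str) -> bool:
    # constant-time compare; harmless habit even for public hashes
    return hmac.compare_digest(a.encode(), b.encode())


def make_packages_index(deb: bytes) -> str:
    """One stanza of a Packages index: the archive records Size and SHA256 of the .deb."""
    return (
        "Package: demo\n"
        "Version: 1.0-1\n"
        "Architecture: amd64\n"
        f"Filename: {DEB_PATH}\n"
        f"Size: {len(deb)}\n"
        f"SHA256: {sha256_hex(deb)}\n"
        "\n"
    )


def make_release(packages_index: str) -> str:
    """The part of Release that binds the index; in a real archive this file is what gets signed."""
    data = packages_index.encode()
    return (
        "Origin: Demo\n"
        "Suite: stable\n"
        "SHA256:\n"
        f" {sha256_hex(data)} {len(data)} {INDEX_PATH}\n"
    )


def parse_release_sha256(release: str) -> dict:
    """Collect ' <hash> <size> <path>' lines listed under the SHA256: header."""
    entries, in_section = {}, False
    for line in release.splitlines():
        if line.startswith("SHA256:"):
            in_section = True
        elif in_section and line.startswith(" "):
            digest, size, path = line.split()
            entries[path] = (digest, int(size))
        else:
            in_section = False
    return entries


def parse_packages(packages_index: str) -> dict:
    """Map Filename -> fields for every stanza in a Packages index."""
    result = {}
    for stanza in packages_index.strip().split("\n\n"):
        fields = {}
        for line in stanza.splitlines():
            key, _, value = line.partition(": ")
            fields[key] = value
        result[fields["Filename"]] = fields
    return result


def verify_chain(release: str, packages_index: str, deb: bytes) -> tuple:
    """Return (ok, reason): Release must vouch for the index, the index for the .deb."""
    listed = parse_release_sha256(release)
    if INDEX_PATH not in listed:
        return False, "index not listed in Release"
    digest, size = listed[INDEX_PATH]
    index_bytes = packages_index.encode()
    if len(index_bytes) != size or not same_digest(sha256_hex(index_bytes), digest):
        return False, "Packages index does not match Release"
    stanza = parse_packages(packages_index).get(DEB_PATH)
    if stanza is None:
        return False, "package not listed in index"
    if int(stanza["Size"]) != len(deb) or not same_digest(sha256_hex(deb), stanza["SHA256"]):
        return False, ".deb does not match Packages index"
    return True, "ok"


def run_checks() -> dict:
    """Genuine chain passes; a swapped .deb fails, and so does rewriting its index entry."""
    index = make_packages_index(GENUINE_DEB)
    release = make_release(index)                       # the signed anchor
    forged_index = make_packages_index(TAMPERED_DEB)    # attacker also rewrites the index
    return {
        "genuine": verify_chain(release, index, GENUINE_DEB),
        "swapped_deb": verify_chain(release, index, TAMPERED_DEB),
        "swapped_deb_and_index": verify_chain(release, forged_index, TAMPERED_DEB),
    }


if __name__ == "__main__":
    for name, (ok, reason) in run_checks().items():
        print(f"{name:22s} {'PASS' if ok else 'FAIL'}: {reason}")
```

The third case is the instructive one: an attacker who controls a mirror can rewrite both the .deb and the Packages index, but the Release file is signed by the archive key the attacker does not hold, so the index no longer matches it and the chain breaks at the top. That is why, at install time, the only key that matters is the distro's archive key, not the individual maintainer's.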