[tor-talk] Qubes? debian? binary? reproducible?
flapflap at riseup.net
Sun Dec 7 12:45:52 UTC 2014
carlo von lynX wrote:
>>> My current state of information is such that any source-code
>>> based distribution is less likely to be affected by backdoors
>>> until debian and all derivates indeed ship reproducible binaries.
>>> If Whonix can be rebuilt from source, so can Qubes OS?
>> how do you securely distribute sources to be built? a source based
>> distribution has different trade-offs, rather than being immune to
> Gentoo has provided cryptographic hashes for all tars and zips it uses
> for over ten years now. It's really no black magic. Gentoo has other
> issues and I don't understand why there is so little interest in
> OSes built from source. If techies were admitting what a crazy risk
> it is to trust binary distributions, maybe source-code based ones
> would be much more advanced usability-wise by now.
> But I acknowledge the work being done for reproducible debian and
> I wish I also had time to participate in that.
You might also be interested in GNU Guix,
a package manager for the GNU system.
It allows you to install pre-built packages, or just download the source
and build locally with separable build environments.
"Finally, Guix takes a purely functional approach to package
management, as described in the introduction (see Introduction). Each
/gnu/store package directory name contains a hash of all the inputs
that were used to build that package—compiler, libraries, build
scripts, etc. This direct correspondence allows users to make sure a
given package installation matches the current state of their
distribution. It also helps maximize build reproducibility: thanks to
the isolated build environments that are used, a given build is likely
to yield bit-identical files when performed on different machines (see
This foundation allows Guix to support transparent binary/source
deployment. When a pre-built binary for a /gnu/store item is available
from an external source—a substitute, Guix just downloads it and
unpacks it; otherwise, it builds the package from source, locally (see
"Today, each individual’s control over their own computing is at the
mercy of institutions, corporations, and groups with enough power and
determination to subvert the computing infrastructure and exploit its
weaknesses. While using hydra.gnu.org substitutes can be convenient,
we encourage users to also build on their own, or even run their own
build farm, such that hydra.gnu.org is less of an interesting target.
Guix has the foundations to maximize build reproducibility (see
Features). In most cases, independent builds of a given package or
derivation should yield bit-identical results. Thus, through a diverse
set of independent package builds, we can strengthen the integrity of
In the future, we want Guix to have support to publish and retrieve
binaries to/from other users, in a peer-to-peer fashion. If you would
like to discuss this project, join us on guix-devel at gnu.org."
An interesting talk on Guix was given this August at GNU Hacker's
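As an added illustration (not code from Guix or from the poster), here is a small Python model of two ideas in the quoted manual text: a store directory name derived from a hash of every build input, and accepting a pre-built substitute only when its content hash agrees with a quorum of independent builds. The hash encoding, store-path layout and input names below are simplified stand-ins, not Guix's actual scheme.

```python
import hashlib
import json
from collections import Counter

# Constructed inputs for a hypothetical package; the paths and digests
# are placeholders, not real /gnu/store items.
HELLO_INPUTS = {
    "source": "sha256:" + hashlib.sha256(b"hello-2.9.tar.gz (constructed)").hexdigest(),
    "compiler": "/gnu/store/aaaa-gcc-4.9",
    "libc": "/gnu/store/bbbb-glibc-2.20",
    "builder": "gnu-build-system",
}


def derivation_hash(inputs):
    """Hash all build inputs (source, compiler, libraries, build script)
    in canonical order so the result depends on every one of them."""
    canonical = json.dumps(inputs, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode()).hexdigest()[:32]


def store_path(name, inputs):
    # Modelled on /gnu/store/<hash>-<name>; Guix's real encoding differs.
    return "/gnu/store/%s-%s" % (derivation_hash(inputs), name)


def content_hash(data):
    """Hash of a build output; independent builders report this value."""
    return hashlib.sha256(data).hexdigest()


def check_substitute(output_bytes, independent_hashes, quorum):
    """Accept a downloaded substitute only if its content hash matches
    what at least `quorum` independent builders reported for the same
    derivation. A single compromised build farm then cannot pass off a
    modified binary on its own."""
    got = content_hash(output_bytes)
    return Counter(independent_hashes)[got] >= quorum


if __name__ == "__main__":
    print(store_path("hello-2.9", HELLO_INPUTS))
    # Swapping the compiler changes the store path, so the two builds
    # can never be confused with each other.
    other = dict(HELLO_INPUTS, compiler="/gnu/store/cccc-gcc-4.8")
    print(store_path("hello-2.9", other))
    reports = [content_hash(b"constructed bit-identical output")] * 2
    print(check_substitute(b"constructed bit-identical output", reports, 2))
    print(check_substitute(b"constructed modified output", reports, 1))
```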