Reproducible-build compliance

Post by eriksank »

When looking at the file /etc/apt/sources.list.d/official-package-repositories.list, we can see the following repositories:

deb http://packages.linuxmint.com debbie main upstream import backport #id:linuxmint_main

deb https://deb.debian.org/debian buster main contrib non-free
deb https://deb.debian.org/debian buster-updates main contrib non-free
deb http://security.debian.org buster/updates main contrib non-free

For the last three lines, we can simply look at Debian for reproducible-build compliance.

Concerning the first line:

deb http://packages.linuxmint.com debbie main upstream import backport #id:linuxmint_main

Are packages in http://packages.linuxmint.com reproducible-build compliant?
Does LMDE4 overall preserve its status as a Debian-style reproducible-build compliant OS?
Moonstone Man
Level 16
Posts: 6054
Joined: Mon Aug 27, 2012 10:17 pm

Re: Reproducible-build compliance

Post by Moonstone Man »

eriksank wrote: Fri Feb 19, 2021 12:15 am
Are packages in http://packages.linuxmint.com reproducible-build compliant?
Does LMDE4 overall preserve its status as a Debian-style reproducible-build compliant OS?
Everyone here is a user just like you. I use LMDE4 and a LM 20 Ubuntu derivative, but as a user just helping other users, like most people here, I wouldn't know one end of a "reproducible-build compliant OS" from another, if I knew what one was in the first place, and even then I might not care what one is. The point is, there are no developers here, nor are any of us rabid fanboys of one thing or another, so maybe you should ask on github, or investigate it yourself.

That doesn't mean you won't get an answer, but if you do, buy a lottery ticket :)
eriksank

Re: Reproducible-build compliance

Post by eriksank »

The reproducible-build software engineering standard facilitates auditing for malware:

reproducible-builds.org

Why does it matter?

Whilst anyone may inspect the source code of free and open source software for malicious flaws, most software is distributed pre-compiled with no method to confirm whether they correspond.

This incentivises attacks on developers who release software, not only via traditional exploitation, but also in the forms of political influence, blackmail or even threats of violence.

This is particularly a concern for developers collaborating on privacy or security software: attacking these typically results in compromising particularly politically-sensitive targets such as dissidents, journalists and whistleblowers, as well as anyone wishing to communicate securely under a repressive regime.

Debian, Tails, Alpine, and Arch are fully compliant already.

LMDE4 should be reproducible-build compliant, unless Linux Mint added something in the Mint repository that isn't.
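As an added example (not code from this thread, from Linux Mint or from Debian), here is the check that the quoted text is about in miniature: build the same source tree twice, hash the outputs, and see whether an independent rebuild matches the published artifact. The in-memory "source tree", the file names and the builder names are constructed for the demo; the SOURCE_DATE_EPOCH environment variable is the real convention that reproducible-builds.org specifies for pinning build timestamps.

```python
"""
Added example, not from the forum thread or any distribution's tooling.
Shows why reproducibility lets a third party confirm that a shipped binary
corresponds to its source: two honest builds of identical source must be
byte-for-byte identical, so a rebuild can be compared against the published
artifact by hash.
"""
import gzip
import hashlib
import io
import os
import tarfile
import time

# Constructed sample source tree: path -> file contents (not a real package).
SOURCE_TREE = {
    "hello/main.c": b"int main(void) { return 0; }\n",
    "hello/README": b"demo package\n",
}


def naive_build(source, build_time=None, builder=None):
    """Typical non-reproducible packaging: the archive records the wall-clock
    time and the builder's user name, and the gzip header gets a timestamp
    too, so two honest builds of identical source differ."""
    build_time = time.time() if build_time is None else build_time
    builder = os.environ.get("USER", "builder") if builder is None else builder
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for path, data in source.items():
            info = tarfile.TarInfo(path)
            info.size = len(data)
            info.mtime = build_time
            info.uname = builder
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def reproducible_build(source, source_date_epoch):
    """Reproducible packaging: every source of variation is pinned. Timestamps
    come from SOURCE_DATE_EPOCH, entries are written in sorted order,
    ownership is normalised, and the gzip header mtime is fixed as well."""
    raw = io.BytesIO()
    with tarfile.open(fileobj=raw, mode="w", format=tarfile.GNU_FORMAT) as tar:
        for path in sorted(source):
            data = source[path]
            info = tarfile.TarInfo(path)
            info.size = len(data)
            info.mtime = int(source_date_epoch)
            info.uid = info.gid = 0
            info.uname = info.gname = ""
            tar.addfile(info, io.BytesIO(data))
    out = io.BytesIO()
    with gzip.GzipFile(fileobj=out, mode="wb", mtime=int(source_date_epoch)) as gz:
        gz.write(raw.getvalue())
    return out.getvalue()


def sha256(blob):
    return hashlib.sha256(blob).hexdigest()


def verify_rebuild(published, rebuilt):
    """The auditor's check: an independent rebuild must hash identically to
    the published artifact. A mismatch means either the build is not
    reproducible or the binary was not built from the source it claims."""
    return sha256(published) == sha256(rebuilt)


if __name__ == "__main__":
    epoch = int(os.environ.get("SOURCE_DATE_EPOCH", "1600000000"))
    # Simulate two builders on different machines at different times.
    a = naive_build(SOURCE_TREE, build_time=epoch, builder="alice")
    b = naive_build(SOURCE_TREE, build_time=epoch + 60, builder="bob")
    print("naive build reproducible:  ", verify_rebuild(a, b))
    a = reproducible_build(SOURCE_TREE, epoch)
    b = reproducible_build(SOURCE_TREE, epoch)
    print("pinned build reproducible: ", verify_rebuild(a, b))
    # A binary that was not built from the claimed source is caught.
    tampered = dict(SOURCE_TREE, **{"hello/main.c": b"int main(void) { return 1; }\n"})
    print("tampered rebuild matches:  ", verify_rebuild(a, reproducible_build(tampered, epoch)))
```

Run it with `SOURCE_DATE_EPOCH=1600000000 python3 repro_demo.py`: the naive archive differs between the two builders, the pinned one matches, and a rebuild from altered source fails the comparison. Real distributions apply the same idea across the whole toolchain (compilers, archivers, documentation generators), which is what the tracker for a Debian-based repository is actually measuring.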