How safe are you and how much do you trust your distro?

Except for a few distros that help their users build everything they install from source (kiss and forks, LFS and forks, gentoo and forks, crux, exherbo, T2-sde, etc.), most Linux distributions offer binaries to be installed, usually backed by the source code (a packaging script) that builds the package from either their own source code or what we call upstream (other FOSS sources).  How do you know, though, that what the source repository shows and what the binary package contains are the same?  One way is to build it with the same recipe (the packaging script) and compare the sums.  Very few people do this, and only in very rare and controlled environments is the product the same, meaning the checksums are identical (Arch is reporting a 15-20% failure to reproduce their own packages).  So what most distros do is sign their packages, and by having their public signing key you know that what they built is what you got.  But are you sure they built it right, or that they took adequate measures to make sure what they pulled from upstream to build the package is what the author really published?  How can you check?

There are two general methods packagers use to make sure what they use is what the author released.  One is using git to fetch the source, which comes with various tools for making sure the author’s repository and what you cloned are the same.  The other is a tarball of the source repository, signed by the author with a GnuPG key (known as a gpg key), and you check the tarball (a compressed archive such as xxxx.tar.xz, yyyy.tar.bz2, zzz.tar.gz, etc., accompanied by a same-named .asc or .sig file containing the signature).  It is virtually impossible, as far as we know, for a “man in the middle” to switch the tarball on you “live” and also counterfeit the signature so that your altered code appears signed by the correct author as well.  But man-in-the-middle (MIM) attacks are not as rare as you think, even though it takes tremendous infrastructure to mount one and get away with it.  For people who may be targeted by such infrastructure it is not unlikely, it is expected (highly likely).  How do you know you may be targeted?  I think you know, we know, that you know, why you are targeted by you know whom.

So if the packaging script uses git to clone the code, or uses a signed tarball, and the builder is set up to proceed only if the signatures match, then you know that between the external source and the builder things seem safe.  Things are better for reproducibility’s sake if the sums of the tarballs and of any patch and configuration files are contained in the packaging script, AND the builder refuses to build a package if what it is fed as input has different checksums than what the packaging script lists.  This means that at any given moment you can copy the packaging script containing all those checksums, build the same package yourself, and the contents should be identical.  Is this so much to ask?
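As an added illustration (not code from the article or from any distro’s build system) of the two checks described above, here is a fail-closed source check a packaging recipe could run before unpacking anything: the recipe supplies the expected SHA-256 and a pinned keyring, and every failure, including a missing gpg, a missing .asc or an empty expected sum, aborts the build rather than skipping the check. The function names (verify_source and friends) are this example’s own.

```shell
#!/bin/sh
# Added example, not from the article: a fail-closed source check a packaging
# recipe can run before unpacking anything. The expected SHA-256 and the
# author's pinned keyring are part of the recipe, so anyone re-running the
# recipe checks exactly the same values. All function names are this example's.

# Print the SHA-256 of a file, using whichever tool is installed.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# check_sum FILE EXPECTED_SHA256: succeed only on an exact match. An empty
# expected sum (a recipe that only "pretends" to check) counts as a failure.
check_sum() {
    actual=$(sha256_of "$1") || return 1
    [ -n "$2" ] && [ "$actual" = "$2" ]
}

# verify_sig FILE SIGFILE KEYRING: succeed only if the detached .asc/.sig
# verifies against a key in KEYRING (give a path containing a slash, e.g.
# ./keys.gpg). No gpg, no signature file or no keyring means refuse, never skip.
verify_sig() {
    command -v gpg >/dev/null 2>&1 || { echo "gpg not available, refusing to build" >&2; return 1; }
    [ -f "$2" ] && [ -f "$3" ] || { echo "signature or keyring missing, refusing to build" >&2; return 1; }
    # gpg exits 0 only for a good signature made by a key present in KEYRING.
    gpg --batch --no-default-keyring --keyring "$3" --verify "$2" "$1" >/dev/null 2>&1
}

# verify_source FILE EXPECTED_SHA256 [SIGFILE KEYRING]: run every check the
# recipe asks for; any single failure aborts the build with a non-zero status.
verify_source() {
    check_sum "$1" "$2" || { echo "checksum mismatch for $1, refusing to build" >&2; return 1; }
    if [ $# -ge 3 ]; then
        verify_sig "$1" "$3" "$4" || return 1
    fi
    echo "verified $1"
}

# Typical call from a recipe (file names and the sum variable are placeholders):
#   verify_source foo-1.0.tar.xz "$FOO_SHA256" foo-1.0.tar.xz.asc ./keys/foo-author.gpg
```

Because the recipe carries the sum and the key, a second person running the same recipe later either gets the identical input or a refusal, which is exactly what makes the build reproducible and auditable.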

If the builders themselves sign the packages they make, and your binaries are signed, this is good.  That means your package manager will check the distro’s signatures (usually collected in a keyring if more than one developer does packaging) before it installs a package.

Now all those checks and verifications seem redundant and overkill to some.  Such people may say “I don’t think anyone is targeting me, so it is not likely this will happen to me”, but they are producing packages for “you”.  They may also say, out of their own bias and ignorance, that MIM attacks are very rare and do not happen, but are only theoretically possible.  So “THEY” decide this is unnecessary and an additional complication, and let the builder build packages without checking tarballs, without failing if published checksums don’t match, and just get by because nobody is checking on them.

Then you ask: if it wasn’t so much trouble, why did they omit making those checks, or having the builder stop unless everything matches?  WHY?  Stupidity is one side of the face of those who are guilty; guess what the other side may be!

“Knowledge is freedom”, and lack of knowledge is lack of freedom, and such irresponsible people build on their own ignorance and irresponsibility and publish dangerous software for less suspecting “victims”.  It will be hard to tell whose victims they will be: whether they were really “acting” ignorant and irresponsible because they are, or whether they are playing this role to create more victims themselves, or to provide dominant powers with more victims.  Meaning they are irresponsible people on the payroll.

I say, check on your distro; see in detail the process of building; test here and there to see if things “add up”: are the published checksums really used, is the upstream source signed and are those signing keys used in the packaging script, and then are the packages signed and does your package manager screen those that fail, deleting them and asking for a new copy?  Free yourself, rely on nobody.

I have recently found, to my tremendous disappointment, that certain distros have allowed certain packagers to risk the safety of users by pretending to use checksums when the builder doesn’t fail on non-matching ones, failing to check the gpg keys of upstream tarballs, and generally getting away with tremendous risk to themselves, to their users, and to the reputation of Linux in general.  Such careless and irresponsible projects should be blacklisted and avoided for being an offense to the common sense of decency.


Maybe if things were more organized in the Linux community, things would be more transparent.  Build logs would be visible, sums and gpg keys would be used everywhere, and those that fail to adopt all the common and known measures would be blacklisted.  There would be an organization “of users” controlling the vendors, and not the vendors themselves controlling who stays afloat and who doesn’t.  It appears that, among themselves, offenders have a code of silence against whistle-blowing.  “We just worry about what we do, we don’t speak of other distros here.”  So you are banned once by the offender, and banned twice by the peers refusing to let you talk about the other distro.   Business is good for all businessmen!

You, a devil’s advocate, will say: if someone publishes code and signs it, and you compile it, install it, and use it, how do you know to trust them?  One way is that you and thousands of others can audit and review their published code; the other is reputation.  The longer an author of FOSS has been known and published and their code used, the more trustworthy they become.  With large corporations such as freedesktop, google, IBM, facebook publishing enormous amounts of code at an alarming frequency, it is virtually impossible to review their code as fast as they pump it out.  By the time you find and report a glitch (a security glitch) they may have revised the code three more times.  It would take an organization 4 times as large as the Brave-Browser corporation to review the code of each edition/release of the browser between release n and release n+1!!  Runit’s code hasn’t been touched for nearly a decade, and hundreds, if not thousands, have read every line of it, maybe twice!

It takes YEARS to build trust in code writing, it takes ONE DAY to lose it for a LONG TIME!

Moral of the story:

If you, and the people around you (depending on you and your expertise), have reasons to believe you may be targeted for whatever reason by known, famous, organized attacking organizations, DO NOT USE software and distributions that take such security measures lightly and deem them extreme.  Their ignorance is a risk to your livelihood and your data’s security.  Need I spell it out?  Either get more serious with the FOSS you use, or stop playing around with “childish” projects whose security is taken as a joke.

“Knowledge is freedom”, but what would freedom be like without equality?  And when we are surrounded by deranged dictators seeking every opportunity to enforce their ego-trips on anyone they can take advantage of, we will have neither freedom nor equality.  You throw one stone and you hit three such people in the Linux community.  It is unimaginable how many toxic dictators are congregated around “Free” software, and how common it is for whistle-blowers to vanish because of such dictators.

Not here people, speak UP!   We are listening and we will not provide a safe house for such fascists!

Just think, as we mentioned last year about irc: you install binaries from a specific source, your package manager hits their servers during every update, you provide your whereabouts by participating in forums, chatrooms, and lists, and your data is clearly in the hands of such schizophrenic psychopaths to take advantage of you.

NONE of those we offended with the “irc” “freenode” article came out to say we were wrong and ask us to take back the offensive accusation!   They went on with business as usual.  And they will continue to go on and on and on, as long as there are victims!


6 thoughts on “How safe are you and how much do you trust your distro?”

  1. MITM is very common in a corporate environment – most organisations are running SSL proxy services ‘without deep inspection’ of course they tell you…. so using https for everything is now no longer safe. I am very cautious now when using the work’s laptop for downloading stuff and definitely don’t use it for anything personal – especially so if there’s to be a password involved…..

    You can’t really trust anybody, even if we know there’s a MITM – how do we know that upstream there isn’t a MITM after the MITM…


    • AFAIU to launch a MIM attack on someone’s system you have to either imitate the internet, or manage to proxy all internet connections from that system through your server and pick and choose packets, including DNS calls, so the tarball the server is requesting is redirected to a faked server, a fake valid key is provided and the tarball is substituted. This is why I said it takes a multilayered infrastructure to have this done. Now for a corporation (or their paid spies) to do this to another, or a state agency to do it on an adversary, it is possible between the matched pair. Also political organizations can stage something like this against their adversaries. In a few circumstances you may have an X-cross between such entities. The victim should usually have some interest to any of those that makes them a target. It would be very rare for an individual to attack an individual by doing this. There is just no usual interest even if the ability was there.

      Yes, trust is very thinly spread, and trust is one of those things that take a long time to construct and only minutes to destroy. This alone sometimes is plenty of damage, to cast doubt on trust relations. One of the aspects in which Open Free code is much superior to anything else is that it is published, it is widely used, and it is unlikely something will stay cloaked for too long. Beyond my paranoia there are many who are worse, who will have systems after systems running, doing specific routine operations, and having their network input/output measured gram by gram to see if there is something out of the ordinary. People do this with memory as well, since it is a field of attack. You have 1000, you need to use 200, you should have 800 left, and when it is over you should have 1000 again. When it shows 777 left, and then at the end you get 967 free, what is left unexplained? You start your system in the morning, you have 134MB of RAM in use, you work all day, you shut all programs down, clean cache, tmp, … and go back to the initial boot-up state, only now 156MB are used. You can explain 9.2MB of it, but there is 1.8MB unexplained. Something is leaking! Something may be running that you cannot readily see. OOooohhhh!!! 🙂

      The question remains whether there are reasons you would be a target for an attack or not. If not, sleep easy, who cares if someone is spying. If you have devoted your life to being an enemy of a corporation, a government, all government, or a particular political organization, chances are they have noticed you and they will engage in your war. Chances are if you are weak you will lose. Large scale inequality creates the conditions of a large scale war, and war is not for children, unlike what Pat Benatar said. In the war there is no neutrality: if you are not on the one side you are definitely on the other. Some flower children irresponsibly think they are neutral and don’t care, spreading a certain degree of carelessness and “don’t worry”-ism to people who really need some degree of safety.

      Whose side are you on boys, whose side are you ON? Harlan County Kentucky, remembered!


  2. I have recently found, in tremendous disappointment, that certain distros have allowed certain packagers, to risk the safety of users

    Please share what distros you’re talking about.


    • If I did say this specific X and Y are acting irresponsibly, doing this and that, it would be unfair, as there are probably many more doing it that I can’t entirely go through and inspect. Those that I know have gotten the message, through this article, and hopefully they will shape up. The one I am mostly concerned about only started partially doing this recently.

      To add to the confusion, say a distro doesn’t do what I say they do, and internally when they build a package they do check sums and validate signatures, but don’t publish the sums and keys they use to check. Who says they don’t fall victim to MIM attacks themselves? By not publishing what they went by, someone else will build with their recipe and not realize there was a difference. So it is not only essential to use such authentication checks but to also publish them, and depending on packaging have this info stored inside the pkg. Use an archiver or just console tools and dissect a package from the distro you use; see what they have stored in the root of the package. In void, for example, what is called .xbps is a tar compressed with zstd, and in the root directory of the tar they list such info. All their packages are also signed by the distro’s gpg key.

      So, void is not one of those offenders.


    “With large corporations such as freedesktop, google, IBM, facebook, publishing enormous amounts of code in alarming frequency, it is virtually impossible to review their code as fast as they pump it out. By the time you find and report a glitch (security glitch) they may have revised the code three more times. It would take an organization 4 times as large as Brave-Browser corporation, to review the code of each edition/release of the browser, between release n and release n+1!! Runit’s code hasn’t been touched for nearly a decade, and hundreds, if not thousands, have read every line of it, maybe twice!”

    I agree. But… but… but…

    Isn’t it sort of a popular trope among open source enthusiasts that we should always “release early and release often”? I’ve often wondered how these 2 ideas coincide.


    • 🙂 I don’t know. There is a fashionable rush all the time, eagerness for the next release, more and more bugfixes and redesign; then there is this security rush to have everything triple-tested by millions of lab rats (users) before something is adopted into “stable”. This is how we archers serve the common good, as useful dummies. This is how debian can call something stable. Something about being smart for running 1-2-3 year old software when 3-4 releases later thousands of people see no problem with all that bug-fixing and patching.

      Then there is this tendency by some bleeding/cutting edge distros to brand software abandoned, obsolete, outdated, because it didn’t receive a release for a while. The man that wrote runit said that all initial goals have been met, no bug has been reported, and he is putting it to rest. Dare anyone call this abandoned. If you want more features out of runit, look into s6.


