Lead Image © jaroonrat vitoosuwan , 123RF.com
Verifying packages with Debian's ReproducibleBuilds
Identical Build
Open source software offers a big security benefit: Unlike proprietary software, anyone can view the source code, so in theory you know what you are installing. However, the overwhelming majority of users install prebuilt software packages provided by their Linux distributors. These users rely on system developers and package maintainers to ensure that the binary packages do not contain malicious code that deviates from the official source code.
The Debian ReproducibleBuilds project helps you verify that the package matches the source code and that no flaws have been introduced (Figure 1) [1].
Figure 1: If the build system is compromised, the binary package produced by it in the ReproducibleBuilds system has a different hash value (red entry).
Attack Scenarios
As a popular Linux distribution, Debian distributes its own software to a large number of users worldwide. The customers are not only private users, but also organizations, research institutions, and companies. This complex and decentralized software distribution system creates opportunities for attackers to foist malicious code onto
...
Buy this article as PDF
(incl. VAT)
Buy ADMIN Magazine
US / Canada
UK / Australia
Related content
-
Debian's quest for reproducible builds
Debian's reproducible builds project tries to meet strict security requirements for binary packages from its archives through the creation of bitwise identical binary packages. -
HPC Container Maker
Building HPC applications for production systems is never easy, especially when containers are involved, but with Python and HPC Container Maker, you can describe the container you want quickly and easily without having to worry about the details.
-
Opportunities and risks: Containers for DevOps
Containers are an essential ingredient for various DevOps concepts, but used incorrectly, they do more harm than good. - Rocky Linux 9 Now Available
-
Digital signatures in package management
Serious distributions try to protect their repositories cryptographically against tampering and transmission errors. Arch Linux, Debian, Fedora, openSUSE, and Ubuntu all take different, complex, but conceptually similar approaches.
Subscribe to our ADMIN Newsletters
Subscribe to our Linux Newsletters
Find Linux and Open Source Jobs
Most Popular
Support Our Work
ADMIN content is made possible with support from readers like you. Please consider contributing when you've found an article to be beneficial.
