I think, when you are on this road, that you should start building your chain of trust a UEFI/BIOS - either from some company which has a lot to loose by compromising customers (probably not Huawei) or just get a laptop from Purism.
Tomas On Tue, 2019-10-08 at 14:10 -0700, Mike C. wrote: > > > > There are many, many turtles involved. > > > > Funny you should say that, I had a similar thought, "It's turtles all the > way down", when thinking about some other current events. > > > > The source-to-binary mapping involves a toolchain to build it. > > The toolchains (compilers and linkers and such) are subject to change too. > > > > > > There are certainly mechanisms to check whether one set of binary blobs > > are identical to another set of binary blobs. Those mechanisms work and are > > robust. But the same source might generate slightly different binaries. > > > > > The checking mechanisms aren't smart enough to tell you anything other > > than "THESE THINGS ARE DIFFERENT". > > > > > > So lest I wander off into tin foil hat land, it seems reasonable for one to > trust in not having a kernel that has been intentionally compromised for > nefarious purposes. > > The distro that raised this question is Deepin. It's developed by an org. > in China. They joined the Linux Foundation in 2015, for whatever that's > worth. > > Now Hauwei is shipping Linux laptops with Deepin pre-installed. > > It seems most folks should be more concerned with user space and apps in > terms of personal data privacy and security. > > That said, have you heard of "reproducible builds"? > > > > Not until you mentioned it. Precisely answers my original inquiry! > > "Reproducible builds can act as part of a chain of trust > <https://en.wikipedia.org/wiki/Chain_of_trust>;[1] > <https://en.wikipedia.org/wiki/Reproducible_builds#cite_note-reproducible-buil > ds-homepage-1> > the > source code can be signed, and deterministic compilation can prove that the > binary was compiled from trusted source code. The aim is to prove that the > source code has not been tampered/modified to e.g. add a backdoor > <https://en.wikipedia.org/wiki/Backdoor_(computing)>." > > https://en.wikipedia.org/wiki/Reproducible_builds > _______________________________________________ > PLUG mailing list > PLUG@pdxlinux.org > http://lists.pdxlinux.org/mailman/listinfo/plug _______________________________________________ PLUG mailing list PLUG@pdxlinux.org http://lists.pdxlinux.org/mailman/listinfo/plug