Re: [PLUG] Is a Linux Distro compromised?

2019-10-09 Thread tomas . kuchta . lists
I think, when you are on this road, that you should start building your chain of trust at UEFI/BIOS - either from some company which has a lot to lose by compromising customers (probably not Huawei) or just get a laptop from Purism. Tomas On Tue, 2019-10-08 at 14:10 -0700, Mike C. wrote:

Re: [PLUG] Is a Linux Distro compromised?

2019-10-08 Thread Mike C.
> > There are many, many turtles involved. > Funny you should say that, I had a similar thought, "It's turtles all the way down", when thinking about some other current events. > The source-to-binary mapping involves a toolchain to build it. > The toolchains (compilers and linkers and such) are

Re: [PLUG] Is a Linux Distro compromised?

2019-10-08 Thread Russell Senior
On Tue, Oct 8, 2019 at 8:39 AM Mike C. wrote: > [...] > Maybe I'm getting off in the weeds a bit here, but I'm wondering if there's > or should be a mechanism where the kernel running on a computer can be > compared to the upstream source kernel image. > There are many, many turtles involved. T

Re: [PLUG] Is a Linux Distro compromised?

2019-10-08 Thread Tomas Kuchta
Most distributions modify the kernel before packaging it. So, you are likely to find that they are different. AFAIK, the only reasonable way to get an unmodified kernel is to get the unmodified kernel from kernel.org, verify its signature and compile it yourself. The alternative is to understand what yo

Re: [PLUG] Is a Linux Distro compromised?

2019-10-08 Thread Mike C.
in many cases, it's NOT the "real" kernel as published by The Linux Foundation: Red Hat and Debian, at least and for sure, maintain their own patch sets for the kernel. They do publish them, of course, because the license requires it, but the resulting binary is definitely not what was running in

Re: [PLUG] Is a Linux Distro compromised?

2019-10-08 Thread Rich Shepard
On Mon, 7 Oct 2019, Tyrell Jentink wrote: No there's not; Not only that, in many cases, it's NOT the "real" kernel as published by The Linux Foundation: Red Hat and Debian, at least and for sure, maintain their own patch sets for the kernel; They do publish them, of course, because the license r

Re: [PLUG] Is a Linux Distro compromised?

2019-10-07 Thread Mike C.
here are 2 stages where the download could be compromised: 1) Man-in-the-middle attacks when you (the user) download the file from the server to your machine, resulting in a file that differs from the one you intended to download. 2) modifications made on the server. The file you downloaded is cor

Re: [PLUG] Is a Linux Distro compromised?

2019-10-07 Thread Tyrell Jentink
> > So there's no "chain of custody", for lack of a better term, digital > signature where one could look at the kernel running on a Linux system and > trace it back to the original Linux kernel that was released? > No there's not; Not only that, in many cases, it's NOT the "real" kernel as publis

Re: [PLUG] Is a Linux Distro compromised?

2019-10-07 Thread Ben Koenig
The key thing always confuses me, but it is also worth noting that there are 2 stages where the download could be compromised: 1) Man-in-the-middle attacks when you (the user) download the file from the server to your machine, resulting in a file that differs from the one you intended to downlo

Re: [PLUG] Is a Linux Distro compromised?

2019-10-07 Thread Mike C.
That is, of course, only useful if the distribution itself is not compromised. In case it is truly compromised, including signing and sha256 infrastructure, I do not think you can do much about it. Hope it helps, Tomas -- This is precisely what I'm trying to understand. What's preventing someone

Re: [PLUG] Is a Linux Distro compromised?

2019-10-07 Thread Russell Senior
The gnarly problem with cryptographic signatures is making sure that the public keys you are using to verify are the correct ones, since usually the way you get the public keys is the same way you get the signatures and the blobs they protect. You need some reliable out-of-band way of gaining conf

Re: [PLUG] Is a Linux Distro compromised?

2019-10-07 Thread alan
> You could download distribution .iso as well as its sha256sum. Then you > run: sha256sum fileName.iso and compare them. > > All distributions I know are additionally signed and will complain/abort > when the signature does not match. > > That is, of course, only useful if the distribution itse

Re: [PLUG] Is a Linux Distro compromised?

2019-10-07 Thread Tomas Kuchta
You could download distribution .iso as well as its sha256sum. Then you run: sha256sum fileName.iso and compare them. All distributions I know are additionally signed and will complain/abort when the signature does not match. That is, of course, only useful if the distribution itself is not compr

[PLUG] Is a Linux Distro compromised?

2019-10-07 Thread Mike C.
How would one know or determine if their beloved Linux distro of choice is hacked, altered or otherwise compromised? And not from years of using it with applying security updates or just willy-nilly throwing apps on it for fun but from the source when you download it. Say I want to build my own d