Re: [GNU-linux-libre] Help users to verify their downloads


From: Patrick McDermott
Subject: Re: [GNU-linux-libre] Help users to verify their downloads
Date: Mon, 25 Jun 2018 01:44:02 -0400

Hello,

On 2018-06-18 at 08:37, Donald Robertson wrote:
> We've recently received some feedback from users concerned about
> verifying their downloads of free distros. [...] Could I get help in
> checking what other distros are providing for this issue, and working to
> encourage all distros to provide such options?

I'll answer this for ProteanOS.  Tl;dr: This is partially done but
important parts are still in progress.

First, I'll provide some background on how ProteanOS is distributed.
Unlike many other distributions, there are no self-contained live,
installer, or flashable system images.  The official way to install
ProteanOS is to cross-install from another distribution using "prokit",
an installer package (and more) similar to debootstrap in Trisquel and
gNewSense.  prokit downloads a set of individual packages from a package
archive mirror to construct a bootable (or chroot'able) system.
Packages in that system are then managed by opkg.  The package archive
is managed by "pro-archman", similar to reprepro in Trisquel/gNewSense.

Now, about download verification.  prokit is distributed alongside MD5
and SHA-256 checksums and an OpenPGP signature.  prokit and opkg in turn
both check the integrity of all downloaded packages using both MD5 and
SHA-256 checksums (generated by pro-archman).  So checksumming at least
is done, and the installer package is signed.

However, prokit and ProteanOS's opkg binaries currently don't do any
signature verification, nor does pro-archman generate signatures on the
archive.  There are a few things to be done to accomplish that, and this
work is in progress.

First, the GPGME library and its dependencies need to be packaged in
ProteanOS so signature checking can be enabled in opkg.  In 2014 [1][2]
I did some of that packaging and offered the rest of the packages as
low-hanging fruit for anyone interested.

Next, pro-archman needs to gain the ability to sign package archive
index files.  (Those index files contain the MD5 and SHA-256 checksums
of package files, completing the chain of trust to the packages
themselves.)  And finally prokit needs to be modified to verify index
file signatures (once the implementation design is finalized).

I updated and summarized the remaining work in a wiki page [3] last
year (plus some small changes shortly ago).  Progress is admittedly
slow, but package verification is a priority in ProteanOS.


Also, since Denis brought it up in this thread, I'll mention that build
reproducibility is also something I'd like to get done in ProteanOS.  I
actually started looking into it a bit way back in July 2013 [4] (before
it was cool!) as a QA measure to validate architecture port bootstraps.
At that time, it looked like ProteanOS actually wasn't too far off from
being reproducible, although the distribution has grown a lot in the
years since and I haven't checked binary differences recently.

It likely won't happen anytime soon, as I currently have a few higher
priorities in ProteanOS right now (including signatures) and a complete
reproducibility implementation will likely require some extra tooling
work to track and replicate build environments (installed package
versions, SOURCE_DATE_EPOCH, etc.).  But it's on my radar.


[1]: http://lists.proteanos.com/proteanos-dev/2014/06/msg00001.html
[2]: http://lists.proteanos.com/proteanos-dev/2014/09/msg00001.html
[3]: http://www.proteanos.com/dev/archive/signing/
[4]: http://lists.proteanos.com/proteanos-dev/2013/07/msg00002.html

-- 
Patrick McDermott, CEO
Libiquity
Putting customers in control of high-quality technologies
http://www.libiquity.com/
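The message above describes the chain of trust that signing the archive index completes: the OpenPGP signature covers the index file, and the index file carries the per-package checksums. The POSIX shell script below is an added example written for this page, not code from prokit, opkg or pro-archman. It assumes an opkg-style `Packages` index (stanzas separated by blank lines with `Filename:`, `Size:` and `SHA256sum:` fields), a detached OpenPGP signature file over that index, a keyring file holding only the archive signing key, and `gpgv`, `awk` and `sha256sum` on the host; the file and key names in the comments are placeholders.

```shell
#!/bin/sh
# Chain-of-trust check for a package archive: verify the OpenPGP signature
# on the index file first, then verify each package against the SHA-256
# recorded in that (now trusted) index.
# Assumed index layout (opkg-style stanzas separated by blank lines):
#   Package: foo
#   Filename: foo_1.0_all.opk
#   Size: 1234
#   SHA256sum: <hex digest>
set -u

# verify_index_signature INDEX SIGFILE KEYRING
# Checks the detached signature SIGFILE over INDEX against an explicit
# keyring (the archive key only), not the user's default keyring.
verify_index_signature() {
    gpgv --keyring "$3" "$2" "$1"
}

# index_field INDEX FILENAME FIELD
# Prints the value of FIELD from the stanza whose Filename: equals FILENAME.
# Field order inside a stanza does not matter: the stanza is collected first.
index_field() {
    awk -v fn="$2" -v field="$3" '
        function flush() {
            if (!found && f["Filename"] == fn && (field in f)) {
                print f[field]; found = 1
            }
            split("", f)   # portable way to clear the array
        }
        /^$/ { flush(); next }
        { k = $1; sub(/:$/, "", k); f[k] = $2 }
        END { flush() }
    ' "$1"
}

# verify_package INDEX FILENAME DIR
# Returns 0 only if DIR/FILENAME exists and has exactly the size and
# SHA-256 digest the index records for it.
verify_package() {
    index=$1; name=$2; path=$3/$2
    expected_sum=$(index_field "$index" "$name" SHA256sum)
    expected_size=$(index_field "$index" "$name" Size)
    if [ -z "$expected_sum" ]; then
        echo "verify_package: $name not in index or has no SHA256sum" >&2
        return 1
    fi
    if [ ! -f "$path" ]; then
        echo "verify_package: $path missing" >&2
        return 1
    fi
    actual_size=$(wc -c < "$path" | tr -d ' ')
    actual_sum=$(sha256sum "$path" | cut -d' ' -f1)
    if [ "$actual_size" != "$expected_size" ] || [ "$actual_sum" != "$expected_sum" ]; then
        echo "verify_package: $name does not match index (size $actual_size, sha256 $actual_sum)" >&2
        return 1
    fi
    return 0
}

# verify_archive INDEX SIGFILE KEYRING DIR
# The whole chain: a package is trusted only if the signature over the index
# verifies AND the package matches that index. Without a valid signature no
# checksum in the index is trusted at all.
verify_archive() {
    verify_index_signature "$1" "$2" "$3" || {
        echo "verify_archive: index signature check failed; not trusting any checksum" >&2
        return 1
    }
    status=0
    for name in $(awk '$1 == "Filename:" { print $2 }' "$1"); do
        verify_package "$1" "$name" "$4" || status=1
    done
    return $status
}
```

A typical call would be `verify_archive Packages Packages.sig archive-keyring.gpg ./pool` after downloading the index, its signature and the packages. The ordering is the point: checksums alone catch corrupted transfers, but whoever can substitute a package on a mirror can substitute the index next to it, so the checksum only becomes an authenticity check once the index it came from is signed by the archive key. SHA-256 is sufficient on its own here; an MD5 field, where present, adds nothing to the security of the check.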
