Hi, I would like to compile the updates for dom0 and for custom HVMs from source. I’m interested in doing this for packages from the Qubes repos only and not for the repos of the underlying Linux distro.
Is there a reliable way to do that?
Reason: This would make Qubes a lot more “trustless” in my opinion. We can compile our own Qubes iso with the Qubes Builder and that’s good, but with updates we have to rely on a promise. Quote from the Qubes Templates docs: “We guarantee that the binary updates are compiled from exactly the same source code as we publish.”
And to further clarify:
I have compiled some things in the past and it was always a little struggle when I did.
I’m not sure where to start here. I imagine the procedure as monitoring the repos for new updates and then simply downloading the new sources from Github to compile them. That seems like a error-prone and stressful idea though.
Updates are basically just packages with greater version numbers. As you can compile a package, you can always pull from the repo and compile a latest one. Then installing the new package over your old one should do it for you.
BTW qubes packages support reproducible build at least to some extent ( I haven’t investigated ), which ensures with the same source code you always get the same binary output. This might alleviate your concern about the trustworthiness of Qubes team and infrastructure.
Additionally, compiling from source is not for the faint of heart and requires the corresponding toolchain, of course. Now, to your trust concerns, you would need to trust that build toolchain too in any case, unless you want to build that too and somehow bootstrap the entire thing from first principles.
In sum, I can understand your concerns, but in order to apply a complete zero trust approach, the amount of effort is very significant and the potential decrease in risk not that great, with the potential for other issues to appear too (version mismatches, dependency hell, etc.). Probably not worth it, but that’s just my opinion.
Yes, I’ve read about that. Debian also is working towards such a reproducibility. But how do we know if that’s ever going to become a reality? Until then 1 binary package is enough to compromise a system.
On the other hand even self-compiled software could contain malware. Probably even software that’s been very thoroughly audited. A seemingly legitimate update function within a software would be enough to introduce malware at some point.
I agree. If you still want to do get other things done in your spare time then it’s probably not worth it.
I still wish it would be a thing for Qubes. It would be great if you could utilize the Qubes Builder not only for the .iso but also for compiling the updates.
It is a thing for Qubes - if you want to you can build the same packages
used in updates from source using the builder tools.
Nothing to stop you, and the process is relatively straightforward -
once you have your build system configured right.
I never presume to speak for the Qubes team.
When I comment in the Forum or in the mailing lists I speak for myself.