Qubes QubesOS Build Security & Reproducible Builds (Qubes Is A Honeypot Response)

How is the source code for the Xen hypervisor(dom0), Fedora, Debian all obtained, keys verified and
then compiled?

→ A custom python script had to be developed to both download and check the signatures of all the Xen, Fedora and Debian dependencies and download them over a secure SSL/TLS channel.

What compiler is used to compile Qubes/Xen/Fedora/Debian?

This is not made clear by the developers. i.e. is it the GNU C compiler GCC?

Does Qubes use reproducible builds? (Detects build infrastructure tampering, code injection, by
detection of differences in hashes of equivalent pacakges, which are reproducible across different
dev infrastructures). Qubes has SOME reproducible builds listed here:


Hardened Toolchains

→ I haven’t seen much on hardened tool chains as compared with Gentoo:


→ What about hardened C libraries like Muslc? what about C libraries used in Xen or Fedora or Debian?
Are those hardened C libraries? Does Debian and Fedora use PIE (Position Independent Executables)?
Does Xen have any toolchain or C library hardening, or PIE?

Here are the distros which have active reproducible builds:


The whole build is not reproducible yet, if that’s what you’re asking:

Having reproducible builds is important from a supply chain attack standpoint. Here are the distros with
active reproducible builds:


Do you think we don’t know that and we are not actively working on that subject? Reproducible builds for Debian: a big step forward | Qubes OS


Are there reproducible builds for Xen (Fedora doesn’t have them anymore)? What about hardened C libraries like muslc? More information on which compiler is being used(GCC?), hardened toolchains as described by the hardened Gentoo project:

Stack Smashing Protection (SSP)
Position Independent Executables (PIE)
Stack clash protection
Control Flow Technology (CET)