Reproducible Builds Fedora vs Debian

Should Qubes switch to using Debian instead of Fedora for key system templates like

sys-usb, sys-net, sys-firewall ? Fedora does not currently compile and build using reproducible

infrastructure.

1 Like

If you select debian and not fedora on install, you get debian based, as far as I know.

2 Likes

Ok; but what about dom0? This is Fedora based.

2 Likes

Yes, it is. I’m not as worried about it as you, but that doesn’t mean your worry isn’t valid, and it would be nice to have the option there.

1 Like

It just strikes me as odd that a major distro like Fedora wouldn’t be compiling and building using reproducible infrastructure, it seems a bit strange that its omitted.

1 Like

There’s almost zero chance of the project moving to Debian for dom0 imo.
Other options have been put forward, as you should know from GitHub.
Once we have a fully working sys-gui,which can be Debian based, then dom0 starts to fade away.

I never presume to speak for the Qubes team. When I comment in the Forum or in the mailing lists I speak for myself.
2 Likes

I appreciate your reply; could you kindly link me to the Github discussion?

1 Like

Fedora is beginning to look like a supply chain attack vector… :frowning:

1 Like

But we will still be able to access it and have the full controll over Qubes OS installed on our own hardware?

1 Like

Yeah the dom0 is still there, its not as though it has been removed right? Just because there’s a gui
doesn’t mean the underlying (potentially vulnerable) Fedora distro code isn’t present right?

Please see this Reddit discussion concerning this subject:

Not on their own, no. But the intent is to eventually use [diverse double-compilation (Fully Countering Trusting Trust through Diverse Double-Compiling (DDC) - Countering Trojan Horse attacks on Compilers), which can be used to detect the presence of malicious compilers or build environments. Reproducible builds — specifically the ability for other people, not just Fedora, to build packages — is a necessary first step towards that.

Bruce Schneier’s commentary on the DDC paper](Countering "Trusting Trust" - Schneier on Security) explains things clearly. Note that it requires being able to check that the resulting binaries are identical. Without the ability to reproducibly build software with a single compiler, you can’t even start comparing its output with other compilers.

2 Likes

See also this discussion:

https://reproducible-builds.org/events/athens2015/benefits/

I think I saw that thread on github. However, if someone has that link handy and would put it here, that would be good.

Edit: Change the OS used in dom0 · Issue #1919 · QubesOS/qubes-issues · GitHub

1 Like

Anyway, at this point, user would not directly interact with dom0, so it
will be very much transparent (i.e. even if that would be Debian - which
is another option - …

https://groups.google.com/g/qubes-devel/c/mTZjx03Zu8s/m/b830ZHuYAQAJ

you won’t have a chance to call apt-get there)

It’s already an easy installer option, so it’s up to the user.

As @thanky0u already linked, we have an open issue for this:

They are considering Alpine Linux? but Alpine doesn’t use deterministic builds…

Why not Arch Linux?

Discussion about OS comparisons here:

HardenedBSD also seems to match at least some of the Whonix criteria:

https://www.hardenedbsd.com/content/easy-feature-comparison