Reproducible Builds Fedora vs Debian

Should Qubes switch to using Debian instead of Fedora for key system templates like

sys-usb, sys-net, sys-firewall ? Fedora does not currently compile and build using reproducible


1 Like

If you select debian and not fedora on install, you get debian based, as far as I know.


Ok; but what about dom0? This is Fedora based.


Yes, it is. I’m not as worried about it as you, but that doesn’t mean your worry isn’t valid, and it would be nice to have the option there.

1 Like

It just strikes me as odd that a major distro like Fedora wouldn’t be compiling and building using reproducible infrastructure, it seems a bit strange that its omitted.

1 Like

There’s almost zero chance of the project moving to Debian for dom0 imo.
Other options have been put forward, as you should know from GitHub.
Once we have a fully working sys-gui,which can be Debian based, then dom0 starts to fade away.

I never presume to speak for the Qubes team. When I comment in the Forum or in the mailing lists I speak for myself.

I appreciate your reply; could you kindly link me to the Github discussion?

1 Like

Fedora is beginning to look like a supply chain attack vector… :frowning:

1 Like

But we will still be able to access it and have the full controll over Qubes OS installed on our own hardware?

1 Like

Yeah the dom0 is still there, its not as though it has been removed right? Just because there’s a gui
doesn’t mean the underlying (potentially vulnerable) Fedora distro code isn’t present right?

Please see this Reddit discussion concerning this subject:

Not on their own, no. But the intent is to eventually use [diverse double-compilation (Fully Countering Trusting Trust through Diverse Double-Compiling (DDC) - Countering Trojan Horse attacks on Compilers), which can be used to detect the presence of malicious compilers or build environments. Reproducible builds — specifically the ability for other people, not just Fedora, to build packages — is a necessary first step towards that.

Bruce Schneier’s commentary on the DDC paper](Countering "Trusting Trust" - Schneier on Security) explains things clearly. Note that it requires being able to check that the resulting binaries are identical. Without the ability to reproducibly build software with a single compiler, you can’t even start comparing its output with other compilers.


See also this discussion:

I think I saw that thread on github. However, if someone has that link handy and would put it here, that would be good.

Edit: Change the OS used in dom0 · Issue #1919 · QubesOS/qubes-issues · GitHub

1 Like

Anyway, at this point, user would not directly interact with dom0, so it
will be very much transparent (i.e. even if that would be Debian - which
is another option - …

you won’t have a chance to call apt-get there)

It’s already an easy installer option, so it’s up to the user.

As @thanky0u already linked, we have an open issue for this:

They are considering Alpine Linux? but Alpine doesn’t use deterministic builds…

Why not Arch Linux?

Discussion about OS comparisons here:

HardenedBSD also seems to match at least some of the Whonix criteria: