How can I confirm that the binaries in my Ubuntu are from the source code it should be from?

Like 99% of users, I install Ubuntu from ready-made binaries.

How can I verify myself that those binaries are in fact from the original source code from Ubuntu?

It would be good to verify that NSA/someone has not collaborated with either Ubuntu or Linode (my VPS provider) to mess with the binaries. If we could verify the binaries, they would also be unlikely to attempt this in the first place as it would be easy to call them out on it.


Solution 1:

You can download the source code and compile it yourself. But wait - first you have to check that source code, because if Canonical collaborated with the NSA, they probably have entered some code somewhere to allow for a keylogger or something that can be activated remotely.

So...

  1. after downloading the source code,
  2. you have to check all code,
  3. and then compile it!

But wait - can you trust the compiler?

Solution 2:

If you're not willing to accept "because Ubuntu says so", then you can't.

Solution 3:

Ubuntu offers convenient means to compile a package on your own machine. However, there is no way to check that the executable in a binary package that you downloaded has been obtained from that source code. The signing process used by Ubuntu reduces the risk of third-party tampering with the packages substantially, but you still have to trust that no harmful code has been added before the compilation that is not reflected in the downloadable source code.

The reason is that it is tremendously hard to obtain precisely the same binaries as there are in the compiled packages, as these depend on the precise compiler version, its options, and probably there are also some paths or environment variables compiled into the binary. So you will be unable to obtain precisely the same binary when compiling yourself, which would "verify" the downloaded binary.

There is actually a small research community around precisely this problem - how to make compilation reproducible.

Having said that, a manual comparison of a downloaded binary and a self-compiled one can detect added/modified code, so it would be risky for someone offering binaries and the source code to hide something in the binaries, as this can be detected.

But then there is also the problem of trusting the compiler, as already mentioned...
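The "manual comparison of a downloaded binary and a self-compiled one" mentioned above, as an added example that is not part of this answer: a small POSIX shell script that walks two unpacked package trees, hashes every regular file with SHA-256 and reports files that are missing from, added to, or modified in the second tree. In practice the two trees would come from `dpkg-deb -x downloaded.deb a` and `dpkg-deb -x rebuilt.deb b`; the sample trees built by `make_sample_trees` are constructed for this example, and the function names are this example's own.

```shell
#!/bin/sh
# Compare two unpacked package trees file by file (added example, not from the
# answer). Use LC_ALL=C so that sort and join agree on the ordering of paths.
export LC_ALL=C

# tree_manifest DIR: print "relative-path sha256" for every regular file under
# DIR, sorted by path. Paths containing spaces are not handled (rare in .deb
# payloads, and join splits on whitespace).
tree_manifest() {
    ( cd "$1" && find . -type f | sort | while IFS= read -r f; do
        printf '%s %s\n' "$f" "$(sha256sum "$f" | cut -d' ' -f1)"
    done )
}

# compare_trees A B: one line per difference between the trees.
#   MISSING path   - present in A (e.g. your rebuild) but not in B (download)
#   ADDED path     - present in B but not in A: code that is not in your build
#   MODIFIED path  - present in both with different content
compare_trees() {
    tmp=$(mktemp -d)
    tree_manifest "$1" > "$tmp/a"
    tree_manifest "$2" > "$tmp/b"
    join -v 1 "$tmp/a" "$tmp/b" | awk '{print "MISSING", $1}'
    join -v 2 "$tmp/a" "$tmp/b" | awk '{print "ADDED", $1}'
    join "$tmp/a" "$tmp/b" | awk '$2 != $3 {print "MODIFIED", $1}'
    rm -rf "$tmp"
}

# count_differences A B: number of differing files (0 means identical payload).
count_differences() {
    compare_trees "$1" "$2" | wc -l | tr -d ' '
}

# make_sample_trees: build two constructed trees under a temp dir and print its
# path. "built" stands for a local rebuild, "downloaded" for the shipped package,
# which here carries one changed file and one file the rebuild does not have.
make_sample_trees() {
    root=$(mktemp -d)
    mkdir -p "$root/built/usr/bin" "$root/downloaded/usr/bin" "$root/downloaded/usr/lib"
    printf 'hello\n' > "$root/built/usr/bin/tool"
    printf 'hello\n' > "$root/downloaded/usr/bin/tool"        # identical
    printf 'v1\n'    > "$root/built/usr/bin/helper"
    printf 'v2\n'    > "$root/downloaded/usr/bin/helper"      # modified
    printf 'extra\n' > "$root/downloaded/usr/lib/libextra.so" # added
    echo "$root"
}

# Stand-alone usage: compare_trees.sh <rebuilt-tree> <downloaded-tree>
if [ "$#" -eq 2 ]; then
    compare_trees "$1" "$2"
fi
```

A clean run prints nothing and `count_differences` returns 0; any `ADDED` or `MODIFIED` line is a file whose contents you cannot account for from the source you compiled. As the answer notes, unless the build is reproducible you should expect `MODIFIED` lines for ordinary binaries too (embedded paths, timestamps, compiler differences), so the useful signal is unexpected files and differences that survive normalising those known sources of variation.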

Solution 4:

It is a difficult problem to create the exact same binaries on two different machines. The TOR project does this as a regular part of their build. There is a description of how they do it. Debian and Fedora seem to have projects making this possible for these distributions, but they are in the early stages. It doesn't seem like there is any work done in Ubuntu.

To reproduce an Ubuntu binary package you would need to reproduce the environment it was created in as closely as possible. To start with that, you first need to find out where and how these packages were compiled. It doesn't look like that information is easy to find.