Sources and how to build peppermint

[PCNetSpec]

All I'm saying is Team Peppermint can guarantee our own code is clean, but we haven't the manpower to fully audit all Ubuntu packages (that would be a MASSIVE task) and/or third party source code. to a great degree we have to trust that GNU --> Kernel.org --> Debian --> Ubuntu aren't out to get you (until shown otherwise), but so far nobody has shown this beyond possibly the Amazon lens (which we don't use, and wasn't "hidden" to begin with).

If we're carrying any malicious code it would most definitely be from an upstream source (and not us), and it would be a "linux as a whole" problem not just a "Peppermint" one .. and yet even though some of the most paranoid and clever people in the world have their eyes on the code (because they can), nobody is suggesting Linux has a problem.

I personally trust that "open" source "pretty much" guarantees nobody sticks malicious code in there because it would be pretty easy to find, the authors would be ostracised, and the code cleaned up or dumped.

What Ulysses_ is doing is that "many eyes on the code" in action .. he's taking the original source code from say LibreOffice, compiling it, and making sure the binaries produced from compiling it match those included in Ubuntu packages (to make sure Ubuntu aren't "adjusting" the binaries beyond what can be clearly studied in their patches) .. it's PRECISELY this kind of community scrutiny that ensures we're all safe, and keeps companies like Canonical (and us I guess) "in check"

Not only don't I have a problem with that, I applaud it .. it's a prime example of what makes open source work.

[Pikolo]

I don't think Ulysses will succeed in making a reproducible build(that's the CS buzzword for "getting the same binary in independent compilation") of the whole PMOS system. I know that Debian has been trying really hard to use repeatable builds for a few years now, yet building an .iso is not yet possible that way.

Finding out if a certain package can be built that way shouldn't be hard. About 80% of them are, if I can read https://wiki.debian.org/ReproducibleBuilds correctly. Since Ubuntu often takes packages from Debian unstable, that ratio for PMOS will probably be lower. I applaud your project

[AndyInMokum]

.. it's PRECISELY this kind of community scrutiny that ensures we're all safe, and keeps companies like Canonical (and us I guess) "in check"

Not only don't I have a problem with that, I applaud it .. it's a prime example of what makes open source work.

...Finding if a certain package is possible to be built that way shouldn't be hard to find. About 80% of them are, if I can read https://wiki.debian.org/ReproducibleBuilds correctly. Since Ubuntu often takes packages from Debian unstable, that ratio for PMOS will probably be lower. I applaud your project

I agree, It really cool what Ulysses it attempting to do.  I'm looking forward to knowing how he gets on and if he finds anything that needs questioning   .

[Pikolo]

I think the biggest security/privacy concerns these days are going to be implemented in hardware such as the "Trusted Platform Module" and the like .. completely bypassing software security, and ensured for the life of the PC.

If you want to loose the peace of mind on how far you've underestimated the maliciousness of hardware backdoors in your system, read this: https://libreboot.org/faq.html#intel. Just a few weeks ago, Intel admitted someone found a bug affecting most Intel processors since 2010: https://www.theregister.co.uk/2017/05/01/intel_amt_me_vulnerability/

Purging the backdoor is an exercise in electronic engineering: https://hardenedlinux.github.io/firmware/2016/11/17/neutralize_ME_firmware_on_sandybridge_and_ivybridge.html. This is a version for less technical users:

The ME consists of an individual processor core, code and data caches, a timer, and a secure internal bus to which additional devices are connected, including a cryptography engine, internal ROM and RAM, memory controllers, and a direct memory access (DMA) engine to access the host operating system’s memory as well as to reserve a region of protected external memory to supplement the ME’s limited internal RAM. The ME also has network access with its own MAC address through the Intel Gigabit Ethernet Controller integrated in the southbridge (ICH or PCH).

The Intel Management Engine with its proprietary firmware has complete access to and control over the PC: it can power on or shut down the PC, read all open files, examine all running applications, track all keys pressed and mouse movements, and even capture or display images on the screen. And it has a network interface that is demonstrably insecure, which can allow an attacker on the network to inject rootkits that completely compromise the PC and can report to the attacker all activities performed on the PC. It is a threat to freedom, security, and privacy that can’t be ignored.

Just in case that isn't clear from the quote - the ME is a keylogger with it's own network connection, ie. it is NOT affected by your laptop's firewall.

[Ulysses_]

I knew this was coming. And developed a script to run on a separate, much older computer (1999), based on tinycore linux that played the role of the gateway that started by blocking all of the internet, and every time a packet from my peppermint computer arrived to this gateway, it did an inverse DNS lookup and updated a list of detected domain names that it kept on display which also included peppermint's attempted DNS lookups. And it had a prompt where you explicitly accepted a domain name and it unblocked its associated IP and DNS lookups to this domain, or you explicitly accepted an IP. In other words, a block-by-name firewall.

As expected, a lot of connections are attempted even when you do not intentionally put an address on firefox's address box, not sure it was a good thing to block them all except obviously useful ones.

[VinDSL]

Just a few weeks ago, Intel admitted someone found a bug affecting most Intel processors since 2010: https://www.theregister.co.uk/2017/05/01/intel_amt_me_vulnerability/

Did you read this part, in the article ?   

Judging from Intel's statement, It's now up to computer makers to distribute the digitally signed firmware patches for people and IT admins to install. That means if your hardware supplier is a big name like Dell, one of the HPs, or Lenovo, you'll hopefully get an update shortly. If it's a no-name white box slinger, you're likely screwed: things like security and cryptography and firmware distribution is too much hard work in this low-margin business. You may never get the patches you need, in other words.

[Ulysses_]

checking happens anyway when people add lines to existing code and sooner or later someone would notice something malicious, make big news of it, and destroy the reputation of the vendor.

Except that, in Julian Assange's words:

"UNIX-like systems like Debian (which he mentioned by name) are engineered by nation-states with backdoors which are easily introduced as ‘bugs’, and how the Linux system depends on thousands of packages and libraries that may be compromised."

Debian Is Owned By The NSA

From the same article:

"Debian famously botched the SSH random number generator for years (which was clearly sabotaged)".
"Speaking of botched security affecting Red Hat, Debian, Ubuntu, Gentoo, SuSE, *BSD, and more, the nightmarish OpenSSL recently botched SSL again (very serious)".

So much for liberte distros. I had a hunch too, that something was fishy about it, even unbeknown to the developers.