Peppermint OS Community Forum

Support => Advanced Topics => Topic started by: Ulysses_ on April 24, 2017, 01:45:05 pm

Title: Sources and how to build peppermint
Post by: Ulysses_ on April 24, 2017, 01:45:05 pm
Where are the sources for peppermint linux?
Title: Re: Sources and how to build peppermint
Post by: scifidude79 on April 24, 2017, 02:09:35 pm
What do you mean by "sources?"  Download links?  Source code?
Title: Re: Sources and how to build peppermint
Post by: mac on April 24, 2017, 03:27:42 pm
As per scifidude79's reply your question is a little vague.  However, if you mean where to download Peppermint LOOK HERE (http://peppermintos.com).  If you want to view the sources list then run the following command in your terminal
Code:
pluma /etc/apt/sources.list
  If you want to edit the source list run
Code:
sudo pluma /etc/apt/sources.list
  You can also open the Synaptic Package Manager and navigate to Settings > Repositories.

BTW, Welcome to the forum!   ;)
Title: Re: Sources and how to build peppermint
Post by: zebedeeboss on April 24, 2017, 04:15:50 pm
Hi all

I think he wants the Peppermint source code so he can build/compile/create his own peppermint?

Regards Zeb...
Title: Re: Sources and how to build peppermint
Post by: scifidude79 on April 24, 2017, 05:13:08 pm
Quote
Hi all

I think he wants the Peppermint source code so he can build/compile/create his own peppermint?

Regards Zeb...

Yeah, I think you're right.  I was alerted to this post via e-mail (because it's from a new user)  so I didn't pay attention to the thread title.  :-[
Title: Re: Sources and how to build peppermint
Post by: Ulysses_ on April 24, 2017, 05:14:05 pm
I want the source code for the operating system, to check if there are any binaries in it that are not open-source.  And build it myself. No intention of changing anything that cannot be changed with apt.
Title: Re: Sources and how to build peppermint
Post by: VinDSL on April 24, 2017, 07:38:52 pm
Got a pretty good collection, over on the git:  https://goo.gl/3hVvTY    8)

EDIT

LP is a good source, too:  https://goo.gl/aH1DCR
Title: Re: Sources and how to build peppermint
Post by: Ulysses_ on April 24, 2017, 08:09:47 pm
What, the entire operating system is in packages, that are added to ubuntu? Where's the ubuntu source code?
Title: Re: Sources and how to build peppermint
Post by: scifidude79 on April 24, 2017, 09:24:28 pm
There should be links to the Ubuntu source code on the Ubuntu website.  Though, more specifically, I think Peppermint is based on the Lubuntu source code.  It's available on the Lubuntu website.  As for how exactly the OS is built, only one man knows for sure.
Title: Re: Sources and how to build peppermint
Post by: Ulysses_ on April 25, 2017, 07:22:17 pm
And who is the man who knows how to build the peppermint OS?

Also, could someone confirm whether the live CD contains binaries that are just inherited from ubuntu and not built? Maybe the signed EFI files?

Finally, if ubuntu has been forced to modify its binaries with secret source code, has the developer of peppermint taken care of this by building ubuntu and debian from the published sources?

So who is the man to ask?
Title: Re: Sources and how to build peppermint
Post by: murraymint on April 25, 2017, 07:29:57 pm
I installed "virtual Richard M Stallman" (vrms). Bear in mind that some of this was added by me personally to my system (the MAME games-related ones, the Skype, etc).

Code:
vrms
        Non-free packages installed on tom-HP-Peppervilion

adobe-flash-properties-gtk          GTK+ control panel for Adobe Flash Player plugin
adobe-flashplugin                   Adobe Flash Player plugin
intel-microcode                     Processor microcode firmware for Intel CPUs
libcg                               Nvidia Cg core runtime library
libcggl                             Nvidia Cg Opengl runtime library
libretro-genesisplusgx              Libretro wrapper for Genesis Plus GX
mame                                Multiple Arcade Machine Emulator (MAME)
mess-data                           Data files for the Multi Emulator Super System (MESS)
nemo-dropbox                        Dropbox integration for Nemo
nvidia-cg-dev                       Cg Toolkit - GPU Shader Authoring Language (headers)
nvidia-cg-toolkit                   Cg Toolkit - GPU Shader Authoring Language
skype                               client for Skype VOIP and instant messaging service
skype-bin                           client for Skype VOIP and instant messaging service -
unrar                               Unarchiver for .rar files (non-free version)

         Contrib packages installed on tom-HP-Peppervilion

b43-fwcutter                        utility for extracting Broadcom 43xx firmware
browser-plugin-freshplayer-pepperfl PPAPI-host NPAPI-plugin adapter for pepperflash
bunsen-pepperflash                  Pepper Flash Player - browser plugin
firmware-b43-installer              firmware installer for the b43 driver
gnome-video-arcade                  Simple MAME frontend
iucode-tool                         Intel processor microcode tool
libdvd-pkg                          DVD-Video playing library - installer
ttf-mscorefonts-installer           Installer for Microsoft TrueType core fonts

  14 non-free packages, 0.6% of 2210 installed packages.
  8 contrib packages, 0.4% of 2210 installed packages.
Title: Re: Sources and how to build peppermint
Post by: PCNetSpec on April 25, 2017, 09:27:53 pm
Quote
Hi all

I think he wants the Peppermint source code so he can build/compile/create his own peppermint?

Regards Zeb...

If this is the plan, please be sure to remove ALL Peppermint branding and original artwork .. also be sure to remove anything else that may be covered by third party copyright, trademarks, and license agreements such as (but not limited to) the Ray Bilcliff wallpaper images unless you get the original IP owners written consent to redistribute.

So you CAN modify and redistribute Peppermint CODE in accordance with the applicable included license(s) and use it in your own distinctly branded distro, but you CANNOT distribute your own "Peppermint".

@ Ulysses_
Some context to your questions would probably make answering easier .. what are your aims, goals, and requirements here ?

If you're after the source code for all the packages that make up Ubuntu 16.04.2 in one place (all 15.6Gb of it) .. look here for the 4 DVD ISO images:
http://cdimage.ubuntu.com/releases/16.04/release/source/
Obviously that source code will  be frozen at the date of the 16.04.2 release, so won't contain the source code for updated packages, nor will it contain source code for anything from the "Partner" repos.
Title: Re: Sources and how to build peppermint
Post by: Ulysses_ on April 26, 2017, 08:14:54 am
Aims and motivations: Been using peppermint as a guest in vmware VM's since the beginning of your distro, with windows as the host. Now windows is becoming spyware so I want to switch to an open-source host such as peppermint, and an open-source hypervisor such as virtualbox for my VM's. But even in open-source there is the possibility that the binaries you get from repositories have spyware functionality added that does not appear in the source code of C, C++, assembler or whatever you get from the repos as source code. So to be sure I want to build peppermint myself, from the public source code that is less likely to contain spyware functionality because that would destroy the reputation of peppermint. And build ubuntu too. And debian if need be. Nothing must be downloaded as a binary. Kinda like linuxfromscratch.com. Would make it minimal too. The advantage of debian/ubuntu/peppermint compared to linux from scratch is you automatically get informed of security updates.
Title: Re: Sources and how to build peppermint
Post by: Slim.Fatz on April 26, 2017, 09:45:17 am
Hi Ulysses_,

Your ideas are interesting. However, I wonder if you might save yourself a lot of work by selecting a Linux distro that is already built with free (libre) software, does not include any proprietary software or binary blobs? Examples of such distros are ConnochaetOS (https://distrowatch.com/table.php?distribution=connochaet) , Trisquel GNU/Linux (https://distrowatch.com/table.php?distribution=trisquel) and gNewSense (https://distrowatch.com/table.php?distribution=gnewsense).

There are probably more such distros, but these are the ones that I know exist. I do not mean to discourage you from using PeppermintOS as your basis. I only think that it might make things easier for you to use one of those that I've mentioned.

Good luck.  :)

Regards,

-- Slim
Title: Re: Sources and how to build peppermint
Post by: Ulysses_ on April 26, 2017, 11:23:23 am
It's not as simple as proprietary versus open-source, this is only part of the issue. It's potentially fake open source versus real open source. Those distros are probably a better starting point but wait a sec. Are you saying that the peppermint we download by default contains proprietary software?
Title: Re: Sources and how to build peppermint
Post by: murraymint on April 26, 2017, 11:29:12 am
You get to choose whether or not to download certain proprietary components during installation. You've seen that, for example, graphics drivers and processor microcode can be proprietary, but they certainly help to run an OS. I suppose it's a compromise, isn't it?
Title: Re: Sources and how to build peppermint
Post by: scifidude79 on April 26, 2017, 11:47:42 am
Quote
Are you saying that the peppermint we download by default contains proprietary software?

Yep, it sure does.  Flash plugin.  I don't remember if there's anything else in the default package that's proprietary, but that definitely is.
Title: Re: Sources and how to build peppermint
Post by: murraymint on April 26, 2017, 12:02:02 pm
The Dropbox integration for Nemo as well. I don't use Dropbox so I've just removed that one.
Title: Re: Sources and how to build peppermint
Post by: scifidude79 on April 26, 2017, 12:06:56 pm
Quote
The Dropbox integration for Nemo as well. I don't use Dropbox so I've just removed that one.

Ah, I knew there was something else that I was forgetting.  Indeed, that is proprietary.  Funny, I remove both, but not due to them being proprietary, just because I don't use them.
Title: Re: Sources and how to build peppermint
Post by: Slim.Fatz on April 26, 2017, 12:33:34 pm
Hi Ulysses_,

No. I'm not saying anything about that. In fact, I do not know. Nor do I really care ... but that is just the way I am.  :D

What I am saying, I have already said: it might be less hassle to start with a distro that ONLY has free (libre) software (including kernel modules) instead of going through the source and kernel searching for non-free software and kernel modules, removing them and building the whole thing again. If you do not trust the developers of the distros that I named in my previous posting, then you will still have to go through everything and check for non-free items.

It would be easiest to just ask another fanatic whom you trust (perhaps Richard Stallman) for a suggestion.  ::)

Regards,

-- Slim
Title: Re: Sources and how to build peppermint
Post by: Ulysses_ on April 27, 2017, 06:07:37 am
That's what I thought you meant, thanks. Missing the point though. With truecrypt for example, no one has been able to build the source code and get binaries identical to the published binaries. Then a story circulated that some German had done it, by fiddling with the compiler optimization options and other options, except no links to his work or supposed compiler options were given.

Any self-respecting three letter agency would take advantage of this fact that an identical binary is not trivial to build sometimes. Let the geeks audit the open source code as much as they like, it's not where the state actors hide their functionality. Hence the motivation to build Libre and not just check it.
Title: Re: Sources and how to build peppermint
Post by: murraymint on April 27, 2017, 06:17:16 am
Quote
Now windows is becoming spyware so I want to switch

This is the bit I find somewhat amusing, that you're only just (over?)reacting to this problem now. When do you think Windows will "become" spyware?

Title: Re: Sources and how to build peppermint
Post by: VinDSL on April 27, 2017, 06:37:47 am
Heh !  Read between the lines ...

Webroot 'mistakenly' flags Windows as Malware and Facebook as Phishing site (https://goo.gl/vddwMN)

Quote
Popular antivirus service Webroot mistakenly flagged core Windows system files as malicious and even started temporarily removing some of the legit files, trashing user computers around the world.

Basically, Webroot (https://www.webroot.com/us/en) got too smart for itself and flagged Facebook as phishing site, and winders as malware.   8)
Title: Re: Sources and how to build peppermint
Post by: VinDSL on April 27, 2017, 07:01:58 am
Look, I'm as paranoid as the next person - probably the most careful person you know, but I have good reason(s).  It's a matter of survival.  I don't want to end up on the bottom of the Caesars Palace swimming pool, or 'accidentally' slipping and falling off a high-rise parking garage.

I don't own a cell phone, and I never discuss anything of importance on the web.

That said, I've had my identity stolen twice - not because of anything I did.  Both times, it was because of stolen records from medical insurance companies.

IMO, the greater issue is, 'everyone else' already has your information from cradle to grave, and THEY aren't taking care of it.

If you're trying to prove anything and everything is corrupt, you're right. 

All you can do is feed 'the machine' false information.  It's easier than you think ...  ;)
Title: Re: Sources and how to build peppermint
Post by: Ulysses_ on April 27, 2017, 07:23:32 am
Quote
This is the bit I find somewhat amusing

Here's some more for your amusement.

Microsoft Admits Windows 10 Auto-Spying Can't Be Disabled

http://21stcenturywire.com/2015/11/04/nsa-partner-in-crime-microsoft-admits-windows-10-auto-spying-cant-be-disabled/

Terms and conditions for windows 10:

"Microsoft collects information about you, your devices, applications and networks, and your use of those devices, applications and networks. Examples of data we collect include your name, email address, preferences and interests; browsing, search and file history; phone call and SMS data; device configuration and sensor data; and application usage."

Title: Re: Sources and how to build peppermint
Post by: zebedeeboss on April 27, 2017, 07:26:50 am
Hi Ulysses_,

What murraymint meant was, Windows 10 HAS been spyware from Day 1, nearly 2 years ago now. Yet you are just posting now ?

Regards Zeb...
Title: Re: Sources and how to build peppermint
Post by: Ulysses_ on April 27, 2017, 07:42:02 am
Hoping so. All windows versions from vista onwards are being updated with windows 10 features. Many people are disabling updates for this reason, but rumor has it that updates occur whether you choose it or not.

My windows host has been disconnected from the internet for some 10 years now, only VM's see the internet and only through a physical USB-to-ethernet adaptor that is virtually plugged into a VM.
Title: Re: Sources and how to build peppermint
Post by: PCNetSpec on April 27, 2017, 07:59:54 am
Quote
IMO, the greater issue is, 'everyone else' already has your information from cradle to grave, and THEY aren't taking care of it.

If you're trying to prove anything and everything is corrupt, you're right. 

All you can do is feed 'the machine' false information.  It's easier than you think ...  ;)

That right there is the only sensible course of action .. you can  build as many binaries as you wish yourself but unless you're planning on going through every line of code yourself (impossible) there's always some level of trust/distrust involved. And even if you somehow KNEW the source was clean you still have to worry as soon as you connect your PC to the outside world.

Ubuntu (like every other distro) does not author most of the software that's included in their distribution .. they may apply patches to the "orig" source, it's easy enough to check the contents of these patches, but if you think they are somehow being forced by some government agency to modify the "orig" source, then you have to apply the same logic further up the chain and you now start worrying if Xorg or the GNU toolchain, or CUPS, or Python, or the kernel itself has been compromised.

The best the open source world can do is have "many (and experienced) eyes" not so much studying the source code itself, but studying what their computer is transmitting .. THEN trying to figure out what's causing unexpected behaviour and letting the world know .. so far this approach seems to have stood everyone in good stead.

Unlike Microsoft who are not even trying to hide the fact they are spying on you because it would be impossible to hide (the network traffic is easy to spot if not read), if something was generating unexpected traffic in Linux it would be just as quickly spotted and the offending package and authors cut off and nailed to a cross.

At the same time you must recognise you cannot be 100% "secure" if you keep sensitive data on a computer any more than you were if you wrote the combination to your wall safe (or the formula to your successful burger sauce) down on a piece of paper, the best you can achieve is misdirection, obfuscation, flying under the radar, and being vigilant.

IMHO being paranoid about source code is a waste of time .. no single person can verify all the code that makes up a modern distro (or even just the kernel, or LibreOffice) .. it's not about the source code until unexpected behaviour points you in that direction, and there are a LOT of people watching Linux for unexpected behaviour, in fact most of the best system administrators in the world, universities, companies, banks, governments themselves, etc. and a generally security conscious community.
Title: Re: Sources and how to build peppermint
Post by: Ulysses_ on April 27, 2017, 09:41:39 am
Nothing like one person checking the source code of an entire o/s is suggested or needed because checking happens anyway when people add lines to existing code and sooner or later someone would notice something malicious, make big news of it, and destroy the reputation of the vendor. That's not good enough for bsd people so one of their flavours of bsd, openbsd, has been audited they say, which is minimal obviously, but minimal is what we want as a host for virtualisation. Except openbsd has no decent virtualisation that I know of, only containers. Building source code should be automatic in security and privacy oriented distros. Like you can build the entire source base of firefox with a single make command.
Title: Re: Sources and how to build peppermint
Post by: murraymint on April 27, 2017, 07:05:05 pm
Quote
All windows versions from vista onwards are being updated with windows 10 features
Funny, I was just thinking this morning "that's just what THEY would do". ;)

Quote
only VM's see the internet and only through a physical USB-to-ethernet adaptor that is virtually plugged into a VM.
Can anyone explain that to a "virtual n00b"?  ???
Title: Re: Sources and how to build peppermint
Post by: PCNetSpec on April 27, 2017, 08:44:39 pm
Quote
Aims and motivations: Been using peppermint as a guest in vmware VM's since the beginning of your distro, with windows as the host. Now windows is becoming spyware so I want to switch to an open-source host such as peppermint, and an open-source hypervisor such as virtualbox for my VM's. But even in open-source there is the possibility that the binaries you get from repositories have spyware functionality added that does not appear in the source code of C, C++, assembler or whatever you get from the repos as source code. So to be sure I want to build peppermint myself, from the public source code that is less likely to contain spyware functionality because that would destroy the reputation of peppermint. And build ubuntu too. And debian if need be. Nothing must be downloaded as a binary. Kinda like linuxfromscratch.com. Would make it minimal too. The advantage of debian/ubuntu/peppermint compared to linux from scratch is you automatically get informed of security updates.

Okay I get that .. a bit paranoid but then sometimes they ARE out to get you :)

Well the original source code (and patches) for all Ubuntu and Peppermint packages IS available, so there's nothing stopping you building each package and comparing the binaries to check that they were indeed created from the source you're being shown.

It actually raises an interesting question - As Peppermint uses launchpad for our Peppermint specific packages, and you cannot upload pre-compiled binaries to launchpad instead you upload the source package and it gets compiled into the finished package on the launchpad servers, theoretically Ubuntu could inject code into our binaries as they're compiled.

I'm pretty sure if they did that, someone would immediately get shot though .. and it would be super easy to spot.

Then again, how do you know the GNU compilers themselves aren't injecting code (which would be harder to spot without seeing the source code, which you could  never be 100% sure was the ACTUAL source code) .. as I said, you can never be 100% sure of anything, it's all about degree, watching for the unexpected, and intentional obfuscation.
Title: Re: Sources and how to build peppermint
Post by: Ulysses_ on April 28, 2017, 02:13:11 pm
Quote
only VM's see the internet and only through a physical USB-to-ethernet adaptor that is virtually plugged into a VM.
Can anyone explain that to a "virtual n00b"?  ???

It's when you plug one of the following to your computer and windows has no driver for it so it does not work (but even if it did you could still go to the Device Manager and disable it or even remove the driver if you're technical enough) so no internet access for the host, no microsoft spyware updates. But vmware can give the device to a virtual machine and if the operating system of the virtual machine has a driver for it, as linux does, then only the virtual machine can access the internet:

http://www.ebay.com/itm/USB-3-0-to-10-100-1000-Mbps-Gigabit-RJ45-Ethernet-LAN-Network-Adapter-For-PC-/332120241187

For extra security I do not use this device on a linux guest but on a bsd-based pfsense guest, that is a gateway that allows other virtual machines to have access to the internet through virtual network interfaces and virtual cables between the virtual machines.
Title: Re: Sources and how to build peppermint
Post by: Ulysses_ on April 28, 2017, 02:25:28 pm
The catch is, you do not know if vmware has a backdoor that allows full control of the host from the virtual machine, which would negate the above strategy. Hence the need for open source throughout.
Title: Re: Sources and how to build peppermint
Post by: PCNetSpec on April 28, 2017, 02:31:47 pm
I think the biggest security/privacy concerns these days are going to be implemented in hardware such as the "Trusted Platform Module" and the like .. completely bypassing software security, and ensured for the life of the PC.
Title: Re: Sources and how to build peppermint
Post by: Ulysses_ on April 28, 2017, 03:07:03 pm
Do you have any information that points to hardware like that not needing the drivers and an operating system to spy on you?
Title: Re: Sources and how to build peppermint
Post by: PCNetSpec on April 28, 2017, 03:09:58 pm
https://en.wikipedia.org/wiki/Trusted_Platform_Module

My point is that if the hardware is running software/firmware independently of the OS (and it's encrypted, and remote capable) there's zero protection.

I'm not saying this is the case, YET, but we're heading that way.
Title: Re: Sources and how to build peppermint
Post by: Ulysses_ on April 28, 2017, 03:15:26 pm
Where does it say that such hardware can be harmful even if software does not use it?
Title: Re: Sources and how to build peppermint
Post by: Ulysses_ on April 28, 2017, 03:31:58 pm
Here's a more likely scenario. Some computers, such as mine, do not allow you to disable Secure Boot in the UEFI settings at boot time. Therefore you are forced to use an operating system with a kernel approved by Microsoft and signed by Microsoft, which ubuntu and certain other distros are for the time being but libre distros may not be, either now or in the future. Therefore only a few approved kernels will be allowed to exist eventually, and these kernels will be forced to include spyware functionality and it's checkmate.
Title: Re: Sources and how to build peppermint
Post by: PCNetSpec on April 28, 2017, 04:19:58 pm
So you don't think it would be MUCH easier for governments and corporations to implement spyware in hardware .. completely sidestepping the OS, not requiring complicity from the software developers, running underneath the OS so effectively undetectable in software, and irremovable by the users without bricking the system ?

And you don't think we're already moving in that direction where the waters have already been tested in court with who has the rights to modify hardware (such as Xbox and Playstation, and mobile phones), and that it's okay for devices and/or software to spy on you as long as you agree at point of sale (but there are little to no options).

In fact if your BIOS (or some other discrete chip) were "phoning home" your keystrokes right now would you know ?

Now I REPEAT, I'm NOT saying TPM is currently that technology (so stop asking me to provide "proof" that it is), but it is capable of "remote attestation" (google it), the tech exists and the legalities of deployment have all been pretty well established in case law.

I'd be fairly certain it's coming and you're not going to be able to do much about it once it arrives.

Okay, taking my tin hat off now :)
Title: Re: Sources and how to build peppermint
Post by: Ulysses_ on April 28, 2017, 04:42:05 pm
Of course what you say is true, and malicious hardware would have to be connected to the ethernet adapter. So countermeasures are possible, if components such as a usb to ethernet adapter can be clear of malicious hardware.
Title: Re: Sources and how to build peppermint
Post by: PCNetSpec on April 28, 2017, 04:48:41 pm
IF being the operative word .. but when they get around to this do you think they'll give you such an easy "out" as USB (or do you think only USB devices that conform will be flagged as "Trusted" and therefore be allowed to work) ? ;)

The ONLY way to be sure would be to not connect it AT ALL .. and even then you'd probably have to electromagnetically isolate it.

Anyway my point was .. there is NO way to fire up a computer and be certain you're secure.

If you want to compile everything and check all the binaries match .. good for you, godspeed and happy hunting :)

https://www.google.com/patents/WO2010151102A1?cl=en

[EDIT]

BTW, If you find anything untoward during your experimenting with upstream packages please let us know.
Title: Re: Sources and how to build peppermint
Post by: murraymint on April 28, 2017, 05:19:13 pm
Quote
The catch is, you do not know if vmware has a backdoor that allows full control of the host from the virtual machine, which would negate the above strategy. Hence the need for open source throughout.
Thanks for the explanation, and the above was the reason I was asking about it.
Title: Re: Sources and how to build peppermint
Post by: Ulysses_ on April 28, 2017, 05:27:21 pm
No claim was ever made here that now and forever one can be certain they're secure. It is an arms race between free people and bullies. As in all arms races, neither side knows in full what all the other side's capabilities are at any time.

The USB to ethernet to a VM trick of mine is really just an obscurity tactic, counting on not getting too much attention online.

Curiously, people switch their minds off and change topic when they hear it, so that's an added advantage. That's what I've seen elsewhere, not here.
Title: Re: Sources and how to build peppermint
Post by: PCNetSpec on April 28, 2017, 05:39:08 pm
Yep, you're only paranoid if they're not out to get you ;)

I have no problem with what you're attempting here, and would be very interested in your findings .. that said Peppermint makes no claims to be 100% "clean" in any sense .. that claim would be impossible to prove and therefore possibly misleading (not being intentionally misleading is the only thing I can promise) ;)

As with any "distro" we can only "guarantee" our own code and ethics .. we cannot absolutely guarantee code not authored by us that's part of this distribution, in that there has to be a certain amount of upstream trust healthily balanced against community involvement and scrutiny.
(scrutinise away my friend .. it all helps everyone in the end).
Title: Re: Sources and how to build peppermint
Post by: zebedeeboss on April 29, 2017, 01:30:33 am
I got a headache now - Thanks Guys  :-\  :-\  :-\
Title: Re: Sources and how to build peppermint
Post by: PCNetSpec on April 29, 2017, 07:18:31 am
All I'm saying is Team Peppermint can guarantee our own code is clean, but we haven't the manpower to fully audit all Ubuntu packages (that would be a MASSIVE task) and/or third party source code. To a great degree we have to trust that GNU --> Kernel.org --> Debian --> Ubuntu aren't out to get you (until shown otherwise), but so far nobody has shown this beyond possibly the Amazon lens (which we don't use, and wasn't "hidden" to begin with).

If we're carrying any malicious code it would most definitely be from an upstream source (and not us), and it would be a "linux as a whole" problem not just a "Peppermint" one .. and yet even though some of the most paranoid and clever people in the world have their eyes on the code (because they can), nobody is suggesting Linux has a problem.

I personally trust that "open" source "pretty much" guarantees nobody sticks malicious code in there because it would be pretty easy to find, the authors would be ostracised, and the code cleaned up or dumped.

What Ulysses_ is doing is that "many eyes on the code" in action .. he's taking the original source code from say LibreOffice, compiling it, and making sure the binaries produced from compiling it match those included in Ubuntu packages (to make sure Ubuntu aren't "adjusting" the binaries beyond what can be clearly studied in their patches) .. it's PRECISELY this kind of community scrutiny that ensures we're all safe, and keeps companies like Canonical (and us I guess) "in check" :)

Not only don't I have a problem with that, I applaud it .. it's a prime example of what makes open source work.
Title: Re: Sources and how to build peppermint
Post by: Pikolo on May 05, 2017, 06:10:56 pm
I don't think Ulysses will succeed in making a reproducible build (that's the CS buzzword for "getting the same binary in independent compilation") of the whole PMOS system. I know that Debian has been trying really hard to use repeatable builds for a few years now, yet building an .iso is not yet possible that way.

Finding out if a certain package can be built that way shouldn't be hard. About 80% of them are, if I can read https://wiki.debian.org/ReproducibleBuilds correctly. Since Ubuntu often takes packages from Debian unstable, that ratio for PMOS will probably be lower. I applaud your project
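
Added example (not part of any post in this thread, and not Peppermint, Ubuntu or Debian tooling): the rebuild-and-compare check discussed above, in Python, parsing a .deb as an ar archive and hashing the files inside `control.tar.*` and `data.tar.*`, so that a rebuild differing only in timestamps can be told apart from one whose shipped contents differ. The function names and the packages produced by `make_sample_deb` are constructed for this illustration; it assumes gzip, xz or bzip2 members, which Python's `tarfile` can read.

```python
import hashlib
import io
import tarfile

AR_MAGIC = b"!<arch>\n"


def ar_members(blob):
    """Yield (name, data) for each member of an ar archive, the container of a .deb."""
    if blob[:8] != AR_MAGIC:
        raise ValueError("not an ar archive")
    pos = 8
    while pos + 60 <= len(blob):
        header = blob[pos:pos + 60]
        if header[58:60] != b"`\n":
            raise ValueError("corrupt ar member header")
        name = header[:16].decode("ascii").rstrip().rstrip("/")
        size = int(header[48:58].decode("ascii"))
        pos += 60
        yield name, blob[pos:pos + size]
        pos += size + (size & 1)  # member data is padded to an even offset


def payload_digests(deb):
    """Map each path in control.tar.* / data.tar.* to (mode, SHA-256 or link target)."""
    digests = {}
    for name, data in ar_members(deb):
        if not name.startswith(("control.tar", "data.tar")):
            continue
        part = name.split(".", 1)[0]
        with tarfile.open(fileobj=io.BytesIO(data), mode="r:*") as tar:
            for member in tar:
                if member.isfile():
                    value = hashlib.sha256(tar.extractfile(member).read()).hexdigest()
                elif member.issym() or member.islnk():
                    value = "-> " + member.linkname
                else:
                    value = "type " + member.type.decode("ascii")
                digests[f"{part}:{member.name}"] = (oct(member.mode), value)
    return digests


def compare_debs(official, rebuilt):
    """Classify a rebuilt package against the distributed one."""
    result = {"changed": [], "only_official": [], "only_rebuilt": []}
    if hashlib.sha256(official).digest() == hashlib.sha256(rebuilt).digest():
        result["verdict"] = "bit-identical"
        return result
    a, b = payload_digests(official), payload_digests(rebuilt)
    result["changed"] = sorted(k for k in a.keys() & b.keys() if a[k] != b[k])
    result["only_official"] = sorted(a.keys() - b.keys())
    result["only_rebuilt"] = sorted(b.keys() - a.keys())
    differs = result["changed"] or result["only_official"] or result["only_rebuilt"]
    # Same files, same modes, same hashes: only timestamps/compression metadata moved.
    result["verdict"] = "content differs" if differs else "metadata-only difference"
    return result


def make_sample_deb(files, mtime):
    """Constructed fixture: build a minimal .deb-shaped ar archive in memory."""
    def tar_gz(entries):
        buf = io.BytesIO()
        with tarfile.open(fileobj=buf, mode="w:gz") as tar:
            for path, content in entries.items():
                info = tarfile.TarInfo(path)
                info.size, info.mtime, info.mode = len(content), mtime, 0o755
                tar.addfile(info, io.BytesIO(content))
        return buf.getvalue()

    members = [
        ("debian-binary", b"2.0\n"),
        ("control.tar.gz", tar_gz({"./control": b"Package: demo\nVersion: 1.0\n"})),
        ("data.tar.gz", tar_gz(files)),
    ]
    out = AR_MAGIC
    for name, data in members:
        out += f"{name:<16}{mtime:<12}{0:<6}{0:<6}{'100644':<8}{len(data):<10}`\n".encode()
        out += data + (b"\n" if len(data) & 1 else b"")
    return out


if __name__ == "__main__":
    shipped = make_sample_deb({"./usr/bin/demo": b"echo hello\n"}, mtime=1493000000)
    clean = make_sample_deb({"./usr/bin/demo": b"echo hello\n"}, mtime=1493100000)
    altered = make_sample_deb({"./usr/bin/demo": b"echo hello\necho extra\n"}, mtime=1493100000)
    for label, other in (("same bytes", shipped), ("clean rebuild", clean), ("altered", altered)):
        print(label, compare_debs(shipped, other))
```

A "metadata-only difference" verdict still means the package is not reproducible byte for byte; it only narrows the difference down to build-time metadata rather than shipped files.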
Title: Re: Sources and how to build peppermint
Post by: AndyInMokum on May 05, 2017, 06:41:54 pm
Quote
.. it's PRECISELY this kind of community scrutiny that ensures we're all safe, and keeps companies like Canonical (and us I guess) "in check" :)

Not only don't I have a problem with that, I applaud it .. it's a prime example of what makes open source work.
Quote
...Finding if a certain package is possible to be built that way shouldn't be hard to find. About 80% of them are, if I can read https://wiki.debian.org/ReproducibleBuilds correctly. Since Ubuntu often takes packages from Debian unstable, that ratio for PMOS will probably be lower. I applaud your project

I agree, it's really cool what Ulysses is attempting to do.  I'm looking forward to knowing how he gets on and if he finds anything that needs questioning   ;).
Title: Re: Sources and how to build peppermint
Post by: Pikolo on May 05, 2017, 11:44:02 pm
I think the biggest security/privacy concerns these days are going to be implemented in hardware such as the "Trusted Platform Module" and the like .. completely bypassing software security, and ensured for the life of the PC.

If you want to lose the peace of mind on how far you've underestimated the maliciousness of hardware backdoors in your system, read this: https://libreboot.org/faq.html#intel. Just a few weeks ago, Intel admitted someone found a bug affecting most Intel processors since 2010: https://www.theregister.co.uk/2017/05/01/intel_amt_me_vulnerability/

Purging the backdoor is an exercise in electronic engineering: https://hardenedlinux.github.io/firmware/2016/11/17/neutralize_ME_firmware_on_sandybridge_and_ivybridge.html. This is a version for less technical users:
Quote
The ME consists of an individual processor core, code and data caches, a timer, and a secure internal bus to which additional devices are connected, including a cryptography engine, internal ROM and RAM, memory controllers, and a direct memory access (DMA) engine to access the host operating system's memory as well as to reserve a region of protected external memory to supplement the ME's limited internal RAM. The ME also has network access with its own MAC address through the Intel Gigabit Ethernet Controller integrated in the southbridge (ICH or PCH).

The Intel Management Engine with its proprietary firmware has complete access to and control over the PC: it can power on or shut down the PC, read all open files, examine all running applications, track all keys pressed and mouse movements, and even capture or display images on the screen. And it has a network interface that is demonstrably insecure, which can allow an attacker on the network to inject rootkits that completely compromise the PC and can report to the attacker all activities performed on the PC. It is a threat to freedom, security, and privacy that can't be ignored.

Just in case that isn't clear from the quote - the ME is a keylogger with its own network connection, i.e. it is NOT affected by your laptop's firewall.
Title: Re: Sources and how to build peppermint
Post by: Ulysses_ on May 06, 2017, 02:43:15 am
I knew this was coming. And developed a script to run on a separate, much older computer (1999), based on tinycore linux that played the role of the gateway that started by blocking all of the internet, and every time a packet from my peppermint computer arrived at this gateway, it did an inverse DNS lookup and updated a list of detected domain names that it kept on display which also included peppermint's attempted DNS lookups. And it had a prompt where you explicitly accepted a domain name and it unblocked its associated IP and DNS lookups to this domain, or you explicitly accepted an IP. In other words, a block-by-name firewall.

As expected, a lot of connections are attempted even when you do not intentionally put an address on firefox's address box, not sure it was a good thing to block them all except obviously useful ones.
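The decision logic of a block-by-name gateway like the one described in the post above, as an added example that is not the poster's script: a default-deny model that lists every reverse-resolved destination and DNS lookup, and passes traffic only after a name or IP is explicitly accepted. The class, its method names, the PTR table and all addresses (documentation ranges) are constructed for illustration.

```python
class NameGateway:
    """Default-deny gateway that is opened up by domain name or by bare IP."""

    def __init__(self, ptr_table):
        self.ptr_table = ptr_table   # constructed stand-in for live reverse DNS
        self.detected = {}           # label shown to the operator -> IPs seen
        self.allowed_names = set()
        self.allowed_ips = set()

    def on_dns_query(self, name):
        """Client DNS lookup: always listed, forwarded only if the name is accepted."""
        self.detected.setdefault(name, set())
        return name in self.allowed_names

    def on_packet(self, dst_ip):
        """Outbound packet: reverse-resolve, list it, pass only if accepted."""
        name = self.ptr_table.get(dst_ip)
        self.detected.setdefault(name or dst_ip, set()).add(dst_ip)
        return dst_ip in self.allowed_ips or name in self.allowed_names

    def accept_name(self, name):
        """Operator accepts a listed name: unblock its lookups and associated IPs."""
        self.allowed_names.add(name)
        self.allowed_ips |= self.detected.get(name, set())

    def accept_ip(self, ip):
        """Operator accepts a destination that has no reverse DNS name."""
        self.allowed_ips.add(ip)

# Constructed reverse-DNS data.
PTR = {
    "192.0.2.10": "updates.example.org",
    "192.0.2.11": "updates.example.org",
    "203.0.113.5": "telemetry.example.net",
}

def demo():
    gw = NameGateway(PTR)
    before = [gw.on_dns_query("updates.example.org"), gw.on_packet("192.0.2.10"),
              gw.on_packet("203.0.113.5"), gw.on_packet("198.51.100.7")]
    gw.accept_name("updates.example.org")
    gw.accept_ip("198.51.100.7")
    after = [gw.on_dns_query("updates.example.org"), gw.on_packet("192.0.2.10"),
             gw.on_packet("203.0.113.5"), gw.on_packet("198.51.100.7"),
             gw.on_packet("192.0.2.11")]
    return before, after, sorted(gw.detected)

if __name__ == "__main__":
    print(demo())
```

Reverse DNS names are set by whoever controls the address block and often differ from the name the client looked up, so the operator list is a triage aid, not proof of who is on the other end.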
Title: Re: Sources and how to build peppermint
Post by: VinDSL on May 06, 2017, 04:40:16 pm
Just a few weeks ago, Intel admitted someone found a bug affecting most Intel processors since 2010: https://www.theregister.co.uk/2017/05/01/intel_amt_me_vulnerability/

Did you read this part, in the article ?   8)

Quote
Judging from Intel's statement, It's now up to computer makers to distribute the digitally signed firmware patches for people and IT admins to install. That means if your hardware supplier is a big name like Dell, one of the HPs, or Lenovo, you'll hopefully get an update shortly. If it's a no-name white box slinger, you're likely screwed: things like security and cryptography and firmware distribution is too much hard work in this low-margin business. You may never get the patches you need, in other words.
Title: Re: Sources and how to build peppermint
Post by: Ulysses_ on May 24, 2017, 03:20:29 pm
checking happens anyway when people add lines to existing code and sooner or later someone would notice something malicious, make big news of it, and destroy the reputation of the vendor.

Except that, in Julian Assange's words:

"UNIX-like systems like Debian (which he mentioned by name) are engineered by nation-states with backdoors which are easily introduced as 'bugs', and how the Linux system depends on thousands of packages and libraries that may be compromised."

Debian Is Owned By The NSA (https://igurublog.wordpress.com/2014/04/08/julian-assange-debian-is-owned-by-the-nsa)

From the same article:

"Debian famously botched the SSH random number generator for years (which was clearly sabotaged)".
"Speaking of botched security affecting Red Hat, Debian, Ubuntu, Gentoo, SuSE, *BSD, and more, the nightmarish OpenSSL recently botched SSL again (very serious)".

So much for liberte distros. I had a hunch too, that something was fishy about it, even unbeknown to the developers.