Why do people trust binary distros?

Seriously, what's stopping the CIA from implanting their own package maintainers, bribing some or even making their own distro?

Imagine how beneficial it'd be for them to own a Debian package maintainer. Just like that, they could implant a package with a malicious patch into almost every Debian based distro, and there's one that's of particularly great interest to them, namely Tails. But even if they don't own a Debian package maintainer, if they had a man in the right position on some popular Debian based distro like Mint or Ubuntu, that would still be extremely beneficial.

Imagine if some newer, smaller distro was actually started and is literally owned by the CIA. Like, some distro that would be appealing to the kind of people who visit this place (because those are the types of people that would probably be quite appealing for them to monitor), like some hot new systemd free distro or free as in freedom distro or something. Like Artix, antiX, Hyperbola, Obarun, MX Linux or some Devuan based distro or something.
Less likely, but possible, is Void; even if they hadn't started Void themselves, Void is starving for package maintainers, so imagine how easy it'd be for them to push their man in.
Again, less likely, but possible, is Mint. I mean, Ubuntu and lots of other distros were filling the same niche; Mint wasn't really necessary (which is why it wasn't very likely for "civilians" to start Mint, like nobody really needed it, so why would people waste their effort), and by that time it was obvious that Linux was the OS used by people concerned about privacy, and it was still not too late to start a distro that could one day be the most popular normalfag distro, so they could've seen an opportunity to tweak GNOME a bit to make it look like Windows, pitch that to the masses and use their CIA powers to spread it and popularize it; that way, they'd have a popular distro to use to monitor most of the tech illiterate people who switched to Linux for privacy or whatever reason.

And how the fuck anyone can trust Fedora is beyond me, I mean RedHat is literally in cahoots with the NSA, imagine how easy it would be for them to put their people in the right positions in the Fedora project through RedHat.

Literally, the only distro I truly feel safe using is Gentoo with ACCEPT_LICENSE="-* @FREE" and a deblobed kernel.

Nothing. I trust binary distros because I trust in the community to fix problems as they come to light.

It's why we've been moving to reproducible builds. It's not like it really matters though since your software is made by transsexual communists that have been recently taught by their Jewish handlers to bash the fash and the sores itself might contain AIDS.

delet this, just use Windows 10 and accept it. who cares, make money

So I assume you personally read all the source code from source based distros before you compile anything, but after you download it?
Otherwise, what's the practical difference?

They already have and the implant is called SystemD.

Inb4 the systemd/debian voted things in for your own good goyim shill

There was an easter egg related to a James Bond movie in the old logind code that systemd replaced that none of your 'many eyes' ever saw. So be glad the new systemd code is much better audited.

You're right of course. In fact I suspect that heartbleed was put in OpenSSL deliberately.

Aren't packages cryptographically verified? Of course the maintainer could supply a fraudulent package to begin with.

How is this fixed by compiling your own software though? Wherever you downloaded the source files from can also mess with it. Even if you downloaded it straight from the programmer, I'm sure the feds could set up some kind of MITM system where you download it from them instead. All the source sites could be compromised too, I mean Microsoft owns GitHub for fuck's sake. They could replace the source code of projects without the original programmer even knowing, I bet it's all backdoored to hell, and if it's not it's just a question of time until it is. Unless you audit all the code yourself you can't really be sure.

I feel quite comfortable using OpenBSD where the whole system is audited. You get all you need for the basic operating system, but things like web browsers and productivity apps are downloaded from user made repositories, which of course is a threat vector, but the base system should be safe. Of course someone could infiltrate OpenBSD development, but with how autistic they all are, and how obsessed with code correctness they are, and how even incorrect documentation is tagged as a critical bug, I think it would be rather hard for such an infiltrator to be able to insert malicious code without it being known for long.

Bing "reproducible builds".

You could have posted the link
reproducible-builds.org/

Simple things fuck with the binary like use of the FILENAME macro gives "/home/user/projects/main.c" on my PC but "C:\Users\fagot\work\main.c" on OP's PC.
Automatic build timestamps are further cancer. Build timestamps are the idiot's version number. You won't believe how many projects still use them.
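The effect described above, as an added example that is not code from the thread: a toy shell "build" that embeds the absolute checkout path and the build time in its output, the way `__FILE__` and `__DATE__`/`__TIME__` would in a C program, built twice from two different checkout paths, beside a variant that records the path relative to the source root and takes its timestamp from `SOURCE_DATE_EPOCH` (the convention documented at reproducible-builds.org). The function names `naive_build`, `repro_build` and `compare_builds` and the two checkout directories are my own constructions; `sha256sum` from coreutils is assumed.

```shell
#!/bin/sh
# Added example, not code from the thread: why two builds of identical source
# can differ, and what a rebuilder's comparison looks like. Assumes sha256sum
# (coreutils). Function names and directory layout are constructed for the demo.

# Naive "build": embeds the absolute source path and the build time in the
# output, a stand-in for what __FILE__ and __DATE__/__TIME__ do in a C build.
naive_build() {
    srcdir=$1; out=$2
    printf 'built from %s at %s\n' "$srcdir/main.c" "$(date -u +%s)" > "$out"
    printf 'payload: hello\n' >> "$out"
}

# Reproducible "build": records the path relative to the source root and takes
# the timestamp from SOURCE_DATE_EPOCH, so the output depends only on the
# source and on declared build inputs, not on where or when it was built.
repro_build() {
    srcdir=$1; out=$2
    : "${SOURCE_DATE_EPOCH:?set SOURCE_DATE_EPOCH to a fixed value}"
    printf 'built from %s at %s\n' "main.c" "$SOURCE_DATE_EPOCH" > "$out"
    printf 'payload: hello\n' >> "$out"
}

# Build the same source from two checkout paths (a developer's home directory
# and a build daemon's directory) and compare the digests, as a rebuilder
# checking a distributed binary would. Returns 0 if identical, 1 if they differ.
compare_builds() {
    builder=$1
    work=$(mktemp -d)
    mkdir -p "$work/home/alice/proj" "$work/srv/buildd/proj"
    "$builder" "$work/home/alice/proj" "$work/a.bin"
    "$builder" "$work/srv/buildd/proj" "$work/b.bin"
    h1=$(sha256sum "$work/a.bin" | cut -d' ' -f1)
    h2=$(sha256sum "$work/b.bin" | cut -d' ' -f1)
    rm -rf "$work"
    echo "$builder (checkout 1): $h1"
    echo "$builder (checkout 2): $h2"
    [ "$h1" = "$h2" ]
}

# Usage: `sh build_demo.sh demo` -- the naive build differs between the two
# checkouts, the SOURCE_DATE_EPOCH build does not.
if [ "${1:-}" = "demo" ]; then
    compare_builds naive_build && echo "naive: reproducible" || echo "naive: NOT reproducible"
    export SOURCE_DATE_EPOCH=1522279549
    compare_builds repro_build && echo "repro: reproducible" || echo "repro: NOT reproducible"
fi
```

The point of the comparison is that a second, independent build of the same source is the check the distro's users can actually run against a shipped binary; that check is only meaningful once the path and timestamp inputs have been removed from the output.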

source?

I'm the source. If you had a specific login name, on logout you'd get a little quote about "going down?" like from whatever Bond movie. I'd have to find it again in the source.

Security is very important. That's why 100% of the software on my system was written by people I've never met and couldn't name.
Now, using that software as compiled by others would be incredibly foolish, that's why I spend 3 hours a day compiling said software, which means I'm secure.

Binary distro means the problems will never come to light
That's the entire issue

Just keep all your secret/sensitive shit in cold storage
Be like Snowden and use TAILS (or HEADS) for anything that isn't normie shit like watching youtube
Don't put your CP collection on the cloud

Debian made it a project to get everything reproducible in their releases (only RedHat has similar engineering power to tackle large projects like this that have to push changes to thousands of packages upstream). It's getting close to being fully reproducible.
wiki.debian.org/ReproducibleBuilds

CP is safe in the cloud if properly encrypted.

You don't seem to know how Gentoo works.
It gets tarballs from the upstream.
The code I compile here on my machine is verified upstream code.
There's no need for me to check that code because there are plenty of people who go through that in the upstream.
The difference is that in binary distros, the package maintainer compiles the code from the upstream and can implant a malicious patch before distributing the binary version.

In practice, if other distro maintainers don't compile the thing themselves to check the integrity of the binary, no one will, and I'm pretty sure no one questions the senior package maintainers; but even if they do, imagine if the distro is literally owned by the CIA, and by that I mean, ofc, not that every distro maintainer is a CIA agent, but only the core maintainers, the ones no one questions.
Gentoo is a different story, because anyone can read ebuilds and people do read them, so the CIA pushing a malicious ebuild would be highly unlikely, because it's likely enough that someone would read it.
It's much less likely that binary distro users will compile the shit themselves just to check the integrity of the binaries. No Mint user is gonna check the binaries. Do Artix or MX Linux users check their binaries? I don't think so.

You are assuming that they are competent and paying attention. The fact is the libre community is full of mentally ill trannies that are more likely to inject bad code than they are to report or fix it.

>(((community))) actually applies patches users submit
you might as well just ignore your particular flavor of linux's bug tracker and just go straight upstream, the xir's there might actually pay attention to your concerns, but probably not, they'll be more concerned that you get their pronouns right.

oh and let's not forget
NOTABUG WONTFIX
...
18 months later

What's easier and less likely to be discovered, trying to commit a malicious patch on github or starting a distro like antiX, Artix, Hyperbola, Obarun or MX Linux and patching the software from the upstream with your malicious piece of code before compiling it and distributing it as a binary?

Compromising a package maintainer or having an agent work hard to gain trust and become a package maintainer himself may not be easier, but it's still less likely to be discovered if pulled off correctly, and come on, it's the fucking CIA, they can pull something like that off. It's just a question of whether it would pay off, and in my opinion it would; as I said, imagine how beneficial it would be for them to own a Debian package maintainer (less likely) or a Fedora package maintainer (definitely likely) or have a man in the right position on the Mint or Ubuntu project.

You're now talking as if those kinds of people aren't a small minority of FOSS devs.
And all the important shit worth compromising is in the hands of competent devs, not mentally ill trannies.
And even if the mentally ill trannies were in charge of a program worth compromising, they may produce some low quality code, but those commies at least wouldn't sell themselves to American law enforcement agencies.
And again, what's easier, searching for exploits or just patching the code and distributing a malicious binary?

Hi reddit

Actually this is still easier than trying to commit a malicious patch to something that competent devs are in charge of.

And even if they manage it, again, what's more effective?
Pushing some patch that opens up a small vulnerability that can be exploited and used in roundabout ways before it's inevitably discovered or literally imbuing the upstream code with spyware before distributing the binaries that no one is taking a good look at?

Anyone can read build scripts, Gentoo has enough people who read ebuilds or who are likely to read them; each ebuild is likely to be read by someone other than its maintainer at some more or less close point in time, especially the important ones; even if an ebuild is somehow compromised, someone will eventually discover it.
I myself had to read the ebuild on two separate occasions.
Trying to compromise a build script doesn't pay off.
Nobody "reads" binaries though.

Even if you do trust them, they were actually compromised a few years back. Intruders managed to sign their own packages.
redhat.com/security/data/openssh-blacklist.html

If someone else does it while allowing me to check how everything works, I don't see a problem.

you haven't made an argument against anything I've said though

It's important to trust people on everything except ./configure && make

Look, what it all boils down to is that binary distros are much more likely to have compromised packages than source based distros, and the question:

I trust Gentoo enough to use it (I've explained why in my previous posts).
Yes, it does take some faith. Basically
But to trust a binary distro, especially something like antiX, Artix, Hyperbola or MX Linux or even Mint or Parabola or something takes a lot more faith. That much faith I simply cannot have in a distro and I don't know how other people can.
How can people trust binary distros when there are such obvious scenarios in which they can be compromised that simply don't exist for source based distros?
(I don't want to repeat myself here, go read the OP again and my other posts)

KILL YOURSELF

I mean he has some valid points, how do you know if you aren't botneted if you can't review the source code before the installation?
The fact that most popular GNUlinux owo desktop threads are made by the haxxorz instead of companies makes Gentoo a really reasonable choice

That is unbelievably hard. I could have given you full Intel processing specs, and you still wouldn't have found the Spectre bugs.

Name non binary repos? I tried installing gentoo, but you still need a binary to bootstrap off of. I tried LFS, but you need to have a gcc binary to do the initial pass of compilation.
t. ken thompson

based on what

Every line of systemd was pored over by haters to find anything at all to complain about. So yes, it's been extremely well audited.

The distros are called tails and redhat server edition.
Op is a faggot.

The solution is CD-ROM based source code packages from 10-15 years ago. If you don't like that then use the weirdest and most insane optimization/error checking options for *insert compiler here* as to avoid obvious code cutting backdoors

Your solution has a problem when the CIA fucks with the source code at the developer level.
Since the CIA owns github and gitlab via microscam now, malicious patch at source code. Since you can add a botnet to programs as people download the source code and the SHA or verification always shows the modified source. If you are worried about the original devs seeing the modified source SHA fuckery then have the SHA change based on login accounts/IP addresses.

The autists using the distro are living proof of said dedication.

Systemdicks has many haters, but few are competent programmers and even fewer are competent security auditors. Care to back up said audit with a source?

FTFY OP!
If you can't DCC and 3x audit what's compiled, you are already fucked!
Nvm self-built hardware, the distro needs to be reaudited by several compilers!

IPFS-based distro when?

Nobody's retarded enough to waste their life cleaning up after Pottering. We can instead just run another init, and not have to deal with his stupid shit.

even as a joke, no

nice LARP

I like the NixOS and Guix way of doing things.

did they think this through?

I've wondered about this myself.

The software you use may be open source and trustworthy up there in the git repos, but what's on your computer is not "open source" and not necessarily the same thing from the git repos.
It's compiled binaries you have no feasible way of auditing.
Your program didn't simply teleport itself from the git repo to your machine where it magically turned out compiled.
It went through multiple points in between and it may have been tampered with at any of them.

So, unless you're using a mature and well established distro with confirmed good security practices and trustworthy maintainers which have been around as active community members for long enough and are known to be principled men of integrity, the "open source" software you end up with comes not only with the same uncertainty which is intrinsic to any closed source software, but the kind of uncertainty that comes with a pirated copy of Windows sold to you on a CD by some gook in a back alley.

What we generally consider trustworthy stands entirely on a handful of traits that are easy to emulate. Hell, image building and destroying is fucking lucrative business.

There is a better plan right now though,

Nothing. That's why you should audit every single line of code, including the kernel. See you in 20 years.

fell for bait. snowden's family involved with CIA and he was a fucking CIA to start with

or just use gentoo

gentoo has several backdoors in portage and there's untold amounts in the linux kernel

Don't use portage then and use an alternative. Also care to list these backdoors?

Debian, as usual, is leading the way on this with reproducible builds where they (and you) can check that the maintainer didn't slip something in. Some of the other highly motivated distros are going to attempt to ride their dicks but even with the bulk of the engineering being done by Debian (fixing programs that have non-determinism in their build scripts) it's a lot of work.

File and line number of the backdoors?

gpg verification is not enabled by default and none of the mirrors are https

I'm not going to shell out my time for a 20 second google search, it's common knowledge.
You should be able to find it even through auditing the code yourself. It's open source, it shouldn't be that hard.

you're dumb

It's not about upstream code you moron.
Read

OP, I like how you think. Right now, I use Debian GNU/Linux, should I switch over to Gentoo GNU/Linux? You probably heard this question a million times but, what are the benefits of switching to gentoo? All I can think of is you can debloat the kernel and useflags/compiling from source. Is there anything else besides that?

Hey there retarded weeaboo fatass faggot, open source != secure. You might as well install and use binaries if you aren't reviewing every bit of the source code yourself. Otherwise compiling from source is a waste of time. And no, I don't believe for a second that you read the millions of lines of code in the Linux kernel alone.

The NSA being able to backdoor your system isn't even an issue in itself. The problem is that anyone who isn't the NSA can use these backdoors. Unless you're some kind of pedophile, the NSA won't do shit to you. But Rajj from India will steal your credit card info and make you kindly send 1BTC dollars to his address to unlock your machine sir.

So fuck off with your childish understanding of the importance of privacy and open source software. I bet you're using a cell phone and a desktop/laptop that has an IME/PSP and the stock EFI. At my company (a US DoD subcontractor) they've warned us that any screen or document or area we pass a cell phone camera in front of is automatically compromised. I recommend that you neck yourself now, you fedora tipping fuck.

Why trust anything? Anything could be botnet, you can't trust anything anyone else made. How can you trust that your car doesn't have a GPS tracker in it? How can you trust that your house is stable unless you rip down the walls and look and examine everything? You've got to trust other people to some degree, it's part of being an adult.

Absolutely.
From Debian? Easy.
Gentoo is both stable and up to date (unlike Debian).
Because Gentoo is source based, you can mix stable and bleeding edge without anything breaking, basically portage will keep your system consistent by rebuilding what needs to be rebuilt and updating what needs to be updated.
Basically you can install any version of any package without your system breaking (like Debian would) because it's designed to work.
No "dependency hells".
You can even have multiple versions of the same package installed at the same time due to an advanced portage feature called slotting.
You can easily apply patches just by putting them in the appropriate directory and portage will take care of it.
The deb binary package format is shit. It's shit for maintaining and dealing with in general.
Gentoo uses build scripts called ebuilds which contain instructions for Portage on where to download the source from, what to do with it, where to install it, etc.
Ebuilds are simple and easy to read, edit, write and maintain (unlike deb files).
Overlays. Those are user ebuild repos (like the equivalent of AUR for Gentoo). Lots of packages in them, not to mention there's lots of packages in the main repo as well.
Combined the number is probably pretty close to Debian package count.
No systemd.
Top tier documentation and support, large and helpful community surrounding it (if you run into an issue, feel free to ask on #gentoo on Freenode).
God tier package manager.
Power, customizability, flexibility, control, freedom of choice, etc.
Most importantly, it just works.

Also, it's rolling release.

You are making my dick hard, can you stop?
Hmmm, so what's the difference between Gentoo and Funtoo then?

So I just spent the last few hours going over every modified package in Devuan since no one seems to know exactly what this thing is. I looked through the history of every package that is a modified Stretch package and checked the diffs. TL;DR it's a joke.

Funtoo is pretty much no different than Gentoo.
The main dev introduced some minor changes to portage and whatnot, had to fork some ebuilds I suppose and decided fuck it since I gotta maintain this stuff, why not make it a new distro.
I don't know much about it, really, you should check it out yourself if you're interested.
They provide debian kernels and some different profiles iirc so that's nice for some people I suppose.
They also have some nice general GNU/Linux guides and tutorials on their wiki, like on using awk, sed, bash, LVM, networking, ZFS, etc.

Maybe nobody cared enough to complain about it? Easter eggs are very common.

meme distro being meme
nothing to see here

Funtoo is what Gentoo should've been if it wasn't for too much elitism and internal squabbling by the Gentoo team.

And since SystemD isn't yet a kernel dependency in Debian, bootstrapping with a Debian kernel makes sense since you can get a system up and running quicker.

No, fuck you. You're the dev, I expect you to release your crappy stuff in a format that is ready-out-the-box. I do not want to spend 3 days fruitlessly trying to figure out why your shitty makefile keeps throwing errors. I mean, FFS! Did you even TEST your makefile?

Meanwhile on Windows, "it just werks" and you triple niggers wonder why everybody uses Windows. News flash: we tolerate Microsoft's bullshit because your bullshit fucking sucks. B-b-but muh platform differences! Fuck off retard, if Microsoft can force all platforms to play nice, so can you.

What is the point? This post shows exactly what Devuan is intended to be: a systemd-free Debian. So it is normal to see that the packages are entirely from Debian, removing the ones dependent on poteringD.

That people say you can't use Debian without systemd as init and that Devuan has had to make huge changes to 'thousands' of packages to change that. Turns out both are untrue - it's almost nothing more than logos and it doesn't let you do anything you couldn't already do on Debian.

Every change falls into one of these categories:
- changing logos, themes, distro name, URLs, email addresses, gpg keys, tooling
- removal of optional systemd support (libsystemd0)
- unnecessary replacement of Lennart's other projects
- modifying xbill to xlennart
- additions of personal software projects

I don't see a reason to remove optional systemd support, but if that's your thing, that's about the only value it has. I'd rather be able to choose what init I use just like any other program.

Remind me how well that went for OpenSSL?

You don't seem to know how gentoo works. Source files themselves are downloaded either from upstream or from mirrors, the files are checked against the hash that is stored inside portage's manifests, and the portage tree itself is verified by digital signature. In order to do a targeted malicious patch the attacker would need to break three different systems. It's still not perfect and I for one would like to see reproducible builds implemented on portage as well for an extra layer of security (and to make binhosts more viable for most of gentoo usage)
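What the Manifest check described above looks like in practice, as an added example that is neither portage's code nor the poster's: a maintainer-side function that records a distfile's size and SHA512 in a Manifest-style `DIST` line, and a user-side function that refuses a fetched copy whose name, size or digest does not match. Real Manifests also carry a BLAKE2B digest and the whole tree is signed; this shows the hash layer only. `sha512sum` from coreutils is assumed, and the function names and the `foo-1.0.tar` file are constructed for the demo.

```shell
#!/bin/sh
# Added example, not portage's code: the distfile-vs-Manifest check, reduced to
# size + SHA512. Real Manifests read "DIST <name> <size> BLAKE2B <hex> SHA512 <hex>";
# BLAKE2B is omitted here because b2sum is not available everywhere.
# Assumes sha512sum (coreutils). All names and file contents are constructed.

# Maintainer side: record the size and SHA512 of the upstream tarball as one
# Manifest-style DIST line.
make_manifest_entry() {
    f=$1
    size=$(wc -c < "$f" | tr -d ' ')
    sum=$(sha512sum "$f" | cut -d' ' -f1)
    printf 'DIST %s %s SHA512 %s\n' "$(basename "$f")" "$size" "$sum"
}

# User side: check a fetched file against the Manifest. Returns 0 only when a
# DIST line exists for this name and both the size and the digest match; any
# other outcome is a failed fetch, which is how portage treats it.
verify_distfile() {
    f=$1; manifest=$2
    name=$(basename "$f")
    entry=$(grep "^DIST $name " "$manifest") || return 1
    want_size=$(printf '%s\n' "$entry" | awk '{print $3}')
    want_sum=$(printf '%s\n' "$entry" | awk '{print $5}')
    [ "$(wc -c < "$f" | tr -d ' ')" = "$want_size" ] || return 1
    [ "$(sha512sum "$f" | cut -d' ' -f1)" = "$want_sum" ] || return 1
}

# Demo: a genuine mirror copy verifies; a copy with one byte changed (same
# size, so a size check alone would pass) is rejected. Returns 0 if both
# outcomes are as expected.
demo() {
    work=$(mktemp -d)
    printf 'int main(void){return 0;}\n' > "$work/foo-1.0.tar"   # constructed "upstream" tarball
    make_manifest_entry "$work/foo-1.0.tar" > "$work/Manifest"
    mkdir "$work/mirror"
    cp "$work/foo-1.0.tar" "$work/mirror/foo-1.0.tar"
    if verify_distfile "$work/mirror/foo-1.0.tar" "$work/Manifest"; then genuine=0; else genuine=1; fi
    printf 'int main(void){return 1;}\n' > "$work/mirror/foo-1.0.tar"   # tampered on the mirror, same size
    if verify_distfile "$work/mirror/foo-1.0.tar" "$work/Manifest"; then tampered=0; else tampered=1; fi
    rm -rf "$work"
    echo "genuine copy accepted: $([ "$genuine" = 0 ] && echo yes || echo no)"
    echo "tampered copy accepted: $([ "$tampered" = 0 ] && echo yes || echo no)"
    [ "$genuine" = 0 ] && [ "$tampered" = 1 ]
}

# Usage: `sh manifest_demo.sh demo`
[ "${1:-}" = "demo" ] && demo
```

This layer only protects against a mirror or a transit path altering the file; it says nothing about the tarball the maintainer hashed in the first place, and the Manifest itself is only as trustworthy as the signature on the tree that carries it, which is the part of the check the poster's "three different systems" refers to.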

Well said.

Hey moron
Binary distros are moving towards reproducible builds
Gentoo was vulnerable to MITM up until 2018, yeah sure those developers are trustworthy
Three letter agencies contribute to linux itself, it has backdoors.

Can I build and install Debian from source, like Gentoo?

Sounds like more useless work to get to the fucking

what's stopping the CIA from merging their source code into packages
in fact linux already has 7+ backdoors
you're dumb

Says the guy not running a Python computer.

Right now I'm on Slackware which is a binary install and you install packages from source afterwards. I'm thinking of going full Gentoo with the X200 Thinkpad I just bought, however I don't want to spend days compiling Firefox and Libreoffice, so I'm planning on cheating and getting the binaries for those from Portage. What other packages take ridiculously long to compile on an X200 Thinkpad? Qt5? I don't want to cheat too much, otherwise that'd defeat the purpose of a source-based distro.

Most people don't have the mental energy for Gentoo.

All the packages that take long to compile have a binary alternative.
But don't bother, just let them compile, you don't have to update every single day.
Do like me, I forbid myself from updating if I've updated less than 30 days ago, and then I update when the computer is not going to see use during the day, and usually it takes ~4 hours to compile everything, although I have a high end CPU.

Bull fucking shit. Lots of Gentoo documentation is outdated or missing entirely.
That is probably its weakest selling point ignoring the new CoC.

And gentoo support is either none, the arch forums or being ignored at the official IRC.

Now this is bullshit.
I've been to the IRC and the Gentoo forums hundreds of times and they've always given me an answer or a place to start looking.

First time I see someone complain about Gentoo documentation.
I'm sure you've got lots of examples to provide then.

Gentoo is absolute shit. Funtoo killed it years ago.

Your post is absolute shit.
The least you could do is elaborate.