Whonix/Gentoo-Port

investigate Gentoo Linux Derivatives


There are quite a few Gentoo Linux Derivatives:
http://en.wikipedia.org/wiki/Category:Gentoo_Linux_derivatives

Perhaps we can learn from or re-use (parts of) their build scripts.

Hi,

most of them are not supported anymore and the rest do not focus on
security. I just now uploaded the latest version of my scripts to the main and
DR site. I will test whether Securix can be built without issues in
VirtualBox, as the Gentoo team often changes dependencies in a way that
the installer might fail, and then share with you easy steps on how to build
your own. It will give you a basic overview of the system.

Thank you


Martin Čmelík

2014-10-10 16:36 GMT+02:00 Patrick Schleizer notifications@github.com:

There are quite a few Gentoo Linux Derivatives:
http://en.wikipedia.org/wiki/Category:Gentoo_Linux_derivatives

Perhaps we can learn from or re-use (parts of) their build scripts.



Hi,

I'm facing some issues related to the encrypted system partition and a change of Gentoo Portage USE flags. Hopefully this will be solved by the end of this week.

Thank you

Hi Patrick,

the issues have been fixed, the rest solved by temp workarounds.

// Install instructions
1] Download:

http://www.securix.org/securix-amd64.iso

2] Create a new virtual machine in VirtualBox (2 CPU, 64bit support, 100GB HDD, ...), set the downloaded ISO as boot
3] When you boot into this host, execute from the shell:

wget securix.org/install.sh

bash install.sh

...let the auto-installer guide you...
Please report any issues to me.

This has to be the base for the Whonix port.

How is that securix-amd64.iso created from source?

most of them are not supported anymore and the rest do not focus on security

Neither of those is a condition for discarding them. If they implemented something like #1 or another form of build automation, we could re-use it and fix the rest.

Securix-amd64.iso is just the Gentoo install CD

We don't need to re-use build automation while Securix has its own... no?

If you really need a generic amd64 for the Whonix port, just let me know

In the meantime, try to install the current version, as I expect that it will take some time until you find a way to fit Whonix on Gentoo

Having something like "download this binary iso http://www.securix.org/securix-amd64.iso" in build instructions is a red flag. Builders would complain about this and rightly so. Either securix-amd64.iso could have been maliciously altered on the server or a man-in-the-middle attack could have maliciously altered it. Among other reasons.

Referring to some iso in build instructions is not really instructions for building completely from source code.

We shouldn't refer to any binary files for builders from source code. To do this right, we should only refer to binary files downloadable from the original project we're building upon: Gentoo.

Patrick, first of all: Gentoo is a source-based distribution... it is not Debian or RedHat

securix-amd64.iso is just the platform (live CD) for the build of Securix, nothing more. It is an unchanged ISO from the Gentoo team; I'm just using older versions, as the Gentoo team usually releases ISOs which have a couple of bugs and the installer is not working properly. This is how Gentoo is installed, always from the minimal install ISO.

I didn't get the point of the MitM attack in relation to the ISO image....?

As mentioned above, installation of Gentoo is from the install ISO. This has been common practice for years.

securix-amd64.iso is just the platform (live CD) for the build of Securix, nothing more. It is an unchanged ISO from the Gentoo team; I'm just using older versions, as the Gentoo team usually releases ISOs which have a couple of bugs and the installer is not working properly.

This is fine. But then it needs to be properly documented.

  • Ideally we can just point to official, https, gentoo.org.
  • If that is not possible.
    • Point out it is unchanged ISO from Gentoo team.
    • Accompanying gpg signature.
    • Document which key signed it. (Link to original source suffices.)
    • Don't rename the file?
    • Snapshot the original website with a service such as http://webcitation.org/archive when picking a snapshot.

I didn't get the point of the MitM attack in relation to the ISO image....?

Builder downloads http://www.securix.org/securix-amd64.iso -> mitm hooks in -> mitm adds backdoor to the iso on the fly -> builder ends up with malicious iso -> builder uses that iso to build and ends up with compromised image.
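
The documentation checklist and the MITM chain above amount to a verification gate in front of the build. An added example (not part of this thread or of the Securix scripts) in POSIX sh, assuming a `sha512sum`-style digest list with a detached GPG signature; the fingerprint value and all function names are placeholders:

```sh
# Added example: fail-closed check of a downloaded install ISO before building.
# PINNED_FPR is a placeholder. Take the real fingerprint from the upstream
# project's own HTTPS site, never from the mirror that served the ISO.
PINNED_FPR="0000000000000000000000000000000000000000"

# Read `gpg --status-fd` output on stdin and print the primary-key fingerprint
# of the signer. VALIDSIG is also reported next to EXPKEYSIG/REVKEYSIG, so a
# GOODSIG line is required as well; BADSIG or a missing key yields neither.
signer_fpr() {
    awk '$1 == "[GNUPG:]" && $2 == "GOODSIG"  { good = 1 }
         $1 == "[GNUPG:]" && $2 == "VALIDSIG" { fpr = $NF }
         END { if (good && fpr != "") print fpr; else exit 1 }'
}

# Succeed only if the SHA-512 of file $1 appears next to its basename in the
# digest list $2 (sha512sum format: "<hex>  <name>" or "<hex> *<name>").
digest_matches() {
    dm_have=$(sha512sum "$1" 2>/dev/null | awk '{ print $1 }')
    [ -n "$dm_have" ] || return 1
    awk -v h="$dm_have" -v n="$(basename "$1")" '
        { f = $2; sub(/^\*/, "", f) }
        $1 == h && f == n { ok = 1 }
        END { exit !ok }' "$2"
}

# Gate for a build script: the digest list must carry a good detached
# signature from the pinned key, and the ISO must match that list.
verify_iso() {   # usage: verify_iso <iso> <digest-list> <detached-sig>
    vi_fpr=$(gpg --batch --status-fd 1 --verify "$3" "$2" 2>/dev/null |
             signer_fpr) || return 1
    [ "$vi_fpr" = "$PINNED_FPR" ] || return 1
    digest_matches "$1" "$2"
}
```

A build script would call `verify_iso` right after the download and abort on any non-zero return, so an ISO altered in transit or on the mirror never reaches the build.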

My link is pointing to the unchanged name of the original ISO (HTTP 301), and the reason why it is not pointing directly to Gentoo is that only the last few versions are left on the Gentoo servers and the remaining ones are deleted, so it might happen that the link will be corrupted in future. The ISO image was uploaded yesterday just because of you, as the first test pilot, but here you have a link where you can verify the GPG signature as well: http://mirror.securix.org/iso/.

btw I know that it has to be properly documented... but even Alpha testers didn't get instructions, as Securix is not out now; you're the first one who can try the installation...

MitM - with the GPG signature from the Gentoo team, it has to be OK

Is it feasible that the install script bootstraps from an .iso, then downloads all necessary sources after encrypted partitioning, and that your script builds hardened from sources?
Without installing any binaries, but once again compiling absolutely everything from source?
I understand we need a binary kickstart somewhere (which is a weak point if not properly audited, signature verification being only one aspect), but dual compilation on separate machines (one for prod, one for audit) and verification of the binary is a possible solution (among audit of the binary).

@martincmelik

Hi,

to clarify it a bit more: the installer is not using binary packages, with the exception of stage3, which is the Gentoo minimal set of applications. Everything else is compiled, and even something from stage3 (bash, gcc, libc), which I'm recompiling during installation in order to build the core with gcc protections.

Does it fit your requirement?

Thank you