altairprime 2 hours ago

> I would never ever trust Linux from a vendor. If it's not installed by myself, I refuse to use it.

I bet you would, though, if the built OS image were 100% reproducible except for the signature. Once you have a fully reproducible Linux OS build, you can literally copy paste the cryptosig from the vendor and it will work with the image you built yourself from source that you inspected yourself. Then it’s impossible for the government to tap it without breaking the reproducible image checksum and thus the published cryptosig. It’s a better defense than any warrant canary would be, and it satisfies your concerns fully.

Arch shows only 15 packages left for their core OS to be built reproducibly; what I don’t see at their dashboard is the state of their ISO build reproducibility, but I imagine that’s the same as the core, so maybe it’s just unstated for obviousness. https://reproducible.archlinux.org/

Does GrapheneOS publish their repro build efforts as a dashboard anywhere?
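The property described in the comment above, as an added example that is not part of the original thread: a detached signature over an image's digest verifies any bit-identical rebuild and rejects anything that differs by a single byte. The toy key, the `build` function and the sample data are constructed assumptions; textbook RSA stands in for a vendor's real signing scheme and is not secure.

```python
import hashlib

# Constructed demo key from two known Mersenne primes. Textbook RSA with no
# padding is an illustrative stand-in (assumption), not a secure signature.
P, Q, E = 2**127 - 1, 2**521 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))  # vendor's private exponent


def digest_int(image: bytes) -> int:
    return int.from_bytes(hashlib.sha256(image).digest(), "big")


def vendor_sign(image: bytes) -> int:
    """Vendor side: detached signature over the image's SHA-256 digest."""
    return pow(digest_int(image), D, N)


def verify(image: bytes, signature: int) -> bool:
    """User side: needs only the public key (N, E), an image and the signature."""
    return pow(signature, E, N) == digest_int(image)


def first_difference(a: bytes, b: bytes):
    """Offset of the first differing byte, or None if bit-identical."""
    for i, (x, y) in enumerate(zip(a, b)):
        if x != y:
            return i
    return None if len(a) == len(b) else min(len(a), len(b))


def build(source: bytes, timestamp: bytes = b"") -> bytes:
    """Hypothetical build step: deterministic unless a timestamp leaks in."""
    return b"IMG1" + hashlib.sha256(source).digest() + source + timestamp


SOURCE = b"constructed source tree"
vendor_image = build(SOURCE)
vendor_sig = vendor_sign(vendor_image)         # published next to the image

local_image = build(SOURCE)                    # rebuilt from inspected source
nonrepro_image = build(SOURCE, b"2024-01-01")  # same source, embedded build time
tampered_image = vendor_image[:-1] + b"X"      # one byte changed after signing

if __name__ == "__main__":
    for name, img in [("local", local_image), ("non-reproducible", nonrepro_image),
                      ("tampered", tampered_image)]:
        print(name, verify(img, vendor_sig), first_difference(vendor_image, img))
```

The non-reproducible case shows why the build has to be bit-for-bit identical before the vendor's signature says anything about an image built locally.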

fph 11 minutes ago

> Does GrapheneOS publish their repro build efforts as a dashboard anywhere?

Instructions to fully reproduce a build are here: https://grapheneos.org/build#reproducible-builds (disclaimer: I never tried using them).

doublerabbit 39 minutes ago

> I bet you would, though, if the built OS image were 100% reproducible except for the signature.

CryptoSecure, depends how done but again, neither can be fully trusted when they were headed by government agencies in the past.

I don't trust Linux now that Microsoft got mitts on it with WSL. RedHat sold out to IBM and Debian got in bed with Canonical. Arch & Valve I might lean more to but then again I guess they've got to make money somehow.

I use FreeBSD and I don't trust that either unless I can do make install world.