
Let's say there is an open-source application with binaries available in .tar.xz format, but not as a .deb package. And there is a .deb package in the Debian SW repository apparently built by the Debian community.

Given that I trust the application itself, can I also trust its version in the Debian repository? The Debian team claims that they "take security very seriously". But how does it look in practice? Can I be sure that the security team reviews all submitted packages and verifies that the code was not altered before being packaged? Or do they only react (e.g. remove the package from the repo) after an incident?

(To anticipate a question: it is beneficial to use the .deb package because it simplifies updates and overall maintenance.)

Trudy
    "verify that the code was not altered before being packed up" ... In the Debian maintainer's guide there's a section named "Fix Upstream Bugs". From this it may be inferred that maintainers do actively modify the source before distributing; maintainers are permitted to make changes. I cannot comment on how such patches are peer reviewed. – Philip Couling Apr 28 '20 at 14:43

3 Answers


The Debian Security Team does not review all packages before upload because they are a small group of volunteers and there are over 67,000 packages in the archive. I'm not aware of any other Linux distro (or other major project or distributor) that has such a procedure, either.

However, the Debian build daemons do build every package from its source, so you can download the source package (with apt-get source PACKAGENAME) and verify the tarball and patches are as you expect them to be. All source packages are cryptographically signed, as is the archive, so you can be sure that the packages have not been modified from the source that was uploaded.

Debian also has an initiative to build all packages reproducibly so that you can produce a bit-for-bit identical package on your own and verify that nothing has been tampered with. There is a list of packages which do and don't build reproducibly.

In general, Debian is widely considered a trustworthy source of binaries and numerous major organizations use it, although of course you must make your own determination. If you really need every binary and binary package audited, then you'll have to manage that yourself, since I'm not sure that any OS distributor of any size provides that service.

bk2204
  • 1. Couldn't find a similar list of unreproducibly built packages for the stable release. Does it mean that only reproducibly built packages get into stable? 2. Does it mean that all packages in the Debian repo are always built from sources, even if there are binaries available from the application authors (see my original question)? 3. Do you know if there is any published Debian policy for build reproducibility and other security requirements for packages in the repo?
  • – Trudy Apr 29 '20 at 07:20
  • No, it means other than security updates and a few non-security updates, all packages are uploaded to unstable first and progress to stable. 2. All packages in main must build from source, even if upstream binaries are available. contrib and non-free are encouraged but not guaranteed. 3. There's a SHOULD requirement.
  • – bk2204 Apr 29 '20 at 11:17
  • I should have expressed myself better. Though, there is the same list for the stable release (under its codename).
  • – Trudy Apr 29 '20 at 12:12
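The answer above says the defence is to fetch the source package with apt-get source and "verify the tarball and patches are as you expect them to be". Below is an added example of what that check looks like mechanically; it is not code from the question, the answer, or Debian. It parses the Checksums-Sha256 stanza of a .dsc, confirms each listed file beside it has the recorded size and hash, and then does the one step apt does not do for you: compares the .orig tarball against the checksum upstream published. The package name "foo", the file contents and the "upstream" hash are constructed stand-ins so the script runs offline; real .tar.xz archives are not needed for the checksum logic.

```bash
#!/bin/bash
# Added example (not from the question, the answer, or Debian itself): the
# mechanics of checking a downloaded Debian source package against its .dsc
# and against the tarball upstream published. Package name "foo" and all file
# contents are constructed stand-ins.
set -eu

sha256_of() { sha256sum "$1" | cut -d' ' -f1; }

# Print "hash size filename" for every entry in the Checksums-Sha256 stanza of
# a .dsc. Entries are the continuation lines (leading space) that follow the
# field name; the stanza ends at the next unindented line (e.g. "Files:").
dsc_sha256_entries() {
    awk '/^Checksums-Sha256:/ { on = 1; next }
         /^[^ ]/             { on = 0 }
         on && NF == 3       { print $1, $2, $3 }' "$1"
}

# Check that every file the .dsc lists sits beside it with the recorded size
# and SHA-256. dscverify(1) from devscripts does this after checking the
# signature on the .dsc; it is done by hand here so the logic is visible.
# Returns 1 on any missing file or mismatch.
verify_dsc_files() {
    local dsc=$1 dir list bad=0
    dir=$(dirname "$dsc")
    list=$(mktemp)
    dsc_sha256_entries "$dsc" > "$list"
    while read -r hash size name; do
        local path="$dir/$name"
        if [ ! -f "$path" ]; then
            echo "missing: $name"; bad=1; continue
        fi
        if [ "$(wc -c < "$path" | tr -d ' ')" != "$size" ] || \
           [ "$(sha256_of "$path")" != "$hash" ]; then
            echo "mismatch: $name"; bad=1
        fi
    done < "$list"
    rm -f "$list"
    return "$bad"
}

# The step apt does not do for you: compare the .orig tarball with the checksum
# upstream published (from their release page or a signed SHA256SUMS you fetched
# yourself). A Debian "+dfsg" repack legitimately differs here, so a mismatch
# means "find out why", not automatically "tampered".
orig_matches_upstream() {
    [ "$(sha256_of "$1")" = "$2" ]
}

# Build a constructed source package in a temp dir and print its path.
make_demo_source_package() {
    local d f; d=$(mktemp -d)
    printf 'constructed stand-in for the upstream foo 1.0 release\n' > "$d/foo_1.0.orig.tar.xz"
    printf 'constructed stand-in for the debian/ directory\n' > "$d/foo_1.0-1.debian.tar.xz"
    {
        echo 'Format: 3.0 (quilt)'
        echo 'Source: foo'
        echo 'Version: 1.0-1'
        echo 'Checksums-Sha256:'
        for f in foo_1.0.orig.tar.xz foo_1.0-1.debian.tar.xz; do
            printf ' %s %s %s\n' "$(sha256_of "$d/$f")" "$(wc -c < "$d/$f" | tr -d ' ')" "$f"
        done
        echo 'Files:'   # MD5 stanza, filler only; not used by the checks above
        echo ' 00000000000000000000000000000000 0 foo_1.0.orig.tar.xz'
    } > "$d/foo_1.0-1.dsc"
    echo "$d"
}

# Run the checks on the untouched package, then on a modified orig tarball.
# Returns 0 only if the untouched package passes and the modified one fails.
demo() {
    local d upstream_hash
    d=$(make_demo_source_package)
    upstream_hash=$(sha256_of "$d/foo_1.0.orig.tar.xz")   # stands in for upstream's published value

    verify_dsc_files "$d/foo_1.0-1.dsc" || return 1
    orig_matches_upstream "$d/foo_1.0.orig.tar.xz" "$upstream_hash" || return 1
    echo "untouched package: OK"

    printf 'x' >> "$d/foo_1.0.orig.tar.xz"                # simulate an altered orig tarball
    if verify_dsc_files "$d/foo_1.0-1.dsc"; then return 1; fi
    if orig_matches_upstream "$d/foo_1.0.orig.tar.xz" "$upstream_hash"; then return 1; fi
    echo "altered package: detected"
    rm -rf "$d"
}

demo
```

In practice, apt-get source already checks the downloaded files against the Sources index, which is covered by the signed Release file, and dscverify (devscripts) checks the maintainer's signature on the .dsc against the Debian keyrings; the upstream comparison is the part you have to supply yourself, since nothing in the archive knows what upstream shipped. Many packages carry debian/upstream/signing-key.asc so that uscan can check upstream's own signature on the tarball, which is a stronger version of the same comparison.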