Should Arch Linux be delisted?

One of its main packagers lives in China, which is, you know, not exactly privacy-friendly… This of course would’ve been fine if all Arch Linux packages were reproducible, but this is not yet the case (see <reproducible DOT archlinux DOT org>).

https://www.archlinux.org/packages/?packager=felixonmars
https://www.archlinux.org/people/developers/#felixonmars

Felix Yan

Alias: felixonmars
Location: Wuhan, China

I couldn’t report this on <github DOT com SLASH privacytools> because GitHub rejects registration attempts made using Tor Browser. You should really self-host GitLab or something…

Sorry for the links, this forum doesn’t let me post more than two.

I would say no, because otherwise where would it end? Should we delist some other distribution whose maintainers are from the US, UK, AU? There wouldn’t be anything left.

If it bothers you that much, compile from source, which is quite easy to do through ABS.

3 Likes
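The first post and the reply above both hinge on what a reproducibility check actually decides: a package is "reproducible" when an independent rebuild of the same PKGBUILD yields a bit-for-bit identical archive, and when it does not, you want to know whether the difference is harmless metadata (a build timestamp) or real content. The following is an added example, not code from any poster and not Arch's own rebuilder tooling; it constructs two tiny in-memory tar archives standing in for the mirror package and a local ABS rebuild and compares them member by member.

```python
"""Mini reproducibility check: compare a mirror package with a local rebuild.

Added example (not Arch's `repro` tool or any project code). The archives
are constructed in memory so the script runs offline; real package files
would simply be read from disk instead.
"""
import hashlib
import io
import tarfile


def build_archive(members, mtime):
    """Pack {path: bytes} into an uncompressed tar held in memory.

    Sorted member order and fixed ownership/permissions are two of the
    ingredients a reproducible build needs; mtime is passed in so a
    non-reproducible build can be simulated by varying it.
    """
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for path in sorted(members):
            data = members[path]
            info = tarfile.TarInfo(name=path)
            info.size = len(data)
            info.mtime = mtime
            info.mode = 0o644
            info.uid = info.gid = 0
            info.uname = info.gname = "root"
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def digest(data):
    return hashlib.sha256(data).hexdigest()


def member_table(archive_bytes):
    """Map each member path to (sha256 of its content, mtime)."""
    table = {}
    with tarfile.open(fileobj=io.BytesIO(archive_bytes), mode="r") as tar:
        for info in tar.getmembers():
            f = tar.extractfile(info)
            content = f.read() if f is not None else b""
            table[info.name] = (digest(content), info.mtime)
    return table


def compare_packages(mirror_pkg, rebuilt_pkg):
    """Classify the difference between two package archives.

    Returns a dict with:
      identical      - whole-archive hashes match (the only fully "green" result)
      content_diffs  - members whose file contents differ (investigate these)
      metadata_diffs - members with equal content but differing mtime
      missing        - members present in only one archive
    """
    if digest(mirror_pkg) == digest(rebuilt_pkg):
        return {"identical": True, "content_diffs": [],
                "metadata_diffs": [], "missing": []}
    a, b = member_table(mirror_pkg), member_table(rebuilt_pkg)
    content_diffs, metadata_diffs = [], []
    for path in sorted(set(a) & set(b)):
        if a[path][0] != b[path][0]:
            content_diffs.append(path)
        elif a[path][1] != b[path][1]:
            metadata_diffs.append(path)
    missing = sorted(set(a) ^ set(b))
    return {"identical": False, "content_diffs": content_diffs,
            "metadata_diffs": metadata_diffs, "missing": missing}


# Constructed sample package contents (hypothetical package "tool").
FILES = {
    ".PKGINFO": b"pkgname = tool\npkgver = 1.0-1\n",
    "usr/bin/tool": b"\x7fELF-constructed-binary-stand-in",
}
MIRROR = build_archive(FILES, mtime=0)
# A rebuild with normalised timestamps: should be bit-for-bit identical.
GOOD_REBUILD = build_archive(FILES, mtime=0)
# A rebuild that leaked the wall-clock build time into member mtimes only.
TIMESTAMPED_REBUILD = build_archive(FILES, mtime=1700000000)
# A rebuild whose binary genuinely differs: the case worth investigating.
CONTENT_CHANGED = build_archive(
    {**FILES, "usr/bin/tool": b"\x7fELF-constructed-binary-but-different"}, mtime=0)

if __name__ == "__main__":
    for label, pkg in [("good", GOOD_REBUILD),
                       ("timestamps", TIMESTAMPED_REBUILD),
                       ("content", CONTENT_CHANGED)]:
        print(label, compare_packages(MIRROR, pkg))
```

The split between `content_diffs` and `metadata_diffs` is the useful part: a timestamp-only mismatch points at the build environment, while a content mismatch in a binary is exactly the thing the first post worries about and is what tools like diffoscope are then used to explain.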

Just a reminder, don’t confuse the Chinese Communist Party with regular Chinese citizens.

4 Likes

Maintainers aren’t an issue, package build scripts are human-readable. It’s the binary packages that I worry about. Unlike for example Debian, Arch Linux packages are built by developers themselves, not by dedicated build servers.

Speaking of Debian, I couldn’t find any publicly available information on the location of its build servers… Hm… We’re in a deeper hole than I thought, aren’t we?

The build servers can be malicious, too. Building everything yourself also doesn’t result in 100% security since you must understand every single line of code, possible side effects, and consider all software libraries.

Then, some programming languages like C or C++ come with unspecified or implementation-specific behavior. So even if you understand every single line of code, the compiled program may still be vulnerable or malicious because you didn’t consider such things. Of course, the compiler can be malicious, too.

All in all, there is a point where trust is needed.

3 Likes

Paying attention to the security-related practices of Linux distributions, such as package signing, build reproducibility, handling of vulnerabilities etc., makes sense, but going to the extremes is often not constructive and it may cause one to ignore bigger, simpler and more important things in the realm of privacy.

Filtering Linux distributions by individual packagers and developers would be an endless job.

Also, as @infosechandbook wrote, it’s not possible to achieve a completely trustless system.
Ken Thompson’s concept of a compiler backdoor is old but still relevant. See “Reflections on Trusting Trust”.

1 Like

I’m filtering distributions by countries where their source code is compiled, not by individual developers. Like, would you trust DuckDuckGo if its servers were located in China?