Ubuntu – How to confirm that the binaries in the Ubuntu are from the source code it should be from

Security

Like 99% of users, I install Ubuntu from ready-made binaries.

How can I verify myself that those binaries are in fact from the original source code from Ubuntu?

It would be good to verify that NSA/someone has not collaborated with either Ubuntu or Linode (my VPS provider) to mess with the binaries. If we could verify the binaries, they would also be unlikely to attempt this in the first place as it would be easy to call them out on it.

Best Answer

You can download the sourcecode and compile it yourself. But wait - first you have to check that sourcecode, because if Canonical collaborated with the NSA, they probably have entered some code somewhere to allow for a keylogger or something that can be activated remotely.

So...

after downloading the sourcecode,
you have to check all code,
and then compile it!

But wait - can you trust the compiler?

Related Solutions

Ubuntu – release notes from security updates that were installed in the background

The results of unattended-upgrades are logged at /var/log/unattended-upgrades. Though this will not contain the changelogs; it will show you what has been upgraded. You can then use one of the methods mentioned by others to see the actual changelogs.

You might also be interested in the apticron package. It can be set up to email you about any packages on the system that need to updated. This email will include summary of changes in each package generated by apt-listchanges.

By default it will mail root. If you don't have this set to forward to a real account already, edit /etc/apticron/apticron.conf, to set the email address:

EMAIL="foo@bar.com"

Ubuntu – How to list all setuid binaries in the Ubuntu repository

setuid executables are not recorded in the package metadata, so a short answer to your question would be: no, you can't. The only way to look for setuid executables in an archive would be to download every package and scan them.

However, if what you want to do is to list all setuid executables installed on your system, this command is what you are looking for:

find / -type f \( -perm -4000 -o -perm -2000 \)

Then, if you want to know where an executable comes from:

dpkg -S <file-path>

For example:

$ dpkg -S /bin/ping
iputils-ping: /bin/ping

Best Answer

Related Solutions

Ubuntu – release notes from security updates that were installed in the background

Ubuntu – How to list all setuid binaries in the Ubuntu repository

Related Question