•

• Home Page, Headlines • DW Weekly, Comments • Packages, Package Management • Glossary, FAQ, Mobile Site	• Search, Sitemap • Major Distributions • Submit Distribution • Upcoming Releases	• About DistroWatch • Page Hit Ranking • Advertise • Torrent Downloads

DistroWatch.com is sponsored by

News/Opinions/Reviews ▼
Release Announcements News and Headlines DW Weekly DW Weekly / Review Archive News/Article Search Upcoming Releases Opinion Polls Visitor Ratings & Reviews Project Rankings by Ratings Podcasts, Newsletters & Reviews
Packages ▼
Packages We Track Package Management Package Releases Compare Packages Across Distros Show package versions for all distros
Find/Submit Distro ▼
Search For Distro Search For Distro - Advanced Major Distributions Waiting List Submit Distribution Discontinued Distributions Random Distribution
Tutorials & Learning ▼
Search For An Article Questions and Answers Columns Tips and Tricks Columns Myths And Misunderstandings Columns Glossary Simplified Manual Pages
Related Resources ▼
Other Operating Systems Compatible Hardware Security Advisories Torrent Downloads Upload Torrents Distro Verification Keys Visual Distro Family Tree Linux User Groups
DistroWatch.com ▼
About DistroWatch Contact Us Page Hit Ranking Page Hit Trends Advertise Frequently Asked Questions Contributing Donate Our Donations Programme

News and Open Source Releases

Headlines

2016-05-30

The Qubes build process

Most of us tend to consider the security of the packages we run. We want to make sure they come from trusted sources, such as a distribution's repository, and that the software is up to date. Few of us pause to consider whether the server which originally built the software, or the developer's computer where the source code was written, might be compromised. Joanna Rutkowska of the Qubes OS project does think about such avenues of attack and has written about the steps Qubes takes to keep their build processes secure. One example of the measures the Qubes project takes involves not trusting remote servers: "We have always built all the official Qubes packages and ISO images on our private computers, i.e. ones whose physical security we can reasonably guarantee. This is because we have always assumed all external infrastructure (aka "the cloud") to be untrusted. Indeed, because datacenter personnel can always (stealthily) read/write the memory of systems or VMs running in their datacenters, allowing the build process to run there would always make it possible for external parties to either tamper with the build process and/or steal the release singing keys, if these were also uploaded, as many projects do."

More headlines from this project Back to News

TUXEDO
TUXEDO Computers - Linux Hardware in a tailor made suite Choose from a wide range of laptops and PCs in various sizes and shapes at TUXEDOComputers.com. Every machine comes pre-installed and ready-to-run with Linux. Full 24 months of warranty and lifetime support included! Learn more about our full service package and all benefits from buying at TUXEDO.

Advertisement

Star Labs
Star Labs - Laptops built for Linux. View our range including the highly anticipated StarFighter. Available with coreboot open-source firmware and a choice of Ubuntu, elementary, Manjaro and more. Visit Star Labs for information, to buy and get support.

Shells.com
Your own personal Linux computer in the cloud, available on any device. Supported operating systems include Android, Debian, Fedora, KDE neon, Kubuntu, Linux Mint, Manjaro and Ubuntu, ready in minutes. Starting at US$4.95 per month, 7-day money-back guarantee

Copyright (C) 2001 - 2023 Atea Ataroa Limited. All rights reserved. All trademarks are the property of their respective owners. Privacy policy. Change privacy settings.
DistroWatch.com is hosted at Copenhagen.

Contact, corrections and suggestions: Jesse Smith
Tips: Bitcoin

bc1qtede6f7adcce4kjpgx0e5j68wwgtdxrek2qvc4
Monero

86fA3qPTeQtNb2k1vLwEQaAp3XxkvvvXt69gSG5LGunXXikK9koPWZaRQgfFPBPWhMgXjPjccy9LA9xRFchPWQAnPvxh5Le
PayPal.me/distrow • Patreon.com/distrowatch