Template:Verifiable Builds Comparison Table
| | Whonix | Tails | Tor Browser | Qubes OS TorVM | corridor |
| --- | --- | --- | --- | --- | --- |
| Deterministic Builds | No | No | Yes | No | Not applicable. |
| Based on a Deterministically Built Operating System | No | No | Not applicable. | No | No |
| Verifiably no backdoor in the project's own source code | Invalid | Invalid | Invalid | Invalid | Invalid |
| Verifiably vulnerability free | No | No | No | No | No |
| Verifiably no hidden source code in upstream distribution/binaries | No | No | No | No | No |
| Project's binary builds verifiably created from project's own source code (no hidden source code in the project's own source code) | No (Deprecated.) | No | Yes | No | Not applicable. |
- Open Source does not automatically prevent backdoors unless users build their own binaries from source code themselves. Whoever compiles, uploads and distributes the binaries (including the web host) could add hidden code without ever publishing the backdoor's source. Nothing prevents someone from claiming that a binary was built from clean source code when it was actually built from that source code plus backdoor code. Likewise, anyone who has compromised the build machine can add a backdoor without the distributor being aware of it. Deterministic builds make such backdoors detectable, because independent builders can compare their results byte for byte. For more information on deterministic builds and why this is important, see:
- See Deterministic Builds Part One: Cyberwar and Global Compromise and Deterministic Builds Part Two: Technical Details.
- Just shell scripts.
- To be fair, there is no deterministically built operating system yet. Creating one would take a lot of effort and is far from easy. Work on reproducible builds is under way in Debian, but it is far from done.
A backdoor can also take the form of a vulnerability, that is, a bug in the source code. Vulnerabilities can be introduced by accident (human error) or on purpose. Once the software has been deployed and the vulnerability has been found, an attacker may exploit it to gain unauthorized access. Such vulnerabilities (or deliberately planted backdoors) can, with some cleverness, be placed in Open Source code in plain sight while remaining very difficult and unlikely to be spotted by people reviewing the code. Examples:
- An attempt to backdoor the kernel.
- Some argued that the Debian SSL debacle was not a bug but a backdoor (nobody spotted the vulnerability in the source code for years!).
Therefore it is impossible to claim that non-trivial source code is backdoor-free, because backdoors can be hidden as vulnerabilities. Auditors scrutinizing the source code can only state their opinion about its quality and possibly report a vulnerability. What can be checked reasonably easily is whether the source code is free of computer viruses (for example, trojan horses), not whether it is free of backdoors.
- Although possible (in theory?), there is no mathematically proven bug-free operating system yet.
- The upstream distribution is the distribution on which the project is based. Whonix and Tails are based on Debian, so Debian is their upstream distribution. Qubes OS TorVM is based on Qubes OS, which itself is based on Fedora and Xen.
- See Trust#Verifiable Builds.
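The deterministic-build footnotes above rest on one requirement: two independent builds of the same source must yield byte-identical output, otherwise a published binary cannot be checked against its source. The Python below is an added illustration, not Whonix's or any listed project's code: it packs a constructed sample source tree the naive way (the builder's clock and user name leak into the archive) and the reproducible way (sorted entries, fixed timestamp, no ownership data), then shows how a verifier rebuilds from source and compares digests. All names and sample values are assumptions.

```python
import hashlib
import io
import tarfile

# Constructed sample source tree (file name -> contents); not from the page.
SOURCE_TREE = {
    "src/main.c": b"int main(void) { return 0; }\n",
    "README": b"example project\n",
}
# Fixed timestamp every builder agrees on (the SOURCE_DATE_EPOCH convention).
SOURCE_DATE_EPOCH = 1_500_000_000

def sha256(data):
    return hashlib.sha256(data).hexdigest()

def build_naive(tree, now, builder):
    """Pack files in arrival order, stamping the builder's clock and user name
    into the archive: honest builders get different bytes, so a backdoored
    build from a third party cannot be told apart by comparing hashes."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, data in tree.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            info.mtime = now
            info.uname = builder
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()

def build_reproducible(tree):
    """Normalise every source of variation (entry order, mtime, ownership)
    so the archive bytes depend only on the source contents."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w", format=tarfile.GNU_FORMAT) as tar:
        for name in sorted(tree):
            data = tree[name]
            info = tarfile.TarInfo(name)
            info.size = len(data)
            info.mtime = SOURCE_DATE_EPOCH
            info.uid = info.gid = 0
            info.uname = info.gname = ""
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()

def matches_published(published_digest, source_tree):
    """Independent rebuild check: rebuild from the published source and compare
    digests. A mismatch means the shipped artifact was not built from this
    source alone (or the build is not yet reproducible)."""
    return sha256(build_reproducible(source_tree)) == published_digest
```

A distributor who ships an archive built from the source plus a hidden extra file fails `matches_published` against the published source, which is exactly the check the naive build cannot support.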