Template:Verifiable Ovas Introduction
|Warning: Deprecated. Dedicated maintainer required.|
|Warning: This feature only adds security if people like you actually use it! Don’t assume that someone else is doing it for you!|
Whonix has a feature which allows the community to check that Whonix .ova releases are verifiably created from the project's own source code. We call this verifiable builds. This only proves that the person and machine building Whonix have added nothing malicious, such as a backdoor. It does not prove that there are no backdoors in Debian. That is not possible, because neither Debian nor any other operating system provides deterministic builds yet. Nor is this feature an attempt to prove that there are no vulnerabilities in Whonix or Debian. A remotely exploitable bug in Whonix or Debian, a flaw in Whonix's firewall leaking traffic, or code phoning home the contents of your hard drive would still be fatal. A precondition for this feature to improve overall security is that the community audits Whonix's and Debian's source code for backdoors and vulnerabilities in the first place. In summary, we believe this feature is useful and can improve security, but it is not a magical answer to all computer security and trust questions. The following table hopefully helps in understanding what this feature achieves.
| Property | Whonix | Tails | Tor Browser | Qubes OS TorVM | corridor |
| Deterministic builds | No | No, planned | Yes | No | Not applicable |
| Based on a deterministically built operating system | No | No | Not applicable | No | No |
| Verifiably no backdoor in the project's own source code | Invalid | Invalid | Invalid | Invalid | Invalid |
| Verifiably vulnerability free | No | No | No | No | No |
| Verifiably no hidden source code in upstream distribution/binaries | No | No | No | No | No |
| Project's binary builds verifiably created from the project's own source code (no hidden source code in the project's own source code) | No (deprecated) | No | Yes | No | Not applicable |
You might be curious why Whonix is verifiable when neither Debian nor any other operating system is. This is because Whonix is very simple; to oversimplify, Whonix is just a collection of configuration files and scripts, i.e. Whonix's source code does not contain any compiled code. Debian, on the other hand, is a full operating system. And of course, without the great work of the Debian project and all the upstream projects, Whonix would not exist.

This feature was first available with Whonix 8. Only users who download a new image can benefit from this feature. Auditing versions older than Whonix 8 with this script is not possible.
- For example due to a compromised build machine.
- Whonix is based on Debian.
- Some Debian developers are working on it; see Reproducible Builds.
- Open Source does not automagically prevent backdoors unless users build their own binaries from the source code themselves. Whoever compiles, uploads and distributes the binaries (including the web host) could add hidden code without publishing that code. Nothing prevents someone from claiming that a binary was built from clean source code when it was actually built from that source plus backdoor code. Likewise, whoever has infected the build machine with a backdoor is in a position to add a backdoor without the distributor being aware of it. Deterministic builds make such backdoors detectable, because an independent rebuild from the published source must produce identical output. For more information on deterministic builds and why this is important, see:
- See the Tails Roadmap.
- See Deterministic Builds Part One: Cyberwar and Global Compromise and Deterministic Builds Part Two: Technical Details.
- Just shell scripts.
- To be fair, there is no deterministically built operating system yet. Creating one would take a lot of effort and is far from easy. Work on reproducible builds is going on in Debian, but it is far from done.
- A backdoor can also take the form of a vulnerability, i.e. a bug in the source code. Vulnerabilities can be introduced by accident (human error) or on purpose. Once the software has been deployed and the vulnerability has been found, an attacker may use an exploit to gain unauthorized access. Such vulnerabilities (or purposely planted backdoors) can, with cleverness, be hidden in plain sight in Open Source code while being very difficult and unlikely to be spotted by people reviewing it. Examples:
- An attempt to backdoor the kernel.
- Some have argued that the Debian SSL debacle was not a bug but a backdoor (nobody spotted the vulnerability in the source code for years).
Therefore it is impossible to claim that non-trivial source code is backdoor free, because backdoors can be hidden as vulnerabilities. Auditors scrutinizing the source code can only state their opinion about its quality and eventually report a vulnerability. What can be checked reasonably easily is whether the source code is free of obvious malware (for example, trojan horses), not whether it is free of backdoors.
- Although possible in theory, there are no mathematically proven bug-free operating systems yet.
- The upstream distribution is the distribution on which the project is based. Whonix and Tails are based on Debian, thus Debian is their upstream distribution. Qubes OS TorVM is based on Qubes OS, which itself is based on Fedora and Xen.
- See Trust#Verifiable Builds.
- Not possible does not mean impossible here. It would just involve a lot of work.
- Because in order to implement the verifiable builds feature, we need to get rid of lots of non-deterministic auto-generated files at the end of the build process and re-create them during first boot.
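The check the text describes (rebuild from the published source, set aside the files the build regenerates on first boot, then compare what remains against the downloaded image) can be illustrated with a small script. The following is an added example written for this page, not Whonix's own verification script. The exclusion patterns, the directory layout and the sample files are constructed for illustration and are assumptions; they are not Whonix's actual list of non-deterministic files. The script expects both images to already be unpacked into ordinary directory trees.

```python
"""Compare an unpacked downloaded image tree with an unpacked rebuilt tree.

Added example for this page, not Whonix's verification script. Everything
below (exclusion patterns, paths, sample files) is constructed for
illustration.
"""
import fnmatch
import hashlib
import os
import tempfile

# Files the build legitimately regenerates on first boot, so they differ
# between two honest builds and must be excluded before comparing.
# ASSUMED list for illustration; a real list must be derived from the
# audited build process, and every exclusion is a blind spot the auditor
# has to justify.
NONDETERMINISTIC_PATTERNS = [
    "etc/ssh/ssh_host_*_key",
    "etc/ssh/ssh_host_*_key.pub",
    "etc/machine-id",
    "var/log/*",
]


def is_excluded(relpath):
    """True if relpath (slash-separated, relative to the image root) is expected to differ."""
    return any(fnmatch.fnmatchcase(relpath, pat) for pat in NONDETERMINISTIC_PATTERNS)


def sha256_file(path):
    """Hex SHA-256 of a regular file, read in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def tree_digest(root):
    """Map relative path -> digest (or symlink target) for every non-excluded entry under root."""
    digests = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            if is_excluded(rel):
                continue
            if os.path.islink(full):
                digests[rel] = "symlink:" + os.readlink(full)
            else:
                digests[rel] = sha256_file(full)
    return digests


def compare_trees(downloaded_root, rebuilt_root):
    """Return (only_in_downloaded, only_in_rebuilt, differing), each sorted.

    Anything in the first or third list is not explained by the published
    source and is exactly what a verifiable-builds check is meant to surface.
    """
    a = tree_digest(downloaded_root)
    b = tree_digest(rebuilt_root)
    only_a = sorted(set(a) - set(b))
    only_b = sorted(set(b) - set(a))
    differing = sorted(p for p in set(a) & set(b) if a[p] != b[p])
    return only_a, only_b, differing


def _write(root, rel, data):
    """Create rel (slash-separated) under root with the given bytes."""
    path = os.path.join(root, *rel.split("/"))
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as f:
        f.write(data)


def demo():
    """Constructed sample: regenerated files differ (ignored), one script was
    modified and one extra file added in the downloaded tree (both reported)."""
    with tempfile.TemporaryDirectory() as tmp:
        downloaded = os.path.join(tmp, "downloaded")
        rebuilt = os.path.join(tmp, "rebuilt")
        firewall = b"#!/bin/sh\n# constructed firewall script\n"
        for root, hostkey in ((downloaded, b"host key A"), (rebuilt, b"host key B")):
            _write(root, "etc/hostname", b"host\n")
            _write(root, "etc/ssh/ssh_host_rsa_key", hostkey)  # regenerated on first boot
            _write(root, "var/log/dpkg.log", hostkey)          # timestamps differ per build
        _write(rebuilt, "usr/bin/whonix-firewall", firewall)
        _write(downloaded, "usr/bin/whonix-firewall", firewall + b"# one extra line\n")
        _write(downloaded, "etc/rc.local", b"# file not present in the rebuild\n")
        return compare_trees(downloaded, rebuilt)


if __name__ == "__main__":
    only_dl, only_rb, diff = demo()
    print("only in downloaded image:", only_dl)
    print("only in rebuilt image:   ", only_rb)
    print("content differs:         ", diff)
```

Getting from an .ova to a directory tree (the .ova is a tar archive containing the virtual disk, which then has to be mounted or extracted) is outside this snippet. Note the design consequence of the footnote above: every pattern in the exclusion list is a place where a difference would go unnoticed, so the list must be short, justified file by file, and the first-boot regeneration code itself must be part of the audited source.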