Debian is transforming software trust from a leap of faith into a verifiable mathematical certainty. This mandate sets a rigorous new benchmark for supply chain integrity that the rest of the industry can no longer afford to ignore.
Debian's New Mandate to Increase Security
Security is something that we always want in our Linux distributions, and we're starting to see a wave of distributions take a further step to increase security. Debian looks like it's the first to make this mandatory.
Thanks for checking out this video by Switch to Linux. If you like this type of content, subscribe to the channel if you've not already done so. Leave us a like and a comment down below. Of course, Debian is one of those great granddaddies of Linux, and this is a good distribution, although I have some concerns about its future.
But, all of that controversy aside, we always have to give praise when a distribution comes down and does something really good. And in this case, Debian came down and did something really good for security which will, if properly implemented, prevent any form of supply chain breach that could happen, at least if people are paying attention.
And of course, we're talking about package reproducibility. And this came down initially from the listservs here at Debian. So, they mentioned the reproducibility aided by the Reproducible Builds project. "We've decided it's time that Debian must ship reproducible packages. So, since yesterday," they've enabled "our migration software to block migration of all new packages that can't be reproduced or existing packages in testing that regress in reproducibility."
So, what does this actually mean?
So, let's actually look at the wiki here, because this really defines what reproducible builds means. So, this has to do with that checksum. I know many people, when you download a Linux distribution, you might probably skip that step of verifying your download, and you really shouldn't. And the reason you shouldn't is because somebody could get in there and do something malicious, like happened on Linux Mint about a decade ago and, I'm forgetting, was it Ubuntu MATE or Lubuntu? It's one of the Ubuntu flavors. Recently it happened, and we covered both of those topics in videos when they came out. People got in through a hacked WordPress site, which isn't too surprising given that there was a giant cPanel breach in this last week, and they were able to get in there and change the downloads. And for about 2 hours or so in each of those cases, if you downloaded the distribution, you downloaded something with malware installed. Now, the distro still worked. It showed every sign of being the correct distribution, but there was extra malicious code put inside of there that you may not have expected to be there, especially since you're downloading reputable distributions with good, reputable teams.
Now, if you checked the checksum of that, and the checksum came out wrong, you'd go, "Uh, there must have been an error in the download." And you would have discarded it and either downloaded it again, or downloaded it from a different mirror, or done something different. And that is a whole Linux ISO.
What reproducibility means in the scope of the software is that every component of the operating system itself must have a similar binary hash. The problem is, if you take some generic source code that is written and you just compile it yourself and then you run a hash on the binary that spits out, that hash is going to change. It's going to change based on your computer environment. It's going to change based on the date and the time that you compile that. All of these things are things that go into the build. And so, for a standard person simply issuing software online, they can compile it themselves, publish their hashes, and anywhere that picks it up, as long as the hash matches, you have a good degree of confidence that that download has not been tampered with. And that is an excellent thing.
The challenge here, of course, is what happens when you want to download the source code and then you want to go ahead and use that source code across some other build. You want to build it yourself. How do you check your downloaded binaries against theirs if you're compiling at different times?
So there are some extra steps taken in the compiling step that throw out variables like the date and time of compilation, maybe some of the equipment, and give you a reproducible hash based on just the components of the software itself, including all of the components that might have come from a supply chain. So this means that if any weird shenanigans go on, a supply chain could be breached or something else weird happens, and you do not have the same hash as somebody else under a reproducibility model, then you know that that software likely has been tampered with, and you can discard that software and not use it. Now, it's not likely we are all going to go ahead and double-check every piece of software, but why this is important is in that step of compiling the ISO for download: they are going to take that step to make sure the reproducibility of all of the software packages is perfectly in line, so you have confidence that that one master ISO is going to be correct. And this is a huge, huge step in security. And for this, Debian has ultimate praise. Now, Arch has been experimenting with this, NixOS has been doing a lot of this, but none of those other distros has it absolutely hard and fast required yet.
And that is what the next edition of Debian is going to have. Debian 14 will be forced on reproducible builds as of this time. So here's just a little bit about how this works. Reproducible builds, also known as deterministic compilation, is the process of building software while ensuring the resulting binary code can be reproduced, including that hash. So, this produces a chain of trust through which you can be confident that the software has not been tampered with somewhere along the line.
And this is of course in response to a lot of supply chain breaches and things like that, because, you know, that one guy in Nebraska actually needed to get a little bit of sleep, so his package had to, you know, go to sleep while some hacker might have been playing around in there. Now, this goes back to the early '90s with the GNU project using some of these, and as I said, more recently Arch has been working with it. So, Arch Linux is working on making it official. Debian was working with it with Bookworm.
FreeBSD is working with it. NixOS claims 100% reproducible builds in June of 2021 for their minimal ISO releases, not for the whole thing. Tails is using reproducible builds, which is good, because Tails has a good security model.
Even F-Droid uses reproducible builds, and this is awesome if you happen to be using your GrapheneOS phone and you want to download good, audited software: F-Droid is a great place utilizing reproducible builds.
So, this is actually a really good step in security.
And I don't remember if there was much else that I wanted to pull out from the... no, there's nothing else I didn't already mention in the It's FOSS article. So, that's what we have to look forward to. Of course, Debian is the grandfather of Ubuntu. Does this mean Ubuntu will be fully reproducible? Probably not, unless of course they look at this and go, "That's a great idea." But their Debian base certainly would be. Linux Mint is based on Ubuntu, and also the Debian-based LMDE, Linux Mint Debian Edition, is available for download on Linux Mint's website. That is based on it. So, all of these downstream distributions are going to have the end result of a lot tighter security based on the fact that Debian is taking this step. So, this is an awesome, awesome thing that Debian is doing. So, I just wanted to bring that to everyone's attention, and let me know your thoughts about all that in the comments down below.
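To make the timestamp-and-environment problem from the transcript concrete, here is an added Python example (not from the video, and not Debian's or the Reproducible Builds project's tooling) that packages the same constructed source files on two simulated build hosts, once naively and once in the reproducible style described above (timestamp pinned to SOURCE_DATE_EPOCH, sorted entries, no host metadata), hashes both artifacts, and then runs the downloader-side check of a local hash against a published one. The file contents, hostnames and build times are constructed sample values.

```python
import hashlib
import hmac
import io
import tarfile

# SOURCE_DATE_EPOCH is the reproducible-builds.org convention for a pinned build timestamp.
SOURCE_DATE_EPOCH = 1_600_000_000

# Constructed sample build inputs (file name -> contents); not taken from the video.
SOURCES = {"main.c": b"int main(void) { return 0; }\n", "util.h": b"#define X 1\n"}


def build(sources, build_time, host, reproducible):
    """Package the sources into a tar 'artifact' and return its bytes.

    Naive mode embeds the wall-clock build time and the builder's hostname and
    writes entries in whatever order the inputs arrive. Reproducible mode pins
    mtime to SOURCE_DATE_EPOCH, sorts entries and drops all host-specific data.
    """
    buf = io.BytesIO()
    names = sorted(sources) if reproducible else list(sources)
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name in names:
            data = sources[name]
            info = tarfile.TarInfo(name)
            info.size = len(data)
            info.mtime = SOURCE_DATE_EPOCH if reproducible else build_time
            info.uid = info.gid = 0
            info.uname = info.gname = "" if reproducible else host
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def two_builds(reproducible):
    """Simulate two independent builds on different hosts at different times."""
    first = build(SOURCES, 1_700_000_000, "builder-a", reproducible)
    # The second host lists the same files in a different order and builds a day later.
    reordered = dict(reversed(list(SOURCES.items())))
    second = build(reordered, 1_700_086_400, "builder-b", reproducible)
    return sha256_hex(first), sha256_hex(second)


def verify(artifact, published_hash):
    """Downloader-side check: does the local artifact match the published hash?
    A mismatch means the file was corrupted or tampered with, so discard it."""
    return hmac.compare_digest(sha256_hex(artifact), published_hash)


if __name__ == "__main__":
    print("naive        :", two_builds(False))
    print("reproducible :", two_builds(True))
```

The naive pair prints two different hashes even though the sources are identical; the reproducible pair prints the same hash twice, which is exactly what lets a third party rebuild a package and compare it against the one Debian ships.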