LWN: Comments on "KDE neon users may want to reinstall"

KDE neon users may want to reinstall

pboddie — Tue, 15 Nov 2016 11:47:27 +0000

I was just wondering what was actually there in the directories containing the packages. Did they look at the files and try and account for where they all came from, when they were uploaded, and so on, or did they just delete everything and tell everyone else to do the same? Also, aren't these things signed at some level?

KDE neon users may want to reinstall

FLHerne — Tue, 15 Nov 2016 08:26:38 +0000

'KDE neon' is a distribution (with a stock-KDE desktop, of course), so the recommendation is indeed to reinstall the whole thing.

KDE neon users may want to reinstall

cjwatson — Tue, 15 Nov 2016 04:45:03 +0000

Surely they have audit logs of uploads? If not, that should be worrying in itself.

KDE neon users may want to reinstall

Jonno — Tue, 15 Nov 2016 00:16:25 +0000

> Oh cool when did Debian reach 100% reproducibility? [Or even 90% reproducibility?]

Debian testing (aka stretch) reached 91% by October 1 [1], and is currently at 91.4% [2].

> The web page https://wiki.debian.org/ReproducibleBuilds says:
> Reproducible builds in Debian are still at the experimental stage. While we are making very good progress, it is a stretch to say that Debian is reproducible or even partially reproducible until the needed changes are integrated in the main distribution.

As usual the documentation isn't exactly up-to-date. The last piece needed was integrated into the main distribution at November 6 [3], only the infrastructure to publish the build environment specification online (so a third party can reproduce it) is still missing...

1: https://reproducible.alioth.debian.org/blog/posts/75/
2: https://tests.reproducible-builds.org/debian/testing/inde...
3: https://lists.debian.org/debian-dpkg/2016/11/msg00000.html

KDE neon users may want to reinstall

amacater — Mon, 14 Nov 2016 23:33:31 +0000

91% reproducible in Debian testing as of yesterday - see the mini-Debconf from Cambridge.

May not be complete for Stretch. Will also involve SUSE, Fedora, OpenWRT and other projects.

See: http://meetings-archive.debian.net/pub/debian-meetings/20...

KDE neon users may want to reinstall

smoogen — Mon, 14 Nov 2016 23:06:11 +0000

Oh cool when did Debian reach 100% reproducibility? [Or even 90% reproducibility?] The web page https://wiki.debian.org/ReproducibleBuilds says:

Reproducible builds in Debian are still at the experimental stage. While we are making very good progress, it is a stretch to say that Debian is reproducible or even partially reproducible until the needed changes are integrated in the main distribution.

But the graph shows a pretty high amount of builds being reproducible.. is there some staleness or just that the graph does not convey some key issues?

KDE neon users may want to reinstall

amacater — Mon, 14 Nov 2016 22:35:46 +0000

The article underneath might help - if KDE Neon were Debian rather than Ubuntu based, you could always rebuild it reproducibly and check it accordingly

KDE neon users may want to reinstall

welinder — Mon, 14 Nov 2016 22:25:21 +0000

That's a weird recommendation.

If no-one actually uploaded evil bits, then there is no need to reinstall.

If someone did, reinstallation of KDE is not a solution. Reinstallation of the entire machine together with cancellation of all private keys and passwords stored or used on the machine in the meantime. The works, in other words.

Perhaps they really ought to see if the packages *were* tampered with by means of recompilation and comparison. Or whatever else it takes.