> > So there's no "chain of custody", for lack of a better term, digital > signature where one could look at the kernel running on a Linux system and > trace it back to the original Linux kernel that was released? > No there's not; Not only that, in many cases, it's NOT the "real" kernel as published by The Linux Foundation: Red Hat and Debian, at least and for sure, maintain their own patch sets for the kernel; They do publish them, of course, because the license requires it, but the resulting binary is definitely not what was running in a Linux Foundation test server.
When dealing with binaries, though, you are placing trust in the developers who built the distribution and the build environment, to have done so in a trustworthy manner. If you want more verification, you have to get the source code directly from a trustworthy source, and compile it yourself. If you want more verification than that, you have to actually read that source code before compiling it. If you want "proof" from the developers, they need to do so in the sense and form of a mathematical proof; That the specifications are implimented correctly, that the code is compiled correctly, that the compiler is working correctly, that the binary is what the source code defined, that nothing was added or removed along the way. As far as I know, there is only one kernel to have done so: seL4 ( http://sel4.systems/ ), but I'm not nearly nerd enough to justify why one would care. _______________________________________________ PLUG mailing list [email protected] http://lists.pdxlinux.org/mailman/listinfo/plug
