How dangerous is "apt-get upgrade"?


#1

When I do “sudo apt-get update && sudo apt-get upgrade” to upgrade my PureOS Librem laptop, how dangerous is this?

In the end, I’m trusting some compiled binaries. How does this differ from running an .exe I get via email on Windows?

  • Who compiled these binaries?
  • How many eyes were on the compilation process?
  • How likely is it there is malware on these binaries?

#2

If you’re running stock PureOS with only the PureOS repo, it is just as dangerous (or not dangerous) as running stock PureOS and applications available from the Software application. As for the specific answers to your questions as it relates to the PureOS repo itself, someone from Purism would be the best to answer that.

Once you begin adding additional software repos, then the sky is the limit in terms of danger. Just do your research on the source of any repo before you add it.


#3

I think most PureOS binaries are the Debian ones.

It’s almost impossible to be 100% safe in this; you have to trust them, or you can compile them yourself, but it’s best if you compile your own compiler first, since there could be some malware in an already compiled one.


#4

Never tried PureOS here, so I’ll be taking my knowledge from what I have used, Debian.
You should be alright since Debian is rock solid as a diamond. I would just do update and upgrade as separate commands, just as a safety measure to avoid potential conflicts.


#5

Who compiled these binaries?
How many eyes were on the compilation process?

Last I checked “more than 90% of the packages in the Debian repository have been shown to be able to build reproducibly.” (source [Wikipedia]).

More Info: https://wiki.debian.org/ReproducibleBuilds

I would assume the same is true for PureOS.
Although showing signs of reproducibility does not mean they are reproducible.

How likely is it there is malware on these binaries?

Linux, in general, has a very low rate of malware.

Plus, PureOS has a very good bug reporting program and only installs free software applications by default. If any spyware was found and made public it would be stated everywhere.

As for applications installed after the vanilla installation, most have been audited to some degree.
Everything listed in the official PureOS repository is free software (to my knowledge).


#6

You can’t compare the security of Debian vs. some fork like PureOS.
The apt mirrors of Debian are spread and replicated worldwide with strict GPG signatures
and only a handful of developers and operators have access to it.
repo.puri.sm is hosted on some Digital Ocean virtual server, sharing physical access with
many other virtual servers, and considering the latest Intel attacks there is nothing much
that keeps them “bulletproof” except some grain of optimistic salt.

No matter how much you trust their team, every little change to the Debian code-base can be a
potential security issue. That’s how OpenSSL’s Heartbleed vulnerability was introduced by mistake.
And no one will really care to ever audit it; for just a few hundred users, it’s not an interesting fork.
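
The GPG signatures mentioned in post #6 protect a hash chain: the signed Release file lists the hash of each Packages index, and each index lists the hash of every .deb. The following is an added example, not part of any post in this thread, that checks that chain over constructed sample data; it assumes the Release text has already passed signature verification against the repository key, and all names and paths in it are hypothetical.

```python
import hashlib

def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def parse_release_sha256(release: str) -> dict:
    """Map each path in the Release file's SHA256 section to (digest, size)."""
    entries, in_section = {}, False
    for line in release.splitlines():
        if line.startswith("SHA256:"):
            in_section = True
        elif in_section and line.startswith(" "):
            digest, size, path = line.split()
            entries[path] = (digest, int(size))
        else:
            in_section = False
    return entries

def parse_packages(index: str) -> dict:
    """Map each Filename in a Packages index to the fields of its stanza."""
    stanzas = {}
    for block in index.strip().split("\n\n"):
        fields = dict(l.split(": ", 1) for l in block.splitlines()
                      if ": " in l and not l.startswith(" "))
        stanzas[fields["Filename"]] = fields
    return stanzas

def verify_chain(release, index_path, index_bytes, deb_path, deb_bytes):
    """Check Release -> Packages -> .deb and return (ok, reason)."""
    # Assumption: `release` already passed signature verification (apt does this step).
    listed = parse_release_sha256(release).get(index_path)
    if listed is None:
        return False, "index not listed in Release"
    if (sha256(index_bytes), len(index_bytes)) != listed:
        return False, "Packages index does not match Release"
    stanza = parse_packages(index_bytes.decode()).get(deb_path)
    if stanza is None:
        return False, "package not listed in index"
    if (sha256(deb_bytes), len(deb_bytes)) != (stanza["SHA256"], int(stanza["Size"])):
        return False, "package does not match index"
    return True, "ok"

# Constructed sample data: not a real package, index or Release file.
DEB = b"!<arch>\nconstructed sample package payload\n"
DEB_PATH = "pool/main/h/hello/hello_1.0_amd64.deb"
INDEX_PATH = "main/binary-amd64/Packages"
INDEX = (f"Package: hello\nVersion: 1.0\nFilename: {DEB_PATH}\n"
         f"Size: {len(DEB)}\nSHA256: {sha256(DEB)}\n").encode()
RELEASE = f"Origin: Example\nSuite: stable\nSHA256:\n {sha256(INDEX)} {len(INDEX)} {INDEX_PATH}\n"
```

A mirror that alters a package or an index without holding the signing key fails one of these comparisons, which is why the chain says who published a binary but nothing about how it was compiled.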


#7

You make good points. You have almost convinced me to ditch PureOS for Debian. More eyes on it. Does someone else want to chime in on this? If one stays away from the proprietary software that Debian supposedly allows, what’s better about PureOS in terms of security? Isn’t Debian by default all open-source anyway unless you specifically opt-in to proprietary software?


#8

http://www.gnu.org/software/repo-criteria.html

http://www.gnu.org/distros/free-system-distribution-guidelines.html

http://www.gnu.org/philosophy/categories.html


#9

After extensive research I have decided to go with Debian. There’s ZERO reason not to if you care about security. The default 14 DVDs are all free software and if you don’t install anything else, you’re set with gold standard security.