The cleanest way to compile Ubuntu from scratch?

Intro:I heard Ubuntu is safe because it is open sourced, we can see what code is running on our machine. Although there is source code of the linux kernel and many open source modules, but how could we be confident the original source of the ubuntu image matches the same source code we visit?

Question:Therefore it comes to this question: How do we recompile from scratch of the build with the file name ubuntu-20.04.2.0-desktop-amd64.iso at 2.8GB?

With some of the following requirements:

  1. Minimized binary file in the build process
  2. Minimized black box process
  3. Ideally end up the same SHA-256 check sum with the original build
2

2 Answers

If you are into self-compiling everything, maybe Gentoo is a better choice for you.

Having worked for a Linux distributor for 16 years (and counting), I can assure you that it's far from trivial to compile a complete Linux distribution. The business value of the companies that are doing that is in the know-how, infrastructure and work procedures (and their automation) to do that. This is not anything to easily replicate at home.

You can build one or a handful of packages at home easily, but when it comes to a full distribution, it's a massive task. How many man-years are you willing to spend?

Having said that, Gentoo Linux is based around the idea to let every user do exactly that at home; but still, you need to have some trust in those who provide the source tarballs and all the patches on top of them. If you are suspicious, you can dig deep into one or a few of them and check what they are doing, but it's unrealistic to do that for any meaningful percentage of the whole distribution.

Also, I have doubts that you will manage to optimize the resulting binaries better (at least in any meaningful way) than those who have been doing that for a living for many, many years.

Still, if you feel you must do it, go ahead. ;-)

3

First, you learn how to build a single package, discover how to find and use the same compiler environment and flags, discover how to use exactly the same source code revision, etc. -- and compare it's checksum.

Then you learn how to build each of the thousands of packages on the installer image (some are quite complex) -- and compare each checksum.

Then you learn how to snapshot the system you built, compress it into a squashfs image, and make it a bootable .iso.

Without a build farm to compile each package from source, an expert already skilled in building those complex packages could do it on their own high-end workstation in several of effort. A beginner could easily take years.

...And at the end of all that, your checksum will be wrong for every package you built. Each package is signed, and you don't have the private keys.

But let's put that aside -- everything else will match. Your build logs will match the Ubuntu build logs (available on Launchpad), line for line. Your packages will be the same size as the Ubuntu packages. They will function exactly the same. They will have identical bugs. They will have identical network usage. They will pass every other test you can think of to test for a tampered or changed package.

And that's how you verify the Ubuntu installer (that's what you linked to), not the finished system that the installer creates.

2

Your Answer

Sign up or log in

Sign up using Google Sign up using Facebook Sign up using Email and Password

Post as a guest

By clicking “Post Your Answer”, you agree to our terms of service, privacy policy and cookie policy

You Might Also Like