Ever wondered how Trisquel and Ubuntu differs and what’s behind the curtain from a developer perspective? I have. Sharing what I’ve learnt will allow you to increase knowledge and trust in Trisquel too.
The scripts to convert an Ubuntu archive into a Trisquel archive are available in the ubuntu-purge repository. The easy to read purge-focal script lists the packages to remove from Ubuntu 20.04 Focal when it is imported into Trisquel 10.0 Nabia. The purge-jammy script provides the same for Ubuntu 22.04 Jammy and (the not yet released) Trisquel 11.0 Aramo. The list of packages is interesting, and by researching the reasons for each exclusion you can learn a lot about different attitudes towards free software and understand the desire to improve matters. I wish there were a wiki-page that for each removed package summarized relevant links to earlier discussions. At the end of the script there is a bunch of packages that are removed for branding purposes that are less interesting to review.
Trisquel adds a couple of Trisquel-specific packages. The source code for these packages are in the trisquel-packages repository, with sub-directories for each release: see 10.0/ for Nabia and 11.0/ for Aramo. These packages appears to be mostly for branding purposes.
Trisquel modify a set of packages, and here is starts to get interesting. Probably the most important package to modify is to use GNU Linux-libre instead of Linux as the kernel. The scripts to modify packages are in the package-helpers repository. The relevant scripts are in the helpers/ sub-directory. There is a branch for each Trisquel release, see helpers/ for Nabia and helpers/ for Aramo. To see how Linux is replaced with Linux-libre you can read the make-linux script.
This covers the basic of approaching Trisquel from a developers perspective. As a user, I have identified some areas that need more work to improve trust in Trisquel:
- Auditing the Trisquel archive to confirm that the intended changes covered above are the only changes that are published.
- Rebuild all packages that were added or modified by Trisquel and publish diffoscope output comparing them to what’s in the Trisquel archive. The goal would be to have reproducible builds of all Trisquel-related packages.
- Publish an audit log of the Trisquel archive to allow auditing of what packages are published. This boils down to trust of the OpenPGP key used to sign the Trisquel archive.
- Trisquel archive mirror auditing to confirm that they are publishing only what comes from the official archive, and that they do so timely.
I hope to publish more about my work into these areas. Hopefully this will inspire similar efforts in related distributions like PureOS and the upstream distributions Ubuntu and Debian.
Trisquel should, perhaps, become a Debian derived distribution and base on Debian rather than Ubuntu – at that point, you have all the benefit of the numbers of Debian developers and the existing Debian reproducible builds effort.
Potentially becoming a Debian pure blend and packaging *only* the scripts needed to strip out non-free packages would potentially be easier from within Debian. The current situation of trusting Debian to build an infrastructure that Ubuntu will use for their packaging efforts at some point, only for Trisquel to repackage again seems wasteful.
Yeah, what is the state of reproducible builds for Ubuntu?
We have PureOS for those that wants a more Debian-like experience, and I run it on my old X201 laptop. The same concerns I bring up here can be brought up against PureOS as well, and I hope to duplicate the work I do for both Trisquel and PureOS. A lot of infrastructure and improvements went into Ubuntu compared to Debian too, and switching back to Debian will lose those. I believe Trisquel adds some packages directly from Debian instead of going via Ubuntu, but I think they are all rebuilt rather than using the Debian-provided binaries — maybe coming up with a way for Trisquel to directly import both Ubuntu and Debian packages would be an improvement.
From what I recall, PureOS still uses the Linux kernel images from Debian that I find problematic. And I have some ppc64el-based Talos machines, which seems unlikely that PureOS will support. So Trisquel seems like a better fit for me.
For as long as Debian and Ubuntu are viable projects, I’m happy that there are derived free software distributions based on each of them.
Pingback: Apt Archive Transparency: debdistdiff & apt-canary – Simon Josefsson's blog
Pingback: Trisquel is 42% Reproducible! – Simon Josefsson's blog
Pingback: How To Trust A Machine – Simon Josefsson's blog