Hello Community,
I was wondering what is the overall verification process before adding an architecture to Ubuntu Mate Download page: Choose an architecture | Download
I recently downloaded a GPD hardware optimized distribution and my worry is that it also includes some sort of malware/backdoor/intended vulnerability apart from the tweaks for that particular hardware.
Thanks for any comment on this.
Does the checksum match the .iso you downloaded ? if it does, no malware.
Thanks for the follow up @pavlos_kairis . I did check the SHA checksum after downloading but that's not what I meant.
I meant how do you actually build the components but I think I sort of found the answer: Ubuntu MATE 21.10 for the GPD Pocket 3
@Wimpy who is a trusted member here published the assembled installation, previously I was under the impression that the people from GPD published the image which I would consider problematic.
Anyway - is there some sort of github repository I can have a look at?
Over on the Device Ports page on the website (link is in the footer), there's a link to where they're generated:
My understanding is that the image is based on amd64 but is tweaked for an optimised "out of the box" experience for each of the hardware.
Certainly that is the case but I was wondering how transparent are the changes and/or tweaks.
There are some ways you could check:
Theoretically, if the script only adds additional files into the squashed filesystem, and you use the exact same version of the tools to run the script, the checksum should match. This isn't a guarantee because there's compression involved (for squashfs)
The other method is to mount & compare the squashfs file system from the regular amd64 ISO, and the gpd ISO to see what has changed. The file is located here:
casper/filesystem.squashfs
Wimpy sometimes does live streams of what he's doing - you can find some on GPD: