cross-posted from: https://sh.itjust.works/post/62361303
Hello good people.
Is no one afraid of Bazzites auto updating nature?
I am myself worried about the potential for well timed supply chain attacks from wherever they build their OS images, which somehow build malicious images or just gets itself into the normal image builds and we auto update to.
Is this an unfounded worry? Does anyone know of the security measures in place to prevent attacks?
Auto update just feels weird to me, especially for something like my OS. I’m asking because I went and installed it and realised auto updating seems to be their philosophy… which is scary?
p.s. i couldnt find anyone online discussing this
Thonks
Thanks for your answer. I have a lot of trust with Fedora, I guess I am more worried specifically about bazzites build process potentially being exploited. Sounding like I am being extra paranoid with Bazzite for maybe no reason
The entire bazzite build process is well documented, the entire pipeline is implemented with standard CNCF and OpenSSF tooling, the readme has crypto verification that you can run to verify it yourself. These systems have been in place since before Universal Blue went GA (It’s about 5y old).
Fedora being a better choice than Homebrew because it’s update pipeline is too slow is not something anyone should be proud of. The Bazzite images run full syft scans before they’re even finally assembled, if it’s in there that second the build fails and users never see it. The entire industry is moving left on this, with proactive work upstream - “keep old things in the field” is an antipattern.
Here’s all the info!