Announcing Whonix's First Implementation of Verifiable Builds
-----BEGIN PGP SIGNED MESSAGE-----
you may or may not be interested, that Whonix  (a derivative of
Debian) first implementation of verifiable builds has been finished.
It should make it reasonable to believe, that the original Whonix.ova
images have been build from the source code that has been published
for that Whonix version with no malicious additions by the Whonix
builder or build machine. Next Whonix version will be build that way.
It's not as good as reproducible-builds , where you can simply
compare the hash of the resulting image, but without any
deterministically build operating systems, that's impossible for the
Whonix project to archive.
How it works (very brief)... Whonix does not add binary packages. All
binary packages are taken from Debian repositories. Whonix is only a
collection of config files and scripts. Images is extracted, MBR, VBR
gets dumped and compared, checksums of all files within the image are
created. All information is written into a report file. When having
two reports (one of official builds and a own build), those can be
compared. The full documentation of that feature and links to the
related scripts can be found in whonix.org wiki. 
I am happy to hear if I have overseen any holes, where backdoors could
still be hidden.
And I also have a question. During Whonix's build process, after
installing all packages inside the image, commands like
are run. And during first boot, commands like
are run. Is there perhaps a better way of temporarily getting rid of
non-deterministic files than manually running these scripts, for
example letting dpkg call those scripts?
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----