All the Q4OS code is released under open source free licenses. Most of our code is in human readable form and it's available directly in the target Debian packages. Anyone can now inspect this code; it is easy to download the package from live repositories and extract it. Such code is released under the GPLv2 license. In addition, there are a few packages containing compiled binary code written in C++. It's released under the preferred GPLv2 or the free licence inherited from the libraries used.
At the moment we are using our own scripting build system, incompatible with the current Debian one. It's due to historic reasons and backward compatibility, as the original Q4OS had been compiled by a completely different development team. So compiling Q4OS sources and building Debian compatible packages is now quite a complicated task and it requires fulfilling various build dependencies. We have limited development resources available to keep such dependencies public and keep the build system automatically usable, although the code itself is clean and in good shape. We consider publishing such a system counterproductive. In order to fulfill licence terms, the code is available on request, so we could also explain the current specifics of building and the code itself.
A possible, partial solution would be to add the complete debug information as regular packages, so anyone could extract the code from such a package and make it binary verifiable. It's an extra time-consuming agenda and we haven't decided about it so far. Would anyone be interested in that?
The final goal we want to achieve is to convert the current build system to make it Debian source compatible and even binary reproducible. That is quite a big task and we are continuously working on that. As soon as we achieve that goal, we are ready to publish the source code on-line, and provide it the standard Debian way as source packages via Q4OS repositories. That would bring a great benefit to us, as it would significantly increase credibility and make independent security inspection possible. But without strict binary compatibility it wouldn't.
For binary incompatible builds an independent security code inspection doesn't make much sense anyway. The resulting compiled package differs from the distributor's original one, so an inspection cannot reveal potential malicious code inside on-line packages. As far as we know, most small Linux distributions don't use binary reproducible builds. Debian, for example, uses binary reproducible builds, but still distributes binary blobs within firmware packages, so users are not completely isolated from potential malicious code either.
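The two points above, extracting the contents of a .deb from a repository to inspect it and checking whether an independently compiled package matches the distributor's, can be shown with the .deb container format itself. A .deb is a classic `ar` archive holding `debian-binary`, `control.tar*` and `data.tar*`. The following is an added example, not Q4OS code and not dpkg's: it parses the `ar` layout, hashes every file inside `data.tar`, and compares two builds. The `build_deb` helper constructs minimal in-memory packages purely for the demonstration; the package name and file paths in it are made up.

```python
"""Parse a .deb (an `ar` archive) and compare two builds file by file."""
import hashlib
import io
import tarfile

AR_MAGIC = b"!<arch>\n"


def ar_members(blob: bytes) -> dict:
    """Return {member_name: bytes} for a classic ar archive such as a .deb."""
    if not blob.startswith(AR_MAGIC):
        raise ValueError("not an ar archive (missing !<arch> magic)")
    members, pos = {}, len(AR_MAGIC)
    while pos < len(blob):
        header = blob[pos:pos + 60]          # fixed 60-byte member header
        if len(header) < 60 or header[58:60] != b"`\n":
            raise ValueError("truncated or malformed ar header")
        name = header[0:16].decode("ascii").rstrip(" ").rstrip("/")
        size = int(header[48:58])            # decimal, space padded
        start = pos + 60
        members[name] = blob[start:start + size]
        pos = start + size + (size % 2)      # members start on even offsets
    return members


def deb_file_hashes(deb: bytes) -> dict:
    """Return {path: sha256} of every regular file in the package's data.tar."""
    members = ar_members(deb)
    if members.get("debian-binary", b"").strip() != b"2.0":
        raise ValueError("not a version 2.0 .deb")
    data_name = next(n for n in members if n.startswith("data.tar"))
    hashes = {}
    with tarfile.open(fileobj=io.BytesIO(members[data_name]), mode="r:*") as tar:
        for info in tar:
            if info.isfile():
                hashes[info.name] = hashlib.sha256(tar.extractfile(info).read()).hexdigest()
    return hashes


def package_sha256(deb: bytes) -> str:
    """Whole-package hash: this is what a reproducible build must match exactly."""
    return hashlib.sha256(deb).hexdigest()


def compare_builds(deb_a: bytes, deb_b: bytes) -> list:
    """Paths whose content differs, or that exist on only one side, between two builds."""
    a, b = deb_file_hashes(deb_a), deb_file_hashes(deb_b)
    return sorted(p for p in a.keys() | b.keys() if a.get(p) != b.get(p))


# ---- constructed test packages (not real Q4OS or Debian packages) ----------
def _ar_header(name: str, size: int) -> bytes:
    fields = [name.ljust(16), "0".ljust(12), "0".ljust(6), "0".ljust(6),
              "100644".ljust(8), str(size).ljust(10)]
    return "".join(fields).encode("ascii") + b"`\n"


def build_deb(files: dict, mtime: int = 0) -> bytes:
    """Assemble a minimal .deb in memory; mtime controls the tar timestamps."""
    def tar_of(entries: dict) -> bytes:
        buf = io.BytesIO()
        with tarfile.open(fileobj=buf, mode="w", format=tarfile.USTAR_FORMAT) as tar:
            for path, content in entries.items():
                info = tarfile.TarInfo(path)
                info.size, info.mtime, info.mode = len(content), mtime, 0o644
                info.uid = info.gid = 0
                info.uname = info.gname = "root"
                tar.addfile(info, io.BytesIO(content))
        return buf.getvalue()

    control = tar_of({"./control": b"Package: example\nVersion: 1.0\nArchitecture: all\n"})
    out = bytearray(AR_MAGIC)
    for name, data in (("debian-binary", b"2.0\n"), ("control.tar", control),
                       ("data.tar", tar_of(files))):
        out += _ar_header(name, len(data)) + data + (b"\n" if len(data) % 2 else b"")
    return bytes(out)


FILES = {"./usr/bin/hello.sh": b"#!/bin/sh\necho hello\n",
         "./usr/share/doc/hello/README": b"Example package\n"}


def demo() -> dict:
    build1 = build_deb(FILES, mtime=1_700_000_000)
    build2 = build_deb(FILES, mtime=1_700_000_000)   # faithful rebuild
    build3 = build_deb(FILES, mtime=1_700_000_060)   # same sources, new timestamps
    build4 = build_deb(dict(FILES, **{"./usr/bin/hello.sh": b"#!/bin/sh\necho goodbye\n"}))
    return {
        "rebuild_identical": package_sha256(build1) == package_sha256(build2),
        "timestamp_changes_package_hash": package_sha256(build1) != package_sha256(build3),
        "timestamp_content_diff": compare_builds(build1, build3),   # [] : nothing real changed
        "modified_content_diff": compare_builds(build1, build4),    # the one altered file
    }


if __name__ == "__main__":
    print(demo())
```

The whole-package hash is the bar a reproducible build has to clear: `build3` differs from `build1` only by tar timestamps, yet its hash no longer matches, which is exactly why a non-reproducible build system cannot be verified by rehashing. The file-level comparison narrows the gap: it reports nothing for the timestamp-only rebuild and points at the single changed file in `build4`, which is what an inspector would look at once a hash mismatch appears.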
How much does Q4OS add to, remove from and alter Debian's source code?
Q4OS doesn't alter Debian source code at all. It uses all the Debian binary packages and repositories as they are, with no modification. Q4OS only adds its own packages within its own, separate repositories. In addition, Q4OS provides repositories with most of the original Trinity desktop packages, with a few packages modified. These modifications are released under the inherited original code licenses, mostly LGPLv2, and the source code is available for any interested party on request. Trinity desktop is not part of the Debian repositories anyway.
What about packages?
Q4OS uses the Advanced package management tool (APT) https://en.wikipedia.org/wiki/APT_(software) thanks to the great Debian base. All the Q4OS binary packages are in the .deb format; they are provided through APT repositories.
We have also designed our own, and we believe somewhat innovative, application installer format with the .esh or .qsi suffix. Installers aim to be a complement to the default APT system and enable application installation for independent developers in a decentralized way. Although Q4OS installers feature a different archive format, they are fully compatible with APT as they actually install .deb packages in a clean APT way. The installer specification is free and open source; you can find some examples here: https://github.com/q4os-installers . Those who want to fiddle with or create a custom installer for an application should read the developer documentation https://www.q4os.org/dqa009.html first.
Does anyone unaffiliated with Q4OS review Q4OS' source code?
As far as we know, there is no independent public spot where someone would analyse or review the code at the moment. We provide any Q4OS source code to the public according to the licenses used. A few parties made requests for Q4OS sources, or parts of them, and some of them requested various additional information. They certainly check and view the code, and they may try to use it in their derived projects, but we don't have instant feedback to confirm how carefully they review the code in the sense of security. Any unverifiable confirmation would have no value anyway. As we have stated before, an independent security inspection of Q4OS binaries will only be possible as soon as we are able to release a binary reproducible build system. But even then, we may not be able to answer this question definitively.