Linux Distros - Does Country of Origin Matter?

So with countries like Germany trying to regulate social media under the guise of protecting people from "hate speech" (https://www.theverge.com/2017/6/23/15852048/germany-hate-speech-facebook-twitter-fine-censorship), does anyone worry about the country of origin for the Linux distribution? Could there be some sort of back door that the government forces them to put in so they can constantly monitor everything you do? I know Germany isn't the only country that tries to do these kinds of things cough America cough, but I'm using them as an example because this is pretty recent.

If you think it does matter, which country do you think you would be safest from? Which is the least tyrannical about the internet?

I can understand blocking out some stuff, like terrorist organization recruitment videos. But when they use the words "hate speech", I can't help but think that if they actually get what they want, they're just going to start blocking out anything that goes against their agenda, because they can call anything they disagree with "hate speech" cough Antifa cough.

Not really.

I mean most popular OSs are usually pretty community driven and the community spans multiple countries. SUSE for instance is based in Germany, but they have offices all over the planet. They have an office in downtown Seattle. Ubuntu and Red Hat also have foreign offices.

There are a few niche distros that are very country specific, but they don't get a whole lot of development time and are therefore somewhat useless.

Sooooooo meh?

1 Like

Countries schmuntries.

As long as it's not redstar linux, you're fine.

4 Likes

Technically only encryption and patent law had/have an effect.

Two examples:

  • FOSS implementation of US crypto wikipedia or
  • Linux Mint including codecs that are patent protected/require licenses in certain countries (US mostly). Their defence: we are in France and it does not apply here. They are small enough that it wasn't tested in court. It is problematic that LM is distributed worldwide even where these patents are an issue.

On a social level country of origin can be very important. If you don't speak/read English then having a "local" distro or distro with local community is very important. There are little known African distros that have the best support for their local language. While all big languages are open to translations of local languages, those are rarely a blocker for release (e.g. Low German). If you only speak one language and your system is 50% English that really sucks.

1 Like

This was only 3 years ago

Distro was called Tails
Honestly I doubt the average user can protect their privacy from the huge supercomputers and advanced software developed and hinted at in Vault 7, I just use the advance blur option like this:
James Clapper likes farm animals

1 Like

That's pretty much what I've been thinking. Even if there is no intentional backdoor, that doesn't mean you have any real privacy on the internet. And considering that, since the government doesn't benefit from the distro, there's no reason to boycott the distro.

1 Like

But I use redstar linux as my daily driver.

Indeed a Linux distribution isn't going to protect your privacy in any way or form.
To protect your privacy, you just have to change your own habits.
But still there basically is no full privacy protection on the internet.

1 Like

It can matter. Both from the distro point of view and end user.

Patent law in the US doesn't really allow distros to use patent encumbered code. This is why Fedora for example doesn't include patent encumbered programs. They won't take the risk. Other distros do include those things because they don't apply in the country they primarily operate from or they accept the risk, or they are oblivious to the risk.

As an end user it matters as well. If you live in the US it may be illegal to use things like libdvdcss to crack the encryption on DVDs so you can play them.

The option is they don't include the thing or they move country or host it by a 3rd party. In any case, most distros are open.

What exactly are you looking to answer?

1 Like

Considering the open-source nature of Linux, that's extremely unlikely. You just can't hide stuff in there without a vast army of neckbeards figuring it out.

1 Like

I would like to be one of those people that participates in that, minus the neckbeard part. But between full-time work, full-time school, girlfriend time, and a little bit of me time, I haven't found the motivation to even figure out where to start.

The most basic explanation I can think of is government spying built into the distro.

Mozilla managed to hide Google Analytics inside FF. And people found out just now. And they are not planning to remove it because it's too convenient. https://github.com/mozilla/addons-frontend/issues/2785

1 Like

You may wish to seek out a distro which periodically posts a security canary. Here is an example from Qubes OS.

You may also wish to engage the devs of your favorite distro and inquire as to why they do not, likewise, post a security canary. It is entirely possible that they have already been compromised by national intelligence services, or that security is merely an afterthought for them. Either way, it would be interesting to compile their responses here, for everyone to review.

Here is the rationale behind the security canary.

1 Like

Firefox was removed from F-Droid a while ago because their source code wasn't completely open. That alone made me suspicious of Mozilla in general and Firefox in particular. If the analytics were embedded in the closed-source part, that might explain why it took so long to find it. Then again I haven't reviewed the code myself (because that's way above my skill level).

They may not be planning to completely remove it, but they did ship a hotfix to disable it if you have "do not track" enabled in the privacy settings.

Not really. It's open source and that's what liberates it from a lot of things. The only issue you'll face with distros is the accessibility for the app/software you use. It may be easier to get something to work in Ubuntu but might be tough in Fedora or vice versa, depending upon the case.

Offtopic but thought this was worth sharing;
During an interview a pentester was asked why Finland has so much nerd know-how (relative to population).
Answer was due to the second world war.
Things like cryptography, for example, were openly taught in schools, whilst, if you compare to Sweden (neighbour and basically a twin, but hasn't been at war in hundreds of years), cryptography of any kind was a heavily guarded secret and privileged to a select few.
Ontopic: open sourcing provides benefits which outweigh proprietary depending on the circumstances; where distros are developed doesn't matter since most are developed across continents, but, if it's open, does it matter? No.

Not really. If you’re downloading from a local mirror (one inside Germany) it should have the exact same SHA256 across many mirrors.

Example:

http://de.releases.ubuntu.com/zesty/SHA256SUMS and http://mirror.waia.asn.au/ubuntu-releases/zesty/SHA256SUMS are the exact same data. You should be able to achieve a similar result with many other Linux distros.

Because Linux is a community-driven project and because the code is SO public, I wouldn’t worry so much about the backdoors as much as the abilities that are available to you by law.

1 Like

To add on to this I would say to also verify that SHA256SUM locally after downloading.

1 Like
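
The check described in the last two posts (the same SHA256SUMS across mirrors, then verifying the download locally), as an added example that is not part of the original thread. The file name, the image bytes and the function names are constructed for this example; in practice the two SHA256SUMS texts would be the files fetched from two mirrors.

```python
import hashlib
import hmac
import os
import tempfile


def parse_sha256sums(text):
    """Parse sha256sum output lines: '<64 hex>  name' or '<64 hex> *name'."""
    entries = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        digest, _, rest = line.partition(" ")
        digest = digest.lower()
        if len(digest) != 64 or any(c not in "0123456789abcdef" for c in digest):
            raise ValueError(f"not a SHA-256 line: {line!r}")
        # Second separator char is ' ' (text mode) or '*' (binary mode).
        entries[rest[1:] if rest[:1] in (" ", "*") else rest] = digest
    return entries


def mirror_disagreements(copies):
    """Names whose digest differs, or is missing, between SHA256SUMS copies."""
    parsed = [parse_sha256sums(c) for c in copies]
    names = set().union(*parsed)
    return sorted(n for n in names if len({p.get(n) for p in parsed}) != 1)


def verify_download(path, sums_text, chunk=1 << 20):
    """Hash the local file in chunks and compare with its SHA256SUMS entry."""
    expected = parse_sha256sums(sums_text).get(os.path.basename(path))
    if expected is None:
        return False  # not listed: treat as unverified, not as OK
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return hmac.compare_digest(h.hexdigest(), expected)


if __name__ == "__main__":
    # Constructed stand-ins for an ISO and two mirrors' SHA256SUMS files.
    data = b"constructed image bytes"
    good = hashlib.sha256(data).hexdigest()
    mirror_a = f"{good} *sample.iso\n"
    mirror_b = f"{good} *sample.iso\n"
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "sample.iso")
        with open(path, "wb") as f:
            f.write(data)
        print("mirrors disagree on:", mirror_disagreements([mirror_a, mirror_b]))
        print("download verified:", verify_download(path, mirror_a))
```

Agreement between mirrors only shows that the mirrors hold the same list; Ubuntu also publishes a SHA256SUMS.gpg signature beside the file, and checking that signature is what ties the list to the publisher.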