security · package scans
Every package built for the Odyssey repository passes an automated safety scan before it is signed and published. This page is the record of those scans — what passed, what was caught, and what we did about it.
Trust worked fifty years ago. Today there is no trust.
Have you ever asked yourself whether one of Brave's maintainers — and I apologise to the Brave team, their package is spotless, it is simply the first one I studied, so it came to mind — could turn malicious and inject a backdoor into the package? Who would catch it? Are we supposed to trust upstream blindly? My answer is a flat no. Not upstream, not anyone — not even the kernel. (And between us: I scan the Linux kernel sources too.)
This is the hard part to write, because two kinds of reader will reach opposite conclusions, and I want to answer both before they do.
If you are less technical, you might read this and think: now this is real security. Let me stop you there — no, it is not 100% secure. An attacker is an intelligent person, usually above average, and no defender can guarantee with certainty that nothing malicious is hidden somewhere inside the code, the build process, or the repository of an entire distribution. It cannot be done. The only way to come close would be to dedicate yourself to auditing a single upstream source from a single project — and you can see why that is not practical for a distributor.
If you are more technical, you might think the opposite: who are you kidding, this is for show — there is no point scanning a package without looking inside the JS or the bundled code. Here my answer is: yes, I do look inside. The scan unpacks the packages and analyses every file, looking for unwanted patterns. I know perfectly well that this is powerful but not omnipotent. It is, however, powerful, and every source is inspected deeply and documented.
The real limitation is false positives. That is exactly why, in the record below, you will find an explanation for every package that was flagged and then allowed into the repository.
I have already said more than enough. I cannot explain further: if I published how the scanning system is built, what it looks for, and which parameters trip a flag, an attacker would simply use them.
I will repeat it plainly: my repository is not "secure." No repository is. But of the more than 300 active distributions listed on DistroWatch, I do not know of one with a repository as state-of-the-art as this. The key is not trust. The key is no trust: trust nobody, and rely instead on mathematical verifiability, public signed manifests, and reproducibility.
Enormous security challenges are coming, and many are still underestimating them. Odyssey Linux has not. Security is one of the founding pillars this distribution is built on — it is the bond with the people who use it: their protection, their respect, their safety. A distribution distributes software; the word says it itself. I want to do that impeccably.
| package | version | scanned | status |
|---|---|---|---|