Bazzite is based on Fedora, which is known to have a high level of integrity. (By integrity, I mean that a reasonable person will consider it to likely be a trustworthy OS for typical home or office use.)
Bazzite also uses much code from KDE Plasma. KDE also has a good reputation, especially when it comes to the code that is included in Fedora distros.
Outside of those primary codebases, Bazzite also contains some code created by members of the Bazzite team. Some of these members have names and faces (and have published nice videos of themselves), while others are anonymous.
To the best of my research (which could lead to incorrect conclusions, so please correct me if I’m mistaken!), relatively few people use Bazzite when compared to other Linux ISOs, and it’s probable that not a single person outside the small Bazzite team has gone through all the Bazzite code.
Besides “trust us, we’re good people” (which you most likely are!), or going through each line of code ourselves and then building Bazzite from scratch, what measures are in place to ensure Bazzite’s integrity as a trustworthy OS?
Hi Jorge. You and your team have created an impressive project! It’s amazing to see what a great job you all have done.
Although cosign indicates the executable code is most likely to match what was supposed to be built, what measures are in place to ensure that nothing bad slips into the source code (accidentally or even on purpose)?
As an example, almost everyone was blindsided by what happened with the xz library, and the general belief there was that many people and organizations had eyes on the code (or should have). With Bazzite, the number of eyes on the code is minimal (possibly just 2-4 tired eyes for parts of the code), so even accidental mishaps seem like they could slip through without end users being aware until it’s too late.
I think the base on Fedora is a big plus for Bazzite, but are there any install or runtime checks that download hashes from Fedora to see if what’s being installed and executed actually matches Fedora’s code?
Are there any third-party code and process reviews?
Are there any measures in place like these so that people can be comfortable trusting their data to the OS?