Assurance of Quality as attractor/motivator for potential Adopters to commit to Ubuntu (any flavour)

It is my opinion that the following discussion

was terminated through intervention via “abortion”, to use a figurative description of what I perceive happened.

There are VERY valid reasons for newcomers approaching the world of Linux wanting to have independent assurance of a “known” level of quality, as provided by an unaffiliated 3rd party.

The very “hands-off” approach of highlighting that Ubuntu and other OSS applications and OSs are indeed “Open-Source”, allowing for anyone to review the code, does not address the inherent need which stems from the fact that many (dare I say most) of those who are considering moving away from Windows (or other systems) simply lack the competence, due to lack of awareness, skills, tools, or reputation, required to make the kind of assessments/determinations that could lead them to perform the type of Certification being discussed themselves.

To ignore that reality is, in my view, disrespecting the people who make up the marketplace from which the OSS Community hope to attract those adoptees.

Let us not lose sight of the fact that people can and do recognize acts of disrespect, intentional or not, and distance themselves from those who intentionally or unwittingly offer such disrespect.

Given the context the above attempts to clarify, I respectfully ask the powers that be … that the request … put forward by @SleepTimer … be reconsidered, possibly in the form of a more “focused” goal, of limiting such an audit to the elements that compose the “installed default” configuration, for any of the Flavours.


Now, I understand that there are many Distros that make use of some of the same building blocks for the OS/Distros.

Yes, it would be difficult to get everyone on-board to insist on seeing some documented evidence of process control for each of those shared components, but for some of those key components, like the Kernel, couldn’t the industry come together to “encourage” the upstream provider organization to accept such an audit, as a means to give the eco-system a greater visibility of “discipline” and “accountability”?

Maybe an “ISO Certification” would address that market need.


I do know, given the eco-system, that it would be near impossible to obtain Common Criteria certification for every little bit of the eco-system, but would it be completely unreasonable to have some expectation, for a default installation of Ubuntu (any flavour?), that it be Certified for

and that the installation-time interaction allows the choice of applying that Certified installation … or “scaling back” to the current default installation configuration which, correct me if I’m wrong, does not comply with that “minimum” benchmark.

Yes, I do realize that I have crossed the boundary from “Quality” in to the realm of “Security”. But truly, isn’t that what everyone’s real focus is these days?

After all, being able to reassure both the General Public and Business Decision-Makers that various configurations actually conform to, and assure, various “established” Protection Profiles for targeted scenarios would go a very long way towards regaining Public trust in informatics and network infrastructure that has been steadily undermined with each new instance of breach, let alone tampering, that is reported in the news.

I respectfully submit the above for consideration.

1 Like

Moved to the Site Feedback category, as that’s where complaints about moderation belong.

The post you complained about was closed simply because “somebody else should resource my idea” is unproductive. Further discussion in that topic merely encourages the myths that the community is somehow entitled to Canonical Ltd’s resources, or that Canonical Ltd seeks community input on their internal resourcing or strategy decisions. Neither is true, and continued hopeful discussion on that topic is misleading, a disservice to our fellow users in the community.

If you are interested in Security or Quality Assurance or Process Control, then I suggest you get more involved with those teams at either the Ubuntu or Debian level. Both projects have produced voluminous documentation over the years, and welcome new volunteers willing to help with the work.

11 Likes

Let us not lose sight of the fact that people can and do recognize acts of disrespect, intentional or not, and distance themselves from those who intentionally or unwittingly offer such disrespect.

Right now I am beginning to feel disrespected. I gave what I considered as a reasoned and comprehensive reply in that topic.

And now I am being told that when I switched from Win98 to Ubuntu I did so in ignorance of the security vulnerabilities in Windows and in ignorance of the security that Linux has and Linux distributions have.

I am pleased that that particular topic was closed.

I was going to add some more information that Microsoft is laying Windows source code open to audit. But only those small parts of the code that are being audited will show Windows meeting certain government standards, without which government departments will not be allowed to buy Microsoft software. Compare that to Ubuntu being open source and already being shown to meet those government standards.

I could not add that as a reply. All the same I was and am pleased that the topic was closed.

Regards

2 Likes

Canonical has paid for various external audits, reviews and certifications, which is even prominently shown on the website (and a hard requirement for many of Canonical’s customers):

https://ubuntu.com/security/security-standards

If you want such a thing to happen for one of the flavors (which use completely different package selections and defaults from the main OS) you are free to organize a donation collection or convince someone from an entity that does such reviews to do it as community contribution like i.e. @popey recently did by providing a tool to scan snaps for open vulnerabilities…

6 Likes

Thanks for the mention @ogra!

The concern about trust and quality is legitimate, and I get why newcomers want some kind of external validation. It’s a reasonable human instinct.

That said, I’d gently push back on the framing here. @SleepTimer’s original post was essentially “someone else should do this expensive thing” without any real engagement with the practicalities, and this thread continues in a similar vein. The open source model is the audit mechanism - it’s not a cop-out, it’s genuinely how this works.

The snapscope tool @ogra mentioned came about because I saw a gap, thought it was worth addressing, and built something. That’s the path here too. If you genuinely care about this - and it sounds like you do - get involved. The Ubuntu security team exists. Debian has processes. There are real ways to contribute rather than asking Mark Shuttleworth to write a cheque.

I’m not trying to be dismissive of the underlying concern, but “someone with money should fix this” isn’t a plan.

7 Likes

The ISO Quality standard is about ensuring that the “Process” is fully documented and “disciplined” in such a way as to prevent (for the most part) bad stuff from slipping through and finding itself in the end result. That looks more to the “how” it came about, with a view that the process can be deemed inherently reproducible, the implication derived being that there is assurance about the “how” which by extrapolation gives assurance about a continued future pattern regarding the “what” being produced.

So, on that point, let’s agree to disagree, and leave it at that, each of us walking away having a better understanding of the other.


That statement, very much unfortunately, reflects the underlying assumption that people raising issues need to become coders in order to “move mountains” to where they need them. I hate it when people try to play on the sympathy of others as an excuse but, in my case, I am feeling the need to justify myself.

I try to do my bit, however limited via responses to postings, but will never have the blocks of time that are required or can be dedicated to proper “deep dive” for truly impactful contributions because I am prioritizing my wife’s recovery from cancer. For me, the bits that I “dabble” in are all geared to setting myself up for a more stable long-term platform that would allow me to better further my studies/research into “managing” that treatment/recovery, without mentioning the complications added by her having had 2 separate instances of “stroke”, and the ongoing pain from fibromyalgia.

So … it is my very reasonable expectation that there be a quality-driven underpinning to whichever platform I choose for my home computer, being someone who needs that stability, as I am sure it is the same for essentially any End-User. Except for having tried a few Distros during the first couple of years on Linux, starting in 2004, I have been with Ubuntu since about 2007 and never looked back. But there is a very big chasm of trust between that lived experience (living with the “devil you know” and have “tamed”) and the rock-solid foundation provided by an ISO Quality Assurance Certification. I am sure that, for many, that stance is also true.

So, having said my piece, I leave the matter for further reflection with those who are able, can and do devote their precious time and resources to the continued betterment of Ubuntu … with our eternal gratitude!

1 Like

I appreciate this option.

2 Likes

Can we see the documentation on all of this?

It seemed quite scarce to me.

Thank you for that reference, Oliver. Much appreciate the reassurance on the framework of Security protecting the Canonical environment and platforms. That is significant … to confirm the “sanity” encapsulation.

Unfortunately, that does not address the main consideration of ongoing repeatability regarding Quality of deliverables, when End Users make reference to “ISO Certification”. For the certification that reflects that facet of Organizational “performance”, the usual reference is one geared specifically to Quality, which is

If you are wondering how they differ, the following reference is a good high-level overview of those differences:

Unfortunately, I haven’t been able to find any reference to compliance with that Certification standard.

Is it possible that it has been achieved and not publicly announced?



While I myself am not pushing for anything like what is discussed in the following article reference, I bring it to your attention as it certainly seems that it might be attractive as an Organizational Performance initiative, while not necessarily committing to attain such certification:

I do recognize that Agile Development does imply the need to “break rules” at times, but as long as the breaking is structured and managed closely, that process in itself is a critical success-oriented organizational skill which rarely has an established organizational framework for repeated success.

Not sure we do have an actual 9001 cert, but we surely follow the process (pretty much since day one, though back in the days the cycles were longer and the community was actually involved in the planning during the bi-annual UDS)

https://ubuntu.com/blog/the-rhythm-of-reliability

Regarding proof/documentation, there is

https://trust.canonical.com/ where you can see the signed certs…

And just as a side note, all three links I posted lately were among the first five hits on Google for “Canonical ISO certification”, it isn’t like it is hidden when you bother actually just looking for it…

3 Likes

What form should this demanded certificate take?

A paper/card based certificate sent through the post? A digital image?

Will Canonical please certify that the certificate I received through the post is genuine? Can someone please certify that the digital image that came with the ISO image is genuine and not something made by an AI program? I think the watermark is not a genuine Canonical watermark.

It never ends.

@ericmarceau

I am not writing this as a moderator, only as a long-time member of the Ubuntu Forums and now Ubuntu Discourse.

The following are my own thoughts on the matter having looked at the direction this topic has taken.

It saddens me deeply to see demands being made of a company that has given the world an amazing, free, open-source product enjoyed and used safely by millions.

It saddens me that the links provided by @ogra have been more or less ignored. Canonical has striven for and provided certification for enterprise and business customers.

It bothers me that the inherent trust system implied by open source development is seemingly being ignored.

Canonical has absolutely zero obligations, legal or otherwise, to provide the ISO certification you seem to be expecting as your right.

For me, having used Linux for the past 21 years, I will trust the built-in security, I will trust the developers who work day and night to ensure that Ubuntu users are safe, I will trust the open source community that watches itself and works tirelessly to give us something for now and the future.

6 Likes

@ericmarceau @SleepTimer
Are you aware that each certification needs a trusted certification authority? Why do you trust those? How do these certification authorities prove they are trustworthy? What makes them a certification authority?
They are certification authorities only because they are trusted by many …

To me this makes the Ubuntu and FOSS community some kind of certification authority.


Another thought: what’s a certified operating system worth if users install software from untrusted sources with root privileges?
A lack of user awareness is much more of a risk. Nobody will audit the user’s install. Supported Ubuntu will receive (security) updates and patches. But that’s worth nothing with, for example, a back door installed by the user himself.

2 Likes

I’m talking about ‘what you are given’ and if there is no audit ~ it is basically untrustworthy.

Chances are the police are all over it too!

Ubuntu is most certainly not “unaudited” or “untrustworthy.”

Ubuntu is open source. Its code, including the upstream Linux kernel, is publicly available and continuously reviewed by thousands of independent developers, companies, and security researchers worldwide.

That is the complete opposite of “no audit.”

Packages are cryptographically signed, security vulnerabilities are tracked via public CVEs, and patches are released transparently.

If anything suspicious were inserted, it would be visible to the entire community and caught quickly. That’s precisely how the open-source model works.

As for “the police are all over it,” that’s wild, unsubstantiated speculation without evidence.

Ubuntu is widely deployed across enterprises, academia, cloud providers, and governments globally.

Extraordinary claims require actual proof and not just suspicions.

If the standard is verifiability, Ubuntu meets it far more directly than most proprietary operating systems.

4 Likes

Time to close this topic.

There is an entire section of Ubuntu Discourse devoted to Security and trust.
Certifications are plainly displayed.
The open source methods establishing trust have been long established.

If Ubuntu does not meet paranoid criteria that are more applicable to proprietary software, folks are welcome to choose a different OS that satisfies them.

5 Likes