Fedora 36 open source, decompile, verification

Is it possible to see the source code for Fedora 36 somewhere, all of it, maybe with some sort of documentation to understand it? Is it possible to decompile the downloaded ISO image and compare it to the source code?

I see that it is possible to verify the downloaded ISO with CHECKSUM files. But Fedora claims to be open source, so it should be possible to see the source code and compare it with the ISO to make sure you know what you are installing. For example, Windows is not open source and it is not possible to tell if they have hidden backdoors in the code, like Snowden claimed.


Seems to be in Fedora Project’s mirror servers. Here is Fedora 36 source code (I think… I’m fairly new to Linux), but it is on a mirror in the United States so you may want to pick a different mirror from here.

How do I read this stuff? I downloaded some of the files from the mirror (.src, source files) and opened them with Notepad, and it all looks encrypted. Is there any documentation on how to put it together into your own ISO image? Also, is it possible to decompile the original download from the Fedora website and confirm that it is identical to the open source version? Is this mirror from the latest update and identical to what you download from their website?


I do not know the answer to any of these questions, because I am very new to Linux as my main OS.

In general it is not practical to decompile binaries to compare to the original source code, for a large number of reasons.

All of Fedora is built from source packages called source RPMs; they are available to anyone and contain the full source code (and spec files, build scripts, etc.) used to build every binary package in the distribution. It is certainly possible to rebuild all of the packages, and build your own installer ISO, if you wish, although that will be a large and complex process.

You mentioned ‘notepad’ which likely means you are using a Windows computer; it won’t be easy to open and inspect the source RPMs on that computer, and it definitely can’t be done using a text editor.


Ok, where do I get started if I want to create my own Fedora 36 ISO image?
Is everything collected in one place, and is there any documentation on how to compile it? Does the source code for each patch and update exist?

I don’t personally have any idea how to go about creating your own packages from the source code, and then creating an ISO from those packages. The processes to do this are all documented and are used by the Fedora team who builds those things, but you’d need to do some research to find them.

Yes, every single package in Fedora is produced from the source code in its source package, and that source is complete. The Fedora packaging rules require this to be true.


The source for Fedora packages is at https://src.fedoraproject.org.

For example, I recently wanted to see what options the sudo package was configured with and I found the answer by going to https://src.fedoraproject.org, searching for sudo, clicking rpms/sudo in the search results, clicking the Files tab, and inspecting the sudo.spec file for the f36 branch.

In a spec file, you can see where the upstream source is gotten from and any patches that are applied, etc.

Sometimes it is helpful to download the source rpm, as you tried. To expand the source rpm, you’ll want the rpmdevtools package. Here’s how I downloaded the sudo source rpm and expanded it:

sudo dnf install rpmdevtools
cd ~/Downloads
dnf download --source sudo
rpm -i sudo-1.9.8-5.p2.fc36.src.rpm
cd ~/rpmbuild/SPECS
vim sudo.spec

To install the build dependencies, I did this:

sudo dnf builddep ~/rpmbuild/SPECS/sudo.spec

To unpack the sources and apply any patches (rpmbuild, RPM Packaging):

rpmbuild -bp ~/rpmbuild/SPECS/sudo.spec

To compile after I made a change:

rpmbuild -bc --noprep ~/rpmbuild/SPECS/sudo.spec

To build the rpm:

rpmbuild -bb ~/rpmbuild/SPECS/sudo.spec

When done, wipe the tree:


Regarding creating one’s own ISO image, sorry, I never tried that.

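One way to check a package rebuilt with the steps above against the binary RPM Fedora ships, as an added example that is not part of the original post: list each file's digest from both RPMs and report where they disagree. The manifest file names and the `demo` data are constructed, and a reported difference calls for inspection rather than proving tampering, since build environment and timestamps can also change the output.

```shell
#!/usr/bin/env bash
# Added example: compare per-file digests of an official and a rebuilt RPM.
# Usage (placeholder file names):
#   rpm_manifest official.rpm > official.txt
#   rpm_manifest rebuilt.rpm  > rebuilt.txt
#   compare_manifests official.txt rebuilt.txt

# Print "path<TAB>digest" for each regular file in a binary RPM.
# Directories and symlinks have an empty digest and are dropped.
rpm_manifest() {
    rpm -qp --qf '[%{FILENAMES}\t%{FILEDIGESTS}\n]' "$1" | awk -F'\t' '$2 != ""'
}

# Compare two manifest files (official first, rebuilt second).
# Prints one line per discrepancy and returns 0 only when they agree.
compare_manifests() {
    cm_rc=0
    cm_out=$(awk -F'\t' '
        side == "official" { official[$1] = $2; next }
        {
            seen[$1] = 1
            if (!($1 in official))       { print "ONLY_IN_REBUILD\t" $1; bad = 1 }
            else if (official[$1] != $2) { print "DIFFERENT\t" $1; bad = 1 }
        }
        END {
            for (p in official)
                if (!(p in seen)) { print "ONLY_IN_OFFICIAL\t" p; bad = 1 }
            exit bad + 0
        }' side=official "$1" side=rebuilt "$2") || cm_rc=$?
    if [ -n "$cm_out" ]; then printf '%s\n' "$cm_out" | LC_ALL=C sort; fi
    return "$cm_rc"
}

# Constructed manifests (placeholder digests, not real sudo values).
demo() {
    d=$(mktemp -d) || return 2
    printf '%s\t%s\n' /usr/bin/sudo aaaa /usr/libexec/sudo/sudoers.so bbbb \
        /etc/sudoers cccc > "$d/official"
    printf '%s\t%s\n' /usr/bin/sudo aaaa /usr/libexec/sudo/sudoers.so ffff \
        /usr/bin/extra dddd > "$d/rebuilt"
    rc=0
    compare_manifests "$d/official" "$d/rebuilt" || rc=$?
    rm -rf "$d"
    return "$rc"
}
```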

Ok, thanks! It would be nice to see a video series on YouTube where someone built the ISO and explained stuff. It would be educational.