Security of pre-built firmware image

Hello everybody,
The list of routers for which pre-built firmware is available is impressive. I assume this is done by a group of volunteers. Once a new version has been released, these volunteers compile it and make it available for everybody. If this is not right, then please correct me.

I hope that nobody misunderstands the following question. I really appreciate all the work by the developers and in no way want to imply anything negative. I just try to understand the process.

How do I know that there are no backdoors in the built firmware? How do I know that the provided image is just the project source code without any additional modules? When looking at the page for a certain router, I couldn't see who created the image or how. I am sure there are safeguards in place, I just would like to understand the process better.

This is incorrect, all firmwares are built from source on automated 'buildbots' maintained by the project (some using donated resources) and signed with project signature keys, images aren't thrown over the fence by random individuals. Support for devices is added on the source level, you can follow every change by reading (and/or auditing) https://git.openwrt.org/?p=openwrt/openwrt.git;a=shortlog and the addon package feed commit histories. Efforts for reproducible builds are advanced quite far, but might not be 100%.

If you don't want to trust the project-built binaries, you can build your images from source yourself - if you trust the source (and/or have audited it).

2 Likes
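The two checks the reply above points at, verifying that a downloaded image matches the project's signed checksum manifest and comparing a self-built image against the published one to see whether the build reproduced, both reduce to the same hash comparison. The following is an added example written for this thread, not code from the OpenWrt project. It parses a manifest in the `sha256sums` layout (one `<hex digest> *<filename>` line per image) and reports whether a given image is listed, matches, or differs. The manifest contents, device name and image bytes are constructed for the example; verifying the manifest's own signature (the project publishes a detached signature for it, checked with `usign`) is assumed to happen before this script trusts the manifest.

```python
import hashlib
import os
import re
import tempfile

# Constructed manifest in the "<sha256 hex> *<filename>" layout used by
# sha256sums files. The device name is hypothetical; the digests are the
# SHA-256 of b"abc" and of the empty byte string, so the sample images
# below can be reproduced without any downloads.
MANIFEST = """\
ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad *example-device-squashfs-sysupgrade.bin
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 *example-device-squashfs-factory.bin
"""

_LINE = re.compile(r"^([0-9a-fA-F]{64})\s+\*?(\S.*)$")


def parse_sha256sums(text):
    """Map filename -> lowercase hex digest; lines that don't fit the layout are skipped."""
    entries = {}
    for line in text.splitlines():
        m = _LINE.match(line.strip())
        if m:
            entries[m.group(2)] = m.group(1).lower()
    return entries


def sha256_of_bytes(data):
    return hashlib.sha256(data).hexdigest()


def sha256_of_file(path, chunk_size=1 << 20):
    """Stream the file so multi-megabyte images don't need to be read into memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_entry(manifest_text, name, digest):
    """Return 'ok', 'mismatch' or 'unlisted' for one image digest against the manifest."""
    entries = parse_sha256sums(manifest_text)
    expected = entries.get(name)
    if expected is None:
        return "unlisted"
    return "ok" if expected == digest.lower() else "mismatch"


def verify_image_file(manifest_text, path):
    """Check a downloaded (or locally built) image file against the manifest by its basename."""
    return verify_entry(manifest_text, os.path.basename(path), sha256_of_file(path))


def demo():
    """Write the constructed images to a temp dir and check each one; returns the results."""
    results = {}
    with tempfile.TemporaryDirectory() as d:
        good = os.path.join(d, "example-device-squashfs-sysupgrade.bin")
        with open(good, "wb") as f:
            f.write(b"abc")                       # matches the manifest entry
        tampered = os.path.join(d, "example-device-squashfs-factory.bin")
        with open(tampered, "wb") as f:
            f.write(b"not the published image")   # listed, but contents differ
        unknown = os.path.join(d, "other-device-sysupgrade.bin")
        with open(unknown, "wb") as f:
            f.write(b"abc")                       # correct bytes, but not in the manifest
        for p in (good, tampered, unknown):
            results[os.path.basename(p)] = verify_image_file(MANIFEST, p)
    return results


if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{status:9} {name}")
```

A `mismatch` on a freshly downloaded image means the download should be discarded; a `mismatch` on a self-built image against the published manifest is the reproducibility gap the reply mentions and is worth diffing further rather than treating as proof of tampering. Note that an image whose name is not in the manifest is reported separately, since a missing entry is not the same as a wrong one.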

Thank you slh. So these buildbots are configured to create all the images automatically once the source code for a new kernel has been released? This is really interesting.

They are actually continuously building snapshots. Releases are just builds made from a tag that triggers the release builds.

PS. Kernel version plays no role here. It is about any new commits to the OpenWrt source repo.

You don't.

But if there were, someone would have found them.

There are a lot of eyes on the firmware.

2 Likes

It would be naive to think there is no unknown zero-day backdoor in the firmware. It would also be naive to think OpenWRT isn't a target to break into in today's world, since there are people that are targeted by governments that probably use the firmware just to evade the same government.

But what are we actually comparing the security with? The manufacturers' own firmware with Linux kernels of version 2.6 or something like that?
Their normal security updates are only to change the background color of the cloud management display, and everyone is impressed by their hard security work.