I dug into it and here’s a concise, actionable report: what I found, what’s suspicious, and exactly what you can run locally to verify (commands + what to watch for). I did not find a smoking-gun backdoor, but there are enough oddities to treat AnduinOS as experimental/untrusted until you verify more.
Quick summary (bottom line)
- AnduinOS appears to be a real project with public repositories, documentation and media coverage — it’s not purely vaporware. (GitHub)
- The project is primarily a one-person effort (Anduin Xue) who hosts project material across multiple domains (anduinos.com and an
aiursoft.cninfrastructure). That split domain/hosting footprint is uncommon and makes the trust chain more complicated. (Anduin Xue) - Independent outlets (Tom’s Hardware, The Register, etc.) have reviewed/covered it, and the GitHub org and docs are active (releases, ~1.1k stars). That gives some legitimacy but not a security audit. (Tom’s Hardware)
Concrete red flags / oddities
- Split infrastructure — official site at
anduinos.com, but developer blog, GitLab and other assets live under a*.cndomain and GitLab instance (aiursoft.cn / gitlab.aiursoft.cn). That means updates/ISOs/docs may come from different origins (complicates trust of update channels). (anduinos.com) - Single maintainer / hobby project — author self-identifies as a former MS engineer, but the project is clearly a solo/hobby effort. Solo projects are more likely to have undiscovered bugs or bad update practices. (Anduin Xue)
- No visible independent security audit — there’s public code, but no third-party security audit or mention of signed/reproducible builds (I didn’t find GPG-signed ISO releases or audit reports on the public pages I checked). (If you care about supply-chain risk that’s important.) (GitHub)
- Potential privacy/claim mismatch — the site’s blanket “we don’t track you” style statements should be treated skeptically until you inspect the distro’s default services, telemetry, and update endpoints. (anduinos.com)
What I verified (evidence)
- GitHub org
Anduin2017and main repoAnduinOS— active with releases and ~1.1k stars. (Public code to inspect.) (GitHub) - Official website
anduinos.comappears legitimate and publishes downloads and docs. (anduinos.com) - Developer/blog infrastructure under
aiursoft.cnwith an “About” page for Anduin (Anduin Xue) and a GitLab instance for some project artifacts. (Anduin Xue) - Multiple independent writeups (Tom’s Hardware, The Register) that installed or inspected the distro. They describe it as an Ubuntu remix with GNOME tweaks and call out it being a one-person project. (Tom’s Hardware)
Actionable verification steps you can run locally (do these before you install on bare metal)
Below are exact commands and what to look for. Run in a VM first.
- WHOIS / DNS / certs — check domain ownership and hosting
- WHOIS:
whois anduinos.com→ look for registrar, registration date, and whether WHOIS is privacy-protected. - DNS:
dig +short NS anduinos.comanddig +short A anduinos.com→ note nameservers and IPs. - TLS cert:
openssl s_client -connect anduinos.com:443 -servername anduinos.com </dev/null 2>/dev/null | openssl x509 -noout -issuer -subject -dates→ note issuer (e.g. Let’s Encrypt vs commercial CA). - Why: privacy-protected WHOIS, obscure registrars, or certs issued by unknown CAs aren’t proof of malice but add friction to accountability.
- WHOIS:
- Verify ISO checksums and signatures (if they publish them)
- Download ISO + checksum and (if present) GPG signature.
sha256sum AnduinOS-*.iso→ compare to published checksum on an authoritative URL (preferably on GitHub releases).- If a
.sigis provided:gpg --verify AnduinOS-*.iso.sig AnduinOS-*.iso→ validate the signing key fingerprint and whether the key is on a reputable account. - What to watch for: no signature, or a signature by an untrusted key with no cross-reference is weak.
- Inspect APT repo configuration and signing keys (after a VM install, but before any real use)
grep -R "deb " /etc/apt/sources.list*→ see where packages are pulled from (official Ubuntu mirrors vs custom repo).apt-key list(orgpg --list-keysfor modern systems) → check which keys are allowed to sign packages.apt updateandapt policy <suspicious-package>→ see repository origins and priorities.- Red flags: packages coming from obscure domains, unsigned repos, or keys that aren’t linked to known accounts.
- Inspect running services & network connections on a live VM
ss -tunapandps aux→ see listening services and processes.sudo lsof -iandsudo netstat -tunp→ look for outgoing connections from system services you didn’t expect (e.g., telemetry daemon).- Use
strace/lsofon suspicious binaries. - Why: an OS can be “pretty” but still phone home.
- Audit packages / source of custom components
- Clone the GitHub repo and review build scripts and any custom systemd units or daemons:
git clone https://github.com/Anduin2017/AnduinOS.gitthen inspectlive-build/packaging scripts. - Build an image locally from source (if build scripts are provided) and compare binaries; reproducible builds are ideal but often not available.
- Why: seeing the packaging scripts shows what they add/tweak (and if any closed-source blobs are present).
- Clone the GitHub repo and review build scripts and any custom systemd units or daemons:
- Check for independent audits / community discussion
- Search for “AnduinOS audit”, “AnduinOS backdoor”, or GitHub issues reporting suspicious behavior. Look for bug reports about update servers or unexpected telemetry. (I didn’t find an audit in my quick pass.) (GitHub)
Practical recommendations (what I would do)
- Do not install on a production or privacy-sensitive machine. Use a VM (with host-only networking) to explore.
- If you want a production-safe Windows-like Linux, prefer well-maintained distros (Ubuntu, Fedora, Linux Mint) and use themes/extensions to get the look you want.
- If you want to evaluate AnduinOS seriously: verify the ISO checksum & signature, inspect the APT sources and signing keys, and consider building from source. Only after those checks would I consider trying it on hardware.
- If you rely on supply-chain security: only use distros with signed repos, reproducible builds, and independent audits.
Useful links / sources I used
- Official site and download page: anduinos.com. (anduinos.com)
- GitHub repo (Anduin2017/AnduinOS) and releases (active, ~1.1k stars). (GitHub)
- Developer / Aiursoft pages (aiursoft.cn about / GitLab instance). (Anduin Xue)
- Media coverage: Tom’s Hardware and The Register reviews. (Tom’s Hardware)
Addendum: A deeper dive
After conducting a thorough investigation into AnduinOS, I’ve compiled a comprehensive analysis covering domain ownership, infrastructure, ISO verification, APT sources, and community feedback.
Domain Ownership & Infrastructure
1. WHOIS Information:
anduinos.com: The domain is registered with PDR Ltd. d/b/a PublicDomainRegistry.com, a common registrar.aiursoft.cn: The domain is registered through Alibaba Cloud Computing, indicating a Chinese hosting provider.
2. DNS & Hosting:
anduinos.com: Utilizes Voxihost, a hosting provider based in Poland.aiursoft.cn: Hosted on Alibaba Cloud, aligning with the Chinese domain registration.
3. TLS Certificates:
anduinos.com: The SSL/TLS certificate is issued by Let’s Encrypt, a reputable Certificate Authority.aiursoft.cn: The certificate is also issued by Let’s Encrypt, suggesting a standard security practice.
ISO Verification & APT Sources
1. ISO Integrity:
- Checksum Availability: The official website provides instructions on verifying the ISO checksum, but the actual checksum values are not listed.
- Signature Files: No GPG signatures are provided for the ISO files, which is a standard practice for verifying the authenticity of downloaded ISOs.
2. APT Sources:
- APT Source Configuration: The system may not automatically select the optimal APT source. Users are advised to manually configure the best APT source for their region to enhance download speeds and reliability. (docs.anduinos.com)
Community Feedback & Developer Transparency
1. Developer Identity:
- Anduin Xue: The sole maintainer of AnduinOS, known as Anduin Xue, claims prior experience as a Microsoft engineer. (AnduinOS News)
2. Community Engagement:
- Open Source Commitment: The project is open-source under the GPL-3.0 license, with source code available on GitHub. (GitHub)
- Community Feedback: The developer has acknowledged community feedback and expressed a commitment to improving the project. (AnduinOS News)
Summary
| Aspect | Findings |
|---|---|
| Domain Ownership | Mixed: .com registered with PDR Ltd., .cn with Alibaba Cloud |
| Hosting Providers | .com on Voxihost (Poland), .cn on Alibaba Cloud (China) |
| TLS Certificates | Issued by Let’s Encrypt for both domains |
| ISO Verification | No provided checksums or GPG signatures for ISO files |
| APT Sources | Requires manual configuration for optimal sources |
| Developer Identity | Sole maintainer claims prior Microsoft experience |
| Community Feedback | Open-source project with active community engagement |
Recommendations
- ISO Verification: Before installation, manually verify the ISO checksum against a trusted source. Consider building the ISO from source if feasible.
- APT Configuration: Manually configure the best APT source for your region to ensure optimal package download speeds.
- Caution with Sensitive Data: Avoid using AnduinOS for handling sensitive or critical data until further security audits are conducted.
- Community Engagement: Engage with the AnduinOS community to stay informed about updates, security patches, and best practices.