Following the Russian invasion of Ukraine, nations have sought to remove themselves from Russian influence, for example over fuel supply lines etc and introduced sanctions on import/exports. Many Linux distros originate within Russia and their sphere of influence. Is it time to consider the possible ramifications of this? Is it time to call a halt to Russian distros and others associated with them? Should mirrors stop propagating them? Is it now time for there to be an organization suitably equipped to forensically test suspect distros?

No.

1 members found this post helpful.

If you don't feel comfortable, don't use it. There are plenty of choices.

My main concern would be whether the distro is state-sponsored. I wouldn't touch Red Star Linux with a 50ft pole. But I think we shouldn't assume that just because something is built in a certain area, the software is nefarious.

What happened to "with enough eyes all bugs are shallow" or whatever was said? If that is true then people will find the bad stuff they may or may not put in the code. If it's not then the whole security model of open source just got blown apart and we should all walk away right now.

Or is this a politically based viewpoint?

Several "brands" of software originating in Russia are now homed and supported outside of Russia. The atmosphere INSIDE Russia had become oppressive even BEFORE the snactions went into effect, and It people have been leaving the country so they could continue their work.

I would check with the developer and maintainer groups, just to ensure that the distribution is not supporting the Russian economy. (Or at least, not directly). I would not abandon members of a good team without adequate reason.

I wonder though. The Russians are pretty notorious for cyberwarfare. Could we really trust anything they produced?

Given the Snowden leaks, it's pretty clear one can't trust anything coming out of the U.S. either.

I guess the real risk is more likely to be whether someone living under the Russian regime could be coerced into bad action. But then again, the U.S. isn't above applying "pressure" when it wants to. The TrueCrypt project shutdown was widely suspected to be a result of such pressure. And then there was the Dual_EC_DRBG backdoor debacle a few year back.

Let's face it. If you're running anything newer than a 486 it's probably already can't be trusted.

2 members found this post helpful.

This

Well,... the US, Israel, Uk and Germany have all been caught doing that too. I'd love to have the ability to be invisible (like on a scifi movie) so that I could go into some of the CIA, NSA building and see what they are up to.

I have only been in one or two of those buildings. In any areas where you could find out what anyone is up to, no fly would be allowed. Just sayin'

download the source offered to the world and build it yourself, if you distrust their binaries.

if you are concerned about them getting Linux, it's too late. the community there is (or at least was) huge and there are several Russian language distros. rumor is that Uncle Vlad even uses Linux out of distrust of USA, et al., although he could work in German if his language skills are still sharp.

even invisible flies?

I personally gave up Tetris.

2 members found this post helpful.

"It's a great big world out there," and software systems like Linux really don't care about "world politics." Nor should we. Because we have work to do. 'Nuff said.

2 members found this post helpful.

Sorry, but I cannot give reputation to the same post more than once... Reputation-points 2 to 10 are here:
Linux is not about thrill and buzz. That's Windows. You mixed something up.

(I would not trust an OS that is of 100% US-American origin)

1 members found this post helpful.