LinuxQuestions.org
Old 07-12-2010, 02:52 AM   #1
kellyapproved
LQ Newbie
 
Registered: Jul 2010
Posts: 19

Rep: Reputation: 0
Trusting Linux


Because Linux is open source, anyone can take a distro, modify it and offer it up for free on the Internet.

With Windows, many people download it using a torrent and there have been times when malware has been incorporated into the OS so as to be able to take control of the pirated OS.

Wouldn't the same hold true with all the different flavors of Linux? I can trust the big brand names, but it's all the different iterations of the major distros that I would have my concerns about.
 
Old 07-12-2010, 03:44 AM   #2
John VV
LQ Muse
 
Registered: Aug 2005
Location: A2 area Mi.
Posts: 16,818

Rep: Reputation: 2408
Quote:
Wouldn't the same hold true with all the different flavors of Linux?
it could and has BUT a big BUT
because it is open it CAN be checked

there are hashes made for prebuilt code and the package managers check it. Every now and then something might slip by, BUT it is caught fast.
in the past 5 years I have NOT seen this for myself
(I have not gotten a "messed with" package)
 
Old 07-12-2010, 03:45 AM   #3
win32sux
LQ Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 376
Quote:
Originally Posted by kellyapproved
Because Linux is open source, anyone can take a distro, modify it and offer it up for free on the Internet.

With Windows, many people download it using a torrent and there have been times when malware has been incorporated into the OS so as to be able to take control of the pirated OS.

Wouldn't the same hold true with all the different flavors of Linux? I can trust the big brand names, but it's all the different iterations of the major distros that I would have my concerns about.
Yes, malicious code could be incorporated into any distro by its developer(s). And no, you're not alone – many people have an easier time trusting "big brand names" than they do the little projects for this reason (among others).
 
Old 07-12-2010, 03:56 AM   #4
tommyttt
Member
 
Registered: Oct 2009
Location: Federal Way, WA
Distribution: openSUSE 11.4 x86_64, openSuSE 12.1, Fedora 15
Posts: 207

Rep: Reputation: 34
Quote:
Originally Posted by kellyapproved
Because Linux is open source, anyone can take a distro, modify it and offer it up for free on the Internet.

With Windows, many people download it using a torrent and there have been times when malware has been incorporated into the OS so as to be able to take control of the pirated OS.

Wouldn't the same hold true with all the different flavors of Linux? I can trust the big brand names, but it's all the different iterations of the major distros that I would have my concerns about.
If you don't trust any OS downloaded, run it from a sandbox or other secure environment so you don't contaminate your system. In other words, put it into its own partition with no other partitions mounted.

Tom
 
Old 07-12-2010, 04:06 AM   #5
win32sux
LQ Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 376
Quote:
Originally Posted by John VV
there are hashes made for prebuilt code and the package managers check it
Right, but that only protects you from third party tampering. The distro developer is still able to build the packages using evil source code (while providing you with innocent source code). That said, at least GNU/Linux users have the option of building entire systems from source code (which can be thoroughly analyzed) if they so desire – Windows users don't have that kind of freedom.
 
Old 07-12-2010, 11:55 AM   #6
kellyapproved
LQ Newbie
 
Registered: Jul 2010
Posts: 19

Original Poster
Rep: Reputation: 0
Quote:
Originally Posted by tommyttt
If you don't trust any OS downloaded, run it from a sandbox or other secure environment so you don't contaminate your system. In other words, put it into its own partition with no other partitions mounted.

Tom
Thank you everyone, this was interesting to read.

@tommyttt, this wouldn't work for me. I am looking for a distro that I can use as a LiveCD/boot to RAM that I can use when I'm away from home.

I've gone with Linux Mint, they seem to have a track record of a few years behind them and I like this distro quite a bit. I suspect if there was anything bad with their code, it would have come out long before now.
 
Old 07-12-2010, 12:03 PM   #7
rsciw
Member
 
Registered: Jan 2009
Location: Essex (UK)
Distribution: Home: Debian/Ubuntu, Work: Ubuntu
Posts: 206

Rep: Reputation: 44
A few good live CDs available are Debian, Ubuntu and Knoppix, all of them trustable.
 
Old 07-12-2010, 03:17 PM   #8
David2010
Member
 
Registered: May 2009
Posts: 255

Rep: Reputation: 23
Quote:
Originally Posted by win32sux
Right, but that only protects you from third party tampering. The distro developer is still able to build the packages using evil source code (while providing you with innocent source code). That said, at least GNU/Linux users have the option of building entire systems from source code (which can be thoroughly analyzed) if they so desire – Windows users don't have that kind of freedom.
Although it is a pain in the arse, a person can look through the source code of every single program they install. But who would actually do that?

I use gentoo but I don't look through the source code downloaded by "emerge".

I suppose I just have a lot of trust towards linux being a safe OS.
 
Old 07-12-2010, 03:33 PM   #9
Awatto
Member
 
Registered: Aug 2003
Location: Halifax, NS
Distribution: Debian, Gentoo, Ubuntu, Fedora
Posts: 128

Rep: Reputation: 30
Not too long ago, Gentoo discovered a back door that had been in the distro for ~8 months. See:

http://www.zdnet.com/blog/bott/linux...r-updated/2206

Linux isn't infallible, and neither are the distro maintainers (Gentoo is wonderful!) but the "security" part of open source comes from the fact that if there IS a problem, anyone can notice it, patch it, and send it upstream to be included (after review) in binaries for everyone. This is the safety brought to you by open source, not that open source/linux is entirely secure. It simply gets fixed faster/easier.
 
Old 07-12-2010, 03:40 PM   #10
David2010
Member
 
Registered: May 2009
Posts: 255

Rep: Reputation: 23
Quote:
Originally Posted by Awatto
Not too long ago, Gentoo discovered a back door that had been in the distro for ~8 months. See:

http://www.zdnet.com/blog/bott/linux...r-updated/2206

Linux isn't infallible, and neither are the distro maintainers (Gentoo is wonderful!) but the "security" part of open source comes from the fact that if there IS a problem, anyone can notice it, patch it, and send it upstream to be included (after review) in binaries for everyone. This is the safety brought to you by open source, not that open source/linux is entirely secure. It simply gets fixed faster/easier.
I just installed gentoo on this laptop not but less than a week ago.

I am very careful about which programs I install. I don't use IRC so I don't have to worry about that.

But I understand that no OS is... bullet proof.
 
Old 07-12-2010, 04:45 PM   #11
win32sux
LQ Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 376
Quote:
Originally Posted by David2010
Although it is a pain in the arse, a person can look through the source code of every single program they install. But who would actually do that?
While only a handful of people do that sort of thing, the freedom to do so is still there for all GNU/Linux users. Even if you're not a programmer yourself, there's nothing stopping you from handing all the source code over to a professional auditor before you build it (financial factors are another story, of course). And even so, at that point you're still reliant upon trust in the auditor.

Trust is and always will be a part of the equation in one way or another – regardless of OS and/or license.

Last edited by win32sux; 07-12-2010 at 04:49 PM.
 
Old 07-12-2010, 05:01 PM   #12
John VV
LQ Muse
 
Registered: Aug 2005
Location: A2 area Mi.
Posts: 16,818

Rep: Reputation: 2408
Trust also is earned. Most big projects stay within 2 to 3 days for a "Major" bug/hole to be fixed. Sometimes that is not possible and a fix takes years, but those are exceptions.
 
Old 07-12-2010, 05:18 PM   #13
David2010
Member
 
Registered: May 2009
Posts: 255

Rep: Reputation: 23
Quote:
Originally Posted by win32sux
While only a handful of people do that sort of thing, the freedom to do so is still there for all GNU/Linux users. Even if you're not a programmer yourself, there's nothing stopping you from handing all the source code over to a professional auditor before you build it (financial factors are another story, of course). And even so, at that point you're still reliant upon trust in the auditor.

Trust is and always will be a part of the equation in one way or another – regardless of OS and/or license.
I have plenty of programming experience but I don't have the free time to look through the source code of every program I install.

Although having the option to do so is convenient.
 
Old 07-12-2010, 09:48 PM   #14
kellyapproved
LQ Newbie
 
Registered: Jul 2010
Posts: 19

Original Poster
Rep: Reputation: 0
Quote:
Originally Posted by Awatto
Not too long ago, Gentoo discovered a back door that had been in the distro for ~8 months. See:

http://www.zdnet.com/blog/bott/linux...r-updated/2206

.
That's horrible. A quote from the ZDnet site "It’s much worse than it appears"

I guess it's a matter of the devil you know vs the devil you don't.
 
Old 07-12-2010, 10:10 PM   #15
John VV
LQ Muse
 
Registered: Aug 2005
Location: A2 area Mi.
Posts: 16,818

Rep: Reputation: 2408
the unreal iso, and only one of the mirrors was compromised
does anyone here use "Unreal3.2.8.1"? it is not even listed on distro watch.

a good example of how it is supposed to work (and does work)
is:
Fedora 8

some of the Red Hat run mirrors were "cracked"
so all packages were suspended, checked and reissued a NEW hash after being checked.

it turned out that NONE of the fedora rpm's were messed with but EVERYTHING was checked

Last edited by John VV; 07-12-2010 at 10:15 PM.
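
Added example (not part of any post in this thread): posts #2 and #5 discuss hash checks and what they do not cover, and post #15 mentions a compromised mirror. The script below uses constructed stand-in files and a hypothetical `check_image` helper to show that a checksum list fetched from the same mirror as the image still matches a modified image, while the list obtained from the project does not.

```bash
#!/usr/bin/env bash
# Added example; every file created here is a constructed stand-in.

# check_image IMAGE SUMS_FILE  ->  prints: match | mismatch | unlisted
check_image() {
    local image=$1 sums=$2 name expected actual
    name=$(basename "$image")
    # Checksum lists hold "<hex digest>  <name>"; binary mode prefixes the name with '*'.
    expected=$(awk -v n="$name" \
        '{ f = $2; sub(/^\*/, "", f); if (f == n) { print $1; exit } }' "$sums")
    # An image that is not listed at all has not been verified.
    if [ -z "$expected" ]; then echo unlisted; return 0; fi
    actual=$(sha256sum "$image" | awk '{ print $1 }')
    if [ "$actual" = "$expected" ]; then echo match; else echo mismatch; fi
}

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
mkdir "$WORK/project" "$WORK/mirror"

# The image as released, and a modified copy sitting on one compromised mirror.
printf 'image as released by the project\n' > "$WORK/project/distro.iso"
printf 'image modified on the mirror\n'     > "$WORK/mirror/distro.iso"

# Checksum list obtained from the project itself (a separate, trusted channel).
(cd "$WORK/project" && sha256sum distro.iso > SHA256SUMS)
# Whoever controls the mirror can regenerate the list beside the modified image.
(cd "$WORK/mirror" && sha256sum distro.iso > SHA256SUMS)

echo "mirror image vs. mirror's own list: $(check_image "$WORK/mirror/distro.iso" "$WORK/mirror/SHA256SUMS")"
echo "mirror image vs. project's list:    $(check_image "$WORK/mirror/distro.iso" "$WORK/project/SHA256SUMS")"
echo "released image vs. project's list:  $(check_image "$WORK/project/distro.iso" "$WORK/project/SHA256SUMS")"
```

The hash only ties the image to whoever published the list, so the list has to come from a channel the mirror operator cannot rewrite. As post #5 notes, it says nothing about what the publisher built into the image in the first place.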
 
  


All times are GMT -5.