LinuxQuestions.org
Latest LQ Deal: Complete CCNA, CCNP & Red Hat Certification Training Bundle
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Newbie
User Name
Password
Linux - Newbie This Linux forum is for members that are new to Linux.
Just starting out and have a question? If it is not in the man pages or the how-to's this is the place!

Notices


Reply
  Search this Thread
Old 01-19-2014, 08:39 PM   #1
Altiris
Member
 
Registered: Mar 2013
Posts: 554

Rep: Reputation: Disabled
Who checks the integrity of Linux distros?


Is there a company or a coalition of people who inspect the source code of various/popular Linux distros to make sure they aren't doing any malicious such as logging or stealing private data? We all say/believe open source is safer and it is in most cases but are people actually checking the source code of distros to be sure or just taking their word for it?
 
Old 01-19-2014, 08:55 PM   #2
rokytnji
Senior Member
 
Registered: Mar 2008
Location: Waaaaay out West Texas
Distribution: AntiX 15 , Slackel 14.1, ChromeOS
Posts: 4,713
Blog Entries: 19

Rep: Reputation: 1970Reputation: 1970Reputation: 1970Reputation: 1970Reputation: 1970Reputation: 1970Reputation: 1970Reputation: 1970Reputation: 1970Reputation: 1970Reputation: 1970
No use woooooooooooorying about that.

Besides. I run ANTIX mostly and trust the developer and and Debian. Slackware users have their own faith in their distro. I am sure if malicious code is found. It will be brought to light quicker than you can say, "Sheesh"!
 
Old 01-19-2014, 09:02 PM   #3
Altiris
Member
 
Registered: Mar 2013
Posts: 554

Original Poster
Rep: Reputation: Disabled
Quote:
Originally Posted by rokytnji View Post
No use woooooooooooorying about that.

Besides. I run ANTIX mostly and trust the developer and and Debian. Slackware users have their own faith in their distro. I am sure if malicious code is found. It will be brought to light quicker than you can say, "Sheesh"!
So you would just take anyone's word for it? If nobody is checking the code how do you know they are keeping their word? When people found out about Ubuntu and unity search collecting I for one believe that this wasn't discovered by looking in the code, there was a "Legal Notice" on the bottom right of the unity search. What I'm getting at is that nobody is actually inspecting code. Unless there's an organization that is doing so?
 
Old 01-19-2014, 09:33 PM   #4
rokytnji
Senior Member
 
Registered: Mar 2008
Location: Waaaaay out West Texas
Distribution: AntiX 15 , Slackel 14.1, ChromeOS
Posts: 4,713
Blog Entries: 19

Rep: Reputation: 1970Reputation: 1970Reputation: 1970Reputation: 1970Reputation: 1970Reputation: 1970Reputation: 1970Reputation: 1970Reputation: 1970Reputation: 1970Reputation: 1970
Quote:
Originally Posted by Altiris View Post
So you would just take anyone's word for it? If nobody is checking the code how do you know they are keeping their word? When people found out about Ubuntu and unity search collecting I for one believe that this wasn't discovered by looking in the code, there was a "Legal Notice" on the bottom right of the unity search. What I'm getting at is that nobody is actually inspecting code. Unless there's an organization that is doing so?
People pay for WHATEVER Mac and Windows sells as a operating system and their is no source code to inspect.

I really don't get your point one bit. Anyone? Would you trust the inspecting organization?
Especially funded by external resources. Maybe you are a candidate for http://stallman.org/stallman-computing.html and http://www.gnu.org/

I don't know what else to say to you. I am just a ignorant Linux using Biker.

Edit: Besides, when a flaw was found in the kernel at kernel.org. It was caught and flashed over the net in record time. I really don't see your point. Your
Hardware is probably more compromised with backdoors and stuff from asia where it was manufactured than worrying about the integrity of source code. Do our you trust your phone? Who filters/inspects that? Android? Ya gotta be kidding me.

Last edited by rokytnji; 01-19-2014 at 09:41 PM.
 
Old 01-19-2014, 09:48 PM   #5
k3lt01
Senior Member
 
Registered: Feb 2011
Location: Australia
Distribution: Debian Wheezy, Jessie, Sid/Experimental, playing with LFS.
Posts: 2,900

Rep: Reputation: 636Reputation: 636Reputation: 636Reputation: 636Reputation: 636Reputation: 636
Yes people look at the "code" within distros. As an example research AnonymousOS and what happened there. The beauty of Open Source is that the source is open and anyone can look at it and report bugs or other problems, submit patches, fork the code and improve on it.

Your reference to Ubuntu and Unity is, in my opinion, not the norm but then again Ubuntu, Canonical, and Ubuntu users are not the norm anyway. The Ubuntu ecosystem is unfortunately a very strange beast within Open Source and is, in my opinion, the Open Source equivalent to the MS Windows ecosystem. Fanboys believe whatever they are told by those who they look up to for their technology fashions.
 
Old 01-20-2014, 02:25 AM   #6
allend
Senior Member
 
Registered: Oct 2003
Location: Melbourne
Distribution: Slackware-current
Posts: 4,437

Rep: Reputation: 1356Reputation: 1356Reputation: 1356Reputation: 1356Reputation: 1356Reputation: 1356Reputation: 1356Reputation: 1356Reputation: 1356Reputation: 1356
@Altiris - Ask yourself this question. If you were an open source developer, would you risk your reputation, hard work and respect of your peers by doing something offensive that could be easily found by anyone reading the code or simply noticing an odd file or outgoing connection?

A further safeguard is that open source projects generally have multiple developers who inspect and approve each others new code and amendments.
 
Old 01-20-2014, 02:50 AM   #7
ericson007
Member
 
Registered: Sep 2004
Location: Japan
Distribution: CentOS 7.1
Posts: 656

Rep: Reputation: 121Reputation: 121
Yes, in the case of rhel, they independantly get audits done.

http://www.redhat.com/solutions/indu...fications.html

Since rhel and those also contributes lots to the kernel and have their kernel based on the kernel at kernel.org, i think it is pretty safe to bet the kernel has been properly audited times over. Not only by peers, but also independants indirectly.
 
Old 01-20-2014, 07:42 AM   #8
dolphin_oracle
Member
 
Registered: Dec 2013
Posts: 329

Rep: Reputation: Disabled
Not to mention the Debian Foundation, which is a large organization of disparate individuals who constantly examine each other's code. And its all published for anyone to see and use.
 
Old 01-20-2014, 10:23 AM   #9
TobiSGD
Moderator
 
Registered: Dec 2009
Location: Germany
Distribution: Whatever fits the task best
Posts: 17,130
Blog Entries: 2

Rep: Reputation: 4825Reputation: 4825Reputation: 4825Reputation: 4825Reputation: 4825Reputation: 4825Reputation: 4825Reputation: 4825Reputation: 4825Reputation: 4825Reputation: 4825
Quote:
Originally Posted by Altiris View Post
So you would just take anyone's word for it? If nobody is checking the code how do you know they are keeping their word? When people found out about Ubuntu and unity search collecting I for one believe that this wasn't discovered by looking in the code, there was a "Legal Notice" on the bottom right of the unity search. What I'm getting at is that nobody is actually inspecting code. Unless there's an organization that is doing so?
Even if there was some group inspecting code for malicious things, you still would have to take their word that they did not "forget" to tell you about a problem in the code. You would just move your trust from the distro's developers to some other guy working for that group. You just would need another group, inspecting the work of the first group, and another group that inspects the work of the second group, ... .
Effectively, nothing would change, at some point you just have to trust someone and the easiest way is to just trust the distro's developers. If you can't do that you are using the wrong distribution.

Last edited by TobiSGD; 01-20-2014 at 10:24 AM.
 
Old 01-20-2014, 12:40 PM   #10
DavidMcCann
Senior Member
 
Registered: Jul 2006
Location: London
Distribution: CentOS, Salix
Posts: 4,166

Rep: Reputation: 1223Reputation: 1223Reputation: 1223Reputation: 1223Reputation: 1223Reputation: 1223Reputation: 1223Reputation: 1223Reputation: 1223
Most Linuxes are developed by a community of developers, even if they are commercially soponsored like OpenSUSE and Fedora. You'd have to get everyone in the conspiracy, or run the risk of one of the developers spotting the malicious code and blowing the whistle. Ubuntu, of course, is produced by a team of employees who will do whatever they're paid to.
 
Old 01-20-2014, 12:55 PM   #11
dugan
LQ Guru
 
Registered: Nov 2003
Location: Canada
Distribution: Slackware
Posts: 7,015

Rep: Reputation: 2535Reputation: 2535Reputation: 2535Reputation: 2535Reputation: 2535Reputation: 2535Reputation: 2535Reputation: 2535Reputation: 2535Reputation: 2535Reputation: 2535
Quote:
Originally Posted by Altiris View Post
Is there a company or a coalition of people who inspect the source code of various/popular Linux distros to make sure they aren't doing any malicious such as logging or stealing private data? We all say/believe open source is safer and it is in most cases but are people actually checking the source code of distros to be sure or just taking their word for it?
The largest inspection is crowd sourced. Anyone who has the ability to read code (and there are a lot of random people who can) has the ability to inspect it. The "many eyes" approach is one of the principles behind the open source.

Quote:
When people found out about Ubuntu and unity search collecting I for one believe that this wasn't discovered by looking in the code, there was a "Legal Notice" on the bottom right of the unity search.
It was "discovered" by Canonical announcing it, wasn't it? That just means that Ubuntu was transparent about what they were actually doing. There isn't a problem here. And still, anyone who wants to inspect the code can do so by checking it out from, say, packages.ubuntu.com.

So as long as you can read code, you don't have to take anybody's word.

Last edited by dugan; 01-20-2014 at 01:07 PM.
 
Old 01-20-2014, 01:37 PM   #12
jamison20000e
Senior Member
 
Registered: Nov 2005
Location: ...uncanny valley... infinity\1975; (randomly born:) Milwaukee, WI, US, Earth, end border$! ◣◢┌∩┐ Fe26-E,e...
Distribution: any GPL that works well on my cheapest, has been KDE or CLI but open... http://goo.gl/NqgqJx &c ;-)
Posts: 3,116
Blog Entries: 2

Rep: Reputation: 840Reputation: 840Reputation: 840Reputation: 840Reputation: 840Reputation: 840Reputation: 840
You.
 
Old 01-20-2014, 05:03 PM   #13
ericson007
Member
 
Registered: Sep 2004
Location: Japan
Distribution: CentOS 7.1
Posts: 656

Rep: Reputation: 121Reputation: 121
If you are so sceptical, just put the computer back in the box. I personally would be more worried about what info they can get legally from my bank and other accounts and all the servers i connect to rather than the operating system. You obviously didn't see the bbc article where they can get info from your machine via wireless even though your machine is not connected to the net.

Oh please rip out your gps in the car too. That probably runs linux but is actually programmed with your favorite routes and past destinations. Oh and phone taps but mail wont solve that issue because they have authority to intercept your mail.

Thinking about it. Move to a desolate island, oh sorry, satellites can still spot you.
 
Old 01-20-2014, 05:51 PM   #14
jamison20000e
Senior Member
 
Registered: Nov 2005
Location: ...uncanny valley... infinity\1975; (randomly born:) Milwaukee, WI, US, Earth, end border$! ◣◢┌∩┐ Fe26-E,e...
Distribution: any GPL that works well on my cheapest, has been KDE or CLI but open... http://goo.gl/NqgqJx &c ;-)
Posts: 3,116
Blog Entries: 2

Rep: Reputation: 840Reputation: 840Reputation: 840Reputation: 840Reputation: 840Reputation: 840Reputation: 840
BSD, Ufw, IPtables, Firewalled, http://en.wikipedia.org/wiki/Penetration_test, http://sectools.org/,,, and on...

Last edited by jamison20000e; 01-20-2014 at 05:52 PM.
 
Old 01-20-2014, 06:36 PM   #15
jefro
Moderator
 
Registered: Mar 2008
Posts: 15,408

Rep: Reputation: 2207Reputation: 2207Reputation: 2207Reputation: 2207Reputation: 2207Reputation: 2207Reputation: 2207Reputation: 2207Reputation: 2207Reputation: 2207Reputation: 2207
I don't say open source is safer.

jamison20000e posts the basic correct answer. You have every right and ability to view and test and submit changes.

No operating system has been proven resistant. Many very old applications still contain issues. Learning and using as many best practices as you can helps to avoid issues no matter what OS you use.

Last edited by jefro; 01-20-2014 at 06:38 PM.
 
1 members found this post helpful.
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
Hardware compatible with one or more linux distros. Will it work on all other distros necromancer44 Linux - Hardware 2 06-07-2010 07:28 PM
Data Integrity Checks itnaa Linux - Software 7 12-22-2006 02:28 PM
Is there a utility that checks the stability of a linux install? jtp51 Slackware 3 11-02-2004 03:42 PM
linux won't start after checks vavavoom Linux - Newbie 5 11-04-2003 10:58 PM
Integrity checks on RH 6.1 munyard Linux - Security 1 12-11-2002 08:29 AM


All times are GMT -5. The time now is 08:53 PM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration