LinuxQuestions.org > Forums > Linux Forums > Linux - Newbie
Old 06-17-2014, 03:06 PM   #1
Amarildo
Member
 
Registered: Jun 2014
Posts: 176

Why do you trust most Linux packages?


Before I start, let me explain that this topic is not intended to cause any flames. I'm not a Windows user/fanboy, I just want to know your opinion

When most Linux users want to install a program, they look in their distro's repositories. So if you want to install VLC you just look for VLC in the package manager of your distro.

But what guarantees that the program you want to install doesn't contain any malicious features?

I wonder if there's good scrutiny by the distro developers/maintainers of most of the software they put up for download, because it seems that most just take the source packages and build the software without analysing the source code itself. So should we ultimately trust VLC? Cinnamon? GIMP? Have developers actually looked at the entire source code searching for any possible malicious code, or is there some sort of "trust" in the Linux world that if I create new software that becomes famous it'll probably be in most distros without people actually looking at the source code?

Even TrueCrypt: people trusted it for 10 years without a single audit being made of the software. Recently an audit was made and the source code contained no backdoors, no malware, nothing malicious, but even though TC is source-available I doubt many people actually spent many hours searching for nasty things in it over those 10 years.

What's your take on this?
 
Old 06-17-2014, 03:20 PM   #2
273
LQ Addict
 
Registered: Dec 2011
Location: UK
Distribution: Debian Sid AMD64, Raspbian Wheezy, various VMs
Posts: 6,725

My take is that it is difficult (but not impossible) to keep the existence of a hidden back-door secret from people working on the source code of an application. Therefore, since most (but not all) open source software is produced by teams of people, it stands to reason that more than one person is likely to know about a back door. Once more than one person knows anything it is extremely difficult to keep it secret, even for big companies and governments with threats of bankruptcy, jail time or worse, so for free projects where people of all kinds come and go it would be verging on the impossible to get everyone to keep the secret.
I have, though, actually used open-source software which contained instructions to make it part of a DDoS. That was a small project led mainly by one person, and since that debacle the team has made sure that there is always more than one pair of eyes on any code changes.
 
1 members found this post helpful.
Old 06-17-2014, 03:28 PM   #3
smallpond
Senior Member
 
Registered: Feb 2011
Location: Massachusetts, USA
Distribution: CentOS 6 (pre-systemd)
Posts: 2,775

Good luck with looking at the source:

http://cm.bell-labs.com/who/ken/trust.html
 
1 members found this post helpful.
Old 06-17-2014, 03:35 PM   #4
273
LQ Addict
 
Registered: Dec 2011
Location: UK
Distribution: Debian Sid AMD64, Raspbian Wheezy, various VMs
Posts: 6,725

Quote:
Originally Posted by smallpond View Post
Good luck with looking at the source:

http://cm.bell-labs.com/who/ken/trust.html
Of course nothing can be 100% trusted but when that compiler was written how many people were working on it and to what purpose? Has it been audited and by whom?
I think the idea here is that there is a lot more chance of a hidden nasty remaining undiscovered in closed-source software than open source. It doesn't mean that one is somehow immune just that there's a lower probability of malicious code remaining hidden in open source (or any other collaborative, including some closed-source) software.
 
1 members found this post helpful.
Old 06-17-2014, 03:43 PM   #5
saivinoba
Member
 
Registered: Oct 2007
Distribution: Gentoo, Gentoo ~amd64, Linux Mint 17
Posts: 48

In my opinion it's a good question. But it is not something that will get you a straight, 'this is like this' kind of answer. We can only discuss it and increase our awareness of security matters.

I'm not a developer or package maintainer, but this is how I see it. All of this works on a web-of-trust model. The developers sign the source package. The rest of the community trusts these developers. The packagers verify the signature of the downloaded source code, then compile it and check that the software works as intended. If it is OK, they create binary packages and sign them. We trust our distro's packagers and install the packages. Mostly the package manager software will have a built-in function to verify the authenticity of the package.

However, if any of these people put malicious code in, or a bug slips in, we are not safe. Usually the argument is 'it's open source, everybody can see the code and fix (or help to fix) it if there is any bug/malware'. But let's say we are ten friends working on a project. It's possible that each of us thinks that, since the code is openly available, any of the nine others will look into the code and report and/or fix bugs. Even if somebody finds a bug and fixes it, we are vulnerable up to the point of the fix being made and being available to us.

But then again, FOSS is all about commitment, enthusiasm and pro-active work. People do put a lot of effort into chasing bugs and fixing them, all in their free time as a volunteer effort. We should be thankful to them for this. This is where you and I come into play. We can all contribute to the effort in whatever way we can.
 
1 members found this post helpful.
Old 06-17-2014, 07:15 PM   #6
frankbell
LQ Guru
 
Registered: Jan 2006
Location: Virginia, USA
Distribution: Slackware, Debian, Mageia, and whatever VMs I happen to be playing with
Posts: 12,360
Blog Entries: 16

If I trust the distro maintainers enough to use their distro, I think it's reasonable to trust the packages that they choose to include in their repositories. It's rather all of a piece, isn't it? It's not necessarily infallible, but reputable distros do vet the packages included in their repos.

Trusting those repos is certainly more reasonable than trusting some random Windows *.exe file downloaded from some random website somewhere on the innerwebs.
 
1 members found this post helpful.
Old 06-17-2014, 07:34 PM   #7
jailbait
LQ Guru
 
Registered: Feb 2003
Location: Blue Ridge Mountain
Distribution: Linux Mint 17, Debian 8
Posts: 7,862

I am not paranoid enough to worry about it.

---------------------
Steve Stites
 
2 members found this post helpful.
Old 06-17-2014, 09:58 PM   #8
Syndacate
LQ Newbie
 
Registered: Aug 2008
Location: Santa Clara, CA
Distribution: Ubuntu, mainly. Too much stuff works out of the box O.o
Posts: 27

There really isn't much to be said about it.. Why do I trust most Linux packages? Same reason I trust most OS X or Windows binary files - no good reason, just "because."

It's essentially impossible to go through all the source of all the packages on your system and verify everything manually - especially since 95% of Linux distributions have non-free SW in there - making it literally impossible.

That being said, many many many many many more people trust that Windows (in its base, no programs) is free of malicious code and same goes for OS X, etc. though it's blind trust all around - you're putting your trust in the company that the product is free of it. This is the same way you put your trust in the waiter that he's not going to take a picture of your card.

There's no way to know for sure except to review it yourself. Even if a very popular person in the community reviews it, they may have missed something, or they may be in on the malicious nature of it and "missed" something. No options except review yourself or blind trust.

I mean screw end user packages - most of the OS isn't reviewed by many many people, so if somebody wanted it secured, they'd be best to start there.

 
1 members found this post helpful.
Old 06-18-2014, 10:14 AM   #9
mdooligan
Member
 
Registered: Feb 2009
Location: Vancouver BC
Distribution: Mandrake10/ArchHackery/Gentoo
Posts: 179

I, for one, don't trust binary packages. And with the vast myriad of distros out there, there's only a very few I trust, and then I just install bare-bones to get me to a login prompt, and compile from there. Although some things, like X, OpenOffice, web browser, Blender, etc, are nearly impossible to compile myself, so I end up installing a binary in spite of my best efforts and reluctance to do so.

Yeah, trust is a fragile thing. People blindly downloading apps for their Android OS sounds like an accident waiting to happen.
 
1 members found this post helpful.
Old 06-18-2014, 10:38 AM   #10
Syndacate
LQ Newbie
 
Registered: Aug 2008
Location: Santa Clara, CA
Distribution: Ubuntu, mainly. Too much stuff works out of the box O.o
Posts: 27

Quote:
Originally Posted by mdooligan View Post
I, for one, don't trust binary packages. And with the vast myriad of distros out there, there's only a very few I trust, and then I just install bare-bones to get me to a login prompt, and compile from there. Although some things, like X, OpenOffice, web browser, Blender, etc, are nearly impossible to compile myself, so I end up installing a binary in spite of my best efforts and reluctance to do so.

Yeah, trust is a fragile thing. People blindly downloading apps for their Android OS sounds like an accident waiting to happen.
Though what does that do? It's not a matter of whether you built the binary or the binary was built on a build server, as the OP mentioned, many many many people blindly trusted TrueCrypt and it FINALLY had an official audit (crowd sourced I believe) like 6mo or so ago after what, 10 years? It's been open source the whole time. The thing is that just because it's open source doesn't mean anybody is actually & actively reading it, and in order for the user to not have to trust anybody then they must review all code they compile manually, themselves.
 
1 members found this post helpful.
Old 06-18-2014, 10:49 AM   #11
273
LQ Addict
 
Registered: Dec 2011
Location: UK
Distribution: Debian Sid AMD64, Raspbian Wheezy, various VMs
Posts: 6,725

Quote:
Originally Posted by mdooligan View Post
I, for one, don't trust binary packages. And with the vast myriad of distros out there, there's only a very few I trust, and then I just install bare-bones to get me to a login prompt, and compile from there. Although some things, like X, OpenOffice, web browser, Blender, etc, are nearly impossible to compile myself, so I end up installing a binary in spite of my best efforts and reluctance to do so.

Yeah, trust is a fragile thing. People blindly downloading apps for their Android OS sounds like an accident waiting to happen.
Surely it takes you months to work through all the source code for all the programs you install looking for back doors? How long did it take you to check your C compiler and linker for starters?
 
1 members found this post helpful.
Old 06-18-2014, 11:10 AM   #12
cynwulf
Senior Member
 
Registered: Apr 2005
Location: Walsall, England
Posts: 1,967
Blog Entries: 5

Quote:
Originally Posted by mdooligan View Post
I, for one, don't trust binary packages.
You mean that you don't trust binaries compiled by distributions' package maintainers? In other words you do trust the upstream source, but not precompiled binaries quite possibly patched by the distribution you use?

This actually implies that if Joe Bloggs produces package_foo and you just compile it and install it, that's somehow safer than a typical distribution having more sets of eyes on it.

As others have hinted, I'm pretty sure that you're not reading through the full source code of every piece of software you compile.
 
1 members found this post helpful.
Old 06-18-2014, 11:53 AM   #13
replica9000
Senior Member
 
Registered: Jul 2006
Location: USA
Distribution: Debian, FreeBSD, Android
Posts: 1,051
Blog Entries: 2

I trust packages in the official repositories, and well known repositories. Usually if I need a package outside of a trusted repository, I'll look more into it before using it. I'm not going to be ultra paranoid about it though. Even if the upstream source is good, something could potentially be compromised between upstream and the repository.
 
1 members found this post helpful.
Old 06-18-2014, 03:23 PM   #14
DJ Shaji
Member
 
Registered: Dec 2004
Location: Yo Momma's house
Distribution: Fedora Rawhide, ArchLinux
Posts: 517
Blog Entries: 15

One thing to note: even if looking at the source doesn't guarantee that any malicious code can be detected, it would still be easier on an open source system to detect malicious behavior. It's the same with rootkits and ssh break-ins. You know something's wrong when the system starts acting up. Even if somehow the tools that one can use to detect an intrusion/malicious code injection have themselves been compromised, things like CPU load or the flashing lights on the nic would still be indicative that something is not right. If you think the system is compromised, nuke it and start over. If you think an entire distro is compromised, pick another one. The only thing that the above mentioned paper points out is that compiler level hacks are difficult to detect. That's true of all computer security.
 
1 members found this post helpful.
Old 06-18-2014, 03:59 PM   #15
metaschima
Senior Member
 
Registered: Dec 2013
Distribution: Slackware
Posts: 1,982

Quote:
Originally Posted by Amarildo View Post
Before I start, let me explain that this topic is not intended to cause any flames. I'm not a Windows user/fanboy, I just want to know your opinion

When most Linux users want to install a program, they look in their distro's repositories. So if you want to install VLC you just look for VLC in the package manager of your distro.

But what guarantees that the program you want to install doesn't contain any malicious features?

I wonder if there's good scrutiny by the distro developers/maintainers of most of the software they put up for download, because it seems that most just take the source packages and build the software without analysing the source code itself. So should we ultimately trust VLC? Cinnamon? GIMP? Have developers actually looked at the entire source code searching for any possible malicious code, or is there some sort of "trust" in the Linux world that if I create new software that becomes famous it'll probably be in most distros without people actually looking at the source code?

Even TrueCrypt: people trusted it for 10 years without a single audit being made of the software. Recently an audit was made and the source code contained no backdoors, no malware, nothing malicious, but even though TC is source-available I doubt many people actually spent many hours searching for nasty things in it over those 10 years.

What's your take on this?
Things to consider:
1) open-source software has more eyes that look through the code than proprietary software. Sure, maybe not you or non-programmers, but others do.
2) open-source software has less of a chance of containing a backdoor in plain sight, because it would be easy to locate, however if properly obfuscated like OpenSSL is, then it would be much easier. It is even easier to hide it when you never release the code (proprietary).
3) other users use open-source software, so if it were malicious, they would have reported it as well as the programmers looking at the code.
4) If you're worried about hackers, always verify the .asc gpg signature of the package.
5) open-source and proprietary software are developed with different motives in mind. One is about developing something that you too will use, and the other is about mining as much data as possible from the "user" so you can feed them some more targeted advertising.

Why do I trust Linux packages? Because I don't trust proprietary ones, for the above reasons. I do program, and if I suspect any malware I will investigate. However, I've been using clamav for quite a while and have only found one Windoze-only trojan on my system, long ago. Experience also vouches for open-source, because using antivirus on Windoze I found hundreds of different pieces of malware over the years I was using it. That plus the constant Windoze rot made me switch. Windoze just isn't a reliable enough OS to get meaningful work done on. I really am surprised how everyone else puts up with it. If you can put up with it then you should be good for the next inquisition ... you can stand a lot of pain and anguish.
 
1 members found this post helpful.
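The signing chain saivinoba describes in post #5 (upstream signs the source, the packager verifies it, builds, and signs the binary package, and the package manager verifies that signature before installing) and the ".asc signature" check metaschima recommends in post #15 are the same mechanism seen from two ends. The Go program below is an added example, not code from this thread or from any distribution or package manager: it models that chain end to end so the reader can see exactly what a signature does and does not catch. Ed25519 stands in for the OpenPGP keys real distributions use, the "build" step is a stub that just prefixes the source bytes, and the tamper points (between upstream and packager, between repository and user, and a backdoor signed by upstream itself) are constructed for the demonstration. Key names and the function names are assumptions of this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// signer is one party in the chain (upstream developer or distro packager).
// Keys are generated fresh on every run; real distributions use long-lived
// OpenPGP keys whose public halves ship with the distro or are fetched out of band.
type signer struct {
	name string
	pub  ed25519.PublicKey
	priv ed25519.PrivateKey
}

func newSigner(name string) signer {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return signer{name: name, pub: pub, priv: priv}
}

// artifact is a source tarball or binary package plus a detached signature,
// the equivalent of foo.tar.gz next to foo.tar.gz.asc.
type artifact struct {
	data []byte
	sig  []byte
}

// digest is what actually gets signed: the SHA-256 of the bytes, not the bytes.
func digest(b []byte) []byte {
	h := sha256.Sum256(b)
	return h[:]
}

func (s signer) release(data []byte) artifact {
	return artifact{data: data, sig: ed25519.Sign(s.priv, digest(data))}
}

func verify(pub ed25519.PublicKey, a artifact) bool {
	return ed25519.Verify(pub, digest(a.data), a.sig)
}

// build stands in for the packager's compile step (assumption: deterministic).
func build(src []byte) []byte {
	return append([]byte("BIN:"), src...)
}

var ErrUpstreamSig = errors.New("upstream signature does not verify: refusing to build")
var ErrPackagerSig = errors.New("packager signature does not verify: refusing to install")

// packageFromUpstream is the packager's step: verify upstream, build, sign.
func packageFromUpstream(upstreamPub ed25519.PublicKey, packager signer, src artifact) (artifact, error) {
	if !verify(upstreamPub, src) {
		return artifact{}, ErrUpstreamSig
	}
	return packager.release(build(src.data)), nil
}

// install is the end user's step, what the package manager does with the repo key.
func install(packagerPub ed25519.PublicKey, pkg artifact) ([]byte, error) {
	if !verify(packagerPub, pkg) {
		return nil, ErrPackagerSig
	}
	return pkg.data, nil
}

// Chain runs source -> package -> install. tamperAt selects a constructed
// attack: "source" (modified in transit to the packager), "package" (modified
// in transit to the user), or "" (no tampering). Returns the installed bytes.
func Chain(source string, tamperAt string) (string, error) {
	upstream := newSigner("upstream")
	packager := newSigner("packager")

	src := upstream.release([]byte(source))
	if tamperAt == "source" {
		src.data = append(append([]byte{}, src.data...), "\n/* backdoor */"...)
	}
	pkg, err := packageFromUpstream(upstream.pub, packager, src)
	if err != nil {
		return "", err
	}
	if tamperAt == "package" {
		pkg.data = append(append([]byte{}, pkg.data...), "\n/* backdoor */"...)
	}
	bin, err := install(packager.pub, pkg)
	if err != nil {
		return "", err
	}
	return string(bin), nil
}

func main() {
	for _, t := range []string{"", "source", "package"} {
		out, err := Chain("int main(void){return 0;}", t)
		fmt.Printf("tamper=%q -> installed=%q err=%v\n", t, out, err)
	}
	// A backdoor that upstream itself signs verifies cleanly at every hop.
	out, err := Chain("int main(void){ /* backdoor */ return 0; }", "")
	fmt.Printf("upstream-signed backdoor -> installed=%q err=%v\n", out, err)
}
```

The two tamper cases fail at the hop where the signature is checked, which is the "compromised between upstream and the repository" case replica9000 raises in post #13. The last case is the one saivinoba flags: a signature proves that the holder of the key published these exact bytes, nothing more, so a backdoor committed and signed by upstream passes every check. In practice the equivalent of `verify` is `gpg --verify foo.tar.gz.asc foo.tar.gz` against a public key you obtained from somewhere other than the download site, and the package manager doing the same with the repository key; the equivalent of the last case is the code review the rest of the thread is arguing about.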