LinuxQuestions.org
Old 06-18-2014, 04:05 PM   #16
dugan
LQ Guru
 
Registered: Nov 2003
Location: Canada
Distribution: Slackware
Posts: 7,367

Rep: Reputation: 2747

Quote:
Originally Posted by Amarildo
But what guarantees that the program you want to install doesn't contain any malicious features?

What's your take on this?
My take is that "guarantees" is an overly strong word.

Intentional backdoors/trojans introduced by the developers of the software have always been extremely rare. I can't think of any off the top of my head, for either closed source or open source, and I expect that any that people point out in replies would be both specific and blatant enough to prove the point.

As a developer myself, I trust the developers of the software to look over code that is contributed by others before incorporating it. If the project has been around for a long time, then I trust that the people working on it value their reputations and that of the project.

I know how to look over the packaging scripts that build packages (.deb, .rpm, etc.) from source.

And now, I would like to add another parameter to the question: how do you know that the package that you're downloading has not been tampered with between the time the developer uploads the source, the time it's built into a .deb/.rpm/other package, and the time you download it from your favorite repository? That's supposed to be what cryptographic signing is for, but it's by no means universally used.

Last edited by dugan; 06-20-2014 at 11:15 AM.
 
1 members found this post helpful.
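The check dugan describes, as an added example that is not part of this thread: a constructed Go program in which a distribution signs a SHA256SUMS-style manifest (Ed25519 here, where real distributions typically use GPG) and a client verifies the manifest signature before trusting the digest of a downloaded package. Package names, contents and the signing key are all made up for the demonstration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
)

func digestHex(data []byte) string {
	sum := sha256.Sum256(data)
	return hex.EncodeToString(sum[:])
}

// buildManifest produces a SHA256SUMS-style listing ("<digest>  <name>" per line); it is the only thing the signing key covers.
func buildManifest(names []string, pkgs map[string][]byte) string {
	var b strings.Builder
	for _, n := range names {
		fmt.Fprintf(&b, "%s  %s\n", digestHex(pkgs[n]), n)
	}
	return b.String()
}

// verifyPackage is the client side: check the manifest signature first, then the package against the digest the signed manifest lists.
func verifyPackage(pub ed25519.PublicKey, manifest, sig []byte, name string, pkg []byte) error {
	if !ed25519.Verify(pub, manifest, sig) {
		return errors.New("manifest signature invalid: manifest or key replaced")
	}
	for _, line := range strings.Split(string(manifest), "\n") {
		fields := strings.Fields(line)
		if len(fields) == 2 && fields[1] == name {
			if fields[0] != digestHex(pkg) {
				return errors.New("digest mismatch: package altered after signing")
			}
			return nil
		}
	}
	return errors.New("package not listed in signed manifest")
}

func main() {
	// Constructed sample: the distribution's signing key and two fake "packages".
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	pkgs := map[string][]byte{"foo_1.0.deb": []byte("foo"), "bar_2.1.deb": []byte("bar")}
	manifest := []byte(buildManifest([]string{"bar_2.1.deb", "foo_1.0.deb"}, pkgs))
	sig := ed25519.Sign(priv, manifest)
	fmt.Println("intact:", verifyPackage(pub, manifest, sig, "foo_1.0.deb", pkgs["foo_1.0.deb"]))
	fmt.Println("tampered:", verifyPackage(pub, manifest, sig, "foo_1.0.deb", []byte("foo+backdoor")))
	// A mirror that rewrites the manifest to match cannot re-sign it without the key.
	forged := []byte(strings.Replace(string(manifest), digestHex([]byte("foo")), digestHex([]byte("foo+backdoor")), 1))
	fmt.Println("forged:", verifyPackage(pub, forged, sig, "foo_1.0.deb", []byte("foo+backdoor")))
}
```

An unsigned checksum file only catches corruption; the signature is what ties the digests to the publisher, which is why a mirror that rewrites both the package and the manifest still fails the check.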
Old 06-19-2014, 05:03 PM   #17
Amarildo
Member
 
Registered: Jun 2014
Posts: 176

Original Poster
Rep: Reputation: Disabled
Thanks everyone, I learned a lot from you all
 
Old 06-19-2014, 07:40 PM   #18
mdooligan
Member
 
Registered: Feb 2009
Location: Vancouver BC
Distribution: Mandrake10/ArchHackery/Gentoo
Posts: 179

Rep: Reputation: 22
Quote:
Originally Posted by cynwulf
You mean that you don't trust binaries compiled by distributions' package maintainers? In other words you do trust the upstream source, but not precompiled binaries quite possibly patched by the distribution you use?

This actually implies that if Joe Bloggs produces package_foo and you just compile it and install it, that's somehow safer than a typical distribution having more sets of eyes on it.

As others have hinted, I'm pretty sure that you're not reading through the full source code of every piece of software you compile.
Yes, it's true.

But...

I feel that if someone is releasing the source code for their project, it kind of forces them to be honest. If they will not release the source code, they are likely hiding something. And I do look through code when I have time. Compiling an app/lib from source is a great learning experience by scrolling through the configure logs and make logs.

It's true that nasties can be hidden in the code very cleverly, I just feel better/safer when I have the source.
 
Old 06-19-2014, 09:34 PM   #19
Syndacate
LQ Newbie
 
Registered: Aug 2008
Location: Santa Clara, CA
Distribution: Ubuntu, mainly. Too much stuff works out of the box O.o
Posts: 27

Rep: Reputation: 35
Quote:
Originally Posted by mdooligan
Yes, it's true.

But...

I feel that if someone is releasing the source code for their project, it kind of forces them to be honest. If they will not release the source code, they are likely hiding something. And I do look through code when I have time. Compiling an app/lib from source is a great learning experience by scrolling through the configure logs and make logs.

It's true that nasties can be hidden in the code very cleverly, I just feel better/safer when I have the source.
Yes, I 100% agree with everything except the bold part.

The truth isn't that companies are likely hiding something, but rather many don't believe there's as much money to be made in the FOSS community (and realistically they're right). A few have really banked on it (ie. Android), but the vast majority haven't and never will. So it's not as much of a "they're obviously hiding something" thing as it is a "I want money" thing. Some people are a bit delusional and believe you can make the same amount of profit with FOSS as from non-FOSS, but that's simply not true.
 
Old 06-19-2014, 09:38 PM   #20
Tadaen
Member
 
Registered: Sep 2005
Distribution: Arch
Posts: 210

Rep: Reputation: 39
For me it comes down to one single question which happens to be the opposite of the OP's question: why should I trust software from the average website out there? Ultimately you are taking a risk either way. But with open source it at least has the ability to be audited and no matter how hard someone tries to cover up nefarious code... someone will report it and it will spread like wildfire.

It just so happens that the majority of open source stuff is in repos.

Quote:
Some people are a bit delusional and believe you can make the same amount of profit with FOSS as from non-FOSS, but that's simply not true.
I can't figure how anyone makes money directly from FOSS software. But supporting that FOSS software, that's where the money is. Red Hat, Suse, Canonical... I'm sure there are a few others that sell nothing but support, relying on open source technology (which most if not all is FOSS). I know if I had the talent I would never try to sell software of any kind. But support... Law of averages, it's a money maker.

Last edited by Tadaen; 06-19-2014 at 09:45 PM.
 
Old 06-20-2014, 12:16 AM   #21
Syndacate
LQ Newbie
 
Registered: Aug 2008
Location: Santa Clara, CA
Distribution: Ubuntu, mainly. Too much stuff works out of the box O.o
Posts: 27

Rep: Reputation: 35
Quote:
Originally Posted by Tadaen
I can't figure how anyone makes money directly from FOSS software. But supporting that FOSS software, that's where the money is. Red Hat, Suse, Canonical... I'm sure there are a few others that sell nothing but support, relying on open source technology (which most if not all is FOSS). I know if I had the talent I would never try to sell software of any kind. But support... Law of averages, it's a money maker.
Yeah, you're right, they sell the support and that's their business model. Though if you're a hardcore FOSS addict you can't really use any of those distros as they all contain non-free blobs in the name of hardware support. Though that being said, the problem is simply that while you're right that that's where the money is, there's not that much money to actually be there. The user base just isn't large enough overall - it's the same reason there's very few viruses for Linux & OS X.
 
Old 06-20-2014, 12:18 AM   #22
mdooligan
Member
 
Registered: Feb 2009
Location: Vancouver BC
Distribution: Mandrake10/ArchHackery/Gentoo
Posts: 179

Rep: Reputation: 22
Ah, yes.

Non-FOSS: "I'm in it for the money."

I don't trust people who are in it for the money. I trust people who do it because they love it, and do it for free, because it's the right thing to do. They do a better job than someone who does it for the money, but it gets done when they feel like it. That's FOSS.
 
1 members found this post helpful.
Old 06-20-2014, 12:25 AM   #23
Syndacate
LQ Newbie
 
Registered: Aug 2008
Location: Santa Clara, CA
Distribution: Ubuntu, mainly. Too much stuff works out of the box O.o
Posts: 27

Rep: Reputation: 35
Quote:
Originally Posted by mdooligan
Ah, yes.

Non-FOSS: "I'm in it for the money."

I don't trust people who are in it for the money. I trust people who do it because they love it, and do it for free, because it's the right thing to do. They do a better job than someone who does it for the money, but it gets done when they feel like it. That's FOSS.
Yeah, I agree with what you're saying - when people put their heart behind it great things come out of it...but money speaks much louder, often. If I could find a job where I work on FOSS software just as easily as the tons of jobs making proprietary software I'd be all over them, but the reality is that they're rare relatively. So I develop non-free software. Not going to hide behind it, I do it for a living, as do most.

In reality your computer is unlikely to be free of non-free software, as are phones, cameras, and most other things. You may not be able to trust them, but I think in many aspects you simply have to rely on them.
 
1 members found this post helpful.
Old 06-20-2014, 12:33 AM   #24
pan64
LQ Guru
 
Registered: Mar 2012
Location: Hungary
Distribution: debian/ubuntu/suse ...
Posts: 9,220

Rep: Reputation: 2698
Looks like an important point was missed. Of course I have no time to read and check all the sources, but it is not important at all. I check the behaviour of my box day by day and there are a lot of "paranoid" users with a lot of tricky ideas to check theirs. So if there was any working backdoor in any distro it would have already been detected and reported.
 
Old 06-20-2014, 01:03 AM   #25
273
LQ Addict
 
Registered: Dec 2011
Location: UK
Distribution: Debian Sid AMD64, Raspbian Wheezy, various VMs
Posts: 6,613

Rep: Reputation: 1884
Quote:
Originally Posted by pan64
Looks like an important point was missed. Of course I have no time to read and check all the sources, but it is not important at all. I check the behaviour of my box day by day and there are a lot of "paranoid" users with a lot of tricky ideas to check theirs. So if there was any working backdoor in any distro it would have already been detected and reported.
Surely that is equally true for Windows?
In fact, it could be argued that one of the reasons there is more Windows Malware is that there are more people targeting it. That, in turn, forces Microsoft to plug holes and makes the OS more secure.
 
Old 06-20-2014, 05:06 AM   #26
cynwulf
Senior Member
 
Registered: Apr 2005
Location: Walsall, England
Distribution: OpenBSD
Posts: 1,920
Blog Entries: 5

Rep: Reputation: 981
Quote:
Originally Posted by 273
Surely that is equally true for Windows?
In fact, it could be argued that one of the reasons there is more Windows Malware is that there are more people targeting it.
This is a common myth. Aside from the botnets, the real targets are servers and most servers are running GNU/Linux or some kind of *nix. This has been the case since the birth of the internet. Windows was just never a very secure OS to start with and the "internet revolution" exposed this. When the majority of XP users were running as root and many of those running pirate copies without security updates, it goes without saying that it is a fertile breeding ground for malware. The new "features" from MS such as UAC are seen as an annoyance and most users turn it off and still run as root - old habits die hard.

You can connect your Debian or FreeBSD box directly to the net and use it as a router/firewall (so long as it's properly secured). Nowadays the average windows user's computer is only secure when hidden behind a domestic NAT router - and guess what powers that?

Windows is also a nightmare when it comes to downloading software. Users search for software and then have to jump through hoops to get it. I had the misfortune to have to download a driver for someone a few weeks ago and could not locate it at the vendor's site. I had to peruse the usual "driverdownloadsite" websites trawling through endless bollocks, advertising, "PC Arsewiper Ultimate 2014", and idiotic wait times, telling me to sign up to download faster... A few of the download buttons I clicked on were not the download I was looking for but a link to some crapware "cleaner" app. In this kind of promiscuous environment where binaries or unverifiable 3rd party packages are just downloaded from random sites it's no wonder that malware flourishes.
Quote:
Originally Posted by 273
That, in turn, forces Microsoft to plug holes and makes the OS more secure.
Not a good way to work... can't see how it makes the OS "more secure". OpenBSD is a secure OS where security issues are dealt with transparently and proactively. Waiting for users to complain and then releasing a security patch a few weeks later does not seem like a great model for security.

As windows is the primary OS for the majority of people and is used by businesses worldwide, security should be their number 1 focus over flashy desktops and marketing.
 
Old 06-20-2014, 05:18 AM   #27
273
LQ Addict
 
Registered: Dec 2011
Location: UK
Distribution: Debian Sid AMD64, Raspbian Wheezy, various VMs
Posts: 6,613

Rep: Reputation: 1884
Cynwolf: I was going to reply in full but I will just ask that you read my post in the context in which it was written rather than just cut and pasting an anti-Microsoft pro-BSD/Linux rant full of out of date hyperbole.
 
Old 06-20-2014, 05:37 AM   #28
Randicus Draco Albus
Senior Member
 
Registered: May 2011
Location: Hiding somewhere on planet Earth.
Distribution: OpenBSD
Posts: 1,647
Blog Entries: 8

Rep: Reputation: 578
Quote:
I will just ask that you read my post in the context in which it was written
Quote:
In fact, it could be argued that one of the reasons there is more Windows Malware is that there are more people targeting it. That, in turn, forces Microsoft to plug holes and makes the OS more secure.
It is: 1) serious (and wrong); 2) a joke; or 3) playing Devil's advocate to facilitate further discussion. It is not at all clear which is the case.
Quote:
rather than just cut and pasting an anti-Microsoft pro-BSD/Linux rant full of out of date hyperbole.
Which parts of cynwulf's post were inaccurate propaganda?
 
Old 06-20-2014, 05:42 AM   #29
cynwulf
Senior Member
 
Registered: Apr 2005
Location: Walsall, England
Distribution: OpenBSD
Posts: 1,920
Blog Entries: 5

Rep: Reputation: 981
Quote:
Originally Posted by 273
Cynwolf: I was going to reply in full but I will just ask that you read my post in the context in which it was written rather than just cut and pasting an anti-Microsoft pro-BSD/Linux rant full of out of date hyperbole.
My posts have been called worse...

(I seriously doubt you read my "rant" in the correct context...)
 
Old 06-20-2014, 06:15 AM   #30
273
LQ Addict
 
Registered: Dec 2011
Location: UK
Distribution: Debian Sid AMD64, Raspbian Wheezy, various VMs
Posts: 6,613

Rep: Reputation: 1884
Quote:
Originally Posted by Randicus Draco Albus
It is: 1) serious (and wrong); 2) a joke; or 3) playing Devil's advocate to facilitate further discussion. It is not at all clear which is the case.
Which parts of cynwulf's post were inaccurate propaganda?
It was pretty much all knee-jerk reaction and missing the point.
To claim that malware is not generally targeted at Windows PCs because most malware authors and most intended targets of that malware are running Windows is to completely ignore all facts.
The post I replied to stated that one reason Linux is more secure is because the machines running it are monitored and problems are reported. I replied that the same is true of Windows and there are likely more people reporting Windows problems, which would surely make Windows more secure if problem reporting makes an OS more secure? Explain how one does not follow logically from the other, please?
 
All times are GMT -5. The time now is 01:27 AM.