Linux - Newbie forum thread, LinuxQuestions.org
But what guarantees that the program you want to install doesn't contain any malicious features?
What's your take on this?
My take is that "guarantees" is an overly strong word.
Intentional backdoors/trojans introduced by the developers of the software have always been extremely rare. I can't think of any off the top of my head, for either closed source or open source, and I expect that any that people point out in replies would be both specific and blatant enough to prove the point.
As a developer myself, I trust the developers of the software to look over code that is contributed by others before incorporating it. If the project has been around for a long time, then I trust that the people working on it value their reputations and that of the project.
I know how to look over the packaging scripts that build packages (.deb, .rpm, etc.) from source.
And now, I would like to add another parameter to the question: how do you know that the package that you're downloading has not been tampered with between the time the developer uploads the source, the time it's built into a .deb/.rpm/other package, and the time you download it from your favorite repository? That's supposed to be what cryptographic signing is for, but it's by no means universally used.
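To make concrete what the signing mentioned above buys you, here is an added example (not code from anyone in this thread): a Go program in which a publisher signs a sha256sum-style manifest with Ed25519, and a downloader refuses any listed file that was altered or dropped in transit, and any manifest that does not verify under the pinned key. Distributions actually use OpenPGP signatures over their Release files rather than raw Ed25519, and the file names and contents below are constructed.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"strings"
)

// sha256Hex returns the lower-case hex SHA-256 of data, as sha256sum prints it.
func sha256Hex(data []byte) string {
	sum := sha256.Sum256(data)
	return hex.EncodeToString(sum[:])
}

// verifyRelease first checks that the manifest ("<hex digest>  <filename>" per
// line, sha256sum format) carries a valid Ed25519 signature from the pinned
// publisher key; only then does it compare each listed file's digest. It returns
// the names of files that are missing or altered, or an error when the manifest
// itself cannot be trusted (bad signature or malformed line).
func verifyRelease(pub ed25519.PublicKey, manifest, sig []byte, files map[string][]byte) ([]string, error) {
	if !ed25519.Verify(pub, manifest, sig) {
		return nil, fmt.Errorf("manifest signature invalid: checksums cannot be trusted")
	}
	var bad []string
	for _, line := range strings.Split(strings.TrimSpace(string(manifest)), "\n") {
		parts := strings.SplitN(line, "  ", 2)
		if len(parts) != 2 {
			return nil, fmt.Errorf("malformed manifest line %q", line)
		}
		want, name := parts[0], strings.TrimPrefix(parts[1], "*") // "*" marks binary mode
		if data, ok := files[name]; !ok || sha256Hex(data) != want {
			bad = append(bad, name)
		}
	}
	return bad, nil
}

// main walks a constructed release end to end: the publisher signs the manifest,
// then the downloader verifies a clean copy, a copy altered in transit, and an
// edited manifest (which fails signature verification before any hashing).
func main() {
	pub, priv, _ := ed25519.GenerateKey(nil) // nil: key material from crypto/rand
	tarball, deb := []byte("constructed upstream tarball"), []byte("constructed built package")
	manifest := []byte(sha256Hex(tarball) + "  foo-1.0.tar.gz\n" + sha256Hex(deb) + "  foo_1.0-1_amd64.deb\n")
	sig := ed25519.Sign(priv, manifest)
	clean := map[string][]byte{"foo-1.0.tar.gz": tarball, "foo_1.0-1_amd64.deb": deb}
	fmt.Println(verifyRelease(pub, manifest, sig, clean)) // [] <nil>
	tampered := map[string][]byte{"foo-1.0.tar.gz": tarball, "foo_1.0-1_amd64.deb": []byte("constructed built package+injected")}
	fmt.Println(verifyRelease(pub, manifest, sig, tampered)) // [foo_1.0-1_amd64.deb] <nil>
	fmt.Println(verifyRelease(pub, []byte(string(manifest)+"\n"), sig, clean)) // [] manifest signature invalid: ...
}
```

Note that a checksum list alone only relocates the trust question to the list itself; the signature is what ties the list to the publisher.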
You mean that you don't trust binaries compiled by distributions' package maintainers? In other words you do trust the upstream source, but not precompiled binaries quite possibly patched by the distribution you use?
This actually implies that if Joe Bloggs produces package_foo and you just compile it and install it, that's somehow safer than a typical distribution having more sets of eyes on it.
As others have hinted, I'm pretty sure that you're not reading through the full source code of every piece of software you compile.
Yes, it's true.
But...
I feel that if someone is releasing the source code for their project, it kind of forces them to be honest. If they will not release the source code, they are likely hiding something. And I do look through code when I have time. Compiling an app/lib from source is a great learning experience by scrolling through the configure logs and make logs.
It's true that nasties can be hidden in the code very cleverly, I just feel better/safer when I have the source.
Quote:
Originally Posted by mdooligan
Yes, it's true.
But...
I feel that if someone is releasing the source code for their project, it kind of forces them to be honest. If they will not release the source code, they are likely hiding something. And I do look through code when I have time. Compiling an app/lib from source is a great learning experience by scrolling through the configure logs and make logs.
It's true that nasties can be hidden in the code very cleverly, I just feel better/safer when I have the source.
Yes, I 100% agree with everything except the bold part.
The truth isn't that companies are likely hiding something, but rather many don't believe there's as much money to be made in the FOSS community (and realistically they're right). A few have really banked on it (i.e. Android), but the vast majority haven't and never will. So it's not as much of a "they're obviously hiding something" thing as it is an "I want money" thing. Some people are a bit delusional and believe you can make the same amount of profit with FOSS as from non-FOSS, but that's simply not true.
For me it comes down to one single question which happens to be the opposite of the OP's question. Why should I trust software from the average website out there? Ultimately you are taking a risk either way. But with open source it at least has the ability to be audited and no matter how hard someone tries to cover up nefarious code... someone will report it and it will spread like wildfire.
It just so happens that the majority of open source stuff is in repos.
Quote:
Some people are a bit delusional and believe you can make the same amount of profit with FOSS as from non-FOSS, but that's simply not true.
I can't figure how anyone makes money directly from FOSS software. But supporting that FOSS software, that's where the money is. Red Hat, Suse, Canonical... I'm sure there are a few others that sell nothing but support, relying on open source technology (which most if not all is FOSS). I know if I had the talent I would never try to sell software of any kind. But support... Law of averages, it's a money maker.
Quote:
Originally Posted by Tadaen
I can't figure how anyone makes money directly from FOSS software. But supporting that FOSS software, that's where the money is. Red Hat, Suse, Canonical... I'm sure there are a few others that sell nothing but support, relying on open source technology (which most if not all is FOSS). I know if I had the talent I would never try to sell software of any kind. But support... Law of averages, it's a money maker.
Yeah, you're right, they sell the support and that's their business model. Though if you're a hardcore FOSS addict you can't really use any of those distros as they all contain non-free blobs in the name of hardware support. Though that being said, the problem is simply that while you're right that that's where the money is, there's not that much money to actually be there. The user base just isn't large enough overall - it's the same reason there's very few viruses for Linux & OS X.
I don't trust people who are in it for the money. I trust people who do it because they love it, and do it for free, because it's the right thing to do. They do a better job than someone who does it for the money, but it gets done when they feel like it. That's FOSS.
Quote:
Originally Posted by mdooligan
Ah, yes.
Non-FOSS: "I'm in it for the money."
I don't trust people who are in it for the money. I trust people who do it because they love it, and do it for free, because it's the right thing to do. They do a better job than someone who does it for the money, but it gets done when they feel like it. That's FOSS.
Yeah, I agree with what you're saying - when people put their heart behind it great things come out of it...but money speaks much louder, often. If I could find a job where I work on FOSS software just as easily as the tons of jobs making proprietary software I'd be all over them, but the reality is that they're rare relatively. So I develop non-free software. Not going to hide behind it, I do it for a living, as do most.
In reality your computer is unlikely to be free of non-free software, as are your phone, cameras, and most other things. You may not be able to trust them, but I think in many aspects you simply have to rely on them.
Looks like an important point was missed. Of course I have no time to read and check all the sources, but it is not important at all. I check the behaviour of my box day by day and there are a lot of "paranoid" users with a lot of tricky ideas to check theirs. So if there was any working backdoor in any distro it would have already been detected and reported.
Quote:
Originally Posted by pan64
Looks like an important point was missed. Of course I have no time to read and check all the sources, but it is not important at all. I check the behaviour of my box day by day and there are a lot of "paranoid" users with a lot of tricky ideas to check theirs. So if there was any working backdoor in any distro it would have already been detected and reported.
Surely that is equally true for Windows?
In fact, it could be argued that one of the reasons there is more Windows Malware is that there are more people targeting it. That, in turn, forces Microsoft to plug holes and makes the OS more secure.
Surely that is equally true for Windows?
In fact, it could be argued that one of the reasons there is more Windows Malware is that there are more people targeting it.
This is a common myth. Aside from the botnets, the real targets are servers and most servers are running GNU/Linux or some kind of *nix. This has been the case since the birth of the internet. Windows was just never a very secure OS to start with and the "internet revolution" exposed this. When the majority of XP users were running as root and many of those were running pirate copies without security updates, it goes without saying that it was a fertile breeding ground for malware. The new "features" from MS such as UAC are seen as an annoyance and most users turn it off and still run as root - old habits die hard.
You can connect your Debian or FreeBSD box directly to the net and use it as a router/firewall (so long as it's properly secured). Nowadays the average windows user's computer is only secure when hidden behind a domestic NAT router - and guess what powers that?
Windows is also a nightmare when it comes to downloading software. Users search for software and then have to jump through hoops to get it. I had the misfortune to have to download a driver for someone a few weeks ago and could not locate it at the vendor's site. I had to peruse the usual "driverdownloadsite" websites trawling through endless bollocks, advertising, "PC Arsewiper Ultimate 2014", and idiotic wait times, telling me to sign up to download faster... A few of the download buttons I clicked on were not the download I was looking for but a link to some crapware "cleaner" app. In this kind of promiscuous environment where binaries or unverifiable 3rd party packages are just downloaded from random sites it's no wonder that malware flourishes.
Quote:
Originally Posted by 273
That, in turn, forces Microsoft to plug holes and makes the OS more secure.
Not a good way to work... can't see how it makes the OS "more secure". OpenBSD is a secure OS where security issues are dealt with transparently and proactively. Waiting for users to complain and then releasing a security patch a few weeks later does not seem like a great model for security.
As Windows is the primary OS for the majority of people and is used by businesses worldwide, security should be their number 1 focus over flashy desktops and marketing.
Cynwolf: I was going to reply in full but I will just ask that you read my post in the context in which it was written rather than just cut and pasting an anti-Microsoft pro-BSD/Linux rant full of out of date hyperbole.
I will just ask that you read my post in the context in which it was written
Quote:
In fact, it could be argued that one of the reasons there is more Windows Malware is that there are more people targeting it. That, in turn, forces Microsoft to plug holes and makes the OS more secure.
It is: 1) serious (and wrong); 2) a joke; or 3) playing Devil's advocate to facilitate further discussion. It is not at all clear which is the case.
Quote:
rather than just cut and pasting an anti-Microsoft pro-BSD/Linux rant full of out of date hyperbole.
Which parts of cynwulf's post were inaccurate propaganda?
Cynwolf: I was going to reply in full but I will just ask that you read my post in the context in which it was written rather than just cut and pasting an anti-Microsoft pro-BSD/Linux rant full of out of date hyperbole.
My posts have been called worse...
(I seriously doubt you read my "rant" in the correct context...)
Quote:
Originally Posted by Randicus Draco Albus
It is: 1) serious (and wrong); 2) a joke; or 3) playing Devil's advocate to facilitate further discussion. It is not at all clear which is the case.
Which parts of cynwulf's post were inaccurate propaganda?
It was pretty much all knee-jerk reaction and missing the point.
To claim that malware is not generally targeted at Windows PCs because most malware authors and most intended targets of that malware are running Windows is to completely ignore all facts.
The post I replied to stated that one reason Linux is more secure is because the machines running it are monitored and problems are reported. I replied that the same is true of Windows and there are likely more people reporting Windows problems, which would surely make Windows more secure if problem reporting makes an OS more secure? Explain how one does not follow logically from the other, please?