LinuxQuestions.org


kellyapproved 07-12-2010 01:52 AM

Trusting Linux
 
Because Linux is open source, anyone can take a distro, modify it and offer it up for free on the Internet.

With Windows, many people download it using a torrent and there have been times when malware has been incorporated into the OS so as to be able to take control of the pirated OS.

Wouldn't the same hold true with all the different flavors of Linux? I can trust the big brand names, but it's all the different iterations of the major distros that I would have my concerns about.

John VV 07-12-2010 02:44 AM

Quote:

Wouldn't the same hold true with all the different flavors of Linux?
It could and has, BUT (a big BUT) because it is open it CAN be checked.

There are hashes made for prebuilt code and the package managers check it. Every now and then something might slip by, BUT it is caught fast.
In the past 5 years I have NOT seen this for myself
(I have not gotten a "messed with" package).

win32sux 07-12-2010 02:45 AM

Quote:

Originally Posted by kellyapproved (Post 4030519)
Because Linux is open source, anyone can take a distro, modify it and offer it up for free on the Internet.

With Windows, many people download it using a torrent and there have been times when malware has been incorporated into the OS so as to be able to take control of the pirated OS.

Wouldn't the same hold true with all the different flavors of Linux? I can trust the big brand names, but it's all the different iterations of the major distros that I would have my concerns about.

Yes, malicious code could be incorporated into any distro by its developer(s). And no, you're not alone – many people have an easier time trusting "big brand names" than they do the little projects for this reason (among others).

tommyttt 07-12-2010 02:56 AM

Quote:

Originally Posted by kellyapproved (Post 4030519)
Because Linux is open source, anyone can take a distro, modify it and offer it up for free on the Internet.

With Windows, many people download it using a torrent and there have been times when malware has been incorporated into the OS so as to be able to take control of the pirated OS.

Wouldn't the same hold true with all the different flavors of Linux? I can trust the big brand names, but it's all the different iterations of the major distros that I would have my concerns about.

If you don't trust any OS downloaded, run it from a sandbox or other secure environment so you don't contaminate your system. In other words, put it into its own partition with no other partitions mounted.

Tom

win32sux 07-12-2010 03:06 AM

Quote:

Originally Posted by John VV (Post 4030549)
there are hashes made for prebuilt code and the package managers check it

Right, but that only protects you from third party tampering. The distro developer is still able to build the packages using evil source code (while providing you with innocent source code). That said, at least GNU/Linux users have the option of building entire systems from source code (which can be thoroughly analyzed) if they so desire – Windows users don't have that kind of freedom.

kellyapproved 07-12-2010 10:55 AM

Quote:

Originally Posted by tommyttt (Post 4030563)
If you don't trust any OS downloaded, run it from a sandbox or other secure environment so you don't contaminate your system. In other words, put it into its own partition with no other partitions mounted.

Tom

Thank you everyone, this was interesting to read.

@tommyttt, this wouldn't work for me. I am looking for a distro that I can use as a LiveCD/boot to RAM that I can use when I'm away from home.

I've gone with Linux Mint, they seem to have a track record of a few years behind them and I like this distro quite a bit. I suspect if there was anything bad with their code, it would have come out long before now.

rsciw 07-12-2010 11:03 AM

A few good live CDs available are Debian, Ubuntu and Knoppix, all of them trustable.

David2010 07-12-2010 02:17 PM

Quote:

Originally Posted by win32sux (Post 4030570)
Right, but that only protects you from third party tampering. The distro developer is still able to build the packages using evil source code (while providing you with innocent source code). That said, at least GNU/Linux users have the option of building entire systems from source code (which can be thoroughly analyzed) if they so desire – Windows users don't have that kind of freedom.

Although it is a pain in the arse, a person can look through the source code of every single program they install. But who would actually do that?

I use Gentoo but I don't look through the source code downloaded by "emerge".

I suppose I just have a lot of trust towards linux being a safe OS.

Awatto 07-12-2010 02:33 PM

Not too long ago, Gentoo discovered a back door that had been in the distro for ~8 months. See:

http://www.zdnet.com/blog/bott/linux...r-updated/2206

Linux isn't infallible, and neither are the distro maintainers (Gentoo is wonderful!) but the "security" part of open source comes from the fact that if there IS a problem, anyone can notice it, patch it, and send it upstream to be included (after review) in binaries for everyone. This is the safety brought to you by open source, not that open source/linux is entirely secure. It simply gets fixed faster/easier.

David2010 07-12-2010 02:40 PM

Quote:

Originally Posted by Awatto (Post 4031168)
Not too long ago, Gentoo discovered a back door that had been in the distro for ~8 months. See:

http://www.zdnet.com/blog/bott/linux...r-updated/2206

Linux isn't infallible, and neither are the distro maintainers (Gentoo is wonderful!) but the "security" part of open source comes from the fact that if there IS a problem, anyone can notice it, patch it, and send it upstream to be included (after review) in binaries for everyone. This is the safety brought to you by open source, not that open source/linux is entirely secure. It simply gets fixed faster/easier.

I just installed Gentoo on this laptop less than a week ago.

I am very careful about which programs I install. I don't use IRC so I don't have to worry about that.

But I understand that no OS is... bullet proof.

win32sux 07-12-2010 03:45 PM

Quote:

Originally Posted by David2010 (Post 4031153)
Although it is a pain in the arse, a person can look through the source code of every single program they install. But who would actually do that?

While only a handful of people do that sort of thing, the freedom to do so is still there for all GNU/Linux users. Even if you're not a programmer yourself, there's nothing stopping you from handing all the source code over to a professional auditor before you build it (financial factors are another story, of course). And even so, at that point you're still reliant upon trust in the auditor.

Trust is and always will be a part of the equation in one way or another – regardless of OS and/or license.

John VV 07-12-2010 04:01 PM

Trust also is earned. Most big projects stay within 2 to 3 days for a "Major" bug/hole to be fixed. Sometimes that is not possible and a fix takes years, but those are exceptions.

David2010 07-12-2010 04:18 PM

Quote:

Originally Posted by win32sux (Post 4031206)
While only a handful of people do that sort of thing, the freedom to do so is still there for all GNU/Linux users. Even if you're not a programmer yourself, there's nothing stopping you from handing all the source code over to a professional auditor before you build it (financial factors are another story, of course). And even so, at that point you're still reliant upon trust in the auditor.

Trust is and always will be a part of the equation in one way or another – regardless of OS and/or license.

I have plenty of programming experience but I don't have the free time to look through the source code of every program I install.

Although having the option to do so is convenient.

kellyapproved 07-12-2010 08:48 PM

Quote:

Originally Posted by Awatto (Post 4031168)
Not too long ago, Gentoo discovered a back door that had been in the distro for ~8 months. See:

http://www.zdnet.com/blog/bott/linux...r-updated/2206


That's horrible. A quote from the ZDNet site: "It's much worse than it appears".

I guess it's a matter of the devil you know vs the devil you don't.

John VV 07-12-2010 09:10 PM

The Unreal ISO, and only one of the mirrors was compromised.
Does anyone here use "Unreal3.2.8.1"? It is not even listed on DistroWatch.

A good example of how it is supposed to work (and does work)
is:
Fedora 8

Some of the Red Hat-run mirrors were "cracked",
so all packages were suspended, checked and reissued a NEW hash after being checked.

It turned out that NONE of the Fedora RPMs were messed with, but EVERYTHING was checked.
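An added example, not from any poster in this thread, of the distinction win32sux draws above and that John VV's Fedora 8 account illustrates: a SHA256SUMS-style check catches a mirror whose copy of a file was altered, but passes when whoever publishes the sums also built the altered file. The file names and contents are constructed stand-ins, not real images.

```python
import hashlib
import hmac

FILES = {  # constructed stand-ins for downloaded ISOs, not real distro images
    "linuxmint-9.iso": b"constructed iso payload for mint\n",
    "knoppix-6.iso": b"constructed iso payload for knoppix\n",
}

def make_sums_file(files: dict) -> str:
    """SHA256SUMS-style listing: hex digest, two spaces, name (sha256sum format)."""
    return "".join(f"{hashlib.sha256(d).hexdigest()}  {n}\n" for n, d in files.items())

def parse_sums(text: str) -> dict:
    """Map name -> expected digest; skips comments, strips sha256sum's binary-mode '*'."""
    sums = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, name = line.split(None, 1)
        sums[name.lstrip("*")] = digest.lower()
    return sums

def verify(files: dict, sums_text: str) -> dict:
    """Return {name: 'OK' | 'FAILED' | 'MISSING'} for every downloaded file."""
    expected = parse_sums(sums_text)
    result = {}
    for name, data in files.items():
        actual = hashlib.sha256(data).hexdigest()
        if name not in expected:
            result[name] = "MISSING"
        elif hmac.compare_digest(actual, expected[name]):
            result[name] = "OK"
        else:
            result[name] = "FAILED"
    return result

def tampered_mirror_scenario() -> dict:
    """Sums published by the project; one mirror's copy was altered -> caught."""
    sums = make_sums_file(FILES)
    mirror = dict(FILES)
    mirror["knoppix-6.iso"] += b"injected\n"
    return verify(mirror, sums)  # knoppix-6.iso: FAILED

def publisher_scenario() -> dict:
    """The publisher shipped the altered file AND its sums -> passes: the hash
    proves only that the file is what the publisher built, not that it is benign."""
    altered = dict(FILES)
    altered["knoppix-6.iso"] += b"injected\n"
    return verify(altered, make_sums_file(altered))  # all OK
```

The same logic is what `sha256sum -c SHA256SUMS` performs against real downloads; the second scenario is why the hash list must come from a source you trust more than the mirror.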

